Developers: R-Vision
Date of the premiere of the system: 2020/10/15
Last Release Date: 2024/02/05
Technology: Information Security - Information Leakage Prevention, Information Security Management (SIEM)
The R-Vision UEBA (formerly R-Vision SENSE) cyber security analytics platform allows you to monitor the security status of the infrastructure, identify significant anomalies and signal a threat, providing the necessary context for decision-making.
2024: R-Vision UEBA 1.16 with User Profile section
R-Vision has released the R-Vision UEBA 1.16 update to improve the efficiency of information security specialists. In this version, the developer has expanded the detection scenarios for 15 anomalies, added a "User Profile" section for monitoring an observation object, and changed the rendering of the timeline to speed up the collection of artifacts during an investigation. The company announced this on February 5, 2024.
R-Vision has made major changes to the process of working with observation objects. The developer added a "User Profile" window to the interface, in which information security specialists can instantly receive a detailed summary of all sessions of an observation object, analyze them in one window and leave comments. In addition, the developer split the chronology of events into sessions, limiting the displayed activity of an observation object to one day. For each session, a wide range of user behavior data for the selected period is displayed: anomalies, triggered alerts, accounts, equipment and the overall rating. Sessions now group information security events of the same type, which makes the timeline more informative and more convenient for data analysis. The added features allow specialists to quickly build the context of an investigation and can cut the time spent collecting artifacts threefold.
The R-Vision team continues to expand detection capabilities to better protect against threats. In R-Vision UEBA 1.16 the developer added two software experts, BruteForce and VPN Connections, which expanded the detection scenarios for 15 anomalies. These experts detect brute-force scenarios and multiple VPN connections within a short time, taking geolocation into account. Analysts can now identify the main threats in automatic mode.
In addition, the R-Vision UEBA 1.16 update includes the following changes:
- information security specialists can create widgets, observation sheets, for targeted observation of objects; objects that require additional attention can be added to them so that the events occurring on them are kept under control;
- deep integration with AD and advanced API capabilities were added, thanks to which an advanced observation object card is available;
- interaction with R-Vision Endpoint was increased to quickly obtain the necessary data, and with R-Vision SOAR to transmit more detailed information about an incident and respond to it in a timely manner.
In addition to the added functions, R-Vision UEBA has successfully passed certification tests for compliance with the information protection requirements at the 4th level of trust of the Federal Service for Technical and Export Control (FSTEC) of Russia. The platform can now be used in state information systems up to the first security class, in personal data information systems up to the first security level, in industrial control systems (APCS) up to the first security class, and at significant facilities of Russia's critical information infrastructure (CII).
"The R-Vision UEBA software experts include best data analysis practices and an effective object approach. Together, they allow you to automatically detect anomalies, timely inform about possible threats and quickly collect context for the investigation," commented Viktor Nikulichev, product manager of R-Vision.
2023: Release of version 1.14 with platform renamed as R-Vision UEBA
On July 5, 2023, R-Vision introduced an updated platform for analyzing object behavior and detecting anomalies, R-Vision UEBA 1.14, formerly known as R-Vision SENSE. Together with the updated name, the product received a number of significant changes. In particular, it implemented integration with R-Vision Endpoint, expanding the ability to collect data from end devices. The developer also improved the object card, which allows information security analysts to use more context when looking for the causes of anomalies.
With the release of version 1.14, the R-Vision SENSE platform was renamed R-Vision UEBA. The name change reflects the maturity level of a product whose functionality meets the requirements of User and Entity Behavior Analytics (UEBA) solutions.
In the updated version, users have access to a wider range of events and telemetry received from various operating systems, including Windows, Linux and macOS. This expands the amount of data received from end devices and provides information security analysts with richer events for subsequent study. This was made possible by the integration of the R-Vision UEBA platform with R-Vision Endpoint.
R-Vision introduced a number of other important functional improvements into the object card, enriching it with additional information. In addition to basic information, the card now reflects the technical characteristics of the object as well as related entities. This allows you to quickly access the object together with its full context and significantly speeds up the search for the causes of anomalies. In addition, the developer added the "Analytics per day" tab to the object card, which displays the change in rating, anomalies and devices involved over the past 24 hours. If an object with a high rating is detected, information security analysts can view all user actions over the past day with one click and determine whether they are abnormal and whether further investigation is required.
Other platform improvements concern the expansion of the existing attribute list and the updated data models, which the vendor supplemented in R-Vision UEBA 1.14. The innovation makes it possible to get more context on events and conduct more detailed analysis when anomalies are detected in the corporate infrastructure.
"It is extremely important for cybersecurity specialists to have tools that allow them to quickly obtain artifacts that are important for investigations, effectively analyze the behavior of objects and identify anomalies. Thus, they can reduce the time to detect and study attacks. All the improvements that we made to the R-Vision UEBA 1.14 platform are aimed at providing information security analysts with the ability to quickly detect anomalies. In particular, the option of grouping identical events within the timeline functionality helps speed up the processing of huge amounts of data, determine which events have the greatest impact on enterprise security, and take measures to prevent them," said Viktor Nikulichev, R-Vision UEBA product manager.
2021
R-Vision Sense 1.5
On December 13, 2021, R-Vision introduced the next version of the R-Vision SENSE 1.5 cybersecurity analytical platform.
The product has a number of new features compared with the commercial release of May 2021. The key changes concern the behavioral analysis system. The platform can now complete training and retrain on its own so that behavior patterns are updated in a timely manner. The user of the system can adjust the intervals of automatic additional training to the conditions of their infrastructure, so that software experts receive new information on time and the number of repeated false-positive anomalies is reduced. By also setting retraining intervals, the user can adjust how often the legacy context of an object is reset, which avoids the effect of accumulated history, for example when an employee's role in the company changes.
The updated platform implements integrations with a number of sources. Separately, it is worth highlighting the integration with MaxPatrol SIEM and ArcSight ESM. R-Vision SENSE can now save and process not only raw events but also correlation events from ArcSight ESM, placing them on the common timeline of the observation object. Such events can be assigned a hazard rating, after which they affect the rating of the observation object. Version 1.5 also implements integration with the R-Vision IRP incident response system: it is now possible to configure the sending of incident alerts. In addition, a connector was developed for Kaspersky Security Center events, for which you can also configure simple rules that assign alert hazard points on object timelines.
R-Vision SENSE 1.5 adds a preview of the observation object: you can now quickly get a summary of the object, its frequent anomalies and hazard points, and go straight to the timeline for all the necessary details. The algorithm of the frequency model has been redesigned, so the software experts work more accurately and faster. The developers also provided the ability to tune the sensitivity of software experts.
In addition, integration with Active Directory was implemented. The list of users, as well as information about them, is populated and updated automatically. It is also now possible to configure several such integrations, synchronizing different Base DNs.
A significant part of the improvements concerns logging. R-Vision SENSE now has a separate service for centralized logging of the processes of all modules and services of the system, which makes it easier for the user to collect the necessary service information. Log coverage was extended to all critical services of the platform. System notifications have also appeared: the platform now notifies the user about all important events in the user interface.
The developers also expanded the functionality for working with dashboards, optimized the process of working with the aggregated entity "User" and improved the timeline. In addition, a history of changes appeared in the user card: all updates to the object are now reflected in the corresponding tab.
"In R-Vision SENSE 1.5, we managed to automate a large block of user work with the system, in particular with behavioral analysis tools. As a result, the burden of making a decision and organizing further training or retraining processes has been removed from the end user: we have adapted the system to independent training. In addition, such a process allows you to adequately and timely respond to infrastructure changes, which is the basis of behavioral analysis," said Viktor Nikulichev, product manager of R-Vision SENSE. "The next steps to improve will be to expand the analytical capabilities of the platform - simple rules and experts, as well as user functionality, including working with analytical tools and retrospective analysis."
Commercial release with an expanded list of objects
On May 18, 2021, R-Vision released the commercial version of the R-Vision SENSE cyber security analytical platform. Compared to the technical release presented in the fall of 2020, a number of features have appeared in the product. Key additions include an expanded list of objects whose security status is monitored by the platform, an improved system of alerts on abnormal object behavior, and updated software experts for identifying anomalies.
In the commercial version of the product, the developers added the aggregated entity "User" to the list of objects. The user list can be created either manually or automatically by integrating the platform with Active Directory. Previously, the list of supported objects included accounts and hosts; R-Vision plans to expand it further in the future.
In addition, the product can now remove anomalies that were identified when simple rules were triggered. This functionality is useful while setting up the product, when the platform is still learning and can generate unnecessary anomalies. If a rule is deleted, all anomalies it previously found are also deleted automatically.
Another change concerns the system of alerts about deviations from the profiles of normal object behavior. The platform calculates a hazard rating for each monitored object, awarding points for every suspicious event associated with it, and sends an alert to the user when the threshold is reached. In the commercial version of the product, the rating threshold and the criticality level of anomalies are set automatically, while the SOC analyst can still edit these parameters.
A separate block of updates concerns the multi-level system of software experts for detecting anomalies. The commercial version of R-Vision SENSE adds an Account Sharing software expert, designed to identify authorization events in which someone else's account is used. The product also now has an expanded software expert for detecting anomalies in VPN connections. Unlike the basic one, it can detect connections from an IP address with an unidentified location, a city or country of connection that is unusual for the user and the organization, and a mismatch between the distance and the time difference between connection points.
"In the commercial version of the platform, we managed to increase the stability and speed of work of software experts with big data. This became possible due to the functional separation of the data pre-processing load, as a result of which the volumes of information transferred between services within the system, as well as the requirements for software experts, were reduced without losing the accuracy of their work," said Viktor Nikulichev, product manager of R-Vision SENSE. "In the future, we plan to expand the variety of absorbed data sources and integrations, as well as the taxonomy of analyzed observation objects. In addition, the solution will be supplemented by internal expertise, both mathematical, in the form of methods and models of software experts, and in terms of analytical capabilities available out of the box."
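To make the two mechanisms described above concrete (the points-based object rating with an alert threshold, and the VPN expert's criteria of an unidentified location, an unusual country and a distance/time mismatch), here is an added illustrative Python example; it is not R-Vision's code, and the point values, the speed bound and the sample logins are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

@dataclass
class VpnLogin:
    """One VPN login with its resolved geolocation (None when the IP could not be located)."""
    user: str
    ts: int            # UNIX seconds
    country: Optional[str]
    lat: Optional[float]
    lon: Optional[float]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

# Hypothetical point values per anomaly type and an implausible-speed bound (assumed here, not the vendor's).
POINTS = {"unknown_location": 20, "unusual_country": 30, "impossible_travel": 50}
MAX_SPEED_KMH = 900.0

def vpn_anomalies(logins, usual_countries):
    """Return (login index, anomaly name) pairs for one user's logins, checked in time order."""
    found, prev = [], None
    for i, ev in enumerate(sorted(logins, key=lambda e: e.ts)):
        if ev.country is None or ev.lat is None or ev.lon is None:
            found.append((i, "unknown_location"))   # IP with no resolvable location
            continue
        if ev.country not in usual_countries:
            found.append((i, "unusual_country"))    # not where this user/org normally connects from
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max((ev.ts - prev.ts) / 3600.0, 1e-6)
            if km / hours > MAX_SPEED_KMH:
                found.append((i, "impossible_travel"))  # distance vs. time gap mismatch
        prev = ev
    return found

def object_rating(anomalies, threshold=60):
    """Sum the points of an object's anomalies; alert once the threshold is reached."""
    score = sum(POINTS[name] for _, name in anomalies)
    return score, score >= threshold

# Constructed sample: two logins from Moscow, one from New York an hour later, one from an unlocatable IP.
SAMPLE_LOGINS = [
    VpnLogin("alice", 0, "RU", 55.75, 37.62),
    VpnLogin("alice", 3600, "RU", 55.75, 37.62),
    VpnLogin("alice", 7200, "US", 40.71, -74.01),
    VpnLogin("alice", 10800, None, None, None),
]
```

Running `object_rating(vpn_anomalies(SAMPLE_LOGINS, {"RU"}))` scores the third and fourth logins at 100 points and crosses the assumed threshold, which is the point at which such a platform would raise an alert for the object.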
2020: Presenting R-Vision Sense
On October 15, 2020, R-Vision introduced the R-Vision SENSE cyber security analytical platform. The product complements the range of technologies used in a Security Operation Center with advanced analytical capabilities that allow you to identify the signs of a beginning attack and prioritize threats for response.
The focus of R-Vision SENSE is on infrastructure objects: users, equipment, accounts, services and other types of objects. The platform analyzes their behavior based on data obtained from sources directly or collected using log management tools or a SIEM. The multi-level system of software experts monitors the launch of processes and applications, authentication requests, process access to data, VPN connections, mail traffic and other parameters. R-Vision SENSE remembers the normal behavior of objects and records suspicious activity in case of deviations. To detect malicious activity, a set of simple rules that work according to defined criteria is also used. The sequence of events, anomalies and context for each object is stored in the form of a "timeline," which makes it easier to investigate an incident, restore the chronology of an attack and identify gaps in the defenses that need to be eliminated.
The R-Vision SENSE platform uses a universal data format for analysis, which provides flexibility for the analytical tools: simple rules and software experts adapt to changes in data sources on their own and do not require frequent manual adjustment. In terms of algorithms, the product uses a combination of statistical and behavioral analysis and machine learning methods.
"To ensure protection against cyber threats, it is not enough to rely on individual indicators at a certain point in time; it is important to track changes in dynamics," said Alexander Bondarenko, CEO of R-Vision. "Infrastructure is no longer a sterile object, it is constantly under attack. The reality of the near future is that a priori the infrastructure of any organization is compromised, and you need to act on this paradigm. It is necessary to constantly monitor the traces of the presence of an attacker, and the main task of security specialists is to detect the compromise in time, before the moment when this can lead to serious damage to the organization, by analogy with the work of the immune system in the human body."
"Working with SOCs in Russia and carrying out a number of projects to automate the process of monitoring and responding to incidents for large companies and government organizations, we see the difficulties faced by information security specialists solving their tasks by classical means. This includes a lack of staff, its overload with notifications from monitoring tools and blurred attention, as a result of which some critical incidents can be processed late," explained Igor Smetanev, commercial director of R-Vision. "R-Vision SENSE is based on a number of principles that solve these problems. Firstly, this is an object-centric approach, according to which any event is analyzed in relation to a specific object - user, workstation, account, etc. By constantly monitoring the state of objects, the platform detects anomalies that indicate the actions of the attacker. Secondly, the use of flexible analytical tools that are automatically adapted when data sources change. This makes it easier to support and configure the system. Thirdly, scoring threat assessments help highlight the most critical anomalies and weed out less significant incidents, thereby reducing the burden on analysts."
According to the company, the first pilot projects are planned to start in November 2020.