Base system (platform): Security Vision, a specialized platform for automating information security processes
Developer: GC Intelligent Security (Security Vision brand)
System premiere date: 2022/12/02
Last release date: 2023/10/26
Industry: Information security
Technology: Security Information and Event Management (SIEM), Threat Intelligence (TI)
2024
Integration with Garda Threat Intelligence
On October 2, 2024, the Garda Group of Companies and Security Vision announced the integration of the Security Vision TIP platform with the Garda Threat Intelligence cyber threat data service.
Compatibility with NGFW "Continent 4"
The multifunctional firewall (NGFW) "Continent 4" from the company "Security Code" and the Security Vision products Threat Intelligence Platform (TIP), User and Entity Behavior Analytics (UEBA), Security Orchestration, Automation and Response (SOAR) and Next Generation SOAR (NG SOAR) passed comprehensive testing, which confirmed their compatibility. Security Vision announced this on March 21, 2024.
2023
Integration with F.A.C.C.T. Threat Intelligence
On October 26, 2023, F.A.C.C.T., a Russian developer of technologies to combat cybercrime, and Security Vision, the creator of the Russian IT platform that allows robotizing up to 95% of information security processes, announced a technological partnership. As part of the integration, the F.A.C.C.T. Threat Intelligence cyber intelligence system delivers operational data about attackers to the Security Vision cyber intelligence platform, which allows countering current cyber threats and proactively detecting complex targeted attacks using constantly enriched indicators of compromise (IoC).
Support for continuous loading of a wide range of threat data and more than 50 connectors
On April 6, 2023, Security Vision announced the release of the current version of the Threat Intelligence Platform (TIP) module. Based on threat data, the product generates real-time detections of suspicious activity in the customer's infrastructure, enriches indicators and incidents, integrates with the customer's infrastructure and security tools, and provides situational awareness.
Many features are available to users, including:
Wide integration stack (50 + connectors):
- Built-in integration with commercial suppliers of feeds (Kaspersky, Group IB, BI.Zone, RST Cloud);
- Built-in integration with free feed providers (Alien Vault, Feodo Tracker, DigitalSide);
- Automatic enrichment of indicators from external services (VirusTotal, Shodan, KasperskyOpenTIP and others);
- Built-in integration with the main SIEM systems, NGFW systems, proxy servers, mail servers and event queuing systems, and universal reception of data flows in standard formats (Syslog, CEF, LEEF, EBLEM, Event log);
- The ability to quickly develop an additional connector.
Operation with indicators:
- A wide range of threat data is constantly downloaded: compromise indicators, attack indicators (registry keys, processes, JARM) and strategic threat attributions (malware, attackers, threats);
- The links between different levels of indicators (for example, compromise indicator => threat => attacker) are deeply worked out, which allows you to quickly build a complete picture of a potential threat;
- An aggregation and deduplication system has been implemented to maintain the relevance and uniformity of the indicator base;
- It is possible to display the original format of the indicator;
- Vulnerability and bulletin databases provide additional context for analyzing indicators.
Detections:
- Several mechanisms for detecting suspicious activity in the infrastructure have been implemented. First of all, the product's own detection engine automatically searches for indicators of compromise in the stream of raw events coming from security tools and from the infrastructure. Retro search makes it possible to compare indicators of compromise with events that were previously stored in the system. A heuristic engine for detecting domains produced by a Domain Generation Algorithm (DGA) is also implemented; it uses machine learning models to effectively identify suspicious domain names in the infrastructure;
- A wide range of actions on indicators of compromise makes it possible to quickly respond to the created detection;
- It is possible to create indicator whitelists to reduce the number of false positives.
Analysis:
- A scoring system has been implemented that allows you to assess the criticality of the indicator (if not provided by the supplier) based on your own calculation model;
- The classification of indicators is used using the MITRE ATT&CK knowledge base and the OWASP reference book, which allows you to build a chain of relationships between potential threats;
- The graph, as an additional analysis tool, allows you to visually track the built connections between entities and quickly switch to the card of the desired object;
- Predefined dashboards and reports help visually assess the overall picture over the required period. Among other things, it is possible to upload the report on the main objects directly from the object card.
2022: Announcement of the Security Vision Threat Intelligence Platform
On December 1, 2022, Security Vision announced the release of the updated automated Security Vision Threat Intelligence Platform (TIP). Based on threat data, the product generates real-time detection of suspicious activity in the Customer's infrastructure, enriches indicators and incidents, integrates with the Customer's infrastructure and security tools, and ensures situational awareness.
According to the company, Security Vision TIP interacts with many other security tools, information infrastructure components and external services. The system queries feed providers and analytical services for IoCs, IoAs, threats, information about attackers and malware, vulnerabilities and bulletins. Event information for matching is collected from primary sources (Web Proxy, Linux server, Windows server, NGFW), Data Lake and DB (Apache Kafka, PostgreSQL, MS SQL), EDR, SIEM, etc. Incident and indicator data can be transmitted automatically or manually to SIEM, SOAR/IRP, NGFW, etc. The Security Vision TIP software product provides functionality that covers the needs of each TI level. The solution helps to search for signs of attacks based on behavioral indicators and to build a long-term enterprise information security strategy that takes current threats and risks into account.
TIP is based on a single Security Vision platform. All platform capabilities are available to customers, including extensive customization capabilities. The solution is completely parametric, and in order to create a connector, report or dashboard, no programmer services are required: everything is configured through the user interface with the appropriate administrative rights.
The system architecture supports complete fault tolerance of all components. The platform does not require direct Internet access: interaction with feed providers and external analytical services is possible through a special dedicated component located in the DMZ segment.
All platform components can run on any of the following OS: MS Windows, Ubuntu, CentOS, RedHat, Oracle Linux, Alt Linux, Astra Linux CE "Eagle", Astra Linux SE "Smolensk"/"Voronezh"/"Eagle". PostgreSQL, Postgres Pro or Microsoft SQL Server are used as the DBMS.
Security Vision TIP supports downloading an unlimited number of various TI sources (feeds). The basic delivery has already implemented integration with the most popular services that provide various indicators of compromise.
Security Vision TIP implements the following mechanisms for obtaining events used to detect suspicious activity: receiving a data stream over TCP/UDP; API access to external systems; retrieving events from a queue (Kafka, RabbitMQ); executing queries against a DB/Data Lake.
Security Vision TIP uses its own optimized matching engine that performs detection on large data streams against an IoC database.
A useful feature of Security Vision TIP is retro search. The system stores, in an optimized form, data obtained from adjacent systems over a long period of time (for example, a month or a quarter, set by a system setting), and indicators of compromise are compared with events that occurred in the past. This way you can see which parts of the internal infrastructure were at risk before information about the threat appeared.
An important function of Security Vision TIP is the heuristic engine, which uses various ML models to automatically identify, in the Customer's infrastructure, suspicious domain names or URLs generated by a Domain Generation Algorithm (DGA) or mimicking well-known domains.
For detections, the system implements a life cycle in which each detection passes through a series of automated and manual steps during investigation and processing. For example, when a detection is created or changed, all "triggered" indicators are automatically enriched from external analytical services, and information from the internal infrastructure is collected for all participating assets. When the user begins to work with the detection, he immediately receives complete information on the incident and the infrastructure involved. Until the detection is closed, all information identified by new "triggers" is automatically added to it and aggregated, and the data is deduplicated.
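The retro search and indicator whitelist described on this page, as an added illustration that is not Security Vision code: a constructed matcher keeps a retention window of key=value proxy/DNS events, matches each new event live against the current IoC set, and re-scans the stored history when a new indicator arrives. The event lines, indicator values, field names and retention period are all constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample events: proxy and DNS log lines in a key=value style.
SAMPLE_EVENTS = [
    "2024-03-21T10:00:01Z proxy01 CONNECT dst=203.0.113.77 host=updates.example.net user=alice",
    "2024-03-21T10:05:12Z dns01 query name=cdn.example.org client=10.0.0.15",
    "2024-03-21T10:09:40Z proxy01 CONNECT dst=198.51.100.9 host=bad.example.net user=bob",
]
# Fields whose values are compared with indicators (hypothetical field set).
VALUE_RE = re.compile(r"\b(?:dst|host|name)=(\S+)")

class RetroMatcher:
    """Live IoC matching over an event stream plus retro search over stored events."""
    def __init__(self, retention: timedelta, whitelist=()):
        self.retention = retention
        self.whitelist = set(whitelist)   # values that never produce a detection
        self.indicators = {}              # IoC value -> threat label
        self.history = deque()            # (timestamp, raw line, extracted values)

    def _parse(self, line):
        ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        return ts.replace(tzinfo=timezone.utc), set(VALUE_RE.findall(line))

    def _expire(self, now):   # drop events older than the retention window
        while self.history and self.history[0][0] < now - self.retention:
            self.history.popleft()

    def ingest(self, line):
        # Store the event (assumes roughly chronological arrival) and return live hits.
        ts, values = self._parse(line)
        self.history.append((ts, line, values))
        self._expire(ts)
        return [(v, self.indicators[v], line) for v in values
                if v in self.indicators and v not in self.whitelist]

    def add_indicator(self, value, label):
        # Register a new IoC and retro-search the retained history for it.
        self.indicators[value] = label
        return [(value, label, line) for _, line, values in self.history
                if value in values and value not in self.whitelist]

def demo():
    m = RetroMatcher(retention=timedelta(days=30), whitelist={"cdn.example.org"})
    live = [hit for line in SAMPLE_EVENTS for hit in m.ingest(line)]  # no IoCs loaded yet
    retro = m.add_indicator("198.51.100.9", "constructed feed: C2 server")
    ignored = m.add_indicator("cdn.example.org", "constructed feed: known false positive")
    return live, retro, ignored
```

The retro hit shows which past connection touched the newly published indicator, while the whitelisted CDN name stays silent even though it is present both in the feed and in the history.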
Security Vision TIP implements integration with the most famous suppliers and vulnerability databases, for example: NVD NIST, NOS FSTEC, NCCC, Group IB, Kaspersky.
We have implemented work with bulletins - documents issued one-time or periodically and containing the results of research by the analytical center on a separate problem/threat/attack/grouping, etc., or summary information for a certain period.
The Security Vision TIP functionality provides work with the MITRE ATT&CK knowledge base of techniques and automatically keeps it up to date in all main sections.
The strategic layer of information security management is presented in TIP from Security Vision by an attribution mechanism for data types such as attackers, malicious software and threats.
For all indicators and detections, and for changes in their status and life cycle, users of the Security Vision TIP platform can receive notifications containing the details of the object, its changes, and links to the object card.
The solution supports a role model, when the user, depending on the assigned role, has access to this or that functionality of the system, as well as limited access to data and actions.