Less routine, more automation: Kaspersky adds new capabilities to its SIEM system
As challenges continue to grow for cybersecurity teams, Kaspersky has unveiled a significant update to its Unified Monitoring and Analysis Platform, a security information and event management system (SIEM). The enhanced functionality is designed to bolster the productivity of cybersecurity teams by expanding the capabilities for threat detection and response.
Cybersecurity teams face numerous challenges, such as frequent attempts to penetrate companies’ infrastructures and an increase in the number of complex attacks. According to the Kaspersky Human Factor 360 Report, 78% of businesses in the META region experienced at least one cybersecurity breach in 2023 and the year before. To optimize their resources and improve cybersecurity efficiency, companies are looking for solutions that help them collect and analyze information security telemetry in real time, significantly increasing their situational awareness.
The Kaspersky Unified Monitoring and Analysis platform is a next-generation SIEM solution for managing security data and events. The platform not only collects, aggregates, analyzes and stores log data from the entire IT infrastructure but also provides contextual enrichment and actionable threat intelligence insights. These functionalities are very useful to IT security experts in many cases. Kaspersky added new features that allow cybersecurity professionals to better navigate on the platform and efficiently detect threats on time.
Event forwarding from remote offices to a single stream. An event router has been added to reduce the load on communication channels and decrease the number of ports that open on network firewalls. This receives events from collectors and sends them to specified destinations based on filters configured for the service. Using an intermediate service like this one enables effective load balancing between links and allows the use of low-bandwidth links.
Grouping by arbitrary fields, using time rounding functions from the event interface. During investigations, analysts need to select events and build queries with groupings and aggregate functions. Now customers can run aggregation queries simply by selecting one or more fields, that they can use as grouping parameters, and click “Run query”.
Searching events in multiple selected storage. It is now possible to launch a search query simultaneously in multiple storage clusters and obtain results in a single consolidated table. This capability allows for more efficient and straightforward retrieval of necessary events in distributed storage clusters. The combined table indicates the storage location of each record.
Mapping rules to MITRE ATT&CK®. A mechanism has been created to assist analysts in visualizing the coverage of the MITRE ATT&CK® matrix by developed rules, thereby assessing the level of security. The functionality also allows analysts to import an up-to-date file with the list of techniques and tactics into SIEM system, specify techniques and tactics detected by a rule in its properties and export a list of rules from SIEM system marked up in accordance with a matrix to the MITRE ATT&CK Navigator.
Collection of DNS Analytics logs. The new ETW (Event Tracing for Windows) transport used to read DNS Analytics subscriptions provides an extended DNS log, diagnostic events, analytical data on DNS server operations. This provides more information than the DNS debug log, and impacts DNS server performance less.
“SIEM system is one of the primary working tools designed for cybersecurity professionals. A company’s security largely depends on how conveniently experts can interact with SIEM, allowing them to focus directly on combating threats rather than performing routine tasks. We are continuing to actively improve the solution based on market needs and customer feedback, and we are consistently introducing new features to make analysts’ work simpler,” comments Ilya Markelov, Head of Unified Platform Product Line at Kaspersky.