By Konstantin Karasev, Lead Cybersecurity Architect

AI in SOC: Capabilities and Applications

The effectiveness of a cybersecurity center is determined by many factors among which the main ones are:

1. The presence of well-developed and formalized processes, covering everything from threat detection to post-incident analysis.

2. The availability of tools that enable the implementation of these processes.

   This includes a combination of systems, utilities, and other solutions designed to perform their assigned tasks with minimal failure probability.

3. The high competence of analysts.

   A lack of expertise among employees can directly impact threat response outcomes, which may negate all efforts described in points 1 and 2 and lead to unacceptable consequences for the organization.

By Konstantin Karasev, Lead Cybersecurity Architect

Playbooks in Security Operation Centers: what should they be like?

Any cybersecurity center, regardless of its maturity level, deals with a range of routine operations primarily focused on monitoring, incident response (i.e., taking actions to minimize damage from an incident), and reporting to optimize and improve SOC operations.

Sooner or later, the number of operations increases, making it necessary to automate certain routine tasks. Despite powerful AI-based tools, cybersecurity centers still need human involvement. However, it is important to note that additional automation tools do lower the threshold for entry into SOC analyst work, leading to cost savings. Any cybersecurity center is interested in spending money wisely and generally protecting the company's revenue, in whose interests the SOC operates.

What is a playbook?

Essentially, a playbook is a set of actions designed to achieve a specific result, it’s not necessarily identical to a response scenario. Customers of automation systems sometimes confuse response scenarios with playbooks, assuming they are the same. However, this is not entirely true.

The developer has added a correlation rules builder to the Defensys SIEM 2.0. It enables interactive creation and modification of correlation rules without using the code editor. Visual interface and step-by-step process visualization make it easier for analysts to create necessary rules.

The changes have also affected elements of the event processing pipeline. Defensys experts have added the main metrics: “number of errors”, “received and sent events” to the pipeline interface. Now metrics for each element are available at once, without further going into details. The new feature helps to identify potential errors faster and minimize the loss of incoming events.

The vendor has also added a WMI-type entry point that collects Windows logs from endpoints, servers, and WEC (Windows Event Collector) to the release. The update allows users to configure a single entry point to collect multiple logs, making the source configuration easier for engineers.

Defensys has presented a new version of the flagship product Defensys SIEM 1.8 with extended functions. The version has audit of cyber event sources for a quick problem’s identification and elimination, Kubernetes performance monitoring for glitch risk minimization, and a faster user authentication through LDAP-protocol.

New level of event source management

In the new version of the Defensys SIEM users can track sources’ statuses, that transfer events to collectors. The status is assessed based on the events’ quantity and quality, which makes the abnormalities detection possible.

For this purpose, the system provides customizable source auditing policies. They track changes in the event pipeline and send notifications via customized integrations when specified threshold values are reached.

Timeliness and completeness of incoming events are crucial aspects for SOC functionality. That’s why the developer has added metrics for sources control which help to promptly detect and eliminate possible problems, such as missing events from one of the sources.

Kubernetes performance monitoring

Challenge

A variety of disordered incidents coming from different sources, no automatic classification, a lot of tasks with manual handling, lack of transparency in operations – all these factors lead to mismanagement incompanies’ cyber security and cause complex issues. Unfortunately, each organization that has no implemented incident management process faces the problems mentioned above and the Mining company was no exception.

Besides, the Company had an additional requirement connected with its business niche: incident information had to be transferred to a government agency in a special report form, when severe incidents occur.

After comparing the products of different vendors, the Mining company has chosen the Defensys SOAR as a perfect solution, that fulfills all necessary tasks.

Implementation & Results

First of all, Defensys has set up integrations with the antivirus, SIEM system, and a vulnerability scanner already used in the Company, so that the SOAR immediately receives all data regarding coming incidents.

Defensys defines cybersecurity and governance with a comprehensive suite of SGRC tools designed to streamline and automate KPI measurement. Defensys SGRC empowers organizations to enhance their cybersecurity resilience and maintain robust protection against evolving threats.

Automate and Customize Metrics to Fit Your Needs

Defensys SGRC enables seamless automation of KPI calculations across any time period, gathering data from diverse sources to ensure accuracy and relevance. With our platform, organizations can easily implement automated measurements for critical cybersecurity resilience metrics, making it possible to monitor and manage cybersecurity performance in real-time.

Defensys supports a wide range of KPIs to assess compliance, asset protection, and training effectiveness. This flexible functionality allows users to track:

• Percentage of antivirus agents successfully installed and reviewed on servers and endpoints.

• Percentage of employees completing annual training, including privacy and sensitive data protection practices.

• Percentage of policies reviewed annually.

• Percentage of network devices not running the latest stable version of security-related updates.

The number of cyber threats increases rapidly. Year by year emerge new malware and hacker groups that can undermine the continuity of companies’ business processes. To protect themselves, organizations need reliable tools that can help them withstand today’s cyber threats, one of them is the Defensys SIEM.

Defensys analysts team pays considerable attention to the development of in-house expertise packages, focusing on the quality, relevance and timeliness of rules in the Defensys SIEM. Special feature of the technology is the convenience and flexibility of working with collected events: the solution provides a multifunctional set of tools for creating, testing and operating rules for detecting attacks and threats.

Defensys takes into account the needs of customers, so the product can be easily adapted to work with various event sources, including information security tools from well-known vendors and operating systems, and others. A wide range of systems supported by the Defensys SIEM allows users to quickly configure sources and subsequent event collection to quickly identify threats and develop effective measures to eliminate them.

Challenge & Implementation

The Financial Institution had an implemented vulnerabilities management process based on Company’s scanners, that transferred vulnerabilities to the Defensys SOAR. When the Institution decided to change existing scanners, the running process was stopped. Moreover, the process was inconvenient for users and there was a huge demand for innovations. The Defensys’s engineers together with the Institution’s representatives have formulated the main goals for the process modernization:

1. Нosts have to be grouped in one incident

Previously 1 vulnerability was connected to only 1 host, that consequently led to creation of 1 incident in the SOAR and 1 remediation request in the Company’s ITSM system. So the process was related to the most critical vulnerabilities only. Because if the SOAR received more than three hundred thousand vulnerabilities, the IT department would have the same number of requests. As human resources are limited all the vulnerabilities could not be remediated on time in such a case.

Defensys, the developer of cybersecurity solutions, continues to keep Defensys SIEM development at a high pace and is ready to announce the release of the new version 1.6. The version includes improvements of correlation rules handling, as well as enhanced scalability, additional control, and user management.

A new module of distributed correlator available while setting up a collector has been added to the Defensys SIEM 1.6. Now resources of several nodes in a cluster can be used for synchronized events handling. Thanks to this correlation resources can be horizontally scaled with available physical machines for numerous events handling saving the cost of large configurations.

The Defensys team has paid particular attention to companies with huge infrastructures for whom a flexible role model is extremely important. Therefore, the developers have implemented the multitenancy in the new version, thanks to which it’s possible to centrally manage one solution to protect several organization’s branches or different organizations within one interface.

Challenge

The Bank effectively uses the Defensys SOAR and SGRC in their routine. Nevertheless, the implemented scanner of the Bank from another vendor reported about numerous vulnerabilities daily. Thus the necessity appeared to develop and set up new processes of vulnerabilities management.

Implementation

New policies and processes had to be restructured considering the specifics of the Bank’s infrastructure: all company’s assets are united into informational systems. Individual departments of the Bank and even teams are responsible for different cyber security functions.

Using integration with the Bank’s task-manager, the Defensys’s engineers updated response processes. A playbook, that creates a ticket for responsible employees in a task-manager and adds a report in Excel-form, starts after a new portion of vulnerabilities has automatically come from the scanner. The report contains necessary information regarding vulnerabilities only for a certain team, responsible for separate business processes.