Consultants from Defensys’s Center of expertise along with our partners are ready to map the current correlation rules of SIEMs and other security tools of our customers with MITRE tags so that the incident registered in SOAR will already contain all the needed data.

“It’s been almost a year and a half since we started this practise with one of our Telecom customers. At the moment we’ve got all SOAR implementation projects where this mapping exists. This way you can ease the process of incidents classification, adopt proper playbooks, draw metrics with statistics. And of course you can speak the same language with the community when it comes to discuss some interesting or critical cases.” – says Andrey Chechetkin, Deputy CEO of Defensys.

We’d like to remind you that after the implementation of the Defensys SOAR in the incident card a customer is able to see:

The Defensys company issued the fifth version of its SOAR platform which is core solution for building Security Operations Centers (SOC) of different scales. SOAR v 5.0 got a lot of new features. In particular there appeared a native part in the incident card for working with IoCs which come from security alerts and Threat Intelligence platforms. User experience in operating with playbooks updated significantly as well. Besides the overall interface of the system got serious enhancements.

Important changes are ready to be used in the core functional block of incident management. The version 5.0 of Defensys SOAR gives you the opportunity to work with groups of incidents and it helps users conveniently handle cases when several incidents are related between each other. You can simply customize policies for auto filling field values inside this group of incidents. For example the parent incident status could be just inherited in included incidents or the total amount of damage will be automatically placed into the dedicated field in the parent incident. One more important feature is the part of incident card specially tailored to work with IoCs in the most convenient way and of course all the results of operating with IoCs are distributed into the variety of dashboards.

Challenge

With 5 independent regional SOCs connected to the main SOC in HQ the Company’s cybersecurity staff had to register incidents in service desk, that wasn’t connected to an IT SD but all the other data needed for the investigation was manually collected from multiple sources: security tools, data lakes, billing systems. Also, it was quite difficult to quickly find properties of the technical equipment involved in the cyber incident. Threat Intelligence data was processed semi-automatically without any connections to other systems.

Defensys products

After a comprehensive procedure of comparing different technologies for building the next version of SOC the Company have chosen Defensys as a leader in automating cybersecurity processes. The decision was to use SOAR and TIP to enhance capabilities of an existing SOC with a lot of systems not connected with each other.

Results

All the incidents from different security tools along with customers’ enquiries are processed in one system that helps to use the same investigation frameworks for different teams that is important when it comes to collect performance metrics. These incidents are automatically registered based on the MITRE ATT&CK framework so the whole team operates with the same terms when working during the response process.

Cybersecurity news

• Zyxel has published a security advisory to warn admins about multiple vulnerabilities affecting a wide range of firewall, AP, and AP controller products. While the vulnerabilities aren’t rated as critical, they are still significant on their own and can be abused by threat actors as part of exploit chains.
• A new ransomware named ‘Cheers’ has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers.
• Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma.

Cybersecurity news

• HP has released BIOS updates to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges.
• Google announced a range of privacy measures that will help users retain more control over how their data is used by Google applications and displayed to the world through search.
• Microsoft has issued fixes for three zero-day vulnerabilities, including one being actively exploited in the wild, as part of its May monthly update round.
• Apple, Google and Microsoft have joined forces to expand support for passwordless logins across mobile, desktop and browsers.
• The National Institute of Standards and Technology (NIST) released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.
• Nozomi Networks

Cybersecurity news

• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog, including flaws affecting Microsoft, Linux, WSO2, and Jenkins systems.
• The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.
• Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company’s web application security framework. The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9.
• Some popular virtual private networks (VPNs) may be leaving users exposed to a significant security risk.

Cybersecurity news

• Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new ‘Serpent’ backdoor malware on systems of French government agencies and large construction firms.
• The Cybersecurity and Infrastructure Security Agency (CISA) has added a massive set of 66 actively exploited vulnerabilities to its catalog of ‘Known Exploited Vulnerabilities’. These flaws have been observed in real cyberattacks against organizations, so they are published to raise awareness to system administrations and serve as official advisories for applying the corresponding security updates.
• A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.

Cybersecurity news

• A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. When signing into websites, it is common to see the option to sign with Google, Microsoft, Apple, Twitter, or even Steam.
• A new Linux vulnerability known as ‘Dirty Pipe’ allows local users to gain root privileges through publicly available exploits. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
• HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gain high privileges and remain undetectable by installed security software.

Cybersecurity news

• The Cube ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLD DRAWN. However, the ransomware is more commonly known as Cuba.
• A notification from the U.S. Cybersecurity Infrastructure and Security Agency warns that threat actors are exploiting vulnerabilities in the Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services.

Defensys has released a new version of the Defensys Security Orchestration Automation and Response Platform (SOAR), a platform that is designed to automate monitoring and responding to cybersecurity incidents.

The Defensys SOAR 4.7 platform allows incidents to be combined into groups. You can work with a chain of related or the same types of incidents. One parent incident is selected for the group, the others are considered as child incidents. By grouping them, the user can examine and analyze cybersecurity events all together, if they have a common cause. Besides working with groups of incidents from the user interface, it is now available for the users to use in playbooks and through the public API of the system.

Playbooks were also updated. In version 4.7, the incident card has a playbook launch timeline with the ability to control its display: the user can navigate to the selected playbook, as well as collapse the playbook diagram into a compact block. The start button for a particular playbook can now be placed in the incident card itself.

Defensys customer support will notify current users when updates are available for migration. If you would like to receive an update for pre-testing and to familiarize yourself with the functionality, send us an email to support@defensys.com