The threat intelligence platform solves the problem of ingesting many Indicators of Compromise (IoCs) to SIEMs which can lead to delays in the processing of incidents and missed detections
The Kaspersky CyberTrace solution has been updated to include extended threat intelligence (TI) platform capabilities that include alert triage, threat data analysis and incident investigation. The new paid edition integrates with all commonly used security information and event management (SIEM) solutions and security controls and provides graphical visualisation for efficient responses. The community version of CyberTrace remains available for free.
Vast amounts of information are processed and millions of alerts are generated by multiple threat intelligence sources constantly. Effective alert prioritisation, triage, and validation incredibly become difficulty by this level of fragmented and multi-format data. That is why for IT security teams the ability to identify real threats remains one of the top challenges.
Kaspersky has upgraded its CyberTrace threat intelligence fusion and analysis tool to a centralised Threat Intelligence Platform to help corporate security and incident response teams facilitate threat detection, investigation and response and raise the efficiency of IT security operations.
To allow security teams to conduct complex searches across all indicator fields, analyse observables from previously checked events, measure the effectiveness of integrated feeds and a feed intersection matrix, the new edition of the solution has been updated with advanced features. It also offers a public API for integration with automated workflows. In addition, to control operations that are managed by different users and handle events from different branches separately, the threat intelligence platform now supports Multiuser and Multi-tenancy features. The paid edition, which is suitable for large enterprises and MSSPs, supports all features and enables processing and downloading an unlimited number of EPS and IoCs.
Kaspersky CyberTrace remains free for users in its community edition. Except for the ability to add multi-user and multi-tenancy accounts, this version provides all the existing capabilities of the solution, as well as the new functions mentioned above. It also limits the number of processed events per second (up to 250) and the number of indicators that can be downloaded (up to one million).
Supporting any threat intelligence feed in STIX 2.0/2.1/1.0/1.1, JSON, XML and CSV formats, Kaspersky CyberTrace smoothly integrates with all commonly used SIEM solutions and security controls. Including security analysts from across the globe and its leading-edge GReAT and R&D teams, by default, the solution includes native integration of a broad portfolio of Kaspersky Threat Data Feeds which are generated by hundreds of the company’s expert.
The threat intelligence platform solves the problem of ingesting many Indicators of Compromise (IoCs) to SIEMs which can lead to delays in the processing of incidents and missed detections. Kaspersky CyberTrace automatically extracts IoCs from logs coming to SIEMs and analyses them internally within the owned in-built machine engine. That enables faster processing of an unlimited number of IoCs without overloading the SIEM.
While the multi-tenancy feature facilitates knowledge sharing and reporting for decision-makers on threat intelligence practices, allowing users to handle events from different branches (tenants), to identify and measure which streams of threat intelligence are most relevant for their organisation, a dashboard with statistical detection data broken down by threat intelligence source helps users.
The ability to tag IoCs helps users to evaluate importance of an incident. IoCs can also be automatically sorted and filtered based on these tags and their weights. This feature simplifies the management of groups of IoCs and their relevance.
The service now includes the Research Graph to obtain the full overview of an incident and understand its magnitude. This tool helps analysts study the relationships between indicators and develop an incident perimeter in a graphical visualisation for more efficient responses. Relationships are built depending on the feeds ingested to Kaspersky CyberTrace, enrichments from Threat Intelligence Portal and manually added indicators.
A REST API allows analysts to look up and manage threat intelligence or easily integrate the platform into complex environments for automation and orchestration.
“Today, given the growing complexity of the cyber-threat landscape, we see that organisations need comprehensive solutions for faster, high-quality threat detection, investigation and response. Kaspersky’s expanded CyberTrace for enterprises and MSSPs, combines rich out-of-the-box functionality with the flexibility to customise and tune in to individual alerts, triage and evaluate them based on various TI sources, allowing security teams to focus on the most relevant notifications effectively”, comments Ariel Jungheit, Senior Security Researcher at Kaspersky.
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.