Multiple threat intelligence sources constantly process vast amounts of information and generate millions of alerts. This level of fragmented and multi-format data makes effective alert prioritization, triage, and validation incredibly difficult. That is why the ability to identify real threats remains one of the top challenges for IT security teams.
To help corporate security and incident response teams facilitate threat detection, investigation and response and raise the efficiency of IT security operations, Kaspersky has upgraded its CyberTrace threat intelligence fusion and analysis tool to a centralized Threat Intelligence Platform.
The new edition of the solution has been updated with advanced features that allow security teams to conduct complex searches across all indicator fields, analyze observables from previously checked events, measure the effectiveness of integrated feeds and a feed intersection matrix. It also offers a public API for integration with automated workflows. In addition, the platform now supports Multiuser and Multitenancy features to control operations that are managed by different users and handle events from different branches separately. The paid edition, which is suitable for large enterprises and MSSPs, supports all features and enables processing and downloading an unlimited number of EPS and IoCs.
Kaspersky CyberTrace remains free for users in its community edition. This version provides all the existing capabilities of the solution, as well as the new functions mentioned above, except for the ability to add multi-user and multi-tenancy accounts. It also limits the number of processed events per second (up to 250) and the number of indicators that can be downloaded (up to one million).
Unique integration approach
Kaspersky CyberTrace smoothly integrates with all commonly used SIEM solutions and security controls, supporting any threat intelligence feed in STIX 2.0/2.1/1.0/1.1, JSON, XML and CSV formats. By default, the solution includes native integration of a broad portfolio of Kaspersky Threat Data Feeds which are generated by hundreds of the company’s experts, including security analysts from across the globe and its leading-edge GReAT and R&D teams.
The platform solves the problem of ingesting many Indicators of Compromise (IoCs) to SIEMs which can lead to delays in the processing of incidents and missed detections. Kaspersky CyberTrace automatically extracts IoCs from logs coming to SIEMs and analyzes them internally within the owned in-built machine engine. That enables faster processing of an unlimited number of IoCs without overloading the SIEM.
A dashboard with statistical detection data broken down by TI source helps users to identify and measure which streams of threat intelligence are most relevant for their organization, while the multi-tenancy feature facilitates knowledge sharing and reporting for decision-makers on threat intelligence practices, allowing users to handle events from different branches (tenants).
The ability to tag IoCs helps users to evaluate importance of an incident. IoCs can also be automatically sorted and filtered based on these tags and their weights. This feature simplifies the management of groups of IoCs and their relevance.
Convenient tools for threat investigation
To obtain the full overview of an incident and understand its magnitude, the service now includes the Research Graph. This tool helps analysts study the relationships between indicators and develop an incident perimeter in a graphical visualization for more efficient responses. Relationships are built depending on the feeds ingested to Kaspersky CyberTrace, enrichments from Threat Intelligence Portal and manually added indicators.
A REST API allows analysts to look up and manage threat intelligence or easily integrate the platform into complex environments for automation and orchestration.
“Today, given the growing complexity of the cyberthreat landscape, we see that organizations need comprehensive solutions for faster, high-quality threat detection, investigation and response. Kaspersky’s expanded CyberTrace for enterprises and MSSPs, combines rich out-of-the-box functionality with the flexibility to customize and tune in to individual alerts, triage and evaluate them based on various TI sources, allowing security teams to focus on the most relevant notifications effectively,” comments Ariel Jungheit, Senior Security Researcher at Kaspersky.
12 November 2021