Kaspersky enhances SIEM capabilities with major platform update

Kaspersky has announced a major update to its Unified Monitoring and Analysis Platform, a security information and event management system (SIEM). The update aims to enhance the productivity of cybersecurity teams by expanding capabilities for threat detection and response.

With the growing challenges faced by cybersecurity teams, such as frequent intrusion attempts and increasingly complex attacks, the update is timely. Kaspersky's Human Factor 360 Report stated that 77% of businesses experienced at least one cybersecurity breach in 2023, with some dealing with up to six breaches in the same year. Companies are under pressure to optimise their resources and improve cybersecurity efficiency by seeking solutions that provide real-time security telemetry analysis, thus enhancing situational awareness.

Kaspersky's Unified Monitoring and Analysis Platform is a next-generation SIEM solution that manages security data and events. It collects, aggregates, analyses, and stores log data from the entire IT infrastructure while providing contextual enrichment and actionable threat intelligence insights. The new features introduced aim to make it easier for cybersecurity professionals to navigate the platform and efficiently detect threats in a timely manner.

One of the new features is event forwarding from remote offices to a single stream. An event router has been added to reduce load on communication channels and the number of ports opened on network firewalls. This router receives events from collectors and sends them to specified destinations based on configured filters, enabling effective load balancing between links and the use of low-bandwidth links.

The platform now allows grouping by arbitrary fields using time rounding functions from the event interface. During investigations, analysts can select events and build queries with groupings and aggregate functions. Users can run aggregation queries by selecting one or more fields as grouping parameters and clicking "Run query."

Another enhancement is the capability to search events in multiple selected storage clusters simultaneously. A search query can now be launched across multiple storage clusters, with results obtained in a single consolidated table that indicates the storage location of each record. This feature aims to provide more efficient and straightforward retrieval of necessary events in distributed storage clusters.

Additionally, a mechanism for mapping rules to the MITRE ATT&CK framework has been introduced. This feature assists analysts in visualising the coverage of the MITRE ATT&CK matrix by developed rules, thereby assessing security levels. The functionality also allows analysts to import an up-to-date file with techniques and tactics into the SIEM system, specify techniques and tactics detected by a rule in its properties, and export a marked-up list of rules to the MITRE ATT&CK Navigator.

The update includes the collection of DNS Analytics logs via the new Event Tracing for Windows (ETW) transport. This transport reads DNS Analytics subscriptions and provides an extended DNS log, diagnostic events, and analytical data on DNS server operations. It offers more information than the DNS debug log and has less impact on DNS server performance.

"The SIEM system is one of the primary tools designed for cybersecurity professionals," said Ilya Markelov, Head of Unified Platform Product Line at Kaspersky. "A company's security largely depends on how conveniently experts can interact with SIEM, allowing them to focus directly on combating threats rather than performing routine tasks. We are continuing to actively improve the solution based on market needs and customer feedback, and we are consistently introducing new features to make analysts' work simpler."