Can I integrate Kaspersky Threat Data Feeds or other threat feeds with a SIEM solution using Kaspersky CyberTrace?
Yes, we have developed a special tool which allows you to integrate Kaspersky Threat Data Feeds or third-party threat data feeds (OSINT, commercial or custom) with any SIEM. It's called Kaspersky CyberTrace (previously known as Kaspersky Threat Feed Service).
Kaspersky CyberTrace is a Threat Intelligence Platform that helps analysts make timely and better-informed decisions. Kaspersky CyberTrace uses continuously updated threat data feeds to timely detect cyber threats, prioritize security alerts and effectively respond to information security incidents.
Kaspersky CyberTrace integrates threat intelligence (such as threat intelligence feeds from Kaspersky, other vendors, OSINT, internal Threat Intelligence, or even custom sources) with SIEM solutions and log sources so that users can immediately leverage threat intelligence for security monitoring and IR activities in their existing security operations workflow. If Indicators of Compromise (IoC) from the threat intelligence feeds are found in your environment, Kaspersky CyberTrace will automatically send alerts to your SIEM solutions for monitoring, validation, and uncovering additional contextual evidence of ongoing security incidents.
Kaspersky CyberTrace correlates events sent to your SIEM instance with threat data feeds to detect malicious activity on your enterprise network. You get the real-time awareness needed for highlighting the risks and implications associated with security breaches, as well as effectively mitigating cyber threats and defending against ongoing attacks.
Kaspersky CyberTrace provides analysts with a set of tools for managing threat intelligence, conducting alert triage and response:
- Ingesting any custom feeds in the most popular formats (JSON, STIX, MISP, XML, CSV) available through HTTP(S), FTP(S) or TAXII. Demo data feeds from Kaspersky and OSINT are available out of the box.
- Advanced filtering for feeds (based on the context provided with each indicator, including threat type, geolocation, popularity, time stamps and more) and log events (based on custom conditions).
- Database of indicators with full text search capability and ability to search by using advanced search queries to enable complex searches across all indicators fields, including the context fields. The ability to filter results by Intelligence supplier simplifies the process of analyzing threat intelligence.
- Pages with detailed information about each indicator for deeper analysis. Each page presents all information about an indicator from all threat intelligence suppliers (deduplication) and allows analysts to discuss threats in comments as well as add internal threat intelligence about the indicator. If the indicator has been detected, the information about detection dates and links to the detections list will be available.
- Indicators export feature allows to export indicator sets such as policies lists (block lists) in CSV format to security controls and to share threat data between Kaspersky CyberTrace instances or with other TI Platforms.
- Storage for detection events simplifies security monitoring and alerts triage processes. The raw event from the source and full information about the detection are saved to the database for future analysis. The detection list supports searching over the saved data to find all detections by threat, source IP address, user name, or any other field.
- Historical correlation feature (retroscan) allows analyzing observables from previously checked events by using the latest feeds to find previously uncovered threats. All historical detections will be included in the report for future investigations.
- Feeds usage statistics for measuring the effectiveness of the integrated feeds. Feeds intersection matrix helps in choosing the most valuable threat intelligence suppliers.
- Downloadable reports with statistics, which are valuable for informing management and teams about the value brought by each TI source.
- On-demand search of indicators (hashes, IP addresses, domains, URLs) with search history for in-depth threat investigation. Bulk scanning of logs and files is also supported.
- Export of indicators lookup results that match threat data feeds in CSV format for integration with other systems (firewalls, network and host IDS, custom tools).
- Role-based access to control and information about the operations performed by other users. For example, only users with the Administrator role can manage Kaspersky CyberTrace configuration and browse the search results of all analysts.
- Multitenancy feature allows to support MSSP or Large Enterprise use cases when a service provider (central office) needs to handle events from different branches (tenants) separately. The feature allows connecting a single Kaspersky CyberTrace instance with different SIEM solutions from different tenants and configure what feeds are used for each tenant.
- HTTP RestAPI for searching and managing threat intelligence. By using the Rest API, Kaspersky CyberTrace can be easily integrated into complex environments for automation and orchestration. The API supports observables lookup as well as TI indicators and TI suppliers managing scenarios (for example, creating and configuring a TI supplier).
- Command-line interface for Windows and Linux platforms.
- Authentication with LDAP (MS Active Directory) supported.
- Stand-alone mode, where Kaspersky CyberTrace is not integrated with a SIEM solution, but receives and parses logs from various sources such as networking devices.
- DMZ integration support. The computer on which event data is matched against feeds can be located in DMZ and isolated from the Internet.
Integrated with a SIEM solution, Kaspersky CyberTrace keeps you constantly informed about threat-related situations in the following ways:
- Allows you to configure dashboards in SIEMs in order to display and prioritize information about URLs, IP addresses, and file hashes contained in events that match threat data feeds
- Filter for sending detection events to SIEM solutions reduces the load on the solutions and on the Analyst (fighting with alerts fatigue). It allows to send to SIEM solutions only the most dangerous and confident detections that must be treated as incidents. All other detections will be saved to the internal database and can be used during root cause analysis or in threat hunting.
- Provides dashboards for at-a-glance overviews, as well as more detailed information on matching events.
- Operationalizes threat intelligence for security/SOC teams and assists threat analysts in their investigations.
- Improves and accelerates Incident Response and forensic capabilities.
- Automatically updates Kaspersky Threat Data Feeds from Kaspersky to ensure they are always up to date.
- Eliminates false positives and forms proactive, intelligence-driven defense.
- Supports all your existing security controls as event sources: Firewalls, IPS/IDS, Security Proxies, Anti-Virus solutions, DNS solutions, UTMs and more.
Indicators of compromise (IOCs) from Kaspersky Threat Data Feeds are not loaded into your SIEM instance, but processed by Kaspersky CyberTrace in a separate offline process running on your infrastructure. Since the task of matching events with large numbers of IOCs is offloaded, your SIEM instance incurs a minimal performance hit. In case of a match, rich contextual information about the incident is passed to your SIEM instance and displayed in your SIEM’s dashboard.
A high-level architecture of our current solution (SIEM connectors) works as follows:
- Incoming events are sent from different security controls and collected by the SIEM.
- The SIEM forwards received events to Kaspersky CyberTrace (a single offline process) via a TCP or Unix socket.
- Kaspersky CyberTrace receives events that contain URLs, hashes or IP addresses from the SIEM.
- Kaspersky CyberTrace automatically receives updated Threat Data Feeds from the Kaspersky infrastructure.
- Kaspersky CyberTrace matches observables (IP, URLs, domains and hashes) in received events with Threat Data Feeds.
- If there is a match with Threat Data Feeds, Kaspersky CyberTrace sends the matched event back to the SIEM solution, enriched with context from Threat Data Feeds, and informs the SIEM administrator about a security incident. Also, detection statistics are stored in Kaspersky CyberTrace to allow you to track trends and identify anomalies in your network by using the CyberTrace Web Dashboard.
- If retroscan mode is enabled, CyberTrace will store observables from checked events for future matching against the latest data feeds.
Kaspersky CyberTrace gives you the upper hand in cyberspace, strengthening your SIEM instance with continuously updated Indicators of Compromise and actionable context, as well as delivering insight into cyber attacks so that you can more fully understand the intent, capabilities, and targets of your attackers..
For more information about Kaspersky CyberTrace and how it can help your security analysts to make timely and better-informed decisions, see the Online Help page.
Kaspersky CyberTrace is available globally. To download Kaspersky CyberTrace, go to the Knowledge Base and choose the solution that you are interested in integrating with. The links to download Kaspersky CyberTrace can be found on the page describing integration with your solution.
Kaspersky CyberTrace requires a license key to run it in Enterprise network or with commercial Data Feeds. To obtain a license key, contact Kaspersky Security Intelligence Services or your technical account manager (TAM).
If no license key is installed, the free Community Edition licensing level will be used. In this mode some features are not available, no more than 250 events per second are processed and a maximum of 1,000,000 records can be loaded from all threat intelligence sources.
Kaspersky Demo Data Feeds are used by default. Kaspersky Demo Data Feeds provide a lower Detection Rate level compared to the commercial versions. To gain access to the commercial versions of Kaspersky Threat Data Feeds, please contact Kaspersky Security Intelligence Services.
Please note that Kaspersky Threat Data Feeds can also be supported by a SIEM solution using its in-built capabilities, without Kaspersky CyberTrace. It means that matching incoming events against Data Feeds will be executed inside the SIEM. Yet in this case performance is likely to drop.
To get more information on the features and improvements in each release, please download CyberTrace Release Notes.