Can I integrate Kaspersky Threat Data Feeds or other threat feeds with a SIEM solution using Kaspersky CyberTrace?

Latest update: January 17, 2020 ID: 13850

Yes, we have developed a special tool that allows you to integrate Kaspersky Threat Data Feeds or third-party threat data feeds (OSINT, commercial or custom) with any SIEM. It's called Kaspersky CyberTrace (previously known as Kaspersky Threat Feed Service).

Kaspersky CyberTrace is a threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions so that users can immediately leverage threat intelligence for security monitoring and IR activities in their existing security operations workflow.

Kaspersky CyberTrace uses continuously updated threat data feeds to promptly detect cyber threats, prioritize security alerts and effectively respond to information security incidents.

Kaspersky CyberTrace integrates with threat intelligence sources (threat intelligence feeds from Kaspersky, other vendors, OSINT or even custom sources), SIEM software and log sources.

Kaspersky CyberTrace dashboard

Kaspersky CyberTrace correlates events sent to your SIEM instance with threat data feeds to detect malicious activity on your enterprise network. You get the real-time awareness needed for highlighting the risks and implications associated with security breaches, as well as effectively mitigating cyber threats and defending yourself against ongoing attacks.

Kaspersky CyberTrace provides analysts with a set of tools for conducting alert triage and response:

  • Feed usage statistics for measuring the effectiveness of the integrated feeds.
  • On-demand search of indicators (hashes, IP addresses, domains, URLs) with search history for in-depth threat investigation. Bulk scanning of logs and files is also supported.
  • A web user interface providing data visualization, access to configuration, feed management, log parsing rules, blacklists and whitelists.
  • Advanced filtering for feeds (based on the context provided with each indicator, including threat type, geolocation, popularity, time stamps and more) and log events (based on custom conditions).
  • Export of lookup results matching data feeds to CSV format for integration with other systems (firewalls, network and host IDS, custom tools).
  • Role-based access to control which operations different users can perform. For example, only users with the Administrator role can manage the Kaspersky CyberTrace configuration and browse the search results of all analysts.
  • Downloadable reports with statistics that show the management team the value brought by each TI source.
  • Command-line interface for Windows and Linux platforms.
  • Stand-alone mode, where Kaspersky CyberTrace is not integrated with a SIEM solution, but receives and parses logs from various sources such as networking devices.
  • DMZ integration support. The computer on which event data is matched against feeds can be located in a DMZ and isolated from the Internet.

Integrated with a SIEM solution, Kaspersky CyberTrace keeps you constantly informed about threat-related situations in the following ways:

  • Allows you to set dashboards in SIEMs to display and prioritize information about URLs, IP addresses, and file hashes contained in events that match threat data feeds.
  • Provides dashboards for at-a-glance overviews, as well as more detailed information on matching events.
  • Operationalizes threat intelligence for security/SOC teams and assists threat analysts' investigations.
  • Improves and accelerates incident response and forensic capabilities.
  • Identifies relevant events for further investigation and filters out “noise” going to your SIEM.
  • Automatically updates Kaspersky Threat Data Feeds from Kaspersky to ensure they are always up to date.
  • Eliminates false positives and forms a proactive, intelligence-driven defense.
  • Supports all your existing security controls as event sources: Firewalls, IPS/IDS, Security Proxies, Anti-Virus solutions, DNS solutions, UTMs and more.

Indicators of compromise (IOCs) from Kaspersky Threat Data Feeds are not loaded into your SIEM instance, but are instead processed by Kaspersky CyberTrace in a separate offline process running on your infrastructure. Since the task of matching events with large numbers of IOCs is offloaded, your SIEM instance incurs a minimal performance hit. In case of a match, rich contextual information about the incident is passed to your SIEM instance and displayed in your SIEM’s dashboard.

At a high level, the current solution (SIEM connectors) works like this:

  • Incoming events are sent from different security controls and collected by the SIEM.
  • The SIEM forwards received events to Kaspersky CyberTrace (a single offline process) via TCP or Unix socket.
  • Kaspersky CyberTrace receives events that contain URLs, hashes or IP addresses from the SIEM.
  • Kaspersky CyberTrace automatically receives new Data Feeds from the Kaspersky infrastructure.
  • Kaspersky CyberTrace matches observables (IP, URLs, domains and hashes) in received events with Threat Data Feeds.
  • If there is a match with Threat Data Feeds, Kaspersky CyberTrace sends the matched event back to the SIEM solution, enriched with context from Threat Data Feeds, and informs the SIEM administrator about a security incident. Also, detection statistics are stored in Kaspersky CyberTrace to allow you to track trends and identify anomalies in your network by using the CyberTrace Web Dashboard.
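The matching and enrichment step of the flow above, as an added illustration that is not Kaspersky CyberTrace's code and does not use its real feed or event formats: a constructed feed with per-indicator context, constructed key=value events such as a SIEM might forward, and an offline matcher that returns only the enriched matches that would go back to the SIEM.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample feed: indicator -> context (threat type, popularity).
# The MD5 is the well-known EICAR test-file hash; the IP and domain are
# documentation/example values, not real indicators.
FEED: Dict[str, Dict[str, str]] = {
    "198.51.100.23": {"type": "ip", "threat": "botnet_cnc", "popularity": "3"},
    "malicious.example": {"type": "domain", "threat": "phishing", "popularity": "5"},
    "44d88612fea8a8f36de82e1278abb02f": {"type": "md5", "threat": "test_file", "popularity": "1"},
}

# Constructed sample events in a simple key=value form (not a real SIEM format).
EVENTS: List[str] = [
    "src=10.0.0.5 dst=198.51.100.23 action=allow",
    "host=workstation7 file_md5=44d88612fea8a8f36de82e1278abb02f verdict=clean",
    "src=10.0.0.9 dst=203.0.113.4 url=http://benign.example/index.html",
    "query=malicious.example client=10.0.0.12",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Deliberately simple: also catches things like "index.html"; harmless
# here because a candidate only matters if it is present in the feed.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_observables(event: str) -> List[str]:
    """Pull candidate IPs, MD5 hashes and domains out of one raw event line."""
    found = IP_RE.findall(event) + MD5_RE.findall(event) + DOMAIN_RE.findall(event)
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def match_event(event: str, feed: Dict[str, Dict[str, str]] = FEED) -> Optional[dict]:
    """Return the event enriched with feed context for each hit, or None if nothing matched."""
    hits = [{"indicator": obs, **feed[obs]} for obs in extract_observables(event) if obs in feed]
    if not hits:
        return None  # non-matching events are dropped, so the SIEM only sees enriched hits
    return {"original_event": event, "matches": hits}


def process(events: List[str], feed: Dict[str, Dict[str, str]] = FEED) -> List[dict]:
    """Offline matching loop: the list returned is what would be sent back to the SIEM."""
    return [m for m in (match_event(e, feed) for e in events) if m is not None]


if __name__ == "__main__":
    print(json.dumps(process(EVENTS), indent=2))
```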

Kaspersky CyberTrace gives you the upper hand in cyberspace, strengthening your SIEM instance with continuously updated Indicators of Compromise and actionable context, as well as delivering insight into cyber attacks so that you can more fully understand the intent, capabilities, and targets of your attackers.

For more information about Kaspersky CyberTrace and how it can help your security analysts to make timely and better-informed decisions, see the Online Help page.

Kaspersky CyberTrace is available globally. To download Kaspersky CyberTrace, go to the Knowledge Base and choose the solution that you are interested in integrating with. The links to download Kaspersky CyberTrace can be found on the page describing integration with your solution.

Kaspersky CyberTrace requires a license key to run in an enterprise network or with commercial Data Feeds. To obtain a license key, contact Kaspersky Security Intelligence Services or your technical account manager (TAM).

If no license key is installed, the free Community Edition licensing level is used. In this case multi-user mode is not available, no more than 250 events per second are processed and no more than 1 000 000 records can be loaded from all feeds.

Kaspersky Demo Data Feeds are used by default. Kaspersky Demo Data Feeds provide a lower Detection Rate level than the commercial versions. To gain access to the commercial versions of Kaspersky Threat Data Feeds, please contact Kaspersky Security Intelligence Services.

Please note that Kaspersky Threat Data Feeds can also be supported by a SIEM solution using its in-built capabilities, without Kaspersky CyberTrace, when all the matching logic (Data Feeds and incoming events) is executed inside the SIEM. However, in this case a performance drop is likely.

To get more information on the features and improvements in each release, please download CyberTrace Release Notes.
