The number of security alerts processed by information security analysts every day is growing exponentially. By integrating up-to-the-minute machine-readable threat intelligence into existing security controls, like SIEM systems, security teams can automate the initial alert triage and investigation processes. Kaspersky CyberTrace helps them leverage that intelligence in their existing security operations workflows more effectively.
A rich toolset for analysis
CyberTrace aggregates, deduplicates, normalizes and stores incoming data and detection events. It lets you re-check the observables from previously processed events against the latest feeds to find threats that earlier checks missed (retroscan). Security analysts can export and share threat data, measure the effectiveness and relevance of the integrated feeds, and much more.
Rapid data matching
CyberTrace uses an internalized process of parsing and matching incoming data. It parses incoming logs and events, rapidly matches the resulting data to feeds, and generates its own contextualized alerts on threat detection. It helps security analysts to make fully informed decisions by providing them with complete situational awareness.
Enhanced integrations
CyberTrace enables seamless integration of threat data feeds. It integrates with any threat intelligence feed in JSON, STIX, XML and CSV formats (threat intelligence feeds from Kaspersky, other vendors, OSINT or your custom feeds). It also supports out-of-the-box integration with numerous SIEM solutions and log sources.
Multitenancy support
Multitenancy supports MSSPs or large enterprise use cases when a service provider (central office) needs to handle events from different branches (tenants) separately. This allows a single Kaspersky CyberTrace instance to be connected with different SIEM solutions from different tenants, and you can configure which feeds are to be used for each tenant.
Suitable for
This solution is particularly well suited to addressing the security requirements, concerns and constraints of these enterprise sectors.
An internalized mechanism for matching and analysis of incoming data allows effective discovery of even obfuscated threat indicators
Out-of-the-box integration with SIEM systems as well as direct integration with other IT security controls and log sources
Integration of an unlimited number of threat intelligence feeds with no negative impact on the SIEM’s performance
Feed usage statistics for measuring the effectiveness of the integrated feeds, together with the feed intersection matrix, help with choosing the most valuable threat intelligence suppliers
Optimize your threat intelligence workflows
A database of indicators and detection events with full text search and the ability to search using advanced search queries
Summarized, detailed and deduplicated information about each indicator on a single page
A Research Graph to visually explore data and detections and discover threat relationships
The ability to discuss and share information about related threats in comments
Export of indicators to other security controls
Retro-matching using the latest threat intelligence feeds to find previously missed threats
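The page describes the parse, normalize, deduplicate, match cycle under "Rapid data matching" and the retro-matching step above without showing the mechanics, so here is an added example (my own illustration, not CyberTrace code) of that cycle: a constructed CSV feed is normalized and deduplicated, constructed log lines are parsed for IP and domain observables and matched to produce contextualized alerts, stored events are then re-checked against an updated feed, and only the newly matched ones are reported. All indicators and log lines are made up for the demonstration.

```python
import csv
import io
import re

# Constructed sample feed (CSV) and log lines; none of these values are real indicators.
FEED_V1 = """indicator,type,threat,confidence
203.0.113.7,ip,Botnet_C2,90
Bad-Example.test,domain,Phishing,70
203.0.113.7,ip,Botnet_C2,90
"""
FEED_V2 = FEED_V1 + "198.51.100.23,ip,Scanner,60\n"   # newer feed adds one indicator

LOGS = [
    "2024-05-01T10:00:00Z proxy user=alice dst=bad-example.test action=allow",
    "2024-05-01T10:00:05Z fw src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-05-01T10:00:09Z dns q=internal.corp.test a=10.0.0.9",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def load_feed(text):
    """Parse a CSV feed, normalize indicators (strip, lowercase) and drop duplicates."""
    feed = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row["indicator"].strip().lower()
        feed.setdefault(key, {"type": row["type"], "threat": row["threat"],
                              "confidence": int(row["confidence"])})
    return feed

def extract_observables(line):
    """Pull IP addresses and domain names out of a log line, normalized to lowercase."""
    return {m.lower() for m in IP_RE.findall(line)} | {m.lower() for m in DOMAIN_RE.findall(line)}

def match(line, feed):
    """Return one contextualized alert per observable in the line that is present in the feed."""
    return [{"observable": o, "log": line, **feed[o]}
            for o in sorted(extract_observables(line)) if o in feed]

def scan_and_store(lines, feed, store):
    """Initial pass: match each line now, and keep every event so it can be retro-scanned later."""
    alerts = []
    for line in lines:
        store.append({"log": line, "observables": extract_observables(line)})
        alerts += match(line, feed)
    return alerts

def retroscan(store, feed, already_alerted):
    """Re-check stored events against a newer feed; report only matches not alerted before."""
    new = []
    for ev in store:
        for alert in match(ev["log"], feed):
            key = (alert["observable"], alert["log"])
            if key not in already_alerted:
                already_alerted.add(key)
                new.append(alert)
    return new
```

In a real deployment the event store would be a database and the feed parser would also accept JSON, STIX and XML, but the matching and retroscan logic stays the same.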
Build a proactive intelligence-driven defense
Although Kaspersky CyberTrace and Kaspersky Threat Data Feeds can be used separately, when used together, they significantly strengthen your threat detection capabilities, empowering your security operations with global visibility into cyberthreats. With Kaspersky CyberTrace and Kaspersky Threat Data Feeds, organizations can:
Effectively distill and prioritize security alerts
Immediately identify critical alerts and make better informed decisions about which should be escalated to incident response teams
Reduce analyst workload and prevent burnout
Out-of-the-box integrations
Integrate your security tools with out-of-the-box connectors or our robust RESTful API