The new version of MaxPatrol SIEM can be deployed on Linux systems


Positive Technologies has released MaxPatrol SIEM 7.0, a new version of its information security event monitoring system. The main changes in this release are support for Linux operating systems, distributed event search for detecting attacks on large, geographically dispersed infrastructures, and simpler management of asset significance (the importance of an asset from an information security point of view).

MaxPatrol SIEM 7.0 can now be installed on Linux. According to Positive Technologies, over 1 million Astra Linux licenses were purchased in 2020, and more than 4 thousand organizations use that distribution. The product can therefore be deployed by government departments, state corporations, critical information infrastructure (CII) entities and other organizations that already run Linux or are migrating to it as part of import substitution. The ability to install MaxPatrol SIEM on domestic OS distributions is especially relevant for Russian companies in the current environment. The system also supports Debian 10.

“We have long felt the need for customers to use a single platform for all components of the product. This greatly simplifies the deployment of the system and its operation, which is the main priority of the company in the development of its information technology solutions. And the support of domestic Linux distributions simplifies the implementation of import substitution requirements,” comments Roman Sergeev, Product Development Manager, MaxPatrol SIEM, Positive Technologies.

According to Positive Technologies, 15% of information security specialists name monitoring of subordinate units as one of the most time-consuming tasks in a SIEM system. The problem mainly affects organizations with a large, geographically distributed infrastructure. With distributed event search, MaxPatrol SIEM operators see the overall security picture and can quickly identify complex, atypical attacks aimed at the infrastructure of an individual unit or at the enterprise as a whole. Events from all installations are available to the operator of the head platform for searching, filtering, grouping, aggregation and reporting.

Network infrastructure nodes, whose number can reach tens or hundreds of thousands, differ in how important they are from an information security point of view. So that operators are not distracted by less important assets, MaxPatrol SIEM 7.0 adds the ability to assign asset significance by policy. For example, all domain controllers can be assigned a high significance level automatically, which frees MaxPatrol SIEM users from routine operations. The significance of any asset can still be overridden manually at any time.

Starting from version 7.0, the product supports a new event store developed by Positive Technologies, LogSpace. According to the vendor, it uses disk space 5 to 7 times more efficiently, so MaxPatrol SIEM users can either reduce hardware costs or increase event retention depth with the resources they already have. Customers can also continue to use the familiar Elasticsearch storage.

MaxPatrol SIEM 7.0 also improves the performance of the correlator, the component responsible for detecting malicious activity: RAM consumption has been optimized, throughput has been increased, and the correlator can now use multiple processor cores.

Event filter queries are now saved in a history and can be reused. This is especially useful for SIEM operators testing hypotheses with PDQL queries¹ during investigations.

“MaxPatrol SIEM 7.0 is a long-awaited release. It combines updates affecting system changes (for example, the possibility of using the Linux OS family, including certified versions, and the transition to a proprietary database that meets customer requests for processing significant event flows) and architectural ones, namely horizontal scaling for distributed event search. Also in the new version of the system there are many improvements that increase the convenience of the operational work of information security analysts investigating cybersecurity incidents. The MaxPatrol SIEM development team has done a lot of work to effectively use the product in distributed environments of large enterprise segment customers,” confirms Elman Beybutov, Head of Information Security Event Monitoring at Positive Technologies.

To upgrade to MaxPatrol SIEM 7.0, contact Positive Technologies partners or technical support.

¹ Positive Data Query Language (PDQL) is a language developed by Positive Technologies for writing queries to the knowledge base when processing events, incidents, dynamic asset groups and tabular lists in MaxPatrol SIEM.