Network security incidents happen constantly, and organizations keep buying products, yet the daily life of the security team is either fighting fires or on the way to the next fire. Where does the root cause lie?
From the perspective of how organizations have built their security: an attack leaves traces along several paths. Organizations have bought many security devices over the years, but each device sees only a single trace, and the devices detect and respond in isolation. Automatically correlating the traces from multiple nodes into one complete security event is difficult, so the result is a flood of alarms and a shortage of skills to work through them.
From the perspective of attacker tradecraft: as attackers' tactics, techniques and procedures (TTPs) keep evolving, legacy detection equipment captures only part of an attacker's methods. The result is large numbers of false positives and false negatives, and the threat cannot be pinpointed.
From the perspective of the operations staff who analyze and respond: faced with false positives, false negatives and traces scattered across different devices, operators have to reconstruct a single incident from the alarm logs of each device. Their capacity and energy are limited, so timely alarm analysis and incident response cannot be guaranteed.
Faced with this threat detection and response challenge, Sangfor repeatedly hears the same three soul-searching questions when talking with users:
How to escape the flood of alarms and focus on actual security events?
How to detect latent threats and improve detection accuracy?
How to improve operational efficiency while saving worry, effort and money?
Sangfor's extended detection and response platform, SaaS XDR, offers a new answer to these questions.
Part 1
Take burglary as an analogy: a thief first cases the building, marks the target flat, picks the best time to act and then picks the lock to carry out the theft. A security incident does not happen overnight; every move the thief makes, casing, marking, lock-picking, leaves a trace.
The same is true of attacks by malicious hackers, which manifest mainly as network (N) and endpoint (E) behaviour. In the past, endpoint anti-virus software and network traffic detection devices each raised an alarm for every attack step they saw, but alarms from the network side and the endpoint side could not be deeply correlated. The result was a large volume of alarm information and no actual security events.
Unlike full data collection, telemetry, a newer monitoring and measurement technique, actively collects only the behavioural data relevant to each telemetry point and to known attack techniques and tactics. An engine then aggregates and analyzes the telemetry to capture attack behaviour promptly and present richer, multi-dimensional information, helping users judge whether a real security risk exists and even trace past incidents to reconstruct the attack storyline.
By collecting network-side and endpoint-side telemetry such as network connection records, key packet contents, endpoint process call chains and scheduled tasks, Sangfor SaaS XDR covers more than 163 ATT&CK techniques. It correlates that telemetry into a storyline, builds a complete, high-quality attack chain and identifies intrusions at minute-level latency.
Through automated detection and alarm aggregation, Sangfor SaaS XDR reduces the discrete, high-volume raw alarms from both the network and endpoint sides, keeps the alarm count within what a limited team can handle, and converts them into security events and alarms that users can understand. Sangfor reports a reduction ratio of nearly 90%.
Part 2
How should IOA and IOC detection be understood? Using the burglary analogy again: IOA (indicators of attack) detection means the neighbourhood guard spots the thief casing the building, marking the door and picking the lock, and stops the theft in time; IOC (indicators of compromise) detection means that after the theft, the thief is tracked down through CCTV footage, fingerprints and other evidence.
In other words, IOA detects attack behaviours in real time, before the attack succeeds, while IOC refers to the characteristics a compromised system exhibits after the attack has succeeded. IOC detection is highly accurate but cannot catch latent advanced threats; IOA proactively looks for early warning signs of a possible attack, such as code execution, persistence, defence evasion, command-and-control (C&C) communication and lateral movement.
Sangfor SaaS XDR combines IOA and IOC detection to provide continuous monitoring of attack behaviour during an incident and rapid tracing after it, which marks a shift in security design from passive defence to active detection.
In the past, however, once an attack alarm was raised, operations staff had to analyze it to confirm whether it was a real attack and rule out a false alarm. That analysis is time-consuming and typically requires physical access to the suspect endpoint, which is essentially impossible for remote workers and branch offices.
Sangfor SaaS XDR therefore also offers XTH threat identification together with cloud-based experts, who continuously mine events and uncover latent threats. Once an attack event has been confirmed a second time, a response report is generated promptly; this cuts false positives, and Sangfor reports event detection accuracy as high as 99%.
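As an added illustration for Part 1 and Part 2, not Sangfor code and not a description of how SaaS XDR is implemented internally, the following Python sketch shows the two ideas side by side: IOC rules that match exact known-bad indicators, IOA rules that fire on attacker behaviour (execution, persistence, evasion, lateral movement), and a correlation step that folds the per-sensor alarms from the network (N) and endpoint (E) sides into one incident per host and time window. All telemetry, indicator values (documentation-range IP addresses), host names and rule names are constructed for the example.

```python
"""Added example: IOC vs IOA detection and alert-to-incident correlation.

Hypothetical re-implementation of the idea in the article; not vendor code.
Sensors: N = network traffic sensor, E = endpoint agent.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, sensor, host, event_type, detail).
TELEMETRY = [
    ("2024-03-01T09:00:01", "E", "ws-17", "process_start", "winword.exe -> powershell.exe -enc SQBFAFgA"),
    ("2024-03-01T09:00:04", "E", "ws-17", "sched_task_create", r"\Microsoft\Windows\Updater"),
    ("2024-03-01T09:00:09", "N", "ws-17", "dns_query", "cdn-upd4te.example"),
    ("2024-03-01T09:00:10", "N", "ws-17", "outbound_conn", "203.0.113.7:443"),
    ("2024-03-01T09:00:12", "N", "ws-17", "outbound_conn", "203.0.113.7:443"),
    ("2024-03-01T09:00:20", "E", "ws-17", "process_start", "powershell.exe -> net.exe use \\\\fs-01\\c$"),
    ("2024-03-01T09:05:00", "E", "ws-22", "process_start", "explorer.exe -> chrome.exe"),
    ("2024-03-01T09:05:02", "E", "ws-22", "sched_task_create", r"\Vendor\Updater"),
    ("2024-03-01T09:05:03", "N", "ws-22", "outbound_conn", "198.51.100.9:443"),
]

# Constructed IOC set: "evidence left after the theft" (known-bad infrastructure).
IOC_IPS = {"203.0.113.7"}
IOC_DOMAINS = {"cdn-upd4te.example"}


def ioc_rules(ev):
    """IOC detection: exact match against known-bad indicators.
    Precise, but blind to anything not yet on the list."""
    _, _, _, kind, detail = ev
    hits = []
    if kind == "outbound_conn" and detail.rsplit(":", 1)[0] in IOC_IPS:
        hits.append(("c2", "known_bad_ip"))
    if kind == "dns_query" and detail in IOC_DOMAINS:
        hits.append(("c2", "known_bad_domain"))
    return hits


def ioa_rules(ev):
    """IOA detection: attacker behaviour, independent of any specific indicator."""
    _, _, _, kind, detail = ev
    hits = []
    if kind == "process_start" and "winword.exe -> powershell.exe" in detail:
        hits.append(("execution", "office_spawns_powershell"))
    if kind == "process_start" and " -enc " in detail:
        hits.append(("defense_evasion", "encoded_powershell"))
    if kind == "sched_task_create":
        hits.append(("persistence", "scheduled_task_created"))
    if kind == "process_start" and "net.exe use" in detail:
        hits.append(("lateral_movement", "admin_share_mount"))
    return hits


def raw_alerts(events):
    """One alarm per rule hit, exactly as standalone sensors would emit them."""
    alerts = []
    for ev in events:
        hits = [("IOC", h) for h in ioc_rules(ev)] + [("IOA", h) for h in ioa_rules(ev)]
        for source, (stage, rule) in hits:
            alerts.append({"time": datetime.fromisoformat(ev[0]), "sensor": ev[1],
                           "host": ev[2], "source": source, "stage": stage, "rule": rule})
    return alerts


def _flush(host, bucket, incidents, leftovers, min_stages):
    """Promote a per-host bucket to an incident only if it spans enough attack stages."""
    stages = sorted({a["stage"] for a in bucket})
    if len(stages) >= min_stages:
        incidents.append({"host": host, "start": bucket[0]["time"], "end": bucket[-1]["time"],
                          "stages": stages, "sensors": sorted({a["sensor"] for a in bucket}),
                          "alerts": len(bucket)})
    else:
        leftovers.extend(bucket)  # single-stage noise stays a low-priority alarm


def correlate(alerts, window=timedelta(minutes=10), min_stages=2):
    """Group alarms per host into time-window buckets, then flush each bucket."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    incidents, leftovers = [], []
    for host, group in by_host.items():
        bucket = []
        for a in group:
            if bucket and a["time"] - bucket[0]["time"] > window:
                _flush(host, bucket, incidents, leftovers, min_stages)
                bucket = []
            bucket.append(a)
        _flush(host, bucket, incidents, leftovers, min_stages)
    return incidents, leftovers


def summarize(events=TELEMETRY):
    alerts = raw_alerts(events)
    incidents, leftovers = correlate(alerts)
    return {"raw_alerts": len(alerts), "incidents": incidents, "unpromoted": len(leftovers)}


if __name__ == "__main__":
    s = summarize()
    print(f"{s['raw_alerts']} raw alarms -> {len(s['incidents'])} incident(s), "
          f"{s['unpromoted']} left as single alarms")
    for inc in s["incidents"]:
        print(inc["host"], inc["stages"], "sensors:", inc["sensors"])
```

On the constructed input, the eight standalone alarms collapse into a single incident on ws-17 that spans five attack stages and both sensors, while the lone scheduled-task alarm on ws-22 stays a low-priority alert because one stage alone is not enough to promote it. The IOC hits (a known C2 address and domain) are precise but would have said nothing had the attacker rotated infrastructure; the IOA hits fire regardless of the address, which is the trade-off the text describes.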
Part 3
Sangfor XDR brings a new experience of "four efficiencies" through the SaaS delivery model, saving users worry and effort:
1. Out of the box, efficient online delivery
Users only need to deploy the collection devices and protection components locally and connect them to the SaaS XDR platform to bring the security operations solution into service.
2. Data-driven, efficient capability iteration
The cloud platform holds a large volume of real-time security data; combined with threat intelligence and expert research, it is used to continually build the latest detection algorithms and models and steadily improve detection accuracy.
3. Secondary analysis by cloud experts, for efficient analysis and response
Every security event that Sangfor XDR generates automatically is reviewed a second time by cloud experts; Sangfor states this gives a 99.9% accuracy rate for security events. Users only need to handle the events, without worrying about false positives, which relieves operational pressure.
4. WeChat subscription, for efficient access to event information and response
Users can bind their WeChat account and subscribe to the push content they need, so they can view security event details promptly and respond with one click, quickly issuing commands such as isolation and remediation.
Through the abundant storage and compute resources of the SaaS model, Sangfor XDR addresses the high one-off investment, difficult version upgrades and poor scalability of traditional security appliances. Adapting to users' business growth, Sangfor SaaS XDR significantly reduces investment and construction costs as well as operator labour costs, and Sangfor reports that it improves security incident handling efficiency by nearly 70% at a better cost-performance ratio.
When data moves to the cloud, some organizations still have doubts: "I know SaaS delivery can make security operations more efficient and cheaper, but how is the platform itself kept secure?"
In terms of architecture, Sangfor SaaS XDR keeps backed-up data encrypted, so that it cannot be decrypted even if the storage is breached. In addition, Sangfor's security "blue army" (its internal attack team), its security team and external agencies continuously run attack drills against the platform.
In terms of stability, Sangfor SaaS XDR runs on a hosted cloud base with an availability SLA of 99.9%, and the security operations team monitors the platform's metrics, logs and resources in real time.
Beyond the platform's own capabilities, Sangfor SaaS XDR can be connected to Sangfor's managed detection and response (MDR) service for 24x7 collaboration between the cloud and on-site staff: continuous monitoring of threats and events, summarized results and analysis of security trends, reducing the daily workload of operations staff and saving effort and worry in security work. Relying on "human-machine intelligence" and the SaaS model, Sangfor MDR rapidly shares security experts, tools and experience, so organizations gain top-tier security capabilities at the best input-output ratio.
After all that, here are the key points:
Sangfor Extended Detection and Response Platform (XDR)
A SaaS-based threat detection and incident response platform that aggregates key data through native traffic collection tools and endpoint collection tools, performs in-depth attack chain tracing through network-side aggregation analysis engines and contextual correlation analysis, and, combined with the managed detection and response (MDR) service, frees up staff. It also offers open, extensible interfaces and works with SOAR and other products to simplify complexity and deliver in-depth detection, accurate response and continuous improvement.
Cybersecurity is a never-ending contest between offence and defence.
Sangfor SaaS XDR redefines threat detection and response,
puts the initiative back in the hands of every organization,
simplifies complexity, and leaves threats nowhere to hide.
Leifeng Network (Leiphone)
This article is reproduced from: https://www.leiphone.com/category/industrynews/f3HjeWaJOExbARHq.html
This site republishes the article for indexing only; copyright belongs to the original author.