Network Intrusion Analysis Center DAC
In recent years the complexity and diversity of malicious threats against networks have grown significantly. Within just a few years, malicious activity has shifted from blind, direct and crude attacks to advanced threats that are targeted, precise, stealthy and persistent.
At the same time, advanced threats are unlike the isolated single-event threats of the past. They are carried out in an orderly manner through planned stages, each step calculated in advance: reconnaissance, weaponization, delivery, exploitation, implant installation, command and control (C2) and data theft, until the ultimate goal is reached. They can inflict heavy losses on users in a short time, yet typically take weeks or months to discover and resolve, and traditional security solutions are increasingly ineffective against them. By deploying real-time traffic analysis and combining security products, tools and threat intelligence to detect high-risk IPs, a large number of unknown threats can be discovered in traffic; rules can then be refined for further retrospective analysis, achieving comprehensive detection and analysis of traffic and anomalous findings and producing detection reports.
The Network Intrusion Analysis Center is a threat-clue discovery and comprehensive analysis system that combines multiple information sources such as traffic, samples, behaviors and logs. It uses new big-data technologies for collection, storage, retrieval and analysis, supports drill-down analysis from multiple perspectives (attacker, attacked party, sample, event) and two-way process mining of the attack surface and the attacked surface in order to hunt target threats. Working with cloud-based or offline threat intelligence, it matches real-time or historical threat clues against behavior logs to give users comprehensive threat awareness. The system can also integrate a sample detection module to discover unknown threats, and the user-side threat intelligence it generates can be distributed to IDS, IPS, gateway, endpoint and other linked devices to form a complete, closed-loop security solution.
· Threat hunting takes threat clues, abnormal behaviors and compromised hosts as its starting point and spatial and temporal breadth as the data foundation of the analysis. Built on the log retrieval and process analysis modules of the Intrusion Analysis Center, it works from the attack surface and the attacked surface and the directional relationship between attacker and attacked, giving analysts the ability to quickly trace history and conduct in-depth analysis.
· Compromised host positioning analyzes the compromise process of each host through the stages of threat activity (intrusion, control, internal attack, malicious behavior) to derive the host's current certainty index and threat index. The host's compromise trend over a specified time window can be viewed, so that the activity level and risk level of the compromised host can be determined.
· Through big data association analysis along the time dimension, the attacks that really threaten the network can be picked out from massive logs, providing users with precise analysis and alarms.
· Correlation analysis traces attacks through multi-dimensional clustering of the attacker, attacked party, sample, event and malicious URL perspectives, enabling deep exploration of suspicious associations, providing a two-way threat analysis starting point between attacker and attacked, and finding deeply hidden clue associations between the attack surface and the attacked surface.
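The compromised-host scoring and time-dimension correlation described in the bullets above can be illustrated with a small script. The following is an added example, not code from the product or vendor described on this page: the stage weights, the noisy-OR certainty formula, the 25-points-per-stage threat index and the alarm thresholds are all assumptions chosen for illustration, and the alert events are constructed sample data.

```python
"""Per-host compromise scoring over constructed alert events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Threat activity stages named on the page, in kill-chain order.
# The numeric weights are an assumption for this example.
STAGE_WEIGHT = {"intrusion": 1, "control": 2, "internal_attack": 3, "malicious_behavior": 4}

# Constructed alert events (not real data):
# (timestamp, host, stage, reporting source, source confidence 0..1)
EVENTS = [
    ("2024-03-01T09:00:00", "10.0.0.5", "intrusion", "ids", 0.5),
    ("2024-03-01T09:05:00", "10.0.0.5", "intrusion", "sandbox", 0.6),
    ("2024-03-02T14:30:00", "10.0.0.5", "control", "dns_log", 0.7),
    ("2024-03-03T11:10:00", "10.0.0.5", "internal_attack", "ids", 0.8),
    ("2024-03-01T10:00:00", "10.0.0.9", "intrusion", "ids", 0.3),
    ("2024-03-02T16:00:00", "10.0.0.9", "intrusion", "ids", 0.3),
]


def certainty_index(confidences):
    """Noisy-OR combination: independent corroborating evidence raises certainty."""
    p_clean = 1.0
    for c in confidences:
        p_clean *= (1.0 - c)
    return round(1.0 - p_clean, 4)


def threat_index(stages):
    """Scale the deepest stage reached to 0..100 (25 points per stage level)."""
    if not stages:
        return 0
    return max(STAGE_WEIGHT[s] for s in stages) * 100 // len(STAGE_WEIGHT)


def score_hosts(events, start=None, end=None):
    """Return {host: {"certainty", "threat", "stages"}} for events inside [start, end]."""
    per_host = defaultdict(list)
    for ts, host, stage, source, conf in events:
        t = datetime.fromisoformat(ts)
        if (start and t < start) or (end and t > end):
            continue  # time-dimension filter: only the requested window counts
        per_host[host].append((t, stage, source, conf))
    result = {}
    for host, evs in per_host.items():
        stages = sorted({e[1] for e in evs}, key=STAGE_WEIGHT.get)
        result[host] = {
            "certainty": certainty_index(e[3] for e in evs),
            "threat": threat_index(stages),
            "stages": stages,
        }
    return result


def compromise_trend(events, host, days):
    """Cumulative threat index per day, showing how far a host has progressed over time."""
    first = min(datetime.fromisoformat(e[0]) for e in events if e[1] == host)
    day0 = first.replace(hour=0, minute=0, second=0)
    trend = []
    for d in range(days):
        end = day0 + timedelta(days=d + 1) - timedelta(seconds=1)
        scored = score_hosts(events, end=end).get(host)
        trend.append(scored["threat"] if scored else 0)
    return trend


def really_threatening(scores, min_certainty=0.6, min_stage="control"):
    """Suppress low-confidence, early-stage noise; keep hosts worth an alarm."""
    return sorted(
        host for host, s in scores.items()
        if s["certainty"] >= min_certainty
        and s["stages"]
        and STAGE_WEIGHT[s["stages"][-1]] >= STAGE_WEIGHT[min_stage]
    )


if __name__ == "__main__":
    scores = score_hosts(EVENTS)
    for host, s in scores.items():
        print(host, s)
    print("trend 10.0.0.5:", compromise_trend(EVENTS, "10.0.0.5", 3))
    print("alarm:", really_threatening(scores))
```

Two design points matter for a detection engineer: corroboration from independent sources (IDS plus sandbox plus DNS logs) raises the certainty index far more than repeated alerts from one source, and the trend view shows a host moving from intrusion to control to internal attack across days, which is the progression the page calls a host's collapse.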
Detection ability ++
A comprehensive analysis platform combining intrusion analysis, known-threat detection and unknown-threat detection provides an all-round attack-chain analysis process
The Threat Intelligence module supports offline library import and online intelligence updates
Spatial and temporal breadth form the data foundation of the analysis, giving analysts the ability to quickly trace history and deepen analysis and judgment
Discovering intrusion clues that went undetected in the past, with traceability analysis through log retrieval
Multi-dimensional analysis modeling over massive logs, highlighting important clues and behavioral judgments
Multi-dimensional clue aggregation and deep mining to find hidden clue associations
The Scorpio Intrusion Analysis Center detection system supports single-machine or distributed deployment. It can receive data from external devices such as IDS and APT detection systems through its interface, or the IDS and APT modules can be integrated directly into the Intrusion Analysis Center.
Deploying the Scorpio Intrusion Analysis Center allows qualitative analysis of suspicious events, efficient and accurate location of security incidents, and effective assessment of their impact through event correlation analysis. This helps users block abnormal or suspicious sessions in time and report blocking results, collected through the evidence collection center's comprehensive tracking, in a timely manner, which helps prevent the situation from deteriorating further and prevents similar incidents from recurring.