企业级信息安全监控与风险防范解决方案

1、企业级信息安全监控与风险防范解决方案Symantec Security Analytics 大数据安全分析平台企业安全主要面临的风险黑客内部人员国家对抗网络犯罪组织FINANCIALLY MOTIVATEDNATIONALISTICALLYMOTIVATEDPOLITICALLY MOTIVATEDATA/APT GRADEDDOSRansom & fraudGovt, enterprise & infrastructure targetsPublic data leakageDefacementDATATHEFTMALWAREBADSTUFF INGOOD STUFF OUT“爱德华斯诺登告

2、诉SXSW 他会再次泄漏一些机密” NPR, March 2014“又一天, 又一个零售商发生大量信用卡泄漏事件。” 彭博社商业周刊, March 2014“银行面对来自伊朗的网络攻击寻求美国政府的帮助” 华尔街日报, Jan 2013Nation StatesCybercriminalsInside ThreatsHacktivistsTargeted AttacksDDOSAPTsAdvanced MalwareRansom and FraudData TheftZero Day ThreatsIPsEmail SecurityWeb GatewayHost FirewallAntiSpa

3、mNACSIEMVPNEncryptionDLPNext Gen FirewallURL FilteringIntegrityConfidentialityAvailabilityAdv. Threat ProtectionTodays Security GapVisibilityContext现代安全的新趋势TodaysAdvancedThreatLandscape信息安全官最关心的问题 谁在对我们进行网络攻击? 他们怎么做到的? 什么系统和数据受影响了? 我们能否确定威胁已经结束? 是不是会再次发生?安全事件的分析关联、重建、取证、响应Turning Complexity into Con

4、textDPI分类2500多种应用和数千种元属性在线并实时地可见和分析数据泄露和渗透安全关联性 包括“名誉”、用户和社交角色、人为特征实现“事件响应”、“取证”、“根本原因”和影响分析的“Black Box”记录、分类和索引高速网络中的所有通讯包和通讯流Providingreal-time analysis and full visibility of everything going in and out of your networkSymantec Security AnalyticsSEE ALL. KNOW MORE. RESPOND FASTER.01010010100110110

5、01010101010101010010101001000010101010001101实时威胁分析（可见）Internal NetworkTAP/SMART TAPDPIMETADATAIOCsSecurity Analytics & Malware Analysis实时威胁分析（可见）0101001010011011001010101010101010010101001000010101010001101IOCsInternal NetworkTAP/SMART TAPDPIMETADATAMETADATAPACKETS& FILESSecurity Analytics & Malware

6、 Analysis0101001010011011001010101010101010010101001000010101010001101实时威胁分析（可知）DataEnrichmentMETADATAPacketsFilesInternal NetworkTAP/SMART TAPDPISecurity Analytics & Malware Analysis0101001010011011001010101010101010010101001000010101010001101实时威胁分析（可知）Global Intelligence NetworkPE ScannerjSUNPACKE

7、xternal Threat FeedsGeolocationMoreMAADataEnrichmentInternal NetworkTAP/SMART TAPDPISecurity Analytics & Malware Analysis0101001010011011001010101010101010010101001000010101010001101实时威胁分析（可知）Global Intelligence NetworkPE ScannerjSUNPACKExternal Threat FeedsGeolocationMoreMAADataEnrichmentInternal N

8、etworkTAP/SMART TAPDPISecurity Analytics & Malware AnalysisNGFWIPSEndpointAdministratorUPDATE实时威胁分析（可防、可控、可依）SIEMEmailEDRInternal NetworkTAP/SMART TAP!Security Analytics & Malware AnalysisNGFWIPSEndpointSIEMNGFW/IPS/SandboxEDR实时威胁分析（按需关联调查）AdministratorUPDATEInternal NetworkSecurity Analytics & Malw

9、are AnalysisTAP/SMART TAP!INTRUSIONPREVENTION SYSTEMSNEXT-GENFIREWALLSLOGMANAGEMENTSIEMCONTENTFILTERINGDATALOSSPREVENTIONINICIDENT RESPONSEFORENSICS开放的关联整合环境 Solid PartnershipsSECURITY ANALYTICS SUPPORTS BEST-OF-BREED INTEGRATIONSWork Smarter & Faster Make Better DecisionSplunk 集成Security Analytics纠

10、正和巩固一个告警的之前、期间和之后的细节取证（主动告警、联动告警）Securtiy Analytics 在现代安全体系中的重要作用对所有网络通讯的实时智能安全可见（收集、分析、上下文关联、事件重建）Security Analytics 市场领导者Frost & Sullivan 评定 Blue Coat Systems (now Symantec) 在全球网络安全取证市场拥有领导地位“ Blue Coat Security Analytics seeks to empower security professionals with full packet capture, indexing a

11、nd analyzing packets to offer maximum resolution in a forensics investigation.” 智能、丰富、易用的使用界面基于Web的访问使用界面深度识别网络中的所有事件“最新的”警报通知可疑、恶意或禁止的行为调查的界面快速缩小或扩大范围、转移时间区间交互式报告2 7层的基本元素数据通过“Extractions”功能，重建事件或文件会话提取和事件重建重新组装数据包到会话，并提取其应用层内容看到实际用户的访问页面Safely exclude unsafe objectsRetrieve web components from cap

12、tured data or current state on web servers重建IM, email and VoIP 会话快速筛选分析结果，以发现需要的特定内容Search by MD5 or SHA1 hashFilename, size, file type, etc.ExampleArtifactsArchive files (zip, rar, rpm), Images (bmp, gif, jpg, png), Multimedia (avi, flash, mov, mpg, wav, wmv), Office files (doc, docx, ppt, pptx, wp

13、d, xls, xlsx), PDF, DLL, EXE, HTML, Java, FTP, emailmore“I view an email as an email and a Word doc as a Word doc.Not just a bunch of packets. Nice!”会话提取和事件重建通过来自原始数据包的重建，快速分析图片音频文件根据文件的类型、扩展属性和尺寸等进行精细过滤可以看到所有关联的元素数据URLSource IPDestination IPSizeMIME TypeA Picture is worth a thousand words. “No deny

14、ing what my user sawgood or bad”. 报警管理界面Incident Response Launchpad关键报警展示“组织内部的关键安全问题在哪里?”聚焦在哪些方面去解决?安全问题发生的主要时间区间直接进一步展示详细的报告自动化智能学习，确定： “Normal” baseline复杂的统计建模，标识 “Abnormal” activity异常行为（事件）感知That looks odd! I better take a look!Organizations need to understand their environment and what constitu

15、tes normal and abnormal behavior, train staff on how to use analytic tools and define the data they need to collect.- SANSKnow Abnormal Find Evil”减少人工和人为的影响，提高分析的可信度和准确度, 避免误判和漏判结合行为来展示相关的异常One indicator = not so suspicious multiple indicators = I better look!为什么异常行为（事件）感知是准确且唯一的？它是你的数据、你的活动、你的模式你的威胁发现静态特征识别工具遗漏的问题结合全数据集取完全的证据重要的异常行为感知识别不同寻常的计数、签名、协议和目的地检测高流