Government Security Threat Discovery and Operation Management Platform Solution

I. Background

Nowadays, more and more prefecture-level and district/county-level governments operate their business via the technologies of third-party platforms, such as cloud computing, big data, and mobile communication. Data has become a key factor for the stable operation of their business. However, the development of technologies also brings serious security issues. For example, data fusion, blurred boundaries, complex data flow caused by virtualization and cloud computing, numerous security threats caused by Internet-based business with an increase in web and app viewers, and growing attacks on IoT terminals due to difficult threat defense and locating.

II. Solution overview

The H3C SecCenter CSAP (standard version)[M帐1] is a "command center" of the active security defense system. It conducts an in-depth analysis of massive logs and other information based on the corporate assets via technologies such as threat intelligence and machine learning. Meanwhile, it correlates network attack events to present the security risk status of the entire network in a dimensional and visual manner. Focusing on assets and services, it integrates the management of security, network, and applications to form a complete security closed-loop from risk alarms and response. The system greatly saves the O&M time of O&M personnel in the enterprises and effectively improves their ability to discover and handle advanced threat events.

III. Solution features

Diverse data collection

Supports the log collection of various network devices, security devices, vulnerability scanners, web crawlers, hosts and applications, and can access external threat intelligence.

Adopts active and passive data collection technologies to collect heterogeneous and massive logs in the network in real time. It supports multiple log access methods, such as passive log collection via Syslog and HTTP/HTTPS, active log collection via FTP and database, and log collection via deployed agents.

Supports centralized/distributed storage of massive logs and full life-cycle management.

Supports rapid adaptation of logs from different manufacturers to the system through log normalization and log classification.

Multi-dimensional risk alarms

Uses the visualization technology to make fragmented data such as threat alarms, alarms of abnormal behaviors, and asset management data into structured data and forms a high-dimensional visualization view.

Detects intrusion events in real time through network-wide threat intelligence and big data analysis, and displays data in various forms, including 3D charts, radar charts, topology maps, and heatmaps.

Displays risks from different perspectives and dimensions based on big data about security, realizing real-time monitoring and early warning of security events.

Cloud-network-terminal collaboration

Builds a repository for policy management and quickly generates emergency response plans for early warning, response, and handling of security incidents.

Detects attacks in the cloud and forms an active defense system featuring cloud-network synergy, to implement closed-loop feedback control.

Adopts cloud-network-terminal collaboration, makes decisions and responses automatically based on real-time scenarios, and pushes security policies to network-wide key devices.

Automatic O&M response

Monitors the status of key objects in real time, conducts risk analysis of important assets, and dynamically manages assets by classification and hierarchy.

Quickly generates configuration policies and task orders in case of a system state change, enabling quick response and disposal of O&M.

Supports the operational management of work orders, enabling automatic triggering, dispatching, tracking, reminding, and closing of work orders.

Provides simple and easy deployment, modular design, and flexible expansion.

Product features

Through the collected security event data in the network and threat intelligence in the cloud, H3C SecCenter CSAP (standard version)[M帐2] can mine and correlate massive security data, and implement situational awareness of attacks, threats, and compliance to generate a comprehensive view of the security data. This enables users to quickly and accurately know the current security state of the network and make corresponding responses.