BACKGROUND OF DEMAND

In the digital age, technology and business architectures iterate constantly, giving rise to new security threats that traditional security measures cannot address. New types of attacks appear frequently, and traffic-side products are easily bypassed. The host, however, is the attacker's final landing point and cannot be bypassed. The business and data that hackers care about all reside on the host, yet existing security systems focus mostly on boundary traffic and give the host too little attention. Tracing hacker attacks back to their source is difficult, and general logs or audit information cannot provide detailed records of host security events. Ultimately, this leads to a lack of response and countermeasures, and to low security efficiency.


SOLUTION

Security operation and maintenance across the full host security lifecycle: host security software installed beforehand, an anti-ransomware system installed for protection during an attack, and data disaster recovery afterwards.


Host Security Software - Asset Inventory

The software automatically identifies the assets inside the system and associates them with risks and intrusion events, providing flexible and efficient traceability. Using configured inspection rules, the system automatically checks both hosts that have the probe installed and hosts in the network space that are not yet under security management, automatically excluding ordinary network devices, to ensure the normal operation of the detecting and detected hosts.

It automatically inventories middleware, databases, big data components, web applications, web frameworks, web sites, and other assets. Based on the business characteristics of each server, it identifies more than 200 targeted application categories, such as Nginx, Apache, JBoss, MySQL, Memcache, Redis, and HBase. In the future, it will also support user-defined inventory objects.

For each type of business asset, the system aggregates and displays data from two common perspectives: a "host perspective" and an "asset perspective". Customers can flexibly define their own table views. Key assets (hosts, accounts, processes, etc.) are associated across the entire system, and a global search tool will also be provided in the future.


Host Security Software - Risk Discovery

The software proactively and accurately identifies security risks in the system, providing continuous risk monitoring and analysis. A continuously updated patch library combined with agent probe scanning discovers, promptly and accurately, the important patches that the system needs to apply. It also inspects applications, kernel modules, installation packages, and other important software in the system for updates, and intelligently extracts the patches that most urgently need to be applied.

It automatically identifies application configuration defects. By comparing configurations against the critical attack paths in the attack chain, it identifies and addresses configuration issues, greatly reducing the risk of intrusion. Detecting and handling a configuration defect in time effectively resolves the potential security risk and blocks further activity by hackers.

It continuously tracks domestic and international security trends and vulnerability exploitation methods, and continuously introduces new vulnerability detection capabilities. Using an agent-based continuous monitoring and analysis mechanism, it can quickly compare against a large vulnerability database and detect system vulnerabilities accurately and efficiently.


Host Security Software - Intrusion Detection

The software detects intrusion events in real time, providing rapid defense and response capabilities. Web backdoor detection automatically monitors critical paths and combines several detection methods, such as regular expression libraries, similarity matching, and sandboxes, to perceive file changes in real time, enabling timely detection of web backdoors and clear labeling of the affected parts.

System backdoor monitoring analyzes process association information and combines it with pattern recognition and behavior detection to provide an automated system backdoor detection method that does not rely on hashes, achieving multi-dimensional, high-precision, and fast backdoor discovery across multiple systems.


Host Security Software - Compliance Baseline

A baseline built from the domestic information security level protection requirements and CIS has been established to help users quickly carry out internal risk self-testing, identify problems, and fix them promptly.

Support for multiple standards such as security/CIS, covering various systems and applications: Security researchers continue to study national level protection policies and CIS baseline standards, and continuously add support for more baseline standards. The product currently supports commonly used operating systems such as CentOS, Debian, RedHat, SUSE, Windows Server 2008, and Windows Server 2012, and covers more than 10 database and web service applications, including Apache, MongoDB, and MySQL.

One-click task-based detection and visualization of baseline inspection results: The compliance baseline function uses a flexible, configurable task-based scanning mechanism. Users can quickly create baseline scanning tasks and select the hosts and baselines to scan according to their testing needs. After testing completes, the baseline inspection results are visualized in an inspection item view and a host view, meeting the individual testing needs of enterprises.


Host Security Software - Virus Scanning and Killing

Multi-engine virus detection is integrated, including the Xiaohongumbrella Avira engine, the Tencent T-Sec anti-virus engine, the ClamAV engine, and the Aoteng self-developed engine. The antivirus engine independently developed by Qingteng can effectively detect mining Trojans, worms, ransomware, and hacking tools.

Configurable defense strategies: a specific defense strategy can be configured for each host. Automatic isolation can be enabled on hosts identified as vulnerable so that viruses are automatically detected and killed. On hosts that have been confirmed to be immune to attacks, automatic processing can be disabled to avoid accidental killing, meeting customers' diverse proactive prevention needs.

Sandbox verification and repair: the sandbox can quickly verify detected viruses, discover and analyze their intrusion paths, and output the correct methods for killing them. The sandbox can also automatically generate corresponding repair tools to help users revert a virus's malicious modifications to the host and repair the impact it caused.


During: Installing an Anti-Ransomware System

Five layers of interception block the "read", "encrypt", and "write" behaviors that are always present in ransomware encryption and extortion, allowing the host to keep running even with a virus present and to refuse extortion, and preventing data from being stolen and used as a threat. Trusted operations are configured in advance to provide trusted security protection for important business systems and data. Illegal and unauthorized read, write, delete, and copy operations are prohibited to ensure the security and reliability of core business and data. A ransomware interception capability is built alongside network security products to form a closed loop of "front-end security protection, back-end ransomware interception".


Afterwards: Data Disaster Recovery

Whole-machine protection for the cloud era, operated entirely through the web, with simple verification, easy rehearsal, and simple disaster reconstruction, regardless of location, host type, business type and structure, database brand and version, or data type. Backup, verification, drills, and disaster reconstruction are all fast (second-level hot backup, minute-level whole-machine reconstruction, second-level volume recovery, second-level file recovery).


Shenzhen Baifujia Software Co., Ltd
1407 Baoshan Times Building, Longhua Avenue, Longhua District, Shenzhen
400-777-9560

Copyright © 2025 Shenzhen Baifujia Software Co., Ltd. 粤ICP备09206173号 Technical support: 人网网络