1 Security Big Data Analysis Function Overview:
By using big data technology, users can make daily security management orderly and simple and raise the overall network security management capability by:
● Moving from local security to global security.
● Moving from single-point prevention to collaborative prevention.
● Moving from fuzzy management to quantitative management.
● Expanding from compliance analysis to threat detection.
● Big data security analysis architecture
Adopts the patented CupidMQ message bus and CupidDB non-relational database, together with stream analysis, continuous aggregation, interactive analysis, full-text retrieval, and playback engines, to provide multiple high-performance security analysis capabilities.
● Powerful data processing capability
Write throughput of the event analysis database is improved more than fourfold and retrieval performance more than a hundredfold; the baseline these figures are measured against is not stated. Deployment is flexible and the system can be scaled out horizontally.
● Service-focused unified security management
The system has a built-in service modeling tool with which users build a service topology reflecting the assets that support each service. From this model the system automatically builds a service health indicator system that rates a service's health from the performance and availability, vulnerabilities, and threats of its supporting assets, so users can analyze the availability, security events, and alerts associated with the service.
● Complete monitoring on performance and availability
The system monitors the status of IT assets across the entire network in real time and at fine granularity, so that availability faults are discovered promptly, located, and alerted on. This protects the availability and service continuity of important service information systems, and the system displays the user's network topology visually.
● All-round security information collection
Venusense USM collects log, performance, vulnerability, and network flow information from devices and service systems over a range of methods, including Syslog, SNMP, SNMP trap, FTP, OPSEC LEA, NetBIOS, ODBC, WMI, shell scripts, SSH, NetFlow, Telnet, RDP, and Web Services. Note that Telnet and FTP carry credentials and data in cleartext, so collection over SSH (or another encrypted transport) should be preferred wherever the monitored device supports it.
● Flexible full-text retrieval
The system provides distributed full-text retrieval: it collects data at speed, tokenizes and indexes security events without requiring normalization, and performs high-speed full-text search over event content, as conveniently as a web search engine.
● Powerful interactive security analysis
Building on detailed log normalization and categorization, the system uses a distributed non-relational database built on big data technology to index both the normalized fields and the original log text. Combined with distributed processing, this yields policy-based security event analysis, interactive queries through a visual dashboard, and hybrid event retrieval that merges several log analysis techniques, giving security analysts a powerful interactive analysis tool.
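As an added, self-contained example (not Venusense USM code; the log formats, regular expressions, field names and tokenization rule are constructed for illustration), the following Python shows the two mechanisms described under "Flexible full-text retrieval" and here: normalization of heterogeneous raw lines into a common field set, and an inverted index built over the raw text so that a query such as an IP address also hits lines no parser understood, optionally filtered by normalized fields.

```python
import re
from collections import defaultdict

# Constructed raw lines in three formats plus one line no parser understands.
RAW_LOGS = [
    "Mar  3 10:15:01 gw1 sshd[2212]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar  3 10:15:07 gw1 sshd[2212]: Accepted password for root from 203.0.113.9 port 51023 ssh2",
    "2024-03-03T10:16:12Z fw2 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3306",
    "EventID=4625 Computer=DC01 TargetUserName=admin IpAddress=203.0.113.9 Status=0xC000006D",
    "appliance-x: unknown format here mentioning 203.0.113.9 and /var/tmp/x.sh",
]

# Normalization: one regex per known source, mapped onto a common field set (hypothetical schema).
PARSERS = [
    ("ssh-auth", "auth", re.compile(
        r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>[\d.]+)")),
    ("fw-drop", "network", re.compile(
        r"kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) .*DPT=(?P<dport>\d+)")),
    ("win-logon", "auth", re.compile(
        r"EventID=(?P<event_id>4624|4625) .*TargetUserName=(?P<user>\S+) IpAddress=(?P<src_ip>[\d.]+)")),
]


def normalize(line):
    """Map a raw line onto common fields; unparsed lines are kept, not dropped."""
    for name, category, rx in PARSERS:
        m = rx.search(line)
        if not m:
            continue
        ev = {"type": name, "category": category, "raw": line, **m.groupdict()}
        if name == "ssh-auth":
            ev["outcome"] = "failure" if ev.pop("result") == "Failed" else "success"
        elif name == "win-logon":
            ev["outcome"] = "failure" if ev["event_id"] == "4625" else "success"
        return ev
    return {"type": "unknown", "category": "unparsed", "raw": line}


# Tokenizer that keeps dotted addresses, paths and hex values as single tokens (assumed rule).
TOKEN_RX = re.compile(r"[A-Za-z0-9_./-]+")


def tokenize(text):
    return {t.lower() for t in TOKEN_RX.findall(text)}


class InvertedIndex:
    """Token -> document ids over the raw text, so retrieval does not depend on parsing."""

    def __init__(self):
        self.postings = defaultdict(set)
        self.docs = []

    def add(self, ev):
        doc_id = len(self.docs)
        self.docs.append(ev)
        for tok in tokenize(ev["raw"]):
            self.postings[tok].add(doc_id)
        return doc_id

    def search(self, query, **fields):
        """Hybrid retrieval: every query token must appear in the raw line (AND),
        and any keyword arguments must match normalized fields."""
        toks = tokenize(query)
        if not toks:
            return []
        hits = set.intersection(*(self.postings.get(t, set()) for t in toks))
        return [self.docs[i] for i in sorted(hits)
                if all(self.docs[i].get(k) == v for k, v in fields.items())]


def build_index(lines):
    idx = InvertedIndex()
    for line in lines:
        idx.add(normalize(line))
    return idx


if __name__ == "__main__":
    index = build_index(RAW_LOGS)
    for hit in index.search("203.0.113.9", category="auth"):
        print(hit["type"], hit.get("user"), hit.get("outcome"))
```

Indexing the raw text rather than only the parsed fields is what lets the last line, which no parser recognised, still be found by the address it mentions; the field filter on top of the token intersection is the "hybrid" part.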
● Intelligent security event association analysis
Using an intelligent event association (correlation) engine, the system continuously correlates all normalized log streams in real time. Three kinds of association analysis are provided: rule-based, context-based, and behavior-based. Rich visual security event analysis views improve analysis efficiency and help analysts find security problems using threat information.
● Intelligent stream security analysis
By capturing, generating, and analyzing network flow information for service networks, the system builds a flow behavior outline, recognizes asset attributes, detects abnormal service flows, checks compliance, and cross-analyzes and traces flows against security events.
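The following Python is an added example of what a flow behavior outline can look like in practice; it is not the product's code. It assumes NetFlow-style unidirectional records with source, destination, destination port and byte count, an internal range of 10.0.0.0/8, a fixed port-to-role map for asset attribute recognition, a policy that database ports on database servers are internal-only, and a 3-sigma byte threshold with at least four baseline samples; all flow records are constructed.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumptions for this example: one internal range and a fixed port-to-role map.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ROLE_PORTS = {"db-server": {3306, 5432, 1433}, "web-server": {80, 443}, "ssh-host": {22}}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def flow(src, dst, dport, nbytes):
    """One unidirectional flow record (NetFlow-style: src, dst, destination port, bytes)."""
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed learning period: an app server querying a DB, fetching updates over 443,
# and external clients reaching an internal web server.
BASELINE_FLOWS = (
    [flow("10.0.0.20", "10.0.0.5", 3306, b) for b in (4800, 5100, 4950, 5200, 5050, 4900, 5150, 5000)]
    + [flow("10.0.0.20", "203.0.113.50", 443, b) for b in (2000, 2100, 1900, 2050)]
    + [flow(src, "10.0.0.7", 443, b) for src, b in zip(
        ("203.0.113.5", "198.51.100.2", "203.0.113.9", "198.51.100.4", "203.0.113.12"),
        (700, 900, 800, 650, 1000))]
)

# Constructed detection period.
NEW_FLOWS = [
    flow("10.0.0.20", "10.0.0.5", 3306, 5000),        # routine query
    flow("198.51.100.9", "10.0.0.5", 3306, 300),      # external host reaching the DB port
    flow("10.0.0.5", "203.0.113.77", 4444, 900_000),  # DB server initiating outbound, never seen
    flow("10.0.0.20", "203.0.113.50", 443, 500_000),  # known path, far above its byte baseline
    flow("203.0.113.5", "10.0.0.7", 443, 800),        # routine web hit
    flow("203.0.113.5", "10.0.0.7", 8080, 800),       # port this host never served
]


def infer_role(served_ports):
    """Asset attribute recognition from the ports a host is seen serving."""
    for role, ports in ROLE_PORTS.items():
        if served_ports & ports:
            return role
    return "client" if not served_ports else "unknown-service"


def build_profile(flows, min_samples=4):
    """Behaviour outline per internal host: served ports, inferred role, and
    per-(host, dport) outbound byte statistics (None when too few samples)."""
    served = defaultdict(set)
    out_bytes = defaultdict(list)
    for f in flows:
        if is_internal(f["dst"]):
            served[f["dst"]].add(f["dport"])
        if is_internal(f["src"]):
            out_bytes[(f["src"], f["dport"])].append(f["bytes"])
    hosts = set(served) | {h for h, _ in out_bytes}
    profile = {h: {"served_ports": served[h], "role": infer_role(served[h]), "outbound": {}}
               for h in hosts}
    for (host, dport), samples in out_bytes.items():
        stats = (statistics.mean(samples), statistics.pstdev(samples)) if len(samples) >= min_samples else None
        profile[host]["outbound"][dport] = stats
    return profile


def detect(profile, flows, k=3.0):
    """Compare new flows with the outline; returns (finding, flow) pairs in input order."""
    findings = []
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if is_internal(dst):
            p = profile.get(dst)
            if p is None or dport not in p["served_ports"]:
                findings.append(("new-service", f))
            # Compliance check (assumed policy): DB ports on DB servers are internal-only.
            elif p["role"] == "db-server" and dport in ROLE_PORTS["db-server"] and not is_internal(src):
                findings.append(("policy-violation", f))
        if is_internal(src):
            p = profile.get(src, {"outbound": {}})
            if dport not in p["outbound"]:
                findings.append(("unbaselined-outbound", f))
            elif p["outbound"][dport] is not None:
                mean, std = p["outbound"][dport]
                if f["bytes"] > mean + k * std:
                    findings.append(("volume-anomaly", f))
    return findings


if __name__ == "__main__":
    for name, f in detect(build_profile(BASELINE_FLOWS), NEW_FLOWS):
        print(name, f)
```

Keying the byte baseline by (host, destination port) rather than per host keeps a large but normal database transfer from masking a small but unusual upload on another port; a production outline would also key by destination and time of day.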
● Complete vulnerability management and risk assessment
The system integrates in real time with multiple vulnerability scanning systems and has a built-in configuration check function, so that vulnerabilities are managed and controlled end to end. Referencing national and international standards, it quantitatively estimates and assesses security risk using a risk matrix.
● Proactive warning management
The warning management function publishes early-warning information from internal and external sources and associates it with the IP assets on the network to identify the affected assets, so users learn about possible attacks and potential risks to their service systems. Both internal and external warnings are supported; the warning types are security notification, attack warning, vulnerability warning, and virus warning, and a warning can be in preparatory, formal, or archived status.
● Proactive network threat information collection and use
The system proactively collects threat information in real time and uses rule association and a watch (observation) list to help security staff discover threats from known external attack sources, while also producing threat intelligence for analysts.
Venustech cooperates with the FengHuo Tai CTI Alliance and other well-known independent threat intelligence providers, and the system integrates numerous third-party threat intelligence sources for broader and more precise coverage.
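As an added example serving both "Intelligent security event association analysis" and the watch-list use of threat information above (illustrative code, not the product's engine), the following Python runs a small correlator over already-normalized events: a rule-based sliding-window threshold on authentication failures, a chained rule for a success following such a burst, context-based severity from an asset inventory, and an observation-list rule for known external attack sources. The event schema, asset table, watch list, threshold (5 failures in 60 s) and all events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed asset context (hypothetical schema): address -> role and criticality.
ASSETS = {
    "10.0.0.5": {"role": "db-server", "criticality": "high"},
    "10.0.0.8": {"role": "workstation", "criticality": "low"},
}

# Constructed observation (watch) list standing in for a threat-intelligence feed
# of known external attack sources.
WATCH_LIST = {"192.0.2.33"}


def event(ts, category, outcome, src_ip, dst_ip, user=None):
    """One already-normalized event (ts in seconds)."""
    return {"ts": ts, "category": category, "outcome": outcome,
            "src_ip": src_ip, "dst_ip": dst_ip, "user": user}


EVENTS = (
    # five failures then a success from one source against the DB server within 60 s
    [event(1000 + 10 * i, "auth", "failure", "203.0.113.9", "10.0.0.5", "admin") for i in range(5)]
    + [event(1050, "auth", "success", "203.0.113.9", "10.0.0.5", "admin")]
    # four failures, then a fifth after the window has slid past the first one
    + [event(1100 + 10 * i, "auth", "failure", "198.51.100.7", "10.0.0.8", "bob") for i in range(4)]
    + [event(1170, "auth", "failure", "198.51.100.7", "10.0.0.8", "bob")]
    # an otherwise unremarkable web request from a watch-listed address
    + [event(1200, "web", "success", "192.0.2.33", "10.0.0.5")]
)


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    dst_ip: str
    ts: int
    severity: str


class Correlator:
    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, dst) -> recent failure timestamps
        self.alerts = []

    def _severity(self, dst_ip, base):
        # Context-based association: the same pattern against a critical asset is rated higher.
        crit = ASSETS.get(dst_ip, {}).get("criticality")
        return "critical" if crit == "high" else base

    def _expire(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def process(self, ev):
        src, dst, ts = ev["src_ip"], ev["dst_ip"], ev["ts"]
        # Observation-list rule: any traffic from a known attack source raises an alert.
        if src in WATCH_LIST:
            self.alerts.append(Alert("watchlist-source", src, dst, ts, self._severity(dst, "medium")))
        if ev["category"] != "auth":
            return
        q = self.failures[(src, dst)]
        self._expire(q, ts)
        if ev["outcome"] == "failure":
            q.append(ts)
            if len(q) == self.threshold:  # fires once when the burst crosses the threshold
                self.alerts.append(Alert("auth-brute-force", src, dst, ts, self._severity(dst, "high")))
        elif ev["outcome"] == "success" and len(q) >= self.threshold:
            # Chained rule: a success right after a burst of failures is the event that matters.
            self.alerts.append(Alert("brute-force-then-success", src, dst, ts, self._severity(dst, "high")))
            q.clear()


def correlate(events, threshold=5, window=60):
    """Replay events in time order through one correlator and return its alerts."""
    c = Correlator(threshold, window)
    for ev in sorted(events, key=lambda e: e["ts"]):
        c.process(ev)
    return c.alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The second source in the sample never alerts because the window slides: its fifth failure arrives 70 seconds after the first, so only four remain in the window. Shrinking the window to 10 seconds in the call to correlate() removes the brute-force alerts entirely while the watch-list alert, which needs no history, still fires.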
● Indicator-based macro situational awareness
From the massive volume of collected security events, the system applies data mining techniques such as address entropy analysis, hotspot analysis, threat situation analysis, and KPI analysis to help administrators assess the macro security situation and identify, locate, trace, and predict major threats.
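The following Python is an added illustration of address entropy and hotspot analysis, not the product's implementation: it computes the Shannon entropy of the source and destination address distributions in a time window, lists the top addresses (hotspots), and applies an assumed heuristic: a low-entropy source set fanning out to a high-entropy destination set reads as a sweep, the reverse reads as a flood. The three windows, the 2-bit gap and the 16-address spread thresholds are all constructed.

```python
import math
from collections import Counter


def shannon_entropy(counts):
    """Entropy in bits of the distribution given by a mapping of value -> occurrences."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_stats(events, top=3):
    """Entropy and hotspot summary of one time window of (src, dst) events."""
    src = Counter(e["src"] for e in events)
    dst = Counter(e["dst"] for e in events)
    return {
        "h_src": shannon_entropy(src), "h_dst": shannon_entropy(dst),
        "n_src": len(src), "n_dst": len(dst),
        "hot_src": src.most_common(top), "hot_dst": dst.most_common(top),  # hotspot analysis
    }


def classify(stats, gap_bits=2.0, min_spread=16):
    """Heuristic labels with assumed thresholds: few sources fanning out to many
    targets reads as a sweep, many sources converging on one target reads as a flood."""
    if stats["h_dst"] - stats["h_src"] > gap_bits and stats["n_dst"] >= min_spread:
        return "scan-like"
    if stats["h_src"] - stats["h_dst"] > gap_bits and stats["n_src"] >= min_spread:
        return "flood-like"
    return "normal"


def ev(src, dst):
    return {"src": src, "dst": dst}


# Constructed windows (documentation address ranges, no real traffic).
def normal_window():
    srcs = [f"10.0.2.{i}" for i in range(1, 7)]
    dsts = [f"10.0.1.{i}" for i in range(1, 6)]
    return [ev(srcs[i % 6], dsts[(i * 7) % 5]) for i in range(30)]  # evenly spread


def scan_window():
    # one external source touching 40 internal hosts, plus a little background traffic
    return [ev("203.0.113.9", f"10.0.1.{i}") for i in range(1, 41)] + [ev("10.0.2.1", "10.0.1.1")] * 5


def flood_window():
    # 200 distinct sources converging on one host, plus a little background traffic
    return [ev(f"192.0.2.{i}", "10.0.1.3") for i in range(1, 201)] + [ev("10.0.2.2", "10.0.1.4")] * 3


def analyze(windows):
    """Label each window and return (label, stats) pairs in order."""
    return [(classify(s), s) for s in map(window_stats, windows)]


if __name__ == "__main__":
    for label, s in analyze([normal_window(), scan_window(), flood_window()]):
        print(label, round(s["h_src"], 2), round(s["h_dst"], 2), s["hot_dst"][0])
```

In the scan window the destination entropy is about 5.1 bits against about 0.5 bits for sources; in the flood window the ratio inverts (about 7.6 bits of source entropy against about 0.1 bits of destination entropy), and the hotspot list names the target. Entropy alone does not say which kind of scan or flood it is, so a real deployment would pass the hotspot addresses on to the flow and event analyses for tracing.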
● Various security response management and reports
The response management function notifies users, on configured trigger conditions, through a range of channels (email, SMS, voice, SNMP trap, instant message, WeChat, and work orders), starts the response handling process, and tracks the problem until it is resolved, giving closed-loop management of security events. Security reports tailored to different users are also provided.
● Integrated security management control user interface
The system provides an integrated security management and control interface with multi-perspective, multi-level management views for different users.
● Security management center
Includes the core functions of the Venusense USM big data (CupidDB) edition.
Built-in performance collection module with complete monitoring functions.
Built-in event collection module with complete event collection functions.
● Performance collector
The performance collector can be installed and deployed independently or together with the event collector. It provides the same functions as the built-in performance collection module of the management center and lets the management center perform distributed performance collection and monitoring.
● Event collector
The event collector can be installed and deployed independently or together with the performance collector. It provides the same functions as the built-in event collection module of the management center and lets the management center perform distributed event collection with load balancing.
● Log proxy
For Windows logs, the system provides a separate Windows log proxy (agent) that is installed on the Windows host to collect its system logs.
● Flow collector
The flow collector can be installed and deployed independently to collect and analyze network flow information on behalf of the management center.
● Distributed data storage index node
These nodes store, query, extract, and count massive volumes of events in distributed mode and perform other related processing.
● Configuration check collector
The configuration check collector can be installed and deployed independently to perform distributed or offline configuration checks.
● Configuration check proxy
For Windows, the system provides a configuration check proxy (agent) installed on the Windows host to perform configuration checks.
1. Single-stage hybrid distributed deployment
Collectors are deployed in distributed mode to collect log, performance, and configuration information. To meet massive data storage and analysis requirements, distributed storage index nodes are used; these nodes are expanded elastically as needed and are managed uniformly by the security management center.
2. Multi-stage (hierarchical) deployment
In multi-stage deployment, multiple management centers are deployed: a general center is built and connected to multiple sub-centers, so several management center components run on the network. The administrator of each sub-center logs in to that sub-center through a browser to manage the security of its jurisdictional network. The administrator of the general center logs in to the general management center through a browser for uniform management and centralized display of the entire network, and can also supervise the management of each sub-center.
This mode suits enterprises with branch offices and institutions with subordinate agencies, meeting multi-level management requirements.
6 Certification and Honors:
● EAL3 Information Technology Security Evaluation Certificate issued by the China Information Technology Security Evaluation Center
● Military Information Security Certificate
● CCID reports rank Venusense USM No. 1 in domestic (China) market share for eight consecutive years, 2008 to 2015.