Enterprise Security Management Center

With the enterprise security management center (SaaS) as the core, we create a unified security manager that helps users reduce the risk of economic losses caused by network attacks and core data leaks, and improve security operation efficiency. Enterprise security engineering, with the enterprise security management center (SaaS) as the core, creates a unified security manager for users, and develops capabilities such as advanced threat analysis, core data asset monitoring, and unified management of security equipment. Help users

Service provider information: Nanjing Zhongxinsaike Technology Co., Ltd.
Invoicing subject: Nanjing Zhongxinsaike Technology Co., Ltd.
Payment method: SaaS
Product details
Product Highlights
  • Unified management of enterprise security: holographic portrait of enterprise assets; overall presentation of security situation; unified management of security infrastructure; agile implementation of security operations
  • Data asset security monitoring: monitoring the clear text transmission of core data; monitoring employees maliciously dragging corporate databases; monitoring misappropriation of other people's accounts to download company secrets
  • Continuous delivery of security services: real-time push of new threat intelligence; hot updates of anomaly detection AI models; cloud expert emergency response
Product parameters
Delivery method: SaaS
Service supervision: Not involved (If you purchase goods that involve service supervision, you should enter the buyer center after purchase to submit your requirements and promptly accept them.)
Invoicing subject: Nanjing Zhongxinsaike Technology Co., Ltd.
Operating system: Windows/Linux/Unix/Android/iOS
Version: V1.2
Release date: 2021-12-16
Category: Security management
Product description

Enterprise security engineering, with the enterprise security management center (SaaS) as the core, creates a unified security manager for users, and develops capabilities such as advanced threat analysis, core data asset monitoring, and unified management of security equipment. It helps users reduce the risk of economic losses caused by network attacks and core data leaks, improve security operation efficiency, reduce security operation and maintenance investment, create a security capability system suitable for them, and meet the requirements of "Classified Protection 2.0", "Data Security Law", "Network Safety Law" and other compliance requirements.


a) Asset discovery and management: Asset discovery and management is the core functional module of the industrial security management center. It provides scanning and discovery of intranet assets, manual management, asset change comparison, comprehensive asset portraits, asset safety monitoring, visual display and other functions. The industrial security management center has a rich built-in asset fingerprint library, which can automatically identify asset information in the network through fingerprint comparison, SNMP scanning, etc., including IT layer assets such as servers, routers and hosts, and industrial field assets such as host computers, PLCs and controllers. It combines this with in-depth traffic analysis to create a multi-dimensional portrait of each asset, labeling each asset with attributes such as brand, model, five-tuple, operating status, communication, risk, responsible person and responsible department, thereby achieving comprehensive monitoring of assets.
b) Vulnerability analysis management: The industrial security management center uses a variety of threat monitoring methods to detect threats to industrial control networks. Threat discovery objects cover mainstream network hosts, operating systems, database systems, configuration software, PLCs, etc. Using the latest threat intelligence library, intranet host scan results, baseline scan results, manual penetration test results, etc., it uniformly associates, displays and alerts on asset and threat information, so that managers can effectively track the full life cycle of threats, clearly grasp the security and health status of the entire network, and keep threats visible, controllable and manageable throughout the entire life cycle.
c) Network traffic anomaly monitoring: The industrial security management center can conduct unified modeling and analysis of the network traffic of each asset in the network, and establish a variety of security baseline models that are consistent with the current assets and network traffic, such as communication security baseline models and network traffic baseline models. It sets different network traffic thresholds and communication whitelists for different assets, and raises real-time security alarms for network traffic and communication behaviors that deviate from the security baseline, thereby discovering security threats such as illegal external connections, communication interruptions and traffic mutations. The overall traffic monitoring results of the entire control network are displayed through various methods such as traffic curve graphs, histograms and detailed traffic distribution tables.
d) Industrial control protocol abnormality monitoring: The industrial safety management center uses industrial intelligent collection probes to perform in-depth analysis of industrial protocols and collect the resulting data. On this basis it can implement command-level abnormality monitoring of industrial protocols, discovering abnormal conditions and providing real-time alarms. Industrial control protocol anomalies that can be monitored include instruction changes, threshold alarms, configuration changes, load changes, etc.
e) Abnormal behavior monitoring: The industrial safety management center has event correlation analysis capabilities based on abnormal behaviors, fine-grained dynamic periodic behavior modeling capabilities, and behavior prediction capabilities based on multiple exponential smoothing. It can periodically model the event behavior characteristics of the specified IP (such as error ratio, rejection ratio, frequency, number of occurrences, etc.), and then compare the measured values with the modeled values to determine abnormalities. It can also take the historical values of the event behavior features of the specified IP (such as error ratio, rejection ratio, frequency, number of occurrences, etc.), use the prediction algorithm to predict their future value range, and then compare the actual measured value with the predicted value to determine anomalies.
f) Unified audit of security logs: The industrial security management center collects, in real time, the log information of network equipment, security equipment, servers, operator stations, database systems, and industrial intelligent collection probes from different manufacturers in the network. It then normalizes, classifies, filters, and performs correlation and merge analysis on these logs, realizing unified collection and analysis of distributed logs. This helps front-line managers quickly and accurately identify security events from massive logs, trace or intervene in security events in a timely manner, and meet the log audit requirements of national standards.
g) Alarm management: The alarm management module of the industrial safety management center can display alarm-related statistical views to users, including the number of alarms, alarm type distribution, alarm level distribution, alarm status statistics, key content, alarm trends, a list of alarms to be handled, threat intelligence hit ranking, correlation rule hit ranking, recent alarm list and other information.
h) Report management: The industrial safety management center provides flexible report management functions covering assets, safety events, risk analysis, etc. It supports rapid generation of reports and real-time output of expected report content, and can also automatically generate reports according to customer-specified cycles to help users review the security situation periodically. At the same time, the system provides flexible editing of report templates. Users can select the content they need from multiple premade report templates according to their own needs, and adjust the order to form the report they need.
i) Permission management: The industrial security management center can set different permissions for different personnel, including super administrators, system administrators and log auditors. The super administrator is mainly responsible for the creation and deletion of users and the management of function certificates; the system administrator is mainly responsible for the business configuration and management of the platform, including rule management and alarm processing; the log auditor can audit security logs.
j) System management: The system has rich self-configuration management functions, including self-configuration, system operating parameter monitoring, etc. The system has its own operation monitoring and alarm, system log recording, storage, backup and other functions.

Sales target

All users

Product pricing

Step pricing

Product price = ordering interval quantity 1 * interval specification unit price 1 + ordering interval quantity 2 * interval specification unit price 2.

For example: the call rate is 0.3 yuan/minute for the part that does not exceed 3 minutes, and 0.2 yuan/minute for the part that exceeds 3 minutes; if the user calls for 8 minutes, the fee charged is 3*0.3+5*0.2=1.9 yuan.

Tier pricing

Product price = order quantity * unit price of the range to which the quantity belongs.

For example: the call rate is 0.3 yuan/minute for no more than 3 minutes, and 0.2 yuan/minute if it exceeds 3 minutes; if the user calls for 2 minutes, the fee charged is 2*0.3=0.6 yuan; if the user calls for 8 minutes, the fee charged is 8*0.2=1.6 yuan.

Linear pricing

Product price = order quantity * unit price.

Simple pricing

The product price is the price displayed on the page.

Service support
User Guide
Enterprise Security Management Center User Manual SaaS version.pdf download
Platform support scope
After-sales service time: 7*24 hours service
After-sales service content: Provide users with telephone consultation and remote debugging, and push information in the form of emails and text messages in a timely manner, eliminating the trouble of operation and maintenance, and obtaining more professional security services with lightweight investment.
Service hotline: 025-52627967
Service email: s-iis@salaxy.cn
Open source statement

Click to view "Open Source Software Statement"

Goods and Services Agreement

By ordering this product you agree to the Goods and Services Agreement.