Solution Overview
An advanced persistent threat (APT) is a targeted, long-running network attack and intrusion against an enterprise. APT attackers gain access to the enterprise network and stealthily monitor target computer systems over a long period of time in order to steal core data. In recent years, APT attacks have become a hot topic in the industry. Because of their unusual patterns and methods, APT attacks render traditional defense tools ineffective, and their growing complexity is a major headache for enterprises.

A typical APT attack includes multiple phases, such as reconnaissance, external penetration, command and control, expansion, and data exfiltration. Once inside the enterprise network, the attacker can move laterally, collect sensitive information, and send it back to the attacker's infrastructure, causing great loss to the enterprise.

Without depending on signatures, the Huawei APT big data security analysis solution can effectively detect APT attacks using models for defense, detection, tracking and investigation, and situational awareness. The solution collects files, logs, and traffic across the network and analyzes them to detect unusual behavior. In addition, in coordination with multiple security products, the solution can promptly detect, alert on, report, and display APT attacks. The Huawei anti-APT solution implements network-wide security protection to keep the enterprise's core information assets intact. It is therefore especially applicable to financial and government agencies, power suppliers, and Internet enterprises.
[Figure: Huawei anti-APT model. Capability layer: Posture awareness (display of known attacks, alerts on potential attacks, context-aware security); Defense (attack blocking, attack surface reduction, reduction of false positives); Detection (unknown threat detection, evasion attack detection, minimizing the attack time window); Investigation (attack analysis, infection scope, evidence collection); Response (response efficiency enhancement, coordinated execution). Global Threat Intelligence Center: intelligence information updates, APT detection service, advanced threat analysis. CIS Big Data Security Analysis: abnormal terminal behavior detection, abnormal traffic detection, abnormal content detection, enterprise-defined suspicious act detection, threat visualization; inputs are file information, logs and events, full-packet PCAP, metadata, NetFlow/NetStream, and mobile, PC, and server behaviors; it synchronizes the information required for coordination with the FireHunter sandbox (file upload; detection of file-based zero-day attacks). Collection layer (Huawei next-generation security, coordinated execution components): traffic information collection (traffic probe, NGFW, NGIPS, vNGFW, Anti-DDoS), terminal information collection (AnyOffice, NG Series, terminal probe), and log collection. Roles: Detection by NGFW/NGIPS, LogCenter, and FireHunter (prompt detection and response); Investigation by LogCenter (attack path display and infection locating); Posture awareness by LogCenter (display of known attacks and alerts on possible attacks). Also shown: mail server, terminal management system.]
[Figure: deployment across a terminal access zone, WAN access zone, and Internet access zone, with the NGFW at the Internet border and FireHunter and LogCenter in the O&M management area.]
Challenges
• Exploits of web and application vulnerabilities; botnets, Trojan horses, worms, and viruses
• Phishing (mails and web pages) and DDoS attacks
• Zero-day, watering hole, and APT attacks
• Ineffective collection of logs from network and security devices
Solution
• Deploy the NGFW at the Internet border and FireHunter + LogCenter in the O&M management area.
• The NGFW provides comprehensive defense against known threats. The NGFW and the anti-APT sandbox interwork to prevent unknown threats.
• Provide optimized security policies, all-round security reports, and situational awareness.

[Figure: data center deployment with NGFWs (virtual firewalls, vFW, per tenant) at the data center border, a core switch, FireHunter and LogCenter in the O&M management area, and ordinary, important, and core business zones.]
Challenges
• DDoS attacks
• Intrusion and confidential data theft by exploiting web and application vulnerabilities; botnets, Trojan horses, worms, and viruses
• Zero-day, watering hole, and APT attacks
• Requirement for independent security management of multiple tenants
Solution
• Deploy NGFWs at the data center border and FireHunter + LogCenter in the O&M management area.
• NGFWs provide comprehensive defense against known threats. The NGFW and the anti-APT sandbox interwork to prevent unknown threats.
• Remote VPN access
• All-round security reports and situational awareness
Values to customer
• Premium security performance: 10GE-level comprehensive threat defense performance (a maximum of 40 Gbps)
• Virtualization of all businesses: up to 1000 virtual firewalls, meeting the custom security requirements of multiple tenants
• Full defense against known threats: intrusion prevention, antivirus, data breach prevention, and anti-DDoS
• Accurate detection of unknown threats: APT attacks are detected and malicious behavior blocked through in-depth analysis of malicious code by a heuristic detection engine and a virtual detection environment (sandbox)
• Situational awareness: collection of network and security logs and real-time awareness of the network-wide security posture
Heavyweight Solution
Based on the Cybersecurity Intelligence System (CIS) big data security analysis platform, the heavyweight solution collects the traffic of key paths on the live network and the logs of key systems, applies machine learning, and promptly detects the various unusual behaviors along the APT attack chain, including web, mail, and DNS anomalies. After an anomaly is confirmed, the solution locates infected hosts and terminals with the assistance of context verification, and quarantines and fixes terminals automatically with one click, removing internal and external hidden risks.
• Network-wide situational awareness and threat source tracing for forensics

Through anomaly analysis from multiple dimensions, APT attacks can be quickly identified and alerts generated, so that the time window for security response is effectively shortened. Besides detection, the CIS also supports APT attack investigation by displaying the complete attack kill chain and letting the analyst drill down into the large volume of data at each node of the chain. When information such as network logs, sandbox test results for malicious files, and user authentication records is correlated repeatedly from multiple perspectives and layers, the picture of the threat becomes clear. Threat events on any node of the attack chain and the original data (such as traffic and logs) can be easily obtained, so source tracing and forensic evidence collection are trustworthy and easy.
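The correlation described above, DNS anomalies, sandbox verdicts and authentication records combined per host into an ordered attack chain, is illustrated here with a small added example. This is not Huawei's CIS code and does not reflect its data model: the record layouts, the entropy and distinct-label thresholds, the stage names and the sample logs are all constructed for the illustration.

```python
"""Correlate DNS, sandbox and authentication records into per-host kill chains.

Added example only: record layouts, thresholds and stage names are assumptions,
not the data model of Huawei's CIS or any real product.
"""
from collections import defaultdict
import math

# Constructed sample data. Records are (ISO timestamp, source host, queried name).
# host-22 issues a burst of long, random-looking labels under one parent domain,
# the footprint a DNS covert channel or DGA beacon leaves in resolver logs.
DNS_LOG = [
    ("2024-03-01T09:00:05", "host-07", "www.example.com"),
    ("2024-03-01T09:00:09", "host-07", "mail.example.com"),
    ("2024-03-01T09:12:00", "host-22", "q3f9x2kz8vb1.upd.example-cdn.net"),
    ("2024-03-01T09:12:03", "host-22", "n7w2p0lq5mz6.upd.example-cdn.net"),
    ("2024-03-01T09:12:06", "host-22", "r8t4y1hj6ka0.upd.example-cdn.net"),
    ("2024-03-01T09:12:09", "host-22", "b5c3d9ef2gh7.upd.example-cdn.net"),
    ("2024-03-01T09:12:12", "host-22", "z1x8c4v6b2n9.upd.example-cdn.net"),
]
# Constructed sandbox verdicts: (timestamp, host that received the file, file name, verdict).
SANDBOX_LOG = [
    ("2024-03-01T08:58:41", "host-22", "invoice.docx", "malicious"),
    ("2024-03-01T09:01:10", "host-07", "report.pdf", "clean"),
]
# Constructed authentication records: (timestamp, user, source host, target host, result).
AUTH_LOG = [
    ("2024-03-01T09:30:12", "jdoe", "host-22", "fileserver-01", "success"),
    ("2024-03-01T09:31:40", "jdoe", "host-22", "db-02", "success"),
    ("2024-03-01T09:05:00", "asmith", "host-07", "fileserver-01", "success"),
]

MIN_LABEL_ENTROPY = 3.0  # bits per character; assumed threshold
MIN_UNIQUE_LABELS = 4    # distinct labels under one parent domain; assumed threshold


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_anomalies(records):
    """Flag hosts that query many distinct high-entropy labels under one parent.

    Returns (first_seen, host, stage, evidence) tuples.
    """
    labels_seen = defaultdict(set)  # (host, parent domain) -> leftmost labels
    first_seen = {}
    for ts, host, qname in records:
        parts = qname.lower().split(".")
        if len(parts) < 3:          # need a leftmost label plus a parent domain
            continue
        leftmost, parent = parts[0], ".".join(parts[1:])
        if shannon_entropy(leftmost) >= MIN_LABEL_ENTROPY:
            key = (host, parent)
            labels_seen[key].add(leftmost)
            first_seen.setdefault(key, ts)
    return [
        (first_seen[key], key[0], "command and control",
         f"{len(labels)} high-entropy labels queried under {key[1]}")
        for key, labels in labels_seen.items() if len(labels) >= MIN_UNIQUE_LABELS
    ]


def sandbox_hits(records):
    """A malicious sandbox verdict becomes 'delivery' evidence for the receiving host."""
    return [(ts, host, "delivery", f"sandbox flagged {name} as {verdict}")
            for ts, host, name, verdict in records if verdict == "malicious"]


def lateral_movement(records, infected_hosts):
    """Successful logons from an already-suspect host to another machine."""
    return [(ts, src, "lateral movement", f"{user} logged on to {dst}")
            for ts, user, src, dst, result in records
            if src in infected_hosts and dst != src and result == "success"]


def build_kill_chains(dns_log, sandbox_log, auth_log):
    """Correlate all sources into {host: [(timestamp, stage, evidence), ...]}.

    Timestamps share one ISO-8601 format, so string order is chronological order.
    """
    findings = dns_anomalies(dns_log) + sandbox_hits(sandbox_log)
    infected = {host for _, host, _, _ in findings}
    findings += lateral_movement(auth_log, infected)
    chains = defaultdict(list)
    for ts, host, stage, evidence in findings:
        chains[host].append((ts, stage, evidence))
    return {host: sorted(events) for host, events in chains.items()}


if __name__ == "__main__":
    for host, events in build_kill_chains(DNS_LOG, SANDBOX_LOG, AUTH_LOG).items():
        print(host)
        for ts, stage, evidence in events:
            print(f"  {ts}  {stage:<20} {evidence}")
```

Two design points carry over to any real deployment of this idea. First, the authentication records alone are unremarkable (a user logging on to a file server), so the lateral-movement stage is only asserted for hosts that another source has already marked as suspect; correlation, not any single feed, produces the finding. Second, the detector keeps the first-seen timestamp and the raw evidence string for every stage, which is what lets an analyst walk from the reconstructed chain back to the original traffic and log records for forensics.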
[Figure: heavyweight solution architecture. Components shown: Global Threat Intelligence Center APT detection cloud service; CIS; traffic probe (DNS response traffic); NAT tracing system (NAT tracing logs); Anti-DDoS detection device (detection logs) and Anti-DDoS cleaning device, interworking through traffic diversion and reinjection; traffic-based attack detection device (traffic detection); DPI system; known application-based threat detection device (file inspection; mirrored traffic, sample detection); IDS device; vSwitch hosting VM1 and VM2; EDC; telecommuting users; the Internet.]

Solution values
Detection of unknown and advanced threats
• Detect traffic for unknown attacks and identify infected hosts and zombie hosts.
• Detect files for unknown malicious files and identify the transmission of unknown malicious files.
• Detect files and traffic for APT infiltration and covert channels.
Detection of known threats
• Detect traffic for DDoS attacks and identify zombie hosts.
• Detect traffic for application-layer intrusions and identify attack behavior.
• Detect files for malware and identify the transmission of malicious files.
Attack source tracking/evidence collection
• Protocol metadata stored on the big data platform assists in the investigation and analysis of advanced threats.
• PCAP capture of suspicious traffic assists in the confirmation and investigation of events.
Network-wide situational awareness
• Provide visibility into botnets, Trojan horses, worms, C&C, advanced threats, and infected
e.huawei.com