[Security and safety] Host intrusion detection is hard!
Author: Information security research  Time: 2022.08.06
Our journal launched the [Morning Safety] column a long time ago.
In the form of comic strips, it tells interesting stories and news from the "Internet security circle".
Contributions are very welcome.
In this issue we have teamed up with Qing Xiaobao, the security mascot of Aoko Cloud,
to talk about why host-side intrusion detection is so difficult...
Refuse to let the server be "robbed"
I was asked this question a few days ago:
Hosts are so important,
so why has host-side intrusion detection only started to draw attention in recent years?
The reason is actually simple: high technical barriers, large investment, high risk.
Most vendors are unwilling to gnaw on this hard bone.
1. What is HIDS?
A host intrusion detection system (HIDS)
is an intrusion detection system based on the host.
Right, this time it is not intrusion detection on the network side,
it is on the host side.
It works by running an agent on the monitored host.
The agent plays the role of the detection engine,
monitoring and detecting web backdoors (webshells), reverse shells,
local privilege escalation, system backdoors, mining trojans
and similar threats on the monitored host.
When suspicious behaviour or a security violation is discovered,
the system reports it to the administrator so that measures can be taken.
2. Why build HIDS?
To put it plainly, we are forced to by the evolution of attack techniques.
First, network intruders have plenty of tricks, and every trick is lethal.
Second, the adversary is sometimes already inside, where the perimeter cannot defend against them.
Finally, fewer and fewer intrusions can be blocked by border defence equipment
at all.
So if you want to ensure network security,
relying on a network intrusion detection system (NIDS)
and a firewall (FW) is not enough.
Instead, security protection must start from the core hosts.
This requires a HIDS tailored to the host,
protecting it around the clock.
3. Where is the technical barrier of HIDS?
Such an advanced, professional, all-powerful HIDS
is surely the "dream lover" of every security practitioner?
Although there are many HIDS vendors today,
most products have one problem or another
and struggle to meet users' real needs.
Either they miss too much and exist in name only:
nine times out of ten, no alert is raised.
Such a HIDS is almost the same as having none.
Or the alerts are overwhelming, and it is hard to tell true from false:
security staff receive hundreds of alerts a day,
but most of those alerts are meaningless,
because no one has time to handle them at all.
What is even worse is that
these false positives even drown out the genuinely valuable alerts.
Or they are signature-based and cannot detect unknown threats:
some HIDS products are "rigid";
they can only detect threats
against a preset signature library,
and when facing a type of threat that is not in the signature library
they become "blind".
4. What makes a good HIDS product?
1. Multi-dimensional detection capability:
monitor every node of the attack path
and provide cross-platform, multi-system support,
guaranteeing that compromised hosts are discovered in real time
and that intrusion behaviour is alerted on.
2. Detect and alert on "successful intrusions", seizing the key points:
alert only on intrusion behaviour that has actually succeeded,
reducing the number of alerts and making each alert more valuable.
3. Behaviour-based analysis, effectively discovering attacks that use unknown means:
combine expert experience, threat intelligence, big data, machine learning and
other analysis methods;
through real-time monitoring and a deep understanding of the user's host environment,
effectively discover all kinds of unknown attacks, including "0day" attacks.
4. Combine with asset information to provide the most accurate front-line information for response:
not only find the intrusion,
but also provide detailed intrusion analysis and response methods,
so that users can resolve the problem accurately and effectively.
Real-time intrusion incidents on the host
are sent to the SOC/SIEM platform for coordinated response,
providing services such as process termination, IP blocking, and file isolation/deletion.
If a HIDS product has the above skills,
it can implement host intrusion detection with
low missed detections, low false positives, proactive detection of unknown threats, and real-time linkage with security platforms.
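To make the four properties above concrete, here is a small added illustration that is not code from the original column, from Aoko Cloud, or from any HIDS product. It models a host agent's detection engine over a constructed process-event log: it flags the threat classes the article names (webshell, reverse shell, local privilege escalation, mining trojan), alerts only when several stages complete on the same process lineage (the "successful intrusion" rule that keeps alert counts low), and emits a SIEM-ready JSON record with the response actions the article lists. The event field names, the threshold `min_stages`, the host name `web-01` and the pool address `pool.example-mining.test` are all assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed process-event log (one JSON object per line), in the shape a
# host agent might hand to its detection engine. Field names are assumptions.
SAMPLE_EVENTS = """
{"ts": 1, "pid": 100, "ppid": 1, "uid": 33, "exe": "/usr/sbin/nginx", "argv": "nginx: worker"}
{"ts": 2, "pid": 101, "ppid": 100, "uid": 33, "exe": "/bin/sh", "argv": "sh -c id", "stdio_socket": true}
{"ts": 3, "pid": 102, "ppid": 101, "uid": 0, "exe": "/usr/bin/id", "argv": "id"}
{"ts": 4, "pid": 103, "ppid": 101, "uid": 33, "exe": "/tmp/kdevtmpfsi", "argv": "kdevtmpfsi", "dst": "pool.example-mining.test:3333"}
{"ts": 5, "pid": 200, "ppid": 1, "uid": 1000, "exe": "/bin/bash", "argv": "bash -l"}
{"ts": 6, "pid": 201, "ppid": 200, "uid": 0, "exe": "/usr/bin/sudo", "argv": "sudo apt update"}
{"ts": 7, "pid": 202, "ppid": 201, "uid": 0, "exe": "/usr/bin/apt", "argv": "apt update"}
"""

WEB_SERVERS = {"/usr/sbin/nginx", "/usr/sbin/apache2", "/usr/sbin/php-fpm"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
PRIV_BROKERS = {"/usr/bin/sudo", "/usr/bin/su", "/bin/su", "/usr/bin/pkexec"}
MINING_POOLS = {"pool.example-mining.test"}  # constructed stand-in for threat intel

# Recommended response per stage, following the linkage actions the article
# lists (process termination, IP blocking, file isolation/deletion).
RESPONSE = {
    "webshell": "kill process; isolate the web root file that spawned it",
    "reverse_shell": "kill process; block the remote IP at the host firewall",
    "priv_esc": "kill process; review how root was obtained without sudo/su",
    "mining": "kill process; isolate/delete the binary; block the pool address",
}


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_stages(events):
    """Return (pid, stage) pairs; each pair is one suspicious observation."""
    by_pid = {e["pid"]: e for e in events}
    stages = []
    for e in events:
        parent = by_pid.get(e["ppid"], {})
        # Web backdoor: a web server worker spawning a shell.
        if e["exe"] in SHELLS and parent.get("exe") in WEB_SERVERS:
            stages.append((e["pid"], "webshell"))
        # Reverse shell: a shell whose stdin/stdout is a network socket.
        if e["exe"] in SHELLS and e.get("stdio_socket"):
            stages.append((e["pid"], "reverse_shell"))
        # Local privilege escalation: root child of a non-root parent with no
        # legitimate setuid broker (sudo/su/pkexec) in the step.
        if (e["uid"] == 0 and parent and parent.get("uid", 0) != 0
                and e["exe"] not in PRIV_BROKERS
                and parent.get("exe") not in PRIV_BROKERS):
            stages.append((e["pid"], "priv_esc"))
        # Mining trojan: outbound connection to a known pool address.
        dst_host = e.get("dst", "").rsplit(":", 1)[0]
        if dst_host in MINING_POOLS:
            stages.append((e["pid"], "mining"))
    return stages


def lineage_root(pid, by_pid):
    """Walk ppid links up to the top-most known ancestor (the entry process)."""
    while by_pid.get(pid, {}).get("ppid") in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def build_alerts(events, host="web-01", min_stages=2):
    """Group observations per process lineage and alert only when at least
    min_stages distinct stages are present: one suspicious event stays
    context, a completed chain counts as a successful intrusion."""
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(dict)
    for pid, stage in detect_stages(events):
        chains[lineage_root(pid, by_pid)].setdefault(stage, pid)
    alerts = []
    for root, found in chains.items():
        if len(found) < min_stages:
            continue
        alerts.append({
            "host": host,
            "root_pid": root,
            "entry_exe": by_pid[root]["exe"],
            "stages": sorted(found),
            "pids": [found[s] for s in sorted(found)],
            "severity": "critical" if len(found) >= 3 else "high",
            "response": [RESPONSE[s] for s in sorted(found)],
        })
    return alerts


def to_siem_json(alerts):
    """Serialise alerts as one JSON document for forwarding to the SOC/SIEM."""
    return json.dumps(alerts, indent=2)


if __name__ == "__main__":
    print(to_siem_json(build_alerts(parse_events(SAMPLE_EVENTS))))
```

Run as-is, the nginx lineage (pid 100) produces a single critical alert carrying all four stages, while the interactive `bash -> sudo -> apt` lineage produces nothing, because sudo is an expected privilege broker. Raising `min_stages` shows the trade-off the article describes: a higher bar means fewer, more valuable alerts, at the cost of staying silent on a lone webshell spawn until a second stage follows.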
Okay, if you have any
needs or questions about intrusion detection or network security,
you can scan the QR code to add the WeChat of Qing Xiaobao's security engineer "father".
- END -