How terminal auditing can better serve Intranet Security

Source: Internet
Author: User

The real purpose of terminal audit is not to record every event that has occurred on the terminal for future queries, but to collect evidence, analyze whether the implemented Intranet security management policies meet the security management requirements, and promote the continuous improvement of Intranet security.

I. Moving past the terminal audit misunderstanding

An important feature of terminal audit is the ability to trace back historical events. For example: can you monitor and record the websites and web content browsed by end users; can you monitor and record operations such as copying, deleting, and modifying files by end users; can you monitor and record which documents and what content end users print; can you monitor the MSN and QQ behavior of end users and record chat content; can you monitor and save the terminal screen images and content of end users ...

This feature makes it easy for many people to fall into the misunderstanding that terminal audit exists for monitoring and recording. In fact, monitoring and recording terminal behavior information is only the beginning of terminal audit, not its purpose. The real purpose of terminal audit is to analyze abnormal terminal behavior, discover vulnerabilities in Intranet security management in a timely manner, and collect evidence of and warn against malicious behavior, so as to ensure the security of the Intranet.

In addition, as a type of information security audit, terminal audit has the following distinctive characteristics:

1. Massive terminal audit data

- Many terminals, each of which is a data collection point

- Terminal audit data types: network behavior, file operations, printing, etc.

- The data produced by terminals every day is massive.

- The massive amount of data drowns out the truly valuable information.

2. Complex and variable terminal identities

- Diverse terminal identities: user name, IP address, MAC address, host name, software and hardware configuration information, etc.

- Changing terminal identities: account theft, unauthorized modification of IP addresses, MAC addresses, and other identity information

- Terminal behavior is uncontrollable: a network attack (such as ARP spoofing) can produce a large amount of "false" information.

- Identity changes cause audit results to be attributed to the wrong party ("Zhang guan Li dai", putting Zhang's hat on Li's head).

- The audit results cannot be traced because of terminal identity changes.

Given these distinctive characteristics, if the audit objectives and methods are not correct, the audit results will be highly divergent, and administrators or auditors will be drowned in an "ocean" of audit data. They will not be able to discover security vulnerabilities in the Intranet effectively, check whether Intranet security management policies are appropriate, or locate malicious behavior precisely. The ultimate goal of terminal auditing is lost.

II. Terminal control is for better auditing

In view of the characteristics of terminal audit and its real value to users, the Intranet security management product re-interprets the objectives and methods of terminal audit.

Terminal audit faces two challenges: potentially massive data, and complex and variable terminal identities. The audit results therefore have to be controlled according to the audit objectives: discard messy, unordered "interfering" behaviors and data, and retain the terminal behavior information that is truly valuable or highly relevant. This helps users quickly and effectively analyze and locate defects and malicious behavior in the Intranet, and promotes the continuous improvement of Intranet security.
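The identity problem and the filtering step described above, as an added example (not from the original article or from any product): an audit record is attributed to a terminal only when its user name, IP, MAC and host name all match the same registered terminal, and records with conflicting identity go to a review list instead of being pinned on the wrong party. The register, the field names and the records are constructed for illustration.

```python
from collections import defaultdict

# Constructed asset register: terminal id -> registered identity attributes.
REGISTER = {
    "T-001": {"user": "alice", "ip": "10.0.0.11", "mac": "00:11:22:33:44:01", "host": "WS-ALICE"},
    "T-002": {"user": "bob", "ip": "10.0.0.12", "mac": "00:11:22:33:44:02", "host": "WS-BOB"},
}

# Constructed audit records (hypothetical field names), as a collector might emit them.
RECORDS = [
    {"ts": 1, "user": "alice", "ip": "10.0.0.11", "mac": "00:11:22:33:44:01", "host": "WS-ALICE", "event": "print"},
    {"ts": 2, "user": "bob", "ip": "10.0.0.12", "mac": "00:11:22:33:44:02", "host": "WS-BOB", "event": "file_copy"},
    # IP registered to T-001 but MAC registered to T-002: changed IP or spoofed traffic.
    {"ts": 3, "user": "bob", "ip": "10.0.0.11", "mac": "00:11:22:33:44:02", "host": "WS-BOB", "event": "file_copy"},
    # Unregistered MAC claiming a registered IP.
    {"ts": 4, "user": "alice", "ip": "10.0.0.11", "mac": "de:ad:be:ef:00:99", "host": "WS-ALICE", "event": "web"},
]

KEYS = ("user", "ip", "mac", "host")

def resolve(record, register=REGISTER):
    """Return (terminal_id, owners). terminal_id is None unless every
    identity attribute points at the same registered terminal."""
    owners = {
        key: next((tid for tid, ident in register.items() if ident[key] == record[key]), None)
        for key in KEYS
    }
    distinct = set(owners.values())
    if len(distinct) == 1 and None not in distinct:
        return distinct.pop(), {}
    return None, owners

def triage(records, register=REGISTER):
    """Split records into attributable events and identity conflicts to review."""
    attributed, review = defaultdict(list), []
    for rec in records:
        tid, owners = resolve(rec, register)
        if tid:
            attributed[tid].append(rec["ts"])
        else:
            review.append((rec["ts"], owners))
    return dict(attributed), review

if __name__ == "__main__":
    print(triage(RECORDS))
```

The review list shows, per attribute, which registered terminal (if any) owns the value, which is what an auditor needs to see where the identity diverged.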

To locate weak points or attacks on the Intranet, the Intranet security management product provides audit functions related to terminal behavior, such as terminal file operation audit, Internet behavior audit, print audit, policy violation event audit, abnormal routing audit, and Windows logon audit. At the same time, it emphasizes that auditing is premised on control. Through its powerful terminal access control, terminal security control, and mobile storage management and audit modules, together with fine-grained terminal behavior control such as file operation control, online behavior control, and print control, it ensures that only valid and secure terminals connect to the internal network and that network access is secure. This effectively eliminates the vast majority of violations or attacks, and so ensures that the information obtained by terminal audit is more accurate, effective, and credible.

Vulnerabilities in Intranet security management and in the Intranet itself can be identified only by analyzing accurate and reliable audit data, which in turn prompts timely measures or adjustments to the security policies of the existing Intranet security management system. Rather than monitoring and recording for the sake of auditing, control must come first: doing terminal security control well is what makes better auditing possible.
