When terminal audit comes up, the usual topic is what information a terminal audit can record. But if we equate terminal audit with monitoring and recording, we fall into a misunderstanding of terminal audit. The real purpose of terminal audit is not to record every event that occurred on the terminal for later lookup; it is to collect evidence, analyze whether the implemented Intranet security management policies meet the security management requirements, and improve Intranet security.
I. Getting out of the terminal audit misunderstanding
An important feature of terminal audit is the ability to trace back historical events. For example: can it monitor and record which websites end users browsed and what content they viewed; can it monitor and record end users' file operations such as copying, deleting and modifying; can it monitor and record which documents end users printed and what they contained; can it monitor end users' MSN and QQ activity and record chat content; can it monitor and save screenshots of end users' terminals, and so on.
This feature makes it easy for many people to fall into the misunderstanding that terminal audit is about monitoring and recording. In fact, monitoring and recording the various kinds of terminal behavior information is only the starting point of terminal audit, not its purpose. The real purpose of terminal audit is to analyze abnormal terminal behavior, discover vulnerabilities in Intranet security management in a timely manner, and collect evidence of and warn against malicious behavior, so as to ensure the security of the Intranet.
In addition, as a type of information security audit, terminal audit has the following distinctive characteristics:
1. Massive terminal audit data
- Terminals are numerous, and each one is a data collection point
- Terminal audit data comes in many types: network behavior, file operations, printing, etc.
- The data produced by terminals every day is massive
- The massive volume of data drowns out the truly valuable information
2. Complex and variable terminal identities
- Diverse terminal identities: user name, IP address, MAC address, host name, software and hardware configuration information, etc.
- Changing terminal identities: illegal account theft, illegal modification of IP addresses, MAC addresses and other identity information
- Terminal behavior is not controllable: a network attack (such as ARP spoofing) can produce a large amount of "false" information
- Identity changes cause audit results to be attributed to the wrong terminal (the "Zhang guanli Dai" problem)
- Identity changes make audit results impossible to trace back to a terminal
If these distinctive features of terminal audit are not matched by correct audit objectives and methods, the audit results will be highly divergent and administrators or auditors will drown in the "ocean" of audit data. They will be unable to discover security vulnerabilities in the Intranet effectively, unable to check whether the Intranet security management policies are appropriate, and unable to locate malicious behavior precisely. The ultimate goal of terminal audit is lost.
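As an added example, not from the article or from Starling's product, here is a small Python check that illustrates the identity problem described above: audit records keyed on IP address alone become untraceable once IPs change or are spoofed, so the script keys them on host name plus MAC instead and flags IP/MAC/account inconsistencies for the auditor to review. The record layout and the log records are constructed.

```python
from collections import defaultdict

# Constructed terminal audit records (not from any real product).
# Fields: time, user, ip, mac, host, event
EVENTS = [
    ("09:00", "alice", "10.0.0.5", "aa:aa:aa:aa:aa:01", "PC-ALICE", "file_copy"),
    ("09:05", "alice", "10.0.0.5", "aa:aa:aa:aa:aa:01", "PC-ALICE", "print"),
    ("09:10", "bob",   "10.0.0.6", "aa:aa:aa:aa:aa:02", "PC-BOB",   "web_visit"),
    # bob's terminal now uses alice's former IP: IP-keyed audit would misattribute this
    ("09:12", "bob",   "10.0.0.5", "aa:aa:aa:aa:aa:02", "PC-BOB",   "file_delete"),
    ("09:15", "alice", "10.0.0.7", "aa:aa:aa:aa:aa:01", "PC-ALICE", "web_visit"),
    # alice's account used on a different terminal: candidate for account theft review
    ("09:20", "alice", "10.0.0.8", "aa:aa:aa:aa:aa:03", "PC-CAROL", "file_modify"),
]

def stable_terminal_id(rec):
    """Key a record on host name + MAC, which change far less often than the IP."""
    _, _, _, mac, host, _ = rec
    return f"{host}/{mac}"

def identity_conflicts(events):
    """Return (kind, key, count) findings for inconsistent terminal identities."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    user_to_terminals = defaultdict(set)
    for rec in events:
        _, user, ip, mac, _, _ = rec
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        user_to_terminals[user].add(stable_terminal_id(rec))
    findings = []
    # One IP seen with several MACs: IP reassignment, manual change or ARP spoofing
    findings += [("ip_multi_mac", ip, len(m)) for ip, m in ip_to_macs.items() if len(m) > 1]
    # One MAC seen with several IPs: the IP is not a reliable audit key for this terminal
    findings += [("mac_multi_ip", mac, len(i)) for mac, i in mac_to_ips.items() if len(i) > 1]
    # One account on several terminals: review for credential sharing or theft
    findings += [("user_multi_terminal", u, len(t)) for u, t in user_to_terminals.items() if len(t) > 1]
    return findings

def attribute_by_terminal(events):
    """Group event types per stable terminal so the trail survives IP changes."""
    grouped = defaultdict(list)
    for rec in events:
        grouped[stable_terminal_id(rec)].append(rec[5])
    return dict(grouped)

if __name__ == "__main__":
    for finding in identity_conflicts(EVENTS):
        print(finding)
    for terminal, actions in attribute_by_terminal(EVENTS).items():
        print(terminal, actions)
```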
II. Terminal control is for better auditing
Aiming at these characteristics of terminal audit and at its real value to users, Starling's Intranet security management product, the "Daily Intranet Security Risk Management and Audit System", re-interprets the goal and method of terminal audit.
Qi Mingxing holds that terminal auditing faces the challenges of "massive data" and "complex and changing terminal identities", and that the audit results must therefore be controlled effectively according to the audit objectives: discard the messy, disordered "interfering" behaviors and data, and retain the terminal behavior information that is truly valuable or highly relevant. This lets users quickly and effectively analyze and locate defects and malicious behavior in the Intranet and promotes the continuous improvement of Intranet security.
To locate weak points or attacks in the Intranet, the "Daily Intranet Security Risk Management and Audit System" not only provides audit functions for terminal behavior such as "file operation audit", "online behavior audit", "print audit", "violation policy event audit", abnormal routing audit and Windows logon audit; it also emphasizes "auditing with control as the premise". That is, the system first uses its "terminal access control", "terminal security control" and "mobile storage management" modules, together with the fine-grained terminal behavior controls of the audit module such as "file operation control", "online behavior control" and "print control", to ensure that only valid and secure terminals connect to the internal network and that network access is secure. This eliminates the vast majority of violations or attacks beforehand and makes the information obtained by terminal audit more accurate, effective and credible.
Only by analyzing accurate and reliable audit data can the weaknesses in the Intranet and the deficiencies in Intranet security management be identified, so that measures can be taken in time or the security policies of the existing Intranet security management system adjusted. Rather than monitoring and recording for the sake of auditing, control must come first: doing terminal security control well is the way to audit better.
Figure 1 shows the relationship between control and audit in the "Daily Intranet Security Risk Management and Audit System".
III. Daily promotes compliance of the Intranet security system
Starling's "tianyao Intranet security risk management and audit system" focuses closely on "compliance" and includes an enterprise-level host firewall system. It comprehensively improves Intranet security protection capability and compliance management through five-dimensional management: terminal access control, terminal security control, desktop compliance management, terminal leak control and terminal audit.
The tianyao system has led a new change in the Intranet security management model. While performing the Intranet security management function, it works together with the tianqing hanma USG integrated security gateway and the UTM unified security solution, which take "network border and terminal border" as the main protection targets, to build a multi-level defense-in-depth system. This replaces the traditional "passive, event-driven" Intranet security management model and opens a new stage of Intranet security management aimed at "active defense and compliance management".
Figure 2 shows the Daily five-dimensional Intranet compliance management model.