Today, the time it takes to produce a new network threat has shrunk to two seconds. The "Cloud Client Enterprise Security Impact Assessment Report" from Osterman Research in the U.S. shows that in today's network environment, a company with 5,000 employees that has deployed traditional endpoint protection will still see 2/3 of its endpoints infected within a year, at a cost to the company of 2.5 million yuan. At the same time, because the source of the infection cannot be located, the virus keeps re-infecting the corporate network, so the company's losses are continually magnified.
Terminals are targeted by hackers and virus writers because they store large amounts of sensitive data. Deploying each new virus signature to 1000 terminals takes at least 4 hours, and terminals are used directly by the enterprise's internal staff and are hard to manage, which makes the terminal the most vulnerable point in the enterprise network. Although cloud security technology reduces virus response time by 90%, it is still very necessary to judge and think carefully about the value of terminal security.
Can gateway security replace terminal security?
If the rise of cloud security shows that the field of information security is changing technically, the implications behind it are actually more interesting.
For a long time, gateway security was a well-regarded protection model. Because a defense system at the gateway can filter most communication content, many organizations focused their security on the gateway.
However, it has turned out that relying too heavily on gateway protection neglects the protection of the computer nodes inside the organization, and the result is still low security. The improvements in technology and functionality brought by cloud security are gratifying, and what they do for terminal security, and even for the whole security system, lets people see the possibility of changing security protection at the core level.
The terminal security dilemma of the traditional security system
In some typical security cases, organizations deploy security measures such as firewalls, intrusion detection, and VPNs. These measures appear to prevent external threats from entering the internal network, but they cannot manage internal security issues such as improper information storage and employee misuse.
Many survey reports show that corporate employees around the world are more likely to perform risky computer operations during working hours, such as visiting potentially dangerous sites and opening e-mail attachments from unknown sources. This may be due to the lack of a sufficiently strict and effective security management system, or to insufficient property-protection awareness among staff; in short, people at work do not seem to give network security issues the correct understanding and enough attention.
Network World in the United States reported that current network access control solutions often only evaluate the initial state of a terminal; once a terminal node has been admitted to the security system, its subsequent operations are rarely strictly monitored. This also reflects the current situation that terminal protection systems lack dynamic response capability.
As Oscar, global senior vice president of Trend Micro and general manager of Greater China, points out, if the reasons for and locations of security threats are not sufficiently visible, the IT department cannot determine the right solution or provide effective and timely security response services. Beyond identifying where security threats lie, traditional security management systems lack tools to effectively alert on and remediate security threats.
Lin Yu-min, chief solution advisor at Symantec China Technical Support, said that when a security incident occurs, IT departments often need to spend a lot of time locating the source of the threat and identifying its type, and only then work out and implement a solution. In terms of time, this tends to lag behind the spread of the threat: often all terminals have already been affected by the time the IT department begins the real work of dealing with it.
How cloud security helps terminal security
In fact, enumerating the many features of cloud security technology reveals that many of them can help improve terminal security. When security components attempt to detect security threats on terminals and in the internal network, the cloud security system provides more timely and effective threat identification. Using the strong correlation analysis capability of the cloud security system, security threats can be found and located more precisely.
In the next generation of cloud security technology, leading vendors are trying to embed a new signature management mechanism that separates the detection engine from its signatures. Through the communication channel provided by the cloud security system, signature storage and matching can be placed in the cloud, so that pushing large numbers of signature updates to every terminal in the network is no longer a precondition for security.
In a new generation of cloud security networks, a large part of the security threat detection capability migrates from the terminal to the cloud, while the client system only performs basic security functions such as scanning. During real-time protection, the client continuously cooperates with the cloud server, which reduces the client's burden: the end user gets better security protection with the least possible interference.
Taking Trend Micro's Cloud Security 2.0 as an example, its multi-protocol correlation analysis technology can analyze intelligence from nearly a hundred common protocols, trace the real position of an attack, and give the administrator real support for solving the security problem. In a truly mature cloud security system, security threat discovery and response cover every level from the network layer to the application layer, and the protection front runs through the cloud, gateways, terminals and other locations and regions.
The advent of Cloud Security 2.0 is bound to accelerate the mainstreaming of the cloud security architecture. Users should begin now to think carefully about whether their organization's computer terminals are adequately protected; the high management efficiency and high ROI of a cloud security system will undoubtedly attract users' attention.
Growing network threats and the way out for information security
From a supply-and-demand point of view, the emergence of cloud security technology is an inevitable result of countering the endless stream of new security threats. According to estimates, around 800 new security threats appeared every hour worldwide in 2008, and in 2009 the number of new security threats per hour reached 1500. At this rate, the number of new security threats per hour will exceed 10000 within 5 years.
High-speed growth of security threats has become the backdrop of the whole security world, and the traditional security response system, which relies on manual analysis of malware features, can no longer meet the needs of security protection. Under this premise, the cloud security network, with its advantage of sharing global security threat information, becomes an important way forward for the field of information security.
A correct understanding of cloud security
It may be difficult even for security experts to give an accurate definition of cloud security from the various vendors' promotional materials alone. In fact, defining cloud security from a technical point of view is not difficult, but when it is mapped to actual products and operations, it is like the poet's mountain that "looks like a ridge from the side and a peak from the front, different from every distance and height". This shows that cloud security is embodied as a very complex system, and also that different security vendors have different positioning and investment in cloud security.
Many users understand cloud security as a completely new security model, while others understand it as an upgrade to the traditional security system. In fact, both understandings have merit: cloud security is more like a specific application of cloud computing technology in the security domain, but its innovation comes more from the user and operational levels.
The cloud security system gives security vendors a better understanding of the changing dynamics of global security threats, while also helping them discover new ones. Whether foreign or domestic, vendors that have really invested in the field of cloud security show exponential growth in the number of threats they collect and the speed at which they collect them. Trend Micro has tens of thousands of its own cloud servers, and Jinshan (Kingsoft) has set aside an entire floor of its headquarters office building for its cloud security system; the number of virus samples held by the vendors that have invested in the cloud security field has already reached the tens (the unit is missing in the source).
More importantly, with huge amounts of security threat data, vendors can dynamically adjust the working state of their cloud protection systems according to the threats. An outbreak defense system like Trend Micro's needs enough monitoring points and statistical data to support it, and can be regarded as one of the earliest applications of cloud security.
At the core, current cloud security applications focus on blocking user access to identified security threats and potentially risky ones, mainly because cloud security systems can significantly speed up vendors' response to security threats. One of the more misleading questions is whether cloud security is a better way to deal with unknown security threats. Essentially, the main improvement of cloud security is the ability to respond better and faster to known security threats. However, under certain conditions, cloud security can also help protect against unknown security threats.
Suppose a piece of malware that has just appeared on the Internet infects its first computer. To that computer, this malware is an unknown security threat, but if the computer reports the infection and the program to the cloud security network, then other computers using the security cloud service have a greater chance of avoiding infection by the program than under the traditional model. In other words, the cloud security system reduces the damage caused by an unknown security threat by letting vendors and users discover new security threats more quickly, independently of unknown-threat detection technology.
The choice and path of cloud security
When "cloud security" became a buzzword attracting public attention, every security vendor announced support for it, a scene that looked much like when UTM first appeared. How to correctly view the effect of cloud security and how to choose products that really support it are questions that users buying security products need to take seriously.
In the current situation, choosing the products of first-tier vendors gets stronger protection, and not just because of brand and credibility. For a cloud security system, the amount of investment and the number of users, equivalent to the size and density of the cloud, also determine the quality of the cloud's work.
First-generation cloud security technology: massive collection to deal with massive threats
The cloud security technology first integrated into security products focused on returning information collected from end users to the security cloud, and returning the analysis results to end customers. The benefit of this approach is the ability to leverage the vast computing power of the cloud security system and shared security threat information to provide more timely and efficient protection for end users. In the traditional security protection model, vendors often relied on manual methods to collect security threat information.
With the popularity of high-speed Internet connections, a new security threat is fully capable of spreading across the global network within hours or even less than one hour, and the old security response system is riddled with loopholes. After the cloud security system is applied, the vendor can shift threat collection to end users' computers, basing it on their access behavior and infections, to get a more accurate picture of how security threats emerge and spread.
For operations that are clearly potentially harmful, the cloud security system automatically labels them as security threats, so that when other computers perform the same or similar operations they receive warnings from the cloud and gain immunity to the threat at near-real-time speed. In fact, in a well-functioning cloud security system, a new threat is identified and confirmed in a very short time, even less than the time a terminal computer needs to download and load a virus signature update, which provides a good technical basis for improving the response speed of security products.
Second-generation cloud security technology: more comprehensive and thorough cloud security
In fact, the product functions of first-generation cloud security technology were based more on information collection, with few security features that really produced an effect. A notable feature of second-generation cloud security technology is that the security functions of the cloud security system are used more fully and widely. At present, a number of mainstream security vendors have launched products with Cloud Security 2.0 characteristics. Taking Trend Micro, the first to promote cloud security technology, the latest versions of its product line all integrate so-called file reputation technology.
As the name suggests, just as web reputation technology checks the safety of web addresses in the cloud, file reputation technology determines through the cloud whether a file on the client contains a malicious threat. In the traditional signature recognition technique, hash values of different parts of a file are compared with the hash values of the file being checked, which is used to judge whether the file is infected.
Unlike the traditional approach of placing signatures on the client side, file reputation technology based on a cloud security system places that information in the cloud (such as a global cloud security network or a cloud security server in the LAN). The obvious benefit is that the protection system is no longer blind to the latest security threats during the interval between an update file's release and its deployment to the client.
By connecting to a cloud server, the terminal computer always gets the latest protection. If first-generation cloud security technology improved the speed of discovering security threats, second-generation cloud security technology allows protection to detect and identify the latest security threats at near-real-time speed.
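The three mechanisms described above, the engine/signature separation, the first-sighting report that protects every other client once a verdict is published, and the hash-based file reputation lookup, fit together in one small client. The following is an added example written for this article, not code from Trend Micro or any product in the review. ReputationCloud is an in-memory stand-in for the vendor's reputation service (a real client would query it over authenticated HTTPS), and the verdict names, the cache TTL and the sample bytes are all constructed for the example.

```python
"""Cloud file-reputation lookup with a local cache: added example, not vendor code.
ReputationCloud is a constructed stand-in for the shared reputation service."""
import hashlib
import time

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"   # assumed verdict names


class ReputationCloud:
    """Constructed stand-in for the vendor's reputation service."""

    def __init__(self):
        self._verdicts = {}     # sha256 hex digest -> verdict
        self.submissions = []   # digests first seen by clients, queued for analysis

    def lookup(self, digest):
        return self._verdicts.get(digest, UNKNOWN)

    def submit(self, digest):
        if digest not in self.submissions:
            self.submissions.append(digest)

    def publish(self, digest, verdict):
        """Analysis (manual or automated) publishes a verdict. Every client sees
        it on its next lookup; no signature file is pushed to any terminal."""
        self._verdicts[digest] = verdict


class ReputationClient:
    def __init__(self, cloud, local_signatures=(), cache_ttl=300.0):
        self.cloud = cloud
        self.local_signatures = set(local_signatures)  # classic on-disk hash signatures
        self.cache_ttl = cache_ttl                      # seconds a cloud verdict stays valid
        self.online = True
        self._cache = {}                                # digest -> (verdict, expiry)

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def classify(self, data, now=None):
        now = time.time() if now is None else now
        d = self.digest(data)
        # 1. Fresh cached verdict: no round trip at all.
        hit = self._cache.get(d)
        if hit is not None and hit[1] > now:
            return hit[0]
        # 2. Local signatures still work when the cloud is unreachable.
        if d in self.local_signatures:
            return MALICIOUS
        # 3. Cloud lookup. Failure mode: offline with nothing cached gives UNKNOWN,
        #    which the caller must handle by policy rather than treat as clean.
        if not self.online:
            return UNKNOWN
        verdict = self.cloud.lookup(d)
        if verdict == UNKNOWN:
            self.cloud.submit(d)      # first sighting anywhere: report for analysis
        else:
            # UNKNOWN is never cached; it is the verdict most likely to change.
            self._cache[d] = (verdict, now + self.cache_ttl)
        return verdict


def demo():
    """Two clients sharing one cloud: the first sighting is reported, and the
    second client is protected as soon as the verdict is published."""
    cloud = ReputationCloud()
    first, second = ReputationClient(cloud), ReputationClient(cloud)
    sample = b"constructed sample bytes, not real malware"
    v1 = first.classify(sample, now=1000)        # unknown, submitted for analysis
    cloud.publish(ReputationClient.digest(sample), MALICIOUS)
    v2 = second.classify(sample, now=1001)       # malicious, with no local update
    second.online = False
    v3 = second.classify(sample, now=1200)       # still served from the local cache
    v4 = second.classify(sample, now=1400)       # cache expired while offline
    return v1, v2, v3, v4


if __name__ == "__main__":
    print(demo())
```

The last step of demo() is the caveat the section glosses over: a client that has lost its cloud connection and whose cache has expired is back to whatever local signatures it still carries, so the policy for an UNKNOWN verdict (block, allow and monitor, or prompt) and the decision to keep a local signature set are what determine how much protection survives an outage.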
Next-generation cloud security technology: smart cloud
It is believed that in time almost all security features will be seamlessly connected to the cloud, bringing security up to the level of the cloud. After the core problem of security threat response speed is solved, improving the quality of security protection will be the next proposition for cloud security.
Because of the huge resources at the cloud security system's disposal, users will undoubtedly be very interested in how far it can replace manual analysis and handling. In fact, this is an important indicator of how much the protective capability of security products can improve in nature.
On the other hand, end users should expect to be able to operate and manage the security cloud more through their own product interface. Customization capabilities that used to live in client-side protection products will shift to the cloud, where users can decide which security features need to be connected to the cloud and which must use a local protection engine. In version 3.0 or even 4.0 of the cloud security technology system, users will gain greater freedom, and a new era of security will begin.
In order to better simulate common security roles such as the management center, server client and workstation client, we used five computers in this evaluation: one as the management server and the others as terminal computers.
For the network environment, we used a TP-Link TL-R860 router as the connecting device, with all test computers connected to it over 100 Mbps Ethernet. The device also had a 2Mbps China Netcom broadband line to provide Internet access. During testing, we tested the products completely separately, that is, only after one product had been fully tested was the next product tested, to avoid interference between them.
Four products were evaluated, including Trend Micro OfficeScan 10.0 and Panda AdminSecure Business. We regret that, because the other two participating vendors were about to release new product versions, their real vendor and product names are hidden in this review. We review them in general terms to give readers an idea of the latest developments in these products; the article uses X and Y for the products whose real vendors are hidden.
On the performance side, system resource usage after product installation and product running speed are the focus. By comparing disk space usage before and after installation we can see how much hard disk the product consumes, and the test engineers also evaluated processor and memory usage on the management server and clients. Detection engine speed has always been a standard item in evaluating security product performance, and this test is done by scanning a system partition containing 4GB of files. To determine whether the product's detection engine supports a file fingerprint mechanism, the scan is performed twice, with the computer restarted before each run so that the timing is more accurate.
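The "scan twice" check works because a fingerprint mechanism skips the engine for files it has already cleared and that have not changed since. The following added example (written for this article, not code from any product in the review) shows one way such a cache is built, with a toy detection engine that just looks for a constructed marker string; the three-level design (metadata check, then content hash, then engine) and the engine_version field are assumptions of the example, not a description of any vendor's implementation.

```python
"""Scan cache keyed on file fingerprints: added example, not product code.
The engine is a toy; a real one is far more expensive, which is exactly why
skipping unchanged files makes the second scan of the same partition faster."""
import hashlib
import os
from pathlib import Path

MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # constructed for this example, not a real signature


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def toy_engine(path):
    """Stand-in for the detection engine: flags files containing MARKER."""
    return "infected" if MARKER in Path(path).read_bytes() else "clean"


def scan_tree(root, cache, engine_version):
    """Scan every file under root. cache maps path -> fingerprint record and is
    updated in place; bumping engine_version invalidates every cached verdict,
    which is what a signature or engine update must do."""
    stats = {"scanned": 0, "hashed": 0, "skipped": 0}
    results = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        key = str(path)
        st = path.stat()
        rec = cache.get(key)
        fresh = rec is not None and rec["engine"] == engine_version
        # Level 1: size and mtime unchanged -> skip without even reading the file.
        if fresh and rec["size"] == st.st_size and rec["mtime_ns"] == st.st_mtime_ns:
            stats["skipped"] += 1
            results[key] = rec["verdict"]
            continue
        # Level 2: metadata changed but content may not have (e.g. a touch);
        # hashing is much cheaper than a full engine scan.
        digest = sha256_of(path)
        stats["hashed"] += 1
        if fresh and rec["digest"] == digest:
            rec["size"], rec["mtime_ns"] = st.st_size, st.st_mtime_ns
            results[key] = rec["verdict"]
            continue
        # Level 3: new or changed content -> run the engine and record the fingerprint.
        verdict = toy_engine(path)
        stats["scanned"] += 1
        cache[key] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                      "digest": digest, "engine": engine_version, "verdict": verdict}
        results[key] = verdict
    return stats, results


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    Path(root, "a.bin").write_bytes(b"constructed clean file")
    Path(root, "b.bin").write_bytes(b"prefix " + MARKER + b" suffix")
    cache = {}
    print(scan_tree(root, cache, 1)[0])   # first run: everything scanned
    print(scan_tree(root, cache, 1)[0])   # second run: everything skipped
```

The level-1 check is the fast path a product needs to win the second timing run, and it is also the weak point: anything that rewrites a file while restoring its size and timestamp is skipped until the cache is invalidated, which is why the engine_version bump forces a full rescan after every signature update and why the cache must itself be stored where a non-privileged user cannot edit it.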
We selected 100 malicious program samples collected from real application environments, covering common malware categories such as worms, trojans, script viruses, adware and hacker tools. The test set also included some unauthenticated programs that may contain security threats, to verify the participating products' ability to detect unknown threats. During testing, every product's detection engine was set to its highest identification level, and all options that help improve detection were enabled.
As another core protection module, the firewall was also given a number of specialized test items. Using the ShieldsUP! online detection tool provided by the GRC website, we can see what a computer's network ports look like from the outside. This tool analyzes the first 1056 ports of the computer and additionally reports whether the computer responds to ping requests. In addition, a set of tools was used to test whether the firewall component reacts correctly when various methods are used to establish outgoing connections from a terminal computer. The working mechanisms of these test tools are described below.
· LeakTest: the tool establishes an outbound connection from the computer under test; if the firewall component notices the connection being established, it is considered able to recognize basic outbound connection activity.
· FireHole: the tool calls the system's default browser to transfer data to a remote host, creating a DLL with interception capability on the computer so that the data is sent under the guise of the browser process.
· PCFlank: like FireHole, this tool verifies how the firewall handles a program it trusts using the Windows OLE Automation mechanism to call another program.
· ZABypass: the tool uses Dynamic Data Exchange (DDE) to access data on Internet servers through the system's IE browser.
· Jumper: the tool generates a DLL file, hooks it into Explorer.exe, and then closes and restarts that program so that the DLL is executed. This test also examines the firewall component's ability to prevent DLL injection and to protect registry key locations.
· Ghost: spoofs the firewall component by modifying the PID of the browser process so that information is sent to the Internet through the system's default browser, mainly to test whether the firewall implements process-level monitoring.
Cloud security test
A number of test items in this evaluation were dedicated to today's hottest topic, cloud security technology. First, our engineers verified whether the tested product supports a cloud security network and which cloud security features it supports; for example, a web site containing malicious code can be used to determine whether a participating product supports cloud web threat recognition. In addition, we tried to use the product's cloud capabilities to detect the 100 malware samples mentioned above, comparing detection rate and handling capability with the traditional scan engine, to verify how much of a role the cloud security mechanism plays in the product's effectiveness.
Management mechanism test
Management capability is the most important part of enterprise security products. By inspecting and evaluating terminal management, terminal deployment, authority management, configuration management and so on, we can obtain first-hand evidence of whether the product's management mechanism is robust and effective.
At the same time, the characteristics of the product clients, especially the management end's authorization and control over the clients, are also an issue that network versions of security products need to focus on.
In terms of ease of use, we follow common assessment methods in the software industry: muscle-event tests that reflect the physical operational burden, screen utilization tests for interface design, and memory load tests that reflect the operational processes.
Combined with analysis of interface element arrangement and interface guidance, this yields a comprehensive evaluation of software usability. Usability testing was aimed mainly at the control center module of each participating product and did not evaluate the terminal software deployed on servers and workstations.
In this review, by comparing cloud security products with traditional products, we found that cloud security products put less of a burden on clients. Trend Micro has implemented cloud security almost completely in its product; from the infrastructure to the core features, the cloud security technology is fully functional. Panda's cloud security application, however, remains at the level of a background auxiliary service, and users get no clear picture from the front-end functions of how cloud security is actually applied. By contrast, X and Y have achieved considerable results in cloud security applications and have considerable cloud security network support, which helps greatly with discovering and collecting security threats.
Through the evaluation we also found that current mainstream enterprise-class security products are not converging on a single development path. Based on different understandings of the market and different customer orientations, each vendor's product reflects its own distinctive features and design.
In terms of target user groups, Trend Micro's product can adapt to any user group, and its performance is fairly balanced. Panda is more suitable for enterprises with mixed system platforms and external network connections, for example some commercial enterprises.
Because the product performs well in every aspect and integrates powerful Cloud Security 2.0 technology, Trend Micro wins the evaluation's "champion" title without dispute. In both protection and management capability, Trend Micro can fully meet the needs of SME users; we strongly recommend that users consider this product to protect their corporate networks, as the gains in efficiency and security strength are considerable.