Antiy Situational Awareness and Continuous Monitoring and Early Warning Platform
Introduction
Antiy Situational Awareness and Continuous Monitoring and Early Warning Platform (Antiy Situational Awareness Platform for short) is a set of capabilities that integrates threat intelligence and in-depth analysis through its awareness capabilities and supports situation analysis, security strategy making, notification and early warning disposal, and interactive security analysis of information assets. It is a new system for global cybersecurity control and awareness that gives users privatized threat awareness capabilities based on their protective objectives. The platform is applicable to security regulatory departments, industry users, key infrastructure management agencies, and large and medium-sized enterprises and institutions, because it provides intelligence monitoring and early warning, threat detection and awareness, in-depth analysis and disposal, and security business management with multi-angle presentation of security businesses and services. It can therefore not only discover the “status” of various types of attacks but also, to some extent, perceive the “trend” of unknown attacks, giving a view of the security situation of the whole network. The platform mainly serves two types of users. The first is network security supervisory departments and functional departments, which it helps to improve the network security situation within their jurisdictions and geographical scope, to control the network security situation globally, and to assist upper-level leaders in making rational, trend-informed security decisions. The second is critical infrastructure and industry users, for whose intranet environments it provides comprehensive, in-depth security protection and a hierarchical assessment of asset security, effectively reducing the risk of threats to critical assets.
The overview of Antiy Internet Threat Situation
The overview of Antiy Information Assets and Risk Awareness
Functions
As the hub and brain of the entire security monitoring and defense system, the situational awareness platform uses its coordination, management, and analysis capabilities to collect, analyze, coordinate, and comprehensively judge data from network traffic and boundaries, business systems, and host endpoints. Specifically, it: accesses heterogeneous data from multiple sources and aggregates it under unified management; combs attack event chains based on security scenarios; provides accurate and timely alerts on high-risk events among massive numbers of events; rapidly focuses on and locates high-risk assets within monitored areas; enables the corresponding disposal processes, such as vulnerability response, notification and early warning, and reporting and release, for different threats; provides more detailed visualization of the attack history, status, and trends of multiple attack scenarios; and reports threat-directed early warnings based on tags and vectors.
In the face of a complex cyber-attack environment, it is necessary to build, at a level above individual security products, a situational awareness platform whose security capabilities (for attack layers, defenses, in-depth analysis, and effective response) can be integrated, coordinated, and dynamically improved. The situational awareness platform takes asset protection as its core task. It combines asset classification, attribution, and feature-based classified protection to track threats and hidden dangers to key assets, establishes global situational awareness, and effectively addresses targeted attacks on key assets. The platform collects data at multiple points from traffic, endpoints, and borders. Based on fine-grained data collection and detection, partial long-term retention policies, and in-depth analysis of threats, it provides effective, in-depth correlation analysis of network scenarios. This allows it to trace threats back through historical data, watch for similar threats in the future, reconstruct the entire attack operation, and build a threat awareness system that detects, identifies, analyzes, and responds to threats. Thus, on top of traditional single-point defense, it gives the user in-depth global perception of threats, overall coordination of security equipment, and superior dynamic detection and analysis capabilities.
Techniques
The basic working principle of the situational awareness platform is to aggregate multi-source heterogeneous data under centralized management and to mine and analyze events in depth based on security scenarios. The result is a visualized presentation of the situation, so that threats can be discovered and perceived early, which effectively supports supervisory departments in business processes such as notification, early warning, and fast disposal. The basic resources for security situation presentation and data analysis are therefore the awareness results and threat events formed by converging data from endpoints, networks, borders, and various detection tools. The situational awareness platform is based on Antiy Persistent Threat Detection System (PTD, applicable to networks), Intelligent Endpoint Protection System (IEP, applicable to endpoints), and Persistent Threat Prevention System (PTF, applicable to perimeters). It incorporates five types of security data, including third-party passive traffic monitoring and endpoint scanning, host honeypots, host detection, and mobile terminal detection, and turns this heterogeneous data into events on the platform through de-heterogenization and knowledge processing. In addition, the platform can be connected to a clustered deployment of Antiy Persistent Threat Analysis System, which automatically increases the platform's analysis and awareness capabilities by importing its analysis capabilities. Relying on Antiy's security threat detection capability, the platform implements fine-grained vector disassembly and multi-angle tagging output. On this basis, it analyzes and retrieves events, customizes rules, traces past events and predicts future ones, and reports and pushes the corresponding knowledge and rules. It can thereby effectively support regulatory departments' internal vulnerability response, notification and early warning, intelligence sharing, and other services, and establish a corresponding workflow and results feedback mechanism.
Features
Antiy Situational Awareness Platform has three features. First, in terms of practical application value, it breaks with the traditional design of some early situational awareness systems, which mainly gave people large-screen visualization with the “map cannon” at its core and “real-time” display as its main purpose. It provides a complete business process covering threat discovery, detection, presentation, alarm, analysis, judgment, early warning, and final disposal, and avoids being pleasant to the eye but of no use. It can meet the actual business needs of different user roles, such as providing threat detection methods for system operators, in-depth analysis of threats for advanced security analysts, and a basis for security decision-making for upper management. Second, in terms of analysis granularity, full-factor data collection and fine-grained vector disassembly are provided by the next-generation threat detection engine and PTD, both independently researched and developed by Antiy. Unlike many traditional situational awareness systems, it does not merely sort and analyze abnormal events that have already been discovered; it extends analysis to the full set of events and to all targets, completing the evolution from simple analysis of event names, labels, and risk levels to vector-level analysis. Antiy situational awareness can use object tags and object vectors as the data basis for conditional retrieval, filtering, correlation, aggregation, and other analysis operations. Through the tagging of events, various threat scenes are constructed. With the help of clue vectors generated by in-depth analysis, special rules can be implemented to trace historical events of unknown and advanced threats. At the same time, by linking with security devices, it can discover similar attacks initiated by key targets in a timely manner. This scenario-based ability to trace backwards is similar to previous ones. Single detection results have stronger threat resistance and threat prevention capabilities than simple detection rules. Third, in terms of visualization, it can perform interactive visual asset management. It breaks through the restrictions of traditional macro maps and “cannon” presentation methods for platform-managed assets and security data, offering a more detailed visual topology display of the organizational structure in three-dimensional space, multi-layer labeling of asset threats and hidden dangers, and virtualized asset management that is global, clear, and intuitive through rational layout. It thus provides global search, filtering, and tagging of assets, and can carry out further in-depth analysis of specific assets.
Advantages
Antiy situational awareness platform has three advantages. First, owing to 17 years of deep analysis experience with malicious code and security threats, especially long-term continuous tracking of and confrontation with overseas advanced attack organizations such as Equation, White Elephant and APT-TOCS, Antiy has accumulated a wealth of threat confrontation experience and mastered more comprehensive threat analysis technology, which can provide high-value threat detection results and help users make more reasonable security decisions. Second, Antiy has an entire security product system spanning network traffic monitoring, endpoint security defense, boundary threat blocking, and in-depth threat analysis. As an upper-level business system, the platform can integrate and manage all of these products well while providing global awareness of the security situation. It thereby achieves collaborative linkage between threat detection and security response, shortens the time needed to discover and dispose of problems, and gives users a privatized security detection capability. Third, Antiy has rich threat intelligence and a large client user base built up over many years, with an installed base of over one billion clients and more than one hundred thousand firewalls. Based on this data, together with the experience and knowledge of professional analysts, it can form a more accurate detection and analysis capability for unknown threats and APT attacks.
Cases
After 17 years of continuous accumulation, Antiy has launched advanced solutions to deal with various threats, provided network security guarantees for major national and regional events, undertaken the construction of monitoring and early warning platforms for a number of large-scale projects, and built a solid foundation in security integration. Since 2002, Antiy has successively undertaken the construction of the nation’s large-scale backbone network traffic malicious code monitoring and large-scale analysis system, the establishment of a centralized detection and analysis system for malicious code, and security guarantee work for important cyber security projects. Its achievements, including a state-of-the-art network situational awareness and notification system for three countries in Northeast China, the Cyberspace Administration of China Situational Platform, the Heilongjiang Network Information Office Provincial Area Monitoring and Early Warning Platform and so on, have been fully affirmed and recognized by the national competent authorities and users.