Tencent Security Operation Center integrates UEBA capabilities to help enterprises ensure internal network security

2022-06-24 05:21:00 Tencent security

The arrival of the digital economy era is accompanied by increasingly severe network threats. Compared with external intrusion, internal threats are more harmful and better hidden, and they are difficult to prevent and deal with. According to 2019 annual survey data, global enterprises lost more than 10 billion yuan due to information security incidents, and more than 60% of the losses were caused by internal problems. Most of the major network security incidents that have broken out around the world were also caused by internal threats, such as sensitive data leakage resulting from employees' illegal or unintentional operations, or identities being falsely used. Even external intrusions often first invade and take control of an internal device and then attack from the inside. Such threats are more harmful, better hidden, and difficult to prevent and deal with, so internal security threats have become an urgent security problem.

To help enterprises better deal with internal threats, the Tencent Security Operation Center (SOC) has launched a UEBA analysis capability. Built around four security scenarios (account anomalies, device anomalies, lateral movement and data security), it helps customers detect risks efficiently, accurately and promptly, so that they can improve their own internal security protection and effectively reduce the impact of internal threats.

UEBA (User and Entity Behavior Analytics) is receiving more and more attention as an important analysis technology for anomaly discovery. It combines office and production logs with alerts from third-party security products (such as HIDS and NTA) and focuses on analyzing the risks of users and devices. Through risk detection and behavior analysis of users and devices, it can perceive the internal security situation promptly and accurately.

As a key subsystem of the Tencent Security Operation Center (SOC), the UEBA capability uses a self-built rule analysis engine, portrait detection engine and machine learning detection engine to quickly analyze the massive security alert data of the whole network. It builds a baseline for the behavior of entities in the network and then, against that baseline, detects high-risk operations in which users or entities deviate from the "normal" pattern. In this way it detects security weak points or suspected attack behavior in the network and helps enterprises reduce the risk of internal threats.

With the support of the UEBA capability, the Tencent Security Operation Center (SOC) has greatly improved its ability to identify and discover internal network security threats, enhance the visibility of network security events, and reduce the management cost of the network security team. For example, employees may fall for a phishing website or have a simple password cracked, so that their login account and password are lost, or a device may have a security vulnerability and come under an intruder's control, with the result that attackers use the vulnerability to carry out a series of lateral penetration activities on the intranet. UEBA can record and analyze such account anomalies and raise an alert promptly once it has analyzed the account's suspicious behavior. It can also analyze the access of end users or entities to sensitive data, finding threats and eliminating risk before the enterprise's information is leaked.

Beyond this, the UEBA capability helps security operations staff untangle massive logs thread by thread, handle massive alert volumes efficiently, and perform more granular threat detection. This reduces management difficulty, improves alert accuracy, and effectively lowers the management cost of the network security team.

In general, the UEBA capability of the Tencent Security Operation Center (SOC) currently has six product advantages:

First, it makes full use of the alerts from the targeted security products the customer has already purchased, analyzes the high-value alerts, and binds each alert to a user and a device, which makes it easier for security operations staff to investigate and assess them;

Second, it focuses on scoring users and entities and builds a soft-association, data-driven scoring framework, so that massive alert volumes are handled efficiently and the impact of false positives is removed;

Third, it provides an "intelligent timeline" operation mode that connects all kinds of anomalies and activities on users, accounts, assets and applications in chronological order, performing continuous detection of abnormal user and entity behavior;

Fourth, it builds a comprehensive set of rules for high-frequency lateral movement that link all of a user's risk behaviors from login to logout, so it can accurately describe the lateral movement scenarios of malicious threats;

Fifth, through the rule analysis engine, portrait detection engine and machine learning detection engine, it supports multiple types of detection problems;

Sixth, it builds a user and entity portrait system that stores rich data indicators, helping security operations staff quickly investigate and assess risks.

In the foreseeable future, UEBA will become a core technology of enterprise network security protection and will play an important role in reducing the risk of internal security threats. As the leading brand of industrial Internet security, Tencent Security will continue to give full play to its technical strength and practical experience, continue to explore more robust network security solutions, help enterprises cope with internal and external network security threats, and protect the security and high-quality development of the digital economy.

Copyright notice
This article was created by [Tencent security]. Please include the original link when reposting. Thank you.
https://yzsam.com/2021/08/20210817183810551C.html