The Hillstone Server Breach Detection System (sBDS) combines multiple threat detection technologies: traditional signature-based detection, large-scale threat intelligence data modeling, and user behavior analytics modeling. Together these provide a solution for detecting unknown or 0-day attacks and for protecting high-value, critical servers and their sensitive data from leakage or theft. Combined with deep threat hunting analysis capabilities and visibility, Hillstone sBDS gives security admins effective means to detect IOC (Indicator of Compromise) events, reconstruct the attack kill chain and provide extensive visibility into threat intelligence analysis and mitigation.
Comprehensive threat correlation analytics for advanced threat detection
Hillstone’s threat correlation platform analyzes the details of the relationships of each individual suspicious threat event as well as other contextual information within the network, to connect the dots and provide accurate and effective malware and attack detection with high confidence levels.
Real-time threat monitoring for critical servers and hosts
The Hillstone sBDS platform focuses on protecting critical servers within the intranet, detecting unknown and near 0-day threat attacks and finding abnormal network and application level activities of server and host machines.
Complete Indicators of Compromise and Cyber Kill Chain
Hillstone sBDS drills down and surfaces more threat analysis and intelligence on these IOC events, reconstructing the attack chain based on these IOCs and correlating other threat events associated with these IOCs within time and space spectrums.
Rich Forensic Information and Preemptive Mitigation
The Hillstone sBDS platform conducts threat mitigation in conjunction with Hillstone E-Series NGFW and T-Series iNGFW devices, which are positioned at the network perimeter.
- Correlation among unknown threats, abnormal behavior and application behavior to discover potential threats or attacks
- Multi-dimension correlation rules, automatic daily update from the cloud
- Behavior-based advanced malware detection
- Detection of more than 2000 known and unknown malware families, including viruses, worms, Trojans, overflows, etc.
- Real-time, online, malware behavior model database update
- Behavior modeling based on L3-L7 baseline traffic to reveal anomalous network behavior, such as HTTP scanning, spiders, SPAM and weak SSH/FTP passwords
- Detection of DDoS attacks, including flood, Sockstress, zip of death, reflection, DNS query, SSL DDoS and application-layer DDoS
- Supports inspection of encrypted tunneling traffic for unknown applications
- Real-time, online, abnormal behavior model database update
- Local deception engine with regular deception models update
- Simulates web, document or database servers; supported protocols include FTP, HTTP, MySQL, SSH and TELNET
- 8,000+ signatures, protocol anomaly detection and rate-based detection
- Custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
- Over 20 types of protocol anomaly detection, including HTTP, SMTP, IMAP, POP3, VOIP, NETBIOS, etc.
- Support for buffer overflow, SQL injection and cross-site scripting attack detection
- 4 million virus signature database
- Online real-time updates
- Compressed file scans
- Abnormal protocol attack detection
- DoS/DDoS detection, including SYN Flood, DNS Query Flood etc.
- ARP attack detection
- Over 3000 applications, including IM, P2P, email, file transfer, online games, media streaming, etc.
- Multi-dimensional application statistics based on zone, interface, location, user and IP address
- Support for Android and iOS mobile applications
- Admin actions to change threat event status: open, false positive, fixed, ignored, confirmed
- Threat events whitelist, including threat name, source/destination IP, hit count etc.
- Works in conjunction with Hillstone firewall platforms to block threats
- Dynamic, real-time dashboard status and drill-in monitoring widgets
- Overview of internal network risk status, including critical assets risk status, host risk status, threat severity and type, external attack geo-locations, etc.
- Visual details of threat status for critical assets and other risky hosts, including risk level, risk certainty, attack geo-location, kill chain mapping and other statistical information
- Visual details of network threat events, including name, type, threat severity and certainty, threat analysis, knowledge base and history
- Three predefined reports: Security, Flow and System reports
- Support for user-defined reports
- Reports can be exported as PDF via email and FTP
- Logs, including events, networks, threats, and configuration logs
- Logs can be exported via Syslog or email
- Monitoring of internal network hosts and servers, identifying name, operating system, browser, type, and network threat statistics records
- Management access: HTTP/HTTPS, SSH, telnet, console
- Device condition alerts, including CPU usage, memory usage, disk usage, new sessions and concurrent sessions, interface bandwidth, chassis temperature and CPU temperature
- Alerts based on application bandwidth and new connections
- Support for three types of alerts: email, text message, SNMP trap
- Language support: English
- Cloud-based security management
- 24/7 access from web or mobile application
- Device, traffic and threat monitoring