The Hillstone sBDS solution is a key component of Hillstone’s Intranet security portfolio, protecting critical assets such as servers, and leveraging Hillstone’s unique behavior-based threat detection technology to detect compromised hosts and threats within the intranet. Deployed in front of critical servers, Hillstone sBDS monitors server behavior and establishes a behavioral baseline. When the pattern changes, the advanced behavior detection engine alerts the other parallel engines of the event, where it is quickly pinpointed, characterized, and the IT security team is notified of the action with all of the pertinent information. The Hillstone sBDS solution is often tapped into an enterprise internal network traffic, and complement existing perimeter protection, such as Next-Generation Firewall (NGFW) and Network Intrusion Prevention System (NIPS).
Comprehensive threat correlation analytics for advanced threat detection
Hillstone’s threat correlation engine analyzes the details of the relationships of each individual suspicious threat event as well as other contextual information within the network, in order to connect the dots and provide accurate and effective malware and attack detection with high confidence levels.
Real-time risk monitoring for internal networks and critical assets
HIllstone sBDS allows admins to define critical assets based on their business operation priority, inspect all traffic that pass through the assets with advanced threat detection functions, and show risk and threat details for each critical asset.
Full life cycle threat visibility and insight through the cyber kill chain
Hillstone sBDS – beyond just detecting the threat – maps the threat events to the cyber kill chain (CKC) model and provides deep insights into the post-breach threat attack path inside the compromised network. Security administrators can understand more about each stage of the attack and take proper action to stop exfiltration of sensitive data from the internal network.
- Correlation among unknown threats, abnormal behavior and application behavior to discover potential threat or attacks
- Multi-dimension correlation rules, automatic daily update from the cloud
- Behavior-based advanced malware detection
- Detection of more than 2000 known and unknown malware families including Virus, Worm, Trojan, Overflow etc.
- Real-time, online, malware behavior model database update
- Behavior modeling based on L3-L7 baseline traffic to reveal anomalous network behavior, such as HTTP scanning, Spider, SPAM, SSH/FTP weak password
- Detection of DDoS including Flood, Sockstress, zip of death, reflect, DNS query, SSL DDos and application DDoS
- Supports inspection of encrypted tunneling traffic for unknown applications
- Real-time, online, abnormal behavior model database update
- 8,000+ signatures, protocol anomaly detection and rate-based detection
- Custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
- Over 20 types of protocols anomaly detection, including HTTP, SMTP, IMAP, POP3, VOIP, NETBIOS, etc.
- Support for buffer overflow, SQL injection and cross-site scripting attack detection
- 4 million virus signature database
- Online real-time updates
- Compressed file scans
- Over 3000 applications, including IM, p2p, email, file transfer, email, online games, media streaming, etc.
- Multi-dimension application statistic based on zones, interface, location, user, and IP address
- Support for Android, IOS mobile applications
- Dynamic, real-time dashboard status and drill-in monitoring widgets
- Overview of internal network risk status, including critical assets risk status, host risk status, threat severity and type, external attack geo-locations, etc.
- Visual details of threat status for critical assets and other risky host, including risk level, risk certainty, attack geo-location, kill chain mapping and other statistical information
- Visual details of network threat events, including name, type, threat severity and certainty, threat analysis, knowledge base and history
- Three predefined reports: Security, Flow and System reports
- Support user defined reporting
- Reports can be exported in PDF via Email and FTP
- Logs, including events, networks, threats, and configuration logs
- Logs can be exported via Syslog or Email
- Management access: HTTP/HTTPS, SSH, telnet, console
- Device condition alerts, including CPU usage, memory usage, disc usage, new session and concurrent sessions, interface bandwidth, chassis temperature and CPU temperature
- Alerts based on application bandwidth and new connection
- Support for three types of alerts: email, text message, trap
- Language support: English