5. Check Point SandBlast Agent Management Platform. Logs, Reports & Forensics. Threat Hunting

Welcome to the fifth article in the series about the Check Point SandBlast Agent Management Platform solution. The previous articles can be found by following the corresponding links: first, second, third, fourth. Today we will look at the monitoring capabilities of the Management Platform, namely working with logs, dashboards (Views) and reports. We will also touch on Threat Hunting for identifying current threats and anomalous events on user machines.

Logs

The main source of information for monitoring security events is the Logs section, which displays detailed information about every event and lets you use convenient filters to refine your search. For example, right-clicking on a parameter (Blade, Action, Severity, etc.) of a log of interest lets you filter on that parameter as Filter: "Parameter" or Filter: NOT "Parameter". Also, for the Source parameter, the IP Tools option can be selected, from which you can run ping to the IP address/name or run nslookup to resolve the source IP by name.

The Logs section also has a Statistics panel for filtering events, which shows statistics on all parameters: a timeline chart with the number of logs, and the percentage share of each parameter value. From this panel you can filter the logs without using the search bar and typing filters: just select the parameters of interest and the new list of logs is displayed immediately.

Detailed information on each log is available in the corresponding panel of the Logs section, but it is more convenient to open the log with a double-click to examine its contents. Below is an example of a log (the screenshot is truncated) showing detailed information about the Prevent action of the Threat Emulation blade triggered on a ".docx" file containing malware. The log has several sub-sections describing the security event: the triggered policy and protection, forensics details, client information and traffic statistics. The reports available from the log deserve special attention: the Threat Emulation Report and the Forensics Report. These reports can also be opened from the SandBlast Agent client.

Threat Emulation Report

When the Threat Emulation blade is used, after emulation in the Check Point cloud a link to a detailed report on the emulation results, the Threat Emulation Report, appears in the corresponding log. The contents of such a report are described in detail in our article on malware analysis using Check Point SandBlast Network forensics. It is worth noting that the report is interactive and lets you "drill down" into each section. It is also possible to view a recording of the emulation process in the sandbox, download the original malicious file or obtain its hash, and contact the Check Point Incident Response Team.

Forensics Report

For almost every security event a Forensics Report is generated, which contains detailed information about the malicious file: its characteristics, its actions, its entry point into the system and its impact on important company assets. We discussed the structure of the report in detail in the article on malware analysis using Check Point SandBlast Agent forensics. Such a report is very useful when investigating security events, and if necessary its contents can be sent immediately to the Check Point Incident Response Team.

SmartView

Check Point SmartView is a convenient tool for creating and viewing dashboards (Views) and reports in PDF format. From SmartView you can also view user logs and administrator audit events. The figure below shows the most useful reports and dashboards for working with SandBlast Agent.

Reports in SmartView are documents with statistics on events over a given period of time. It supports downloading reports in PDF format to the machine on which SmartView is open, as well as scheduled delivery in PDF/Excel to the administrator's email. In addition, it supports import/export of report templates, creating your own reports, and hiding user names in reports. The figure below shows an example of the built-in Threat Prevention report.

Dashboards (Views) in SmartView let the administrator get to the logs of an event: just double-click the object of interest, whether it is a chart or the name of a malicious file. As with reports, you can create your own dashboards and hide user data. Dashboards also support import/export of templates, scheduled delivery in PDF/Excel to the administrator's email, and automatic refresh for monitoring security events in real time.

Additional monitoring sections

The description of the monitoring tools in the Management Platform would not be complete without mentioning the Overview, Computer Management, Endpoint Settings and Push Operations sections. These sections were described in detail in the second article; nevertheless, it is useful to consider what they offer for monitoring tasks. Let's start with Overview, which consists of two sub-sections, Operational Overview and Security Overview. These are dashboards with information about the status of protected user machines and about security events. As with any other dashboard, double-clicking a section of interest in Operational Overview or Security Overview takes you to the Computer Management section with the corresponding filter applied (for example, "Desktops" or "Pre-Boot Status: Enabled"), or to the Logs section for a specific event. The Security Overview section is the "Cyber Attack View - Endpoint" dashboard, which can be customized and configured to refresh automatically.

From the Computer Management section you can monitor the status of the agent on user machines, the status of the Anti-Malware database update, the disk encryption stages, and much more. All data is refreshed automatically, and for each filter the number of matching user machines is shown. Exporting computer data in CSV format is also supported.

An important aspect of monitoring workstation security is configuring notifications for critical events (Alerts) and exporting logs (Export Events) for storage on a corporate server. Both settings are configured in the Endpoint Settings section. Alerts makes it possible to connect a mail server for sending event notifications to the administrator and to configure thresholds for enabling/disabling notifications based on the percentage/number of devices that match the event criteria. Export Events lets you configure the transfer of logs from the Management Platform to the corporate log server for further processing. It supports the SYSLOG, CEF, LEEF and SPLUNK formats, the TCP/UDP protocols, any SIEM system with a running syslog agent, TLS/SSL encryption and syslog client authentication.
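The CEF format is one of the Export Events options above; the SIEM receiving the feed has to split the pipe-separated header and the key=value extension correctly, including the escaped characters. The parser below is an added example written for this article, not Check Point's or any SIEM's code; the vendor, product and extension keys in the sample line are constructed placeholders, not the product's real field schema.

```python
import re

# Constructed sample line in the general CEF shape that an Export Events feed
# delivers over syslog; vendor, product and extension keys are illustrative
# placeholders, not Check Point's actual field schema.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|Endpoint Agent|1.0|TE_PREVENT|Threat Emulation \\| Prevent|8|"
    "src=10.0.0.5 suser=jdoe fname=invoice.docx act=Prevent "
    "msg=Malicious document blocked\\=quarantined cs1Label=Blade cs1=Threat Emulation"
)

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity"]


def split_header(body):
    """Split the seven header fields on unescaped '|'; '\\|' and '\\\\' are escapes."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":                          # field separator
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, body[i:]                      # remainder is the extension


def parse_extension(ext):
    """Extension is key=value pairs; values may contain spaces, '=' is escaped as '\\='."""
    pairs = re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", ext)
    return {m.group(1): m.group(2).replace("\\=", "=").strip() for m in pairs}


def parse_cef(line):
    """Return a dict for one CEF record, or raise ValueError for a malformed one."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, ext = split_header(line[len("CEF:"):])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, header))
    record["severity"] = int(record["severity"])      # CEF severity is 0-10
    record["extension"] = parse_extension(ext)
    return record
```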

To investigate events on the agent in depth, or when working with technical support, you can quickly collect logs from the SandBlast Agent client using a forced operation in the Push Operations section. You can configure the transfer of the generated log archive to Check Point servers or corporate servers; the archive with the logs is saved on the user's machine in the C:\Users\username\CPInfo directory. It supports starting the log collection at a specified time and lets the user postpone the operation.

Threat Hunting

Threat Hunting is used to proactively search for malicious activity and anomalous behaviour in the system in order to investigate a possible security incident further. The Threat Hunting section of the Management Platform lets you search for events with specified parameters on user machines.

The Threat Hunting tool comes with several predefined queries, for example: classification of domains or malicious files, and tracking of unusually frequent requests to certain IP addresses (relative to the overall statistics). A query consists of three parts: an indicator (network protocol, process identifier, file type, etc.), an operator ("is", "is not", "includes", "one of", etc.) and the query body. Regular expressions can be used in queries, and several filters can be applied at once in a single search.
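To make the indicator/operator/body structure concrete, here is an added example (written for this article, not the product's own query engine) that evaluates such filters, including a regular-expression body and several filters combined, over a constructed set of endpoint events, and adds a "frequent destinations" query in the spirit of the predefined ones. The event fields and the hosts, processes and addresses are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of endpoint events with the kinds of indicators the
# article lists (process, network protocol, file type) plus a remote address.
EVENTS = [
    {"host": "ws-01", "process": "winword.exe",    "file_type": "docx", "protocol": "https", "remote_ip": "203.0.113.10"},
    {"host": "ws-02", "process": "powershell.exe", "file_type": "ps1",  "protocol": "http",  "remote_ip": "203.0.113.10"},
    {"host": "ws-03", "process": "chrome.exe",     "file_type": "exe",  "protocol": "https", "remote_ip": "198.51.100.7"},
    {"host": "ws-04", "process": "mshta.exe",      "file_type": "hta",  "protocol": "http",  "remote_ip": "203.0.113.10"},
]


@dataclass
class Filter:
    """One query part: indicator (event field), operator, and query body."""
    indicator: str
    operator: str          # "is", "is not", "includes", "one of", "matches"
    value: object          # str, list of str, or a regular-expression string

    def test(self, event):
        actual = str(event.get(self.indicator, ""))
        if self.operator == "is":
            return actual == self.value
        if self.operator == "is not":
            return actual != self.value
        if self.operator == "includes":
            return self.value in actual
        if self.operator == "one of":
            return actual in self.value
        if self.operator == "matches":            # regular-expression body
            return re.search(self.value, actual) is not None
        raise ValueError(f"unknown operator {self.operator!r}")


def hunt(events, filters):
    """Apply several filters at once: an event must satisfy every filter."""
    return [e for e in events if all(f.test(e) for f in filters)]


def frequent_destinations(events, min_share=0.5):
    """Predefined-style query: remote IPs contacted in at least min_share of all events."""
    counts = {}
    for e in events:
        counts[e["remote_ip"]] = counts.get(e["remote_ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n / len(events) >= min_share)


if __name__ == "__main__":
    suspicious = hunt(EVENTS, [Filter("process", "matches", r"^(powershell|mshta)\.exe$"),
                               Filter("protocol", "is", "http")])
    print([e["host"] for e in suspicious])       # ['ws-02', 'ws-04']
    print(frequent_destinations(EVENTS))         # ['203.0.113.10']
```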

After selecting the filters and completing the query, you can see all matching events, view detailed information about an event, quarantine the object returned by the query, or generate a detailed Forensics Report with a description of the event. At the moment the tool is in beta, and in the future it is planned to extend its capabilities, for example by adding information about the event in the form of a MITRE ATT&CK matrix.

Conclusion

To summarize: in this article we looked at the capabilities for monitoring security events in the SandBlast Agent Management Platform and studied a new tool for proactively searching for malicious actions and anomalies on user machines, Threat Hunting. The next article will be the last in the series; in it we will look at the most frequently asked questions about the Management Platform solution and talk about the opportunity to test the product.

A large selection of materials on Check Point from TS Solution. To avoid missing the following publications on the SandBlast Agent Management Platform, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com