
ZTE SOC solutions follow usability and scalability guidelines. They free design, operation and maintenance personnel from the complex mass of equipment configuration and log information, so that their energy can be focused on discovering and handling the important security events. At the same time, the solution integrates separate security devices into an organic whole: event-based asset monitoring and correlation analysis detect security risks, security incidents and business security risks, and, combined with security policy knowledge and security monitoring, enable customers to control the network's security posture in real time.

System Functions

1. Asset Management (P/N: ZX-SC-ASM)

Terminals can be registered, confirmed, requested for change, and inquired. Hosts and networks can be maintained to cover the critical hosts and networks, and a group of hosts or networks can be maintained as a risk management unit.

2. Security Event Management (P/N: ZX-SC-EM)

Event Management (P/N: ZX-SC-EM-EVM)

Security events can be searched by date, agent, source IP, destination IP and event type, and they can also be monitored in real time.

Log Collection (P/N: ZX-SC-EM-LGC-QN)

The log collector module collects event logs from a variety of log sources. Seven collection methods are supported for the different device types: SNMP, SYSLOG, FILE (TEXT/CSV/XML), OPSEC, FTP, WMI and ODBC. For each device type a different plug-in is configured to collect the event logs. Each plug-in can collect a predefined set of events from different devices of the same device type, and each predefined event has a default Possibility and Severity. These defaults are used as the initial Possibility and Severity when the filtered, generalized and merged events are queued for correlation analysis. Collection can be configured on the agent end, on the device or system end, or on both ends. The acquired logs are then fed to the log filter module.

Correlation Analyzer (P/N: ZX-SC-EM-CRA)

The correlation analyzer module performs cross correlation, characteristic correlation and logical correlation against the merged event logs. Correlation rules are used during analysis to adjust the Possibility and Severity of specific events; there are three types of correlation rule (cross correlation rule, characteristic correlation rule and logical correlation rule). The correlation analysis engine can also be configured to detect events that an IDS would miss. For example, the time window can be set long enough that more event logs are correlated and analyzed together, so that specific event patterns are discovered which an IDS with a short time window would otherwise miss.
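As an added illustration (not ZTE's code or data) of the two points above, the following Python sketch has a collector assign each parsed event a constructed default Possibility/Severity, then applies one hypothetical logical correlation rule over a sliding time window; the same constructed events are re-scored with a 60 s window and missed with a 10 s one.

```python
from collections import deque

# Constructed plug-in table (not ZTE's data): the default Possibility and
# Severity a collector plug-in attaches to each predefined event type.
DEFAULTS = {"auth_failure": (0.2, 2), "auth_success": (0.1, 1)}

def collect(raw_lines):
    """Collector stage: parse constructed 'ts src dst type' lines and use the
    plug-in defaults as the initial Possibility/Severity of each event."""
    events = []
    for line in raw_lines:
        ts, src, dst, etype = line.split()
        possibility, severity = DEFAULTS.get(etype, (0.1, 1))
        events.append({"ts": int(ts), "src": src, "dst": dst, "type": etype,
                       "possibility": possibility, "severity": severity})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window, threshold=3):
    """Logical correlation rule (hypothetical): when at least `threshold`
    auth_failure events from one src to one dst fall inside `window` seconds
    before an auth_success on the same pair, the success event is re-scored.
    Failures older than the window are discarded, so a short window never
    accumulates enough of them and the pattern goes unnoticed."""
    recent = {}  # (src, dst) -> deque of failure timestamps still in the window
    for e in events:
        q = recent.setdefault((e["src"], e["dst"]), deque())
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if e["type"] == "auth_failure":
            q.append(e["ts"])
        elif e["type"] == "auth_success" and len(q) >= threshold:
            e["possibility"], e["severity"] = 0.9, 5  # adjusted by the rule
            e["rule"] = "repeated_failures_then_success"
    return [e for e in events if "rule" in e]

# Constructed sample: three failures 20 s apart, then a success from the same
# source, then an unrelated success from another host.
SAMPLE = [
    "1000 10.0.0.5 10.0.0.20 auth_failure",
    "1020 10.0.0.5 10.0.0.20 auth_failure",
    "1040 10.0.0.5 10.0.0.20 auth_failure",
    "1050 10.0.0.5 10.0.0.20 auth_success",
    "1055 10.0.0.9 10.0.0.20 auth_success",
]

if __name__ == "__main__":
    print(len(correlate(collect(SAMPLE), window=60)))  # 1: 60 s window catches it
    print(len(correlate(collect(SAMPLE), window=10)))  # 0: 10 s window misses it
```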

Accident Respond Policy (P/N: ZX-SC-EM-ARP)

This module is policy management: it defines the response policies and provides an interface for third parties.

3. Risk Management (P/N: ZX-SC-RM)

This module monitors the vulnerabilities and threats of hosts and network equipment.

Risk Assessment (P/N: ZX-SC-RM-RAM)

Host risk can be monitored by host name, host IP, host value, attacker IP and attacked IP. Network risk can be monitored by network name, network IP, network value, attacker IP and attacked IP. Vulnerabilities can be monitored by host name, host IP, start time, end time, vulnerability name and vulnerability level. The vulnerability details can also be viewed, and the event knowledge about the vulnerability can be maintained in the SOC event libraries.


Risk Statistic (P/N: ZX-SC-RM-RSAT)

Risk statistics can be reported by physical area, host risk and network risk.

Risk Control (P/N: ZX-SC-RM-RCT)

Risk groups can be configured to group users by their business risks. The risk associated with the risk group a user belongs to is used as a risk adjustment factor in the correlation analysis process.


Risk Inquiry (P/N: ZX-SC-RM-RIY)

This module reports risk by physical area, host risk and network risk.

Vulnerability Management (P/N: ZX-SC-RM-VMT)

Thousands of network security vulnerabilities are discovered and exploited every year. The network security situation has become increasingly severe as the number of vulnerabilities grows together with the variety of attack methods. It has been shown that 99% of attack events exploit un-patched vulnerabilities. Only if users can discover the vulnerabilities of their network and take precautions before attackers act can the losses from attacks be effectively avoided.

4. Policy Management (P/N: ZX-SC-PM)

This module is system policy management, including collection policy and correlation policy. The correlation analysis servers can be configured into different functional groups: cross correlation, characteristic & logic correlation, event storage, event qualification and event distribution. The log collection agents can be configured to cover the deployed log collection servers. The correlation policy defines correlation analysis rules, event storage and distribution rules, and the event response plan.

5. Compliance Management (P/N: ZX-SC-CM)

The SOC Compliance Insight (SCI) collects relevant enterprise events across all locations and sources, and then correlates this data in real time to detect compliance violations, data breaches or other fraudulent activity. All audit-relevant information is stored in accordance with mandated retention policies, and visualized through dashboards and reports.

ISO27001 Rule Group (P/N: ZX-SC-CM-ISO)

ISO27001 checklist group. With SCI solutions in place, organizations can not only achieve ongoing compliance but also safeguard their assets and enforce corporate policies and processes. As a security compliance automation, auditing and reporting tool, SCI can:
- Collect logs from numerous applications, operating systems and platforms.
- Archive logs in a secure database while enabling you to search and retrieve logs for forensic analysis.
- Normalize logs into the generalized W7 language, which puts cryptic log terms into everyday business terms such as who, when, what and where (from where, on what, where to).

Compliance Reporter (P/N: ZX-SC-CM-CRT)

The report shows the compliance situation and produces detailed reports on security compliance that can be easily understood by business managers and auditors. The compliance-specific events originating from switches, routers, firewalls and other applications can be extracted from the log depot, and then analyzed and audited against the pre-defined internal control and regulatory compliance policies. Events which violate the policy rules are reported as policy exceptions for extra scrutiny.

6. Security Report (P/N: ZX-SC-SR)

Security Report supports querying online reports, setting periodical reports, and adding report query tasks on the server.

Risk Report (P/N: ZX-SC-SR-RRT) Real-time report: It provides the statistics reports of the last 60 minutes and the last 24 hours. History report: It provides the statistics reports of the last 24 hours, last one day, last seven days, last week, last 30 days, last month, last 12 months and last year.

Accident Report (P/N: ZX-SC-SR-ART) You can set a report task to customize the report to be generated, statistical time, and generation period. The ZX-SC-SR can generate reports periodically. For the periodically generated reports, the ZX-SC-SR can send them to the Email addresses set by users and keep the latest 100 reports for each user to view online. The reports can be exported as the PDF, EXCEL and HTML files.

Asset Report (P/N: ZX-SC-SR-ATR) Real-time report: It provides the statistics reports of the last 60 minutes and the last 24 hours. History report: It provides the statistics reports of the last 24 hours, last one day, last seven days, last week, last 30 days, last month, last 12 months and last year.

Vulnerability Report (P/N: ZX-SC-SR-VRT)

This module shows the vulnerability report. Real-time report: It provides the statistics reports of the last 60 minutes and the last 24 hours. History report: It provides the statistics reports of the last 24 hours, last one day, last seven days, last week, last 30 days, last month, last 12 months and last year.

Report Distribution (P/N: ZX-SC-SR-RTD)

You can set a report task to customize the report to be generated, the statistical time, and the generation period. The ZX-SC-SR can generate reports periodically. For the periodically generated reports, the ZX-SC-SR can send them to the Email addresses set by users and keep the latest 100 reports for each user to view online. The reports can be exported as PDF, EXCEL and HTML files.

7. Security Knowledge (P/N: ZX-SC-SK)

Alert Announce (P/N: ZX-SC-SK-AlA) The alert announce supports generating alarm analysis reports for various types of alarm events to facilitate online viewing. The supported alarm reports include: Alarm trend analysis report: It monitors the alarm quantity trend of all devices. This helps analyze the period when exceptions occur frequently.

Security Knowledge (P/N: ZX-SC-SK-SKN)

Libraries are provided that detail attack information to help the security staff handle security-related events. The organization's security policies, procedures, guidelines, templates and example cases can be distributed, so that employees understand the latest information security technologies and policies.

8. System Management (P/N: ZX-SC-SM)

Terminals can be maintained to include unregistered terminals. Physical areas can be configured to organize terminals, hosts and networks by their physical location. User roles can be configured to grant users specific access to system functions. The system runtime parameters can be configured to set the environment variables of the correlation analysis server runtime, the framework service runtime, event storage runtime, vulnerability runtime, risk metric, user action logging, real-time event viewer runtime and the database backup plan.

9. Dashboard Reporting (P/N: ZX-SC-DR)

Specific security view items can be configured to be placed in the Dashboard. Each user has one Dashboard view, and he or she can configure the Dashboard views to include the security view items specific to the user role.

Highlight Features

ZTE SOC solutions have the following features:


- Standards compliance: the products follow the ISO27001 risk assessment model, with a base risk configuration database and an assessment criteria library. They are compatible with OSVDB, CVE, Microsoft Bulletin and other vulnerability standards, and with vulnerability scanning tools, firewalls, IDS/IPS, routers/switches and other security equipment from different manufacturers.
- Business nature: follows the "analysis and control before, audit after" business design principle, providing closed-loop business process support covering the "Risk Assessment - Security Control - Security Audit" process.
- System architecture advantages: follows the "modular design, component deployment" development principle, providing a "technology platform - business products - comprehensive solution" evolution path and robust, rapid customization capability together with customers.

- Intelligent security analysis: through the integration of IT assets, vulnerability scanning, security log collection and log correlation analysis (vulnerability/threat correlation, security event correlation and asset correlation features), it provides automated support for the risk assessment process.

- Security information presentation and management: provides a unified risk view and a management "cockpit" feature. Global security analysis and dynamic control reduce management complexity and management costs.

Successful Cases

ZTE SOC has been successfully implemented at many domestic and foreign operators, and has gained many successful implementation cases and experience:


- China Mobile (Tianjin) Network Management Project
- China Mobile (Inner Mongolia) SOX OA System Repair Project
- China Telecom (Sichuan) SOC Project
- Ethiopia Telecom Network Project
- Ethiopia E-government Network Project
