Advanced security construction in enterprises

2025-04-11 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--

Security is a "bottomless pit". No enterprise security lead will claim that their systems are 100% secure, and security is hard to measure and quantify, especially when it comes to judging who is doing better than whom, and by how much. Sometimes people reflect, or simply get confused: "With so many protective measures in place, can we actually withstand a real adversary?" "We built an in-house security product, used it for half a year, and then one day it was abandoned." "We have been shouting about SDL for years; why can't it be kept running?" "The business came to us asking for support, but we had no 'nuclear weapon' to offer."

This article introduces the ideas and results of each stage of security construction at Yixin (CreditEase), the challenges met in each stage, the pitfalls stepped on and the lessons learned; shares the development of Yixin's in-house security products; and explores a path for enterprise security construction.

I. Background

In 2013 the company formally began its security construction, investing resources to set up a dedicated security team and build basic security facilities. Since then, Yixin's security construction can be divided into three stages:

2013-2016 was the V1 stage. V1 mainly delivered a basic security environment (firewalls, zone isolation, host IDS, network IDS, network access control, anti-virus, etc.); an information security management system, gradually established and improved through the compliance inspections before and after the company's listing, passing MLPS Level 3 (等保三级) and ISO 27001 certification; and the company's own security emergency response center (SRC), set up in 2016.

2016-2018 was the V2 stage. Its main achievements were improving security technology and widening the coverage of security work; taking part in business-security work (account security, anti-crawler, SMS interface abuse, human/bot identification, etc.); defining the SDL processes (not fully implemented, only one or two of the practices were actually used); and developing security tools such as vulnerability scanning and GitHub monitoring.

We are currently in the V3 stage, which should last about one to two years. At this stage we are starting to build security capabilities that fit the long-term development of the enterprise and go deeper at specific points, such as security operations capability and data security capability.

II. The state a few years ago

The figure referenced here (not reproduced) showed the state and development of information security in the industry, together with the security projects we had completed by 2016. At that stage the work on the network boundary and on IT had laid a fairly solid foundation, including network access control, endpoint DLP, anti-virus and so on. The effect was most visible in basic security, especially endpoint security, which kept the intranet and office network in a relatively secure state: you no longer had to handle incidents such as compromises, ransomware or even APT every day, and could free up energy for more meaningful work.

III. SDL practice

3.1 SDL process

At this stage we mainly referred to and borrowed from the SDL process shared by the VIPSHOP security team, selected the key links suited to our situation (training, secure coding standards, and so on) and promoted them in the company. For important projects, security also takes part in the security requirements review, and we build good working relationships with the business, product and technical teams.

It is worth mentioning that, in enterprises, cooperation with security comes in two types: "shifting responsibility" and "win-win cooperation". Both ostensibly come to security when something security-related comes up, but the underlying motives are quite different. The first type is mainly about avoiding blame: I have informed you, I have handed the problem over to you, I may not even know or care why I am coming to security or what need I am solving; the rest has nothing to do with me, and if something goes wrong, security takes the blame. The second type seeks cooperation: I know what the security risks may be, I have business security requirements that I care about, and I need to work with security to solve the product's security issues and make sure the system and the business are secure after launch; the two teams push and improve each other.

The two types differ greatly in how they cooperate, in day-to-day interaction, and in the final security result. There may be many reasons for this, including the overall ability and quality of non-security personnel, the effectiveness of security training, and the professionalism and influence of the security team (whether security really helps others solve their pain points, whether the two sides have fought battles together).

3.2 SDL case

The two figures referenced here (not reproduced) showed the part we did well: either SDL or DevSecOps can be embedded automatically into the release process, focused on the security problems of third-party components. We can quickly look up which third-party components a released software product contains, and we can define rules that directly block components with serious vulnerabilities during the build. This part can be fully automated, supports Maven, Gradle, Docker, etc., and does not hurt continuous-delivery capability. With unified asset management, code repositories, artifact repositories and a CI/CD platform it is easier to implement and cheapest to maintain; of course, this depends on the support of the DevOps team.
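As an added example (not code from the article or from Yixin's pipeline), here is the shape of such a build-time gate in Python: it parses `mvn dependency:list` style output, matches each artifact against an advisory table, and fails the build when any component sits in a vulnerable version range at a blocking severity. The advisory entries, artifact names, versions and the `BLOCK_SEVERITIES` policy are all constructed for illustration; a real gate would be fed from an SCA tool's vulnerability database, and a Maven-aware version comparator should replace the simple one here.

```python
"""Build-time gate: fail the build when a third-party component is in a known-vulnerable
version range at a blocking severity. Added example; advisory data is constructed."""
import re

# Constructed advisory table (illustrative, not a real vulnerability feed).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "group": "com.example", "artifact": "json-tools",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "CRITICAL"},
    {"id": "ADV-0002", "group": "com.example", "artifact": "http-client",
     "introduced": "2.0.0", "fixed": "2.3.0", "severity": "HIGH"},
    {"id": "ADV-0003", "group": "org.example", "artifact": "logging",
     "introduced": "0.9.0", "fixed": "1.1.0", "severity": "LOW"},
]

# Policy: these severities block the build; lower ones are only reported.
BLOCK_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed `mvn dependency:list` style output: group:artifact:type:version:scope
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.example:json-tools:jar:1.3.0:compile
[INFO]    com.example:http-client:jar:2.3.0:compile
[INFO]    org.example:logging:jar:1.0.0:runtime
[INFO]    org.example:metrics:jar:3.2.1:compile
"""

DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)$")


def parse_version(v):
    """Split a dotted version into comparable parts; numeric parts compare numerically.
    Good enough for plain numeric versions; production code needs a Maven-aware comparator."""
    parts = []
    for p in re.split(r"[.\-]", v):
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(parts)


def parse_dependency_list(text):
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line.strip())
        if m:
            group, artifact, version, scope = m.groups()
            deps.append({"group": group, "artifact": artifact,
                         "version": version, "scope": scope})
    return deps


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def evaluate(deps, advisories=ADVISORIES, block=BLOCK_SEVERITIES):
    """Return (blocked, findings); blocked is True if any finding is at a blocking severity."""
    findings = []
    for d in deps:
        for adv in advisories:
            if (adv["group"], adv["artifact"]) == (d["group"], d["artifact"]) \
                    and is_affected(d["version"], adv):
                findings.append({**d, "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"]})
    blocked = any(f["severity"] in block for f in findings)
    return blocked, findings


if __name__ == "__main__":
    blocked, findings = evaluate(parse_dependency_list(SAMPLE_DEPENDENCY_LIST))
    for f in findings:
        print(f"{f['severity']:8} {f['group']}:{f['artifact']}:{f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    raise SystemExit(1 if blocked else 0)   # non-zero exit fails the CI stage
```

Run it as a step after dependency resolution; the non-zero exit is what makes the pipeline stop, and the LOW finding is still printed so it lands in the report without blocking delivery.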

3.3 SDL threat Modeling

This year we also tried SDL threat modeling and designed modeling rules that suit us, including focused data security requirements, audit requirements, and so on. This work is still in small-scale pilot and exploration, and there is a lot to solve and optimize from process to tooling. When it matures we will consider putting in more security testing and security service staff to promote it across the company.

3.4 SDL white-box scan

For white-box code audit we also invested a small amount of resources: we wrapped a code audit platform around SonarQube and Find Security Bugs (the FindBugs security plugin), which also supports writing our own rules, and implemented triggered scans, source-upload scans and other modes that submit vulnerabilities automatically. The biggest cost in this area, however, is operating the rules and eliminating false positives. We have not found a better solution; the most common advice we hear is to simplify the rules, and in the initial stage the principle was "better a missed finding than a false positive." Current usage: security staff upload source code for ad-hoc scans, and some onboarded projects are scanned weekly with detection reports sent out.

3.5 SDL passive scanning

Another SDL attempt is passive scanning and replay based on test-environment traffic collected by the Quicksand platform. The general idea has been shared by many people before: by swapping the cookie and request parameters, focus the testing on unauthorized access, vertical privilege escalation, horizontal privilege escalation and similar issues. The difficulty is again tuning the rules and collecting what the company's business has in common (error page prompts, etc.). Several high-risk issues have been found with this scan, so the return on investment is quite high. But reaching higher scanning accuracy, a higher degree of automation and sustainable operation takes a lot of manpower; that is a choice each team has to make. Recently we have seen projects at home and abroad that use AI to improve the efficiency of security testing, or even to replace manual security testing. We cannot judge whether they will land well in the short term, but we agree with the saying that "people get tired, machines do not."
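The replay check described above, as an added example that is not the article's or Quicksand's code: each captured request that originally succeeded is re-sent under every session of equal or lower privilege, and a 200 response whose body is identical to the original user's is reported as horizontal or vertical privilege escalation. The target service is an in-process stand-in with constructed sessions and orders; `vulnerable_app` is deliberately missing authorization checks, and `hardened_app` shows the same routes with object-level and role checks so the scan comes back empty.

```python
"""Replay captured test-environment requests with another user's session to find
horizontal and vertical privilege escalation. Added example; the service is an
in-process stand-in, not a real target."""

# Constructed sessions (cookie value -> identity) and data owned by users.
SESSIONS = {
    "sess-alice": {"uid": 1, "role": "user"},
    "sess-bob":   {"uid": 2, "role": "user"},
    "sess-root":  {"uid": 9, "role": "admin"},
}
ORDERS = {101: {"owner": 1, "amount": 500}, 102: {"owner": 2, "amount": 300}}
RANK = {"user": 0, "admin": 1}

# Constructed capture: (path, cookie) pairs as seen in test-environment traffic.
CAPTURED = [
    ("/api/orders/101", "sess-alice"),    # alice reads her own order
    ("/api/admin/users", "sess-root"),    # admin-only listing
    ("/api/me", "sess-alice"),            # per-user endpoint, legitimately differs per session
]


def vulnerable_app(path, cookie):
    """Stand-in service that is deliberately missing authorization checks."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, {"error": "login required"}
    if path.startswith("/api/orders/"):
        order = ORDERS.get(int(path.rsplit("/", 1)[1]))
        return (200, order) if order else (404, {"error": "no such order"})   # no owner check
    if path == "/api/admin/users":
        return 200, {"uids": sorted(u["uid"] for u in SESSIONS.values())}    # no role check
    if path == "/api/me":
        return 200, user
    return 404, {"error": "no route"}


def hardened_app(path, cookie):
    """Same routes with object-level and role checks added."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, {"error": "login required"}
    if path.startswith("/api/orders/"):
        order = ORDERS.get(int(path.rsplit("/", 1)[1]))
        if order is None or order["owner"] != user["uid"]:
            return 404, {"error": "no such order"}   # same reply for missing and foreign ids
        return 200, order
    if path == "/api/admin/users":
        if user["role"] != "admin":
            return 403, {"error": "forbidden"}
        return 200, {"uids": sorted(u["uid"] for u in SESSIONS.values())}
    if path == "/api/me":
        return 200, user
    return 404, {"error": "no route"}


def replay_check(app, captured, sessions=SESSIONS):
    """Replay each successful captured request under every equal- or lower-privileged
    session. A 200 with a body identical to the original user's is a finding."""
    findings = []
    for path, cookie in captured:
        base_status, base_body = app(path, cookie)
        if base_status != 200:
            continue
        orig_rank = RANK[sessions[cookie]["role"]]
        for other_cookie, other in sessions.items():
            other_rank = RANK[other["role"]]
            if other_cookie == cookie or other_rank > orig_rank:
                continue   # skip the original user and anyone with more privilege
            status, body = app(path, other_cookie)
            if status == 200 and body == base_body:
                kind = "vertical" if other_rank < orig_rank else "horizontal"
                findings.append((kind, path, cookie, other_cookie))
    return findings


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, replay_check(app, CAPTURED))
```

The identical-body rule is what keeps `/api/me` out of the findings: each session gets its own data back, so the replay differs from the baseline. It also shows where the article's "commonness" work comes in: endpoints that return the same public content to everyone, or a shared custom error page served with HTTP 200, will match too and need the per-business rules mentioned above. Replay only against the test environment, since re-sending state-changing requests under another session is itself an attack.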

3.6 SDL vulnerability management

Vulnerability management relies mainly on the Insight platform, which covers application asset management, vulnerability lifecycle management and security knowledge-base management. Insight was open-sourced last year and has more users than we expected: from the usual conversations and questions in the community WeChat groups, most users are security teams of one to five people, spread across industries such as Internet, manufacturing and logistics. Every time someone adds our WeChat to ask about deploying and configuring Insight or using its features, it takes some of our working time to answer or fix the issue (we also review software quality problems), but I am still glad to be able to really help our security peers.

This also made me think:

First, many enterprises have limited security investment and really do need good open source solutions.

Second, landing a product requires some vendor-side (Party B) thinking. A product sometimes needs subtraction: a large product is not what everyone needs, and the precondition for good use is easy deployment and configuration.

Insight open source address: https://github.com/creditease-sec/insight

IV. Insight 2.0

This year we will open-source Insight 2.0.

First, it optimizes the previous interactions, functions and business logic to improve ease of use.

Second, it improves vulnerability-operation data and strengthens reporting, so the overall security posture can be tracked.

Third, and the biggest update, it integrates the front end and back office of an SRC, so that enterprises can build their own customized security emergency response center and unify vulnerability management across all sources.

The figure referenced here (not reproduced) showed a prototype; development is under way, and security peers who need it can look forward to it.

V. Quicksand platform

Another thing end-user (Party A) security teams have heard a lot about in recent years is SOC and SIEM. There are commercial security big-data products, platforms like Splunk (Splunk Enterprise Security), and open-source solutions based on ELK. We chose the third; at the current stage it handles data collection, storage and some not very complex computation well.

The data comes from switch traffic mirroring, log files, syslog from each security device, and so on. The architect designed and implemented a set of preprocessing programs for data access configuration, filtering, formatting, assembly, marking, desensitization and so on; the core is written in Go for processing performance.
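As an added illustration of what that preprocessing stage does (example code, not Quicksand's own, which the article says is written in Go), the following Python takes syslog lines, drops the ones that do not parse (filtering), normalises the key=value message body (formatting), masks phone and resident ID numbers (desensitization) and tags each record with its source, severity and a flag saying personal data was present (marking). The line format, the sample lines and the field names are constructed; the masking patterns target mainland-China mobile numbers and 18-digit ID numbers, which is an assumption about the data, not something the article states.

```python
"""Preprocessing stage for a security data platform: parse syslog lines, filter what
does not parse, normalise key=value fields, mask personal data, and tag each record.
Added example; the line format and sample lines are constructed."""
import hashlib
import re

# Constructed input: RFC 3164 style syslog with key=value message bodies.
RAW_LINES = [
    "<14>Jun  1 12:00:01 app01 order-svc: user=zhang phone=13812345678 action=query path=/api/orders/101",
    "<11>Jun  1 12:00:02 app01 order-svc: user=li idcard=110101199001011234 action=export rows=5000",
    "not a syslog line at all",
]

SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[\w\-]+): (?P<msg>.*)$"
)
KV = re.compile(r"(\w+)=(\S+)")
# Assumed data shapes: mainland-China mobile number (11 digits starting 1[3-9])
# and 18-digit resident ID number (last character may be X).
PHONE = re.compile(r"(?<!\d)(1[3-9]\d)(\d{4})(\d{4})(?!\d)")
IDCARD = re.compile(r"(?<!\d)(\d{6})(\d{8})(\d{3}[0-9Xx])(?!\d)")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def desensitize(value):
    """Mask the middle of phone and ID numbers; keep enough to correlate records."""
    value = IDCARD.sub(lambda m: m.group(1) + "********" + m.group(3), value)
    value = PHONE.sub(lambda m: m.group(1) + "****" + m.group(3), value)
    return value


def preprocess(line, source_tag):
    """Return a normalised record, or None to drop (filter) an unparsable line."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)   # syslog PRI = facility*8 + severity
    raw_fields = dict(KV.findall(m.group("msg")))
    fields = {k: desensitize(v) for k, v in raw_fields.items()}
    return {
        "source": source_tag,
        "host": m.group("host"),
        "app": m.group("app"),
        "timestamp": m.group("ts"),
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "fields": fields,
        # marking: flag records that carried personal data, and keep a hash of the
        # original line so an authorised analyst can find it again in the raw store
        "has_pii": fields != raw_fields,
        "raw_sha256": hashlib.sha256(line.encode()).hexdigest(),
    }


def run(lines, source_tag="syslog:app01"):
    """Preprocess a batch; unparsable lines are filtered out."""
    records = [preprocess(line, source_tag) for line in lines]
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for record in run(RAW_LINES):
        print(record["severity"], record["app"], record["fields"], record["has_pii"])
```

Masking is done per field value after parsing rather than on the whole line, so a structured field such as `path` is never mangled by a number that happens to look like a phone, and the `has_pii` mark lets downstream analytics count how much personal data each source emits without ever storing it in clear.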

The figure referenced here (not reproduced) showed the architecture of the whole Quicksand platform, with its hardware resources, data volume, write speed and so on. With the data in place, the application scenarios implemented so far include asset discovery, weak-password detection and information-leakage detection; these can be built on simple rules and do not need complex computation.

For details see: Quicksand: the practice of the CreditEase security data platform

5.1 Quicksand application: internal control

How to satisfy more complex security analysis and correlation analysis scenarios on top of the Quicksand security big-data platform is also the focus of our follow-up development.

The figure referenced here (not reproduced) showed an upper-layer application built earlier for internal control, which a colleague has also presented at QCon. It collects, in real time, the login and query operations of the company's internal business systems, office-network employee behaviour (with custom rules), DNS, GitLab, Wiki, DLP alarms and so on.

The first purpose is auditing the operational behaviour of business systems: who accessed which sensitive data, and when, recorded for traceability.

The second is analysis: for example, when one person's operations differ from those of the other people in the same post, cluster to locate high-risk personnel and keep an eye on them.
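The peer-comparison idea above, as an added example (not the article's internal-control code): for each post, compare every person's mean daily volume of sensitive queries with the others in the same post using a robust median/MAD score, and flag whoever sits far above their peers. A robust score is used deliberately, because one heavy abuser would otherwise drag the mean and standard deviation of the whole group and hide themselves. The audit aggregates, post names and threshold are constructed; a real deployment would build the per-user counts from the audit records described in the previous paragraph.

```python
"""Peer-group outlier detection over audit aggregates: flag a person whose daily volume
of sensitive queries is far from others in the same post, using a robust (median/MAD)
score. Added example; records are constructed."""
import statistics

# Constructed audit aggregates: (user, post, day, sensitive_queries)
RECORDS = [
    ("wang", "customer_service", "2019-05-06", 38), ("wang", "customer_service", "2019-05-07", 42),
    ("li",   "customer_service", "2019-05-06", 44), ("li",   "customer_service", "2019-05-07", 46),
    ("sun",  "customer_service", "2019-05-06", 36), ("sun",  "customer_service", "2019-05-07", 40),
    ("zhou", "customer_service", "2019-05-06", 41), ("zhou", "customer_service", "2019-05-07", 43),
    ("zhao", "customer_service", "2019-05-06", 280), ("zhao", "customer_service", "2019-05-07", 320),
    ("chen", "risk_control", "2019-05-06", 78), ("chen", "risk_control", "2019-05-07", 82),
    ("lin",  "risk_control", "2019-05-06", 88), ("lin",  "risk_control", "2019-05-07", 92),
    ("he",   "risk_control", "2019-05-06", 84), ("he",   "risk_control", "2019-05-07", 86),
]


def mean_daily_volume(records):
    """(user, post) -> mean sensitive queries per recorded day."""
    per_user = {}
    for user, post, _day, n in records:
        per_user.setdefault((user, post), []).append(n)
    return {k: sum(v) / len(v) for k, v in per_user.items()}


def robust_scores(values):
    """Modified z-scores: 0.6745 * (x - median) / MAD. Falls back to the mean absolute
    deviation when MAD is zero (many identical values); an all-identical group scores 0."""
    med = statistics.median(values)
    deviations = [abs(x - med) for x in values]
    scale = statistics.median(deviations)
    if scale == 0:
        scale = sum(deviations) / len(deviations)
    if scale == 0:
        return [0.0] * len(values)
    return [0.6745 * (x - med) / scale for x in values]


def peer_outliers(records, threshold=3.5):
    """Return [(user, post, mean_volume, score)] for users far above their post's peers."""
    by_post = {}
    for (user, post), avg in mean_daily_volume(records).items():
        by_post.setdefault(post, []).append((user, avg))
    flagged = []
    for post, rows in by_post.items():
        scores = robust_scores([avg for _, avg in rows])
        for (user, avg), score in zip(rows, scores):
            if score > threshold:   # one-sided: only unusually high volume matters here
                flagged.append((user, post, round(avg, 1), round(score, 1)))
    return flagged


if __name__ == "__main__":
    for user, post, avg, score in peer_outliers(RECORDS):
        print(f"{user:6} {post:17} mean/day={avg:6.1f} score={score}")
```

The threshold of 3.5 is the conventional cut-off for modified z-scores; in practice it is tuned per post, and a flag is a prompt for an analyst to pull the traceability records for that person, not a verdict.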

The figure referenced here (not reproduced) showed the information we compiled about each user's assets.

VI. Self-developed WAF product

Gradually replace the commercial WAF products

Traditional web security defence capability

CC attack (HTTP flood) protection capability

Crawler protection capability

Information-leakage protection capability

Data-analysis capability to identify abnormal traffic

6.1 Pleasant Shield

Let's focus on our self-developed WAF product, Pleasant Shield, which took about a year and a half and three major versions. Eight security team members were responsible for system design, development and protection-rule collection, one ops colleague for building and deploying the installation package, and two test engineers assisted with stress testing.

We have used commercial WAF appliances from a vendor ranked first in the Gartner quadrant and bought about ten units over the years. The product itself is very good and our people were skilled and stable with it, but it has some shortcomings:

First, it protects strongly against traditional rule-matched malicious requests but weakly against crawlers, which need a time-window context; turning that part on hurts the overall hardware performance. Second, hardware has to be wired into the network, so whenever new services or new network zones are rolled out new devices have to be put in, and the rollout cycle is long. Third, horizontal scaling is weak: when a single point hits a bottleneck, the only options are to upgrade its capacity or split the traffic.

So, on top of the commercial products, we still chose to develop Pleasant Shield, in line with the SDS (software-defined security) trend (thanks to the strong support of the company and its leadership). Pleasant Shield is built as an OpenResty extension and has three parts: the gateway, the big-data analysis platform and the operations back end. All configuration is shared and read through Redis. Pleasant Shield provides web protection, CC protection, blacklist protection, semantic-recognition protection, sensitive data protection and AI protection. Design and development follow commercial-product standards: more than 100 basic rules selected, custom rules supported, rule blacklists and whitelists at both global and per-domain scope, every protection switch toggled independently per domain, and blocking-event reports and queries separated by domain, with the product's usability and interaction polished.

Platform features

Software-defined, fast onboarding, horizontal scaling

Current progress and operation

Iterated for about a year and a half; fully deployed in front of Yirendai (宜人贷); stress-test peak traffic: 5000 QPS (2C8G)

Pleasant Shield is now fully deployed in front of Yirendai. Because it is a gateway product with high requirements on performance and stability, it went through a lot of stress testing with the support of two testing colleagues: on a 2C8G virtual machine Pleasant Shield reaches about 5000 QPS, which meets our requirements. At the same time we monitor every service (MQ, Flink, the counting service, Redis, the full-traversal service, etc.) and added a system-status view in the operations back end that shows the domain access status of each Pleasant Shield node and the node's error alarms. Queries over protection events have also been optimized heavily, so they stay fast even when there are many blocks.

Recognition of high- and low-frequency crawlers by machine learning

Figure caption: serialized URLs form an access path ordered by time; a graph extracts the number of cycle traversals; clustering finds the abnormal IPs and SIDs.

Identifying CC attacks and crawler behaviour that traditional rules struggle to find is also a key goal of Pleasant Shield. Besides judging the access frequency of a single interface by UA, IP blacklist and IP/SID, we add algorithms to identify this kind of abnormal access.

For example, we use a "path clustering model", implemented on Pleasant Shield's data analysis platform: periodically extract the visits from the previous period, serialize each visitor's URLs into an access path, use a graph to extract the number of cycles (loops; a single repeated node also counts as a loop), and cluster to find abnormal IPs and SIDs.

In the example marked in the figure, the first IP traversed the cycle [2835] 86 times, and the second IP traversed [2821 2832] 14 times and another cycle 36 times. To be clear, the path is ordered by time, not by Referer, and the graph computation uses the NetworkX library; readers who are interested can look into it. After launch, the behaviour found (crawling of financial articles and automated refresh abuse) matched our expectations.
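The path-serialization and cycle-counting step, as an added example that is not Pleasant Shield's code: per IP, the visited URL ids are ordered by time; a cycle closes whenever a URL already on the open path is revisited, and each traversal of that cycle is counted, so a page hammered repeatedly shows up as the one-node cycle `(2835,)` and a list/detail ping-pong as `(2821, 2832)`, in the spirit of the figure. The article does this with NetworkX and then clusters; here the cycle extraction is hand-rolled so the block runs without extra packages, and the clustering is replaced by a plain threshold on the cycle features (max repeat count and the share of visits spent inside cycles). The access log, IP addresses and URL ids are constructed.

```python
"""Path-clustering style crawler detection on time-ordered access paths.
Added example; the access log is constructed and the thresholds stand in for clustering."""
from collections import defaultdict


def build_access_log():
    """Constructed sample (not the article's data): (timestamp, ip, url_id)."""
    log, t = [], 0
    for _ in range(30):                       # 10.0.0.9 hammers one article: cycle (2835,)
        log.append((t, "10.0.0.9", 2835)); t += 1
    for _ in range(14):                       # 10.0.0.10 alternates list and detail pages
        log.append((t, "10.0.0.10", 2821)); t += 1
        log.append((t, "10.0.0.10", 2832)); t += 1
    for url in (2801, 2802, 2803, 2810, 2801, 2825):   # ordinary browsing, one loop back
        log.append((t, "10.0.0.1", url)); t += 1
    return log


def serialize_paths(log):
    """ip -> list of url ids in time order (time order, not Referer order)."""
    by_ip = defaultdict(list)
    for _ts, ip, url in sorted(log):
        by_ip[ip].append(url)
    return by_ip


def extract_cycles(path):
    """Return {cycle_tuple: traversal_count}. A cycle closes when a URL already on the
    open path is revisited; the open path then restarts at that node. A direct repeat
    of one URL is the one-node cycle (url,)."""
    counts = defaultdict(int)
    position = {}          # url -> index on the open path
    start = 0
    for i, url in enumerate(path):
        if url in position:
            j = position[url]
            counts[tuple(path[j:i])] += 1
            for k in range(start, i):       # drop the closed segment from the open path
                position.pop(path[k], None)
            start = i
        position[url] = i
    return dict(counts)


def profile(path):
    """Cycle features for one visitor."""
    cycles = extract_cycles(path)
    in_cycles = sum(len(c) * n for c, n in cycles.items())
    return {
        "visits": len(path),
        "distinct_cycles": len(cycles),
        "max_repeat": max(cycles.values(), default=0),
        "loop_ratio": in_cycles / len(path) if path else 0.0,
        "cycles": cycles,
    }


def find_abnormal(log, min_repeat=10, min_loop_ratio=0.8):
    """Threshold stand-in for the article's clustering: a visitor is abnormal when some
    cycle is traversed at least min_repeat times and most visits are spent in cycles."""
    profiles = {ip: profile(p) for ip, p in serialize_paths(log).items()}
    flagged = {ip for ip, pr in profiles.items()
               if pr["max_repeat"] >= min_repeat and pr["loop_ratio"] >= min_loop_ratio}
    return profiles, flagged


if __name__ == "__main__":
    profiles, flagged = find_abnormal(build_access_log())
    for ip, pr in profiles.items():
        print(ip, "ABNORMAL" if ip in flagged else "ok", pr["cycles"], round(pr["loop_ratio"], 2))
```

The same features can be computed per SID instead of per IP by changing the key in `serialize_paths`, which is what catches a scraper rotating source addresses behind one session. Ordinary users also close the odd cycle (back to a list page, say), which is why the rule needs both a high repeat count and a high `loop_ratio` rather than either alone.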

What we are doing now

The above is some of what we have done over the past two years, plus some of my own experience:

Running security development as projects helps it iterate; with clear outputs and goals, efficiency improves greatly. A bad plan is better than no plan at all: during planning (brainstorming, for example) people contribute more innovation and ideas, and the plan should also note the risk points, such as how long the investment can be sustained, whether the project might be stopped, whether the core personnel are stable, and whether the team is actually good at the chosen architecture or development language. At the product level, more and more vendor (Party B) products fit the real needs of end-user (Party A) teams and land with ever-better results, and in niche areas more suitable solutions can be found, except in a few large companies. Some things need to be studied and reconsidered again and again, combining short-, medium- and long-term changes so that they meet the enterprise's long-term development needs as far as possible. Many companies still have a lot to practise and optimize in areas close to traditional security, such as security services, attack-and-defence countermeasures, and SDL. Recently there has been a lot of discussion in this area, for example the ATT&CK matrix and Didi's continued construction of SDL.

This year we are also focusing on several projects; besides Insight 2.0 mentioned above, which is more of a contribution to the open source community, there are two more important in-house projects.

The first project, codenamed "Super Scanner", uses a variety of means (internal work orders, the CMDB, search engines, CMS fingerprints, etc.) to discover external assets, monitors GitLab, the dark web and negative public opinion, and takes on the important task of improving security-testing efficiency and assisting SDL promotion, reusing the previously developed distributed security service orchestration service "Sumi" and the crawler service. "Discover assets the way an attacker does and integrate that deeply into SDL" is the original intention of the project.

The second project, codenamed "Security Awareness", is the re-integration and expansion of Quicksand, the internal-control audit system and the office-network security systems. Data security is mentioned on its own more and more often and has become one of the core security issues. The Data Security Law has entered the legislative stage, and whether from the angle of security construction, compliance, or the strategic development of the enterprise, many companies at the forefront of the industry have been moving to a "data-centric security strategy". So the focus of this project is data security: paying attention to how data is used at the application layer, joining up all the information available to security, making it easy to configure correlation relationships, and setting up a detection model for each type of business system or scenario. It can be regarded as an intelligent audit product. Of course, this is only one corner of data security governance as a whole. Data security strategy, a data security committee, data classification and grading, operating procedures, a reward and punishment system, traditional database desensitization, data leakage prevention, data file transfer (ferrying), data maps, big-data security and so on together form the complete picture of data security, and there is a great deal of complicated work to do.

Author: Wang Zhe

First published by: Yixin Security Emergency Response Center
