2025-03-26 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
1 Overview
Weak "immunity" is the basic condition of information security in China today: detection and handling of security threats is still at the stage of manual inspection and after-the-fact audit. Against current technical means such as big data analytics and APT attacks, examining risk by hand is badly outdated and leaves the defender permanently on the back foot internationally. Attack industrialization and the internationalization of APT campaigns have already taken shape, and information security is now a matter of national security: if critical systems are in others' hands and our playbooks are known to others, the threat to information security is severe. Under these conditions there is an urgent need to develop a domestic SOC (security operation center) system that is intelligent, high-performance and highly accurate to counter these risks.
The development and application of SOC in China lag behind. SOC is generally sold as a software product, while its practical application remains largely theoretical. Today the vast majority of SOC deployments in China are used for centralized collection and management of SIEM logs, whereas the core work, correlation analysis and risk monitoring (SOC security operations service, or managed security service), is still in its infancy. This abnormal situation results from constraints of the domestic system, policy, application environment and traditional understanding, together with the European and American blockade of SOC technology, all of which have held back the progress of domestic SOC.
Today, building an intelligent and highly available SOC system requires a powerful SOC product, real-time and accurate threat intelligence, and professional SOC security operations services. Concretely:
1. A high-performance SOC product with a powerful correlation analysis engine built on big data technology
2. A security threat detection model
3. Threat intelligence from external and internal sources
4. An easy-to-understand risk display platform, an intelligent alarm platform and a powerful reporting system
2 Taihe Plan
In April this year, Qiming Star (Venustech) officially released the Taihe security threat analysis cooperation plan and announced its first batch of partners: the managed security service provider Nuoheng Information, the threat intelligence providers Skyline Friendship and Micro-step Online (ThreatBook), and the security threat intelligence alliance Beacon. This leads the general trend toward open, connected and collaborative development of SOC security management platforms.
This signals that domestic SOC has moved from selling a product alone to delivering SOC product + MSS service + threat intelligence, so that SOC is delivered as something practical. It also confirms that more and more domestic SOC customers have sharply raised their requirements for practicality.
3 Underlying Technical Requirements of SOC Products
An excellent SOC product is the foundation of practicality. Its capability directly determines the stability of the system, the time spent on query and analysis, the depth of intelligent threat detection and the accuracy of risk monitoring during SOC operation.
3.1 Big Data Query
Faced with ever-growing volumes of collected data, the traditional relational database has long been overwhelmed. Log query and analysis is the most important tool of SOC security analysis and audit, so query efficiency directly affects the working efficiency of security analysts.
3.2 Correlation Analysis Engine
The correlation analysis engine is the core of SOC; its efficiency and functionality directly determine SOC's ability to detect risk events.
An excellent correlation analysis engine must guarantee its own speed, real-time behaviour and stability under high-intensity log analysis. It must also offer flexibility in writing logical conditions, comparison, calculation and judgement between values of log fields, and the ability to reference and output all kinds of assets, filters, form data and so on.
3.3 Deep Log Formatting
Log formatting is mandatory work for every SOC vendor and is the basis of SOC log readability and correlation analysis. The most critical part is filling in fields such as attack object, attack technique, risk nature, operation, result and so on. Accurate and complete definition of log semantics relieves the pressure on security analysis engineers during correlation analysis and log audit.
However, this is also the most difficult, labor-intensive and time-consuming part of log modeling. It requires a large investment of security experts to study the logs and to classify and audit every log of every device supported by the SOC according to the corresponding log classification standard. Many SOC manufacturers therefore deliberately avoid this work, or complete it with relatively coarse classification, machine learning and similar shortcuts.
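The two requirements above, deep formatting of raw lines into semantic fields (3.3) and a correlation rule that compares fields across events and references an asset table (3.2), are illustrated by the following added example. It is not code from the article or from any SOC product: the log layout, the asset table and the rule threshold are constructed assumptions, and the field names (object, technique, nature, operation, result) follow the article's wording rather than any vendor schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical syslog-like layout (not real device
# output). Lines 1-4 are a brute force against db01 that ends in a success.
RAW_LOGS = [
    "2025-03-26T10:00:01 db01 sshd[101]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "2025-03-26T10:00:03 db01 sshd[101]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "2025-03-26T10:00:05 db01 sshd[101]: Failed password for root from 10.0.0.5 port 5003 ssh2",
    "2025-03-26T10:00:09 db01 sshd[101]: Accepted password for root from 10.0.0.5 port 5004 ssh2",
    "2025-03-26T10:01:00 web01 sshd[202]: Failed password for alice from 10.0.0.9 port 6001 ssh2",
    "2025-03-26T10:01:30 web01 sshd[202]: Accepted password for alice from 10.0.0.9 port 6002 ssh2",
    "2025-03-26T10:05:00 fw01 fw: action=deny src=203.0.113.7 dst=192.168.1.10 dport=445",
]

# Hypothetical asset table that the rule references (the "user assets" layer).
ASSETS = {
    "db01": {"ip": "192.168.1.10", "criticality": "high"},
    "web01": {"ip": "192.168.1.20", "criticality": "medium"},
}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<act>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def normalize(line):
    """Deep formatting: map one raw line onto the semantic fields the article
    lists. Returns None for lines no parser understands; the caller counts
    those instead of dropping them silently."""
    m = SSH_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "object": m["host"],            # attack object: the asset being hit
            "user": m["user"],
            "technique": "password-auth",    # attack technique
            "nature": "credential-access",   # risk nature
            "operation": "login",
            "result": "success" if m["res"] == "Accepted" else "failure",
        }
    m = FW_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "object": m["dst"],
            "technique": "tcp/" + m["dport"],
            "nature": "network-probe",
            "operation": "connect",
            "result": "blocked" if m["act"] == "deny" else "allowed",
        }
    return None


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failed logins from one source against one
    object, followed by a success within `window`, raises an alert whose
    severity is looked up from the asset table."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["technique"] == "password-auth":
            by_pair[(ev["src"], ev["object"])].append(ev)
    alerts = []
    for (src, obj), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for ev in evs:
            if ev["result"] == "failure":
                failures.append(ev["ts"])
                continue
            # A success: only failures inside the window before it count.
            recent = [t for t in failures if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "ssh-bruteforce-then-success",
                    "src": src,
                    "object": obj,
                    "user": ev["user"],
                    "failures": len(recent),
                    "severity": ASSETS.get(obj, {}).get("criticality", "unknown"),
                    "evidence": recent + [ev["ts"]],   # evidence chain for the analyst
                })
            failures = []
    return alerts


def run(lines):
    """Normalize every line, then correlate. Returns (alerts, unparsed_count)."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return correlate(events), unparsed


if __name__ == "__main__":
    found, missed = run(RAW_LOGS)
    for a in found:
        print(a["rule"], a["src"], "->", a["object"], "severity", a["severity"])
    print("unparsed lines:", missed)
```

Only the db01 sequence fires: three failures inside the 60-second window precede the success, and the severity comes from the asset table rather than from the rule itself. The single failure against web01 stays below the threshold, and the firewall line is parsed into the same schema so a later rule can reference it without a second parser.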
4 Security Threat Detection Model
4.1 Security Threat Detection Model Architecture
The security threat detection model is the basic framework for SOC correlation analysis and detection. Only when SOC is deployed strictly according to the model can its many core functions be linked into a complete system. The main contents are the correlation references and hierarchical structure among "user assets, detection rules, dynamic threat library, filters, alarm system" and so on.
4.2 Threat Scenario Library
The threat scenario library is the case source for writing detection rules. It records and studies the characteristics and behaviour of cases encountered in real customer environments, together with new findings from the lab, and converts them into detection rules for the production environment.
The practice accumulated in the threat scenario library directly determines the quantity and quality of detection rules, and therefore the practical results of SOC.
4.3 Sources and Use of Threat Intelligence
In practical SOC work, threat intelligence divides into external and internal threat intelligence. Both can be referenced by the correlation analysis engine within the security threat detection model, which greatly improves the accuracy of security event detection and reduces false positives.
External threat intelligence comes from threat intelligence service providers. Its advantage is breadth of sources and of information; its disadvantage, from the customer's point of view, is equally obvious: the hit rate is far too low. To solve this, a very fine filtering mechanism is needed, defined by attack category, assets, vulnerabilities, objects and so on, and the filtered intelligence is then distributed to the detection rules of the security threat detection model.
Internal threat intelligence comes mainly from the customer's black and white lists and from the dynamic threat library. The dynamic threat library extracts key information from attack events, adds it to a data table that is updated and processed over time, and uses the attacker information for advanced threat detection and for post-event audit and analysis.
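The filtering and lookup order described in this section, as an added example that is not part of the article and not any vendor's or provider's code. The feed entries, asset inventory, black and white lists, and the 24-hour expiry of dynamic entries are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: which services each monitored asset exposes.
ASSETS = {
    "192.168.1.10": {"name": "db01", "services": {"ssh", "smb"}},
    "192.168.1.20": {"name": "web01", "services": {"ssh", "http"}},
}

# Constructed external feed (hypothetical entries, not from any real provider).
# "targets" is the service or surface the indicator is known to go after.
EXTERNAL_FEED = [
    {"ioc": "203.0.113.7", "category": "scanner", "targets": {"smb"}},
    {"ioc": "198.51.100.4", "category": "c2", "targets": {"any"}},
    {"ioc": "192.0.2.77", "category": "exploit", "targets": {"rdp"}},
    {"ioc": "192.0.2.88", "category": "phishing", "targets": {"mail"}},
]

# Internal intelligence: the customer's own lists (constructed).
WHITELIST = {"10.0.0.100"}   # e.g. the customer's authorized vulnerability scanner
BLACKLIST = {"10.0.0.200"}


def filter_external(feed, assets):
    """Fine filtering: keep only indicators whose target surface the customer
    actually exposes, so a low-hit-rate feed does not flood the rules."""
    exposed = set().union(*(a["services"] for a in assets.values()))
    return {e["ioc"]: e["category"] for e in feed
            if "any" in e["targets"] or e["targets"] & exposed}


class DynamicThreatLibrary:
    """Internal intelligence extracted from confirmed attack events.
    Entries carry the rule that produced them and expire after `ttl`."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self.entries = {}   # src -> (reason, last_seen)

    def learn(self, alert):
        """Take the attacker source out of a correlation alert."""
        self.entries[alert["src"]] = (alert["rule"], alert["ts"])

    def lookup(self, src, now):
        hit = self.entries.get(src)
        if hit and now - hit[1] <= self.ttl:
            return hit[0]
        self.entries.pop(src, None)   # drop a stale entry on the way out
        return None


def match(event, external, dynamic):
    """Lookup order: whitelist suppresses everything, then the customer
    blacklist, then the dynamic library, then the filtered external feed."""
    src = event["src"]
    if src in WHITELIST:
        return None
    if src in BLACKLIST:
        return "blacklist"
    reason = dynamic.lookup(src, event["ts"])
    if reason:
        return "dynamic:" + reason
    if src in external:
        return "external:" + external[src]
    return None


if __name__ == "__main__":
    ext = filter_external(EXTERNAL_FEED, ASSETS)
    dyn = DynamicThreatLibrary()
    # Constructed alert in the shape a correlation rule would emit.
    dyn.learn({"src": "10.0.0.5", "rule": "ssh-bruteforce-then-success",
               "ts": datetime(2025, 3, 26, 10, 0, 9)})
    for src, ts in [("203.0.113.7", datetime(2025, 3, 26, 10, 5)),
                    ("192.0.2.77", datetime(2025, 3, 26, 10, 6)),
                    ("10.0.0.5", datetime(2025, 3, 26, 10, 30)),
                    ("10.0.0.5", datetime(2025, 3, 28, 10, 30))]:
        print(src, ts, "->", match({"src": src, "ts": ts}, ext, dyn))
```

The filter keeps the SMB scanner and the "any"-scoped C2 address because the inventory exposes SMB, and discards the RDP exploit and mail phishing indicators that cannot apply. The dynamic entry learned from the brute-force alert matches for a day and then silently expires, which is the difference between a threat library and a permanently growing blacklist.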
5 Presentation and Delivery of SOC Security
SOC presentation and technical support are an indispensable part of SOC operations. Even where a customer's SOC is intelligent, changes in assets, new security needs, adjustments to security policy and so on make the support of a managed security service provider essential. Security is a process of continuous updating and construction, and SOC security operations are no exception.
5.1 Display Platform
SOC is such a complex system that even engineers with some security analysis experience need months to years to go from being able to use it to being proficient in it. Expecting most customers to learn it well enough to use and approve it is clearly unrealistic.
To improve customers' recognition of SOC, a display platform built as secondary development on top of SOC is needed, which presents the results of correlation analysis to customers more intelligently and simply and replaces the customer's own customized SOC development. The display should take correlated events as its data source and include situational awareness, multi-dimensional and multi-type risk trend statistics, alarm event details and the evidence chain, and so on.
5.2 Reporting System
Once the practical results of SOC are recognized, the customer's demands on reporting grow. Report customization and automation come to involve all of the customer's departments and even individual positions, and at that point the customization capability of the SOC reporting system directly determines how sticky the relationship with the customer is.
5.3 Intelligent Alarm Platform
Intelligent alarming is a necessary function of the SOC platform; in principle it notifies customers of monitored risk alerts through a variety of channels such as e-mail, WeChat and SMS. The difficult part is controlling the number of alarms, and sending security event details, event descriptions, suggestions and other information to customers intelligently and in stages.
5.4 Knowledge Base
Matching the knowledge base against the threat scenario library is the basis for the intelligent display platform, customized reports and intelligent alarming. A supporting knowledge base also makes the experience of security experts reproducible: the processes and methods experts use to analyze and handle similar risks are entered into the knowledge base for reference and use by junior security analysts. With standard processes and SLAs in security operations, quick response and risk management are achieved.
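The staged, volume-controlled alarming of 5.3 and the knowledge-base text it draws on in 5.4, as an added example that is neither the article's nor any SOC product's code. The 10-minute deduplication window, escalation on the third repeat, the channel per stage and the knowledge-base wording are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed knowledge-base entry: the description and handling suggestion
# that the escalation message carries (hypothetical content).
KNOWLEDGE_BASE = {
    "ssh-bruteforce-then-success": {
        "description": "Repeated SSH password failures followed by a success "
                       "from the same source.",
        "suggestion": "Confirm whether the login is legitimate; if not, reset "
                      "the account credential and block the source at the border.",
    },
}


class AlarmDispatcher:
    """Stage 1: the first occurrence of an alert key gets a short SMS summary.
    Stage 2: the `escalate_after`-th occurrence inside `dedup_window` gets a
    full e-mail with count, evidence chain, description and suggestion.
    Every other occurrence inside the window is suppressed and only counted."""

    def __init__(self, dedup_window=timedelta(minutes=10), escalate_after=3):
        self.dedup_window = dedup_window
        self.escalate_after = escalate_after
        self.state = {}   # key -> {"first": ts, "count": n}

    def handle(self, alert):
        key = (alert["rule"], alert["src"], alert["object"])
        st = self.state.get(key)
        if st is None or alert["ts"] - st["first"] > self.dedup_window:
            # New key, or the previous window has expired: start a new window.
            self.state[key] = {"first": alert["ts"], "count": 1}
            return {"stage": "initial", "channel": "sms", "key": key,
                    "text": "%s: %s -> %s (severity %s)" % (
                        alert["rule"], alert["src"], alert["object"], alert["severity"])}
        st["count"] += 1
        if st["count"] == self.escalate_after:
            kb = KNOWLEDGE_BASE.get(alert["rule"], {})
            return {"stage": "escalation", "channel": "email", "key": key,
                    "count": st["count"],
                    "description": kb.get("description", ""),
                    "suggestion": kb.get("suggestion", ""),
                    "evidence": alert.get("evidence", [])}
        return None   # suppressed; the count lives in self.state

    def dispatch(self, alerts):
        """Process alerts in time order and return only what is actually sent."""
        sent = []
        for alert in sorted(alerts, key=lambda a: a["ts"]):
            note = self.handle(alert)
            if note:
                sent.append(note)
        return sent


def sample_alerts():
    """Constructed correlation output: one alert firing five times in five
    minutes, one unrelated alert, and a repeat twenty minutes later."""
    base = datetime(2025, 3, 26, 10, 0)

    def mk(minutes, src="10.0.0.5", obj="db01"):
        return {"rule": "ssh-bruteforce-then-success", "src": src, "object": obj,
                "severity": "high", "ts": base + timedelta(minutes=minutes),
                "evidence": ["failure burst at +%dm" % minutes]}

    return [mk(0), mk(1), mk(2), mk(3), mk(4), mk(2, src="10.0.0.9", obj="web01"), mk(20)]


if __name__ == "__main__":
    for note in AlarmDispatcher().dispatch(sample_alerts()):
        print(note["channel"], note["stage"], note["key"])
```

Seven alerts become four notifications: an SMS for the first db01 hit, one e-mail with the knowledge-base description and suggestion when the same key repeats for the third time, an SMS for the unrelated web01 alert, and a fresh SMS when the db01 alert returns after the window has expired. The two repeats that fall between stages are counted but never sent, which is what keeps the customer's inbox usable during a sustained attack.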
5.5 SOC Security Operations Service Support
The vast majority of SOC operations in Europe and the United States are carried out by professional managed security service providers. In large-scale SOC operations abroad, these providers have studied and accumulated a large body of best practice, and the related operations standards, real-time response mechanisms, SLAs and so on are ISO-certified. The experience, emergency support capability and practicality of their security analysis teams are very mature.
Choosing a managed security service provider with rich security operations experience is a necessary condition for ensuring that a customer's SOC delivers practical results and that risks are monitored and responded to in real time.