Data-driven security architecture upgrade: the "vase" model reaches v5.0 (1)

2025-02-25 Update, from SLTechnology News&Howtos (shulou), Internet Technology


Shulou(Shulou.com)06/03 Report--


Jackzhai

I. Background

The past decade can fairly be called the decade of great development in network technology: cloud computing, big data, the mobile Internet, the Internet of Things and other new technologies have gradually matured, and social networking, e-commerce, smart cities … Real society is entering the virtual world built by the network in every respect, and the network is becoming an indispensable "necessity of life," as basic as food and clothing.

As the network carries more and more transactions and faces more and more security threats, the losses caused by network security problems and their scope keep escalating. In summary, this shows in the following aspects:

Nationalization of network security: the United States ranks cyberspace alongside land, sea and air as one of the four major domains of national sovereignty, and the Internet is beginning to have "national borders." In the virtual world there are not only police but also armies, and the smoke of cyber war is sweeping across our whole "global village." The cyber forces of various countries have stockpiled large numbers of vulnerabilities; as cyber weapons between governments, vulnerabilities have become traded "arms commodities," and the scope of technology sharing keeps shrinking.

Grey industry chain: where there is money, it is easy to become a target: the political interests of some people, malicious competition between enterprises, the theft of personal privacy information. The technology has been completely commercialized and the industrial chain has evolved to considerable maturity: developing * *, * * websites, spreading * *, targeted information gathering, black markets for trading illegal information, professional companies serving fraud organizations, bank-card cash-out companies. The consequence of this maturity is ample funding to invest in developing all kinds of technology, a workforce full of talent, and ever-higher operating efficiency across the industry.

White hat marketization: where there is a black hat industry earning money, there is a white hat "obligation" to protect. Although the two sides are "equally matched in danger," promotion from both black and white has made vulnerability discovery an unprecedentedly popular high-tech industry, somewhat like the "arms race" of the Cold War, which objectively drove the high output of vulnerability "goods." To cope with the deteriorating network security situation, * personnel training, vulnerability bounty awards, commercial white-hat crowd testing … * technical personnel have become urgent hires for many enterprises and governments.

Network security technology has also changed greatly, giving attackers more ideas and perspectives, and more advanced and covert methods to choose from:

Cloud computing promotes service centralization: cloud services rely on virtualization to build huge data centers whose internal network boundaries are blurred, especially between information systems. The traditional security idea is boundary-based access control; now the boundary shrinks from the network layer to the application layer, and everyone is in one room: access is easy, but control is hard. In a word: there are too many adults in the family, so it is hard to keep order.

Popularization of the mobile Internet: with the spread of 4G, social software has moved from the PC to smart terminals; the mobile phone number has become the modern person's second "× ×," and it is online in real time. Everyone can be "live" on the Internet, and personal information security has become the concern of the whole society: location, photos, private chats …

The Internet of Things and the smart city: computer to computer, computer to human, human to environment, the Internet of everything on Earth … In just a few decades the network has reached every corner of the earth: dynamic and static, living and inanimate. The result is that there is so much data that no one can take it all in, and finding the data you need is not easy, which gave birth to the technological change of big data. Using big data to manage huge volumes of data, using big data correlation to analyze the whereabouts of each object and find what is hidden, big data has become a new technical tool for both sides, attacker and defender.

Encryption and decryption are once again the focus: security is inseparable from cryptography. For security, information must be encrypted so that others cannot read it; to monitor the network and understand what is transmitted, it must be decrypted. The PRISM affair in the United States exposed government surveillance and convinced everyone that end-to-end encryption at the source is the inevitable future choice. However, the confrontation between encryption and decryption differs from before. On the one hand, cloud computing can supply enormous code-breaking computing power, and big data correlation analysis can effectively shrink the search space for key recovery, so traditional encryption algorithms face serious challenges: whether you publish your algorithm or choose a longer key, it will be broken sooner or later. On the other hand, new encryption technology develops slowly, and the industry is watching closely the commercial use of new-mode technologies such as homomorphic encryption and quantum encryption. Providing frequent encryption for the vast number of IoT users is also a hard problem for traditional cryptographic technology. Therefore, establishing a commercial cryptographic service center for individual users, so that everyone can dynamically choose the encryption algorithm and key length and easily achieve end-to-end encrypted communication on the various social networks, is a change in the mode of cryptographic application.

In summary, highly targeted advanced threats have become the mainstream of network security, and students attacking to show off are no longer the focus of defense. On the one hand, after years of security awareness and construction, most networks have some defensive capability, raising the technical threshold for attacks; on the other hand, attacks are more targeted and more technical. A few years ago the term APT was very popular, and the response products followed into view: sandbox technology, threat intelligence, security big data analysis. Yet people still feel that APT defense is too hard, and the industry has quietly begun favoring the term "advanced threat detection," mentioning APT as little as possible and proceeding step by step.

The "vase" model, released in 2007, is a reference model for network security scheme design that lets designers analyze users' security needs, deploy network security measures, and build an assurance scheme that meets the technical standards of hierarchical protection. Ten years on, the model has kept upgrading and evolving with the deployment of technology and new application models; v5.0 is another major upgrade of its technical architecture and security concepts.

II. Evolution of the "vase" model v5.0

The "vase" model is a reference model for network security scheme design. Based on the dynamic defense idea of the PDR model, it establishes a multi-dimensional, three-dimensional defense system of "three lines and one platform": defense beforehand, monitoring and response during the event, and audit and improvement afterwards, with self-learning and self-improvement in the course of confrontation forming closed-loop management control. The model gives suggestions for selecting and combining security products on each line, so that the designer can easily write the assurance scheme and ensure its effectiveness, compliance and practicality.

As security technology develops, the "vase" model must also evolve and incorporate the latest security technology to suit the latest network environments and applications. The core concepts of the v5.0 upgrade have changed as follows:

1. Logical hierarchical abstraction: to adapt to new business models such as network virtualization and roaming user terminals, the "vase" model introduces further layering logic from three angles:

a. The network layer is split into physical and logical: the network transmits traffic, so network security is really the security of its traffic transmission; the network cable is only the physical medium, and a virtual network has no physical medium at all. The physical network is labeled by cables and forwards by IP routing; the logical network is labeled by the traffic of each information system, uses flow-control methods, establishes protocol-encapsulated channels, and forwards by policy routing. The topology diagrams used by operations are likewise split into physical and logical: the physical topology is the traditional one, while the logical topology is abstract. In the physical topology the information systems are intertwined; in the logical topology each information system's internal structure is clear and the boundaries between systems are clear.

b. Separation of network behavior from information content: as business-traffic encryption spreads, content security detection by reconstructing content from network traffic is increasingly limited, and as bandwidth grows exponentially, deep traffic analysis grows ever more expensive. The "vase" model separates network behavior analysis from content security monitoring, that is, the network layer from the application layer. Network behavior lives at the network level and focuses on packet header information, that is, the connection relationships of users' network access; through the asset information database, an IP can also be associated with business information systems and users to form user behavior tracking. Application-layer content security can instead be handled by deep analysis of the traffic after the × × device, or on the terminal or server, that is, by inspecting the information after decryption. In the "vase" model this greatly changes how the monitoring system is deployed: user behavior audit is divided into big-data analysis of network behavior and big-data analysis of business processes.

c. Identity authentication is separated from the information system: identity authentication is the foundation of authorization management and of user behavior audit. As business information systems multiply, decentralized identity management and authorization control become ever more complex; in particular, when a person's role changes, the workload of changing authorizations is unimaginable. Separating identity authentication from the information systems and establishing a unified identity authentication and authorization management system have become basic implementation requirements for building a network trust system.

2. Data-driven security: in the early days of network construction, security was event-driven (viruses, worms, leaks, outages) and amounted to emergency firefighting. As business informatization developed, hierarchical protection standards, risk assessments and the like meant that business began to drive security construction: the "three lines and one platform" system of defense, monitoring and trust, "three parts technology, seven parts management," and network security became part of routine management. Threats come from the desire for value: the more business the network carries, the higher its value and the greater the security threat. The defense system grows ever more complex, massive log data must be analyzed, complex process operations must be audited, and network security has entered the era of "data-driven security." The emergence of big data technology has accelerated this evolution, which shows in two aspects of network security:

Security big data: applying big data processing and analysis technology to the new problems network security faces, namely the detection of advanced threats. Whether it is sandbox detection of unknown files, traffic-based network behavior analysis, or log-based business behavior audit, it is necessary not only to support rapid collection, storage and querying of massive data, but also to model attack behavior, profile attackers, and perform multi-dimensional attribute correlation analysis.

Big data security: the large concentration of data itself attracts higher-level adversaries, and the theft and leakage of valuable data has intensified around all kinds of new data centers. The value of concentrated business information system data is very direct; detailed network behavior records imply personal privacy; and centralized business logs can reveal the trade secrets of an enterprise's business logic. Big data construction has therefore continuously raised the required security level of the data center.

In v5.0 of the "vase" model, the data processing, analysis and operations functions of the security management platform are separated out to form a "data lake" at the bottom layer, on which the upper layers implement all kinds of big-data-based security analysis.

3. Security situation awareness: the introduction of virtualization and big data is how the "vase" model uses new technology to deal with advanced threats. Within the three lines of defense in depth that the model establishes, the monitoring line has visibly grown. Against expert adversaries and unknown new threats, the monitoring and trust systems are the focus.

a. "Know yourself": the first step of situation awareness is to find out the current state of your own network: assets, vulnerabilities, device status, application status, the location of sensitive data … and, more importantly, the current state of users: where they access from, how they access, which business they access, and whether sensitive information or sensitive operations are involved.

b. "Know the enemy": knowing your opponent cannot be achieved by digging only within your own network; security information must also be obtained from external sources, collectively called threat intelligence. Threat intelligence is tempting but hard to realize, mainly because the information is varied, the sources are many, access is difficult, and it is hard to find what is really valuable to you:

i. There is a great deal of threat-intelligence-related information: vulnerability information, new malicious code samples, security incidents, * * organizations, new attack techniques, emerging attack tools, malicious URLs, phishing sites, leaked sensitive information. Standardizing this information, collecting and clustering it automatically, and pushing it to those who need it requires cooperation on many fronts; the establishment of threat intelligence standards is the key.

ii. Using threat intelligence is also a very real problem. Turning collected or purchased intelligence into "useful" information for users requires operators not only to analyze the substance of the intelligence but also to know the "family background" of their own network, understand what threat the information poses to them, and give corresponding recommendations. If new vulnerability information arrives, asset management should immediately show which systems in the network have the vulnerability and what defensive measures to deploy at once; if a malicious URL is found to be a certain * * callback site, network traffic or terminal logs should immediately show which terminals have been "occupied," that is, have contacted the URL. Likewise, if a new * * file is found, traffic reconstruction or terminal search should show which terminals have been compromised, give the infection picture immediately, and deploy detection and removal.

iii. Everyone wants threat intelligence sharing, from nations to enterprises, but high-value intelligence often becomes a reserve weapon for cyber warfare or a competitive advantage for security service providers, and even paid sharing is limited to a small circle. The current situation is this: on the one hand, masses of low-value or even false, useless information are everywhere; on the other, targeted, valuable information is hard to collect. Therefore it is necessary to build a big-data analysis platform to mine useful information of one's own.
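To make the correlation described in point b and in item ii concrete, here is an added example (not code from the article or from any "vase" model product): a constructed asset inventory and a constructed proxy log are matched against a vulnerability advisory with a placeholder id and a malicious-domain indicator, returning the systems running a vulnerable version and the hosts that contacted the indicator, enriched with owner and business system from the inventory. Product names, versions, IPs, domains and the advisory are all made up for the example.

```python
# Constructed asset inventory: IP -> owner, business system, product, version
ASSETS = {
    "10.0.1.10": {"owner": "alice", "system": "billing", "product": "apache", "version": "2.4.49"},
    "10.0.1.11": {"owner": "bob", "system": "billing", "product": "apache", "version": "2.4.52"},
    "10.0.2.20": {"owner": "carol", "system": "hr", "product": "nginx", "version": "1.18.0"},
    "10.0.3.30": {"owner": "dave", "system": "workstation", "product": "windows", "version": "10"},
}

# Constructed proxy log, one "<timestamp> <src_ip> <dest_host> <url>" per line
PROXY_LOG = """\
2025-02-25T09:00:01 10.0.3.30 updates.example.org http://updates.example.org/patch.exe
2025-02-25T09:02:14 10.0.1.11 evil.example.net http://evil.example.net/gate.php
2025-02-25T09:05:40 10.0.3.30 evil.example.net http://evil.example.net/gate.php
2025-02-25T09:07:00 10.0.2.20 intranet.example.com http://intranet.example.com/
2025-02-25T09:09:31 10.0.3.30 evil.example.net http://evil.example.net/gate.php
"""

# Constructed advisory (placeholder id, not a real CVE): every release of the
# product older than fixed_version is affected.
ADVISORY = {"id": "ADV-CONSTRUCTED-0001", "product": "apache", "fixed_version": "2.4.51"}

# Constructed indicator: a domain reported as a malware callback site
MALICIOUS_DOMAIN = "evil.example.net"


def version_tuple(version):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_assets(advisory, assets=ASSETS):
    """Vulnerability intel -> which inventoried systems run a vulnerable version."""
    fixed = version_tuple(advisory["fixed_version"])
    return sorted(
        ip for ip, asset in assets.items()
        if asset["product"] == advisory["product"]
        and version_tuple(asset["version"]) < fixed
    )


def hosts_contacting(domain, log=PROXY_LOG, assets=ASSETS):
    """Indicator intel -> hosts that contacted the domain, enriched from the asset
    inventory so the result names an owner and a business system, not a bare IP."""
    hits = {}
    for line in log.splitlines():
        timestamp, src_ip, dest_host, _url = line.split()
        if dest_host != domain:
            continue
        asset = assets.get(src_ip, {"owner": "unknown", "system": "unknown"})
        entry = hits.setdefault(src_ip, {
            "owner": asset["owner"], "system": asset["system"],
            "first_seen": timestamp, "count": 0,
        })
        entry["count"] += 1  # repeated contacts raise the priority of the host
    return hits


if __name__ == "__main__":
    print(ADVISORY["id"], "affects:", affected_assets(ADVISORY))
    for ip, info in hosts_contacting(MALICIOUS_DOMAIN).items():
        print(ip, info)
```

In a real deployment the inventory and log would come from the asset database and the traffic or terminal log store the article mentions; the join logic is the same.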

c. Decision support: mastering the real-time security situation not only provides monitoring for emergency command but also makes it possible to predict the effect of a scheme, forecast the security situation, and provide a basis for leadership decisions.

The improvement of the "vase" model focuses not only on integrating new technology but also on absorbing new ideas. The model is designed on the PDR idea, defending in depth across the course of a security incident, and is divided into three parts: strategy and defense beforehand, monitoring and response during the event, and audit and improvement afterwards, forming a closed-loop, spiraling process that improves itself through learning. On this basis, v5.0 absorbs the latest security ideas to enrich and improve the security architecture design, mainly by absorbing and introducing the following two model ideas.

(1) Sliding scale model

The sliding scale model is an evolutionary model of network security construction, applied to the self-improvement of network security builders. From initial infrastructure security, to passive compliance defense, to business-driven active defense with monitoring at its core, then to collecting threat intelligence for security situation analysis and control of the overall situation, and finally to the offensive stage with the ability to counter attacks: each stage builds on the foundation of the previous one, hence "superimposed evolution." The "vase" model fits the first three stages best, especially the passive defense of the second stage, building a defense-in-depth system, but it lacked advanced threat capability. V5.0 has been improved to make up this deficiency, strengthening monitoring and audit to meet the active defense requirements of the third stage, and introducing big data and threat intelligence technology to suit the construction of the fourth stage.

After nearly a decade of promoting hierarchical protection, and the formal implementation of the Network Security Law on 2017.6.1, the security management construction of most users has entered the late second stage, and some industries have reached the late third stage. At this point, the introduction of "vase" model v5.0 gives users the scheme design reference they need.

(2) Adaptive security architecture

Gartner proposed the adaptive security architecture (ASA) in 2014, which treats security protection as a complete "perceive-evaluate-predict" process, understood as four quadrants: "defense," "detection," "traceability" and "prediction." ASA emphasizes that protection is a continuous, cyclical process: defense can raise the threshold but cannot block every attack, and fine-grained, multi-angle, continuous monitoring is the second measure, finding those who got through and reducing losses. In other words, ASA elevates the role of emergency handling in the security system as the main means of dealing with advanced threats.

V5.0 of the "vase" model absorbs ASA's adaptive and large-scale monitoring ideas: on the basis of the security management platform it establishes security situation analysis and display and supports a powerful monitoring and analysis platform. Naturally, the underlying architecture cannot do without the support of big data technology.
