
Development trend of Security Management Software Technology

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In the network era, enterprises depend more and more on digital information, and the value and importance of IT resources to the business change rapidly as the enterprise grows. The information age has transformed social production and daily life, but network security problems are becoming ever more serious. Faced with rampant threats of every kind, relying solely on information security products is not enough to protect corporate networks and business. Security management has therefore become the inevitable way to meet the challenges of information security, in line with the old saying "three parts technology, seven parts management". As security management develops, we rely on continuously accumulated knowledge to solve customers' practical problems, and that experience is what determines the trend of technological development.

First, the goal is there, basically unchanged

The goal of security management software has not changed much over a long period, but this does not mean the system has only one usage scenario. Judged by their responsibilities and perspectives, system users fall into three main categories:

CEOs, CTOs and other senior executives, who analyze the internal security situation and trends from a macro point of view, which supports their decisions on business and assets.

CISOs and other information security supervisors, who need to grasp the security operation and maintenance situation of their department and improve its service level and service quality.

Security management personnel, such as the front-line staff who monitor operation and maintenance: they centrally manage information security resources, detect and track suspicious behavior from inside or outside in a timely way, collect evidence and trace the source afterwards, must be able to deal with new *, and want to reduce manual analysis time and improve their work efficiency.

Second, if you do not take security seriously, trouble will come knocking.

On the one hand, enterprises in the network era are ever more dependent on digital information. The legendary Moore's Law of IT continues, hardware processing power keeps growing, and the degree of informationization keeps deepening, which produces more and more data; network bandwidth keeps increasing, the ability to transmit data is strengthened, and Internet applications develop with each passing day. The value and importance of IT resources to the business will change rapidly as the enterprise grows.

On the other hand, the information age has brought great changes to social production and daily life, but the security problem is becoming more and more serious. Within the enterprise there are more and more network applications and more and more self-built systems; vulnerabilities are constantly discovered, but patches are not released in time. Meanwhile the underground industry chain keeps growing in scale and strength, and its capacity to produce malicious software is further enhanced.

On the security response side, enterprise labor costs are rising and not enough time can be set aside for manual analysis; at the same time, ordinary enterprises also lack a professional security team that can follow and study every aspect of security knowledge over the long term. As a result, security-related systems and devices each go their own way, or even run in an unknown state. "Protecting" business development in this condition is like holding a spear against an armored ship: it is only a matter of time before the enterprise is compromised by * or malware.

Third, the development direction revolves around the actual demand

Security management software has gradually developed from collecting and displaying information toward high extensibility, macro-level decision support, micro-level operational suggestions, and the combination of sustainable development with expert services.

3.1 Combining the macro and micro views of security

Network security work should follow the overall strategy of the organization's information construction and perfect the system security architecture iteratively. There is no absolute security, so unlimited investment in security is impossible. Strategic priorities, reasonable protection and risk balance are very important. In security risk analysis, a closer combination of macro and micro views, and of quantitative and qualitative risk analysis, is the future development trend.

One core of security management is risk analysis, and security risk analysis must give practical guidance to security work. The core of risk analysis is the ability to identify the hidden dangers the enterprise faces and to detect security events in time: on the macro side, to give the overall security risk status and suggestions for reducing risk; on the micro side, to identify the risk changes caused by security incidents and give reference methods for handling them. Risk results can then provide reference and suggestions for actual management work, so that decision support extends from macro security trend analysis down to micro security incident handling. Risk analysis thus escapes the awkward position of analysis for its own sake, and the combination of macro and micro views finally shows what role and effect the deployed network devices actually have.

3.2 Hierarchical storage of massive data

For massive data processing, distinguishing logs from security events and handling them hierarchically is the general trend. In the course of security incident analysis we find that most of the logs generated by many systems are not security events; if we store and analyze all of this information indiscriminately, it greatly reduces the return on investment of our security management construction. The effective approach to massive data is to combine traditional log analysis with security event analysis: hierarchical storage, hierarchical analysis and convenient backtracking, together with a combination of automatic real-time analysis and manual analysis after the event.

For basic logs, complete or partial storage is carried out according to audit needs, and the relevant data can be backed up to low-cost cloud storage using non-database storage and compression.

For the small number of security events, on the one hand we use a variety of analysis engines to analyze them, and on the other hand we use traditional databases, NoSQL and other storage means to improve the speed of query and analysis.

3.3 Analysis engine layering

The analysis engine is often the bottleneck that decides whether a security platform finds problems in real time and efficiently, and it determines the platform's performance-to-price ratio. In actual analysis we find that many * can be found easily from log features alone, such as an abnormal surge in log volume, abnormal growth in log volume, or no log data at all (or an abnormal drop in log volume), none of which needs correlation analysis. Just as with hierarchical storage of massive data, hierarchical analysis of security events is the development trend for analysis engines.

Real-time event analysis is mainly divided into basic-layer analysis and research-layer analysis.

Basic-layer analysis: this layer completes the transformation from logs to events, including key log identification, separation of key events from ordinary background events (event identification and classification must be complete), and data merging and filtering through common technical means. It performs preliminary abnormal event discovery by applying the basic analysis engines, including feature matching analysis and statistical threshold analysis, and passes the resulting security events to the higher layer for further analysis.

Research-layer analysis: this layer completes the transformation from events into early warnings, work orders and risk handling. Its multi-engine analysis architecture includes trend-based development analysis, state machine analysis, data mining analysis, multi-attribute correlation analysis, and correlation analysis across multiple types of events.
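As an added illustration of the basic layer described above (not code from the article or any product it describes), the following script turns constructed raw log lines into classified events, applies a feature-matching rule and a statistical threshold, and reports the "no log data" case; the rule names, the sample log format and the threshold value are all assumptions.

```python
import re
from collections import Counter

# Constructed sample logs in an assumed "timestamp host message" format.
SAMPLE_LOGS = """\
2025-01-14T10:00:01 fw01 ACCEPT src=10.0.0.5 dst=10.0.0.9
2025-01-14T10:00:03 web01 GET /index.html 200
2025-01-14T10:00:12 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=22
2025-01-14T10:01:00 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=22
2025-01-14T10:01:01 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=23
2025-01-14T10:01:02 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=80
2025-01-14T10:01:03 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=443
2025-01-14T10:01:04 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=3389
2025-01-14T10:01:30 fw01 ACCEPT src=10.0.0.5 dst=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+T\d\d:\d\d):\d\d (\S+) (.*)$")  # minute bucket, host, msg
FEATURE_RULES = [("firewall_deny", re.compile(r"\bDENY\b"))]  # key log identification
DENY_PER_MINUTE_LIMIT = 4  # statistical threshold; an assumed tuning value

def parse(line):
    """Raw line -> record, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    return dict(zip(("minute", "host", "msg"), m.groups())) if m else None

def classify(record):
    """Feature matching: event class for key logs, None for background logs."""
    for name, pattern in FEATURE_RULES:
        if pattern.search(record["msg"]):
            return name
    return None

def analyze(log_text, expected_sources):
    """Basic-layer pass: log -> event, threshold check, and silent-source check."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    events, per_minute, seen = [], Counter(), set()
    for r in records:
        seen.add((r["host"], r["minute"]))
        cls = classify(r)
        if cls:
            events.append({"class": cls, "host": r["host"], "minute": r["minute"]})
            per_minute[(r["host"], r["minute"])] += 1
    # Abnormal surge: too many matched events from one host within one minute
    for (host, minute), n in per_minute.items():
        if n >= DENY_PER_MINUTE_LIMIT:
            events.append({"class": "deny_burst", "host": host, "minute": minute, "count": n})
    # No log data: an expected source that produced nothing in a minute others did
    for src in expected_sources:
        for minute in sorted({r["minute"] for r in records}):
            if (src, minute) not in seen:
                events.append({"class": "log_source_silent", "host": src, "minute": minute})
    return events
```

Every event carries the host and minute bucket so the research layer can correlate them; background lines such as the web request produce no event at all.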

The actual effect of security management usually depends on how well the management analysis rules are put into practice: universal prebuilt correlation scenarios, personalized rule settings and continuous upgrades are the direct sources that keep a security management platform alive. Combining this with cloud and security services is the better choice for most enterprises.

3.4 Visualization goal determines shape

Visualization in security management has two most important scenarios: presenting the global security situation with real-time monitoring, and post-event analysis.

In presenting the global security situation and real-time monitoring, the major trend is to reduce complexity and link the macro view to the micro view. Complex configuration and dazzling display effects bring no substantial results to ordinary business managers. Clear, concise prebuilt templates let managers and operators focus on the problems to be solved, and layer-by-layer interactive drill-down connects macro states and trends with micro events and vulnerabilities, integrating qualitative monitoring with quantitative analysis.

In post-event analysis of security events, correlation methods such as cluster analysis, graphical analysis and automatic attribute association are the development trend. Through a variety of visualizations they give administrators powerful assistance in locating the problem accurately, judging its impact and formulating countermeasures. Accurate positioning is the premise for dealing with a problem after analysis: when an attempt or behavior occurs, quickly and accurately locating its target is the necessary step from finding the problem to solving it. Effective visualization for accurate positioning helps managers locate the problem area and the affected area in time.

3.5 Centralization of security products and implementation of security management

In the past few years, security management and network management have gradually merged. In the future, asset and business security management (terminals, hosts, devices, applications) and security incident analysis and handling will be integrated more closely to establish a comprehensive security management architecture for the enterprise.

The things that security management must actually manage include:

Terminal security, an indispensable part, including terminal policies and malware detection.

Monitoring and auditing the operation of hosts and equipment, so that every administrator's work is authorized and reviewed and no power vacuum arises in IT.

Configuration checking, backup and recovery of hosts, network equipment and security equipment; regular automated work finds problems as early as possible and allows timely recovery.

Operating system and application vulnerability (patch) management and operation monitoring; continuous tracking of vulnerabilities and patches makes it possible to prepare in advance.

Security management is not a blind race to be faster than the other side; it is the combination of supervision, prevention in advance, early warning, and positioning afterwards that lets security management play its greatest role. Only by doing this "management" work well can we move from passive response to active management. Standardizing terminal security, strengthening host supervision, regular configuration checks, backup and recovery, regular vulnerability inspection of the mainstream systems in use, and automatic retrieval of system patches are all completed automatically within security management and combined with the system operation and maintenance system, so that IT management departments can focus on policy formulation and maintenance and avoid the waste of resources and decline in service quality caused by passive response.

3.6 Combining security management products with remote services

At present there is no once-and-for-all security management product; fully intelligent products are still a long way off. Combining security services with security management products is therefore one of the ways to maximize the effectiveness of security management software.

In most cases the occurrence of * * can be found through analysis on the security management platform, but this requires timely upgrading of analysis rules, 7 × 24-hour monitoring, professional analysis and accumulation of experience with different events, and continuous improvement of the event handling knowledge base. Security management software combined with a remote online real-time service run by a professional security management service center can reduce costs, provide timely consultation and service, and control risk to some extent. For the many enterprises that lack professionals, combining security management products with security services is worth trying.

Security management is still on the way

In security information management, hoping to solve every security problem with one final system is unlikely to be achievable for a long time to come. As times and technology keep changing, the value of information becomes an ever greater temptation, so our weapons must keep pace with the times, and so must the security capability of security managers.
