
How to deal with the overall Security problem (1)

2025-01-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Understanding *, defense and superimposed innovation through the sliding scale model

At present, the sliding scale model, a model that capable security vendors commonly recognize among themselves, divides the whole security capability system into five stages: architectural security, passive defense, active defense, threat intelligence and attack.

From the perspective of architectural security, it is a process of self-strengthening: security is considered fully while a system is being planned and built. This also corresponds to the General Secretary's three-synchronization principle that "network security and information construction should be synchronized".

From the point of view of passive defense, people often think that passive defense is not good, but in fact it is a very basic security measure. For example, the port rules or IP-segment rules added to a firewall narrow an intruder's room to move, and basic logging ensures that anyone who uses a system leaves traces. Although these measures are not enough on their own to expose highly capable adversaries, they are the basis for effectively countering them and for implementing follow-up security policies.

On this basis sit the upper-level means of active defense: monitoring threats, responding to confrontation, and continuously improving one's understanding of threats. Above this level there is the accumulation of threat intelligence, including low-level intelligence (for example, IOC beacons and hashes) and high-level threat intelligence.

From the perspective of the national security strategy system, attack must also be included. At the April 19 forum, the General Secretary said that "the essence of network security lies in confrontation, and the essence of confrontation lies in the contest of capabilities between the two ends." Attack is a kind of deterrent capability. However, from the perspective of the practice of an industry, a system or a security product system, the security system is generally concerned with architectural security, passive defense, active defense and threat intelligence.

The value and cost of situational awareness

We believe that effective protection and situational awareness sit at different levels, while at the same time having interrelated parts. Generally speaking, effective protection runs through the means of passive defense and active defense: it deals with defects at the architectural security level, and makes up for the deficiencies of passive defense through active means. Situational awareness is a kind of superstructure and a high-value means. To a certain extent, then, effective protection constitutes the basis on which situational awareness rests.

Figure 1: value and cost of situational awareness

Reconstruct the relevant capability links according to the requirements of situational awareness

The biggest difference between situational awareness and SIEM or SOC is that the basic links and probes of situational awareness should be reconstructed according to the requirements of situational awareness, rather than simply reusing whatever already exists: the existing endpoint protection product is antivirus software, so the file detection log is collected; the existing network link is an IDS, so the packet detection log is collected. From my point of view, whether on the traffic side, the endpoint side or the analysis side, it is necessary to establish a set of full-element collection capabilities, covering endpoints, traffic and analysis, that meet the requirements of situational awareness.
