Shulou (Shulou.com) 06/01 Report. From: SLTechnology News & Howtos, Network Security. Updated 2025-01-17.
Analysis of the current state of domestic SOC and how to improve it
Preface
The military term "information warfare" was put forward by the United States in the early 1980s; today, information security incidents occur constantly. Computer network technology has spread from its initial applications in national defense and scientific research into everyday life and has become a basic part of the social structure. The growing intensity of information warfare has raised information security to the level of national security, its scope has extended from the military and national defense to commerce, organizations and individuals, and the importance of information security has steadily increased.
By 2014, more than 40 countries had promulgated national cyberspace security strategies, and the United States alone had issued more than 40 cybersecurity-related documents. On February 27, 2014, China's Central Leading Group on Cyber Security and Informatization was established. The leading group focuses on national security and long-term development, coordinates major issues of network security and informatization in the economic, political, cultural, social and military fields, studies and formulates strategies, macro plans and major policies for their development, promotes national cyber security and the rule of law in the information domain, and works to continuously strengthen the ability to guarantee security.
Defending information security is much harder than attacking. The main reason is that real attacks are hidden inside large volumes of normal traffic; combined with the difficulty of extracting behavioral features, the diversity of attack channels and the uncertainty of the attack surface, this leads directly to a high rate of missed detections. The Analects (Wei Ling Gong chapter) says: "A craftsman who wants to do good work must first sharpen his tools." In terms of individual technical skill, China is not inferior to the United States or Russia. However, without global security monitoring and correlated alarms, a limited number of security experts still miss most of the risks. What is urgently needed for this situation is a SOC system that can model threats and intelligently judge whether a risk is genuine.
I. Why use a SOC
As information industrialization intensifies, every industry depends more and more on information, and information becomes ever more important. When information becomes an asset, ensuring the security of the information system becomes the most important task in building it.
The construction of an enterprise's internal network is not completed all at once. It usually focuses on application systems and basic equipment, while the information security system receives too little attention and investment, so it is never designed systematically. The result is a security system pieced together from products of different vendors and different periods. Each product resists threats from only some directions, and each subsystem "fights on its own", forming isolated defensive islands that cannot cooperate or keep security policies consistent. At the same time, the servers, application systems, network equipment and security devices on the intranet generate large volumes of security logs, operations logs and alarm events. Faced with this mass of scattered security information, and with the different interfaces and alarm consoles of each product, even professional security managers are often at a loss and find it hard to identify the real security risks.
For this situation there is an urgent need to establish a security operations center (SOC). Its purpose is not simply to add another layer of protection, but to centralize the logs of the whole network and its security devices for monitoring, analysis and storage. To control the security of the whole network, one must first accurately understand its security operating status. The real value of a SOC to an enterprise is therefore not just protection, but the ability to perceive security threats across the whole organization in a systematic way.
II. The incompleteness of SOC products
A complete SOC product must be able to collect and normalize logs from devices of different vendors and provide monitoring, alarming, rules, filters, asset management, reporting and other functions. If those functions cannot be used flexibly for threat modeling and correlation rules, the SOC achieves only the function of a SIEM (Security Information and Event Management): all logs are collected, stored securely, analyzed, alerted on, audited and reported for compliance. That only solves log storage and audit; it does not reduce the workload of security analysts, nor does it fundamentally address the large numbers of false positives and missed detections. This is the main reason many enterprises fail to get the expected results after buying a SOC product.
Building a SOC threat model must be combined with the enterprise's internal asset environment, with security event management as the key process, behavior analysis as the framework, and security-domain division as the design idea. Log correlation and merging are done through rules, and because each enterprise's actual situation and main threats differ, those rules must be worked out with the user according to the real environment. These are not problems a simple product can solve.
In essence, a SOC is not a simple product but a complex system that includes products, services, and operations and maintenance. A SOC is an organic combination of technology, process and people; the SOC product is the technical support platform of the SOC system, and that is where its value lies. We should neither exaggerate the role of SOC products nor underestimate their significance.
III. Methods of SOC event collection and analysis
The first task of a SOC is to collect, merge and classify logs. The flood of false positives and alarms from network equipment and security devices is mostly due to repeated security events. For example, an administrator receives 1000 log alarms, but correlation analysis shows they were all caused by one attacker using a cross-site (XSS) attack tool and a DoS tool. After merging there are 2 events with a combined count of 1000, in the categories XSS attack and DoS.
Taking the following common attacks as an example (DDoS, network attacks, Web attacks, brute-force cracking, and botnet/Trojan/worm activity), we can build rules for these five event types and name the associated events according to the attack outcome and hazard level, for example information disclosure, system unavailability or proxy attacks. Different scenarios require alarm sampling and analysis from different security devices, and the compatibility of the rules is refined during testing. As far as alarms are concerned, this method produces a single event alarm where many separate alarms were raised before the SOC existed, which greatly reduces alarm volume.
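The merge-and-classify step described above, as an added example (not code from the original article or from any SOC product it mentions). The raw log format, the category rules, the event-naming table and the 1000 sample alarms are all constructed for illustration; a real SOC would build its normalization and naming rules per customer environment.

```python
"""Log merging and rule-based correlation over constructed sample alarms.

Added example: not code from the original article. The log format, rule
table and sample traffic below are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed raw-log format shared by the sample devices: "<device> src=<ip> sig=<text>"
LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+sig=(?P<sig>.+)$"
)

# Normalization rules: vendor-specific signature text -> category (assumed).
CATEGORY_RULES = [
    (re.compile(r"xss|cross[- ]site", re.I), "web_attack"),
    (re.compile(r"syn[- ]flood|udp[- ]flood|\bdos\b", re.I), "dos"),
    (re.compile(r"brute|login fail", re.I), "brute_force"),
    (re.compile(r"portscan|nmap", re.I), "network_scan"),
    (re.compile(r"\bc2\b|beacon|trojan", re.I), "malware"),
]

# Associated-event name and hazard level per category (assumed values,
# following the article's examples of outcome-based naming).
EVENT_NAMING = {
    "web_attack": ("information disclosure", "high"),
    "dos": ("system unavailability", "high"),
    "brute_force": ("credential compromise attempt", "medium"),
    "network_scan": ("reconnaissance", "low"),
    "malware": ("host compromise", "critical"),
}


@dataclass(frozen=True)
class Merged:
    src: str
    category: str
    count: int
    devices: tuple
    name: str
    hazard: str


def parse(line):
    """Return (device, src, sig) or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("device"), m.group("src"), m.group("sig")


def categorize(sig):
    """First matching rule wins; anything unknown is kept, not dropped."""
    for rx, cat in CATEGORY_RULES:
        if rx.search(sig):
            return cat
    return "uncategorized"


def merge(lines):
    """Collapse raw alarms into one event per (source, category) with a count.

    Returns (merged_events sorted by count descending, number of unparsable lines).
    """
    counts = Counter()
    devices = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        device, src, sig = rec
        key = (src, categorize(sig))
        counts[key] += 1
        devices[key].add(device)
    merged = []
    for (src, cat), n in counts.most_common():
        name, hazard = EVENT_NAMING.get(cat, ("unknown activity", "info"))
        merged.append(Merged(src, cat, n, tuple(sorted(devices[(src, cat)])), name, hazard))
    return merged, unparsed


def build_sample():
    """Constructed input: 1000 alarms from one attacker, as in the article's scenario."""
    lines = []
    for i in range(800):
        dev = "waf01" if i % 2 else "ids02"
        lines.append(f"{dev} src=203.0.113.7 sig=XSS attempt in param q")
    for _ in range(200):
        lines.append("fw01 src=203.0.113.7 sig=SYN flood detected")
    return lines


if __name__ == "__main__":
    events, bad = merge(build_sample())
    for e in events:
        print(f"{e.src} {e.category:12} x{e.count:<5} {e.hazard:8} {e.name} via {','.join(e.devices)}")
    print(f"{len(events)} merged events, {bad} unparsable lines")
```

Running the block on the constructed input collapses 1000 alarms from two devices into 2 named events; the `devices` field preserves which sensors contributed, which is what an analyst needs to pivot back to the raw logs.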
Case analysis
In June 2014, a US cyber security company released a report alleging that Chinese soldiers had carried out network attacks against Western countries to help develop China's satellite and space programs.
NASA's Earth Observing System (EOS) security team used managed security services to successfully block an APT attack. The attackers had broken into RSA and stolen SecurID technology (token seed data) and customer data; as a result, many companies using SecurID as an authentication credential, including US defense contractors such as Lockheed Martin and Northrop Grumman, were attacked and had important information stolen. RSA had no choice but to report to the federal government, which immediately issued an early warning. On receiving it, NASA sent its EOS security team, the one with the most big-data experience, to monitor; the team used Splunk for analysis and successfully blocked the attack. The US performance supervision and management authorities therefore recognized NASA's cyber defense success as a federal best practice in Information Security Continuous Monitoring (ISCM), provided funding and research grants, and published the results.
NASA in fact admitted that its previous risk management strategy was to "wait" for incidents to occur, respond efficiently once they were found, and repeat. In practice this meant NASA's risk response was very slow, almost always coming after the attack had already happened and data or systems had been completely destroyed; against APT attacks using 0-day vulnerabilities, such a wait-and-respond strategy did not work at all. After FISMA 2.0 was put forward in the United States in 2010, the principle of SP 800-37 became to "transform the static security control assessment and risk determination process into a dynamic process", shifting from decentralized, after-the-fact clerical evaluation to more effective continuous (operational) monitoring. NASA's security management thus "changed direction": under the philosophy that "only what is measured can be improved", it uses continuous monitoring to measure risk and improve security.
NASA attributes its success to three key points.
1. Continuous Monitoring
Continuous monitoring means continuous compliance checking of running systems, plus rule-based correlation analysis and early warning, so that security analysts have sufficient information to work with.
2. Risk Score Cards
NASA uses risk scorecards to evaluate the security performance of each center and presents the causes of risk in a searchable form. To improve their scores, NASA centers actively complete remediation within the allotted time.
3. Attack Tree
NASA divides the attack process into reconnaissance, targeting, gaining access to the network, installing tools or programs, and doing damage. Using this model, NASA searched for suspicious behavior in Splunk and effectively thwarted the attack.
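The attack-tree idea above (and the scorecard idea before it) in working form, as an added example that is not NASA's or Splunk's code. The five phase names follow the article; the mapping from event types to phases, the sample events, the risk weights and the escalation policy are assumptions made for illustration.

```python
"""Attack-tree phase tracking per host, over constructed sample events.

Added example, not NASA's or Splunk's code. The five phase names follow the
article; the event-to-phase mapping, the sample events, the risk weights and
the escalation policy are assumptions made for illustration.
"""
from collections import defaultdict

PHASES = ["reconnaissance", "targeting", "network_access", "tool_installation", "damage"]

# Assumed mapping from normalized event types to attack-tree phases.
PHASE_OF = {
    "portscan": "reconnaissance",
    "dns_enum": "reconnaissance",
    "phishing_click": "targeting",
    "exploit_attempt": "targeting",
    "new_admin_login": "network_access",
    "vpn_login_foreign": "network_access",
    "unsigned_service": "tool_installation",
    "scheduled_task_new": "tool_installation",
    "mass_file_encrypt": "damage",
    "data_exfil": "damage",
}

# Assumed risk weights: later phases in the tree count for more.
PHASE_WEIGHT = dict(zip(PHASES, (1, 2, 4, 8, 16)))
# Assumed policy: escalate once a host has reached network access in order,
# or whenever a damage-phase event is seen at all.
ESCALATE_DEPTH = 3


def phase_of(event_type):
    """Map an event type to its phase, or None for events the tree does not cover."""
    return PHASE_OF.get(event_type)


def assess(events):
    """events: iterable of (timestamp, host, event_type); any order.

    For each host, returns the phases observed, the depth (how many leading
    phases of the tree were seen in chronological order), a weighted score,
    and whether the host should be escalated to an analyst.
    """
    by_host = defaultdict(list)
    for ts, host, etype in events:
        ph = phase_of(etype)
        if ph is not None:
            by_host[host].append((ts, ph))
    result = {}
    for host, obs in by_host.items():
        first_seen = {}
        for ts, ph in sorted(obs):
            first_seen.setdefault(ph, ts)
        # Walk the tree from the root; stop at the first phase that is missing
        # or that was first seen before the previous phase (out of order).
        depth, last_ts = 0, float("-inf")
        for ph in PHASES:
            if ph in first_seen and first_seen[ph] >= last_ts:
                depth += 1
                last_ts = first_seen[ph]
            else:
                break
        seen = [p for p in PHASES if p in first_seen]
        score = sum(PHASE_WEIGHT[p] for p in seen)
        result[host] = {
            "phases": seen,
            "depth": depth,
            "score": score,
            "escalate": depth >= ESCALATE_DEPTH or "damage" in first_seen,
        }
    return result


def sample_events():
    """Constructed events (timestamp, host, type); not real telemetry."""
    return [
        (1, "hostA", "portscan"),
        (2, "hostA", "exploit_attempt"),
        (3, "hostA", "new_admin_login"),
        (4, "hostA", "unsigned_service"),
        (2, "hostB", "portscan"),
        (1, "hostC", "unsigned_service"),   # installation seen before any recon
        (5, "hostC", "portscan"),
        (3, "hostD", "unknown_type"),       # not in the tree: ignored
    ]


if __name__ == "__main__":
    for host, r in sorted(assess(sample_events()).items()):
        print(host, r)
```

The `depth` value is the scorecard-style measure: hostA has walked four phases of the tree in order and is escalated, hostB has only been scanned, and hostC shows a high-weight phase without the earlier steps, which the ordered walk deliberately does not count as progression (an analyst would still see it in `phases` and `score`).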
IV. How to remedy the shortcomings of SOC products through a security event analysis model
The technology and application of SOC in Europe and the United States are already very mature. A SOC is not a simple product but a complex piece of systems engineering that includes products, operations and maintenance, and services. In product terms, SIEM represents the SOC product, and the MSSP (managed security service provider) is responsible for operating the SOC. This requires the MSSP to have rich SOC operating experience, standard operation and management processes, a complete SOC operations team, senior security experts and security analysts, the ability to build SOC security models for different customer environments, and mature risk alarm and response mechanisms. The industry defines a SOC as a centralized security management system that takes assets as the core and security event management as the key process, uses security-domain division, and establishes a real-time asset risk model to assist administrators with event analysis, risk analysis, early warning management and emergency response. Building a security operations center requires three elements: technology, process and people. The managed security service widely used abroad is built on the security operations center, and its fundamental principle is the use of a security event traceability and evidence chain analysis model together with standardized processes.
A SOC based on a security event analysis model can solve the following problems:
1. Reduce costs: staffing, skill requirements and site requirements.
2. Round-the-clock monitoring: 7 × 24 monitoring service.
3. Risk monitoring: effectively monitor security risks and provide solutions as early as possible.
4. Identify and solve problems: identify and resolve potential security problems in a timely manner.
5. Trend analysis: professional security trend analysis with monthly, quarterly and annual security analysis reports.
6. Log storage and query: reliable log storage and backup with fast query and location.
Through the security analysis model and standard processes, the shortcomings of SOC products described above can be overcome. Based on the user's actual situation, the service establishes log merging, correlation, analysis, response and resolution on top of the security logs. The user only needs to handle the final response step, which simply resolves the problems listed above.
First, in terms of technology, the security operations center system needs monitoring, analysis, audit, alarm, response and reporting functions, and must use them together to implement the security event traceability and evidence chain analysis model. At the same time, a dedicated security operations center site must be built, with all the hardware conditions needed for secure operation.
Second, in terms of process, the traditional approach after a security product discovers an incident relies on the personal experience of individual security experts, whereas a security operations center works from standard processes based on ISO 20000 or ITIL.
Finally, in terms of personnel, if the customer has high business continuity requirements, the customer also needs a 7 × 24 team to handle security problems. In addition, different tiers of security skill are needed in the team to support escalated response to security incidents, incident research and analysis, and the drafting and exercising of contingency plans. These are the key points that must be considered when building a security operations center.
V. Reasons restricting the development of China's SOC and future demand
The introduction and development of SOC in China differs greatly from abroad. On one hand, when SOC was first proposed domestically, most users had only a vague understanding of it. On the other hand, because of domestic institutional, policy, application-environment and traditional attitudes, outsourcing of security operations was ruled out. As a result, domestic SOC appeared from the very beginning as a product sold to users in various industries, and precisely for that reason the core operations and services of a SOC were ignored.
Sun Tzu's Art of War says, "Know yourself and know the enemy, and you will not be defeated in a hundred battles." In the game of containment and counter-containment, suppression and counter-suppression between China and the United States in cyber security, a comprehensive understanding of US strategy, capability, industry and technology is very important. Regrettably, China's attention has long been focused on key basic technologies and on vendors such as Microsoft, Intel, Google and Apple, while overlooking the cluster of information security enterprises, a powerful and independent force in the US industrial system. They are also a cornerstone of America's global strategic capability, and as the Snowden disclosures showed the public, their subtle interaction with the vast US state apparatus has strengthened the latter's intelligence reach across the world.
At the same time, for new technologies such as cloud computing and big data, more attention must be paid to security when the corresponding technical standards are issued. Domestic telecommunications companies in fact began to confront the information security problem earlier, and there have been many successful cases of replacing equipment from American companies with equipment from domestic manufacturers. In this context, there is an urgent need to develop local MSSPs (managed security service providers) to establish a domestic SOC system that can grasp the overall state of information security and its threats.
To sum up, only by combining tangible products with intangible security management services can core secrets be kept from being spied on by programs like PRISM.