Data-driven security architecture upgrade-"vase" model ushered in v5.0 (2)

2025-02-24 Update. From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report

Jackzhai

III. The "vase" model v5.0

V5.0 of the "vase" model designs the security framework from the point of view of handling security events. Before an event, strategies are formulated and protective measures deployed to raise the entry threshold and block conventional attacks. During an event, the protection system is monitored and dynamic detection is performed: by analyzing abnormal business status, abnormal traffic and abnormal network behavior, together with the detection of all kinds of malicious code, the security situation and the behavior of the actors are correlated from many angles, so that the intruder is found and the destructive behavior blocked in time. After the event, source tracing, forensics and compliance analysis serve on the one hand to deter violators and on the other to improve the protection strategy and adjust protective measures, entering the next round of the attack-defense cycle.

Comprehensive monitoring and multi-angle audit analysis depend on large volumes of log and traffic data: the richer the data collected (covering the whole network, over a long period), the more accurate the big-data analysis built on it. To cope with the collection, storage and retrieval of such massive data, a "data lake" must be established in the security management center as the data management warehouse.

The "vase" model provides a "three lines and one center" protection framework of "protection, monitoring, audit, platform", covering the whole process of the confrontation. The following describes the security technical measures that can be selected for each of the "three lines and one center":

1. Protection system:

The main purpose of the protection system is to raise the entry threshold and establish a user access control mechanism. Most traditional access control policies are managed locally on each device. With the introduction of the Classified Protection standard 2.0, centralized management and unified distribution of security policies have become a trend, which drives the creation of a unified security policy description language for border security measures, host operating systems, security devices, security middleware and so on.

Network virtualization has blurred network boundaries; some enterprise networks no longer even have a clear boundary with the Internet, so the original five boundaries of the "vase" model have changed as well. Following the layering and abstraction of the network, the boundary is divided into a physical boundary and a virtual boundary:

A) Physical boundary: there is a clear physical connection, and the network is divided into three parts: endpoint, network and service.

(1) Network: the physical network, the same as the traditional network. Its boundary is divided into:

Security domain boundary: the domain boundary is the main body of security zone isolation and uses the traditional isolation measures:

NGFW, IPS, AV

WAF

Isolation gateway (network "gate"): two-way or one-way

Data exchange zone: data sharing and exchange platform

AP/AC: access gateway of the wireless WiFi network

4G/5G and other mobile network access gateways

Business proxy boundary: the application-layer proxy gateway:

VPN: link and protocol channel based on encryption technology

CASB: cloud access security broker, the proxy for access to cloud services

Operations bastion host: isolates operations staff from direct contact with the servers

(2) Server: service-oriented control:

Server security hardening

Unified security policy management (with the SOC)

(3) Endpoint:

Endpoint security management (network access control, unauthorized external connections, removable media management, software installation management, patch management ...)

Unified security policy management (with the SOC)

Information encryption middleware: end-to-end encryption control

B) Virtual boundary: network virtualization, which likewise includes virtual endpoint, network and service.

(1) Network: the boundary of the service flow; a virtual boundary between information systems is established by steering and controlling the traffic of each information system.

(2) Virtual machine: the service-supporting part of the information system. A virtual machine can be migrated dynamically, but its externally accessible URL is fixed.

(3) Virtual desktop: there are many ways to access information system services, which fall roughly into two categories:

Remote virtual desktop: thin-client mode, with processing done remotely

Local container secure operating environment: an application security environment running on a fat client:

Secure browser

Endpoint virtual machine

Application container

Mobile phone app

(4) Traffic steering technology: a virtual network boundary cannot be established without traffic steering and control, which is generally realized by communication protocols and must be supported on both virtual and physical switches. The methods commonly used on virtualization platforms are:

SDN

VPC

VXLAN

NVGRE

2. Monitoring system:

The monitoring system deals with those who have got inside the network: they have passed the checks of the boundary security measures, masquerade as "legitimate users" and can reach the business information systems. The monitoring measures detect the "abnormal" behavior and "sabotage" activities of these people and block them in time. The monitoring system is therefore the basic support for security operations, emergency response and incident tracking.

The monitoring system has two basic parts: data collection and correlation analysis. The more complete and specific the information collected, the more effective the analysis; obviously, sufficient collection implies the capacity to process massive data.

A) Information collection: the information needed for network security monitoring falls into three categories:

(1) Security events: generated when malicious code, network attack behavior or abnormal access behavior is discovered. They come from several sources, mainly the detection or blocking records of security measures:

Virus and worm detection systems, such as gateway AV, host antivirus, etc.

Intrusion detection systems, such as network IDS, host IDS, etc.

Attack-blocking logs from gateways, such as DDoS, CC (HTTP flood) attacks, SQL injection, etc.

Advanced threat detection systems, such as malicious files found by a sandbox, etc.

Security middleware of the information system, outputting security events such as password cracking attempts, abnormal resource usage, abnormal access to sensitive information, etc.

(2) Status information: the goal of network security is to protect core network assets, so state changes of these assets must be grasped at all times, including:

Service status: the status of a business information system, such as user status, service capacity, traffic, storage space, etc.

Device status: the status of the devices providing the service, which may be physical devices or virtual machines with various functions

Link status: that is, the network connectivity status

Endpoint status: the endpoint is where the user sits, and it is often where an attacker hides as well.

(3) Vulnerability information: the organization's own vulnerability information. Vulnerabilities have many facets, including known vulnerabilities discovered internally and new vulnerability information correlated from external threat intelligence.

B) Correlation analysis: the purpose of collecting data is to find and locate intruders. To cope with advanced threats and massive data, many advanced, multi-dimensional correlation analysis techniques have emerged on top of traditional security detection:

(1) Network abnormal behavior detection: the original access information extracted from traffic, such as IP, URL, DNS, etc., is aggregated by big-data correlation to form a visitor's behavior trajectory.

(2) Traffic anomaly detection: extract the original access information from the traffic, aggregate it by business system to form a business access distribution map, analyze abnormal fluctuations of each business, and find DDoS, CC attacks, worms and so on.

(3) Advanced threat detection: the core goal of the monitoring system is to find advanced attackers. At present the main methods work in two dimensions:

File sandbox: executable files on the network are classified by blacklist and whitelist: files confirmed malicious go on the blacklist, files confirmed good go on the whitelist. Known files are recognized by file fingerprint (such as an MD5 value); unknown files are sent to the file sandbox detection system, which builds the file's running environment in a virtual machine, releases and runs the unknown file, judges its behavior against the configured malicious model, and puts it into the blacklist or whitelist library, after which the fingerprint alone is enough for detection. Two practical caveats: MD5 is collision-prone, so a stronger hash such as SHA-256 should be the fingerprint used for whitelisting; and malware that detects the virtual machine will not reveal its behavior, so a sandbox verdict of "clean" is weaker evidence than a verdict of "malicious".

Behavior pattern matching: first build a model of the attacker's typical behavior, then find the attacker's malicious behavior by big-data pattern matching over the network behavior records.
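The fingerprint-then-sandbox workflow and the behavior-model matching described above, as an added example that is not code from the original article or from any product. The sandbox here is a stand-in that interprets a constructed toy script format (one action per line) instead of running a real binary in a VM; the behavior tags, weights, threshold and internal address ranges are all assumptions for illustration.

```python
"""Added example: file triage by fingerprint, with unknown files sent to a
simulated sandbox whose verdict comes from a configured malicious-behaviour model.
Illustrative code, not the vase model's or any vendor's implementation."""
import hashlib
import re

# The "executable" format is a constructed toy script, one action per line, e.g.
#   CONNECT 203.0.113.9:443   REGSET HKCU\...\CurrentVersion\Run\upd
#   WRITE C:\Users\a\x.docx.locked   INJECT lsass.exe   DNS example.com
INTERNAL_NETS = ("10.", "192.168.")        # assumed corporate address space

# Hypothetical malicious model: behaviour tag -> weight; the verdict is malicious
# when the summed weight reaches the threshold. Unlisted behaviours are neutral.
MALICIOUS_MODEL = {
    "persist:run_key": 3,
    "net:connect_external": 2,
    "proc:inject": 4,
    "fs:ransom_rename": 5,
}
MALICIOUS_THRESHOLD = 5

BLACKLIST = {}      # fingerprint -> behaviours observed at detonation
WHITELIST = set()   # fingerprints judged clean


def fingerprint(data):
    # SHA-256 rather than the MD5 mentioned in the text: MD5 collisions would let
    # an attacker give a malicious file the fingerprint of a whitelisted one.
    return hashlib.sha256(data).hexdigest()


def sandbox_run(data):
    """Simulated detonation: interpret the toy script and report behaviour tags in
    the order observed. A real sandbox runs the file in a VM and hooks the OS;
    this stand-in only parses the constructed script format."""
    tags = []
    for line in data.decode("utf-8", errors="replace").splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        op, arg = parts[0].upper(), parts[1]
        if op == "REGSET" and re.search(r"\\CurrentVersion\\Run(Once)?\b", arg, re.I):
            tags.append("persist:run_key")
        elif op == "CONNECT" and not arg.startswith(INTERNAL_NETS):
            tags.append("net:connect_external")
        elif op == "INJECT":
            tags.append("proc:inject")
        elif op == "WRITE" and arg.lower().endswith(".locked"):
            tags.append("fs:ransom_rename")
    return tags


def score(tags):
    """Behaviour pattern matching in miniature: weight the observed tags."""
    return sum(MALICIOUS_MODEL.get(t, 0) for t in tags)


def triage(data):
    """Return (verdict, source). The source records whether the verdict came from
    a list lookup or from detonation, which matters when auditing the decision."""
    fp = fingerprint(data)
    if fp in BLACKLIST:
        return "malicious", "blacklist"
    if fp in WHITELIST:
        return "benign", "whitelist"
    tags = sandbox_run(data)
    if score(tags) >= MALICIOUS_THRESHOLD:
        BLACKLIST[fp] = tags
        return "malicious", "sandbox"
    WHITELIST.add(fp)
    return "benign", "sandbox"


# Constructed samples in the toy script format.
MALICIOUS_SAMPLE = (
    b"CONNECT 203.0.113.9:443\n"
    b"REGSET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd\n"
    b"WRITE C:\\Users\\a\\Documents\\q.docx.locked\n"
)
BENIGN_SAMPLE = b"DNS update.example.com\nCONNECT 10.0.0.5:443\nWRITE C:\\Temp\\cache.tmp\n"

if __name__ == "__main__":
    # Second pass of each sample is answered from the list, not the sandbox.
    for sample in (MALICIOUS_SAMPLE, MALICIOUS_SAMPLE, BENIGN_SAMPLE, BENIGN_SAMPLE):
        print(fingerprint(sample)[:12], *triage(sample))
```

In production the "clean" branch deserves more care than shown: a sandbox-evading sample lands on the whitelist permanently, so a clean verdict is better cached with an expiry and re-checked when the behavior model or the threat intelligence changes.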

C) Threat intelligence correlation: security monitoring requires knowing both sides. The three kinds of detection above give an understanding of the internal security dynamics; threat intelligence gives an understanding of the external dynamics. Now that network security has become a national strategy, advanced threats cannot be dealt with without it. Threat intelligence is a systematic measure involving many components, and the key is how the threat intelligence obtained is put to use across the entire security system:

(1) Types of threat intelligence: which intelligence is useful, which threat intelligence information we need:

New vulnerability information

New technologies, new protection technology information

New security patch information

External incidents, especially those in the same industry

Newly discovered malicious code signatures

Attacker organization information, or information on those who threaten us, such as industry competitors

Malicious IP addresses, malicious URLs

Phishing website URLs

Sensitive information exposure

(2) Threat intelligence format: threat intelligence for automatic processing, that is, "machine-readable" threat intelligence (indicators of compromise, IOCs)

(3) Threat intelligence processing: received threat intelligence can be acted on in different ways:

Security policy distribution: when a new patch is released, schedule the patching work within the network; when a new vulnerability is found and no patch exists yet, deploy virtual patching; when a malicious IP address is found, deploy an ACL at the border gateway forbidding internal users from accessing that IP

Information bulletins: for new technologies and security incidents, notify the relevant departments to raise everyone's security awareness

Victimization analysis: given a botnet command-and-control server IP address, scan the network behavior records for the endpoints in the network that accessed that IP, that is, those already under the botnet's control; given a phishing website URL, the records of network access to that URL show how many endpoints in the network visited the phishing site and may have been compromised

Leak early warning: when exposed sensitive information is found to belong to an internal business system, the system has been leaking, and an inventory should be launched immediately to find the source of the leak.
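The two intelligence-driven actions above that lend themselves to code, victimization analysis and ACL distribution for malicious IPs, as an added example that is not part of the original article. The IOC feed, the key=value record layout of the proxy/firewall export and all addresses are constructed for illustration; the ACL syntax is a generic "deny ip any host X" form, not that of any particular device.

```python
"""Added example: victimization analysis over network behaviour records using a
machine-readable IOC list, plus border ACL generation for IP indicators.
Illustrative code with constructed data, not the vase model's or any product's."""
from urllib.parse import urlsplit

# Constructed machine-readable IOC feed: type, value, tag.
IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "tag": "botnet-c2"},
    {"type": "url", "value": "http://login-bank.example/verify", "tag": "phishing"},
]

# Constructed network behaviour records in a hypothetical key=value export format:
# timestamp, source endpoint, destination, destination port, URL or '-'.
RECORDS = """\
2024-06-03T09:12:41Z src=10.20.1.15 dst=203.0.113.45 dport=443 url=-
2024-06-03T09:13:02Z src=10.20.1.15 dst=198.51.100.7 dport=80 url=http://login-bank.example/verify?id=7
2024-06-03T09:15:30Z src=10.20.2.8 dst=203.0.113.45 dport=8080 url=-
2024-06-03T09:20:11Z src=10.20.3.40 dst=198.51.100.7 dport=80 url=http://login-bank.example/
2024-06-03T09:22:05Z src=10.20.3.40 dst=93.184.216.34 dport=443 url=https://www.example.com/
"""


def parse_record(line):
    ts, *kvs = line.split()
    rec = {"ts": ts}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def url_key(url):
    """Normalise a URL to (host, path). Query strings and fragments are dropped
    because phishing kits vary them per victim, which would defeat an exact match."""
    u = urlsplit(url)
    return u.netloc.lower(), (u.path or "/")


def url_matches(record_url, ioc_url):
    if record_url == "-":
        return False
    rec_host, rec_path = url_key(record_url)
    ioc_host, ioc_path = url_key(ioc_url)
    return rec_host == ioc_host and rec_path.startswith(ioc_path)


def find_victims(records_text, iocs):
    """Return {ioc_value: sorted list of source endpoints that contacted it}."""
    hits = {}
    for line in records_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for ioc in iocs:
            matched = (
                (ioc["type"] == "ipv4" and rec.get("dst") == ioc["value"])
                or (ioc["type"] == "url" and url_matches(rec.get("url", "-"), ioc["value"]))
            )
            if matched:
                hits.setdefault(ioc["value"], set()).add(rec["src"])
    return {value: sorted(srcs) for value, srcs in hits.items()}


def acl_lines(iocs):
    """Border-gateway deny rules for IP indicators in a generic syntax; translate
    to the real device's ACL language before distribution."""
    return [f"deny ip any host {ioc['value']}" for ioc in iocs if ioc["type"] == "ipv4"]


if __name__ == "__main__":
    for value, srcs in find_victims(RECORDS, IOCS).items():
        print(f"{value}: {len(srcs)} endpoint(s) -> {', '.join(srcs)}")
    print("\n".join(acl_lines(IOCS)))
```

Note that the endpoint which fetched only the site's front page (record 4) is not reported: the phishing indicator is the verification path, and matching on host plus path prefix keeps the list of "possibly phished" endpoints honest. A destination IP shared by a CDN would produce false positives in the same way, which is why the IOC's tag and expiry belong in the record handed to the responder.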

D) Security situation: the monitoring system needs a display platform that shows the dynamic information in real time and presents the relationships between its elements graphically, making full use of people's ability to generalize and abstract; discovering implicit correlations this way is one of the common means of security analysis. The collected information and the analysis results are displayed according to the framework that security managers care about, which is usually called the security situation. Security situational awareness is the overall term for the collection, analysis, display and prediction of security information. The security situation therefore needs an index system to describe it: the key elements of the security state that users care about, whose dynamic data are combined into the security situation view. A security situation generally has multiple views, such as asset status, event impact, event tracking, intelligence correlation and so on.

3. Trust system

The trust system is a set of security management measures for network users. Its core is to determine who a user is, whether they have the right to do something, and whether their practice is compliant, finally implemented in the audit of user behavior. V5.0 of the "vase" model adds dynamic analysis of compliance behavior: not only evidence collection after the event, but also timely correlation analysis during user behavior, dynamically tracking where the user is and what they are doing.

The trust system is built from the following parts:

A) Identity authentication: identity authentication is the basic support of the trust system and a cross-layer security service.

(1) Authentication technologies: account and password, one-time passwords, biometrics, digital certificates, hardware chips (smart cards or tokens).

(2) Multi-factor: combine multiple authentication technologies, and require an additional authentication step for access to important information.

(3) Network roaming: the service development of mobile access and multi-screen integration requires single sign-on (SSO) authentication and network roaming support.

B) Authorization control: decide whether a user may access a resource, and manage access according to the authorization. Given the large number of network resources and the rapid growth of applications, discrete, per-application authorization management cannot support network security operations; centralized authorization management with a distributed user access control mechanism is the future direction.

C) Behavior log: with authentication and authorization management in place, it can be determined whether someone's behavior is authorized. The behavior log is the record of user behavior, the basis for collecting evidence afterwards, and the safeguard against repudiation of the user's behavior.

D) Big-data-based compliance testing: a single behavior, looked at on its own, is rejected directly by the access control mechanism if it is non-compliant and unauthorized. A combination of individually legitimate behaviors, however, is not necessarily legitimate; that depends on the business result the user achieves. Big-data-based compliance testing finds insiders operating illegally, or insiders who have been impersonated and whose impersonator carries out instructions through their identity.

(1) User behavior detection: correlation analysis of access behavior across different business systems, analyzing motivation and finding exceptions in the time, order, content and quantity of user access.

(2) Process compliance detection: behavior correlation analysis of business process operation, which analyzes from the time, sequence and actions of the user's operations whether they conform to the process specification, so as to find operational exceptions.
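The two checks above in miniature, as an added example that is not code from the original article: each audit event passes access control on its own, and the violations only appear when events are correlated per business object (step order and separation of duties) and per user (working hours and export volume). The process specification, the working-hours window, the export limit and the audit log format "timestamp user system action object" are all constructed assumptions.

```python
"""Added example: big-data compliance testing on a small audit log. Process
compliance checks step order and separation of duties per business object; user
behaviour detection flags off-hours access and unusual export volume.
Illustrative code with constructed data, not the vase model's or any product's."""
from collections import defaultdict
from datetime import datetime

# Hypothetical process specification: required step order per business object
# type, plus a separation-of-duties pair that one user must not perform alone.
PROCESS_SPEC = {"refund": ["create", "approve", "pay"]}
SOD_PAIRS = {"refund": ("create", "approve")}
WORK_HOURS = (8, 20)   # assumed working window, local time, [start, end)
EXPORT_LIMIT = 3       # assumed: more exports than this per user per day is abnormal

# Constructed audit log: timestamp user system action object
SAMPLE_LOG = """\
2024-06-03T09:05:00 alice erp create refund:1001
2024-06-03T09:30:00 bob erp approve refund:1001
2024-06-03T10:00:00 carol finance pay refund:1001
2024-06-03T11:00:00 alice erp create refund:1002
2024-06-03T11:05:00 alice erp approve refund:1002
2024-06-03T11:10:00 carol finance pay refund:1002
2024-06-03T14:00:00 carol finance pay refund:1003
2024-06-03T14:20:00 dave erp create refund:1003
2024-06-03T23:40:00 dave crm export customers:all
2024-06-03T23:41:00 dave crm export customers:all
2024-06-03T23:42:00 dave crm export customers:all
2024-06-03T23:43:00 dave crm export customers:all
"""


def parse_event(line):
    ts, user, system, action, obj = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "system": system, "action": action, "obj": obj}


def process_violations(events):
    """Per business object: steps must follow PROCESS_SPEC in order, and the
    separation-of-duties pair must be performed by different users."""
    findings = []
    by_obj = defaultdict(list)
    for e in events:
        if e["obj"].split(":")[0] in PROCESS_SPEC:
            by_obj[e["obj"]].append(e)
    for obj, evs in by_obj.items():
        kind = obj.split(":")[0]
        spec = PROCESS_SPEC[kind]
        last, actors = -1, {}
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["action"] not in spec:
                continue
            i = spec.index(e["action"])
            if i != last + 1:
                want = spec[last + 1] if last + 1 < len(spec) else "end of process"
                findings.append((obj, f"'{e['action']}' by {e['user']} out of order, expected '{want}'"))
            last = i
            actors[e["action"]] = e["user"]
        a, b = SOD_PAIRS[kind]
        if a in actors and actors.get(a) == actors.get(b):
            findings.append((obj, f"{actors[a]} performed both '{a}' and '{b}'"))
    return findings


def user_anomalies(events):
    """Per user: actions outside working hours, and export volume beyond
    EXPORT_LIMIT within one day (flagged once, when the limit is first exceeded)."""
    findings = []
    exports = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        if not (WORK_HOURS[0] <= e["ts"].hour < WORK_HOURS[1]):
            findings.append((e["user"], f"{e['action']} on {e['system']} at {e['ts'].isoformat()} is outside working hours"))
        if e["action"] == "export":
            key = (e["user"], e["ts"].date())
            exports[key] += 1
            if exports[key] == EXPORT_LIMIT + 1:
                findings.append((e["user"], f"more than {EXPORT_LIMIT} exports from {e['system']} on {e['ts'].date()}"))
    return findings


def analyse(log_text=SAMPLE_LOG):
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return process_violations(events), user_anomalies(events)


if __name__ == "__main__":
    process, users = analyse()
    for obj, msg in process:
        print("process", obj, msg)
    for user, msg in users:
        print("user", user, msg)
```

Refund 1001 passes both checks; refund 1002 is three individually authorized actions that together violate separation of duties; refund 1003 is paid before it is created. None of these is visible to a per-request access control decision, which is the point the section makes.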

E) Behavioral forensics: for abnormal behaviors and violations, a complete chain of behavioral evidence should be obtainable. Behavioral forensics can reproduce the attack scenario, analyze the gaps in process and management, and provide suggestions for improving security policies.

4. Security Management Center

The security management center provides shared, centralized security management and services. It is the platform for network security operations, security emergency command, and incident tracking and handling, as well as the service center for users' commonly used software. Unlike a traditional security management center, the volume of data collected requires a data lake (data warehouse) to handle massive data: its collection, storage and retrieval.

A) Software repository: the software repository service provides unified installation of all kinds of software. This is convenient for daily installation and use, allows unified compatibility testing, and avoids "contaminated" software packages and the spread of malware.

(1) Patch software: patch management services in a cloud-service mode, including patches for systems, devices, applications, etc.

(2) Common application software: installation versions of commonly used software, especially endpoint software, provided in a cloud-service mode.

B) Data lake: that is, the data layer. The raw data collected falls into three categories:

(1) Events: security events reported by the various security devices

(2) Logs: status, operations, etc. reported by the various systems and devices

(3) Configuration: the current security configuration of each security device, that is, the current security policy

Real-time analysis of the raw data also generates three types of new data:

(1) Statistics: data for all kinds of statistics

(2) Correlation analysis: new data generated by rule analysis, pattern matching, etc.

(3) Mined data: new data produced by big-data mining.

C) Security management platform: the management functions provided by the security management platform:

(1) Asset management: the equipment in the computer room is easy to manage, but endpoints are hard to manage, especially mobile endpoints. Many users want endpoints connected to the network to be discovered promptly, which is one of the effective strategies for discovering intranet users. With NFV and the softwarization of many devices, devices are easily created and destroyed dynamically, so fast and efficient management is needed.

(2) Situation display: the visual display of the situation index system users care about; it is also the workbench of the monitoring system and the command platform for emergency command and for assisting leaders' decisions.

(3) Event handling: the basic work of security operations, that is, the tracking, tracing and disposal process of security incidents.

(4) Security policy: unified distribution of security policy, a large improvement over the traditional SOC: hardening policies can be issued for endpoints such as Windows/Linux, batch access control policies for NGFWs, and temporary security policies for IDS/traffic collection and monitoring.

(5) Operations management: daily security operations such as personnel changes, configuration changes, new system launches, equipment replacement, etc., as well as management functions such as duty handover, security notification, and violation penalties.

(6) Patch management: an important part of security operations, including patch compatibility testing, batch patch distribution, virtual patch deployment, etc.

The three security lines of v5.0 of the "vase" model coordinate and support each other. The protection system is the threshold and the protection baseline, establishing a defense-in-depth system based on "space". The monitoring system targets the defense against advanced attacks: it finds those who have passed through the protection system into the network and, through multi-angle, multi-period, spatio-temporal information correlation, finds the anomalies of those already inside. The trust system targets the security management of the network's internal users, finds the insiders and the illegal operators, and establishes a user-based network trust system.

V5.0 of the "vase" model adapts to the new network application model: the defense system is divided into a physical network layer and a virtual network layer and extends to the application layer and to the user boundary, the endpoint; the granularity and coverage of the monitoring system are expanded; identity authentication and authorization are strengthened; and integration with the business system is closer. Therefore v5.0 of the "vase" model is not only better suited to the "three synchronizations" design principle required by Article 33 of the Cybersecurity Law (security measures planned, built and put into use in step with the system), but also to security design based on cloud computing, the Internet of Things and other new IT infrastructure.

IV. Summary

The "vase" model has experienced wind and rain for ten years with information security, which provides convenience for the design of many network security schemes, and is one of the best reference models for scheme designers. With the release of v5.0, the "vase" model integrates the latest security concepts and the latest security technologies, which is not only suitable for traditional network information systems, but also suitable for information systems based on the new IT infrastructure, seamlessly integrated with cloud computing virtualization technology, big data processing technology, and mobile Internet applications. It will be the best reference model for pre-sales engineers to design a security scheme that meets the grade protection standard 2.0 for users.
