The last "moat" of the server

Release time: 2021-06-07 09:56 Source: People's Posts and Telecommunications


This year, the International Telecommunication Union set the theme of World Telecommunication and Information Society Day as "Accelerating Digital Transformation in Challenging Times". So which technological innovations in the ICT industry are refreshing, and which innovative products are helping customers solve practical difficulties? After self-nomination by enterprises, recommendation by editors and assessment by the review committee, the 2021 People's Posts and Telecommunications "5.17" Typical Demonstration Case Collection was officially announced a few days ago.

This collection of typical demonstration cases fully reflects the hot spots and development directions of the current ICT industry, has attracted wide attention across the upstream and downstream of the industry chain, and has stimulated enthusiasm to participate. The solicitation covers the three major sections "technical innovation", "application innovation" and "industry innovation". After three stages of preliminary evaluation, review of materials and general evaluation, a recommended list of 17 typical demonstration cases was finally determined.

"Qi Anxin Wangshen Cloud Lock Server Security Management System" (hereinafter "Cloud Lock") was selected as a typical demonstration case of innovation in the network security industry.

In recent years, computer network attacks have emerged in an endless stream, and communication security faces a huge threat. After the PRISM incident, information security was elevated to the level of national strategy. In 2017, ransomware attacks using the "EternalBlue" vulnerability swept the world, and the adverse impact of information security risks on critical information infrastructure and on servers in isolated networks became concrete.

Frequent ransomware, cryptomining attacks and data leaks have almost become synonymous with security incidents in recent years. Achieving the attacker's goal depends on successfully intruding into the server and escalating privileges. If the defence is merely a pile of security devices, a single 0day (unpatched) vulnerability is almost enough to defeat it in one blow.

Unclear server assets, invisible risks, lack of effective protection against unknown threats, and inaccurate attack tracing are the four core challenges facing server security. Qi Anxin Cloud Lock innovatively adopts a lightweight server-side agent, with the core idea of hardening the server operating system and applications and improving the server's intrinsic security capabilities, and builds a server-side protection system across three stages: preliminary preparation, offensive-defensive confrontation, and retrospective analysis.

The three stages correspond to three key capabilities. In the preparatory stage, being able to profile the customer's business behaviour is a critical ability. Based on machine learning, Cloud Lock sorts out "white (legitimate) behaviour" from the perspectives of service behaviour, applications, outbound-connection processes, logins and file operations, laying the foundation for subsequent anomaly monitoring.
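The idea of learning "white behaviour" and then flagging deviations can be shown with a small baseline-and-compare routine. The following is an added example, not Cloud Lock's code: the event model, the learning-window and monitoring-window events, and the rule that file events are generalised to their directory are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str      # server that reported the event
    process: str   # executable that performed the action
    category: str  # "outbound", "login", "file" or "exec"
    target: str    # remote host:port, user@source-ip, file path or child command


# Constructed learning-window events: what an agent saw while the host behaved normally.
LEARNING_WINDOW = [
    Event("web01", "nginx", "outbound", "10.0.0.5:8080"),
    Event("web01", "nginx", "file", "/var/log/nginx/access.log"),
    Event("web01", "php-fpm", "outbound", "10.0.0.10:3306"),
    Event("web01", "php-fpm", "file", "/var/www/app/cache/sess_a1b2.tmp"),
    Event("web01", "sshd", "login", "ops@10.0.1.20"),
    Event("web01", "cron", "exec", "/usr/local/bin/backup.sh"),
]


def generalize(ev: Event) -> str:
    """Collapse a target to the granularity worth baselining.

    File names under a cache directory change constantly, so file events are
    keyed on their directory (assumed rule); other categories keep the exact target.
    """
    if ev.category == "file":
        return ev.target.rsplit("/", 1)[0] + "/"
    return ev.target


def build_baseline(events):
    """(process, category) -> set of generalised targets seen in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev.process, ev.category)].add(generalize(ev))
    return dict(baseline)


def score(baseline, ev: Event):
    """Return None for white behaviour, otherwise the reason the event is anomalous."""
    if not any(proc == ev.process for proc, _ in baseline):
        return "unknown-process"
    key = (ev.process, ev.category)
    if key not in baseline:
        return "new-behaviour-class"
    if generalize(ev) not in baseline[key]:
        return "new-target"
    return None


def detect(baseline, events):
    """List (event, reason) for every event that deviates from the baseline."""
    findings = []
    for ev in events:
        reason = score(baseline, ev)
        if reason:
            findings.append((ev, reason))
    return findings


BASELINE = build_baseline(LEARNING_WINDOW)

# Constructed monitoring-window events: one normal, three that a defender wants to see.
MONITORING_WINDOW = [
    Event("web01", "php-fpm", "outbound", "10.0.0.10:3306"),  # normal database traffic
    Event("web01", "php-fpm", "exec", "/bin/sh"),             # web worker spawning a shell
    Event("web01", "php-fpm", "file", "/etc/shadow"),         # file access outside the app tree
    Event("web01", "nc", "outbound", "203.0.113.7:4444"),     # never-seen binary calling out
]

if __name__ == "__main__":
    for ev, reason in detect(BASELINE, MONITORING_WINDOW):
        print(f"{ev.host} {ev.process:8} {ev.category:8} {ev.target:24} -> {reason}")
```

The three reasons are ordered by how much the event departs from the baseline: a process never seen at all, a known process doing a category of thing it never did, or a known activity aimed at a new target. A production agent would add a learning-window length and a way to approve findings back into the baseline, which this example omits.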

In the offensive-defensive confrontation stage, Cloud Lock emphasises an integrated protection idea spanning the system layer, network layer and application layer. Among these, RASP (Runtime Application Self-Protection) works inside the scripting-language interpreter, where it can monitor application script behaviour and function-call context at fine granularity and thereby discover malicious exploitation of vulnerabilities. In highly intensive attack-and-defence scenarios, especially live exercises in which 0days are flying everywhere, it can effectively shorten the lag window caused by the asymmetry of offensive and defensive information and provide effective server-side intrusion protection against unknown threats.
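The mechanism described here, a hook inside the interpreter that sees both the dangerous call and its calling context, can be illustrated in Python by wrapping a command-executing function. This is an added example and not Cloud Lock's RASP: the allowlist of programs, the `thumbnail` handler and the finding format are constructed assumptions, and the check is deliberately simple (metacharacter scan plus program allowlist) so that what the hook observes is clear.

```python
import functools
import inspect
import os
import shlex

# Constructed policy: the only programs this application may launch through a shell.
ALLOWED_PROGRAMS = {"/usr/bin/convert", "/usr/bin/pdftotext"}
SHELL_METACHARACTERS = set(";|&`$<>\n")

FINDINGS = []  # one dict per blocked call, to be shipped to the SOC / log pipeline


def inspect_command(command):
    """Return None if the command passes policy, otherwise the reason to block it."""
    if not isinstance(command, str):
        return "command is not a string"
    if any(ch in SHELL_METACHARACTERS for ch in command):
        return "shell metacharacters in command"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "unparseable command"
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return f"program not in allowlist: {argv[0] if argv else '<empty>'}"
    return None


def guard(original):
    """Wrap a command-executing function with a policy check and caller capture."""
    @functools.wraps(original)
    def guarded(command, *args, **kwargs):
        reason = inspect_command(command)
        if reason is None:
            return original(command, *args, **kwargs)
        # The frame above us is the application code that made the call: this is the
        # "function call context" a RASP hook has and a network device does not.
        caller = inspect.currentframe().f_back
        FINDINGS.append({
            "command": command,
            "reason": reason,
            "caller": f"{caller.f_code.co_filename}:{caller.f_code.co_name}:{caller.f_lineno}",
        })
        raise PermissionError(f"RASP blocked call: {reason}")
    return guarded


def install_hook(holder=os, name="system"):
    """Replace holder.<name> with the guarded version; returns the original for uninstalling."""
    original = getattr(holder, name)
    setattr(holder, name, guard(original))
    return original


# Constructed application handler: passes a user-controlled file name to a shell command.
def thumbnail(upload_name, run=None):
    run = run or os.system  # resolved at call time, so an installed hook is honoured
    return run(f"/usr/bin/convert {upload_name} thumb.png")


if __name__ == "__main__":
    install_hook()  # from here on os.system is guarded for the whole interpreter
    try:
        thumbnail("photo.jpg; id")
    except PermissionError as exc:
        print(exc, "raised from", FINDINGS[-1]["caller"])
```

Because the hook runs inside the application process, the finding records which handler and line issued the call, which is exactly the information needed to patch the code path rather than only the signature. The same pattern applies to other sinks (file opens, deserialisation, database drivers) by guarding those functions with a sink-specific `inspect_*` check.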

In the retrospective analysis stage, accurate and rapid localisation is emphasised. Through full logging of process, file and network behaviour on the server, together with analysis and matching by the EDR behaviour engine and the Qi Anxin threat-intelligence engine, Cloud Lock can accurately locate compromised assets from the server's perspective and monitor abnormal outbound connections. Combined with the ATT&CK framework to reconstruct the attacker's techniques and attack stages, it can supply server-behaviour data to threat-hunting platforms and big-data analysis platforms.

Qi Anxin Cloud Lock's customers span government, banking, energy, telecom operators, education, healthcare and other industries, including many large and medium-sized leading customers. Take a large bank as an example: the bank has more than 30,000 servers hosting multiple important business systems such as the official website, online mall, mobile banking, corporate business, corporate information and office OA. In the preliminary preparation stage, based on the real attack data received by the business systems in the customer's production environment over seven days, Cloud Lock sorted out the medium- and high-risk attack types the customer should pay most attention to and gave targeted protection-policy suggestions.

Based on the results of the pre-deployment trial, the customer chose to enable Cloud Lock's protection policy in batches across the externally facing service environment and pushed the full set of logs to its security operations centre (SOC) as syslog. The SOC platform received and analysed the logs of the "events of concern" type to confirm attacks and attack-source IPs. For attack-source IPs recorded in the logs of multiple devices, the customer decided to block them with one click.
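The SOC-side step described here (receive syslog, keep the events of concern, and promote a source IP to the block list only when more than one device reports it) is shown below as an added example; it is not the bank's SOC logic or Cloud Lock's log format. The syslog lines, the key=value body layout, the device names and the "two devices, at least medium severity" threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog lines as three different devices might forward them to the SOC.
SAMPLE_SYSLOG = """\
<134>Jun  7 09:56:01 web01 cloudlock: type=attack severity=high src=203.0.113.7 rule=webshell-upload
<134>Jun  7 09:56:03 waf01 waf: type=attack severity=medium src=203.0.113.7 rule=sqli
<134>Jun  7 09:56:05 fw01 firewall: type=scan severity=low src=198.51.100.9 ports=22,445
<134>Jun  7 09:57:10 web02 cloudlock: type=attack severity=high src=198.51.100.9 rule=rce-attempt
<134>Jun  7 09:58:00 web01 cloudlock: type=attack severity=high src=192.0.2.44 rule=path-traversal
<134>Jun  7 09:58:30 web01 cloudlock: type=info severity=low src=10.0.1.20 rule=login-ok
"""

# RFC 3164-style header followed by a free-form body (assumed key=value pairs).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<body>.*)$"
)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_line(line):
    """Parse one syslog line into a dict; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec.update(dict(re.findall(r"(\w+)=(\S+)", body)))
    return rec


def parse_syslog(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def correlate(records, min_severity="medium", min_devices=2):
    """Group events of concern by source IP.

    An IP is a block candidate when at least one event reaches min_severity and
    at least min_devices distinct reporting hosts saw it; single-device sightings
    go to a review list instead, mirroring the "recorded in multiple device logs" rule.
    """
    devices = defaultdict(set)   # src ip -> hosts that reported it
    worst = defaultdict(int)     # src ip -> highest severity rank seen
    for rec in records:
        src = rec.get("src")
        if not src or rec.get("type") not in ("attack", "scan"):
            continue  # informational lines are not events of concern
        devices[src].add(rec["host"])
        worst[src] = max(worst[src], SEVERITY_RANK.get(rec.get("severity", "low"), 0))
    threshold = SEVERITY_RANK[min_severity]
    block, review = [], []
    for src in sorted(devices):
        if worst[src] < threshold:
            continue
        (block if len(devices[src]) >= min_devices else review).append(src)
    return {"block": block, "review": review}


if __name__ == "__main__":
    result = correlate(parse_syslog(SAMPLE_SYSLOG))
    print("block:", result["block"])
    print("review:", result["review"])
```

Requiring corroboration from a second device before blocking is what keeps a single false positive on one host from turning into a self-inflicted outage; the review list is where an analyst looks at the single-source hits before deciding.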

To sum up, the core value of Cloud Lock is reflected in three points: first, reducing costs and increasing efficiency through efficient management of server assets; second, providing effective protection against unknown threats; third, reducing the exposed attack surface and enabling accurate tracing.

Knowing yourself and knowing the enemy, effective tools combined with comprehensive services and mature processes can win every battle.


Origin blog.csdn.net/huzia/article/details/125674538