Data security operations system construction

Security operations is made up of multiple independent work subsets. By establishing an overall (universal) working mechanism, these independent pieces are connected in series into an overall, continuous and supervisable work process. Security operations is the basis for keeping the business running stably in a secure environment. As part of the organization's overall security operations, data security is both integrated and independent. Integration emphasizes the combination with the overall operations work, such as pre-event vulnerability detection, security handling during the event, and post-event review and analysis. Independence emphasizes the specific operations and maintenance goals of data security management, such as data asset inventory (data flow direction, data classification and grading, etc.), data security protection strategies, continuous data security assessment, and data security operations monitoring indicators.

1. Index system construction

Security operations emphasize coverage, accuracy (false positive rate), recall (false negative rate), recurrence rate, and timeliness (quoted from "Knowledge of Enterprise Information Security Construction"). This article is about the construction of a data security operations system, so on this basis the indicators that data security operations should pay attention to are derived.

1.1 Coverage

Level 1 (general): asset metadata management coverage, security protection technology coverage, coverage of the business scope by continuous data security detection and evaluation, vulnerability management coverage, etc.

Level 2 (improvement): coverage of data flow scenarios, coverage of the protection dimensions of rules and policies, coverage of differentiated data controls, coverage of data security assessment and detection items, etc.

1.2 Accuracy rate (false positives)

Level 1 (general): accuracy rate of asset management (items managed that should not be managed), accuracy rate of data security protection technology strategies, accuracy rate of vulnerability detection, etc.

Level 2 (improvement): accuracy rate of static data assets, accuracy rate of dynamic data management, accuracy rate of the basic policies for data security audit, access control, desensitization and encryption, etc.

1.3 Recall rate (false negatives)

Level 1 (general): recall rate of asset management (items that should be managed but are not), recall rate of data security protection technology strategies, recall rate of vulnerability detection, etc.

Level 2 (improvement): recall rate of static data assets, recall rate of dynamic data management, recall rate of the basic policies for data security audit, access control, desensitization and encryption, recall rate of differentiated data management strategies, etc.

1.4 Recurrence rate

Level 1 (general): asset management recurrence rate (the same problem recurring continuously), data security protection policy recurrence rate, vulnerability management recurrence rate, etc.

Level 2 (improvement): recurrence rate of static data asset errors, recurrence rate of dynamic data management errors, recurrence rate of errors in the basic policies for data security audit, access control, desensitization and encryption, recurrence rate of errors in differentiated data management strategies, etc.

1.5 Timeliness

Level 1 (general): timeliness of asset monitoring and management, timeliness of data security protection strategy improvement, timeliness of vulnerability handling, etc.

Level 2 (improvement): timeliness of static data asset handling, timeliness of dynamic data management, timeliness of the basic policies for data security audit, access control, desensitization and encryption, timeliness of differentiated data management strategies, etc.
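As an added illustration that is not part of the original article, the Python below computes the five indicators of this section over a constructed set of data-security findings: coverage against the asset inventory, accuracy and recall against triage verdicts and missed incidents, recurrence as the same (asset, rule) problem reopening after it was closed, and timeliness against an assumed 24-hour SLA. The Finding structure, the rule names and the SLA are assumptions made for the example.

```python
# Added example, not from the original article: section 1's five indicators over constructed findings.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
@dataclass
class Finding:
    asset: str                  # data asset the protection rule fired on
    rule: str                   # protection rule (e.g. masking or encryption policy)
    true_positive: bool         # analyst verdict after triage
    opened: datetime
    closed: Optional[datetime]  # None while the finding is still open
def coverage(managed, all_assets):
    """Coverage: share of known data assets that are under management."""
    return len(set(managed) & set(all_assets)) / len(set(all_assets))

def precision(findings):
    """Accuracy rate: share of findings that were real; the rest are false positives."""
    return sum(f.true_positive for f in findings) / len(findings) if findings else 0.0

def recall(findings, missed):
    """Recall rate: real findings over real findings plus incidents the rules missed."""
    tp = sum(f.true_positive for f in findings)
    return tp / (tp + missed) if tp + missed else 0.0

def recurrence_rate(findings):
    """Recurrence rate: share of (asset, rule) problems that reopened after being closed."""
    problems = {}
    for f in sorted(findings, key=lambda f: f.opened):
        if f.true_positive:
            problems.setdefault((f.asset, f.rule), []).append(f)
    recurring = sum(any(p.closed and c.opened > p.closed for p, c in zip(ev, ev[1:]))
                    for ev in problems.values())
    return recurring / len(problems) if problems else 0.0
def timeliness(findings, sla, now):
    """Timeliness: share of findings already due by `now` that were closed within the SLA."""
    due = [f for f in findings if f.closed or now - f.opened > sla]
    on_time = [f for f in due if f.closed and f.closed - f.opened <= sla]
    return len(on_time) / len(due) if due else 0.0

# Constructed sample data: four data assets (three managed), five findings, one missed incident.
T0, SLA, NOW, MISSED = datetime(2024, 1, 1), timedelta(hours=24), datetime(2024, 1, 6), 1
ALL_ASSETS, MANAGED = ["orders", "customers", "payments", "logs"], ["orders", "customers", "payments"]
FINDINGS = [  # (asset, rule, true_positive, opened, closed); the second customers finding is a recurrence
    Finding("customers", "mask_pii", True, T0, T0 + timedelta(hours=4)),
    Finding("customers", "mask_pii", True, T0 + timedelta(days=2), T0 + timedelta(days=2, hours=30)),
    Finding("orders", "encrypt_at_rest", True, T0 + timedelta(days=1), T0 + timedelta(days=1, hours=10)),
    Finding("logs", "mask_pii", False, T0 + timedelta(days=1), T0 + timedelta(days=1, hours=1)),
    Finding("payments", "encrypt_at_rest", True, T0 + timedelta(days=3), None),
]
```

With the sample data, coverage is 0.75, accuracy and recall are both 0.8, recurrence is 1/3 and timeliness is 0.6, because the still-open payments finding is already past its SLA and counts as a miss.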

2. Daily working mechanism

The working mechanism of data security operations can be built from the four dimensions of prediction, defense, detection, and investigation/forensics, with continuous monitoring and analysis as the core, relying on the ITIL workflow and effectively combined with the indicator system established above, to form a convergent operations system in which the business operates healthily and the security and business goals are consistent. See the figure below for details:

Prediction includes means such as proactively analyzing risk exposures, anticipating attacks, and re-baselining systems.

Defense includes methods such as hardening and isolating systems, inducing attacks, and controlling interception.

Detection includes incident monitoring, identifying risks and determining their nature, isolating incidents, etc.

Investigation/forensics includes remediation and policy changes, designing and modeling policy changes, investigation and forensics, etc.

ITIL processes include Incident Management, Problem Management, Change Management, Release Management and Configuration Management.

The indicator system includes coverage rate, accuracy rate, recall rate, recurrence rate, and timeliness.

3. Emergency response

Emergency response construction can refer to the PDCERF method (preparation, detection, suppression, eradication, recovery and summary phases). PDCERF is not the only method for emergency response, and the six stages may not be followed in strict sequence in an actual emergency. It is, however, a general emergency response method with strong applicability at present.

Preparation stage: focus on prevention. The main work involves identifying the risks faced by the organization, establishing security policies, and establishing collaboration and emergency systems. Configure security devices and software in accordance with the security policies, and prepare the hosts used for emergency response and recovery.

Detection stage: mainly determine whether an incident has occurred or is in progress, and the cause of the incident. Determine the nature and extent of the incident, and what resources are expected to be deployed to remediate it.

Suppression stage: limit the scope of the attack/damage and reduce potential losses. All suppression activities depend on the incident having been correctly identified during detection. Suppression strategies must be formulated and implemented in combination with the phenomena, nature and scope of the security incident discovered during the detection stage.

Eradication stage: find the root cause through incident analysis and eradicate it completely, so that attackers cannot use the same means to attack the system again and cause another security incident.

Recovery stage: completely restore the damaged information systems to their normal operating state. Determine what is required, and the timeline, for bringing the system back to normal, and restore data from trusted backup media.

Summary stage: review and consolidate the relevant information from the emergency response process, conduct post-event analysis, synthesize and revise security plans, policies and procedures, and conduct training to prevent recurrence of the intrusion.

Source: blog.csdn.net/a59a59/article/details/111088227