[Infrastructure] A brief discussion on building an enterprise network security operation system

Introduction

In today's complex and severe network security environment, major domestic enterprises have begun to form their own network security teams, strengthen their own security capabilities, and move towards integrated network security operations. Enterprise security operations have gradually shifted from passive to proactive, becoming a dynamic process that combines people, management and technology to cover network security monitoring, early warning, protection, detection, response and handling end to end. For an enterprise to fully realize this process, it must combine its management system, technical system and personnel system, and build its security operation system on the principle of "equal emphasis on management and technology, and equal emphasis on prevention and protection". In recent years, many studies of security operation systems have focused on the technology platform that protects security personnel, which limits the automation and intelligence of security operation management once the system is complete. Starting from a concept of "security operations" based on trustworthiness, full-scenario coverage and real-world practice, this article combines the actual situation of the enterprise with industry best practices in security operations, proposes an overall framework for the security operation system, and details the characteristics of security operation capabilities, standardized processes and support guarantees, providing guidance for realizing integrated enterprise network security operations.

1 Overall framework of the security operation system

The enterprise security operation system is built along three dimensions: technology, management and personnel. Using big data, artificial intelligence, SOAR and other technologies, and through collaboration between cloud-based and on-site experts, it provides "eight types of security capabilities" that are around-the-clock, continuous, practical and automated. From the perspectives of routine operations, overall situation, supervision and compliance, a security operation center is built through an "inside-out" approach to provide the enterprise with "eight security supports".

2 Goals of security operation construction

Enterprises should start from their own current situation and design an integrated security operation construction plan to achieve the following goals:

  1. Make enterprise security operations comply with the protection requirements of relevant national and industry laws and regulations, while achieving the business goals of security monitoring, namely "dynamic perception, intelligent monitoring, proactive response, and panoramic visibility", so that network security incidents are visible, accurately identified, and deeply understood.

  2. Continuously manage and control the network security risks faced by each business module of the enterprise and reduce those risks. Build a security operation system that is "technically advanced, secure and reliable, and complete in services" to better ensure the secure, stable and reliable operation of networks, communications and information systems.

  3. Cover the entire chain of "basic operation guarantee, asset security management, threat risk detection and control, vulnerability detection and control, security risk reporting and processing, security risk verification and measurement, security inspection and risk prevention" to form a closed management loop over the entire life cycle of enterprise security operations. This closed loop gives the enterprise the full operational support capabilities of "threat warning, collaborative confrontation, manageability and controllability, and intelligent defense".

3 Capabilities and characteristics of security operations

Enterprise security operations should have the following four key capabilities:

3.1 Cloud and local threat intelligence capabilities

The system should be able to track hot events in cyberspace in a timely manner and rate threat reputation, retrieve security events such as trending vulnerabilities at any time, and obtain expert-level security trend analysis, especially in-depth correlation and multivariate analysis. It must be able to trace the source of security incidents, identify the party responsible, and finally present the result through a visualization platform.

3.2 Ability to perceive network security situation

The system should provide an overall view of enterprise business system security, situational awareness, traceability of attack events and early warning of potential threats. It should perceive the present and grasp the current security posture; investigate the past and reconstruct historical attack processes; and predict the future and give early warning of coming threats.

3.3 Around-the-clock threat monitoring and analysis capabilities

When a security incident occurs, the system should detect the threat in a timely manner through event monitoring or auditing and provide operational suggestions as soon as possible to reduce losses and impact; after the incident, it should trace the source of the attack, confirm the root cause, and take measures to eliminate the security hazard and prevent recurrence.

3.4 Comprehensive collaborative security operation capabilities

The system should effectively integrate people, cloud, on-site resources and machines through basic security protection and systematic security operations. The cloud security team should have the capabilities of active defense, threat perception, vulnerability analysis, risk warning, intelligence sharing and information delivery, and work with the enterprise's local security team to achieve all-round collaborative security operations.

4 Standardized process for security operations

4.1 Security operation planning

As the saying goes, "Everything succeeds with planning and fails without it." Only with well-planned security operations can we stay busy without chaos and get twice the result with half the effort. Security operation planning requires both logical thinking and a balance between vision and practicality, and should avoid simply piling up measures. The overall goals and direction of security operations may be visionary, with a long-term view and high targets; the specific measures and actions, however, must be pragmatic, down-to-earth, and broken down into action plans one by one to ensure the effectiveness of the final plan and its suitability for the enterprise's security operations. The overall approach to security operation planning can be divided into five stages: demand analysis, current-state investigation, security maturity assessment, risk analysis, and blueprint description:

Demand analysis stage: Based on the requirements of different industries and regulatory standards, communicate thoroughly in the early stage of the survey and compile the demand survey form.

Current-state investigation stage: Research and analyze the current status of enterprise security operations, and catalogue existing security risks and security control strategies.

Security maturity assessment: Compare against the current state of the industry and best practices to evaluate the enterprise's network security maturity level.

Risk analysis: Summarize the existing risk points of the enterprise, prioritize high and medium risk points, and propose an overall security optimization plan.

Blueprint description: Anticipate the enterprise's future development and requirements, and describe an overall security operation planning blueprint that conforms to national initiatives, industry requirements, and future development.

4.2 Design of the security operation plan

The security operation system includes three basic elements: people, technology and process. "People" are the core, "technology" is the infrastructure and carrier, and "process" is the orientation. The three elements complement, influence and constrain each other, and jointly determine the effectiveness of the security operation system. "People" emphasizes personnel organization, highlights the important role of people in any system, establishes personnel responsibilities and formulates security strategies, security specifications and security functions. "Technology" covers the entire life cycle of security operation system construction: starting from a business perspective, it classifies corporate assets, maps key business flows, determines the key links in risk control, and ultimately implements specific security functions. "Process" is the bridge between "people" and "technology"; each process is given specific goals, scope and responsibilities, which provides a solid guarantee for subsequent security operation management. Enterprise security operation plans must be designed around these three basic elements of people, technology and process.

4.3 Security Operation Management

Establish a security management system based on the various management contents of security management activities, and ultimately implement it in daily management operating procedures, forming a comprehensive network security operation system consisting of security policies, management systems, and operating procedures that guides and effectively standardizes network security operation and management across departments at all levels within the enterprise. Enterprises should not only formulate strict management regulations and their release procedures, methods and scope, but also regularly review and revise the security operation management system.

5 Operational indicators for security operations

5.1 Security baseline indicators

Combining enterprise security assessments, evaluation indicators, and legal and regulatory requirements such as the Cybersecurity Law, the Data Security Law, and the Multi-Level Protection Scheme (MLPS) 2.0, formulate baseline specifications for enterprise systems, networks, security equipment, and security management. With the help of security baseline automation tools, specific security configuration requirements in the enterprise business environment can be enforced and managed in a closed loop: initial assessment -> hardening -> re-assessment -> re-hardening -> review, continuously improving the review workflow.

5.2 Vulnerability management indicators

Vulnerability intelligence should be used to the full: intelligence triggers the vulnerability management process, feeds into the analysis of the vulnerability repair response level, and underpins a rapid response mechanism. The team must be able to complete security scans, device vulnerability library upgrades, vulnerability troubleshooting, and patch repairs on time and as required to ensure a 100% vulnerability repair rate. After a vulnerability is disclosed, rectification should be completed within the specified time and fed back to the enterprise information management department; for example, high-risk vulnerabilities should be fixed within 3 working days, medium-risk vulnerabilities within 7 working days, and low-risk vulnerabilities within one month, forming a closed loop of vulnerability management.
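The repair deadlines above (3 working days for high risk, 7 working days for medium, one month for low) and the 100% repair-rate indicator can be tracked mechanically. The following is an added example, not code from the original article; it assumes working days are Monday to Friday with no public-holiday calendar, and it treats "one month" for low-risk findings as 30 calendar days. The finding IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# SLA from the article: high 3 working days, medium 7 working days.
# "One month" for low risk is assumed here to mean 30 calendar days.
WORKING_DAY_SLA = {"high": 3, "medium": 7}
LOW_RISK_CALENDAR_DAYS = 30


def add_working_days(start: date, n: int) -> date:
    """Advance n working days (Mon-Fri). Public holidays are not modelled."""
    current, added = start, 0
    while added < n:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Monday..Friday
            added += 1
    return current


def repair_deadline(disclosed: date, severity: str) -> date:
    """Latest acceptable fix date for a finding disclosed on `disclosed`."""
    if severity in WORKING_DAY_SLA:
        return add_working_days(disclosed, WORKING_DAY_SLA[severity])
    if severity == "low":
        return disclosed + timedelta(days=LOW_RISK_CALENDAR_DAYS)
    raise ValueError(f"unknown severity: {severity}")


def deadline_iso(disclosed_iso: str, severity: str) -> str:
    return repair_deadline(date.fromisoformat(disclosed_iso), severity).isoformat()


@dataclass
class Finding:
    vuln_id: str          # placeholder identifier, not a real advisory
    severity: str
    disclosed: date
    fixed: Optional[date] = None  # None means still open


def status(f: Finding, today: date) -> str:
    """Classify a finding against its SLA as of `today`."""
    deadline = repair_deadline(f.disclosed, f.severity)
    if f.fixed is not None:
        return "fixed_on_time" if f.fixed <= deadline else "fixed_late"
    return "overdue" if today > deadline else "open"


def report(findings: List[Finding], today: date) -> Tuple[Dict[str, int], float]:
    """Status counts plus the repair rate the 100% indicator is measured on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[status(f, today)] = counts.get(status(f, today), 0) + 1
    fixed = counts.get("fixed_on_time", 0) + counts.get("fixed_late", 0)
    return counts, (fixed / len(findings) if findings else 1.0)


# Constructed sample: 2023-09-01 is a Friday, so 3 working days end on Wed 09-06.
SAMPLE = [
    Finding("VULN-0001", "high", date(2023, 9, 1), date(2023, 9, 5)),
    Finding("VULN-0002", "high", date(2023, 9, 1), date(2023, 9, 7)),
    Finding("VULN-0003", "medium", date(2023, 9, 1)),
    Finding("VULN-0004", "low", date(2023, 9, 1)),
]


def sample_report(today_iso: str = "2023-09-13") -> Tuple[Dict[str, int], float]:
    return report(SAMPLE, date.fromisoformat(today_iso))
```

Running `sample_report()` shows one high-risk finding fixed late and the medium-risk finding overdue, so the repair rate reported to the information management department would be 50% rather than the required 100%.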

5.3 Daily security duty

Conduct regular inspections and issue reports on the operating status of all online systems, networks and security equipment of the enterprise. Drawing on notices from the corporate information management department, industry notices, security bulletins from security vendors and the like, work with business departments to carry out security hardening as soon as possible to minimize the impact of vulnerabilities, viruses and Trojans, and ensure the continuous, secure and stable operation of the company's key businesses.

5.4 Equipment monitoring and management

Develop daily inspection plans, follow the operation log information of important equipment through the security operation management center, analyze equipment operating conditions, and promptly handle security event alarms from security equipment and important business systems; work with business departments to complete the rectification and review of risk items, and proactively provide rectification suggestions for common technical problems such as patch management, log management and policy management.

5.5 Equipment security management

Regularly maintain the corporate security equipment ledger and clarify management responsibilities at all levels. Strictly following the security operation management system, update the security equipment management system at least once a year, clearly assign asset management responsibilities, and keep the equipment owner labels up to date so that whoever manages an asset is responsible for it.

5.6 Security risk detection

The system should identify potential security threats in the enterprise's operating environment, use vulnerability detection, threat detection, suspicious event monitoring and other methods to detect security risks, and on that basis conduct threat analysis (including security threat analysis, hidden-danger analysis, and security status analysis of important information systems) to produce a threat analysis report. Newly launched business application systems should undergo security testing, including host vulnerability detection and security baseline verification, with a go-live security test report produced and business owners assisted in rectification.

5.7 Security risk control

Vulnerability scanning, security detection and security assessment should be carried out regularly according to the enterprise's business requirements. Based on the enterprise's actual situation, provide the necessary upgrade and configuration optimization suggestions as well as optimization plans for the related hardening measures. Conduct a comprehensive assessment based on the importance of business modules, asset protection and other factors, and quickly give prioritized recommendations for vulnerability repair to minimize security risk.

6 Support and guarantee for security operations

To ensure the long-term stable operation of business systems and the security of business data, the security guarantee mechanism for security operations and personnel management should be improved so that information security management keeps improving. This includes formulating the overall security policy and strategy for information security work and clarifying the overall goals, scope, principles and security framework of security management. Establish a security management system based on the various management contents of security management activities, and establish procedures for the daily management operations performed by operators. Form a comprehensive security management system consisting of security policies, management systems and operating procedures to guide and standardize information security management within the enterprise. The security management system should have strict regulations and release procedures, methods and scope, and should be reviewed and revised regularly.

6.1 Process system guarantee

Establish a complete set of security processes, work plans for formulation, operation and maintenance, and inspection standards applicable to all levels of the enterprise environment, so as to standardize and streamline network security operations in the target environment and ensure the long-term, stable and secure operation of business systems. Security process assurance should follow a relatively fixed model: "people operate continuously under the guidance of security policies with the help of certain security technical means." If security management means cannot be clearly expressed, security technical means will be hard to use effectively. Therefore, security management ideas and methods must first be set down in a policy document, and security processes then formulated on the basis of that policy. Security management must adhere to the principles of clear responsibilities, division of labor and unified management, and coordinate security management work at different levels and across different management scopes under a centralized command mechanism. Specifically, it should include but not be limited to strategic management, management organizations and personnel, system operation, and system construction.

6.2 Technical platform capability support

Security operation platform capability assurance falls into two categories. The first significantly improves the coverage of vulnerability management, threat management, and event management; the second comprises technical capabilities that improve security operation efficiency. The former refers mainly to the linkage of security equipment, which automates vulnerability, threat and event monitoring through the equipment itself and improves the coverage of effective monitoring. The latter refers to security operation management platforms, which mainly provide automated management of vulnerabilities, threats and events.

6.3 Personnel capability support

Personnel capabilities are the core element of a security operation system, and an efficient operation system is inseparable from a high-quality operation service team. The enterprise should have complete job definitions, the necessary staffing and a reasonable organizational structure, cultivate a well-rounded pipeline of operational talent that is both proficient in business knowledge and capable of solving complex problems, and improve the organizational management, emergency response, communication, coordination and linkage capabilities of operational personnel, striving to build a professional, standardized, quasi-military operation support team that protects corporate network security operations.

7 Conclusion

This article has introduced the overall framework of the enterprise security operation system and detailed its construction goals, the four key characteristics of security operation capability, and its standardized processes. It has also summarized the operational indicators and support guarantees behind the security operation system, helping enterprises overcome the limitations on automation and intelligence in security operation management after construction, and providing direction for enterprises to truly build an intelligent and integrated security operation system.

The security operation system is the foundation of enterprise network security construction. It supports and guides the needs and direction of future enterprise security construction. How to continuously improve it, give the business stronger security capabilities, and create more value for the enterprise will remain the key question to think about and optimize for the sustainable development of network security operations.

Source: blog.csdn.net/Arvin_FH/article/details/132718691