Construction of Advanced Enterprise Security

Security is a "bottomless pit". No company's head of security will claim that their systems are 100% secure, and security is not easy to measure or quantify, least of all to assess who does it better than others and by how much. Sometimes we reflect, or feel confused: "We have deployed so many protections; can they actually withstand an attack?", "We spent half a year researching a security product, built it in another half year, and then one day it was abandoned.", "We have been shouting about SDL for years; why does it still not run on its own?", "The business came to us on its own initiative asking for support, but we had no 'nuclear weapons' in hand." ......

This article shares CreditEase's security-building ideas and results at each stage, the challenges faced and pitfalls hit at every step, and the ideas and experience gained, to help security teams explore their own path to building in-house security products and enterprise security capabilities.

1. Background

The company started building its security function in 2013, investing resources to set up a dedicated security team and lay the foundation of its security infrastructure. CreditEase's security construction since then can be roughly divided into three stages:

2013 to 2016 was the V1 stage. Its main achievements: establishing a basic security environment (firewalls, network zoning and isolation, host IDS, network IDS, network access control, anti-virus, etc.); gradually establishing and improving the company's information security management system through the compliance inspections before and after the listing, such as passing MLPS Level 3 and ISO 27001 certification; and setting up our own security emergency response center in 2016.

2016 to 2018 was the V2 stage. Its main outcomes were improving security technology and widening security coverage; taking part in security work on the business side (account security, anti-crawler, SMS interface abuse, human/bot identification, etc.); identifying the relevant SDL processes (we did not adopt the whole thing; only one or two of its methods were actually used); and developing some security tools of our own such as vulnerability scanning and GitHub monitoring.

We are now in the V3 stage, which should continue for roughly the next one to two years. At this stage we have begun to pursue closer joint construction with the business and long-term development, focusing on deeper security capability in particular areas, such as security operations capability and data security.

2. The state a few years ago

The figure summarises the state and development of information security in the industry at the time, and the security projects we had completed as of 2016. That phase of work laid a fairly solid foundation in areas such as the network perimeter and IT, with network access control, endpoint DLP, anti-virus and so on implemented. Endpoint security in particular had a significant effect on basic security: it kept the internal network and office network in a relatively safe state, so that we were not responding to attacks, ransomware or even APT incidents every day and could free up energy for more meaningful work.

3. SDL practice

3.1 SDL Process

At this stage we took as reference the SDL process shared by a product security team, and identified the key aspects that fit our current situation, including training, secure coding standards, and promotion across the company. Security also takes part in the security requirements assessment of important projects, and has built good working relationships with the business, product and technology teams.

It is worth mentioning that cooperation with security inside an enterprise falls into two types: the "blame-shifting" type and the "win-win" type. In both, when something security-related happens, people come to security on the surface, but the underlying motivation differs. The first is mostly about exemption: I have informed you, I have handed the problem to security, I do not even know how security will solve it and do not care what security requires; the rest has nothing to do with me, and if a problem arises, security takes the blame. The second seeks cooperation: I know where the security risks may be, I have specific security requirements for my business, and I need to work with security to solve them and make sure the system goes live safely; the two teams reinforce and improve each other.

These two kinds of cooperation differ markedly in daily interaction and in the security result they ultimately produce. The reasons can be varied: the overall ability and attitude of non-security staff, the effectiveness of security training, and the security team's professionalism and influence (whether it has solved others' security pain points, whether the two sides have fought side by side).

3.2 SDL Case

The two figures above show something we did quite well, call it SDL or DevSecOps: automated checks embedded in the release pipeline, focused on the security of third-party components. They can quickly retrieve which third-party components a released software product contains, and rules can be defined so that a component containing a serious vulnerability blocks the build directly. This part of the work is fully automated, supports Maven, Gradle, Docker and so on, and does not affect continuous delivery. With unified asset management, code repositories, artifact repositories and a CI/CD platform, implementation is much easier and maintenance costs are low; of course none of this is possible without the support of the DevOps team.
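As an added illustration of the build-blocking rule described above (this is example code, not CreditEase's pipeline or any SCA product's API), the following Python gate parses a Maven-style dependency list, matches it against an advisory list with severities, and refuses the build when any hit reaches a configurable severity threshold. The manifest format, the `com.example` coordinates, the version ranges and the `ADV-PLACEHOLDER-*` ids are all constructed; a real pipeline would query an SCA database or an internal advisory feed instead of the in-memory list.

```python
"""Third-party component gate for a build pipeline.

Added example, not CreditEase's own code. The manifest format (Maven-style
group:artifact:version lines), the advisory list and the version ranges are
all constructed for illustration; a real pipeline would query an SCA database
or an internal advisory feed instead of the in-memory list below.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    fixed_in: tuple          # versions strictly below this are affected (constructed)
    severity: str
    advisory_id: str         # placeholder ids, not real CVE numbers


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically.

    Non-numeric suffixes such as '-SNAPSHOT' are stripped per component; a
    component with no digits becomes 0. Good enough for this illustration."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_manifest(text):
    """Parse 'group:artifact:version' lines; blank lines and '#' comments are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":", 2)
        deps.append((group, artifact, version))
    return deps


def find_vulnerable(deps, advisories):
    """Match each dependency against the advisories; return (coordinate, advisory) pairs."""
    hits = []
    for group, artifact, version in deps:
        for adv in advisories:
            same_component = (adv.group, adv.artifact) == (group, artifact)
            if same_component and parse_version(version) < adv.fixed_in:
                hits.append((f"{group}:{artifact}:{version}", adv))
    return hits


def build_decision(deps, advisories, block_at="high"):
    """Return (allowed, hits): the build is blocked if any hit is at or above block_at."""
    hits = find_vulnerable(deps, advisories)
    threshold = SEVERITY_RANK[block_at]
    blocking = [h for h in hits if SEVERITY_RANK[h[1].severity] >= threshold]
    return len(blocking) == 0, hits


# Constructed sample manifest and advisories (illustrative coordinates and versions only)
SAMPLE_MANIFEST = """
# constructed dependency list, not a real project's
com.example:json-parser:1.2.0
com.example:http-client:4.5.9
com.example:logging-core:2.0.3
"""
SAMPLE_ADVISORIES = [
    Advisory("com.example", "json-parser", (1, 3, 0), "critical", "ADV-PLACEHOLDER-001"),
    Advisory("com.example", "logging-core", (2, 0, 1), "high", "ADV-PLACEHOLDER-002"),
    Advisory("com.example", "http-client", (4, 6, 0), "low", "ADV-PLACEHOLDER-003"),
]

if __name__ == "__main__":
    allowed, hits = build_decision(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES)
    for coordinate, adv in hits:
        print(f"{coordinate}: {adv.severity} ({adv.advisory_id})")
    print("build allowed" if allowed else "build blocked")
```

The threshold is the policy knob the page mentions: lower hits are still reported so the team can track them, but only findings at or above `block_at` stop the build, which keeps continuous delivery flowing for low-severity noise.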

3.3 SDL Threat Modeling

This year we also tried SDL threat modeling, designing modeling rules for our own needs, including data security requirements, audit requirements and other key concerns. This work is still a small-scale pilot at the exploratory stage; many things remain to be solved and optimised in both process and tooling. Once it matures, we will consider investing more security testing and security service staff to roll it out across the company.

3.4 SDL white-box scanning

For white-box code audit we also invested a small amount of resources in wrapping a code-audit platform whose core depends on SonarQube and FindBugs Security; it supports rules we write ourselves, triggered scans, scans of uploaded source code, and automatic submission of findings as vulnerabilities. The largest effort, however, goes into operating the rules and eliminating false positives, and we have not found a better solution; we have also heard the suggestion to simplify the rules early on, that is, "rather miss some than raise false alarms". Its current main uses: security staff upload source code for ad hoc scans when needed, and a weekly test report is sent for certain projects that have been onboarded for scanning.

3.5 SDL passive scanning

Another SDL attempt is passive scanning, which replays test-environment traffic collected by the quicksand platform. The general idea has been shared by many before: replace the cookie and request parameters to find unauthorized access, vertical privilege escalation, horizontal privilege escalation and other security issues. The difficulty again lies in optimising the rules and collecting the common patterns of the company's business (such as error-page hints). So far the scanner has found a few high-risk problems, but the ratio of investment to output is still expensive. Achieving high scanning accuracy and enough automation for sustainable operating results requires a fairly large human investment, so it depends on the team's choice. Recently I have seen some teams at home and abroad using AI to improve the efficiency of security testing, or even to replace manual security testing of projects; I cannot judge whether it will land well in the short term, but I agree with the saying "people get tired, machines do not".

3.6 SDL Vulnerability Management

Vulnerability management relies mainly on the Insight platform, which includes application asset management, vulnerability lifecycle management and a security knowledge base. Insight was open-sourced last year, and the number of users exceeded our expectations; judging from the consulting exchanges in the WeChat community group, most users' security teams have one to five people, and they come from the internet, manufacturing, logistics and other industries. Whenever someone adds us on WeChat asking for help deploying, configuring or using Insight, it takes some of our working time to answer or solve the problem (we do reflect on the software quality issues), but we are still very glad to be able to genuinely help security peers.

It also prompted some reflection on my part:

First, many companies have limited security investment and genuinely need good open-source solutions;

Second, B-side (enterprise) products need some thought: sometimes a product needs subtraction, since "large and comprehensive" may not be what everyone needs, and it should also be easy to deploy and configure.

Insight open-source address: https://github.com/creditease-sec/×××ight

4. Insight 2.0

This year we will open-source Insight 2.0.

First, interaction, functionality and business logic are optimised to improve ease of use;

Second, vulnerability operations data and reporting are improved, so the overall security situation is easier to see;

Third, the biggest update: the former SRC back-end functions are merged in, so that enterprises can build their own customised security emergency response center and manage vulnerabilities from all sources in one place.

The figure is a prototype; it is currently under development, and security colleagues who need it can look forward to it.

5. The quicksand platform

Another topic I have heard discussed more often in the past year is each in-house (Party A) team's SIEM and SOC. There are large commercial data-security products, platforms like Splunk (Splunk Enterprise Security), and open-source solutions based on ELK. We chose the third; at the current stage it gives us good collection and storage, plus some not very complex computation on the data.

Data comes from switch mirrored traffic, log files, and syslog from each security device. An architect designed a pre-processing program that implements data access configuration, filtering, formatting, assembly, tagging, desensitization (masking) and so on, with part of the core code written in Go to improve processing performance.

The figure is the overall "quicksand" platform architecture, together with its hardware resources, data volume and write speed. With the data in place, the current application scenarios include asset discovery, weak-password detection and information-leak detection; these can be implemented with simple rules and do not require complex computation.
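To make the pre-processing chain concrete (filter, format, assemble, tag, desensitize), here is an added Python example that is not the quicksand platform's code: it takes a handful of constructed BSD-syslog lines, drops what does not parse or is too noisy, lifts key=value pairs out of the message, tags each event with an assumed app-to-category mapping, and masks mobile numbers and e-mail local parts before the event is stored. The masking patterns, host names and log lines are constructed for the example; mirrored switch traffic, which the real platform also ingests, is out of scope here.

```python
"""Minimal log pre-processing pipeline: filter, format, assemble, tag, desensitize.

Added example, not the quicksand platform's code. The syslog lines, the
app-to-category mapping and the masking patterns below are all constructed for
illustration; the real pipeline also ingests mirrored switch traffic, which is
out of scope here.
"""
import re

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
PHONE_RE = re.compile(r"(?<!\d)(1\d{2})\d{4}(\d{4})(?!\d)")   # 11-digit mobile number (constructed pattern)
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*(@[A-Za-z0-9.-]+)")

# tag step: which security domain an emitting program belongs to (assumed mapping)
APP_CATEGORY = {"fw": "network", "sshd": "host", "dlp-agent": "endpoint"}


def desensitize(text):
    """Mask mobile numbers (keep first 3 and last 4 digits) and the local part of e-mails."""
    text = PHONE_RE.sub(lambda m: f"{m.group(1)}****{m.group(2)}", text)
    return EMAIL_RE.sub(lambda m: f"{m.group(1)}***{m.group(2)}", text)


def parse_syslog(line):
    """Format step: split a BSD-syslog line into fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "ts": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg")}


def assemble(event):
    """Assemble step: lift key=value pairs out of the free-text message into a dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(event["msg"])}
    return {**event, "fields": fields}


def process(lines, drop_at_severity=7):
    """Run the whole chain; lines at or above drop_at_severity (7 = debug) are filtered out."""
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["severity"] >= drop_at_severity:
            continue                                              # filter: unparsable or noise
        ev = assemble(ev)
        ev["category"] = APP_CATEGORY.get(ev["app"], "unknown")  # tag
        ev["msg"] = desensitize(ev["msg"])                         # desensitize free text
        ev["fields"] = {k: desensitize(v) for k, v in ev["fields"].items()}  # and each field
        out.append(ev)
    return out


SAMPLE_LINES = [  # constructed log lines, not from any real system
    "<34>Jun  1 10:00:01 fw01 fw: action=deny src=10.1.2.3 dst=10.9.9.9 dport=445",
    "<38>Jun  1 10:00:02 app01 sshd: Failed password for invalid user admin from 10.1.2.3 port 51234",
    "<14>Jun  1 10:00:03 pc-0042 dlp-agent: user=zhang.san@example.com phone=13812345678 rule=id-card-export",
    "<15>Jun  1 10:00:04 app01 myapp: debug trace, dropped by the filter",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev["category"], ev["host"], ev["app"], ev["fields"] or ev["msg"])
```

Masking is applied both to the raw message and to each extracted field, so a downstream query on `fields["phone"]` never sees the full number; the original is not retained anywhere in the event, which is the point of doing desensitization before storage rather than at display time.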

For details see: Quicksand: CreditEase security big data practice

5.1 Quicksand application: internal control

On top of the quicksand security big-data platform, how to support more complex security analysis and correlation analysis scenarios is something we want to focus on in the follow-up development.

The figure shows an upper-layer application built earlier for internal control, which colleagues also shared at QCon. It collects in real time logins and queries from internal business systems, employee online behaviour (custom rules), DNS, GitLab, Wiki and DLP alerts.

First, it audits business operations, recording the operational behaviour on the system, such as who accessed what sensitive data and when, for traceability;

Second, it analyses, for instance, someone whose operations differ from those of others in the same post; clustering locates high-risk staff, on whom we then focus.

The figure is the information we compiled about the users of our assets.

6. Self-developed WAF product

Gradually replace commercial WAF products with one that:

  • Has traditional web security defence capability

  • Has CC attack protection capability

  • Has anti-crawler protection capability

  • Has information-leak prevention capability

  • Includes data analysis capability to identify abnormal traffic

6.1 Yiren Shield

Let us focus on our self-developed WAF product, Yiren Shield. It took about a year and a half in total, across three major iterations; the security team put in eight people for system design, development and collection of protection rules, one colleague was responsible for the installation package and deployment (operations), and two test engineers assisted with stress testing.

Before that we used commercial WAF appliances from a vendor in Gartner's leaders quadrant, buying about 10 units over the past few years. The product itself is very good and, once we were skilled with it, fairly stable, but it also had some drawbacks:

  • First, a traditional rule-based product protects strongly against malicious requests, but context-based protection over a time window, such as against crawlers, is relatively weak, and enabling that part of the features costs overall hardware performance;
  • Second, the hardware must be inserted inline into the network; every new service, new network zone or new device requires racking, so the implementation cycle is long;
  • Third, horizontal scaling capability is weak: when a traffic bottleneck is hit, one can only scale up a single point or split the traffic, which is a big change.

In summary, with commercial products still in place, we started building Yiren Shield ourselves, in line with the software-defined security (SDS) trend (thanks to the strong support of company leadership). Yiren Shield is built on OpenResty and extended into three parts: the gateway, the big-data analytics platform, and the back-office operations end; all configuration is shared through Redis, from which the gateways read it. Its protections include web protection, CC protection, blacklist protection, semantic-recognition protection, sensitive-data protection and AI protection. Product design and development follow commercial-product standards: more than 100 selected basic rules, custom rules, global and per-domain black/white lists, each protection switch can be turned on independently per domain, report queries and every intercepted event are distinguished by domain, and usability and interaction have been polished.

Platform features

  • Software-defined, horizontally scalable
  • Fast onboarding

Current progress and operation

  • Continuous iteration for a year and a half
  • Now covers all of Yirendai
  • Stress-test peak throughput: 5000 qps (2C8G)

Yiren Shield now covers all of Yirendai. As a gateway product, its performance and stability requirements are relatively high, so with the support of two test colleagues we did a lot of stress testing early on. On a 2C8G virtual machine Yiren Shield reaches 5000 QPS, which meets our requirements. At the same time we monitor each service (MQ, Flink, counter service, Redis, a full end-to-end path check, etc.), with a dedicated system-status function in the back office where one can see the state of each domain connected to each Yiren Shield node, and whether a node is producing false alarms. For querying each protection event we also did a lot of optimisation, so queries remain fast as the number of intercepts keeps growing.

Using machine learning to identify high- and low-frequency crawlers

  • Serialize URL accesses
  • Form an access path ordered by time
  • Extract cycles (rings) from the graph
  • Cluster to identify abnormal IPs and SIDs

CC attacks and crawler behaviour that traditional rules find hard to identify are key goals for Yiren Shield. In addition to UA and IP blacklists and per-IP / per-SID access-frequency checks on a single interface, we added algorithms to identify abnormal access of this kind.
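The per-interface frequency check and blacklist just mentioned are the rule-based layer under the behavioural models. As an added example that is not Yiren Shield's code, the Python below keeps a sliding-window counter per IP and per session id, scoped to one interface, and returns a block reason when a blacklist or a limit is hit. The thresholds, the `/api/sms-code` interface name and the request sample are constructed; in-memory counters stand in for the shared storage a multi-node gateway would use (the page says configuration is shared through Redis).

```python
"""Per-interface access-frequency guard with a blacklist, as a WAF gateway would apply it.

Added example, not Yiren Shield's code. It keeps counters in memory and uses a
fixed sliding window; in a multi-node gateway the counters and the blacklist
would live in shared storage. Thresholds and the request sample are constructed.
"""
from collections import defaultdict, deque


class FrequencyGuard:
    def __init__(self, window_seconds, limits, blacklist=()):
        # limits: max requests per key, per interface, inside one window, e.g. {"ip": 5, "sid": 3}
        self.window = window_seconds
        self.limits = limits
        self.blacklist = set(blacklist)
        self.hits = defaultdict(deque)     # (dimension, key, interface) -> request timestamps

    def _count(self, dimension, key, interface, now):
        """Record this request and return how many fall inside the window ending now."""
        q = self.hits[(dimension, key, interface)]
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, now, ip, sid, interface):
        """Return 'allow' or 'block:<reason>'. Blacklist wins; then IP, then session frequency."""
        if ip in self.blacklist:
            return "block:blacklist"
        for dimension, key in (("ip", ip), ("sid", sid)):
            if key is None or dimension not in self.limits:
                continue
            if self._count(dimension, key, interface, now) > self.limits[dimension]:
                return f"block:{dimension}-frequency"
        return "allow"


def run(requests, guard):
    """Apply the guard to (timestamp, ip, sid, interface) tuples in order; return the decisions."""
    return [guard.check(*req) for req in requests]


# Constructed traffic: one source cycling through fresh session ids against the same
# interface, which a per-session limit alone would never catch.
SAMPLE_REQUESTS = [(t, "10.0.0.1", f"sid-{t}", "/api/sms-code") for t in range(7)]
SAMPLE_REQUESTS += [
    (6, "10.0.0.1", "sid-x", "/api/articles"),    # other interface: separate counter
    (20, "10.0.0.1", "sid-y", "/api/sms-code"),   # window expired: counter has reset
    (21, "10.0.0.9", "sid-z", "/api/sms-code"),   # blacklisted source
]


def demo():
    guard = FrequencyGuard(window_seconds=10, limits={"ip": 5, "sid": 3}, blacklist={"10.0.0.9"})
    return run(SAMPLE_REQUESTS, guard)


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, demo()):
        print(req, "->", decision)
```

Blocked requests still count toward the window, so a source that keeps hammering stays blocked until it actually backs off; counting only allowed requests would let it probe the limit continuously.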

For example, the "path clustering model" used in the Yiren Shield data-analysis platform: extract the accesses over a period of time, serialize the URL accesses to form the access path, extract the cycles in the graph (a cycle may be a single node), compute their frequency, and cluster to identify abnormal IPs and SIDs.

In the example figure, the marked first IP accessed URL [2835] 86 times; the second IP accessed [2821, 2832, 2827] 14 times, and another cycle 36 times. Note that the path is ordered by time, not by Referer, and the graph computation uses the NetworkX library, which may be worth looking into. Once live, we discovered crawling of wealth-management articles, as well as sign-in refreshing and other "wool-pulling" (promotion abuse) behaviour, which met our expectations.
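The cycle extraction in the preceding two paragraphs, as an added Python example rather than Yiren Shield's code: each client's accesses are serialized by time, the time-ordered path is walked, and every revisit of a URL that is still on the current walk closes one cycle (a URL hit twice in a row is a one-node ring, like [2835] above). It uses only the standard library instead of NetworkX, and a plain repeat-count threshold stands in for the page's clustering step; the URL ids, client keys and traffic are constructed so that the first client reproduces the "86 times" single-node case and the second the 14-repeat three-node cycle.

```python
"""Access-path cycle extraction for crawler detection.

Added example, not Yiren Shield's code. The page's model serialises each client's
URL accesses by time, extracts cycles from the resulting graph with NetworkX, and
clusters by cycle frequency. This standalone version walks the time-ordered path
directly (standard library only) and replaces the clustering step with a plain
repeat-count threshold; URL ids, client keys and the traffic below are constructed.
"""
from collections import Counter, defaultdict


def serialize_paths(events):
    """events: (timestamp, client_key, url_id). Group by client, ordered by time, not by Referer."""
    paths = defaultdict(list)
    for _ts, key, url in sorted(events):
        paths[key].append(url)
    return dict(paths)


def canonical(cycle):
    """Rotate so the same ring is counted once regardless of where the walk entered it."""
    rotations = [cycle[i:] + cycle[:i] for i in range(len(cycle))]
    return min(rotations)


def extract_cycles(path):
    """Count the cycles a client walks. Revisiting a URL that is still on the current walk
    closes one cycle from that URL to the present; a URL hit twice in a row is a one-node ring."""
    counts = Counter()
    walk = []
    for url in path:
        if url in walk:
            i = walk.index(url)
            counts[canonical(tuple(walk[i:]))] += 1
            walk = walk[:i + 1]          # the revisit becomes the new tail of the walk
        else:
            walk.append(url)
    return counts


def flag_abnormal(paths, min_repeats):
    """Return {client: (cycle, repeats)} for clients whose dominant cycle repeats >= min_repeats.
    A fixed threshold stands in for the clustering step of the original model."""
    flagged = {}
    for key, path in paths.items():
        cycles = extract_cycles(path)
        if not cycles:
            continue
        cycle, repeats = cycles.most_common(1)[0]
        if repeats >= min_repeats:
            flagged[key] = (cycle, repeats)
    return flagged


def build_sample_events():
    """Constructed traffic: one client hammering a single URL, one looping over three
    article pages, one browsing normally with a single backtrack."""
    sequences = {
        "ip-A": [2835] * 87,
        "ip-B": [2821, 2832, 2827] * 15,
        "ip-C": [1001, 1002, 1003, 1004, 1005, 1002, 1006],
    }
    events, ts = [], 0
    for key, urls in sequences.items():
        for url in urls:
            events.append((ts, key, url))
            ts += 1
    return events


if __name__ == "__main__":
    paths = serialize_paths(build_sample_events())
    for key, (cycle, repeats) in flag_abnormal(paths, min_repeats=10).items():
        print(f"{key}: cycle {list(cycle)} repeated {repeats} times")
```

The normal browser in the sample also closes one small cycle (a back-button style revisit), which is why the decision is made on how often a client's dominant cycle repeats rather than on whether any cycle exists at all.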

7. What we are doing now

The above are some of the things we did in the past two years, together with some of my own takeaways:

  • Security system projects benefit from iterative development; with a clear target output, efficiency can improve a lot;
  • A bad plan is better than no plan. In the course of planning, for example through brainstorming, we can contribute more innovation and ideas, and the plan must also look at risk points: how long investment can continue, whether the project risks being stopped, whether core staff are unstable, whether the chosen architecture or development language fits the team, and so on, to avoid unfinished projects.
  • At the security-product level, vendor (Party B) products increasingly fit the real needs of customers (Party A) and land better and better, and for niche products a more suitable solution can be found; apart from a few vendors, self-development should be thought over carefully. Combine short-, medium- and long-term changes, and try to stay close to the enterprise's long-term development needs.
  • In terms of security services, attack/defence confrontation, SDL and other areas close to traditional security, many companies still have plenty of room for practice and optimisation, and recently we have seen more discussion in this area, such as the ATT&CK matrix and Didi's continued SDL construction.

This year we have also set up several projects; in addition to Insight 2.0 mentioned above, we want to contribute more to the open-source community. Two of these projects are more important.

The first project, code-named "super scanner", finds external assets by various means (internal work orders, the CMDB, search engines, CMS fingerprints, etc.), monitors GitLab and dark-web negative public opinion, improves security testing efficiency, and helps push SDL responsibility, reusing the previously developed distributed security service orchestration service "Sumeru" and its crawler services. "Do asset discovery the way an attacker does, deeply integrated into the SDL" is the original intention behind the project.

The second project, code-named "security awareness", re-integrates and extends quicksand, internal control and the office-network security audit system. Data security is increasingly treated as a topic in its own right and has become one of the core security issues. The "Data Security Law" has entered the legislative stage; whether from the perspective of security building, compliance or enterprise strategy, many leading enterprises in the industry have shifted to a "data-centric security strategy". So the focus of this project is data security: use the application-layer data of interest, connect all kinds of available security information, configure relationships easily, and let each class of business system or scenario set up its own detection model, so that it can serve as an intelligent audit product. Of course, this is only one corner of data security governance: data security policy, a data security committee, data classification and grading, operational processes, reward and punishment systems, traditional database desensitization, data leak prevention, data file transfer (ferry), data maps, data security release and so on together make up a complete data security domain; there is a lot to do, and it is very complicated.

Author: Wang Zhe

First published by: CreditEase NSIRT

Source: blog.51cto.com/14159827/2408895