How to be a good chief security officer: enterprise security system and architecture implementation - Security Village

Posted by millikan at 2020-03-23

Recently, when chatting with friends in the industry, I have often been asked similar questions: "Why do we rarely hear of real CSO or CISO positions and people in China?", "How does one become the security director of an enterprise?", "What abilities should an enterprise security director have?" and so on. In addition, several media reporters have been interested in the topic of cyber security over the past two weeks and wanted to collect material for a few security-related pieces; they came to me to discuss some basic concepts they did not understand, such as "Security is just digging for vulnerabilities, right?" and "Does the enterprise security team spend every day catching hackers?" I felt it was necessary to write something and make my voice heard as far as I can. Whether it is right or not does not matter much; at most it can serve as a reference for conversation.

First of all, CSO and CISO have not been established as formal positions in many enterprises. What we actually see is "the first person in charge of the company's information security", which is easy to understand, and that is the sense in which "chief security officer" is used here. In addition, the scope of the discussion is limited to Party A companies (the client side, as opposed to security vendors), that is, the field of "enterprise security". After that long preamble, to the point: the twelve basic capability elements of a chief security officer.

Article 1: business understanding and empowerment

Business, business, business; important things are said three times! A senior security person should have sufficient knowledge and understanding of their own business and industry. What is the business model? What makes money? How is the money spent? How is the business structured? What are the core business capabilities? Which core business processes support them? What are the supporting processes and functions? How are business responsibilities divided? Who are the key business people and teams? Which systems support the core business? Who are the key people on the technical team? And so on. Ask yourself "why" more often. Getting this information and understanding it clearly is not difficult; even in large Internet companies and large groups, taking the core business as the starting point is entirely feasible and the time required is acceptable. With this information accumulated, information security work can be done more realistically and in closer alignment with the business, and the value of information security is more easily demonstrated. Once the business has confidence and trust in the information security team, the days of working together, endorsing and empowering each other will not be far off. I have seen too many cases where security staff shut themselves in the office, poring over plans and code, with no idea which business departments and teams are involved or what they are doing, and yet they expect to escort the business. Do you believe that works?

Article 2: Security Governance and strategic planning

When it comes to security governance, the first reaction of many friends who work on management systems is to "set up a company-level information security committee". Of course, that provides channels to senior leadership and a voice, but without such a committee, does information security work not get done, or cannot be done? Obviously not. Beyond the organizational guarantee and resource input that are usually mentioned, security governance here is considered from the following five aspects:

1) Strategic alignment. The strategy and focus of information security should always be consistent with the business strategy, layout, expansion and other plans. This sounds simple, but it is not easy to do, especially in organizations that develop and change rapidly; it tests the security leader's business understanding, ability to manage a large team, and ability to deliver resources. If it fails, the usual consequences are that the security team becomes a fire brigade, the business "runs naked" (operates without protection), and leadership gradually loses confidence in security. What that means needs no further words.

2) Value realization. Information security is valuable! Nobody in security will object to that, but how is it demonstrated, that is, how is it realized? Enterprise information security is not only security products and security technology; good wine still fears a deep alley. Security technology that is not recognized by the business and ultimately produces no applied effect is just the information security department entertaining itself. Whether it is forward-looking research or practical technology and products, how the cost put into the information security department is transformed into productivity, technical barriers for the product, commercial competitive advantage and business support capability is a test of the CSO's ability.

3) Risk optimization. Risk is "the uncertain factors that affect the achievement of objectives" (the definition comes from Nicholas Simon Wu; a very simplified reading, for reference only). Information security work has never been aimless, still less a showcase for capability or personal preference. Where is the focus of the work? On the places that may affect the survival and development of current and future business, and on the areas that could send the company back to zero. Optimizing risk management capability, optimizing the information security battlefield situation, and moving from passive to active capability are the key optimization requirements for information security risk. Guided by business and risk, driven by threats, and working in depth across management, technology and people; across business capability, security risk management and control capability, and security supervision and audit capability; and across the extended business areas, the virtual boundary areas and the core competence areas, comprehensive security risk integration and optimization is carried out to improve the ability to perceive, control, dispose of and iterate.

4) Efficiency of resource delivery. A mountain need not be high to be famous if an immortal lives there; a team need not be large if it can be put to use. In security governance we need to solve the problem of how efficiently security resources are delivered. The total number of security staff is limited, recruitment is difficult, the internal team size is limited, and financial support is within a certain budget range. Whether resources are used reasonably and their value maximized has to be managed, whether by ROI (return on investment), by ALE (annualized loss expectancy) and the difference between expected loss and control cost, or by other methods; the management skill is to put resources where they belong, "good steel on the blade's edge". In this respect the management maturity of the security team and its ability to fully understand and control security face great challenges.

5) Measurement and evaluation. Measuring and evaluating the security effect and the use of resources is the core of presenting results in security governance. Value that cannot be measured can serve as a beautiful PR statement, but if you try to use that statement to ask senior management for resources or discuss performance, the result may not be beautiful. There is not much reference material on security metric systems and evaluation methods, but the risk management and metric methods of the financial industry and the information security measurement method in ISO 27004 can be consulted. What actually works in practice, however, is a set of targeted evaluation indicators built from the enterprise's real business situation together with the security system: for example, coverage rate, accuracy (precision), recall rate and stability for capabilities being built, and mean incident response time and mean vulnerability repair time for operations.

These five aspects are the key issues in security governance, and also the key success factors that test management ability, global vision and control. In addition, for the security strategic planning mentioned above, readers who need it should look at the EA (Enterprise Architecture) method, although applying it requires a strong security capability background.

Article 3: security risk management

Many people have heard of the concept of risk-based information security, but not many in the industry practise it. Traditional security risk assessment starts from assets, threats and vulnerabilities, with ISO/IEC 13335 as the main reference method, and most Party B security companies (vendors) follow this routine. The advantages are a mature methodology, sufficient reference basis and strong generality, but there are also some obvious shortcomings: the assets are mainly traditional assets such as servers, equipment and information systems, and the assessment starts from the asset list. In large-scale enterprises, fast-growing enterprises and enterprises with heavy data assets this leads to problems such as heavyweight methods, unclear benefits, difficulty keeping up with change and no clear priorities, which produce a large discrepancy between the risk assessment results and the actual situation. In addition, the consistency with business scenarios is low, as if the risk assessment team were talking to itself.

In the traditional enterprise risk management method, business is the core perspective: through the core business value chain > business process > business risk > risk management and control measures > risk assessment and audit, and so on, enterprise risk management is implemented step by step, while risk appetite and tolerance constrain and correct the risk control behaviour and resource investment. Reference methods include enterprise-wide risk management, COSO ERM, ISO 31000 and other domestic and foreign best-practice requirements. The advantages of these methods are that they are universal, follow the compliance requirements of the capital markets and the corporate governance requirements of listed companies well, offer a comprehensive risk framework and link the decomposition levels together. The weakness is that once security risk management requirements are introduced, the framework lacks a security-perspective analysis process, the corresponding solution implementation capability, and the connection to mainstream security controls such as security technology and security management; whether the expected effect is achieved depends on whether the implementation team has both comprehensive risk management and solid security ability.

Therefore, security risk management can learn from both schools. After identifying the business risk, we are not in a hurry to attach control measures; instead we identify the information-security-related scenarios within the business risk and then decompose them into technical schemes and management measures.

Enterprise core business value chain => business process => business risk => security risk => security management and control => security scheme => enterprise security implementation practice

Business risk and security risk are linked through security threats, technical architecture and security scenarios, so that security fits the business. At the same time, based on current security technology implementation capability, continuous adaptive risk and trust assessment (CARTA) is entirely possible.

Beginning with the end in mind, five common categories of security risk objectives are summarized here, for reference only.

Article 4: security technology and architecture

Security technology is not vulnerabilities, a security system is not ISO 27001, and security architecture is not a cluster deployment. These are very simple concepts and distinctions, yet security people often confuse themselves. Security technology and architecture are the basic work of enterprise security; the implementation of a technical scheme is in fact the extension and landing of a security management concept. Problems that technology can solve should not be controlled entirely by people and policy requirements; that is simple and needs no further words. Security technology and architecture emphasize the enterprise's defense-in-depth capability, the analysis and perception capability aimed at shortening the window in which an attacker can act freely, and the security technology operation capability aimed at reducing mean detection time and mean response time. The concept of defense in depth is more than ten years old, but it is still not out of date in enterprise security. From the extended business environment, logical boundaries and security domains down to the core component areas, layer-by-layer perception, management and control capabilities, dynamic defense and detection mechanisms, offline analysis capability and so on are built and operated, so that in-depth technical mechanisms exist before, during and after an event and provide richer means and scenarios for attack-and-defense confrontation. The technical architecture of enterprise security can be viewed horizontally and vertically. Horizontally it can be simply listed as the product area, the production area, the intranet area and the partner area.

The vertical technical architecture can be divided by technology stack into the physical layer, network layer, host layer, data layer, application layer and management layer. Corresponding capabilities are deployed at each level, and information linkage and cooperative defense are implemented across levels.

Article 5: security management

It is rumoured in the Jianghu that there are various schools of security. One of them is the management standards school, whose secret manual is "BS 7799, ISO 17799, ISO 27001" (a special note: some of the students who talk about management with these numbers on their lips may not be clear about what BS and ISO are). It often appears in Party A security management, consulting companies and Party B security service teams. Because of this deep-rooted impression of the industry, security management is thought to be the splicing together of some "policies" and "standards", or even rote learning (in fact many people do exactly that, so others cannot be blamed for the impression).

Security management is a very important part of enterprise security. It provides the management, policy basis and process guarantee for information security. A society under the rule of law often says "there must be laws to follow, the laws must be followed, enforcement must be strict, and violations must be punished". Security management is the most important capability for building that "legal environment" inside the company: what can be done, what cannot be done, how to do it, what the consequences are, the distribution of powers and responsibilities, the tone of the culture, and so on are all agreed through various policies, norms, processes and documents. In a sense, the application of security technology is also the extension and realization of a management concept. Back to the concrete work: security management is not simply equivalent to policies and standards. Depending on the company's situation and management style, one security management specification may cover most of the common scenarios, so there is no need to produce a whole document system at once. Even when a management system does have to be built, there are different starting points in every direction. You can start from the few most urgent and painful management demands, such as company accounts, permission management requirements and a data confidentiality policy, and build a proper balance between business operation and security control; that is a real test of the security director's management wisdom. "An army has no constant formation, and water has no constant shape." Having no fixed form does not mean things can be "disorderly"; turning security management into routine fire-fighting is a management tragedy. Security management is a combination of art and technique, and for a CSO the higher level of the craft is for security management to be systematic yet leave no trace.

Article 6: business security and risk control

At present, business security is practised in depth in Internet companies and the financial industry, and team sizes and technical capability have accumulated to a certain extent. Cheating, "wool collecting" (bonus and coupon abuse), fake orders and coupon farming, blacklists and blacklisted devices, account bans, game cheats (external hooks) and so on are common keywords in this field, especially for Internet businesses. However, if we take a wider view, the scope of industries is broader, and the content and keywords of business security and risk control become more precise and reasonable.
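The keywords above (bonus abuse, fake orders, blacklisted devices, account bans) usually boil down to rules run over a stream of business events. The following is an added example, not code from the article, showing the two most common building blocks of such a risk-control rule engine: a hard blacklist check and sliding-window velocity rules keyed on device or IP. All events, device identifiers, thresholds and windows are constructed for the illustration and are not recommendations.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): devices known to be bad, and a stream of
# business events. Nothing here comes from the article.
DEVICE_BLACKLIST = {"dev-bad-001"}

# Velocity rules: (rule name, key field, action, sliding window, max events allowed in window).
# Thresholds are illustrative assumptions.
RULES = [
    ("many_signups_per_device", "device", "signup", timedelta(minutes=10), 2),
    ("coupon_farming_per_ip", "ip", "coupon", timedelta(hours=1), 3),
]

def _t(hhmm):
    return datetime(2020, 3, 23, int(hhmm[:2]), int(hhmm[3:]))

EVENTS = [
    {"id": "e1", "ts": _t("09:00"), "action": "signup", "device": "dev-a", "ip": "10.0.0.1"},
    {"id": "e2", "ts": _t("09:03"), "action": "signup", "device": "dev-a", "ip": "10.0.0.1"},
    {"id": "e3", "ts": _t("09:05"), "action": "signup", "device": "dev-a", "ip": "10.0.0.2"},
    {"id": "e4", "ts": _t("09:20"), "action": "signup", "device": "dev-a", "ip": "10.0.0.3"},
    {"id": "e5", "ts": _t("10:00"), "action": "coupon", "device": "dev-b", "ip": "10.0.0.9"},
    {"id": "e6", "ts": _t("10:10"), "action": "coupon", "device": "dev-c", "ip": "10.0.0.9"},
    {"id": "e7", "ts": _t("10:20"), "action": "coupon", "device": "dev-d", "ip": "10.0.0.9"},
    {"id": "e8", "ts": _t("10:30"), "action": "coupon", "device": "dev-e", "ip": "10.0.0.9"},
    {"id": "e9", "ts": _t("11:00"), "action": "signup", "device": "dev-bad-001", "ip": "10.0.0.4"},
]

def evaluate(events):
    """Walk events in time order and decide allow / review / block for each one.

    A per-(rule, key) deque keeps only the timestamps inside the sliding window, so the
    check is O(1) amortized per event and cheap enough to run synchronously in the
    request path.
    """
    windows = defaultdict(deque)
    decisions = []
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = []
        if e["device"] in DEVICE_BLACKLIST:
            reasons.append("blacklisted_device")
        for name, field, action, window, limit in RULES:
            if e["action"] != action:
                continue
            q = windows[(name, e[field])]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:      # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > limit:
                reasons.append(name)
        if "blacklisted_device" in reasons:
            decision = "block"                  # hard signal: deny outright
        elif reasons:
            decision = "review"                 # soft signal: route to manual or async verification
        else:
            decision = "allow"
        decisions.append({"id": e["id"], "decision": decision, "reasons": reasons})
    return decisions

def decision_map(events):
    """Convenience view: event id -> decision."""
    return {d["id"]: d["decision"] for d in evaluate(events)}

if __name__ == "__main__":
    for d in evaluate(EVENTS):
        print(d)
```

The split between "block" for a hard signal and "review" for a velocity hit mirrors the online versus offline handling discussed under operations below: a blacklist match can be enforced synchronously, while a velocity anomaly is better handed to a slower, full-data check than denied outright, since a NAT gateway or a campus network can legitimately produce many events from one IP.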

Business security and risk control often involve the following areas:

Article 7: security operations

The several directions above mostly introduced methods, frameworks, commonly used technologies and theories; it can be understood that the perspective was focused on construction. Of course, whether it is acquiring perception capability, analysis capability, protection capability and so on (whether by in-house development, external procurement, cooperation and sharing, etc.), it can generally be summed up under the dimension of construction: capabilities do not appear from nowhere, they have to be obtained in some necessary way, and the cost of obtaining them is not only money and people; for enterprise security, the time cost is likely to be greater than the other costs, so reasonable ways and means also test the CSO's governance philosophy. Back to the topic of operations: emphasizing construction over operations is a common problem in many companies. There are not many companies at home or abroad whose names alone earn people's admiration. In my consulting career I was lucky to serve clients around the world and to go deep inside these companies to "look, listen, ask and feel the pulse" and treat the patient, which is far more interesting than people imagine. It is not difficult to stack up security equipment, systems and products; what is difficult is to use them, to have someone responsible for them, and to get them used well, because only then is their value realized. How is the value of security demonstrated? The value in the security operations field can be very real and down to earth. Deploy the right capability in the right place: in the construction period, coverage, precision and recall are the indicators and capabilities to focus on; in the operations period, MTTD (mean time to detect) and MTTR (mean time to respond) matter more, because these two indicators reflect the ability to perceive, discover and manage. Indicators and priorities differ by period.

This is a place where it is easy to take a detour. In addition, in the operational state, the use of online and offline capabilities, the sensible arrangement of serial and parallel modes, and the use of "inspect" and "kill" means are also very important. Defensive disposal is done through online capability; defect detection and verification are done through offline capability, which feeds back into the optimization of online scenario rules. More complex business environment requirements can be met through synchronous intervention and disposal capability in serial mode and asynchronous full-volume verification capability in parallel mode. The ability to "inspect" and "kill" from a God's-eye perspective and a judge's perspective satisfies the choice between real-time confrontation and systematic, overall-layout confrontation.
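Article 2 names ROI and ALE for resource allocation and coverage, precision and recall for capabilities under construction, and the paragraph above adds MTTD and MTTR for operations. The following is an added example, not code from the article, that computes all of these from a small set of constructed figures so the definitions are unambiguous: ALE as asset value times exposure factor times annualized rate of occurrence, ROSI as loss avoided minus control cost relative to cost, precision and recall from a set of flagged versus confirmed entities, and MTTD/MTTR from compromise, detection and containment timestamps. The asset value, rates, costs and incident records are hypothetical.

```python
from datetime import datetime
from statistics import mean

# ---- Resource allocation: ALE and ROSI (Article 2, item 4) ----

def ale(asset_value, exposure_factor, aro):
    """Annualized loss expectancy: SLE (asset value x exposure factor) x annualized rate of occurrence."""
    return asset_value * exposure_factor * aro

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: loss avoided per year minus control cost, relative to cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

# ---- Capability metrics during construction: coverage, precision, recall (Article 2, item 5) ----

def coverage(assets, monitored):
    """Share of in-scope assets that the capability actually observes."""
    assets = set(assets)
    return len(assets & set(monitored)) / len(assets)

def precision_recall(flagged, truly_malicious):
    """Precision = TP / everything flagged; recall = TP / everything truly malicious."""
    flagged, truly_malicious = set(flagged), set(truly_malicious)
    tp = len(flagged & truly_malicious)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(truly_malicious) if truly_malicious else 0.0
    return precision, recall

# ---- Operations metrics: MTTD and MTTR (Article 7) ----

def _hours(later, earlier):
    fmt = "%Y-%m-%d %H:%M"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).total_seconds() / 3600

def mttd_mttr(incidents):
    """MTTD: mean hours from compromise to detection. MTTR: mean hours from detection to containment."""
    mttd = mean(_hours(i["detected"], i["compromised"]) for i in incidents)
    mttr = mean(_hours(i["contained"], i["detected"]) for i in incidents)
    return mttd, mttr

# ---- Constructed sample data (hypothetical figures, not from the article) ----
ASSETS = [f"srv-{n:02d}" for n in range(1, 11)]
MONITORED = ASSETS[:8]                       # two servers have no sensor
FLAGGED = {"h1", "h2", "h3", "h4"}           # what the detection flagged
CONFIRMED = {"h1", "h2", "h5"}               # what investigation confirmed; h5 was missed
INCIDENTS = [
    {"id": "INC-1", "compromised": "2020-03-01 02:00", "detected": "2020-03-01 10:00", "contained": "2020-03-01 14:00"},
    {"id": "INC-2", "compromised": "2020-03-05 09:00", "detected": "2020-03-06 09:00", "contained": "2020-03-06 15:00"},
    {"id": "INC-3", "compromised": "2020-03-10 20:00", "detected": "2020-03-10 22:00", "contained": "2020-03-11 00:00"},
]

def report():
    """One dictionary with every metric, so construction and operations figures sit side by side."""
    ale_before = ale(1_000_000, 0.3, 0.5)    # 1M asset, 30% loss per event, one event every two years
    ale_after = ale(1_000_000, 0.3, 0.1)     # the control cuts expected frequency to once in ten years
    p, r = precision_recall(FLAGGED, CONFIRMED)
    mttd, mttr = mttd_mttr(INCIDENTS)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": rosi(ale_before, ale_after, 50_000),   # control costs 50k per year
        "coverage": coverage(ASSETS, MONITORED),
        "precision": p,
        "recall": r,
        "mttd_hours": mttd,
        "mttr_hours": mttr,
    }

if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:>12}: {v:.3f}")
```

The point of keeping the two groups in one report is the one the article makes: a capability with 80% coverage and 50% precision is a construction-phase problem, while an MTTD of more than eleven hours against an MTTR of four shows that, once built, the bottleneck has moved to perception rather than disposal.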

Article 8: local government, regulatory understanding and compliance with laws and regulations

In many cases information security can be regarded as the concept closest to the "Jianghu" of martial-arts novels, but the Jianghu is never a place outside the law, and knowing, understanding, respecting and using the law are the most basic requirements. With deepening internationalization, Chinese enterprises going abroad and foreign enterprises coming in both depend on compliance with, and sensible use of, laws and regulations. Furthermore, some industry best practices, international standards and industry guidelines should not only be met as requirements; they also become a common "language interface" through which an enterprise fairly describes its basic capabilities, expresses the importance it attaches to security, and communicates and cooperates.

To carry out information security work in China, some basic requirements need to be properly attended to and implemented, such as the Cybersecurity Law in force since June 1, 2017 and the series of supporting laws and regulations; Articles 285 and 286 of the Criminal Law and their supporting judicial interpretations; the information system classified protection (MLPS) series; the personal information security specification; and the requirements of the competent authorities of each industry. In global business, data and privacy protection will be the main challenges, for example GDPR (the European Union's General Data Protection Regulation) and HIPAA (the Health Insurance Portability and Accountability Act). In addition, in the Internet, finance, energy and resource industries, national laws and requirements protecting critical infrastructure are facing increasingly stringent norms.

In addition, the information security standards of the International Organization for Standardization (ISO), the NIST SP 800 best practices, industry practice requirements such as ISAE 3402, cloud computing security certifications such as CSA STAR, and PCI DSS and ADSS of the payment card organizations are also indispensable requirements for business development.

From this angle, the difficulty and complexity of implementation lie not only in technical solutions but also in matters that depend on people (although much information security work depends on people, compliance is especially easy to turn into a big, passive problem through poor communication, inaccurate understanding and similar causes). Communicate actively with regulators, do not try to stay outside the regulatory boundary, take an active part in influencing rule-making rather than waiting passively or even concealing and cheating, treat security compliance with a more open mind and embrace change more actively; then security compliance can become a multiplier and driving force for the enterprise's security capability.

Article 9: security audit

Security audit can be understood as two keywords, "security" + "audit". The objects are the technology, management and people related to security, and the environment and capabilities these elements produce; the means is audit. How is it done? It can be divided into two dimensions:

In the enterprise, security audit can serve as the last of the three lines of defense (look up the three lines of defense concept in risk management; it was proposed earlier in China and is highly recognized abroad). At the same time it can serve as a bottom-line means of ensuring that security plans are implemented, and used reasonably its power is boundless.

Article 10: crisis management, security incident investigation and evidence collection

No matter how good an enterprise's security is, how complete its construction, how strong its capability and how conscientious its team, there is no 100% security, and no one demands that. So we must be prepared for possible external attacks, internal leaks, commercial espionage, unintentional employee mistakes and other situations, especially extreme ones, lest panic or unreasonable and untimely handling lets the situation escalate. The crisis management plan needs to be prepared in advance: the information flow mechanism, the crisis management team, the necessary technology and tools, and the plan's disposal process all need to be clear, fast and accurate. At the same time, drills must be held so that the content takes root in people's minds; once an extreme situation occurs, the response of each department can form a joint force. It also needs to be emphasized that crisis management is for extreme situations, not for general security events, so the plan emphasizes response capability in a limited set of scenarios (determined in combination with business scenarios), and the triggering of a crisis response also needs strict control. General security incidents can be handled through incident investigation and emergency response. Of course, this also needs advance preparation, such as incident classification, the response process, the recovery process, the investigation mechanism, the coordinating organization and the post-incident recovery mechanism. If the response is poor, a security incident can also escalate into a crisis, so whether the security incident response and investigation team is a real or a virtual one, the basic requirements are an organization, sufficient investigation technology and data reserves for incident response, and a necessary drill and replay mechanism.

Internal security incident investigation needs to accumulate, clean and correlate massive amounts of data, and finally reconstruct the attack path and the timeline of the incident, so data is a very important piece of basic work, and the requirements on data integrity, stability and quality are very high. The common problem is that the data seems to all be there, but it cannot be collected and joined because of different formats, different record fields or even subtle type differences, and ends up as fragments; the whole chain of evidence breaks and is lost, the true nature of the event cannot be outlined, and effective disposal and root-cause reconstruction are out of the question.
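The "different formats, different fields, subtle type differences" problem above is concrete enough to show. The following is an added example, not code from the article, that normalizes three constructed sources of one intrusion (an Apache-style access log, syslog authentication lines, and JSON endpoint events) into a single record shape, sorts them into one timeline, and pivots on the attacker's IP to pull out the attack path. The log lines, host name `web01`, the syslog year and the UTC assumption are all constructed for the illustration; the type differences (an `+0000` offset, a syslog line with no year, an epoch-millisecond field that arrives as a string in one record and a number in the next) are exactly the kind of mismatch that leaves the evidence chain in pieces when it is not handled.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records (hypothetical, not from the article): the same intrusion seen by
# three sources with three different formats, field names and timestamp types.
WEB_LOG = [
    '203.0.113.7 - - [10/Mar/2020:20:01:05 +0000] "GET /admin/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2020:20:01:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 98',
    '198.51.100.2 - - [10/Mar/2020:20:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
AUTH_LOG = [  # syslog: no year, no timezone, process name with or without a pid
    "Mar 10 20:03:12 web01 sshd[2211]: Accepted password for www from 203.0.113.7 port 51522 ssh2",
    "Mar 10 20:03:20 web01 sudo:    www : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash",
]
EDR_EVENTS = [  # JSON with epoch milliseconds, once as a number and once as a string
    '{"event_time": 1583870505000, "hostname": "web01", "remote_addr": "", "process": "/usr/sbin/apache2", "action": "file_write", "path": "/var/www/uploads/shell.php"}',
    '{"event_time": "1583870700000", "hostname": "web01", "remote_addr": "203.0.113.7", "process": "/tmp/.x/agent", "action": "outbound_connect", "dport": 4444}',
]

WEB_HOST = "web01"        # assumption: the access log carries no host field, so attribute it to web01
SYSLOG_YEAR = 2020        # assumption: syslog lines carry no year; take it from the collection context
SYSLOG_TZ = timezone.utc  # assumption: the host clock is UTC

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTH_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?:\s+(.*)$')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        raise ValueError(f"unparsed web line: {line}")
    ip, ts, method, path, status = m.groups()
    return {"ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "source": "web",
            "host": WEB_HOST, "ip": ip, "summary": f"{method} {path} -> {status}"}

def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        raise ValueError(f"unparsed auth line: {line}")
    ts, host, prog, msg = m.groups()
    when = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    ipm = IP_RE.search(msg)                      # sudo lines have no remote IP: keep None, not ""
    return {"ts": when, "source": "auth", "host": host,
            "ip": ipm.group(1) if ipm else None, "summary": f"{prog}: {msg}"}

def parse_edr(line):
    d = json.loads(line)
    when = datetime.fromtimestamp(int(d["event_time"]) / 1000, tz=timezone.utc)  # str or int -> int
    detail = d.get("path") or d.get("dport") or ""
    return {"ts": when, "source": "edr", "host": d["hostname"],
            "ip": d.get("remote_addr") or None,  # normalize "" to None so joins on ip are clean
            "summary": f"{d['action']} {d['process']} {detail}".strip()}

def build_timeline():
    """All sources in one record shape, ordered by a timezone-aware timestamp."""
    records = ([parse_web(l) for l in WEB_LOG] + [parse_auth(l) for l in AUTH_LOG]
               + [parse_edr(l) for l in EDR_EVENTS])
    return sorted(records, key=lambda r: r["ts"])

def pivot(timeline, ip=None, host=None):
    """Events tied to an attacker IP, or everything seen on a host, in time order."""
    return [r for r in timeline if (ip and r["ip"] == ip) or (host and r["host"] == host)]

if __name__ == "__main__":
    tl = build_timeline()
    for r in pivot(tl, host="web01"):
        print(r["ts"].strftime("%Y-%m-%d %H:%M:%S"), f"{r['source']:4}", r["host"], r["ip"], r["summary"])
```

Pivoting on the IP gives the four externally visible steps (login page, upload, SSH login, callback on port 4444); pivoting on the host fills in the two steps the IP cannot see (the web shell being written, the sudo to root). Neither view alone tells the whole story, which is why the normalized `host` and `ip` fields both matter.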

When it comes to the chain of evidence at the level of a judicial investigation, the methods of internal investigation can still be used, but the process control and specification requirements are much stricter. There are rules on evidence preservation, credibility and the collection of electronic evidence that govern what a court will accept. For example, in an internal investigation we can go straight into hard disks, storage and various systems to analyse and look for traces, but when evidence has to be presented in court, no investigation or analysis action may destroy the original state and properties, so professional tools such as EnCase and FTK are needed, operating in a read-only environment. There are many appraisal centres and investigation institutions in China that can do this work, and the supporting technical capabilities are relatively mature, such as forensic workstations and forensic systems and platforms for mobile phones and smart devices, which are not introduced here because of the sensitivity of the content. In a word, judicial investigation and forensics need a strict chain of evidence, forensic environment, methods and actions, so that the evidence can withstand cross-examination and the false can be eliminated and the true preserved.

Article 11: organizational structure, security awareness and internal security brand building

Most of the content discussed above concerns building various management and technical capabilities. Whether they can be implemented depends to a large extent on the team and its people. A reasonable organizational structure can maximize the value of people, and conversely can greatly weaken and limit it. Most leaders understand this truth, but whether it can be achieved in practice is another matter; environmental constraints, timing and even personal decision-making are all factors that easily discount it.

The setting of organizational structure can be considered from several aspects:

Suddenly I found that, having failed to keep the word count in check, I have written rather a lot, so I will not say much about security awareness. "People are the weakest link" has been shouted for many years, and it really needs to be taken seriously. No matter how good the technology, whether it plays its role depends on people; an ideal design, once it meets people, may be bypassed in all kinds of ways. "Don't fear a god-like opponent, fear a pig-like teammate": social engineering ("human-flesh penetration") is much faster than an APT. We all know the truth; let's see the effect of action.

Security cannot be built behind closed doors; it cannot be emphasized too many times. Whether the company trusts security, whether the business will coordinate with security, and whether everyone is willing to pay the cost of security (not only the direct cost, but also indirect costs such as convenience given up for security) depends on whether security can establish a "sense of safety" and a correctly recognized value, a brand effect. When the business is going into battle, does security pat the business brother on the shoulder and say "don't worry about anything, I'll be with you", or does it use the technique of "voice transmission over a thousand miles" to hide far away and say "we have the most advanced technology and the best products, you can rest assured"? Of course, sometimes even the voice transmission is skipped. Where is security's value then? A brand is hard to build and trust collapses quickly; cherish it.

Article 12: resource management and efficiency control

In this last chapter there is still a lot to write; let us first talk about resource management and efficiency of use. People with management experience know that a team should have levels. Why? Not only because of the echelon needs of team development, but also because of the practical need to limit resources. For example, a team of 50 in which everyone is senior looks very powerful, but it is not realistic: there may not be that many senior people to recruit, and the budget will not allow it. So the CSO should plan the team's levels reasonably, based on the distribution of work skill sets, on rank calculations made after considering the budget limit, or on many other methods. It is therefore recommended that CSOs understand some financial knowledge and be able to read basic financial statements and budget plans; unlimited resources only exist in a game of life after the cheats have been switched on. Concentrating superior forces, achieving quick results and prioritizing work are the most basic requirements. At the same time, running multiple projects concurrently is unavoidable; to control quality and quantity, manage the resource pool well, and the PMO multi-project management approach is still worth referencing. Take the same team of 50 people and have them do 60 projects and products at the same time; what is the consequence? If it were you, how would you lead those 50 people, plan resources reasonably, prioritize and control risk without obvious weaknesses? One principle is "good steel on the blade's edge", the other is "let the bullets fly for a while". Don't be in a hurry. Keeping the team from becoming a fire brigade is the leader's responsibility.

Some people may think, "Is there such a person?" The answer is certainly yes, but everyone has their own focus and it is unlikely that every area gets full marks. In addition, this kind of "all-rounder" (a whole barrel of even planks rather than one long plank) is not, or at least not, the top-notch talent in technical research, nor likely to be a famous figure in the attack-and-defense or white-hat world. So in the current information security environment few such people enter the media spotlight or gain the popularity of fans, but they do exist.

If you are interested, you can use a radar chart to check your own knowledge system and see what you are good at.

[Figure: radar chart of CSO capability elements]

These twelve elements, which can be called the capability set of the CSO, are also very likely a mapping of the enterprise's security capability. Often the capability of the CSO determines the ceiling of enterprise security capability, just as the style of a founder becomes the style of the enterprise.

Having covered the capability set, how are these capabilities built in the enterprise? The topic is too big to discuss fully here, but a few ideas can be stated.

1) The entry point of enterprise security

In enterprise security, the most important and most basic part can be divided into two areas: IAM and data. That is to say, if you want to do something right quickly in an enterprise, you do not need to start with a comprehensive security risk assessment; if time is short, its effect and value are not easy to show. You can start from IAM and data security instead. IAM covers accounts, permissions, the supporting access control and analysis systems, and so on; data security covers data usage scenarios, high-risk situations, and the requirements for perception and control. If this work is not done well, other security work and security products will have problems. From another angle, the interface through which a company's non-security staff can perceive security capability is also basically in three places: accounts, permissions and data. When many people are involved, the space in which enterprise security survives and develops is dynamic as well.

2) Basic capability building

Security that goes deep into the business and brings it value is not necessarily the latest or coolest technology or product. Build up the basic capabilities conscientiously, so that the company has confidence, the business is secure, and employees feel safe. Practical, adequate and well used are the basic goals and requirements. In practice, perception capability, protection capability and disposal capability can all be built out in stages, by key points and by scenario, with selective layout, a combination of self-built and outsourced components, and full consideration of risk exposure and time cost. Doing the right thing at the right time is hard, but necessary!

3) High quality business scenario application

Beyond escorting the business the enterprise actually carries out, the method and strategic-consistency requirements based on value chain analysis allow security to lay out and prepare more proactively; that is not covered here. In some specific scenarios, preparing well also lets security show its value and contribute its energy to the company's business goals.

4) To realize security value, the key word is "integration". Business integration, combining sensing with control, and deep integration are the basic summary of enterprise security: business integration is the basic path by which security realizes value, combining sensing with control is the basic means by which security realizes value, and deep integration is the basic way in which security realizes value.

Security is the extension of the manager's will, and technology is the extension of the management concept.

Finally, this warm-up article, "how to do a good job of chief security officer - enterprise security system and architecture practice", was basically written in one sitting, so there are some flaws in its internal logic. I feel that I have not polished it much, and I do not plan to revise and improve it this time, but I sincerely welcome interested friends to exchange more valuable opinions. Due to space limitations and time pressure, none of the contents are expanded; there is no graphic summary, no detailed discussion of any technical aspect, and in many places problems are raised without solutions being given. If you feel this kind of confusion, that is normal. Warm up and understand more. Expanding these contents, with more experience and solution sharing, will have to wait for the future, either by presenting each chapter's content completely through continuous updates to the article on sec UN, or through the one-time publication of the book that is in preparation. I believe there will be an account of it in the near future.

In addition, everything in this article represents only my personal views and does not involve my previous work experience or its content; it describes the general situation. Please do not read any particular company or team into it, and there is no need to take it as the voice of any company or team. I speak for myself.