data based, insight security

Posted by trammel at 2020-03-28

[Introduction] At the beginning of December, I received a written interview from China Informatization Weekly. In response to several questions raised by the reporter, this piece sets out some views on current big data security analysis. The reporter condensed the content of the interview and published it together with other interviews as a special issue. Some of the original questions and answers of the written interview are now published below for your reference. You are welcome to correct them.

My answers in the written interview are more detailed than what appeared in the report, and they can serve as a supplementary explanation of my views there.


1. What is the bottleneck of big data security analysis? What needs to be done to break through as soon as possible?


With the gradual formation of the big data technology ecosystem, big data technology has become an off-the-shelf technology. Building on it, the data collection and storage techniques used in big data security analysis have been mastered by leading enterprises, and visualization has also made rapid progress. The bottleneck lies mainly in application scenarios and security analysis scenarios. Big data technology is a basic technology; its rise and development originally came from Internet enterprises, which developed it to solve their own practical problems. Applying big data technology in the field of security analysis is an innovation and advance for that field, but how to apply it still requires finding security pain points and creating value from data. It is still necessary to combine it with security business scenarios and use big data technology to solve the very hard problems that traditional technology cannot solve, or cannot solve well. The way to break through as soon as possible is to start from security business scenarios, let scenarios drive security analysis, and let data drive technological progress. At the same time, the shortage of security analysts, business analysts, domain engineers and other technical personnel is also a major bottleneck restricting the development of big data security analysis applications. In the context of big data analysis, the requirements on analysts' staffing and skills are higher.

2. In the process of security data collection, collation, analysis and visualization, how to help customers realize security data visualization and finally move towards data-driven security?


Data-driven security refers to approaches and means, not goals. The goal of security has never changed. Moreover, data-driven security is only one of many security methodologies.

At present, the capabilities of the two sides in network confrontation are unequal: * * * has the upper hand, and the time * * * needs is far less than the time defense needs. *** In fact, data-driven security exists to make up for this defensive time cost, so that we can identify and respond, block and counter as early as possible.

In this process, data ingestion, collation, analysis and presentation all require care; each link is important, and they are linked to one another. Visualization is a mode of presentation that mainly serves two kinds of roles. One is analysts, helping them conduct interactive analysis more efficiently, which is called threat hunting. The other is management and decision-makers, helping them understand the overall security posture of the network and grasp our own situation, the adversary's situation and the state of the confrontation in a timely manner, in order to make clear and effective decisions.

Once the roles are clearly positioned, the question of whom visualization serves is clear, and the goals and means of security data visualization can be designed well. We can define different scenarios for different roles and set them as a set of goals. Then, from top to bottom, we can sort out the information and models needed, the data these depend on, and finally how to ingest that data.

In data visualization, we should not blindly pursue a cool display effect, but pay more attention to expressing content, that is, presenting the insights obtained from security data analysis. In this sense, helping customers achieve visibility into security matters more than visualization of security. When we say we want to "see" threats and security, what we really mean is insight.

3. What innovations does your company have in helping customers establish a data-driven mechanism to "see" threats and establish a defense-in-depth system? Are there successful cases at present? Can you introduce them in detail?

Answer [excerpt only]:

Under the current situation of network confrontation, the traditional security protection systems and thinking of enterprises and organizations must change. We must recognize that our networks may already have been compromised. We must move from passive protection to active and intelligent protection, or even adaptive protection; from simple defense to active confrontation; and from isolated defense to a cooperative defense system. Security requires knowing ourselves as well as knowing the other side. In other words, we need to look at the concept of "establishing a defense-in-depth system" from a new perspective and establish a "high-dimensional defense-in-depth system". High-dimensional here means considering not only depth along the path, but also depth in time, depth in management and physical depth of the defenses. Because our opponents are always trying to operate from a higher dimension, we have to build depth in higher dimensions too.

In response to new threats and new security challenges, Gartner proposed the concept of adaptive security architecture in 2014. Gartner holds that enterprises will inevitably need to pay more attention to detection, response and prediction, and to improve their existing prevention mechanisms through continuous monitoring of and response to all security elements. Such monitoring relies on security analysis built on a security data warehouse.

Security analysis is data-driven security analysis, which emphasizes applying advanced analytics to data to generate more valuable security insights, knowledge and intelligence than before. Advanced analytics differs from earlier analysis based on signatures and rules; it relies more on advanced statistics, machine learning and other behavior-based analysis techniques.

Facing today's network security challenges, and taking the development of new technologies into account, I agree with Pan's new security analysis methodology, the "full paradigm security analysis" system. This system emphasizes the comprehensive use of four security analysis paradigms to build a complete security analysis system. The four paradigms are as follows:

1) The first paradigm of security analysis: trial and experiment, i.e. empirical analysis, such as * * * testing;

2) The second paradigm of security analysis: models and features, i.e. classical signature-based detection, * * * modeling, etc.;

3) The third paradigm of security analysis: simulation and emulation, such as sandboxes and virtual execution;

4) The fourth paradigm of security analysis: big data security analysis.

Facing current network threats, only by combining the above four security analysis methods can we build a relatively complete security protection system, and big data security analysis plays the leading role among them.

4. What is the value of data-based security technology in security defense? What is the future trend and direction of data-based security technology?


The most critical value of security analysis is to identify vulnerabilities, threats and * * as early as possible, and further to help us assess risk, carry out emergency response and handling, guide enterprises and organizations in improving their defense control mechanisms, strengthen compliance, report the security posture and defense effectiveness to management, and ultimately improve the effectiveness of the whole * * confrontation.

Just this November, SANS released the latest issue of its security analytics and intelligence research report. According to the report, the top five values of security analysis are: more accurate risk assessment, detection of external threats based on malicious code (such as 0day *), visibility into network and endpoint behavior, establishing behavior baselines to identify behavioral anomalies, and compliance monitoring and management.

Combining global trends in security analysis, Gartner's analysis reports, and our own analysis and practice with domestic customers and their particularities, I believe the development trends of data-driven security analysis technology in the next few years will be: intelligent analysis, intelligence-driven analysis, interaction and cooperation.

Intelligent analysis: this is the core of data-driven security analysis, and it emphasizes not relying on analysis of existing signatures and rules. In the future this aspect will be further strengthened, and more advanced statistics, machine learning and situational awareness techniques will be introduced into security analysis.

Intelligence-driven analysis: security analysis will rely more on security intelligence, and intelligence-driven security analysis will prevail. With the help of intelligence, we can improve the efficiency of analysis and adapt more quickly to changes in the confrontation environment. At the same time, the results of security analysis will increasingly be output in the form of intelligence. Security intelligence here can be divided into strategic, operational and executive intelligence. Technically, it can be divided into vulnerability intelligence, threat intelligence and * * intelligence. By source, it can be divided into internal and external intelligence.

Interactivity: since security intelligence will not be mature in the medium term, security analysis, especially advanced security analysis and threat hunting, will rely more on human-computer interaction. The system's role is mainly to provide people with a set of convenient and efficient analysis tools, and security analysis will become more of a human-augmenting system, or a human-authorized system.

Cooperation: cooperation here includes not only human-computer cooperation and cooperation between internal and external intelligence, but also "everyone cooperation", which arises from the domestic reality. "Everyone cooperation" refers to enterprises and organizations making up for shortfalls in their own security analysis capabilities, resources and analyst skills through external talent and forces. This can be full or partial outsourcing of security analysis facilities and services, or outsourcing of personnel, outsourcing of knowledge, personnel training, and so on. Enterprises and organizations need to find security analysis partners, and security analysis vendors also need to build an ecosystem.