Security operations trilogy: security ecology and security internationalization

Posted by santillano at 2020-04-02

About the author:

Miss Xi is a security operations specialist at a state-owned enterprise. She built the enterprise's security operations system from zero to one and has led many internal operations activities, and she has extensive experience in and thinking on internal training, team management, SRC (security response center) construction, crisis public relations and more. The Enterprise Security Record will publish three security operations articles, analyzing every aspect of enterprise security operations from the three angles of concept, practice and vision.

This final article of the security operations trilogy, on security ecology and security internationalization, sets out the vision of security operations as holistic, three-dimensional and international from four angles: three-dimensional security operations, the building of an intelligence alliance, the international alignment of security operations, and what future security operations might look like. In my view, security operations is still at a start-up stage; its position in the enterprise and the value it can bring are not yet fully recognized, so there is a great deal of present and future work to do and a lot of room to grow. I hope that in the foreseeable future more forward-looking enterprises will acknowledge the role of security operations, and more capable people will join this work.


1. Three-dimensional security operations of enterprises

1.1 heavy on assets, light on response

1.1.1 what are assets?

Although every enterprise deals with assets in its day-to-day work, and every head of security actively fights for investment in them, the topic is rarely discussed systematically and there is no agreed conclusion. Every enterprise wants the greatest return for the least capital; that is human nature. So what do "assets" include from the perspective of security operations? The assets discussed here fall into two categories, tangible and intangible. Tangible assets are the traditional servers, switches, routers and so on, in short the hardware that "can be seen and touched". Intangible assets include the various IT systems and the systems with security functions (data management, backup and recovery, encryption and the like), as well as the systems and tools used during the operation and maintenance of that equipment and those systems, covering virus protection, auditing, networking, access control and authentication.

1.1.2 why are assets important?

In an Internet era where enterprise informatization moves this fast, security work can never be solved by people alone, even if that person is a top security expert. Traditional hardware is a must, and the important role of security equipment, tangible and intangible, in security work must not be ignored either. In recent years the "automation" and "informatization" that have been advocated have gradually been realized in many fields of work, and security automation and informatization have followed. Whether security equipment or security products, they are the output of the technical ability of many top security practitioners, and they solve the security problems of ordinary situations. "People" are the least controllable factor; the variability of human nature cannot be denied. If a choice must be made, should defensive capability rest on security assets or on top security experts? I hope the share carried by security assets will be the larger one, because from the enterprise's perspective that choice carries less risk. The essence of being heavy on assets, then, is to make top-level security technical capability available to the enterprise in a relatively stable way, avoid the "human" risk to some extent, and solve the common and general security problems with assets, relying on people for the remaining, special ones. Of course, how much assets can do also depends on how heavily they are weighted: if the enterprise invests enough in assets, even its particular, individual security problems can be solved.

1.1.3 why light on response?

Light response here is relative to heavy assets. I have always felt that, in work as in life, it is better to prepare ahead than to patch afterwards. "Preparing for a rainy day" means defending in advance; "mending the fold after the sheep are lost" means responding during an incident and remedying after it. The ideal state of security work is risk control: risk cannot be 100% avoided, but if it is controllable and within an acceptable range, and a plan has been prepared in advance, then even when something happens the unexpected is much easier to deal with. Once enough has been done in the "heavy assets" link above, most of the risk has been eliminated, and what remains are low-probability events such as a 0-day. Even when one of those occurs it is an industry-wide problem, not the enterprise's own security failing. Because of the heavy investment in assets, response can be lightened appropriately, reducing both the workload and the demands placed on personnel. As far as I know, state-owned enterprises put more weight on assets while Internet enterprises put more weight on response, although Internet enterprises are now continually increasing their assets; the difference comes from factors such as enterprise scale and industry.

1.2 employee security situation

The employee security situation discussed here is the management of employees from the perspective of security operations, which overlaps with human resources and covers talent screening, background investigation, induction training, on-the-job training, the promotion mechanism and offboarding desensitization.

1.2.1 talent screening

This roughly covers HR resume screening and internal referral. As mentioned in the previous article, many security talents can be accumulated through external channels such as community operation; at the same time, within the enterprise, people who are interested in security or have some security technical ability can be found through activities or a virtual organization. When the enterprise needs to expand its security team, these human resources have somewhere to be used. From my own experience of helping my manager set up a security team, the most successful route today for the person in charge is referral, either internal or from people in the circle. The referrer already knows the candidate to some degree, and may even have worked with or be friends with them, so they can speak to personality, technical ability and career plans; the referral can therefore be targeted at the right enterprise or manager, saving a lot of time in resume screening. Compared with other technical fields, security did not start especially late, but it has progressed slowly, not because of the talent itself but because the development of the security industry is bounded by that of the computer industry: only once the computer industry has developed to a certain point and enterprises have reached a certain scale does security gain recognition. So to this day the security talent gap is still very large. The sudden boom in the security industry has created opportunities for its development, but a large talent shortage is at the same time a dilemma that must be faced.

1.2.2 background investigation

A background investigation looks at a person's past experience, which is often used as a reference for judging how they will behave in future. Security is a special industry that touches data, privacy, privileges, law and other areas with a confidentiality dimension. Especially since the promulgation of the Cybersecurity Law, a security practitioner who goes wrong because of their work may at best lose their job and at worst commit a crime. However, because security-related majors appeared late in both universities and training schools and are still not very mature, many people in the security industry did not come from a relevant background but switched in midway, so the industry is quite mixed in terms of education, profession and experience. To avoid labor disputes after someone joins, the enterprise should conduct a thorough background investigation on the candidate before entry; this is responsible both to the enterprise and to the candidate, since a mismatch is a loss for everyone. The traditional background investigation usually comes from human resources and covers academic qualifications, work experience at previous employers and the validity of certificates. On top of that, a background investigation from the security perspective should add political review or a certificate of no criminal record, grey-channel inquiries within the security circle, records of dishonesty, interpersonal relationships, performance and so on, using informal channels to obtain the most genuine data and avoid adding risk to the enterprise at the source.

1.2.3 induction training, on-the-job training and promotion

Traditional induction training is run by the human resources department and can cover general knowledge such as corporate culture and corporate values. For security posts, security education should be added: security awareness, security operations, compliance, law, security corporate culture and so on. Management should also receive security management training and technical posts should receive specialized technical training; after training, corresponding assessment criteria and scores should be included in the probation review.

On-the-job training should fall within the scope of human resources, but because HR does not know the specific security technology, this work is usually carried out by the security department itself. In fact the posts in a security department are not very different from those in other technical departments, and are usually divided into technology (development, operation and maintenance), product, project and operations. Standardized on-the-job training manuals should be developed for each post, with irregular training and assessment that also counts toward KPIs.

The promotion mechanism discussed here is the existing one that meets HR requirements, with a security-specific part added: whether there were any violations of security rules during work, whether there are loyalty problems, whether there are character problems, and so on. In my view, security work puts character first and ability second; if that is reversed, a serious incident is only a matter of time.

1.2.4 offboarding desensitization

The requirement for offboarding desensitization should be specific to security work or to positions that handle confidential information. Security work may be classified and carries relatively broad privileges, so the enterprise should set a post-departure desensitization period or sign a departure desensitization agreement to avoid large losses. Every enterprise differs here, which can be discussed separately.

1.3 enterprise situation awareness

This topic can be discussed in great detail or in general, simple terms. When an enterprise grows to a certain scale, security work is no longer just fire-fighting; it needs advance perception and defense in depth. The picture differs by industry. Traditional industries tend to buy the situation awareness products of security vendors directly, reducing investment in their own technical staff and using relatively mature products to solve the problem outright; Internet enterprises, on the contrary, invest heavily in technical staff and build products suited to themselves through their own capability, reducing data security risk, adding personalized functions and making follow-up work such as iteration convenient. Here I would still suggest that mature enterprises achieve situation awareness through systems or products rather than by relying on people. Situation awareness is now mature, and many enterprises already have mature systems and products that solve their own security situation problems.


2. Security operations intelligence alliance

2.1 vulnerability intelligence perception

Everyone in security knows that there is no system without vulnerabilities, so no matter how well designed a system is it cannot get around the word "vulnerability". Since they cannot be avoided, they must be faced and solved. Establishing a shared vulnerability intelligence awareness system across the industry can shorten the time to discover vulnerabilities, reduce the high cost of vulnerability research, and let enterprises complement each other's strengths; of course, it also requires overcoming the differences in management models and methods between enterprises.

2.2 negative news and information sharing platform

Every enterprise hopes to have a positive market image. But once there is a security problem, negative news about the enterprise directly damages that image and causes incalculable loss; once caused, the loss cannot be undone, only stopped in time. With a unified negative-news intelligence alliance, each enterprise's negative news is reported to the other members immediately, and the time gained is the first key factor in stopping the loss. Within the alliance, negative news can be exchanged, obtained at the earliest moment and handled in the appropriate way.

2.3 management of security risk solutions

Enterprises can jointly explore a set of mature security risk solutions covering technology, public relations, legal affairs and more: which solution ideas, plans, key time points and incident-handling norms are usually adopted for each kind of security problem. Different industries, fields and stages bring security issues with different characteristics. With an open mind, learning from each other's strengths and helping each other, we can form a healthy security ecology.


3. International alignment of security operations

3.1 internationalization of white hat

In recent years the white hat community has grown very fast, and white hats have made great contributions to the whole security industry. Technology knows no borders: our white hats should "go out", and we also welcome foreign white hats to "come in". On the one hand, enterprises should invest human and material resources to lead white hats onto the world stage and provide more opportunities for international exchange; some enterprises have already opened this door through study tours, technical exchanges, attendance at foreign conferences and so on. At the same time, some enterprises have opened platforms that recruit foreign white hats to report vulnerabilities to them, making up for gaps in domestic security technical capability while also gaining the technical ideas of foreign researchers.

3.2 compliance on the road to international operation

On the road to international operation, Chinese enterprises should put "compliance" first and attach importance to managing compliance risk. Chinese enterprises of a certain scale have been expanding abroad continuously; they must abide by the laws and regulations of the host country and the public interest where projects are implemented, and security and compliance cannot be bypassed. Only by operating in compliance with international rules will Chinese enterprises be protected by the host country and avoid reputational loss, financial loss and even legal sanctions. To take an example relevant to the security industry: on May 25, 2018 the EU General Data Protection Regulation (GDPR), which replaced the Data Protection Directive, broadened the definition of users' personal data, reached an unprecedented level of detail in the protection and supervision of personal information, and placed higher requirements on enterprises to protect it. Only by fully studying the relevant foreign laws, regulations and rules can we improve the enterprise's compliance risk management ability, establish a sound compliance management system, reduce the gaps in it and avoid uncontrollable problems, with corresponding solutions ready even for the ones that do occur.

3.3 technology exchange and internationalization of technology

Technology exchange is an activity in which enterprises and technologists show their technical strength, share technical achievements, express technical views and pass on technical spirit; sometimes it takes the form of new books, new ideas, new products and the like. Technology has no national boundaries; truly advanced theories, viewpoints and products travel the world and benefit all technical people. I advocate internationalizing technology exchange activities and connecting with advanced foreign enterprises and experts, to see what the outside world looks like and what people there are concerned about now, get the most direct first-hand information, feel their advanced technology, learn from their achievements, refer to their technical views, and make up for our shortcomings in the areas where we lag, developing our strengths and avoiding our weaknesses. Of course, where we lead in some technologies, we should also lead foreign enterprises and technical staff, show our technical strength and level, and promote the development of an international technology exchange ecology.


4. The future of security operations is not far away, and parts of the vision are slowly being realized

4.1 security operations visualization

How can the value of security operations be embodied? I believe that only when its value can be seen, its pulse is clear and its risk is understood, that is, when security operations are visualized, will security operations have made a breakthrough.

4.1.1 visible value, visible pulse and visible risk

For enterprises that attach great importance to security operations, I believe a security operations platform can be built, onto which human resources, technical resources, project resources and so on are placed. Through a certain methodology, all the resources in the enterprise are integrated and operated so that they are used optimally and each resource reaches its highest availability; at the same time, the value of security operations is shown on a large screen through certain analysis methods and data. The platform also needs to reflect the pulse, rhythm, degree and progress of each piece of security operations work. Through that pulse we can judge the state of security operations, the use of the security department's resources, the value of security operations and of the department, and predict risk: the risk becomes visible.

4.2 mature trust mechanism

The maturity of the trust mechanism reflects the maturity of a country and of an industry. A trust mechanism promotes the development of the industry, and the healthy development of the industry in turn drives the trust mechanism toward maturity.

4.2.1 trust mechanism system

Establishing a sound trust mechanism system can be a means of avoiding risk. A sound system includes a trust evaluation standard system, a trust value calculation model, application scenarios for the trust value, trust management and so on. At present trust mechanisms are applied mainly in the financial industry, for example the credit cards issued by the major banks and Alipay's Sesame Credit: from a person's background and through a certain methodology a corresponding credit value is assessed, which then determines the areas and scope in which they can consume. The trust mechanism is in fact also a very important part of security operations, and as society progresses the trust mechanism system will become sound.

4.3 operations service

4.3.1 crowdsourced testing

In discussing security operations we mostly talk about value to the enterprise itself: by integrating and operating human and technical resources, the enterprise can see what security operations mean. Imagine, though, if operations could be delivered as a service, not only to the enterprise but to the whole industry; creating greater value that way is the vision of an operations service, and crowdsourced testing is one direction. Crowdsourced testing, in short, is an enterprise finding its internal risks through credible external forces within a fixed period. At present the institutions that can provide crowdsourced testing in the market need certain qualifications, so there are not many; well-known examples such as the Witkey, "sky mending" (Butian) and "prophet" (Xianzhi) crowdsourced-testing platforms provide professional crowdsourced testing for enterprises. In fact crowdsourced testing can also take place between enterprises, or between the internal security department and other departments. For example, the security department could launch such an operations-service project, calling on the white hats of its community to discover security risks for the users of a business department, who, if the enterprise is a cloud provider, are its cloud tenants; the necessary security monitoring must of course be in place. On one hand this provides extra income for the white hats, and on the other it turns their security capability into security services for users or cloud tenants. Crowdsourced testing is just one security operations service project; I hope more enterprises will have more ideas and put them into practice.

4.3.2 one-click security operations system

In the future I would like security operations to look like this: "one click" shows the whole of the work quickly, completely and clearly. With one click we see, under the security operations system, the utilization rate of human resources, the utilization rate of technical resources, and the effect of combining the two, clear in context and clear in process. Visual data and images show how much value has been created for the enterprise and what has been done for the industry. Security operations is not merely auditing vulnerabilities, maintaining the community, running a few activities or conferences, or responding to inspections and writing a few policies. Security operations needs to be a system, starting from the reason the whole security department exists: designing the framework, composition and operating mechanism of security work, assessing the results of security work, driving its reform, and taking responsibility for the overall operation of people and technology.
