Jiang Haike's Security Monthly (full text)

Posted by lipsius at 2020-04-05

Antiy Labs, Jiang Haike

(Originally published in the April 2013 issue of Programmer magazine. Compared with the magazine edition, this version updates the diagram and adds two supplementary notes at the end of the article.)

RSA Conference, the largest information security exhibition in the world, draws the attention of the whole security industry. This was the third time we attended.

To allow more time for exchanges, we decided to arrive in Silicon Valley a week before RSA Conference opened. It happened that Mandiant had just released its report "APT1: Exposing One of China's Cyber Espionage Units", which caused a global shock. This naturally became a topic we were asked about constantly during our stay in the United States. Another Chinese scholar attending the conference said that when he visited friends, even their nanny asked him about it.

The day before RSA Conference we attended another security conference, BSides SF. There Mandiant also gave a talk titled "Chinese Advanced Persistent Threats". The talk had essentially no technical content and was entirely "political". Judging from the history of BSides events, such content would have been unlikely to get a slot in the past, which shows how overwhelming the current "Chinese cyber threat" atmosphere has become.

RSA Conference itself was thick with the same atmosphere. My colleagues ran into this several times: when a presenter saw that Chinese attendees were watching, he stopped the demonstration or refused to talk. This had not happened in either of the previous two years.

You could sense the mood even from the books signed at the conference and on sale in the bookstore: for example, copies of Hacking Exposed 7: Network Security Secrets & Solutions were handed out with the cover relabeled "Hacking Exposed: The PLA", and another thin book in the shop, 21st Century Chinese Cyberwarfare, sold for the high price of $70.

In the United States, the media and public opinion were basically one-sided, with no voice from China. The only remark that seemed relatively neutral came in an RSA Conference keynote from Adi Shamir, a leading figure in information security and one of the three authors of RSA: "An American company has just released an XX-page report saying that there is a large building in Shanghai, China, from which XXX people have intruded into the United States over the Internet; then in a few days a Chinese company may issue an XX-page report saying that there is also a building in the United States from which XXX has intruded into China over the Internet." For a well-informed old man, the meaning is simple enough: since everyone is doing the same thing, what is the point of shouting?

Shortly after the report was published, the US military budget was settled. Although overall military spending was cut, spending on cyber operations was not reduced but increased.

As traditional anti-virus workers, our attention in the APT area has been on Stuxnet, Duqu and Flame. Given the scale of events such as sabotaging the operation of uranium centrifuges, we believe this marks the beginning of cyber war. There is little doubt that the United States is one of the principal suspects in this series of events (the other being Israel). In this context, the United States not only received almost no condemnation for its earlier actions but could also reasonably blame China, and very effectively occupied the high ground of global public opinion. The maturity of its strategy and its comprehensive effect on the international ecosystem are plain to see.

I also found a message online in which an American official expressed a view to the effect that "American intelligence agencies also obtain information through the Internet, but we will not hand Airbus's information to Boeing." Seen this way, the statement may be an appeal by the United States for a network order, rules of engagement and tacit norms.

Every year RSA Conference holds an innovation and entrepreneurship competition called the Innovation Sandbox. At this year's competition, Herbert Hugh Thompson, executive chairman of RSA Conference, summarized in his speech the security industry's key words over the years. What he found was that the technologies and markets that really grew later were not the ones in focus at the time:

(Figure: RSA Conference key-word predictions over the years)

FireEye was undoubtedly the hottest star of this year's RSA Conference, which goes with its status as the benchmark anti-APT company. Two years ago FireEye's booth was very small and its disclosure of technical solutions cautious and conservative; we only knew that it combined a traditional traffic appliance with front-end virtual-machine analysis. Last year FireEye had come into the open but was still a bit mysterious. This year FireEye was relatively open: it not only released product manuals but turned two-thirds of its booth into a lecture hall where the solution was introduced and explained continuously.

Many traditional anti-virus workers have asked how useful a purely dynamic, sandbox-based solution can be without a traditional anti-virus engine's ability to detect known malicious code.

But from what I have observed over the past two years, I have come to understand the value of such solutions better:

1. Sandbox solutions do have an inherent advantage in detecting file-format exploits. This is not only because the method can catch unknown vulnerabilities, but also because the means available inside a format exploit are limited: anti-virtual-machine, anti-debugging and similar techniques cannot be applied as flexibly as in a PE sample, so the sandbox's success rate is higher.

2. The governance of IT networks in American enterprises is very strong, and there are few security incidents in the network itself, so once an incident is found it is likely to be a serious one. In China, by contrast, infections are frequent, and high-risk events are easily buried among them.

Mobile and wireless security were this year's hot spot, and BYOD was hot; by comparison MDM looked like a transitional concept, growing old before it matured.

Unlike Windows, where security vendors compete on kernel-level capabilities, Android does not open its lower layers to security vendors. Yet vendors keep looking for solutions, such as replacing the traditional driver-layer firewall with a VPN-based approach. Security vendors can always find a place for themselves in an OS scenario; this is a kind of tenacity.

We could also see the Internet model driving change in many traditional fields. For example, one app-protection team offers online encryption services rather than selling hardware dongles and packer tools the way traditional PC software-protection companies do.

As a traditional network and mobile anti-virus engine vendor, our main mission in Silicon Valley was to find new users. And every time we visited a local company, we were confronted with the same question: is your engine deployed on VirusTotal?

The first time I faced this question I could not help blushing. Because of an interface problem, our virus database on VirusTotal had not been updated for a long time, so it detected almost nothing, and we had no plan to integrate the mobile detection engine there.

When I explained this, the answer I got instead was: "That's good, it means there is room for cooperation. If your engine were already on VirusTotal, it would mean nothing to us." On further inquiry I learned that nearly all the mainstream security companies in Silicon Valley have bought the highest tier of VirusTotal access and use it as a trusted resource. This is quite different from our thinking: to guarantee the exclusivity of their samples, some Chinese companies are unwilling to use VirusTotal for malicious code detection. From this example you can see the foundation of mutual trust and interaction among American companies.

Of course, competition exists as well. Some vendors, for example, talked about the pressure FireEye's rise put on them. But what we learned at the show is that FireEye and these competitors all chose the same company's whitelist verification service. That company is Bit9, another hot vendor this year, whose main business is high-quality whitelisting. We also visited Solera's SOC products, which can analyze and manage logs from sources ranging from the old NetScreen to the emerging Palo Alto Networks, FireEye and others.

Silicon Valley security companies do not pursue the role of all-round, big integrator. They build their own corporate character and strengths, create irreplaceable unique value and a voice of their own, and look to other specialized vendors to cooperate when they have other needs.

Start-ups and M&A form the ecosystem through which Silicon Valley generates value iteratively, so RSA Conference's Innovation Sandbox also draws great attention from the industry. It is an entrepreneurship competition in the security field: after a selection round, the finalists are judged during the exhibition and receive rankings and investment.

The Innovation Sandbox continues to be led by entrepreneurs with deep business backgrounds at mainstream Silicon Valley companies. Two of my colleagues have now attended the Sandbox two years running, and their assessment of this year's participating companies was not as high as last year's. Still, they could feel Silicon Valley's entrepreneurial culture and its high tolerance for founders: the judges actively help the contestants find their highlights.

A company we had talked to last year about dynamic analysis solutions was acquired by McAfee for $14 million this year. It is said that some Chinese companies also took part in the bidding, but their bid was only half of McAfee's and failed. I used to wonder why an old anti-virus company like McAfee, for which dynamic analysis is itself a strength, would need to start over. My colleague 8W's analysis hits the mark: McAfee's move is a response to the competitive pressure of FireEye's solution. Establishing a new product line through M&A, as opposed to splitting it off from existing technology, has advantages in public perception and flexibility, and is also easier for the financial market to see and understand.

From NetScreen, Fortinet and Palo Alto Networks to FireEye, new Silicon Valley companies keep rising on the power of capital, constantly disrupting the existing landscape, forming new threat responses and new demand, and becoming the surging force behind the American security industry and its technology. The mature venture capital and capital markets in the United States provide continuous impetus for these newcomers. Pressure from them in turn leads the old giants to keep acquiring the small companies whose solutions follow, imitate and incrementally innovate. Whether the start-up path ends in an IPO or in M&A, it is accompanied by wealth and honor, which greatly enlivens the enthusiasm for founding and creating companies.

Silicon Valley companies are also "iron barracks with flowing soldiers": the firms stay, the people move. What surprised me was how differently talent flows here compared with China. Many of the friends we know started at NetScreen or McAfee and then moved to Palo Alto Networks; this year some of them appeared at newer start-ups such as FireEye.

Before coming here I had heard that a start-up founded by Ms. Dawn Song, the well-known Chinese scholar at Berkeley, had been acquired by FireEye, but I did not expect Dawn Song herself to be at the booth, enthusiastically explaining their APK security analysis demonstration system to visitors. Ms. Song said she is busier now than she was at Berkeley. It reminded me of the working scenes at Palo Alto Networks and of other Silicon Valley security start-up stories I learned about when I started my own business. Talking with the old network security companies, I felt that colleagues at large companies leave work earlier and have put more energy into life and family. But some of them are destined not to settle down. Some may return to the "garage" or join a start-up and begin a new adventure.

This continuous flow of first-class talent from large companies to small ones is hard to imagine in the Chinese security community. I once said, half joking, to a colleague at an information security administrative body in China: "Your large-scale recruitment cuts straight into the weakness of our specialized security companies. The talent ecosystem of China's specialized information security companies has always struggled: first came the corrosion of the underground economy, then the temptation of high salaries at the Internet oligarchs; on the left there is the room to grow by staying abroad, and now on the right there is the even greater attraction of your civil-service benefits."

Perhaps it is against the backdrop of distrust and force majeure surrounding APT that I cannot help thinking about our domestic industrial ecosystem.

If small and medium-sized enterprises are the basic cornerstone and yardstick of a social economy, which mainstream economists will not deny, then what will be the future fate of China's independent and weak specialized information security companies, compared with the stars of Silicon Valley?

A few days after we returned to China, the "2012 Overview of China's Internet Network Security Situation" was released. What we see in it is crisis and undercurrents. China has a long way to go, from the operation of society down to people's daily lives, to establish real information security guarantees. We are not afraid of a hard road, but it matters to know where the road is.

Through my office window, I looked at one of Beijing's rare blue skies and reaffirmed a faith I have never lost:

I firmly believe that the collective rise of independent information security companies is the hope of a country's information security industry, and that the most important cornerstone of a country's information security is that every individual citizen can obtain sufficient information security guarantees.

(Thanks to my colleagues Claud and Angel for proofreading and to Lying for the drawings.)


Supplementary Note 1:

Colleagues in the industry have criticized this article as narrow and subjective: from the perspective of an anti-virus researcher, it does not present a panoramic view of the global security industry as seen at RSA. I accept this. I admit I have always been very subjective. This RSA trip was also very utilitarian and narrow-band, not helped by my poor English. During the exhibition days, apart from the pre-arranged exchanges, I only went to look at the booths of the few vendors I cared most about. As a member of an exhibitor's staff, that is my job and my perspective; but as an author who agreed to write for this issue of Programmer, when I tried to build a more complete picture in my mind I suddenly found that I had not done the preparation, which is a matter of some shame and regret.

I have never considered myself a good writer. I usually just describe my observations, feelings, experience and judgment. I seldom look up and check additional material, and I even dislike too much reference and quotation. But that is who I am. I solemnly declare that this style will not change in ten years.

Supplementary Note 2:

At the end of the article I mentioned that "every individual citizen can obtain sufficient information security guarantees". A friend saw the words "every citizen" and asked whether I had reconsidered desktop users and that market. If my friends can read it that way, perhaps I did not express myself clearly enough, so let me explain: what I said is not "every computer" or "every node" but "every citizen". The information security meant here includes not only the rights written into law, but also the actual rights, interests and objective circumstances of individual citizens in judicial, administrative, technical, educational and other respects.