当前位置:网站首页>Case ① | host security construction: best practice of 3 levels and 11 capabilities

Case ① | host security construction: best practice of 3 levels and 11 capabilities

2022-07-06 20:05:00 InfoQ

In the near future , The first in China, jointly launched by Xintong academy and Ivy League 《 Host security capacity building guide 》, Received widespread attention in the industry , This guide combs the host security capability requirements of different industries 、 Product capability evaluation process , Help users in different industries build adaptive host security capabilities and provide better strategic guidance .
Then how to build the host security capability of the government industry ?
This paper sorts out the demand priorities and key points in the construction of host security capacity in the government industry , And best practice cases of host security in the government industry .
null
Scan the code to download the full version 《 Host security capacity building guide 》

Security challenges facing the government industry

In recent years, China has accelerated the construction of a digital government , Improve the level of government services , Relevant regulatory authorities have issued 《 Government cloud security requirements 》、《 National government information project construction management measures 》、《 Information security technology government information sharing data security technical requirements 》 And so on , It puts forward systematic and comprehensive requirements for the construction and management of national government informatization projects , Promote government agencies to further strengthen the construction of network security .
The government affairs platform carries the information and data of hundreds of millions of citizens , Once the server is attacked and lost , The government system will face tampering 、 Implanting viruses and other huge security risks . The general security challenges faced by government departments are mainly reflected in :
1、
Advanced Attack
Government departments have many functions , There are complex network systems among departments . The government industry often faces persistence from hackers 、 Highly targeted attacks .
2、
Intrusion detection is difficult
The intrusion detection ability of traditional security system is limited , especially Linux Server , Lack of an effective collapse detection system . Combined with the , There are constantly emerging loopholes in the network system , Traditional intrusion detection technology can not effectively deal with these changeable security problems .
3、
Regulatory compliance requirements
Government agencies must comply with national laws and regulations , Meet various regulatory requirements and safety standards from the country and industry , Avoid business losses .
4、
E-government cloud security
The scale of e-government network platform continues to expand , The security of the new architecture network cloud platform has attracted much attention , Virtualization is one of the most widely implemented technologies in cloud computing data centers at this stage .
Security problems of government and important information systems occur frequently , This requires the government to improve the ability of network security protection , Carry out efficient host security product selection , Ensure that important information and data are not maliciously tampered with and used .

Government industry host security maturity

The more perfect the host security capability of government agencies , More host security capabilities are covered , The more it can provide better security protection for the host and its hosted services . In the early stage of informatization construction of government industry , The safety construction of the government is mainly driven by compliance , When selecting the safety model of the host , Government agencies pay more attention to the basic level ability of host security and virus detection and killing ability . With the complication of attack tactics deepening , Government agencies need to supplement the enhanced level 、 Advanced host security capability .

Recently released 《 Host security capacity building guide 》 Mentioned in the report , The host security capabilities required by the government industry are divided into three levels , That is, the basic level host security capability 、 Enhance the security capability of the first level host and the security capability of the advanced level host . The report disassembles these three levels of capabilities :

One 、 Basic level host security construction requirements
1、
Asset count
System administrators usually need to effectively inventory and manage the host assets in the network environment , When the host size is too large , It takes time and effort to check and analyze information , To further improve the management efficiency of large-scale cluster hosts , Need to improve automation , Reduce human intervention .

Basic requirements for asset inventory :
  • The host found : It can automatically discover hosts , For different network conditions , Provide a variety of exploration methods .
  • Application inventory : Automate the inventory process 、 port 、 account number 、 middleware 、 database 、 Big data components 、Web  application 、 Web  frame 、Web  More than ten categories of security assets such as sites .
  • Asset search : Provide key assets ( host 、 account number 、 Process, etc ) System wide Correlation , Joint search across multiple assets .

2、
Risk discovery
The ability of risk discovery can enable security managers to reinforce the system before an attack occurs , Risk reduction points exist .

Basic requirements for risk discovery :
  • It can update and respond to new vulnerabilities in real time .
  • Ability to set scanning preferences .
  • Reduce host resource consumption , Be able to adapt to a specific host 、 Specific circumstances .
  • Vulnerability scanning can be integrated with existing patch management systems .
  • Support for all operating systems .
  • Support to judge the impact of vulnerability repair .

3、
Intrusion detection
Host intrusion detection refers to the ability to identify the intrusion events that occur in the host and analyze its intrusion signs , Help security personnel monitor and analyze the intrusion process .

Basic requirements of intrusion detection :
  • It's easy to operate , Convenient operation and maintenance in the later stage .
  • Minimum system occupancy , Can adapt to a variety of systems .
  • Be able to record events correctly , And send intrusion warning messages to the security administrator
  • Be able to conduct effective intrusion analysis 、 Incident handling and evidence collection .
  • Easy to access and view logs , Provide log filtering function , Easy to operate and search .

4、
Compliance baseline
Compliance baseline capability refers to the operating system 、 database 、 Middleware, etc. for configuration security detection , And provide description of test results and reinforcement suggestions , Help government agencies to strengthen system security , Reduce intrusion risk and meet security compliance requirements .

Basic requirements of compliance baseline :
  • It can realize one key automatic detection , And provide repair suggestions according to the test results , Meet the compliance requirements .
  • Support custom baseline , Make self-examination and rectification in advance by formulating strategies , Flexible response to various strength Standards .
  • Based on domestic and foreign baseline Standards , Such as waiting for insurance 2.0、CIS  The benchmark , Build rich  Checklist  The knowledge base .
  • It can adapt to different operating system environments , Support scanning operating system 、 database 、 Middleware etc. .

5、
Virus killing
Virus detection and killing assume the security role of the host entrance , Prevent malicious programs from entering .

Basic requirements for virus detection and killing :
  • Integrate multiple influential virus detection engines , And regularly update the detection Library .
  • Fit common usage scenarios and ISO requirements .
  • Actively block and isolate the confirmed virus .
  • Quickly verify the virus found , And analyze its intrusion path .
  • It can restore the content of the host that has been maliciously modified .

6、
Document integrity

Document integrity capability can help government agencies monitor key system documents 、 Directory etc. , To detect any unauthorized changes .

Basic requirements for document integrity :
  • The ability to establish file integrity monitoring for files or directories that are commonly used or have compliance requirements .
  • Be able to detect unexpected file changes .
  • Provide customization of monitoring rules , Reduce reporting noise , And alert and notify the file change events that need special attention .

Two 、 Strengthen the security construction requirements of level host
1、
Memory horse detection
Recent years , The heat of attack and defense exercises is getting higher and higher . In the game between attack and defense , The defender uses it comprehensively  NDR、EDR And other professional safety products , Traditional file upload  Webshell  Or the backdoor residing in the form of file is easy to be successfully detected , The utilization rate of memory horse has increased rapidly .

Basic requirements for memory horse detection :
  • Can detect memory  Webshell、 Process memory injection 、 Malicious DLL loading and other common memory horses .
  • Memory backdoor detection should not affect the operation of the main business program .
  • Can find malicious code running in the process memory , And send an alarm to the user in time .
  • Provide analysis and description of the characteristics of malicious code .
  • Use the ability of accurate detection to verify the repair results of the memory backdoor .

2、
Host honeypot
The host honeypot hosts by arranging decoys 、 Network service or file , Entice the attacker to attack the bait , So as to capture and analyze the attack behavior , Understand the tools and methods used by the attacker , Speculate on the intention and motive of the attack .

Basic requirements of host honeypot :
  • Set honeypots to confuse attackers , Collect real data on actual attacks and other unauthorized activities .
  • By deploying honeypot files , Monitor the operation behavior of files in real time , Lure hackers to attack , Avoid disclosure of real business documents .
  • Monitor suspicious port scanning behavior in real time and record , Analyze the purpose and motivation of hackers , Timely fix system security vulnerabilities , Avoid real attacks .

3、
Micro isolation
Micro isolation architecture can be used for intranet ( East West ) Flow protection , Meet the development needs of the industry . Under the micro isolation framework , host 、 operating system 、 Containers become sensors , In case of policy violating access , Immediately trigger an alarm or deny access , Only authorized traffic can be released , In Intranet  90% The above unsafe network access can be eliminated .

Basic requirements of micro isolation :
  • Zero trust : Realize the access between networks based on the concept of zero trust , Only after the administrator grants credit can you access , Block the access of non credit machines in time , Stifle potential threats .
  • visualization : The access between networks is visual to users , When illegal or malicious access occurs , Can distinguish legal and illegal access through different colors .
  • The adaptive : Network access policy adaptation . Policies should automatically adapt to changes in the network environment , Timely distribute and implement the latest strategies .
  • Continuous monitoring : Abnormal or illegal access behaviors that may occur in the network should be monitored in real time and continuously .
3、 ... and 、 Advanced host security construction requirements

1、
Supply chain security
Software supply chain attack has low cost 、 Features of good effect ,SolarWinds、Log4j2  And other supply chain security incidents have caused great impact , Software supply chain security has been widely concerned .

Basic requirements of supply chain security :
  • The person in charge of supply chain network security should cooperate with the relevant teams in the product development cycle , Fully consider the employees of suppliers and developers 、 technological process 、 Safety problems in tools, etc .
  • Maintain and manage your own  SBOM, Be able to accurately identify key information . At the same time, it needs to support asset information in the cloud native environment .
  • Government agencies using cloud native technology , Should be based on  DevSecOps  idea , Adopt an integrated approach that extends from the development phase to runtime protection , Realize the safety of the whole software life cycle .

2、 Threatening to hunt
Threat hunting is an active 、 Hypothesis driven threat discovery activities , It aims to find controls that are not covered in the passive monitoring function 、 Activities or attackers  TTP.

Basic requirements of threat hunting :
  • Judge whether the behavior is normal or abnormal : Summarize laws from the behavior of government agencies , Generate relevant models , And regularly check whether there is any behavior that breaks the original law , Effectively identify normal and abnormal behaviors .
  • Understand the organization's high-value goals : You need to know the target of the attacker , Sort out all high-value goals of government agencies .
  • Data association analysis : Connect several kinds of raw data , Global analysis , Relational query , Find abnormal behavior , Realize the timely discovery of unknown threats and the path traceability of known threats .
  • Predict how to be attacked : Attackers exploit weaknesses in organizational structures and data flows , Try to get valuable data without being noticed .

Host security construction cases in the government industry

Based on the host security requirements priority and capability requirements of the government industry , Ivy is for the government industry , Introduced a host based adaptive security scheme 、 Security intensive management scheme 、 Real time intrusion detection scheme 、 E-government cloud security solutions and other comprehensive solutions , And has achieved 1 It's a lightweight Agent Unlimited expansion ,500,000+ Government industry Agent Deployment volume , covers 100+ Central ministries and commissions and local administrative agencies , Support large-scale re insurance activities in total 100+ Important achievements of , Become a host security service provider trusted by government agencies .

Below , Ivy will provide a cross regional host security defense system construction scheme for a Provincial Seismological Bureau , Let's analyze the implementation of the plan in detail .
One 、 Background Overview
The Seismological Bureau is not only for the central government and local governments at all levels , And high-speed rail 、 Nuclear power and other major national infrastructure industries provide professional earthquake information , It also provides convenience for the public 、 Easy to understand earthquake information service . The network assets of Seismological Bureau are important information infrastructure , It is also the earthquake department that carries out earthquake monitoring 、 prediction 、 Network basic platform for scientific research .

Two 、 Program requirements
The Seismological Bureau administers the national earthquake monitoring and prediction work , Protecting the security of the server carrying the core business is the basis of the work , However, there are several prominent problems in the host security .

1、
Enhance the ability of safety protection
In recent years, cross regional network attacks have increased year by year , The scope of influence has gradually expanded , It is often a small loophole , It needs the whole network to deal with , It is necessary to enhance the safety protection capability of the seismic network .

2、
Improve the ability of risk discovery
When the resources of the security operation and maintenance team are limited , How to improve the ability of risk early warning and discovery , Avoid carrying out safety emergency work after a safety incident .

3、
Meet the level III requirements of equal warranty
Users who log in to the operating system and database system need to be effectively identified , For important user behavior 、 Audit the abnormal use of system resources , And then meet the regulatory requirements such as insurance compliance .

3、 ... and 、 Solution
  • Rapid deployment with automated operation and maintenance tools , Quickly realize the security guarantee ability of servers in the decentralized industry LAN .
  • Ivy vine has been deployed on the two core business systems of the Seismological Bureau business network and the station network center network Agent, Through model analysis and calculation , Discover risks and threats in real time .
  • Through expert remote online consultation 、 On site support services to achieve in-depth analysis of security strategy risks 、 track 、 Handle 、 close , Form a closed loop of safety management .
null
Four 、 Program benefits
 “ In order to accurately predict earthquake information , It is inseparable from the huge business system support , And behind this business network , It is the adaptive security platform of sinomeni host . We use Ivy security solutions , Greatly improve the ability of risk discovery and response .” The customer commented on Ivy's host security platform .
 
Ivy League has gained recognition in helping the government informatization process of the Seismological Bureau and the construction of host security protection , Help the Seismological Bureau to achieve safe and efficient operation and maintenance , Reduced labor costs ; Find all kinds of intrusions at the first time , Minimize losses ; Establish a reasonable security defense system , Meet the compliance requirements of the supervisor .

summary

The driving factors for safety construction in different industries are different , And the risks faced by the business relationship are different , Each industry has different priorities for the construction of host security capabilities , Should be in manpower 、 With limited financial resources , Give priority to the most urgent needs 、 Capacity building that best matches business security requirements .

This paper mainly analyzes the priority of government agencies' demand for the security capability of each host and the requirements for capacity building . Next , We will launch more detailed financial 、 Operator, 、 A large enterprise 、 Guidelines for host security capacity building in Internet and other industries , You are welcome to pay attention to . If you want to know more about or try the host security products for free , You can call 400-188-9287 turn 1, Establish contact with our security advisor .

For details , Scan the QR code to download the complete report !
null
Scan the code to download the full version 《 Host security capacity building guide 》
原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/187/202207061205462604.html

边栏推荐

猜你喜欢

随机推荐