当前位置:网站首页>Case ① | host security construction: best practice of 3 levels and 11 capabilities
Case ① | host security construction: best practice of 3 levels and 11 capabilities
2022-07-06 20:05:00 【InfoQ】
In the near future , The first in China, jointly launched by Xintong academy and Ivy League 《 Host security capacity building guide 》, Received widespread attention in the industry , This guide combs the host security capability requirements of different industries 、 Product capability evaluation process , Help users in different industries build adaptive host security capabilities and provide better strategic guidance .
Then how to build the host security capability of the government industry ?
This paper sorts out the demand priorities and key points in the construction of host security capacity in the government industry , And best practice cases of host security in the government industry .
Scan the code to download the full version 《 Host security capacity building guide 》
Security challenges facing the government industry
In recent years, China has accelerated the construction of a digital government , Improve the level of government services , Relevant regulatory authorities have issued 《 Government cloud security requirements 》、《 National government information project construction management measures 》、《 Information security technology government information sharing data security technical requirements 》 And so on , It puts forward systematic and comprehensive requirements for the construction and management of national government informatization projects , Promote government agencies to further strengthen the construction of network security .
The government affairs platform carries the information and data of hundreds of millions of citizens , Once the server is attacked and lost , The government system will face tampering 、 Implanting viruses and other huge security risks . The general security challenges faced by government departments are mainly reflected in :
1、
Advanced Attack
Government departments have many functions , There are complex network systems among departments . The government industry often faces persistence from hackers 、 Highly targeted attacks .
2、
Intrusion detection is difficult
The intrusion detection ability of traditional security system is limited , especially Linux Server , Lack of an effective collapse detection system . Combined with the , There are constantly emerging loopholes in the network system , Traditional intrusion detection technology can not effectively deal with these changeable security problems .
3、
Regulatory compliance requirements
Government agencies must comply with national laws and regulations , Meet various regulatory requirements and safety standards from the country and industry , Avoid business losses .
4、
E-government cloud security
The scale of e-government network platform continues to expand , The security of the new architecture network cloud platform has attracted much attention , Virtualization is one of the most widely implemented technologies in cloud computing data centers at this stage .
Security problems of government and important information systems occur frequently , This requires the government to improve the ability of network security protection , Carry out efficient host security product selection , Ensure that important information and data are not maliciously tampered with and used .
Government industry host security maturity
The more perfect the host security capability of government agencies , More host security capabilities are covered , The more it can provide better security protection for the host and its hosted services . In the early stage of informatization construction of government industry , The safety construction of the government is mainly driven by compliance , When selecting the safety model of the host , Government agencies pay more attention to the basic level ability of host security and virus detection and killing ability . With the complication of attack tactics deepening , Government agencies need to supplement the enhanced level 、 Advanced host security capability .
Recently released 《 Host security capacity building guide 》 Mentioned in the report , The host security capabilities required by the government industry are divided into three levels , That is, the basic level host security capability 、 Enhance the security capability of the first level host and the security capability of the advanced level host . The report disassembles these three levels of capabilities :
One 、 Basic level host security construction requirements
1、
Asset count
System administrators usually need to effectively inventory and manage the host assets in the network environment , When the host size is too large , It takes time and effort to check and analyze information , To further improve the management efficiency of large-scale cluster hosts , Need to improve automation , Reduce human intervention .
Basic requirements for asset inventory :
- The host found : It can automatically discover hosts , For different network conditions , Provide a variety of exploration methods .
- Application inventory : Automate the inventory process 、 port 、 account number 、 middleware 、 database 、 Big data components 、Web application 、 Web frame 、Web More than ten categories of security assets such as sites .
- Asset search : Provide key assets ( host 、 account number 、 Process, etc ) System wide Correlation , Joint search across multiple assets .
2、
Risk discovery
The ability of risk discovery can enable security managers to reinforce the system before an attack occurs , Risk reduction points exist .
Basic requirements for risk discovery :
- It can update and respond to new vulnerabilities in real time .
- Ability to set scanning preferences .
- Reduce host resource consumption , Be able to adapt to a specific host 、 Specific circumstances .
- Vulnerability scanning can be integrated with existing patch management systems .
- Support for all operating systems .
- Support to judge the impact of vulnerability repair .
3、
Intrusion detection
Host intrusion detection refers to the ability to identify the intrusion events that occur in the host and analyze its intrusion signs , Help security personnel monitor and analyze the intrusion process .
Basic requirements of intrusion detection :
- It's easy to operate , Convenient operation and maintenance in the later stage .
- Minimum system occupancy , Can adapt to a variety of systems .
- Be able to record events correctly , And send intrusion warning messages to the security administrator
- Be able to conduct effective intrusion analysis 、 Incident handling and evidence collection .
- Easy to access and view logs , Provide log filtering function , Easy to operate and search .
4、
Compliance baseline
Compliance baseline capability refers to the operating system 、 database 、 Middleware, etc. for configuration security detection , And provide description of test results and reinforcement suggestions , Help government agencies to strengthen system security , Reduce intrusion risk and meet security compliance requirements .
Basic requirements of compliance baseline :
- It can realize one key automatic detection , And provide repair suggestions according to the test results , Meet the compliance requirements .
- Support custom baseline , Make self-examination and rectification in advance by formulating strategies , Flexible response to various strength Standards .
- Based on domestic and foreign baseline Standards , Such as waiting for insurance 2.0、CIS The benchmark , Build rich Checklist The knowledge base .
- It can adapt to different operating system environments , Support scanning operating system 、 database 、 Middleware etc. .
5、
Virus killing
Virus detection and killing assume the security role of the host entrance , Prevent malicious programs from entering .
Basic requirements for virus detection and killing :
- Integrate multiple influential virus detection engines , And regularly update the detection Library .
- Fit common usage scenarios and ISO requirements .
- Actively block and isolate the confirmed virus .
- Quickly verify the virus found , And analyze its intrusion path .
- It can restore the content of the host that has been maliciously modified .
6、
Document integrity
Document integrity capability can help government agencies monitor key system documents 、 Directory etc. , To detect any unauthorized changes .
Basic requirements for document integrity :
- The ability to establish file integrity monitoring for files or directories that are commonly used or have compliance requirements .
- Be able to detect unexpected file changes .
- Provide customization of monitoring rules , Reduce reporting noise , And alert and notify the file change events that need special attention .
Two 、 Strengthen the security construction requirements of level host
1、
Memory horse detection
Recent years , The heat of attack and defense exercises is getting higher and higher . In the game between attack and defense , The defender uses it comprehensively NDR、EDR And other professional safety products , Traditional file upload Webshell Or the backdoor residing in the form of file is easy to be successfully detected , The utilization rate of memory horse has increased rapidly .
Basic requirements for memory horse detection :
- Can detect memory Webshell、 Process memory injection 、 Malicious DLL loading and other common memory horses .
- Memory backdoor detection should not affect the operation of the main business program .
- Can find malicious code running in the process memory , And send an alarm to the user in time .
- Provide analysis and description of the characteristics of malicious code .
- Use the ability of accurate detection to verify the repair results of the memory backdoor .
2、
Host honeypot
The host honeypot hosts by arranging decoys 、 Network service or file , Entice the attacker to attack the bait , So as to capture and analyze the attack behavior , Understand the tools and methods used by the attacker , Speculate on the intention and motive of the attack .
Basic requirements of host honeypot :
- Set honeypots to confuse attackers , Collect real data on actual attacks and other unauthorized activities .
- By deploying honeypot files , Monitor the operation behavior of files in real time , Lure hackers to attack , Avoid disclosure of real business documents .
- Monitor suspicious port scanning behavior in real time and record , Analyze the purpose and motivation of hackers , Timely fix system security vulnerabilities , Avoid real attacks .
3、
Micro isolation
Micro isolation architecture can be used for intranet ( East West ) Flow protection , Meet the development needs of the industry . Under the micro isolation framework , host 、 operating system 、 Containers become sensors , In case of policy violating access , Immediately trigger an alarm or deny access , Only authorized traffic can be released , In Intranet 90% The above unsafe network access can be eliminated .
Basic requirements of micro isolation :
- Zero trust : Realize the access between networks based on the concept of zero trust , Only after the administrator grants credit can you access , Block the access of non credit machines in time , Stifle potential threats .
- visualization : The access between networks is visual to users , When illegal or malicious access occurs , Can distinguish legal and illegal access through different colors .
- The adaptive : Network access policy adaptation . Policies should automatically adapt to changes in the network environment , Timely distribute and implement the latest strategies .
- Continuous monitoring : Abnormal or illegal access behaviors that may occur in the network should be monitored in real time and continuously .
3、 ... and 、 Advanced host security construction requirements
1、
Supply chain security
Software supply chain attack has low cost 、 Features of good effect ,SolarWinds、Log4j2 And other supply chain security incidents have caused great impact , Software supply chain security has been widely concerned .
Basic requirements of supply chain security :
- The person in charge of supply chain network security should cooperate with the relevant teams in the product development cycle , Fully consider the employees of suppliers and developers 、 technological process 、 Safety problems in tools, etc .
- Maintain and manage your own SBOM, Be able to accurately identify key information . At the same time, it needs to support asset information in the cloud native environment .
- Government agencies using cloud native technology , Should be based on DevSecOps idea , Adopt an integrated approach that extends from the development phase to runtime protection , Realize the safety of the whole software life cycle .
2、 Threatening to hunt
Threat hunting is an active 、 Hypothesis driven threat discovery activities , It aims to find controls that are not covered in the passive monitoring function 、 Activities or attackers TTP.
Basic requirements of threat hunting :
- Judge whether the behavior is normal or abnormal : Summarize laws from the behavior of government agencies , Generate relevant models , And regularly check whether there is any behavior that breaks the original law , Effectively identify normal and abnormal behaviors .
- Understand the organization's high-value goals : You need to know the target of the attacker , Sort out all high-value goals of government agencies .
- Data association analysis : Connect several kinds of raw data , Global analysis , Relational query , Find abnormal behavior , Realize the timely discovery of unknown threats and the path traceability of known threats .
- Predict how to be attacked : Attackers exploit weaknesses in organizational structures and data flows , Try to get valuable data without being noticed .
Host security construction cases in the government industry
Based on the host security requirements priority and capability requirements of the government industry , Ivy is for the government industry , Introduced a host based adaptive security scheme 、 Security intensive management scheme 、 Real time intrusion detection scheme 、 E-government cloud security solutions and other comprehensive solutions , And has achieved 1 It's a lightweight Agent Unlimited expansion ,500,000+ Government industry Agent Deployment volume , covers 100+ Central ministries and commissions and local administrative agencies , Support large-scale re insurance activities in total 100+ Important achievements of , Become a host security service provider trusted by government agencies .
Below , Ivy will provide a cross regional host security defense system construction scheme for a Provincial Seismological Bureau , Let's analyze the implementation of the plan in detail .
One 、 Background Overview
The Seismological Bureau is not only for the central government and local governments at all levels , And high-speed rail 、 Nuclear power and other major national infrastructure industries provide professional earthquake information , It also provides convenience for the public 、 Easy to understand earthquake information service . The network assets of Seismological Bureau are important information infrastructure , It is also the earthquake department that carries out earthquake monitoring 、 prediction 、 Network basic platform for scientific research .
Two 、 Program requirements
The Seismological Bureau administers the national earthquake monitoring and prediction work , Protecting the security of the server carrying the core business is the basis of the work , However, there are several prominent problems in the host security .
1、
Enhance the ability of safety protection
In recent years, cross regional network attacks have increased year by year , The scope of influence has gradually expanded , It is often a small loophole , It needs the whole network to deal with , It is necessary to enhance the safety protection capability of the seismic network .
2、
Improve the ability of risk discovery
When the resources of the security operation and maintenance team are limited , How to improve the ability of risk early warning and discovery , Avoid carrying out safety emergency work after a safety incident .
3、
Meet the level III requirements of equal warranty
Users who log in to the operating system and database system need to be effectively identified , For important user behavior 、 Audit the abnormal use of system resources , And then meet the regulatory requirements such as insurance compliance .
3、 ... and 、 Solution
- Rapid deployment with automated operation and maintenance tools , Quickly realize the security guarantee ability of servers in the decentralized industry LAN .
- Ivy vine has been deployed on the two core business systems of the Seismological Bureau business network and the station network center network Agent, Through model analysis and calculation , Discover risks and threats in real time .
- Through expert remote online consultation 、 On site support services to achieve in-depth analysis of security strategy risks 、 track 、 Handle 、 close , Form a closed loop of safety management .
Four 、 Program benefits
“ In order to accurately predict earthquake information , It is inseparable from the huge business system support , And behind this business network , It is the adaptive security platform of sinomeni host . We use Ivy security solutions , Greatly improve the ability of risk discovery and response .” The customer commented on Ivy's host security platform .
Ivy League has gained recognition in helping the government informatization process of the Seismological Bureau and the construction of host security protection , Help the Seismological Bureau to achieve safe and efficient operation and maintenance , Reduced labor costs ; Find all kinds of intrusions at the first time , Minimize losses ; Establish a reasonable security defense system , Meet the compliance requirements of the supervisor .
summary
The driving factors for safety construction in different industries are different , And the risks faced by the business relationship are different , Each industry has different priorities for the construction of host security capabilities , Should be in manpower 、 With limited financial resources , Give priority to the most urgent needs 、 Capacity building that best matches business security requirements .
This paper mainly analyzes the priority of government agencies' demand for the security capability of each host and the requirements for capacity building . Next , We will launch more detailed financial 、 Operator, 、 A large enterprise 、 Guidelines for host security capacity building in Internet and other industries , You are welcome to pay attention to . If you want to know more about or try the host security products for free , You can call 400-188-9287 turn 1, Establish contact with our security advisor .
For details , Scan the QR code to download the complete report !
Scan the code to download the full version 《 Host security capacity building guide 》
边栏推荐
- Speech recognition (ASR) paper selection: talcs: an open source Mandarin English code switching corps and a speech
- 系统与应用监控的思路和方法
- Appx代码签名指南
- Phoenix Architecture 3 - transaction processing
- Understand yolov1 Part II non maximum suppression (NMS) in prediction stage
- 使用ssh连接被拒
- Pay attention to the partners on the recruitment website of fishing! The monitoring system may have set you as "high risk of leaving"
- 手把手教你学会js的原型与原型链,猴子都能看懂的教程
- The "white paper on the panorama of the digital economy" has been released with great emphasis on the digitalization of insurance
- 信息系统项目管理师---第八章 项目质量管理
猜你喜欢
VMware virtual machine cannot open the kernel device "\.\global\vmx86"
OceanBase社区版之OBD方式部署方式单机安装
Tencent Android interview must ask, 10 years of Android development experience
Blue Bridge Cup microbial proliferation C language
Tencent architects first, 2022 Android interview written examination summary
Tencent T3 teaches you hand in hand. It's really delicious
Node.js: express + MySQL实现注册登录,身份认证
企业精益管理体系介绍
BUUCTF---Reverse---easyre
Chic Lang: attributeerror: partially initialized module 'CV2' has no attribute 'GAPI_ wip_ gst_ GStreamerPipe
随机推荐
Leetcode 30. Concatenate substrings of all words
Cesium Click to draw a circle (dynamically draw a circle)
部门树递归实现
Phoenix Architecture 2 - accessing remote services
PowerPivot - DAX (first time)
Monthly report of speech synthesis (TTS) and speech recognition (ASR) papers in June 2022
Selenium advanced operations
HDU 1026 search pruning problem within the labyrinth of Ignatius and the prince I
Hudi vs Delta vs Iceberg
《数字经济全景白皮书》保险数字化篇 重磅发布
An East SMS login resurrection installation and deployment tutorial
mod_ WSGI + pymssql path SQL server seat
Microservice architecture debate between radical technologists vs Project conservatives
技术分享 | 抓包分析 TCP 协议
颜色(color)转换为三刺激值(r/g/b)(干股)
RT-Thread 组件 FinSH 使用时遇到的问题
爬虫(14) - Scrapy-Redis分布式爬虫(1) | 详解
精彩编码 【进制转换】
Learning and Exploration - function anti shake
Introduction to enterprise lean management system