
The "Competition" and "Opportunities" Hidden in Security Operations in the Cloud Era

2022-06-24 17:06:00 Tencent security

In the era of big data and cloud computing, data and personal information have become "gold on the cloud", comparable in value to oil, and security incidents such as data leaks and network attacks against enterprises and individuals occur from time to time. Against this background, the new generation of SOC (Security Operations Center) has emerged and plays an ever larger role in network and information security protection.

So, under the general trend of the cloud era, what has changed in security operations? From passive defense to adaptive real-time monitoring and response, and on to intelligent security orchestration and automation, which exciting new features and technologies have appeared in the new generation of security operations architecture? What new practical experience has come out of this evolution, driven by technology and operating models? And in the continuous game and "contest" with security risks, what new development opportunities can SOC obtain?

Around these hot topics of security operations in the cloud era, Fu Kui, CTO of Shanghai Wuqi Intelligent Technology Co., Ltd; Zhang Runzi, senior security researcher at Tianshu Laboratory of Green Alliance Technology Group Co., Ltd; Bao Qingbo, director of Tianrongxin's big data analysis product line; Xiao Yu, product owner of Tencent Security SOC; Liu Guize, product director of Tencent Security SOC; and other senior experts in the field of digital security operations gathered on March 27 at the Tencent Security thought-sharing event to jointly explore the construction of security operations in the cloud era under the theme "The transformation and evolution of SOC in the cloud era".

01

Cloud SOC: the cloud era gives security operations new life

In a speech titled 《Cloud SOC: the cloud era gives security operations new life》, Xiao Yu, product owner of Tencent Security SOC, presented the operational problems of SOC in the cloud era and their solutions:

Xiao Yu, product owner of Tencent Security SOC

The problems security operations faces in the cloud era are familiar ones: there are still too many events, too many mixed identities, and assets that are not clearly accounted for.

"Too many events" is reflected in the sheer volume of events. This problem persists in the cloud era; the backlog of large numbers of security incidents is hard to deal with and wears out security operations staff. "Mixed identities" arises because third-party accounts are involved, and user behavior is a new challenge for security operators; in the SolarWinds incident that broke out not long ago, the cause may have been a large number of untraceable accounts in supply chain management, where supply chain management and personnel account management were not done well. "Unclear assets": assets in the cloud era are destroyed and created rapidly, which is more flexible than a traditional environment but also more likely to spawn new derived assets, so sorting out asset management is likewise a problem of the cloud era.

As a result, the cloud era brings new demands. For example, in the platform model both the service provider and the consumer have security demands: the service provider must ensure its own security management as well as the security of its consumers, and the consumer also expects its own security management to be in place.

In addition, the division of responsibilities between the platform and its tenants in cloud scenarios is a new requirement. Tencent has put forward a new concept called Cloud SOC, which aims to solve both the security problem and the management problem.

The tenant and multi-environment modules are used to solve the management problem; the security problem is addressed through monitoring and deep analysis, using visualization, an open platform and other technical means.

Overall, Cloud SOC collects relevant security information, including cloud logs and third-party data, into the system for operation. The security system includes defense, detection, response and prediction models, and serves the platform and the tenants at the same time.

The security thinking behind this system: in terms of defense, strengthening yourself is the best defense strategy; at the same time an organic closed loop is formed between the detection and response modules, with reliable service as the basic guarantee supporting the operation of the whole system.

Defense needs to solve the "unclear assets" problem. Tencent Cloud SOC can connect native assets with third-party assets through endpoints and APIs, and here Tencent has many years of service experience, including experience extracting asset data from traffic.

In the cloud, Cloud SOC's CSPM (Cloud Security Posture Management) refers to managed inspection of cloud security risk configurations: this mechanism inspects cloud assets automatically, configurations that do not meet requirements are identified by the platform as risk assets, and security operations staff are alerted.

For the "mixed identities" problem, Cloud SOC works in the detection and response links: through Tencent's own XDR small loop, SIEM, and intelligence-driven UEBA models, it obtains accurate intelligence from reliable traffic and endpoints, consolidates it, captures real threat information and improves security operations coverage, so as to produce high-quality alerts and responses.

From a management perspective, the driving force of the Cloud SOC model is still the platform as a whole plus people: relying on monitoring, analysis and response, and summary reports, together with operations experts and attack-and-defense experts, to make the platform run efficiently.

On the other hand, regarding the division of responsibilities between the platform side and the tenant side, Cloud SOC naturally takes both perspectives: it attaches clear labels to platform-side and tenant-side data to distinguish them, and uses classic, mature RBAC for function-level access control. These data labels can also be extended to all platform models, assigning the responsible party for each piece of data to the platform side or to a tenant, and taking advantage of the cloud platform to manage and operate the relevant data functions in a unified way.

Tencent Cloud SOC has now been tested in practice. For example, in one enterprise or institution, Cloud SOC used a strong detection-response closed loop to build the best "rehearsed" protection; in a large financial organization, Cloud SOC can be deployed in a VPC or IDC, achieving unified management of multi-environment data and adapting to upstream and downstream links, for globally manageable, controllable and secure operations.
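The CSPM inspection and the platform/tenant data labels with RBAC described in this talk can be illustrated in a few dozen lines. The block below is an added example written for this page, not Tencent Cloud SOC code: the asset inventory, the three check rules, the owner labels and the role names are all constructed assumptions, and real CSPM would pull the inventory from the cloud provider's APIs rather than a hard-coded list.

```python
"""Added example (not Tencent Cloud SOC code): a minimal CSPM-style inspection
over a constructed cloud asset inventory. Every finding is tagged with its
responsible party (platform or tenant) and findings are filtered per role with
RBAC. Asset fields, rule names and roles are assumptions for illustration."""
from dataclasses import dataclass

# Constructed inventory: each record carries an explicit owner label so the
# platform side and the tenant side can be told apart.
ASSETS = [
    {"id": "sg-1", "type": "security_group", "owner": "tenant:acme",
     "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-2", "type": "security_group", "owner": "tenant:acme",
     "rules": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "bkt-1", "type": "bucket", "owner": "tenant:bob", "public_read": True},
    {"id": "kms-1", "type": "kms_key", "owner": "platform", "rotation_enabled": False},
]

@dataclass
class Finding:
    asset_id: str
    owner: str
    rule: str
    severity: str

# Each check returns (rule_name, severity) when the configuration fails the
# requirement, or None when the asset is compliant or the check does not apply.
def check_open_admin_port(asset):
    if asset["type"] != "security_group":
        return None
    for r in asset["rules"]:
        if r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0":
            return ("admin_port_open_to_world", "high")
    return None

def check_public_bucket(asset):
    if asset["type"] == "bucket" and asset.get("public_read"):
        return ("bucket_public_read", "high")
    return None

def check_key_rotation(asset):
    if asset["type"] == "kms_key" and not asset.get("rotation_enabled"):
        return ("kms_rotation_disabled", "medium")
    return None

CHECKS = [check_open_admin_port, check_public_bucket, check_key_rotation]

def inspect_assets(assets):
    """Run every check over every asset; each hit becomes a risk-asset finding."""
    findings = []
    for asset in assets:
        for check in CHECKS:
            hit = check(asset)
            if hit:
                findings.append(Finding(asset["id"], asset["owner"], hit[0], hit[1]))
    return findings

# RBAC scope: role -> owner labels the role may see. None means all owners.
# An unknown role resolves to an empty scope, so access is denied by default.
ROLE_SCOPES = {
    "platform_operator": None,
    "tenant_operator:acme": {"tenant:acme"},
    "tenant_operator:bob": {"tenant:bob"},
}

def visible_findings(findings, role):
    scope = ROLE_SCOPES.get(role, set())
    return [f for f in findings if scope is None or f.owner in scope]

if __name__ == "__main__":
    all_findings = inspect_assets(ASSETS)
    for role in ROLE_SCOPES:
        visible = [(f.asset_id, f.rule, f.severity) for f in visible_findings(all_findings, role)]
        print(role, visible)
```

The point worth noting is the default-deny in `visible_findings`: a role that is not in the scope table sees nothing, so a misconfigured or newly created role cannot accidentally read another tenant's risk assets.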

02

Security operations made easy with SOAR

Next, Fu Kui, CTO of Shanghai Wuqi Intelligent Technology Co., Ltd, gave a talk titled 《Security operations made easy with SOAR》:

Fu Kui, CTO of Shanghai Wuqi Intelligent Technology Co., Ltd

I used to be a front-line security operator and personally experienced some painful realities: for example, 40 million events received every day, but fewer than 10 that could be handled effectively. There was too much human interaction in the security operations process, and it was laborious. Although over the past 20 years security operations have improved in terms of security theory, technology, products and customers' operational maturity, and detection times keep getting shorter, security operators also face "opponents" equipped with automated, intelligent cyber-weapon operation platforms, while the vast majority of users can only respond to emergencies bare-handed: communication by shouting, response by hand. To change this situation, we use SOAR to help us carry out security operations quickly.

At present, many vendors at home and abroad have followed up on SOAR-related technology and achieved minute-level and second-level response. The basic idea is the same for everyone: a graphical playbook editing interface, using low-code or no-code to orchestrate the security incident response process, with support for data interaction and task scheduling.

SOAR can be an independent platform or a built-in module. In actual deployment, SOAR's emergency response is fast, accurate and stable, and its outstanding performance has been recognized by the industry. Today we can rely on the system to implement more than 80% of the steps in common security incident response scenarios. Taking a typical threat IP disposal process as an example, a comparison with manual operation shows that SOAR automated disposal reaches minute or second level, with time efficiency alone improved 84 times, not counting the personnel cost. In fact, SOAR produces different effects in different scenarios: it can not only carry out emergency response but also quickly complete incident analysis, diagnosis, collaboration, report writing and so on, avoiding wasted labor. Moreover, once such "tricks" are captured, they can be reused.

At present, Wuqi's HoneyGuide solves the collaboration problem in the incident response process through virtual warfare and AI robots, helping customers accelerate security operations with orchestration and automation. Beyond automated response, Wuqi also hopes to let people interact with the robots in natural language to improve security operations efficiency. With orchestrated automated response based on scheduling, and AI-assisted human-machine collaborative security operations, Wuqi SOAR can achieve minute-level or second-level emergency response and greatly reduce manual operation time.

SOAR is an effective means of turning experience into digital form, helping the security team achieve operational continuity and skill accumulation. By giving full play to the wisdom of human engineers and the intelligence and speed of machines, it finally makes "security that exceeds the speed and scale of the attack" possible.

Finally, I have to mention that automation is always only the means; continuous operation is the essence. The operations team should have its own ideas, take the initiative in adopting strategies, think actively, and achieve its goals with automation, rather than relying entirely on tools. That is the most important thing.
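The threat IP disposal process mentioned in this talk is the canonical SOAR playbook, so here is a minimal version of it as an added example written for this page, not Wuqi HoneyGuide code. The intel feed, allowlist, internal ranges, firewall and ticketing connectors are constructed stand-ins, and the step names and block threshold are assumptions. The playbook also shows the two checks a practitioner wants before auto-blocking anything: never block an allowlisted or internal address, and hand low-confidence hits to an analyst instead of acting.

```python
"""Added example (not Wuqi HoneyGuide code): a minimal SOAR-style playbook for
the threat-IP disposal scenario. Intel data, allowlist, internal ranges, firewall
and ticketing connectors are constructed stand-ins; step names and the block
threshold are assumptions for illustration."""
import ipaddress
from datetime import datetime, timezone

# Constructed threat-intel feed: reputation score 0..100, higher is worse.
INTEL = {
    "203.0.113.7": {"score": 92, "tags": ["c2", "scanner"]},
    "198.51.100.5": {"score": 80, "tags": ["scanner"]},
}
# IPs the playbook must never block automatically (partners, authorized scanners).
ALLOWLIST = {"198.51.100.5"}
# Org-defined internal ranges, listed explicitly rather than via ipaddress.is_private,
# because that flag also covers the documentation ranges used as sample IPs here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_THRESHOLD = 70

class FirewallStub:
    """Stands in for a firewall API; records block rules instead of pushing them."""
    def __init__(self):
        self.blocked = set()
    def block(self, ip):
        self.blocked.add(ip)   # idempotent: blocking twice is harmless
        return True

class TicketStub:
    """Stands in for a ticketing system; keeps tickets in memory."""
    def __init__(self):
        self.tickets = []
    def create(self, title, body):
        self.tickets.append({"id": len(self.tickets) + 1, "title": title, "body": body})
        return self.tickets[-1]["id"]

def step_validate(ctx):
    ip = ipaddress.ip_address(ctx["ip"])            # ValueError on malformed input
    ctx["is_internal"] = any(ip in net for net in INTERNAL_NETS)
    return ctx

def step_enrich(ctx):
    ctx["intel"] = INTEL.get(ctx["ip"], {"score": 0, "tags": []})
    return ctx

def step_decide(ctx):
    if ctx["ip"] in ALLOWLIST or ctx["is_internal"]:
        ctx["decision"] = "skip"      # never auto-block allowlisted or internal hosts
    elif ctx["intel"]["score"] >= BLOCK_THRESHOLD:
        ctx["decision"] = "block"
    else:
        ctx["decision"] = "review"    # low confidence: hand to an analyst
    return ctx

def step_act(ctx):
    if ctx["decision"] == "block":
        ctx["fw"].block(ctx["ip"])
    # Every run leaves a ticket, so skipped and reviewed IPs stay traceable too.
    ctx["ticket_id"] = ctx["tickets"].create(
        f"Threat IP {ctx['ip']}: {ctx['decision']}", str(ctx["intel"]))
    return ctx

PLAYBOOK = [step_validate, step_enrich, step_decide, step_act]

def run_playbook(ip, fw, tickets):
    """Run the steps in order and return the outcome with a per-step audit trail."""
    ctx = {"ip": ip, "fw": fw, "tickets": tickets, "audit": []}
    for step in PLAYBOOK:
        ctx = step(ctx)
        ctx["audit"].append((step.__name__, datetime.now(timezone.utc).isoformat()))
    return {"ip": ip, "decision": ctx["decision"],
            "ticket_id": ctx["ticket_id"], "audit": ctx["audit"]}

if __name__ == "__main__":
    fw, tk = FirewallStub(), TicketStub()
    for ip in ("203.0.113.7", "198.51.100.5", "10.1.2.3", "192.0.2.9"):
        print(run_playbook(ip, fw, tk))
    print("blocked:", fw.blocked)
```

Swapping the stubs for real connectors is the only change needed to run this against a firewall and a ticketing system; the decision logic and the audit trail are what make the playbook safe to reuse, which is the "precipitate and reuse" point of the talk.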

03

Thinking and practice on the development of intelligent security operations technology

Zhang Runzi from Tianshu Laboratory of Green Alliance Technology Group Co., Ltd also gave a keynote speech titled 《Thinking and practice on the development of intelligent security operations technology》:

Zhang Runzi from Tianshu Laboratory, Green Alliance Technology Group Co., Ltd

The pains of security operations teams are similar. Although the solution ideas and methods differ slightly, the general trend is to rely on automation to counter the difficulties brought by the information explosion.

The number of security experts is limited, and alert fatigue and painful working methods force security operations technology to keep iterating: from traditional single-point attack and defense to perimeter defense, then to the security operations center, and the next step for security operations is intelligent operations.

Gartner has attached some key technology labels to security operations, such as SIEM and UEBA; recently SOAR and XDR have also become hot topics. But these seem to lack internal security mechanisms, and privacy protection requirements also turn the systems into black boxes. Security operations also face some key challenges at present: operations need to attend to both detail and the overall situation; with data inflation, finding security threats is like looking for a needle in a haystack; recall models have high false-positive rates; technology and platforms offer little or no interaction; and robustness and security are lacking.

To deal with these problems we proposed AISecOps, that is, combining people, machines and process resources broadly for operations.

In fact, a research ecosystem for intelligent operations and maintenance has already formed at home and abroad; what we have to do is bring automation and intelligence into security operations.

Conceptually, AISecOps has four elements: "driven by intelligence, guided by security operations objectives, based on the integration of people, processes, technology and data, for the key links of network security risk control such as prevention, detection, response, prediction and recovery and for offensive-defensive confrontation, building trusted security intelligence with a high degree of automation and the ability to assist or even replace people in providing all kinds of security operations services." Our ultimate goal is to support operations with technology, and to make the technology itself operable.

To make the technology itself operable, we need a model to guide the direction and to think about which stages of operations our work covers. As the picture above shows, we are still far from automated operations: we are at the L2-L3 stage, where data analysis is used only in limited scenarios to get information through.

To support complete automated operations, we need to go from perception and recognition to cognition and production, and then to the whole process of generating strategies, opening up the human-machine collaboration cycle. This is our working model and thinking; the goal is that in the next 5-10 years human-machine collaboration can be fully automated in many scenarios.

The picture above shows a map of 16 cutting-edge technologies for AISecOps, which can guide what we should do next.

At present, some of the work we are doing includes a hyper-fusion knowledge graph, which can support all underlying data and multi-scenario DSL design and establishes a fused data analysis mechanism.

On this basis, different detection units, recall units, risk assessment modules and feedback interpretation units are created for different scenarios, with an orchestrable recommendation engine that learns the different preferences of experts or operators.

In addition, we have preliminarily built an interpretability engine based on open-source text interpretation models, which can automatically extract keywords; currently only text is supported, but graphs will be supported next.

To support human-machine collaboration in a data-driven manner, we use a rule extraction engine to convey the learning results to experts through interpretable models, find rules in the knowledge extracted by the recommendation engine, form rules and strategies, and then, through a search engine, solidify the knowledge using a unified language abstraction.

To sum up: the experience of security experts is hard to replicate and human energy is limited, but machines can do it. First, the data-driven approach is only a temporary solution; key decisions should be judged according to the specific circumstances, but supporting decisions and strategies with data is the fundamental starting point of our technical route. Orchestrable capabilities should support different business scenarios and respond at every operational step. "Teaching a man to fish is better than giving him a fish": be able to explain why the data-driven approach can solve all these problems. The last point is to build trusted security intelligence as "comrades in arms", guaranteeing the security of the AI itself.

Security operations cannot be achieved in one step. We hope to solidify the knowledge in security operations into armor for the machines; you cannot ask everyone to be Superman, so what we need to do is build mecha-style armor.

04

Building an intelligent in-depth security analysis system

Bao Qingbo, director of Tianrongxin's big data analysis product line, gave a wonderful speech titled 《Building an intelligent in-depth security analysis system》:

Bao Qingbo, director of Tianrongxin's big data analysis product line

My sharing focuses on security analysis; the two key words are "intelligent" and "in-depth".

First, the current state of network security in China. According to CNCERT statistics, in 2019 there were about 14,900 network asset sniffing events against China's industrial control systems, a significant increase from about 4,451 in 2018. Analysis showed the sniffing originated from about 130 countries and regions, including the United States, Switzerland and France, and targeted networked industrial control equipment and systems in key industries such as energy, manufacturing and telecommunications. Large amounts of critical information infrastructure and networked control system asset information being sniffed from abroad poses hidden dangers to China's cyberspace security. The state attaches great importance to this: from the 13th Five-Year Plan to the Cybersecurity Law, Classified Protection 2.0 and the 14th Five-Year Plan, the state requires establishing and improving a critical information infrastructure protection system, enhancing security protection and the ability to safeguard political security, strengthening threat detection, monitoring and early warning, emergency command and attack traceability, and in particular accelerating innovation in artificial intelligence security technology.

AI-enabled security analysis is the core of this talk. It must be said that AI-enabled security analysis still faces difficulties in specific scenarios, such as data annotation, feature handling, result evaluation and engineering problems; especially for zero-day attacks, APT advanced attacks and long-latent unknown threats, AI may not perform well. In such cases behavior analysis is usually adopted, finding anomalies through time-series analysis.

Network security analysis scenarios can be divided into three parts: "known knowns", "known unknowns" and "unknown unknowns". To meet these different levels of analysis needs, we have established an intelligent in-depth security analysis system.

This intelligent in-depth security analysis system mainly comprises intelligent detection, automatic disposal and intelligent research and judgment.

After the typical data processing flow on the left, data enters intelligent detection, the first and core step of in-depth analysis. Here the system runs analysis engines such as correlation analysis, AI analysis, behavior analysis and special-purpose analysis, using deep learning, machine learning and graph analysis to build models and perform intelligent detection in series or in combination.

Next comes automatic disposal, which eliminates false positives and intelligently merges alerts, aggregating single-point alerts into higher-dimensional indicators for intelligent disposal.

Alerts that cannot be handled automatically by the rules go to the next step, intelligent research and judgment. After visualization and global data analysis to find the key data, the system starts from that key data and, through human-computer interaction, gives experts the basis for intelligent judgment, such as built-in data processing operators, machine learning, feature handling, result evaluation and model deployment operators; after judgment, it connects to SOAR for response.

To sum up, through intelligent detection, automatic disposal and intelligent research and judgment we have established an in-depth security analysis system; only with these capabilities do we have the foundation to consider what value AI-enabled network security can bring.
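The "automatic disposal" stage this talk describes, eliminating false positives and merging single-point alerts into a higher-level indicator, is small enough to show concretely. The block below is an added example written for this page, not Tianrongxin's system: the alert records, the suppression rule for an internal scanner, the 60-second merge window and the severity rule are all constructed assumptions.

```python
"""Added example (not Tianrongxin's system): the 'automatic disposal' stage as a
small false-positive filter plus alert merger over constructed alerts. Field
names, the suppression list, the merge window and the severity rule are
assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed single-point alerts, as a detection engine might emit them.
ALERTS = [
    {"ts": "2021-03-27T10:00:01", "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"ts": "2021-03-27T10:00:05", "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.6"},
    {"ts": "2021-03-27T10:00:40", "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.7"},
    {"ts": "2021-03-27T10:03:00", "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"ts": "2021-03-27T10:00:10", "rule": "port_scan", "src": "10.0.9.9", "dst": "10.0.0.5"},
    {"ts": "2021-03-27T10:00:12", "rule": "web_shell", "src": "198.51.100.2", "dst": "10.0.0.8"},
]

# Suppression list: a known internal vulnerability scanner that triggers port_scan.
SUPPRESS = [{"rule": "port_scan", "src": "10.0.9.9"}]
# Alerts with the same (rule, src) within this gap of the incident's last alert
# are merged; a later burst starts a new incident rather than stretching the old one.
WINDOW = timedelta(seconds=60)

def is_false_positive(alert):
    """An alert is suppressed when every field of some suppression entry matches."""
    return any(all(alert.get(k) == v for k, v in s.items()) for s in SUPPRESS)

def merge_alerts(alerts, window=WINDOW):
    """Drop suppressed alerts, then aggregate the rest into incidents keyed by
    (rule, src). Returns incidents in order of first appearance."""
    incidents = []
    open_by_key = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if is_false_positive(a):
            continue
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["src"])
        inc = open_by_key.get(key)
        if inc is not None and ts - inc["last_seen"] <= window:
            inc["count"] += 1
            inc["last_seen"] = ts
            inc["targets"].add(a["dst"])
        else:
            inc = {"rule": a["rule"], "src": a["src"], "first_seen": ts,
                   "last_seen": ts, "count": 1, "targets": {a["dst"]}}
            incidents.append(inc)
            open_by_key[key] = inc
    # Severity is derived from the aggregate, which a single alert cannot show:
    # one source hitting three or more hosts is treated as high (assumed rule).
    for inc in incidents:
        wide = len(inc["targets"]) >= 3
        inc["severity"] = "high" if wide or inc["rule"] == "web_shell" else "medium"
    return incidents

if __name__ == "__main__":
    for inc in merge_alerts(ALERTS):
        print(inc["severity"], inc["rule"], inc["src"], inc["count"], sorted(inc["targets"]))
```

Six raw alerts become three incidents here: the scanner's port_scan is suppressed, the four ssh_bruteforce alerts from one source collapse into a three-host burst plus a separate later attempt, and the web shell stands alone. The aggregate (three distinct targets) is what raises severity, which is exactly the information the single-point alerts did not carry.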

05

Round-table forum: the future of SOC

At the end of the event, the experts also held a round-table forum to discuss the latest evolution and development trends of SOC, and where the pressures and opportunities for SOC lie in the new era.

From left to right: Liu Guize, product director of Tencent Security SOC (host); Fu Kui, CTO of Shanghai Wuqi Intelligent Technology Co., Ltd; Xiao Yu, product owner of Tencent Security SOC; Bao Qingbo, director of Tianrongxin's big data analysis product line; and Zhang Runzi, senior security researcher at Tianshu Laboratory of Green Alliance Technology Group Co., Ltd

With that, this event bringing together experts in the security field came to a successful conclusion, leaving the audience and online viewers with a clearer understanding of SOC technology and returning them home fully loaded.

Security is an enduring topic. As long as networks exist, new security issues will keep emerging. Whether you are a security practitioner or an ordinary network user, security issues are closely related to all of us. For more on security, please follow our subsequent activities.

Original site

Copyright notice
This article was created by [Tencent security]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/03/20210331173633475h.html