Big Data + Scenario: WebRAY Intranet Security Governance
With the advent of the big data era, enterprises must not only learn how to mine the value of their data, but also do their best to integrate security, so as to avoid ever more powerful attacks and reduce risk. Recently, at the "OWASP 2015 China Application Security Forum - Big Data Analysis for Business Security", Quan Xiaowen, founder of WebRAY, said: "Everything has two sides, and this is also true of big data. Although hackers have kept an eye on it, big data can also be used to counter attacks. Intranet anomaly detection technology based on big data analysis can effectively detect and block intranet attacks."
[Quan Xiaowen, founder of WebRAY]
APT defense ideas "turn toward" the intranet
The enterprise intranet carries a large amount of core assets and confidential data. Although users deploy layered network security protection products and run SOC, monitoring centers, network management systems and traffic analysis systems to check every corner, attacks and leaks on the intranet have not decreased. The reasons lie both in traditional protection technology, which has barely changed over the past few years, and in the scenarios in which intranet intrusion events occur.
So what is meant by "traditional" and by "scenario"? Quan Xiaowen provides the following answers:
He pointed out that "the current state of intranet protection is a discrete, unsystematic collection of protective measures, while a large number of security events are caused by internal staff, whether malicious or unintentional, long-term latent or intending to leave unexpectedly. Therefore, in order to discover the 'walking track' of illegal personnel stealing data on the intranet, we must apply APT attack defense ideas: obtain samples to build a normal-behavior model for customized intranet scenarios, then analyze internal network traffic or behavior on terminals and servers to achieve situational awareness. This is a new starting point, different from the traditional defense solution, and a trigger point for subsequent monitoring and analysis."
It is understood that the difficulty of APT attack prevention lies in the fact that hackers use highly customized code, sometimes used only "once" before lurking; because there are no known signatures, these attacks are hard to detect with traditional detection methods. Static detection cannot detect deep attacks, and dynamic detection alone cannot identify targets because of the large number of possible environment combinations, so all information needs to be correlated for analysis. For the intranet environment, WebRAY advocates applying the experience, association analysis and other technologies that have proven effective against APT attacks to enterprise intranet scenarios, none of which can be achieved without big data technology as the "pivot".
Big data brings new opportunities for "scenario" analysis
The importance of intranet security is self-evident. Users therefore deploy attack protection products, terminal anti-virus, server hardening, network isolation, identity authentication and security audit systems. What is the purpose of this series of actions? To form an effective process: warning, monitoring, tracing, and identification of responsibility for security events. However, there is always a gap between reality and the dream.
Quan Xiaowen said that the application of big data technology has brought new forms and opportunities to intranet detection and warning. "Because traditional security information stored in SQL cannot be integrated and analyzed, we can only store data that can be defined and must discard data that cannot be defined, so data integrity is weak. The big data system uses NoSQL unstructured storage. This technology breaks through the SQL storage mode adopted by systems such as SOC, can store all the data and ensures data integrity."
As a big data analysis platform, data integrity must be ensured during the collection and storage phases. The WebRAY solution collects traffic, server status, security device logs and related information from a router bypass, and at the same time uses a vulnerability scanner to actively scan for detection data, constructing factors for big data analysis that improve the accuracy of identification. In addition, big data analysis allows WebRAY to propose an advanced 5W1H analysis method for the industry. This method serves as the main line for meeting users' goal of building intranet security processes, and achieves situational awareness for internal control management.
The situational awareness factors in the 5W1H analysis system are Who, When, Where, What, Why, and How. These factors are used to construct access behavior scenarios from "subject" to "object". The subject is a person or application, and the object is an application or data. Situation analysis first focuses on audit objects and audit actions, that is, What and How are the main associated objects used to discover abnormal phenomena. Common abnormal scenarios include abnormal logon behavior (abnormal time, abnormal IP address, multi-IP logon, frequent logon failures, etc.), business violations (malicious business ordering, business queried but not handled, high-frequency business access, business bypass, etc.), and shared accounts (one account changing IP address within a short time, or one IP address used by multiple accounts). In addition, applying the 5W1H analysis method to network events can solve problems such as the accuracy and integrity of evidence, and can relieve the evidence storage bottleneck by merging, changing, simplifying and cancelling evidence.
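The following is an added example, not code from WebRAY or the article, showing how the abnormal-logon and shared-account scenarios above can be expressed as detection rules over 5W1H-style logon records (who, when, where, what, how). The records, the working-hours baseline and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (who, when, where, what, how)
# who = account, when = timestamp, where = source IP, what = target system, how = outcome.
EVENTS = [
    ("alice", "2015-05-10 09:01:00", "10.1.1.5",  "crm", "success"),
    ("alice", "2015-05-10 09:03:00", "10.1.1.5",  "crm", "success"),
    ("alice", "2015-05-10 09:05:00", "10.1.9.77", "crm", "success"),  # IP changes within minutes
    ("bob",   "2015-05-10 02:30:00", "10.1.1.6",  "erp", "success"),  # off-hours logon
    ("carol", "2015-05-10 10:00:00", "10.1.1.6",  "erp", "success"),  # same IP as bob
    ("dave",  "2015-05-10 11:00:00", "10.1.2.2",  "erp", "failure"),
    ("dave",  "2015-05-10 11:00:10", "10.1.2.2",  "erp", "failure"),
    ("dave",  "2015-05-10 11:00:20", "10.1.2.2",  "erp", "failure"),
    ("dave",  "2015-05-10 11:00:30", "10.1.2.2",  "erp", "failure"),
]

WORK_HOURS = range(8, 19)              # assumed baseline: normal logons 08:00-18:59
IP_SWITCH_WINDOW = timedelta(minutes=10)  # assumed: IP change faster than this is suspicious
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=1)  # assumed brute-force threshold

def parse(events):
    return [(who, datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), where, what, how)
            for who, when, where, what, how in events]

def detect(events):
    """Return a set of (scenario, account) findings for the abnormal-logon scenarios."""
    findings, by_account, accounts_per_ip = set(), defaultdict(list), defaultdict(set)
    for who, when, where, what, how in sorted(parse(events), key=lambda e: e[1]):
        if how == "success":
            accounts_per_ip[where].add(who)
            if when.hour not in WORK_HOURS:          # abnormal time
                findings.add(("abnormal_time", who))
        by_account[who].append((when, where, how))
    for who, recs in by_account.items():
        succ = [(t, ip) for t, ip, h in recs if h == "success"]
        for (t1, ip1), (t2, ip2) in zip(succ, succ[1:]):
            if ip1 != ip2 and t2 - t1 <= IP_SWITCH_WINDOW:   # one account, changing IP quickly
                findings.add(("multi_ip_logon", who))
        fails = [t for t, _, h in recs if h == "failure"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= FAIL_WINDOW:  # frequent failures
                findings.add(("frequent_failures", who))
    for accts in accounts_per_ip.values():
        if len(accts) > 1:                                   # one IP, multiple accounts
            findings.update(("shared_ip", who) for who in accts)
    return findings
```

Each finding keeps the Who it concerns, so it can feed the Who credibility library described later in the article.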
"Five steps" for intranet security
To effectively protect business security, the OWASP 2015 China Application Security Forum focused on "how to use big data analysis to ensure business security". The "Big Data + Scenario" internal control security method proposed by WebRAY was highly recognized by the participants. At the same time, Quan Xiaowen suggested that enterprises managing internal control security can perform the following five steps to detect intranet anomalies with big data analysis:
Stage 1, the active collection, scanning and detection of network threats together with the monitoring and identification of evidence, corresponds to abnormal logon behavior. Stage 2, data association, analysis and normalization, corresponds to abnormal traffic behavior such as source IP address forgery and DDoS attack identification. Stage 3, in-depth analysis, forms a complete backtracking process and determines the 5W1H elements of an individual event, forming the 5W1H chain of the hybrid mode and the credibility library for the Who chain. Stage 4, calculation and expert database intervention, starts after the first three stages. At this point the complete event process can be reproduced, and the expert's intervention aims to proofread the event tracing process and carry out responsibility matching through the built-in event analysis templates. Stage 5 is accountability, which includes preliminary identification results, presentation of relevant issues and evidence chains, and updating the Who credit database.
Finally, Quan Xiaowen said: "Users need to pay attention to stage 2 and define security scenarios in advance. Its complete functions include data association analysis, merging, forming the Key-Value format paradigm, NoSQL storage and convenient retrieval, with the objective of resolving abnormal information such as repeated system logons, remote logons and bypass logons. This stage is also the key to making full use of 'Big Data + situational information'. It is the advantage of scenario-based, visualized, perceptive and accountable big data intranet security."