Network security experts use practice to tell you How situation awareness should be implemented and how network security situation should be handled.

Source: Internet
Author: User

Network security experts use practice to tell you How situation awareness should be implemented and how network security situation should be handled.

In a large-scale network environment, cybersecurity Situation Awareness obtains, understands, displays, and predicts the future development trend of all security elements that can cause changes in the network situation, does not stick to a single security element. The situation awareness system consists of Situation Awareness, situation understanding and evaluation, situation prediction, and security decision-making. How do they implement and collaborate with each other?

With the development of financial technology, the e-Channel business of commercial banks has expanded rapidly, such as a series of e-banking businesses such as online banking, mobile banking, and direct banking, because of its round-the-clock, high degree of openness, it has become the focus of network attacks, bringing more information security risks. Various Network Attacks and Data leaks emerge one after another. To ensure the stable and healthy development of financial technology, we must properly solve the network security problem.

In the research of network information system security technology, because existing defense methods cannot effectively cope with various complex networks and business environments, the research of network security situation awareness has become the focus of the new generation of network security technology.

Based on the current development status of cybersecurity situation awareness, this article provides a brief overview of the construction ideas of the cybersecurity Situation Awareness System of Commercial Banks.

I. What is situation awareness?

Situation Awareness (SA) is to perceive, understand, and predict the future development trend of environmental factors under certain time and space conditions, the concept of Situation Awareness originated from the estimation of the attack and defense situation of the enemy and me in the war. As early as Sun Tzu's Art of War, there was a description of "know yourself, know yourself, and know what you want.

In 1988, Endsley divided situational awareness into three layers of information processing: perception, understanding, and prediction. That is:

Perception: detects and obtains important clues or elements in the environment;

Comprehension: integrates perceived data and information to analyze its relevance;

Projection: forecasts the future trend of relevant knowledge based on the awareness and understanding of environmental information.

Ii. Network Security Situation Awareness System

Network Security Situation refers to the current status and change trend of the entire network. It is an overall and global concept. No single situation or state can be called a situation.

In a large-scale network environment, cybersecurity Situation Awareness obtains, understands, displays, and predicts the future development trend of all security elements that can cause changes in the network situation, does not stick to a single security element. Situation Awareness technology first detects and obtains various elements that affect system security, and then integrates security information by means of classification, merging, data modeling, and analysis, then, the integrated information is analyzed comprehensively to obtain the overall network security status and corresponding measures, and predict the development trend of network security, finally, it provides reliable data reference and decision-making support for information security management of commercial banks.

The Network Security Situation Awareness System of Commercial Banks proposed in this article includes the following four parts:

Situation Awareness: Proactive detection + passive monitoring for multi-dimensional and multi-level data source collection;

Situation understanding and evaluation: pre-processing, data integration, and multi-level and multi-dimensional situation evaluation of data sources;

Situation Prediction: uses the data analysis model to implement situation prediction, and presents it in a centralized manner through visualization technology, providing decision-making data to guide the agile adjustment and continuous operation of the security defense system;

Security Decision-Making: layer-4 network security situation management modes, including senior leaders, department leaders, security managers, and O & M personnel.

1. Situation Awareness

No single situation or status can be called a situation. The cybersecurity Situation Awareness System must collect situation elements in multiple layers and dimensions, including access to the following six types of data:

Data from the network security protection system: logs or alarm data of devices such as firewalls, IDS/IPS, WAF, and network security audit systems;

Data from important servers and hosts, such as server security logs, process calls, and file access. Network-based and host-based collaboration can greatly improve network threat awareness;

Data of backbone network nodes: for example, the raw network data of core exchange, the more data collected by network nodes, the more likely it is to track and confirm the network attack path;

Vulnerability Data: Vulnerability Data discovered Based on Active vulnerability assessment and penetration testing;

Direct threat awareness data: such as network attack data captured by Honeynet, and tracking and detection data of network attack sources and attack paths;

Collaborative cooperation data: includes warning data of virus and worm outbreaks published by authoritative departments, and threat intelligence provided by network security companies or research institutions.

2. Situation understanding

To ensure that the results of situation awareness are accurate and comprehensive, the data obtained must be complete to the maximum extent. Therefore, the raw data obtained by all detection devices must be analyzed. Because of the large amount of data processed, if complicated Association technology is adopted, the processing time will be long and the system's real-time performance will be poor. To meet the real-time requirements of the system, the situation understanding process of the network security situation awareness system can first adopt simple data-level fusion, and then analyze the relevance of the integrated data. The specific processing process is divided into the following steps:

Analyze the original security data and classify the data as asset data, threat data, and vulnerability data without considering the relationship between data types;

Remove redundant information, merge similar information, and correct error information to obtain standardized asset, threat, and vulnerability datasets;

Associate assets, threats, and vulnerabilities, and comprehensively analyze the security event data set.

3. Situation Evaluation

Situation evaluation is the core of network security situation awareness and a qualitative and quantitative description of network security conditions. A multi-level, multi-dimensional, and multi-granularity situation assessment framework can be used. It consists of three levels: thematic evaluation, element evaluation, and overall evaluation. Each layer evaluates the network security situation from different dimensions and dimensions at different granularities.

4. Situation Prediction

Situation Prediction in the cybersecurity Situation Awareness System is to identify and analyze network security risks based on the current network conditions, determine the security trends for a certain period of time in the future, and provide corresponding solutions.

Based on the historical and current status information of network security, you can set different scenarios and conditions to establish an analysis model that conforms to network and business scenarios, situation Prediction Based on Network threats combined with asset vulnerabilities can better reflect the development trend of network security in the future.

The goal of Security Situation Prediction is not to generate accurate warning information, but to use the prediction results for decision analysis and support, especially for network attack and defense confrontation.

5. Security Decision-Making

The Network Situation Awareness System provides different levels of security decision-making support for commercial banks, and promotes the implementation of security decisions to achieve a closed loop of perception-response:

Senior management personnel can grasp the overall security situation of the entire network, evaluate the entire network, and provide necessary decision-making support for security situation awareness.

Leaders of various departments at the management level can master the security situation of the Business Information System of the department, view the operation reports and security reports of the business system, and coordinate the O & M process and security event handling between departments.

The security manager at the execution layer can break down the work objectives of the management layer to form executable policies, indicators, rules, plans and tasks of the system; you can view the running status of security assets, security risk trends, handling of important security events, and security analysis reports of networks and business systems. You can keep track of the progress of your plans and tasks at any time, assessment of frontline O & M personnel. The security manager can generate various security report reports submitted to the Management through the system.

O & M personnel at the execution layer can continuously monitor the operation of network assets and information systems, perform security audits, handle tasks, and respond to emergencies.

Iii. Conclusion

In the future, there will be many new upgrades in the construction of the cybersecurity Situation Awareness System, including the introduction of automated threat handling mechanisms to greatly reduce the time for threat detection and response, security operation requires the participation of security personnel. During the construction of the cybersecurity Situation Awareness System, especially the automated threat handling mechanism, it is necessary to further improve the skills and security team building of security O & M personnel, this ensures the security capability of the network security situation awareness system in the future.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.