Author: panzhuting
This article describes the characteristics, implementation ideas, and principles of network security emergency response from three angles: "looking at emergency response", "the Three Views", and "emergency response seen from the Three Views". It first introduces the unique position and complexity of emergency response within network security. The macro, medium, and micro aspects of the "Three View theory" correspond to three organizational levels from top to bottom: the top-level decision-making layer covers decision support and risk management; the middle-level operation layer is embodied in the management of security products and security tasks; the bottom-level implementation layer is embodied in security components, security products, and standardized security services. Security emergency work must break through micro-level limitations, quickly translate specific actions down to the implementation layer, and apply measures at each level to resolve the responsibilities and problems that belong to that level; the middle view is the engine of emergency implementation.
1. Looking at emergency response
1. From the perspective of security functions
Emergency response can cover the entire cycle.
Emergency response is often seen merely as the "recovery" that extends the PDR (protection, detection, response) model into the PDRR (protection, detection, response, recovery) model. In fact, if we look at it from the complete system of business continuity management, emergency work covers the entire functional domain, just like the PDR model does: from the initial preparation phase, through detection, to the subsequent response (containment, eradication, recovery, and follow-up). From this we can see that the unique position of emergency response in network security is that of a major activity spanning the entire network security process.
2. From the perspective of security objects
How should people analyze problems and protect the objects of emergency response? There is an obvious trend now: people are paying more and more attention to the impact of security events on the business. The security domain method has once again attracted widespread attention in the industry. It is a good method for analyzing and understanding security objects (assets and businesses).
The "3 + 1 security domain method" mentioned here is a simplified security domain design method. Its basic principle is that a network is not merely a collection of switches, routers, hosts, and other devices, but is composed of network structures. If a network device is understood as a network atom, then a network structure is a molecule; typical network structures include the client-server structure and the end-to-end structure. Analyzing the network along these lines yields the "3 + 1 security domain method".
According to this method, networks and systems can be divided into four types of domains: the access domains where local computing takes place, the service domains where local computing takes place, the interconnection domains formed by connecting these to each other, and, in addition, the support domain. This is why it is called the "3 + 1 security domain method". If we use this way of thinking to map different emergency response content onto the user's assets, we can clearly see that:
In the service domain, recovery covers centralized computing, distributed computing, and storage.
In the access domain, recovery is mainly aimed at end users.
In the interconnection domain, the problem is one of redundant backup of networks and links. The network itself is resilient, but network backup is still required when a seriously destructive incident occurs.
In terms of form, the support domain is inserted into the network. Unlike the way the access and service domains are connected, the support domain does not affect core services directly, but only indirectly. The support domain is often where the emergency command and coordination center is located.
3. From the perspective of threats and risks
Risk management is closely tied to two factors: impact and likelihood. Seen through these two factors, the incidents handled by emergency work are generally of relatively low likelihood, but their impact, when it does occur, can be sudden. For general security work and for emergency work we can draw separately on the two sets of ideas from risk management and from business continuity management. The two approaches have both differences and similarities; for example, asset analysis and evaluation belong to risk management, while business impact analysis (BIA) belongs to business continuity management.
4. Assets, protection measures, and threats
Looking at security issues from the three different perspectives of assets, protection measures, and threats helps to form a more comprehensive view and to simplify the handling of problems. For businesses with different characteristics, it is worth considering which perspective should be used to view security events and which methods should be used to provide protection.
2. The Three Views
For emergency response, we introduce here a distinctive angle of observation, namely the "Three View theory". The "Three View theory" analyzes the whole problem from three aspects: the macro view, the middle view, and the micro view. It may seem like a very abstract concept; in fact, it is a broad idea and a broad viewpoint, one that exists not only in the information security field but in other fields as well.
First, from the perspective of scope, macro, medium, and micro correspond to global, local, and single point respectively. Problems that involve the whole organization are global, macro issues. Local problems mainly involve some departments or businesses of the organization. Problems that involve only one or a few individual components or business units are micro in scope, and there is no need to mobilize macro-level resources to solve such single points of failure. To achieve the desired effect with the least amount of resources, we must determine the nature of the event before handling the problem.
Second, from the perspective of the degree of concreteness, the "Three Views" take on another character: the macro level is more abstract and modeled, while the micro level is more concrete and physical. From this angle, a security event that occurs in security devices, detection functions, resources, and systems lies at the micro level; when problems occur in processes, institutions, and large systems, the structure involved is more abstract and more modeled, and belongs to the middle layer; and at the macro level what appears is value, mission, and business. At this macro level, vendors need to look at security events from the user's perspective. As is well known, security is always latent: when nothing goes wrong, security is often not given enough attention and may be set aside when the business is busy, and it is common for users to think about security only when problems arise. If the security work to be done cannot be connected to decision-making and to the organization's mission and business value, the work will not succeed, so how to reach the decision-makers should be a key consideration. Of course, it is also necessary to reach down to the micro level; security cannot be only a task or a project immersed in a micro-level environment. As planners, we must have a sense of how to better coordinate micro-, medium-, and macro-level resources. At the level of the "Three Views", we must take both practical action and conceptual planning into account.
The "Three Views" approach can also be used to analyze many other problems. Take, for example, the ITIL framework that everyone is paying attention to now, and within it one particular process: capacity management. ITIL capacity management has three different sub-processes. Resource capacity is managed at the lowest level, which is very concrete. Above that, the corresponding service capacity is managed, and the management content becomes more streamlined. At the top level it becomes mission-oriented, focusing on business capacity management, which corresponds to the macro level. So different standards and methods all contain the "Three Views" to a greater or lesser degree.
Third, from the perspective of information security incidents, intrusion events on ordinary servers are specific, micro-level tasks; worm outbreaks, flood-type attacks, and server incidents with widespread damage rise to the medium level; and comprehensive or critical business problems are classified as macro-level events. The level of an event must be determined promptly so that the problem can be solved more quickly and in a targeted way.
Fourth, the distribution of information security products can also be seen through the "Three Views". Firewalls, intrusion detection, anti-virus, encryption, and other products each implement one specific function: a firewall implements network protection, and encryption implements channel encryption, data encryption, and confidentiality. These are all micro-level methods. When a Security Operation Center (SOC) combines the various security functions, that combining and matching is already structural and belongs to the middle level. High-level tools at the macro level include decision support and risk management systems: when leaders are concerned about a specific item of data, the system must be able to connect to that data immediately and provide correct decision-making support. In fact, most products in the industry are at the micro level; combined functions and platform products at the middle level are gradually receiving attention, but products at the macro level are still far from being realized.
Similarly, for information security services, system assessment and hardening services can be classified at the micro level; security domain analysis and integration services, comprehensive risk assessment, and similar services can be understood as medium-level; and decision-making support services such as business risk consulting and ROI analysis are clearly at the macro level.
The "Three Views" is an idea and a viewpoint, and each of the three levels has its own "flavor". Single points, the grass roots, physical systems, the local, the functional, and implementation are all micro-level; system structure, the middle tier, and the concrete operational and institutional aspects are middle-level; and value, mission, and business are macro-level. We should also pay attention to the organizational levels and responsibilities implied by the "Three Views", so that when problems occur, responsibility at each level is clear. Generally speaking, the decision-making layer is the organization's senior leadership, mainly responsible for decision-making and strategy formulation; the intermediate operation layer is embodied in the operation, management, and execution of security products and security tasks; and the grass-roots organizations are responsible for implementation and specific operations.
3. Emergency response seen from the Three Views
The section above described some basic concepts of how to analyze problems with the "Three Views" approach. What, then, does network security emergency response look like from the "Three Views" perspective?
In many cases people immerse themselves in the micro level, whereas security emergency response is often a macro- and medium-level problem. They must break through the limitations of the micro level and quickly translate specific actions down to the implementation layer, taking measures at each level to resolve the responsibilities and problems that belong to that level. The security elements at the operation layer must be coordinated, controlled, fed back, and managed in order to fulfil the mission and decisions of the decision-making layer. Therefore the middle view plays an important role in the overall emergency response system and is the engine of emergency response implementation. These are the basic principles of Three-View emergency response; a detailed analysis follows:
How can we break through the micro-level limitation? To break through it, we should first focus on how to solve problems more effectively. Take security events such as the loss of a bank's hard disk data, system viruses, and worms: these are often viewed from a micro perspective. After a bank's hard disk data is lost, the main consideration becomes how to restore the lost data from the disk. From another perspective, as long as the disk has been backed up, the lost data can easily be retrieved, and there is no need to invest great effort in hard disk recovery. If we look at the problem comprehensively, from preparation, detection, containment, eradication,