An information security system is what guarantees the sustainable development of an enterprise's business. To a certain extent, the way a security management platform (SOC) is built embodies the thinking behind the whole information security system, because the security management platform is what users directly operate and see.
1. The SOC construction concept: the "vase" model
In terms of functional development, a SOC can be divided into three dimensions: protection, monitoring and audit, which together cover security incident management before, during and after an event. But information security covers a great deal of content: which of it the SOC should manage, and how the functions of each part are coordinated, is an unavoidable question for SOC builders. Based on these three dimensions of SOC function, we propose a "vase" model suited to planning SOC construction.
A SOC is neither a simple event analyser nor merely a management integration of security devices; it is the core of security management for the whole network. Following the direction in which SOC functions develop, the functionality is designed as three platforms, whose data all originates from the same data acquisition platform. It resembles a vase holding flowers, hence the name "vase" model.
Water in the vase: the water is the information flow in the model. It supplies the data the SOC platform needs for analysis and carries policy changes back down to the devices. The data acquisition platform is like the roots of the flowers in the vase. Information comes from several kinds of source:
- System logs and device state data from network equipment, security equipment, servers, terminals and other devices that bear on the security of the system. These can be provided by the systems themselves or collected by an installed agent.
- Security events reported by security devices. Correlating the early-warning information of different security devices helps to locate a threat.
- Raw data from network links. Raw data is not only a source of behavioural audit information; it is also an important data source for security monitoring. But the volume is large, and intrusion detection, virus detection and audit each have their own data collection and analysis method. In the vase model, data collection is unified to avoid mirroring the same link several times for several systems: the link is mirrored once, the raw data is given a preliminary normalisation, and it is then handed separately to the different security systems for analysis.
The volume of collected data is generally very large, so a dedicated data acquisition device can be deployed in a given network area to collect information about that area and to forward the security policies issued by the centre. For this reason the network managed by a SOC is generally divided hierarchically into management domains, which makes management easier for staff and also reduces the bandwidth pressure on the SOC centre.
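The following is an added example, not code from the original post, that illustrates the "water in the vase" idea above: heterogeneous raw records (a device syslog line, a security-device alert, a flow record from the single mirror tap) are parsed once into one common event schema, the same normalised events are then fanned out to the three functional platforms, and a regional collector thins the stream before forwarding it to the SOC centre. Every record format, field name and sample line below is constructed for this illustration and is not a real device's or product's format.

```python
"""Toy unified data-acquisition platform in the spirit of the vase model.
Added example; record formats, schema and sample lines are all assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalised into (assumed, not a standard)."""
    device: str            # originating device or sensor
    kind: str              # acquisition channel: "syslog" | "alert" | "flow"
    src_ip: Optional[str]
    dst_ip: Optional[str]
    severity: int          # 0 informational, 1 low, 2 medium, 3 high
    message: str


# Constructed formats: a syslog line, an IDS key=value alert, a flow summary
SYSLOG_RE = re.compile(r"^<\d+>\S+ \d+ [\d:]+ (?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$")
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line: str) -> Optional[Event]:
    """Device log: a denied connection is treated as low severity, the rest as info."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    addr = ADDR_RE.search(m["msg"])
    src, dst = (addr.group(1), addr.group(2)) if addr else (None, None)
    return Event(m["host"], "syslog", src, dst, 1 if "denied" in m["msg"] else 0, m["msg"])


def parse_alert(line: str) -> Optional[Event]:
    """Security-device event: key=value alert that carries its own severity."""
    if not line.startswith("alert "):
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Event(kv.get("sensor", "ids"), "alert", kv.get("src"), kv.get("dst"),
                 int(kv.get("sev", "1")), kv.get("msg", ""))


def parse_flow(line: str) -> Optional[Event]:
    """Raw link data already reduced to a flow record by the single mirror tap."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "flow":
        return None
    return Event("tap", "flow", parts[1], parts[2], 0, line)


PARSERS = (parse_syslog, parse_alert, parse_flow)


def normalise(raw_lines: List[str]) -> List[Event]:
    """Parse each raw record exactly once; records no parser accepts are dropped."""
    events = []
    for line in raw_lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
                break
    return events


def protection(events: List[Event]) -> List[str]:
    """Protection platform: medium-or-worse alerts become a block list to push to devices."""
    return sorted({ev.src_ip for ev in events
                   if ev.kind == "alert" and ev.severity >= 2 and ev.src_ip})


def monitoring(events: List[Event]) -> List[str]:
    """Monitoring platform: a source flagged by two or more independent channels
    counts as a located threat (the cross-device correlation described above)."""
    channels = defaultdict(set)
    for ev in events:
        if ev.src_ip and ev.severity >= 1:
            channels[ev.src_ip].add(ev.kind)
    return sorted(ip for ip, kinds in channels.items() if len(kinds) >= 2)


def audit(events: List[Event]) -> Counter:
    """Audit platform keeps every record; summarised here as records per device."""
    return Counter(ev.device for ev in events)


def regional_forward(events: List[Event], min_severity: int = 1) -> Tuple[List[Event], Counter]:
    """Regional collector: forward notable events individually to the centre and
    collapse informational ones into per-device counts to save centre bandwidth."""
    forward = [ev for ev in events if ev.severity >= min_severity]
    summary = Counter(ev.device for ev in events if ev.severity < min_severity)
    return forward, summary


# Constructed sample records from the three acquisition channels
RAW = [
    "<134>Jun 10 12:00:01 core-rtr1 acl: denied tcp 10.0.0.5:4444 -> 172.16.1.10:22",
    "<134>Jun 10 12:00:02 core-rtr1 acl: permitted tcp 10.0.0.9:51000 -> 172.16.1.20:443",
    'alert sensor=ids1 sid=2001219 msg="SSH brute force" src=10.0.0.5 dst=172.16.1.10 sev=2',
    "flow 10.0.0.9 172.16.1.20 443 tcp bytes=5120 pkts=40",
    "flow 10.0.0.5 172.16.1.10 22 tcp bytes=9000 pkts=300",
    "garbage line the collector cannot parse",
]

if __name__ == "__main__":
    events = normalise(RAW)
    print("block list:", protection(events))       # ['10.0.0.5']
    print("located threats:", monitoring(events))  # ['10.0.0.5']
    print("audit counts:", dict(audit(events)))
    fwd, summary = regional_forward(events)
    print("forwarded:", len(fwd), "summarised:", dict(summary))
```

The point of the design is that the parsers run once, at the tap, and the three platforms consume the same Event list rather than each keeping its own mirror and its own parser; the permitted connection from 10.0.0.9 is kept for audit but never reaches the correlation because only records with a non-zero severity are correlated, while 10.0.0.5 is located because both the router ACL log and the IDS flagged it independently.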
Flower stems in the vase: the three dimensions of SOC function development, protection, monitoring and audit, are both separate and interdependent. Built on one information collection platform, they are the three flowers in the vase, and they form the three stages of all-round security management in the information security system: protection beforehand, monitoring and emergency control during an event, and audit afterwards.
Flowers in the vase: what pleases the eye is the blooming flower in the vase, which in the model is the user interface of each functional platform. The three functional platforms can be used separately, each with its own user management interface.
The vase model gives a vivid picture of SOC construction. It not only provides a framework for SOC development but also offers a way of thinking about building an enterprise information security system, linking the SOC construction process with the construction of the other security elements so as to better protect the business. One key idea of the vase model is to unify the information collection platform of the security system: this not only connects isolated security systems at a fundamental level, but also leaves room for future security needs, and truly realises the efficiency of a "platform".
2. From function back to functional requirements
Networks are used differently and their security needs are not the same, so SOC construction should also have its own emphasis, just as each flower in the vase gives off its own fragrance.
Where there is full administrative authority over an internal network, monitoring and audit management can be applied. Otherwise, when monitoring finds a problem, the response cannot be carried out and the source of harm cannot be removed; and when an audit finds traces of an attack from a certain direction but the specific equipment and personnel on the network cannot be identified, the audit cannot serve as final evidence. In a government network, for example, the terminals and servers that access the network are all manageable, each person and device can be identified, and security needs can even be enforced by administrative order, for example by forbidding the installation of software not required for business.
An external network is an uncontrolled network, and the best approach there is to strengthen protection. For a corporate network, the Internet is beyond its control, and protection is the primary security requirement. Protection is not only protection at the "door": the organisation's own important internal service areas and data resources must be protected as well. The concept of security zones can be used to distinguish important areas effectively and protect them at the appropriate security level. For a business that provides Internet services through a web site, for example, the focus is on protecting against attacks at the network egress, together with protecting the integrity of its own internal database.
For operators, the Internet is the network they manage, but what business is hosted on the network is the customers' own decision, so operators pay more attention to attacks on network equipment than to attacks on services, and their protection is mainly protection of network equipment.
We summarise the security requirements of some network types and suggest the following emphasis for SOC construction:
| Customer | Network type | Focus of construction | Focus of protection |
|---|---|---|---|
| Operators | Internet | Network-layer protection | Connectivity of network services |
| Operators | Management network | Interface protection; internally the focus is monitoring and audit | Data security and service delivery |
| ISP/ICP | Internet service network | Interface protection is key; internally, audit is needed | Data security and service delivery |
| Government | External network | Internet-facing services: primarily interface protection | Services provided |
| Government | Intranet | Monitoring and audit; interfaces of important service areas should also be protected | Data security and service delivery |
| Large enterprises | Internal work network, generally connected to the Internet | Interface protection; internal network monitoring is the focus; audit in important service areas | Data security and service delivery |
| SMEs | Use of Internet services, small internal LAN | Security protection is generally sufficient, mainly at the interface | Security of data |
| Financial | Private network with an Internet interface, providing Internet-based financial services | Interface and key areas should be the focus of protection; the internal network needs monitoring and audit | Data security and service delivery |
| Army | Classified, independent network | Network monitoring and audit; protection of key areas should be strengthened | Security of data |
This article is from the "Jack Zhai" blog; please be sure to retain this source: http://zhaisj.blog.51cto.com/219066/42468