[Industry Dynamics] Xintong Institute and Aoki jointly release the "Guide to Host Security Capability Construction"

Author: Information Security Research | Time: 2022.07.27

Recently, a partner organization of our journal and the Xintong Institute jointly released the first domestic "Guide to Host Security Capability Construction". The Guide sets out the host security capability requirements of different industries and a product capability assessment process, giving users in different industries better strategic guidance for building host security capabilities adapted to their needs.

Below, drawing on the contents of the Guide, we analyze the host security capability requirements of the government industry and best-practice cases of host security in that industry.

I. Analysis of key host security capabilities

As attack methods keep evolving, host security protection technology is continually updated and iterated, giving rise to a series of host security products in ever finer categories. According to their maturity and how well they match user needs, security capabilities can be divided into three levels: basic, enhanced and advanced.

1. Basic level: four capabilities

Enterprises building basic-level host security capabilities generally have fewer than 1,000 hosts, a security team of 1-5 people, and an annual host security budget between 200,000 and 1 million yuan. These enterprises need to use a limited budget to build the most basic and important security capabilities that solve the majority of their security problems, mainly asset inventory, risk discovery, intrusion detection and compliance baseline.

Asset inventory: you cannot protect the assets you cannot see. All threat and vulnerability operations depend on asset discovery. To further improve the management efficiency of large-scale host clusters, the degree of automation must be raised and manual intervention reduced.

Risk discovery: risk discovery capabilities let security managers harden systems systematically before an intrusion occurs, reducing the number of risk points.

Intrusion detection: host intrusion detection is the ability to identify intrusion events on a host and to monitor and analyze the intrusion process. It mainly comprises two approaches: misuse detection systems (knowledge-based detection) and anomaly detection systems (behavior-based detection).

Compliance baseline: compliance is the basic criterion of enterprise security protection. Without adequate baseline management and system hardening, it is difficult to respond quickly and bring an emergency under control.

2. Enhanced level: four capabilities

Enterprises building enhanced-level host security capabilities generally have between 1,000 and 6,000 hosts, a security team of 5-10 people, and an annual host security budget between 1 million and 50 million yuan. Their business is more complex and more exposed to advanced attacks, so in addition to the basic security capabilities they need enhanced capabilities such as virus scanning and removal, file integrity monitoring, in-memory malware detection and host honeypots.

Virus scanning and removal: virus scanning guards the host's entry point and keeps malicious programs out. On the one hand, detecting and preventing viruses in advance costs less time and money; on the other, from a business perspective, a virus may leak customers' personal data or spread through phishing mail, damaging the enterprise's reputation.

File integrity: file integrity monitoring is critical to ensuring the security and compliance of enterprise information systems. It helps enterprises monitor key system files and directories in order to detect any unauthorized changes.
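As an added illustration of the file integrity capability described above (example code written for this article, not from the Guide or from either organization): it hashes every regular file under a monitored directory into a baseline, then diffs a later snapshot against it to report added, removed and modified files. The directory layout and file contents used with it are constructed for the example.

```python
"""Minimal file-integrity monitoring (FIM): build a baseline of file hashes
and permission bits, then diff the live state of the directory against it."""
import hashlib
import json
from pathlib import Path


def _digest(path: Path) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Return {relative_path: {"sha256": ..., "mode": ...}} for every regular file."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root_path))] = {
                "sha256": _digest(p),
                "mode": oct(p.stat().st_mode & 0o7777),  # permission bits only
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; a permission change counts as a modification too."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out_file: str) -> None:
    # A real deployment keeps this off-host (or signs it) so that whoever can
    # write to the monitored directory cannot also rewrite the baseline.
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())
```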

In-memory malware (memory webshell) detection: fileless attacks based on macros and scripts hide the attacker's behavior and make it more likely to bypass application rules, and have become a trend. The two most common forms are memory webshells and malicious code injected into memory, so corresponding detection capabilities are necessary.

Host honeypot: host honeypots lay out decoy hosts, network services or files to lure an attacker into attacking the decoy, in order to capture and analyze the attack behavior, understand the tools and methods the attacker uses, and infer the attacker's intent and motivation.

3. Advanced level: three major capabilities

Enterprises building advanced host security capabilities generally have more than 6,000 hosts, a security team of more than 10 people, and an annual host security budget of more than 5 million yuan. Such enterprises have high business value and complex business relationships, which makes them very attractive to attackers, and they are susceptible to malicious attacks launched by hostile, well-resourced threat organizations. They therefore need more advanced host security capabilities, including supply chain security, micro-segmentation and threat hunting.

Supply chain security: when an enterprise's own network security capabilities are strong, attackers often shift their attention to its suppliers, who are becoming the weakest link in the supply chain. Strengthening supply chain security capabilities has become an inevitable choice for enterprises.

Micro-segmentation: enterprise digital transformation and the migration of business to the cloud have made the traditional perimeter disappear. A traditional firewall is only effective in the north-south direction and cannot control east-west traffic; once an attack penetrates the perimeter, access between internal hosts lacks any trust mechanism. A micro-segmentation architecture can protect east-west traffic and meet the industry's development needs.

Threat hunting: threat hunting is a proactive, hypothesis-driven threat discovery activity that helps enterprises discover attacker control, attacker activity or attackers themselves that passive monitoring functions have missed.

II. Analysis of the host security capability requirements of key industries

In actual enterprise operation, the driving factors for security construction differ from industry to industry, as do the degree of risk faced, the complexity of business relationships, the overall construction cost and the talent and technical foundation. Under conditions of limited manpower and financial resources, enterprises should therefore give priority to completing the most urgently needed and best-matched capabilities, building the most important capabilities first.

III. Host security construction process

When an enterprise builds host security capabilities on a host security platform, two problems arise. First, host security products are a relatively new product category, especially products built on the Agent model; many enterprises are not familiar with them and struggle to make full use of these systems. Second, every enterprise has its own unique needs, and different departments within a single enterprise may also have their own special needs; for example, the security department and the operations and maintenance department may rank the same requirements with different priorities. Therefore, when building host security capabilities, an enterprise needs to combine the needs of its industry and its own business to clarify which security capabilities the platform must have, while also comprehensively considering the platform's overall performance. In addition, enterprises need to consider factors such as qualification assessment, cost assessment and contract signing.

IV. Summary

Within the overall security protection system, the host carries the enterprise's core business and data. It is the attacker's favorite target and the attacker's final foothold, so for the last mile of security, host security is the key. However, in host security construction, the security capabilities that enterprises in different industries and at different stages of development need to focus on differ. On the one hand, enterprises should combine the needs of their industry and their own business to clarify which security capabilities the platform must have; on the other hand, they also need to consider the platform's overall performance comprehensively, together with factors such as qualification assessment, cost assessment and contract signing. By analyzing development trends and key technical requirements, setting out the host security capability requirements of key industries during construction, and clarifying the host security construction process and the elements for evaluating host security products, the "Guide to Host Security Capability Construction" helps enterprises build an efficient host security capability system.
