About the author
Liu Yixiang, head of security operations at a securities firm, is the founder of A9Team.
Acknowledgments: This article condenses the author's five years of practical experience in security operations. Sincere thanks to Mr. Xu, Mr. Lu and Ms. Rong for their selfless support and help.
I. Logical Architecture Design and Practice for Security Operations
It has been five years since security operations took off in China. We have followed it since 2018, witnessing and practicing the whole course of its development. Security operations is not an easy thing to talk about, and many big names in China have tried to define it and to explain it.
My reasoning is this: a thing is defined by what it is used for; only by knowing how to use it can value be produced, so what is the use of a definition by itself? To make the best use of a thing you need to master its principles and know the reasons behind it, so as not to get stuck in the thing itself; grass, wood, bamboo and stone can all serve as a sword. It is therefore necessary to work out both the external ecology and the internal logic of security operations. There are many frameworks for describing ecology and logic; this time we use the classic computer IPO design model that IT people are familiar with.
The computer IPO design model (input, processing, output) can be applied to almost anything, and it lays out the prerequisites, how to achieve them, and the goals in a very concise way. Like my framework for reflection, it can reason inward about structure and outward about ecology, and it can be applied recursively without end. The saying "one flower, one world" is about reasoning inward about structure, which can be repeated endlessly inward, the same logic as the West's endless dismantling of physics into its smallest units.
This logical architecture diagram was designed to fit my own working environment closely: the broad logic can be referenced, but the details are best not copied. The key information is already shown in the diagram, so only a brief description of the operational logic follows.
The first layer of logic is the computer input, processing, output (IPO) model. Input (I) and output (O) are the external environment of security operations: output is the response to the part of information security that carries overall responsibility, and input is the demand drivers and resources. Processing (P) is the internal structure of security operations.
The second layer of logic is the internal structure of security operations (P), whose core is the operation of assets, vulnerabilities and threats. Threat operation comes first, mainly security events and security alerts. Vulnerability operation comes second; "vulnerability" here is used in the broad sense of weakness, for which "vulnerability" is the common translation. Asset operation comes third, mainly servers, terminals, network equipment, IoT and so on. Support operation comes fourth, mainly system survival, security verification, automation, attack and defense confrontation, and review, of which automation, attack and defense confrontation, and review are the most important.
The third layer of logic is the internal structure of assets, vulnerabilities and threats. The practice of asset management is described in the article "Advanced Practice of Security Asset Management"; the practice of vulnerability management and threat management will be shared in detail in later articles.
II. Design and Practice of the Technical Architecture for Security Operations
There are many different technical architecture diagrams for security operations. I have drawn several versions before, but none of them was satisfactory. Recently, at Mr. Xu's prompting, I asked Mr. Lu to teach me and spent about a week completing the architecture diagram below, during which I asked Ms. Rong for help when my thinking got stuck. I would like to thank Mr. Xu, Mr. Lu and Ms. Rong for their help. The following is an introduction to the design ideas and the focus of each module.
The first layer of logic, the security business logic, centers on the tool layer, the capability layer and the scenario layer, plus portal and asset support. The security tool layer is mainly the native security systems; the dotted line represents non-physical systems. It is used to track the coverage and operational status of security tools. The security capability layer abstracts security capabilities from security devices and is used to track the coverage and operational status of security capabilities. The security scenario layer abstracts security scenarios from security capabilities and is used to observe the coverage and operational status of security scenarios. The security portal layer manages each security scenario; reporting is very important here.
The second layer of logic is the operational logic of each layer after layering. The security tool layer uses the very classic logic of defense in depth (DiD), which is recognized as a very effective architecture with high recognition and versatility and can cover the core processes of IT services as needed. The security capability layer uses the logic of the functional modules of the NIST Cybersecurity Framework, IPDRR (Identify, Protect, Detect, Respond, Recover), which is similar to adaptive security architecture (ASA) and has significant advantages in authority, generality and ease of understanding. The security scenario layer uses the logic of risk management: the three modules of assets, vulnerabilities and threats, built on the operations module.
The third layer of logic mainly describes the operation of security scenarios: events, alerts, vulnerabilities and assets are the core operating objects; attack and defense confrontation and demand management are the main inputs; and strategy optimization, review and learning drive continuous improvement. The other third-layer modules are similar in design and are not introduced one by one.
III. Five Years of Security Operations Practice
The following content is organized along a timeline, in stages one, two and three, for the reference of readers at different stages of security operations.
1. Principle progression: from the three synchronizations to the three follow-up principles.
I went through my notes and article records: the three synchronization principles were first mentioned in the company before July 2018 (I am not sure whether that was the first mention in the industry), and in nearly five years of work practice they proved basically impossible. Synchronized planning is impossible, mainly because security is armor (an attribute): it can only be planned on the basis of IT planning, once IT planning is complete. Synchronized construction is impossible, mainly because security vendors lag behind and there are simply no good solutions or equipment. Synchronized operation is also impossible, mainly because security personnel lag behind. It is fine as an ideal, but it is impractical.
2. Work progression: from random, to comprehensive, to focused.
In the first stage of security operations, the logic of the work is to do whatever comes. Although there is no planning, this adaptive way of working is still relatively good: at least most of what gets done is a priority.
In the second stage, the logic of the work is an all-out attack on everything. This is the least effective way of working: it leads to total exhaustion and slow progress, with no guarantee that what is being done is a priority.
In the third stage, the work deals only with key tasks, and the problems dealt with are only the life-threatening ones; everything else goes to the back of the queue, to be handled when there is time. Personally, I think there are not many really important things in security operations work: the smallest self-check cycle, managing intrusion response, vulnerability repair, and attack and defense verification are enough. If there is time and resources, do intelligence gathering and asset management; the rest goes to the back of the queue.
3. Organizational progression: from professional, to growth, to echelon.
In the first stage, with no team management experience and no team, people are hard to recruit; the requirement for personnel is simply professional competence, and growth, expression, communication, collaboration and so on can give way.
In the second stage, with 1-2 years of team management experience and a team of 3-7 people, the requirement is professional competence plus willingness to grow; people without the willingness to grow are not recruited, as working with them is very painful.
In the third stage, with 3-5 years of team management experience and a team of more than 7 people, the requirement is professional competence plus growth plus echelon. Grouping personnel to form an echelon is the first priority: recruit the first line and grow it into the second and third lines, and make every effort not to recruit the second and third lines directly.
4. Process progression: from no process, to SOP, to SOAR.
In the first stage there are no security processes, and the quality of the work relies on the competence and sense of responsibility of the personnel, plus spot checks; generally, doing spot checks well is enough.
In the second stage, standard operating procedures (SOPs) are written. Because security work is broad in scope (many things) and professional (deep), writing SOPs is very difficult and laborious, so the return is low. In addition, too much experience is lost in the conversion layers between writing an SOP and using it, and security personnel generally have very strong personalities, so compliance, understanding and implementation are a big problem. Conclusion: not recommended.
In the third stage, with a SOAR (security orchestration, automation and response) system, security work can be written directly as scripts by the security personnel. As long as script quality is controlled, most of the problems of the second stage are avoided; highly recommended. For security processes that cannot be realized in SOAR, it is recommended to implement them only at the level of collaborative processes, not operational processes.
5. Tool progression: from compliance, to specialization, to expertise.
In the first stage, because of factors such as regulatory requirements, company culture, procurement compliance, business environment, leadership style and business relationships, the probability of ending up with the most effective tool (security product or appliance) is very low; at best one can say that compliance is good enough.
In the second stage, the goal of security operations is to push back the requirements for security products. For the defense of important systems, tools in the confrontation class must be technology-led, otherwise security operations cannot guarantee results at all; tools in the functional-implementation class can be dominated by other factors.
In the third stage, tools in the attack and defense confrontation class must be advanced and professional, and at the same time the supplier's ability to operate the tool over the long term must be examined: if there is no combined attack and defense research + attack and defense validation + product development team behind a tool, the product has no future.
6. Other progressions: events, alerts, vulnerabilities, assets, intelligence, etc.
Because of the length of this article and limits of time and energy, the other progressions will be shared in separate articles later and are not expanded here. The complete slide deck of "Security Operations Advanced Practice" has been shared many times in the industry; if you need it, you can add me on WeChat to get it.
IV. Present and future of security operations
1. SIEM is dead; when the whale falls, all things are born.
In my practice environment and experience, SIEM does not suit SMEs. SIEM appeared around 1995, when there were very few professional security products and security detection could only be achieved by collecting the logs of various systems and writing alert rules. Its shortcomings are very obvious: it only receives information and cannot control security devices, and its effectiveness depends heavily on the ability to write rules.
After decades of development in the security industry, most security areas now have very professional security products. Doing security operations with SOAR + security devices is more effective than SIEM, with lower investment and lower difficulty.
2. The way forward: operational automation.
Automate 80% of security operations work. We have been practicing security operations automation for three years, from 2020 to now; at the end of this year we calculated that the 90+ new automated scripts of 2023 will save 22+ man-years, and the 100+ scripts of 2022 have not been counted. Automation mainly solves the problem of operational automation; it cannot solve the problem of decision automation, which is the difficulty we have encountered and the direction for the future.
The core value of security operations automation is not the automation itself. Beyond the labor saved, it interconnects all security devices, lets the capabilities of security devices be connected once and reused everywhere, and makes security operational intelligence possible, moving security operations from the manual age to the industrial age.
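To make the layering of section II (tool layer, capability layer, scenario layer, each with its own coverage and operational status) and the "connect once, reuse everywhere" point above concrete, here is an added Python sketch. It is illustrative code written for this edit, not the author's system or any vendor's SOAR product; every tool name, capability name and the sample alert are constructed, and the non-physical tool is deliberately marked offline to show how a coverage gap surfaces at each layer.

```python
"""Three-layer security-operations model: tools -> capabilities -> scenarios.

Added illustration, not code from the article. All tool names, capability
names and the alert below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Action = Callable[[dict], str]


@dataclass
class Tool:
    """Security tool layer: one native security system (device or service)."""
    name: str
    physical: bool                      # False = the dotted-line, non-physical system
    online: bool = True                 # operational status of the tool
    actions: Dict[str, Action] = field(default_factory=dict)


class CapabilityLayer:
    """Security capability layer: a capability is bound once to a tool action and
    reused by every scenario, so playbooks never talk to devices directly."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Tuple[Tool, str]] = {}

    def bind(self, capability: str, tool: Tool, action: str) -> None:
        if action not in tool.actions:
            raise ValueError(f"{tool.name} has no action {action!r}")
        self._bindings[capability] = (tool, action)

    def available(self, capability: str) -> bool:
        binding = self._bindings.get(capability)
        return binding is not None and binding[0].online

    def run(self, capability: str, ctx: dict) -> str:
        tool, action = self._bindings[capability]
        return tool.actions[action](ctx)

    def coverage(self) -> Dict[str, bool]:
        """Which capabilities the current tool set actually provides right now."""
        return {cap: self.available(cap) for cap in self._bindings}


@dataclass
class Scenario:
    name: str
    steps: List[str]                    # capabilities, in execution order


class ScenarioLayer:
    """Security scenario layer: composes capabilities into operational scenarios
    and reports which scenarios are fully covered by available capabilities."""

    def __init__(self, caps: CapabilityLayer) -> None:
        self.caps = caps
        self.scenarios: Dict[str, Scenario] = {}

    def add(self, scenario: Scenario) -> None:
        self.scenarios[scenario.name] = scenario

    def coverage(self) -> Dict[str, bool]:
        return {name: all(self.caps.available(s) for s in sc.steps)
                for name, sc in self.scenarios.items()}

    def run(self, name: str, ctx: dict) -> List[Tuple[str, str]]:
        """Execute a scenario like a SOAR playbook. An unavailable step is recorded
        as a gap instead of aborting, so the rest of the disposal still happens."""
        results: List[Tuple[str, str]] = []
        for step in self.scenarios[name].steps:
            if self.caps.available(step):
                results.append((step, self.caps.run(step, ctx)))
            else:
                results.append((step, "SKIPPED: capability unavailable"))
        return results


def build_demo() -> ScenarioLayer:
    """Constructed sample environment: two physical devices, one offline feed."""
    firewall = Tool("fw-edge", physical=True,
                    actions={"deny_src": lambda c: f"denied {c['src_ip']}"})
    edr = Tool("edr-agent", physical=True,
               actions={"isolate": lambda c: f"isolated {c['host']}"})
    intel = Tool("ti-feed", physical=False, online=False,     # non-physical, down
                 actions={"lookup": lambda c: f"reputation of {c['src_ip']}"})

    caps = CapabilityLayer()
    caps.bind("block_ip", firewall, "deny_src")      # bound once ...
    caps.bind("isolate_host", edr, "isolate")
    caps.bind("enrich_ip", intel, "lookup")

    scenes = ScenarioLayer(caps)                     # ... reused by every scenario
    scenes.add(Scenario("alert_disposal", ["enrich_ip", "block_ip", "isolate_host"]))
    scenes.add(Scenario("perimeter_block", ["block_ip"]))
    return scenes


if __name__ == "__main__":
    scenes = build_demo()
    print("capability coverage:", scenes.caps.coverage())
    print("scenario coverage:  ", scenes.coverage())
    alert = {"src_ip": "203.0.113.7", "host": "ws-042"}   # constructed alert
    for step, outcome in scenes.run("alert_disposal", alert):
        print(f"{step:14} -> {outcome}")
```

The two coverage reports are the "coverage and operational status" the article asks each layer to expose: the capability report shows the offline intelligence feed, and the scenario report shows that this single gap leaves the alert-disposal scenario uncovered while the perimeter-block scenario is still fully covered. Running the scenario anyway records the gap per step rather than failing the whole playbook.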
3. The ultimate goal: operational intelligence.
It achieves second-level adaptive disposal of 80% of events and alerts, and adaptive repair or pre-hardening of 80% of vulnerabilities. At the same time it is also an enterprise-side (Party A) solution for realizing zero trust with zero transformation, and it can be said to be the only way to make the concept of zero trust really come to fruition (at least for now). This is an ideal, not a dream: the data asset management for the entity profile is available, the interconnection of security devices via SOAR is realized, and the event, alert and vulnerability data that drive decision-making are available; only the entity risk profile and the policy computation output are missing, and the execution channel can be carried by SOAR.
Original article by Chief Security Officer. If reproduced, please credit https://cncso.com/en/practical-insights-and-reflections-on-security-operations-html