I. The A-perspectiveSafe operation

0x1: Overview of A safety operations

With the country's commitment toinformation securityThe promotion of China's enterprises for information security awareness and attention is also increasing. Many excellent enterprises have spontaneously put forward more and more requirements for their own enterprise security. Traditional security construction often focuses on a certain or several aspects of enterprise security, and can not take into account the unified operation, or operating costs consume a lot of manpower and material resources. Whether in terms of efficiency or quality, there are more obvious shortcomings.

In recent years, with the exploration of large Internet enterprises in enterprise information security, the concept of security operation has been gradually put forward. From the analogy of traditional operation positions, the responsibility of operation is to ensure the ultimate goal and constantly diagnose and analyze, put forward the needs or problems, promote optimization, coordinate the resources of all parties, and complete the closed-loop to achieve the goal of a class of work. As for the ultimate demand of enterprise security, as the responsibility of security operation, it is necessary to diagnose and analyze the various aspects of enterprise security, put forward the requirements and needs, promote optimization, and coordinate the resources through the practitioners of security operation to the final landing.

Of course, in the current environment, party A security operations engineers often encounter a variety of problems, in order to ensure that enterprise security in all aspects of the final goal of the effect, often to take a variety of ways, methods, products, services to achieve, and even some of the party A security operations engineers will therefore take the initiative to organize the development of a number of procedures to make the whole process become more controllable. From the party's demands, we can clearly feel for the enterprise security is the most direct and urgent party's immediate needs.

0x2: Responsibilities and skill needs of our security operations staff

The most important thing is the problem solving ability of the safety operation personnel, which is especially important in the key nodes such as planning the safety operation system according to the local conditions, diagnosing the safety status of the enterprise, putting forward the problems and demands, promoting the rectification of the problems and coordinating the resources of all the parties to realize the operation of the final landing of the closed loop. Therefore, the skills that security operation personnel should have under the perspective of Party A may be:

• Background in information security technology, full knowledge and understanding of security construction, experience in information security management, good ability to express clear summaries, and ability to utilize his/her abilities to solve problems in different scenarios.
• Have somesecurity servicesWith the background of development, operation and maintenance and other related knowledge, and have some experience in security management program consulting, able to propose reasonable solutions according to different scenarios.
• Good communication skills to work well in a collaborative coordination between security engineers, security development engineers, business and R&D.
• Data-driven awareness, ability to use data to drive optimization analysis and ability to develop relevant tools on your own.
• Strong sense of responsibility and ability to proactively make various optimizations and adjustments to achieve goals

0x3: Specifics of A's safe operations

The basic security operation is to include threat intelligence, Web vulnerability detection, traffic monitoring, terminal monitoring and protection, and situational awareness, which covers the enterprise's measures to deal with all kinds of network attacks.

Security Operations is a process of configuring the security operations ecosystem in any of a number of ways, depending on the needs of your organization and security operations products. It includes technologies such as information and data collection techniques, security information and incident management tools, workflow and vulnerability response management and prioritization, threat intelligence and machine learning operations, risk management governance and enterprise downside risk assessment, workflow and automated data processing.

II. Safe operation from B's perspective

0x1: Overview of your safety operations

In the concept of B-side security is gradually popularized, domestic security vendors gradually from security technology product development to the process of approaching customer demand-oriented, B-side security vendors in the face of the customer's operational needs in the process, but also put forward a lot of their own solutions.

On the one hand, party B security vendors have the basic conditions to provide the appropriate services; on the other hand, according to industry trends and enterprise security maturity, in order to better adapt to the market environment to launch the appropriate products and services is also to cater to the needs of market development.

B-side security operation also from the beginning of the traditional security perspective on-site services, to provide the corresponding security operation-related platform, and then to the enterprise security operation series of solutions change.

From the focus of safety operation, Party B's perspective pays more attention to the prevention and control of each key link. Party B's perspective of safety operations can be based on different assets belonging to the region for relatively detailed and meticulous division, roughly divided into strong control zone, regional control, border protection, exposure surface. From the support system can be roughly divided into management system, technical system, operation system. By sorting out the contents of each system, the focus of each aspect of safety operation from Party B's point of view can be seen more clearly.

An overview of your safety operations is shown below.

0x2: Responsibilities and skill needs of your safety operations staff

According to the needs of Party B's security operation service capability, there are certain needs or requirements in red team attack, enterprise defense, operation improvement and optimization, security incident or hidden danger disposal, threat intelligence, technology empowerment and security management.

Party B's skill requirements for safety operators are more specialized relative to Party A's requirements.

• Basic ability to monitor exposed assets, security protection control strategies, threat hunting, emergency response, security operations and maintenance related to security operations.
• Demonstrated ability to execute security response on the ground.
• Some software development skills and ability to participate in full-cycle safety operations work, construction, development and other services.
• Demonstrated ability to drive projects to different maturity levels of execution, documentation, management, evaluation, optimization, and linkage independently.
• Good communication skills, able to assist in following up and analyzing the problems in the safety operation link, and able to assist the person in charge of safety operation of Party A to carry out the related work.

0x3: Specifics of your safe operation

Therefore, Party B generally defines security operation as a centralized security management system that focuses on assets, takes security event management as the key process, adopts the idea of security domain division, establishes a set of real-time asset risk models, and assists administrators to conduct event analysis, risk analysis, early warning management, and emergency response processing.

III. Differences between Party A's safety operations and Party B's

The safe operation of Party A and Party B is a complementary and mutually reinforcing relationship.

• Party A's safety operation is responsible for the results, and pays more attention to the effectiveness and efficiency of problem solving. It is good at using systematic management methods to quantify the risks, unify the management, and establish a set of safety operation system, and gradually reduce the risks through the landing optimization process.
• Party B security operations pay more attention to the generality and relevance, what are the common solutions in different scenarios, what are the targeted problem solutions, and tends to the governance of the risk to speak of the effectiveness of the strategy, through the content of the advantages of the Party B strategy, product, and ultimately the formation of products or services to assist the Party A for the security of the landing.

Simply put, it means that Party A focuses on the results of effectiveness and efficiency, and Party B focuses on the output of its own safety accumulation through the form of product and service, and pays more attention to the enhancement of effectiveness.

In fact, from the point of view of the overall maturity of security operations, a mature security operations need to have a platform for execution, recording, management, evaluation, optimization and linkage, and the development of this platform, whether it falls on Party A's self-research or with the help of the platform developed by Party B and the use of the security operations are gradually moving towards maturity of the process.

IV. Security Operation Pain Points

0x1: Excessive security device alarms

With the increase of security products in enterprise security, security operation engineers have to deal with more and more security event alarms. And due to the varying quality of products used in operations, resulting in the generation of many alarms, especially in some operators or data center scenarios, the daily alarm volume of security events is becoming more and more. Even some security devices monitor the success of false alarms accounted for 80% of all security events.

With too many alarms, there are many false alarms that have no way to be handled and remedied in the first place, thus causing security operators to be overwhelmed in responding to security event alarms, which in turn affects the efficiency of the daily operation process.

0x2: Large-scale business scenarios

No adaptable security operation platform can be used directly. In many Internet enterprises, due to their own business systems are relatively complex, and large-scale business data interaction process to achieve security operations, tightly rely on traditional security operations to cope with is not enough to deal with their complex business scenarios.

As a result, enterprises either take the approach of developing their own platforms or use products with relatively powerful detection capabilities and relatively flexible rule configurations to cope. Either way requires a certain cost to maintain, but relatively speaking the latter is the choice of the vast majority of enterprises.

0x3: False alarm issues

As we all know, wasting time trying to determine a false alarm event is often a pain. There are two possible reasons for this.

• One is the significant increase in time and labor costs for security event analysis
• One is that false positives are not only in successful security events, but also in unsuccessful security events due to false positives that result in missed positives.

Therefore, the process of security operations through the selection of equipment products, security equipment, policy updates, security equipment, custom rule base on the ease of use, will be the daily security operations face.

Often in many scenarios, certain business data departure false alarms are also considered to be unique and more common problems, which also requires customized and relatively flexible alarm configuration to deal with.

0x4: Defense Gap

Because traditional enterprise security does not operate the security defense products as a whole, there are greater collaboration difficulties in the process of forensic research and judgment, tracking and tracing, and often need to frequently log in and switch between different product platforms to query and compare the data analysis and correlation, and therefore tend to be missed in fragmented data analysis, resulting in gaps in the defense.

Advanced threat intelligence management system can play the role of different technology and key data related clues in response to this part of the security operation, sharing or calling intelligence data in the appropriate link, and playing the role of collaborative analysis and judgment. Of course, we can also set up automated countermeasures according to the level through the design of workflow, and automatically respond when triggered to proactively respond.

0x5: Knowledge synergy issues

In addition to security products, the inability to share intelligence from the security team also leads to the inability to process investigations in parallel with the team in the first instance; these investigations are often segregated but interconnected, and some of the investigative records about the adversary's tactics, techniques, and processes, etc., should be able to be shared with the team in the first instance.

0x6: Confusing environment

The chaotic environment is characterized by a lack of collaboration and inefficiency among teams when action is required, and a lack of a management platform where teams coordinate with each other to monitor task schedules and results. For example, threat monitoring analysts, security operations centers, and incident response teams should be able to work together to reduce emergency response and remediation times.