NSA: Five Principles for Operating a SOC (with interpretation)

2024-07-21 Update. From: SLTechnology News&Howtos



NSA's Cybersecurity Threat Operations Center (NCTOC) is, in effect, the NSA's own SOC. Working with CYBERCOM, it runs security operations for the unclassified networks of the US Department of Defense (DOD). That network spans the globe and faces threats of every kind around the clock. Years of operating it have produced a great deal of operational experience, and the NCTOC team has distilled it, for operators, into five SOC operating principles:

1) Establish a defendable perimeter. After years of building the Joint Information Environment (JIE), DOD has sharply reduced its Internet access points: 99% of the traffic to and from the Internet now passes through only a handful of gateways. This greatly improves how defensible the network boundary is. On the one hand it shrinks the attack surface an adversary can use to enter the network; on the other, threat monitoring can be concentrated at those few exits. A defendable perimeter also means combining known indicators (signatures) with heuristic and behavioral analysis, applied on both host-based (endpoint) and network-based platforms, so that network activity can be observed and interdicted in real time. [Interpretation] From the author's own experience, determining the boundary is indeed essential preparatory work for defense. Whether the boundary is physical or virtual, entity-based or identity-based, single-layer or multi-layer, it may be virtualized but must never be blurred. A defendable boundary also means keeping the attack surface as controllable as possible. The principle refers to the most basic (but not simple) measure for a large enterprise: focusing on the Internet exits. That is why the US federal government invested heavily in TIC (Trusted Internet Connections) before deploying Einstein 2. Likewise for DODIN, the JIE Single Security Architecture design significantly reduces the number and types of Internet exits at the Internet boundary, and applies an integrated network security design (the deployment of JRSS, the Joint Regional Security Stacks) at the boundaries of all theater networks connected to it.

2) Ensure visibility across the network. Visibility into, and continuous monitoring of, network traffic must run through every level of the network: gateways, intermediate nodes, and endpoints. When a rule triggers an alert somewhere in the network, the analyst must be able to pinpoint and isolate the actual endpoint host that generated the activity, and this must happen in minutes, not hours.

In addition, as more and more traffic is encrypted, the SOC must build a solution for this so that sophisticated threats hiding inside legitimate network behavior can still be seen. [Interpretation] When we talk about situational awareness, one of its most basic capabilities is visibility. There was a wave of hype about it in China a few years ago; it is talked about less now, but its pursuit in network security has not diminished. Going further, what does "seeing" mean? In terms of objects, it means seeing not only traffic and logs but also the various entities, especially network entities and endpoint entities, and being able to integrate these observations. In terms of content, it means seeing the running state of the entities in the network and their interactions, distinguishing normal from abnormal entity states and behaviors, identifying attacks, intrusions and violations, and depicting how they develop and change (for example, along the attack chain). As for the goal, seeing is not the goal, and finding the problem is not the goal; seeing is only a means, and responding quickly and handling the problem is the goal. At this level the meaning of "seeing" also expands: it should help not only operators find problems but also responders handle them quickly.
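The "pinpoint the actual endpoint in minutes" requirement above is concrete enough to show in code. The following is an added example (not code from NSA, NCTOC, or the original article) of the correlation a SOC needs when its IDS sits at the Internet gateway: the alert only carries the post-NAT public address and port, so attributing it means walking back through the gateway's NAT translation log and then the DHCP lease log, using the alert timestamp to pick the mapping and the lease that were active at that moment. All log formats, host names, addresses and the rule name are constructed for the example; the point it makes is that an internal IP alone is not an identity, because addresses are reused.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample logs (not from any real network); timestamps are UTC.
# NAT translation log from the Internet gateway: when an internal flow was
# mapped to a public source port and when that mapping was torn down.
NAT_LOG = """\
2024-07-20T09:58:01Z nat-open  inside=10.20.5.17:51234 outside=203.0.113.10:40001 dst=198.51.100.7:443
2024-07-20T10:02:44Z nat-open  inside=10.20.5.42:51234 outside=203.0.113.10:40002 dst=198.51.100.7:443
2024-07-20T10:03:00Z nat-close inside=10.20.5.17:51234 outside=203.0.113.10:40001 dst=198.51.100.7:443
"""

# DHCP lease log. 10.20.5.17 changed hands during the day, so the address
# alone does not identify the endpoint; the lease active at alert time does.
DHCP_LOG = """\
2024-07-19T18:00:00Z lease ip=10.20.5.17 mac=00:11:22:33:44:55 host=WS-ACCOUNTING-03
2024-07-20T08:30:00Z lease ip=10.20.5.17 mac=66:77:88:99:aa:bb host=LT-SALES-11
2024-07-20T09:00:00Z lease ip=10.20.5.42 mac=cc:dd:ee:ff:00:11 host=WS-ENG-07
"""

# Gateway IDS alerts only see the post-NAT public address and port.
ALERTS = [
    "2024-07-20T10:01:30Z alert src=203.0.113.10:40001 dst=198.51.100.7:443 rule=suspicious-tls-beacon",
    "2024-07-20T10:04:00Z alert src=203.0.113.10:40002 dst=198.51.100.7:443 rule=suspicious-tls-beacon",
    "2024-07-20T10:05:00Z alert src=203.0.113.10:40001 dst=198.51.100.7:443 rule=suspicious-tls-beacon",
]


def parse_line(line: str):
    """Split '<ts> <event> k=v k=v ...' into (datetime, event, {k: v})."""
    ts, event, *rest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, dict(tok.split("=", 1) for tok in rest)


@dataclass
class Translation:
    inside: str                      # internal ip:port
    outside: str                     # public ip:port assigned by the gateway
    dst: str                         # destination ip:port
    start: datetime
    end: Optional[datetime] = None   # None: mapping still open


def load_nat(text: str):
    """Pair nat-open/nat-close events into Translation records with a lifetime."""
    open_flows, closed = {}, []
    for line in text.splitlines():
        ts, event, f = parse_line(line)
        key = (f["outside"], f["dst"])
        if event == "nat-open":
            open_flows[key] = Translation(f["inside"], f["outside"], f["dst"], ts)
        elif event == "nat-close" and key in open_flows:
            t = open_flows.pop(key)
            t.end = ts
            closed.append(t)
    return closed + list(open_flows.values())


def load_dhcp(text: str):
    leases = []
    for line in text.splitlines():
        ts, _, f = parse_line(line)
        leases.append({"ts": ts, "ip": f["ip"], "mac": f["mac"], "host": f["host"]})
    return leases


def resolve_alert(alert: str, nat, leases):
    """Map a gateway alert back to the endpoint that generated it, or None when
    attribution is not unambiguous (that alert then needs manual escalation)."""
    ts, _, f = parse_line(alert)
    # Step 1: which internal flow owned that public port when the alert fired?
    flows = [t for t in nat
             if t.outside == f["src"] and t.dst == f["dst"]
             and t.start <= ts and (t.end is None or ts <= t.end)]
    if len(flows) != 1:
        return None
    inside_ip = flows[0].inside.split(":")[0]
    # Step 2: which host held that internal address at that moment? The most
    # recent lease at or before the alert time handles address reuse.
    held = [l for l in leases if l["ip"] == inside_ip and l["ts"] <= ts]
    if not held:
        return None
    lease = max(held, key=lambda l: l["ts"])
    return {"rule": f["rule"], "ip": inside_ip, "mac": lease["mac"], "host": lease["host"]}


def triage(alerts=ALERTS):
    nat, leases = load_nat(NAT_LOG), load_dhcp(DHCP_LOG)
    return [resolve_alert(a, nat, leases) for a in alerts]


if __name__ == "__main__":
    for alert, result in zip(ALERTS, triage()):
        print(alert.split()[0], result or "UNATTRIBUTED: escalate")
```

The first alert resolves to LT-SALES-11 rather than WS-ACCOUNTING-03 even though both held 10.20.5.17 that week; the third alert arrives after its NAT mapping was closed and is deliberately returned as unattributed rather than guessed. In a real deployment the same two joins are what the SIEM or the EDR console must be able to perform automatically, because the minutes-not-hours target is not achievable by hand.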

3) Harden to best practices. Security incidents are usually caused by weaknesses in hardware and software that have not been updated in time or are non-compliant. In addition, when a vulnerability is disclosed or a patch is released, NCTOC scans the entire DODIN (DOD Information Network) within 24 hours to identify the potential targets of malicious actors (unpatched servers).

Timely updating remains one of the best defensive practices NCTOC strongly advocates: it reduces exposure to vulnerabilities and maximizes the reliability and protection of the software. [Interpretation] The core of the best practices referred to here is vulnerability management and patch management. As a matter of fact, this is easier said than done. NSA is right, but what needs more guidance is how to do it. Look at the Einstein program: two years ago, when its builders discussed what had been achieved, the main accomplishments listed were early warning and sharing of vulnerability intelligence, rapid asset scanning, the locating of defective assets, and the time to patch. Consider that a system costing billions of dollars was built to achieve this; is it worth it or not? Is vulnerability management difficult or not?
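The 24-hour scan described above is only as good as the version comparison behind it. As an added example (not NCTOC's tooling and not from the original article), the block below takes a disclosed advisory and an asset inventory and classifies every installed instance, paying attention to the two places such scans usually go wrong: pre-release builds that sort above the fixed release when compared as strings, and branches the advisory does not mention at all, which are typically end-of-life and must be routed to a human rather than reported as safe. The product name, version numbers, hosts and inventory format are all constructed for the example.

```python
import re

# Constructed advisory for a hypothetical product: branch -> first release carrying the fix.
ADVISORY = {
    "product": "examplehttpd",
    "fixed": {"2.4": "2.4.59", "2.5": "2.5.3"},
}

# Constructed asset inventory (hypothetical hosts), one installed instance per line.
INVENTORY = """\
host=web-01 product=ExampleHTTPd version=2.4.57
host=web-02 product=ExampleHTTPd version=2.4.59
host=web-03 product=ExampleHTTPd version=2.4.60
host=web-04 product=ExampleHTTPd version=2.4.59-rc1
host=api-01 product=ExampleHTTPd version=2.5.1
host=old-01 product=ExampleHTTPd version=2.2.34
host=db-01  product=ExampleDB   version=14.2
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(rc|beta|alpha)(\d*))?$", re.I)


def parse_version(v: str) -> tuple:
    """Turn '2.4.59-rc1' into a tuple that sorts correctly against '2.4.59' and '2.4'.
    Numeric parts are padded to four positions so '2.4' == '2.4.0.0'; a pre-release
    marker sorts below the final release that carries the same number."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    pre = (0, int(m.group(3) or 0)) if m.group(2) else (1, 0)
    return nums + pre


def assess(line: str, advisory=ADVISORY):
    """Classify one inventory line against the advisory."""
    f = dict(tok.split("=", 1) for tok in line.split())
    if f["product"].lower() != advisory["product"]:
        return f["host"], "not-affected"
    ver = parse_version(f["version"])
    branch = "%d.%d" % ver[:2]
    fixed = advisory["fixed"].get(branch)
    if fixed is None:
        # A branch the advisory does not mention is often end-of-life with no fix
        # coming. Never treat that as "safe"; hand it to a person.
        return f["host"], "review"
    return f["host"], ("vulnerable" if ver < parse_version(fixed) else "patched")


def scan(inventory: str = INVENTORY) -> dict:
    """host -> status for every inventory line."""
    return dict(assess(l) for l in inventory.splitlines() if l.strip())


def targets(results: dict) -> list:
    """Hosts that need action inside the scan window: unpatched plus unresolved."""
    return sorted(h for h, s in results.items() if s in ("vulnerable", "review"))


if __name__ == "__main__":
    res = scan()
    for host, status in res.items():
        print("%-8s %s" % (host, status))
    print("action:", targets(res))
```

Running it flags web-01, web-04 and api-01 as vulnerable, marks old-01 (an unlisted 2.2 branch) for review, and leaves db-01 untouched because the advisory is for a different product. Note that web-04 is caught only because the pre-release suffix is parsed; a plain string comparison would have reported "2.4.59-rc1" as newer than "2.4.59".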

4) Use comprehensive threat intelligence and machine learning. Before using threat intelligence, it is recommended to tailor the threat intelligence sources to one's own network environment. For example, cyber threat activity on DODIN may differ greatly from that seen by a medical organization. The SOC should understand its existing defensive architecture, determine which assets are valuable to the adversary, and tailor its threat intelligence subscriptions accordingly.

In addition, faced with massive volumes of threat intelligence and network activity alerts, the SOC should use data science and machine learning methods to distill this information into actionable results. Security teams should be able both to respond to existing alerts and to proactively hunt for threats that were not detected in the past. [Interpretation] This point is easy to understand and has been discussed a lot in China. For intelligence, completeness is no longer the aim; what is required is accuracy, refinement and attention to effectiveness. As for AI/ML, it has already been integrated into a variety of security devices and systems as a technical method.
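The two halves of this principle, tailoring the feed to the environment and then reducing the matches to something actionable, can be shown together. The following is an added example (not from NSA or the original article, and not a trained model; it uses a plain scoring rule in place of the machine learning the principle mentions): a threat-intelligence feed is first filtered against a profile of what actually runs in the environment, the surviving indicators are matched against DNS resolver logs, and each hit is weighted by indicator confidence, asset criticality and whether the indicator was reported against the organisation's own sector, with scores summed per host. The feed entries, profile, host names, domains and log format are all constructed for the example.

```python
# Constructed threat-intelligence feed (hypothetical indicators, no real infrastructure).
FEED = [
    {"indicator": "update-cdn.example", "type": "domain", "confidence": 90,
     "platforms": ["windows"], "sectors": ["defense"]},
    {"indicator": "macho-loader.example", "type": "domain", "confidence": 95,
     "platforms": ["macos"], "sectors": ["finance"]},
    {"indicator": "198.51.100.23", "type": "ip", "confidence": 60,
     "platforms": [], "sectors": []},
    {"indicator": "pki-check.example", "type": "domain", "confidence": 40,
     "platforms": ["linux"], "sectors": ["healthcare"]},
]

# Constructed profile of the defended environment: what runs here, which sector
# it belongs to, and how much each asset matters (1 = workstation, 5 = crown jewel).
PROFILE = {
    "platforms": {"windows", "linux"},
    "sector": "defense",
    "criticality": {"dc-01": 5, "build-02": 3, "ws-017": 1},
}

# Constructed DNS resolver log: "<ts> <host> <query> <answer>".
DNS_LOG = """\
2024-07-20T10:00:01Z ws-017   a.update-cdn.example   203.0.113.55
2024-07-20T10:00:05Z dc-01    update-cdn.example     203.0.113.55
2024-07-20T10:00:09Z build-02 pki-check.example      203.0.113.56
2024-07-20T10:00:12Z ws-017   macho-loader.example   203.0.113.57
2024-07-20T10:00:20Z build-02 mirror.example         198.51.100.23
2024-07-20T10:00:25Z ws-017   www.example            203.0.113.99
"""


def tailor_feed(feed, profile):
    """Keep indicators that can apply here: platform-tagged ones only if that
    platform exists in the environment; untagged ones are always kept. This cuts
    noise at the accepted risk of missing a platform nobody knew was present."""
    return [i for i in feed
            if not i["platforms"] or set(i["platforms"]) & profile["platforms"]]


def indicator_hits(indicator, query, answer):
    """Domain indicators match the name and any subdomain; IP indicators match the answer."""
    if indicator["type"] == "domain":
        d = indicator["indicator"]
        return query == d or query.endswith("." + d)
    return answer == indicator["indicator"]


def match(feed, log_text):
    hits = []
    for line in log_text.splitlines():
        ts, host, query, answer = line.split()
        for ind in feed:
            if indicator_hits(ind, query, answer):
                hits.append({"ts": ts, "host": host, "query": query, "indicator": ind})
    return hits


def rank(hits, profile):
    """Scoring rule: confidence x asset criticality, times 1.5 when the indicator
    was reported against our own sector. Summed per host, so several weaker hits
    on one asset rise together instead of being triaged one ticket at a time."""
    scores = {}
    for h in hits:
        ind = h["indicator"]
        sector_bonus = 1.5 if profile["sector"] in ind["sectors"] else 1.0
        crit = profile["criticality"].get(h["host"], 1)
        scores[h["host"]] = scores.get(h["host"], 0) + ind["confidence"] * crit * sector_bonus
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def prioritise(feed=FEED, profile=PROFILE, log_text=DNS_LOG):
    """Tailor, match, rank: returns [(host, score), ...] best first."""
    return rank(match(tailor_feed(feed, profile), log_text), profile)


if __name__ == "__main__":
    for host, score in prioritise():
        print("%-8s %7.1f" % (host, score))
```

The domain controller comes out on top with a single high-confidence, sector-relevant hit, while build-02 outranks the workstation only because its two individually unremarkable hits (a low-confidence domain and an untagged IP) are summed on the same asset. The macOS-only indicator never fires because the tailoring step removed it; that is the intended trade-off, and it is worth keeping a record of what was filtered so a hunt can revisit it later.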

5) Create a culture of curiosity. Measuring network security solely by how quickly security-incident tickets are closed can be misleading: it pushes responders to deal with alerts as fast as possible rather than trying to fully understand the attack activity itself. After a new countermeasure is adopted, predicting how the adversary will react is a challenge for responders, because a persistent adversary will keep probing for the entry points into the network that interest them and will not give up just because one attack was blocked. Therefore the SOC should always strive to take pre-emptive defensive action, inject innovative thinking into the team, and discover the adversary's new techniques and tactics.

[Interpretation] The so-called thirst for knowledge can also be understood as curiosity. Only by maintaining curiosity and a strong desire to learn can security analysts do security work well and improve their own abilities. This curiosity shows most concentratedly in threat hunting. The thirst for knowledge also means a huge long-term investment of personal energy, which is very tiring and very hard to sustain, and even more so once the return is taken into account. Further, how to stimulate and sustain the curiosity of a team rather than an individual is also a major question. Finally, in the final analysis, this is about a core essence of security confrontation: people.

As a practitioner in the SOC field, I share the above five principles with you.
