2020, the year just past, was a difficult and an extraordinary one. For the cybersecurity industry it brought both challenges and opportunities. Cyber confrontation between states intensified, and personal-data leaks came one after another. The remote working and telemedicine forced on us by the pandemic raised the bar for network security construction, and new technologies such as zero trust, the endogenous security framework and cloud-native security developed rapidly.
2021 will bring more uncertainty: cyber confrontation between states will keep heating up, ransomware will remain the biggest threat organisations face, and supply-chain attacks will intensify further. As privacy laws and regulations are introduced and enforced in more countries, corporate compliance will come under greater pressure.
The Hofu Think Tank has therefore released its “2021 Security Foresight Report”, intended as a reference and forecast for government and enterprise bodies and the relevant departments. The report reviews the security situation and security technology innovation of 2020, forecasts the cybersecurity situation of 2021 and proposes countermeasures. For reasons of space it is published in two parts; this first part reviews 2020.
Part 1 – 2020 Security Situation
In the year of the pandemic, network security faced a major test
The COVID-19 pandemic raged through 2020, endangering lives around the world, but it did not stop cyber-attack groups. The shift to remote working became a new target for attackers, bringing unprecedented network security risk and making 2020 a bumper year for them. Just as COVID-19 tested each country's healthcare system, the severe security situation gave network security defences an annual “big test”.
We review the 2020 cybersecurity situation from seven angles, including the international situation, government agencies, critical infrastructure, new technology applications, individual users, and the offence-defence contest.
01 International cyber conflict turns white-hot and cyber attacks go public
International conflict intensified in 2020. Cyber attacks and military action have become complementary tools: an attack in physical space often triggers retaliation in cyberspace, and vice versa. State-on-state cyber attacks are becoming more frequent and more intense.
In March 2020 the UN Security Council took up cyber attacks as a dedicated topic for the first time. Countries increasingly stress forceful responses to cyber attacks. Throughout 2020 the cyber conflicts between the United States and Iran and between Israel and Iran never really stopped and grew ever fiercer; in May, Israeli cyber-warfare experts warned that an Iranian cyber attack causing significant damage to Israeli infrastructure would be a “reason for war”. In November 2020 the United Kingdom officially announced the creation of a National Cyber Force (NCF) focused on countering cyber attacks.
In March 2020 the U.S. Cyberspace Solarium Commission warned that the United States faced the risk of a catastrophic cyber attack. The warning illustrates how international confrontation in cyberspace is intensifying, but it did not spare the United States the largest APT attack of the year, which compromised several important military and government institutions. State-on-state attacks of this kind show no sign of stopping and reflect the character of the current era: international cyber confrontation without rules and steadily escalating. In an age where cyber attacks lack rules, the fragile balance of cyberspace has become hard to maintain.
In January 2020, the U.S. “targeted killing” of the Quds Force commander triggered retaliatory Iranian cyber attacks against the United States.
In April 2020, Israeli water and wastewater treatment facilities were hit by multiple cyber attacks.
In May 2020, Iran's important Shahid Rajaee port was hit by a “highly precise” Israeli cyber attack that caused serious chaos on the port's waterways and roads.
In July 2020, a “cyber attack” severely damaged Iran's most important nuclear facility.
In September 2020, the United States indicted Iranian hackers and announced sanctions against the Iranian APT39 group.
In December 2020, at least 80 Israeli companies, including Israel's largest defence contractor, were targeted by Iranian hackers in alleged retaliation for the assassination of an Iranian nuclear physicist.
02 Cyber attacks focus on espionage; military and government agencies face the risk of leaks
Although some security experts believe destructive attacks on infrastructure are displacing espionage, espionage remained the main goal of cyber attacks in 2020. The supply-chain attack exposed at the end of the year (the SolarWinds compromise) led to intrusions at many U.S. military and government agencies, including the Department of Defense, the Department of Homeland Security, the State Department, the Department of Energy and the Department of Commerce, and has been called “probably the most significant cyber espionage operation in history”. With the coronavirus raging worldwide, attacks aimed at stealing vaccine research also rose sharply: vaccine research organisations including Chinese medical companies, Pfizer and Japanese vaccine laboratories suffered cyber attacks in which COVID-19 vaccine research data was stolen. Among them, the COVID-19 research results and technology source code of the Chinese company Huiyihuiying were stolen and sold by hackers.
Statistics from the Qi Anxin Threat Intelligence Center show that the frequency of APT attacks against key Chinese organisations rose markedly in 2020: the number of APT attacks worldwide grew by 23%, while the number against China grew by 69%. Chinese government, medical and defence bodies were important espionage targets for foreign APT groups. By industry, APT incidents in 2020 broke down as medical institutions 24%, government institutions 21%, educational institutions 12% and defence departments 11%.
According to monitoring by Qi Anxin Threat Intelligence Center experts, in 2020 the APT group DarkHotel repeatedly attacked Chinese institutions, using browser and VPN zero-day vulnerabilities to penetrate Chinese government bodies and steal confidential information. APT groups with a South Asian background, such as Manlinghua (Bitter), Mahacao (Patchwork), Rattlesnake (SideWinder) and Mara, attacked China's defence industry, government and universities for espionage almost all year round. The Chinese-speaking APT group Du Yunteng carried out targeted attacks on key Chinese universities, research institutes and government units, stealing large amounts of military intelligence and seriously harming national security.
03 Destructive attacks on critical infrastructure surge, aiming at social chaos
Attacks on critical infrastructure and other sectors tied to the national economy and people's livelihoods surged, with the intent of causing social chaos and lasting damage; alongside traditional intelligence theft this is a prime objective of state-level hacking groups. Security experts at the 2020 World Economic Forum agreed that utilities and critical infrastructure had become one of the main targets of cyber attacks. The attacks on the Ukrainian power grid were once rare, headline-making events; in 2020 attacks on critical infrastructure became common and frequent. As geopolitical tensions rose, disruptive cyber attacks increased further in 2020, with a significant rise in attacks by hacking groups on sectors such as power grids, water systems, critical manufacturing and transport. State-backed groups can use destructive attacks to threaten national economic security and public health and undermine social stability without paying a high price.
In February 2020, a U.S. natural gas company shut down operations on a natural gas pipeline due to a ransomware attack.
In May 2020, the main line of Venezuela’s national grid was attacked and a large-scale power outage occurred across the country.
In May 2020, Israel thwarted several large-scale cyberattacks on its water supply, one of which nearly caused a humanitarian catastrophe.
In May 2020, Elexon, a key management agency for the UK power grid, was hit by a cyber attack that affected internal IT networks and employee computers, making critical communications impossible.
In May 2020, CPC and FPCC, Taiwan's two largest oil refiners, suffered cyber attacks one after the other, affecting the entire supply chain.
In October 2020, the Indian city of Mumbai suffered an unprecedented large-scale power outage that paralysed railway operations and put stock exchanges, medical facilities and other critical infrastructure at risk. Reports suggested the outage was likely the result of a state-sponsored hacking campaign.
Compared with 2019, the number of attack alerts received by China's State Grid Corporation rose significantly in 2020, and the risk to key information infrastructure in the power sector increased further.
04 New infrastructure accelerates across the board while the security system lags
The pandemic has become a catalyst for digital transformation, with a chain reaction for network security: digital construction has made network security a strategic priority. In particular, with the full acceleration of China's “new infrastructure” programme, 5G, the industrial Internet and other digital technologies are being deployed step by step, and the new generation of information technology, while driving the digital economy, modernising social governance and advancing a smart society, has added new security risks.
New infrastructure brings complex application scenarios and raises the bar for protection: the old mode of scattered, piecemeal construction, with security bolted on as an add-on, cannot cope with the endless stream of vulnerabilities, a network environment with blurred security boundaries, and attackers' increasingly sophisticated methods.
In the digital transformation driven by new infrastructure, the shortcomings of the traditional protection model, namely the lack of a systematic security design, badly fragmented capabilities, poor overall coordination and little capacity for resilient recovery, have been greatly amplified. Building a protection system for new infrastructure urgently needs a systematic approach: a ubiquitous, integrated and practical security capability system for users, and an omnipresent network security “immunity” established inside the digital environment, which is true endogenous security.
The spread of 5G is driving explosive growth in IoT devices, but the huge number of IoT terminals carries obvious security risks and has become an important target for network attacks. According to statistics from Qi Anxin's Star Trail platform, a honeypot system that captures network attacks, the current average daily volume of PoC exploit attempts is about 3 million, and nine of the ten most common exploits in the sample survey target IoT device vulnerabilities.
05 COVID-19 rages around the world and hacking groups enjoy a bumper year
Affected by COVID-19, global demand for remote work surged and the user base and market exploded; at the peak of the domestic outbreak, demand for remote working grew 663% month on month. An IDC survey shows that in 2020 enterprise data held in the cloud exceeded on-premises data for the first time. Remote work became the norm for many Internet companies. It breaks through the traditional network perimeter and brings huge security risk.
In this new environment global cyber attacks surged in 2020 and hacking groups had a bumper year. The first half of 2020 saw a spike in both the intensity and severity of attacks, with attacks on medical and humanitarian organisations especially pronounced; the World Health Organization, for example, reported a 500% increase in attacks against it. In the first half of 2020 the number of distributed denial-of-service (DDoS) attacks worldwide rose 151%, and CrowdStrike found that the first half of 2020 saw more attacks than all of 2019. According to Qi Anxin Threat Intelligence Center data, APT activity worldwide grew 23% in 2020 and APT incidents targeting the medical sector grew 117%. At the peak of the outbreak Chinese medical institutions suffered large numbers of attacks; the German government lost tens of millions of euros to coronavirus-themed phishing in 2020; and the most serious APT incident of the year, disclosed in the United States at the end of 2020, had begun its attack activity at the start of the year.
The pandemic-driven surge in remote work saw attackers quickly adapt to the “new normal”, and trading of credentials on darknet markets boomed. An investigation by the security firm Positive Technologies found a thriving trade in corporate credentials: in the first quarter of 2020 the number of darknet posts selling corporate web login credentials jumped 69% from the previous quarter.
06 Personal-data leaks surge and the crackdown on privacy violations intensifies
The need to fight the pandemic in 2020 led to frequent collection of personal information, and although the competent authorities stressed personal-information and privacy protection during the period of epidemic control, and issued notices requiring “de-identification” and collection limited to “epidemic prevention needs”, leaks still occurred frequently. Beyond pandemic-related leaks, apps infringing personal privacy remained a social hot spot in 2020, and China's regulators continued to act against apps collecting personal information beyond their stated scope. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly carried out a campaign against illegal collection and use of personal information by apps; apps that violated user rights or had problems in collecting personal information were publicly named and taken offline. Eighteen group standards were drafted, including the series on evaluating app protection of user rights and the series on evaluating the minimum necessary collection and use of personal information by apps, to regulate how domestic apps collect user information and reduce infringement of users' rights and interests. Internationally, Apple announced that from early 2021 it would remove apps that track user data without permission from the App Store. China also saw a number of personal-information leaks.
For example, in December 2020 the personal information of a young woman in Chengdu, including her movement history, was published in full on the Internet, drawing public attention to privacy protection during the pandemic; in November of the same year the trial and judgment of the “first facial recognition case” by the Fuyang court raised society-wide concern about the protection of personal biometric information, and the necessity of deploying facial recognition and the security of the information collected became a focus of public attention.
07 The imbalance of the offence-defence contest worsens; information systems are “riddled with holes”
In 2020 the contest between offence and defence showed a worsening imbalance.
Attack groups have better capabilities and can exploit a vulnerability within a relatively short time. While attacks chaining long-published vulnerabilities are still the norm, attackers are more likely to use zero-day vulnerabilities against high-value targets. Attackers also use automation to reshape their attacks, quickly generating variants of known threats that security devices cannot recognise. Zero-day exploits, identity credentials and cyber weapons sold on darknet markets give attackers the ability to go after high-value targets.
Fragile supply chains have become an important entry point for attack groups and are the weakest link requiring attention. The supply-chain attack exposed at the end of 2020, which affected more than 200 important U.S. government bodies and enterprises, highlighted how complex supply-chain attacks have become. While direct attacks reported by government and corporate bodies fell, “indirect attacks” through the supply chain rose. According to a report by the Atlantic Council think tank, among publicly reported incidents from 2010 to 2020, high-impact software supply-chain attacks and leaks showed a year-on-year upward trend.
In contrast to attackers' ever-evolving methods, vulnerabilities in core applications, network equipment and new technologies keep appearing, and the number of vulnerabilities has set new records for two consecutive years. Attack groups' increasingly sophisticated methods and their increasingly specialised division of labour, together with information systems that are themselves “riddled with holes”, reveal a serious imbalance between offence and defence and huge latent security risk.
In 2019 the industry submitted 16,208 vulnerability reports to CNVD; in 2020 the figure reached 20,136. Qi Anxin CERT monitored 3,381 new vulnerabilities in 2020, more than in 2019, about 46% of them high-risk vulnerabilities with serious impact or low attack cost.
According to Qi Anxin CERT monitoring, of newly disclosed vulnerabilities, those attacked within 0-7 days of disclosure account for about 0.23% of the total.
A critical zero-day vulnerability in the popular video-conferencing software Zoom was sold for US$500,000.
Oracle fixed 1,576 vulnerabilities in 2020, including many high-severity ones with CVSS scores of 10 and 9.8 that can give an attacker extensive privileges.
In 2020 researchers found that products from several mainstream security vendors, the very products meant to defend against attacks, contained exploitable vulnerabilities of their own, posing serious risk. Since the outbreak began, exploiting VPN vulnerabilities to break into government agencies in various countries has become a favoured method of hacking groups.
Part 2 – Security Innovations in 2020
Digitalisation accelerates practical security innovation
“Where virtue rises a foot, vice rises ten”: the attack-and-defence drama of the digital world plays out all the time. The severe cybersecurity risks of 2020 accelerated the research, innovation and practical deployment of security products, from the “zero trust” boom spawned by remote work, to the privacy-protection technology driven by personal-information protection, to the new-generation defence system driven by the wave of new infrastructure, the “endogenous security framework”. 2020 was a year in which technical innovation turned into practice at speed; concepts proposed in recent years by Gartner and at the RSA Conference began to be implemented this year, protecting cybersecurity in the digital age at the national, social, economic and personal levels.
01 Remote-access demand surges under the pandemic and zero trust moves towards standardisation
The pandemic pressed the accelerator on remote working; some believe it advanced the adoption of remote work by at least three to five years. It should be recognised, though, that the pandemic is only a catalyst: the underlying driver of remote work is the digital transformation of enterprises.
To solve the security problems of remote access, such as reducing business exposure, controlling permissions and verifying identity, zero-trust network access is regarded as the answer and is highly rated by consultancies such as Gartner. Major vendors have launched zero-trust identity security solutions for remote-access scenarios. For now, however, zero trust is still at an early stage.
Zero-trust standardisation accelerated in 2020. On 12 August 2020 the U.S. National Institute of Standards and Technology (NIST) published the final version of “Zero Trust Architecture” (SP 800-207), describing zero-trust security principles, architecture models and application scenarios in detail. In China, drafting of the first national standard, “Information Security Technology – Zero Trust Reference Architecture”, initiated by Qi Anxin, has formally begun and will do much to promote the standardisation and adoption of zero-trust architecture.
To provide finer-grained permission control, Qi Anxin's zero-trust identity security solution applies an artificial-intelligence approach to the zero-trust implementation architecture, adapting to users, devices and application resources to achieve fine-grained dynamic access control and reduce both external risks and insider threats. Its key components, an intelligent identity management platform, an intelligent evaluation engine and a trusted access control engine, are packaged as an intelligent resource protection platform for large-scale industrial roll-out, supporting zero trust in remote work, cloud computing, big data centres, the Internet of Things, the Internet of Vehicles, smart cities and other scenarios, protecting core assets and supporting the efficient and safe operation of key business applications.
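The per-request, dynamic access control that the zero-trust section above describes is easiest to understand as a policy decision point. The following is an added example written for this page, not Qi Anxin's product code and not text from NIST SP 800-207: each request is judged on identity entitlement, device posture and context, and the verdict (allow, step-up or deny) is per resource rather than per network. The resource catalogue, scoring weights, thresholds and sample requests are assumptions made for the example.

```python
"""Per-request zero-trust policy decision (added example for this page; not
Qi Anxin's product code and not text from NIST SP 800-207). It shows the
principle both describe: nothing is granted on network location; each request
is judged on identity, device posture and context, and the verdict is per
resource: allow, step-up or deny. Resource catalogue, weights, thresholds and
sample requests are assumptions made for the example."""
from dataclasses import dataclass


@dataclass
class Subject:
    user: str
    groups: frozenset
    mfa_age_s: int       # seconds since last successful MFA
    session_age_s: int   # seconds since the session was established


@dataclass
class Device:
    device_id: str
    cert_valid: bool     # device certificate from our CA, not revoked
    managed: bool        # enrolled in MDM
    edr_healthy: bool    # endpoint agent running and reporting
    patch_age_days: int


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str          # "read" or "write"
    source_country: str


# resource -> (entitled group, sensitivity 1..3); assumed catalogue
RESOURCES = {"wiki": ("staff", 1), "crm": ("sales", 2),
             "hr-payroll": ("hr", 3), "ci-admin": ("devops", 3)}
MIN_DEVICE_SCORE = {1: 40, 2: 60, 3: 80}   # posture needed per sensitivity
HOME_COUNTRY = "CN"
MAX_MFA_AGE_S = 3600                        # sensitive data: MFA within the hour
MAX_PRIV_SESSION_S = 8 * 3600               # privileged writes: fresh session


def device_trust_score(d: Device) -> int:
    """Posture score 0..100; a device without a valid identity scores 0."""
    if not d.cert_valid:
        return 0
    return (20 + (40 if d.managed else 0) + (20 if d.edr_healthy else 0)
            + (20 if d.patch_age_days <= 30 else 0))


def decide(req: Request) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'step_up' or 'deny'."""
    entry = RESOURCES.get(req.resource)
    if entry is None:
        return "deny", "unknown resource"
    group, sensitivity = entry
    # 1. entitlement: the identity must be authorised for this resource
    if group not in req.subject.groups:
        return "deny", f"{req.subject.user} not entitled to {req.resource}"
    # 2. device posture: more sensitive resource, stronger device requirement
    score = device_trust_score(req.device)
    if score == 0:
        return "deny", "device identity not verified"
    if score < MIN_DEVICE_SCORE[sensitivity]:
        return "deny", f"device trust {score} below {MIN_DEVICE_SCORE[sensitivity]}"
    # 3. context: stale MFA or unusual geography on sensitive data -> step-up
    if sensitivity >= 2 and (req.subject.mfa_age_s > MAX_MFA_AGE_S
                             or req.source_country != HOME_COUNTRY):
        return "step_up", "fresh MFA required for sensitive resource"
    # 4. privileged write on a long-lived session -> re-authenticate
    if (req.action == "write" and sensitivity == 3
            and req.subject.session_age_s > MAX_PRIV_SESSION_S):
        return "deny", "session too old for privileged write; re-authenticate"
    return "allow", "identity, device and context satisfy policy"


def sample_decisions() -> dict:
    """Constructed requests exercising each branch of the policy."""
    laptop = Device("lt-42", True, True, True, 5)       # managed, healthy
    byod = Device("ph-7", True, False, False, 10)       # identity only
    hr = Subject("alice", frozenset({"staff", "hr"}), 300, 600)
    dev = Subject("bob", frozenset({"staff", "devops"}), 120, 10 * 3600)
    sales = Subject("carol", frozenset({"staff", "sales"}), 7200, 900)
    cases = {
        "hr_payroll_from_laptop": Request(hr, laptop, "hr-payroll", "read", "CN"),
        "hr_payroll_from_byod": Request(hr, byod, "hr-payroll", "read", "CN"),
        "wiki_from_byod": Request(hr, byod, "wiki", "read", "CN"),
        "sales_reads_payroll": Request(sales, laptop, "hr-payroll", "read", "CN"),
        "sales_crm_stale_mfa": Request(sales, laptop, "crm", "read", "CN"),
        "devops_ci_from_abroad": Request(dev, laptop, "ci-admin", "read", "US"),
        "devops_ci_write_old_session": Request(dev, laptop, "ci-admin", "write", "CN"),
    }
    return {name: decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in sample_decisions().items():
        print(f"{name:28s} {verdict:8s} {reason}")
```

The same user on the same day gets three different answers depending on the device and the resource: the payroll system is refused from a BYOD phone that the wiki happily serves, and a devops engineer abroad is asked for fresh MFA rather than being refused outright. That is the behaviour a VPN-based perimeter cannot express, because once the tunnel is up every resource behind it looks the same.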
02 The endogenous security framework builds a dynamic, comprehensive defence system from the top down
New infrastructure brings complex application scenarios and raises the bar for protection: the old mode of scattered, piecemeal construction, with security bolted on as an add-on, cannot cope with the endless stream of vulnerabilities, a network environment with blurred security boundaries, and organised, systematic, precisely targeted network attacks.
The digital age has completely dissolved the boundary between the cyber and physical worlds, bringing new security risks. The old idea of static perimeter protection no longer fits the needs of the new era; security in the digital era requires a dynamic and comprehensive network defence system. The endogenous security framework was created for this purpose.
The endogenous security framework starts from the “owner's perspective, the informatisation perspective and the top-level perspective of network security”, builds an analysis model of overall network-security defence capability adapted to different business scenarios, designs a coordination and linkage mechanism for network security in complex heterogeneous environments, and forms a full-life-cycle deployment system for network security, with security capabilities planned as a whole and implemented step by step, gradually building an integrated security system for the digital age.
The framework is broken down into an implementation manual of “ten projects and five tasks”, with specific deployment steps and standards for each project and task. Government and enterprise organisations can define their own key projects according to the characteristics of their informatisation and tasks. Taking a new-infrastructure project as an example, working from the “ten projects and five tasks” manual, Qi Anxin identified 29 security area scenarios and deployed 79 types of security component across 136 informatisation components. The framework suits almost all application scenarios, can guide different industries to produce network security architectures matched to their characteristics, builds a dynamic and comprehensive defence system, and fully meets the security needs of the digital age.
On 23 November the endogenous security framework was named a “World Leading Internet Scientific and Technological Achievement” at the World Internet Conference.
03 Automation advances privacy-protection compliance
Since the arrival of the EU's General Data Protection Regulation (GDPR), compliance with data security and personal-privacy protection has quickly become one of the hottest topics in the security community. As the volume and mobility of data rise sharply, protecting consumer privacy becomes harder, and discovering consumers' sensitive data inside massive data sets has become a major problem.
In 2020 the privacy-protection start-up Securiti.ai won the RSAC Innovation Sandbox contest. The company stresses the use of AI and a People Data Graph to identify data automatically and build a knowledge graph of individuals that supports subsequent analysis.
To overcome the inefficiency of traditional privacy solutions, Securiti.ai has built an automated process for handling consumer data-rights requests, helping customers meet the requirements of regulations such as the GDPR and the CCPA quickly.
In China, illegal collection and leakage of data are also troubling issues: leaks of private information about COVID-19 patients and asymptomatic carriers have not been rare, and hundreds of apps have been removed from app stores for illegally collecting consumers' personal data.
Building on the principle proposed by Academician Fang Binxing, “move the program, not the data; data usable but invisible”, Yunanbao, a data-security subsidiary of Qi Anxin, was first in China to launch a practical “Waterproof Fort” product.
Waterproof Fort uses data sandbox and secure split-learning techniques for data security and privacy protection: data can be fully analysed and mined inside the sandbox, but analysts can only take away analysis model files and results that contain no sensitive data.
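The “data usable but invisible” property described above rests on one control: the sandbox inspects what leaves, not what enters. The following is an added example written for this page, not the Waterproof Fort product's implementation, which the page does not describe in detail. Analyst code runs against the raw records inside the sandbox, and an output gate releases only results that carry no identifier (even a reformatted one) and no group small enough to point at an individual. The records, field names, identifier patterns and minimum group size are constructed assumptions.

```python
"""Output gate for a 'data usable but invisible' analysis sandbox (added
example for this page, not the Waterproof Fort product's code). Analyst code
runs next to the raw data; only results that carry no sensitive value and no
small group leave. Records, field names, patterns and MIN_GROUP are assumed."""
import re
from collections import Counter

# Constructed, fictitious patient records (not real data).
RECORDS = [
    {"patient_id": "P001", "id_number": "110101199001011234", "phone": "13800000001", "district": "Haidian",  "diagnosis": "flu",    "age": 34},
    {"patient_id": "P002", "id_number": "110101198505052345", "phone": "13800000002", "district": "Haidian",  "diagnosis": "flu",    "age": 41},
    {"patient_id": "P003", "id_number": "110101199212123456", "phone": "13800000003", "district": "Chaoyang", "diagnosis": "flu",    "age": 29},
    {"patient_id": "P004", "id_number": "110101197707074567", "phone": "13800000004", "district": "Chaoyang", "diagnosis": "flu",    "age": 52},
    {"patient_id": "P005", "id_number": "110101200003035678", "phone": "13800000005", "district": "Haidian",  "diagnosis": "covid",  "age": 20},
    {"patient_id": "P006", "id_number": "110101196811116789", "phone": "13800000006", "district": "Chaoyang", "diagnosis": "covid",  "age": 58},
    {"patient_id": "P007", "id_number": "110101199509097890", "phone": "13800000007", "district": "Haidian",  "diagnosis": "covid",  "age": 25},
    {"patient_id": "P008", "id_number": "110101198202028901", "phone": "13800000008", "district": "Chaoyang", "diagnosis": "asthma", "age": 38},
]
SENSITIVE_FIELDS = {"patient_id", "id_number", "phone"}
# Assumed shapes of a mainland ID number and a mobile number, so values that
# were reformatted (e.g. "+86" prefixed) rather than copied verbatim are caught.
ID_PATTERN = re.compile(r"\d{17}[\dX]|1\d{10}")
MIN_GROUP = 3                     # counts below this are suppressed
SUPPRESSED = "<%d" % MIN_GROUP


class OutputRejected(Exception):
    """Raised when a result would carry sensitive data out of the sandbox."""


def _scalars(obj):
    """Yield every scalar inside a nested result (dict keys included)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _scalars(k)
            yield from _scalars(v)
    elif isinstance(obj, (list, tuple, set)):
        for v in obj:
            yield from _scalars(v)
    else:
        yield obj


def gate(result):
    """Release a result only if it has no identifier and no small cell."""
    sensitive = {str(r[f]) for r in RECORDS for f in SENSITIVE_FIELDS}
    for s in _scalars(result):
        text = str(s)
        if text in sensitive or ID_PATTERN.search(text):
            raise OutputRejected("sensitive value would leave the sandbox")
    if isinstance(result, dict):  # aggregate convention: int values are counts
        result = {k: (SUPPRESSED if isinstance(v, int) and 0 < v < MIN_GROUP else v)
                  for k, v in result.items()}
    return result


def run_in_sandbox(analysis):
    """Run analyst code on the raw data; return ('ok', result) or ('rejected', reason)."""
    try:
        return "ok", gate(analysis(RECORDS))
    except OutputRejected as e:
        return "rejected", str(e)


# --- analyst-submitted code (constructed) ----------------------------------
def count_by_diagnosis(records):
    return dict(Counter(r["diagnosis"] for r in records))

def dump_rows(records):                  # tries to take the raw table out
    return list(records)

def export_contacts(records):            # tries to smuggle phones out, reformatted
    return {"contacts": ["+86" + r["phone"] for r in records]}


if __name__ == "__main__":
    for fn in (count_by_diagnosis, dump_rows, export_contacts):
        print(fn.__name__, run_in_sandbox(fn))
```

The honest aggregate is released with its single-patient cell suppressed; the row dump and the reformatted phone list are both refused. A production gate would add the checks this toy omits (differential-privacy noise on counts, limits on how many queries an analyst may run against the same population, and inspection of exported model files), but the shape is the same: the program moves to the data, and only a checked result moves back.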
In response to the chaos of app privacy compliance, Qi Anxin, Bang Bang Security and Ai Encrypt have launched complete app privacy-protection solutions covering app privacy compliance testing, app privacy-protection assessment services, app security testing and guidance on remediation. Automated or semi-automated in-depth detection of Android/iOS application behaviour helps users meet the “Measures for Determining Illegal Collection and Use of Personal Information by Apps” quickly and avoid over-collection of consumers' personal data.
It is foreseeable that with the coming introduction of domestic laws such as the Data Security Law and the Personal Information Protection Law, innovation in privacy protection will keep growing and AI will play a larger role in it.
04 The offence-defence contest evolves; a third-generation security engine tackles the 0day problem
Attacks cannot be avoided, 0day vulnerabilities keep being exposed, and every breach happens “under security protection”; the existing security model urgently needs reform. On 17 January 2020 the third-generation security engine “Tiangu” was launched. It overturns the traditional protection idea of finding vulnerabilities and applying patches: even without patches it can, according to its vendor, defend effectively against attacks.
The Tiangu engine claims breakthrough innovation in four areas. First, from coarse-grained to fine-grained: moving from coarse, high-level “file trustworthiness” detection to fine-grained, low-level “memory instruction trustworthiness” detection, which addresses the protection gap created when vulnerabilities in “trusted programs” are maliciously exploited.
Second, defence against 0day vulnerabilities: it collects and authorises the trusted instructions of known systems and programs and uses them to defend against attacks through unknown vulnerabilities, addressing the industry problem that “0day vulnerabilities cannot be defended against”.
Third, protection without network access: Tiangu does not rely on malicious-file signatures, specific vulnerability signatures, specific behaviour signatures or specific attack signatures, so it does not depend on network queries and its protection is unaffected in isolated networks or even with no network at all.
Last, effective defence against backdoors: through detection of instruction calls, Tiangu can discover backdoor instructions hidden in systems and applications, filling a gap in the industry's backdoor detection technology.
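The four claims above share one idea: judge the instruction that is executing, not the file it came from. The page does not describe Tiangu's internals, so the following is an added illustrative model written for this page, not the engine's code or algorithm. It shows a well-known form of “instruction trustworthiness” checking: a sensitive API hook looks at the return address of its caller. Code running outside any loaded module image (stack or heap shellcode, whatever vulnerability delivered it) is blocked with no signature and no patch, which is why such a check needs no network lookup; a call from a trusted module but from a call site never seen during a learning phase is flagged as a possible backdoor. Module layout, addresses and call sites are constructed.

```python
"""Caller-address validation for sensitive API calls (added example for this
page; an illustrative model, not the Tiangu engine's code). A hook on a
sensitive API checks where the call came from: outside every module image ->
block; untrusted module -> block; trusted module but unseen call site ->
alert (possible backdoor). Module layout, addresses and sites are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    trusted: bool    # assumed: image signed or hash known


def module_for(modules, addr):
    """Return the module whose image contains addr, or None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


class CallSiteMonitor:
    """Hook model for sensitive APIs: learn authorised call sites, then enforce."""

    def __init__(self, modules):
        self.modules = modules
        self.authorized = {}     # (module name, api) -> set of image offsets

    def observe(self, api, return_addr):
        """Learning phase: record which trusted-module offsets call api."""
        m = module_for(self.modules, return_addr)
        if m is not None and m.trusted:
            self.authorized.setdefault((m.name, api), set()).add(return_addr - m.base)

    def check(self, api, return_addr):
        """Enforcement phase: return (verdict, reason) for one call of api."""
        m = module_for(self.modules, return_addr)
        if m is None:
            return "block", f"{api} from {return_addr:#x}: outside every module image"
        if not m.trusted:
            return "block", f"{api} from untrusted module {m.name}"
        offset = return_addr - m.base
        if offset not in self.authorized.get((m.name, api), set()):
            return "alert", f"{api} from unseen site {m.name}+{offset:#x} (backdoor?)"
        return "allow", f"{api} from authorised site {m.name}+{offset:#x}"


def demo():
    """Constructed process map and calls; returns verdicts keyed by scenario."""
    modules = [
        Module("app.exe",      0x00400000, 0x00100000, True),
        Module("kernel32.dll", 0x7FF00000, 0x00100000, True),
        Module("plugin.dll",   0x10000000, 0x00020000, False),
    ]
    mon = CallSiteMonitor(modules)
    # learning: call sites seen during normal runs of the application
    mon.observe("CreateProcessW", 0x00401234)
    mon.observe("VirtualProtect", 0x00402000)
    cases = {
        "normal_spawn":       ("CreateProcessW", 0x00401234),
        "shellcode_on_stack": ("CreateProcessW", 0x0019FF80),
        "shellcode_on_heap":  ("VirtualProtect", 0x01C40010),
        "untrusted_plugin":   ("CreateProcessW", 0x10000500),
        "unseen_site_in_app": ("VirtualProtect", 0x00405000),
    }
    return {name: mon.check(api, addr) for name, (api, addr) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:20s} {verdict:6s} {reason}")
```

The two shellcode cases are blocked without the monitor knowing anything about the bug that put code on the stack or heap, which is the sense in which this style of check does not depend on a patch or a signature. The caveat a practitioner should keep in mind is that it can be bypassed by return-oriented payloads that stage the call through an authorised site, so real products pair it with stack-walk and control-flow checks; the alert on an unseen site is also only as good as the learning phase, which must cover legitimate but rare paths such as updaters.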
After its release the third-generation security engine Tiangu was quickly installed and deployed at large central state-owned enterprises and commercial customers, and its installed base soon exceeded one million endpoints.
05 Live offensive and defensive exercises drive a wave of product and technology innovation
In recent years, regular live offensive and defensive exercises have become an important means of raising the network security protection level of the country and its key units. A live exercise normally takes an information system in real operation as the target and, through supervised attack-and-defense confrontation, simulates a real network attack as faithfully as possible in order to test the security of the information system and the effectiveness of its operational safeguards.
This process drives the innovation and adoption of many network security product technologies, such as vulnerability management, deception detection, security orchestration, automation and response (SOAR), and extended detection and response (XDR).
In vulnerability management, the NOX security monitoring platform launched by Qi Anxin CERT this year has relatively complete coverage. The platform consolidates vulnerability intelligence so that customers can discover threatening vulnerabilities in time and receive complete remediation guidance. At the same time, Qi Anxin CERT drives rapid upgrades of Qi Anxin's related products and deploys the corresponding detection rules for attacks against those vulnerabilities.
The SaaS platform launched by the foreign start-up Vulcan Cyber can automatically aggregate all public vulnerability information, display the status of every stage of the vulnerability management lifecycle, and output vulnerability analysis reports, greatly reducing the vulnerability maintenance work of security operators.
Deception detection technology (honeypots) is also popular with defenders. By simulating real environments, it lures the intrusion activity of attackers, trapping threats while keeping the real business systems hidden. In 2020 a large number of security vendors, such as Knowing Chuangyu, Moan Technology, Chaitin Technology and Qi Anxin, released new versions of deception detection products. With strong emulation capability and deceptiveness, they can quickly distribute "simulated decoys" across the network so that every link of the attack chain is covered and attack behavior can be trapped without blind spots.
In the response stage, SOAR uses orchestration and automation technology to integrate the teams, tools and processes involved in security operations, process multi-source data in an orderly manner, and continuously carry out alert triage and investigation, threat hunting, case handling and incident response. Shenghuaan launched an independent SOAR 3.0 product that is decoupled from the SOC/SIEM platform and can be integrated and linked with its own and third-party SOC platforms and advanced threat detection products. As the first security orchestrator in China driven by a workflow engine that follows the BPMN 2.0 specification, Shenghuaan SOAR offers strong openness, extensibility and scalability.
To further improve detection and response capabilities, extended detection and response (XDR) technology is receiving more attention. The prevailing international practice is to integrate XDR deeply with security services. For example, Respond Analyst, created by Respond Software, serves as an XDR engine that automatically analyzes security data and logs and detects threats, greatly improving the efficiency of this work. FireEye has integrated Respond Analyst into its SaaS platform Mandiant Advantage (an MDR platform) and draws on Mandiant's vulnerability intelligence and cutting-edge technology to improve its security services.
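The property that makes decoys attractive to defenders is that nothing legitimate ever touches them, so any interaction is a high-fidelity alert with no tuning. The following added example (not any of the vendors' deception products) registers three kinds of decoy, an account nobody uses, a web path nothing links to, and a host that serves no real business, and scans constructed log lines of three formats for contact with them. Log formats, addresses and decoy names are all constructed for this example.

```python
"""Decoy-interaction detection: any contact with a decoy is a high-fidelity alert.

Added example, not any vendor's deception product. Decoy names, log formats
and addresses are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Decoys planted by the defender; none is used by real business, so any hit is hostile.
DECOYS = {
    "account": {"svc_backup"},
    "path": {"/admin/backup.zip"},
    "host": {"10.0.9.200"},
}

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
WEB_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ')
FLOW_RE = re.compile(r"^flow src=(\d+\.\d+\.\d+\.\d+) dst=(\d+\.\d+\.\d+\.\d+) dport=(\d+)")


@dataclass(frozen=True)
class Alert:
    src: str     # address on the attacker side
    kind: str    # which decoy type was touched
    decoy: str   # the decoy identifier
    line: str    # raw evidence line


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if this log line records contact with a decoy, else None."""
    m = SSH_RE.search(line)
    if m and m.group(1) in DECOYS["account"]:
        return Alert(m.group(2), "decoy-account", m.group(1), line)
    m = WEB_RE.match(line)
    if m and m.group(2) in DECOYS["path"]:
        return Alert(m.group(1), "decoy-path", m.group(2), line)
    m = FLOW_RE.match(line)
    if m and m.group(2) in DECOYS["host"]:
        return Alert(m.group(1), "decoy-host", m.group(2), line)
    return None


def find_decoy_hits(lines: List[str]) -> List[Alert]:
    return [a for a in (check_line(l) for l in lines) if a is not None]


def by_source(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Group decoy kinds per source so one intruder touching several decoys is one case."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.kind)
    return out


# Constructed log lines: 10.0.5.23 probes all three decoys; 10.0.1.8 behaves normally.
SAMPLE_LOGS = [
    "Jan 12 10:02:11 web01 sshd[2231]: Failed password for invalid user svc_backup from 10.0.5.23 port 51234 ssh2",
    "Jan 12 10:02:40 web01 sshd[2240]: Accepted publickey for alice from 10.0.1.8 port 40022 ssh2",
    '10.0.5.23 - - [12/Jan/2021:10:03:01 +0800] "GET /admin/backup.zip HTTP/1.1" 404 0',
    '10.0.1.8 - - [12/Jan/2021:10:03:05 +0800] "GET /index.html HTTP/1.1" 200 512',
    "flow src=10.0.5.23 dst=10.0.9.200 dport=445 proto=tcp",
    "flow src=10.0.1.8 dst=10.0.9.10 dport=443 proto=tcp",
]


def demo() -> List[Alert]:
    return find_decoy_hits(SAMPLE_LOGS)


if __name__ == "__main__":
    for src, kinds in by_source(demo()).items():
        print(src, sorted(kinds))
```

Spreading decoys across account, application and network layers is what gives coverage of several links of the attack chain: the same source shows up at credential guessing, web enumeration and lateral movement, and the per-source grouping turns those three hits into one case.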
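The orchestration pattern described above, as an added example rather than Shenghuaan's SOAR product: alerts from several tools are merged, enriched with asset context, scored, and acted on only through pluggable connectors, so the playbook has no direct dependency on any one SIEM or firewall (the decoupling the report highlights). The asset inventory, allowlist, alerts, score weights and thresholds are all constructed for this example.

```python
"""A minimal SOAR-style playbook: dedupe, enrich, score, act through connectors.

Added example, not Shenghuaan's SOAR. Assets, allowlist, alerts, weights and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    tool: str       # producing tool (NDR, EDR, honeypot, ...)
    rule: str
    src_ip: str
    dst_ip: str
    severity: int   # 1..5 as reported by the tool


@dataclass
class Case:
    rule: str
    src_ip: str
    dst_ip: str
    count: int
    score: int
    disposition: str


# Constructed asset inventory used for enrichment
ASSETS = {
    "10.0.9.200": {"name": "db01", "criticality": "high"},
    "10.0.9.10": {"name": "web01", "criticality": "medium"},
}
SCANNER_ALLOWLIST = {"10.0.1.8"}       # constructed: the internal vulnerability scanner
CRIT_BONUS = {"high": 3, "medium": 1}  # assumed weights


class Connectors:
    """Stand-in for firewall, ticketing and chat integrations; records every call."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, ...]] = []

    def block_ip(self, ip: str) -> None:
        self.calls.append(("block_ip", ip))

    def open_ticket(self, title: str, priority: str) -> None:
        self.calls.append(("ticket", title, priority))

    def notify(self, message: str) -> None:
        self.calls.append(("notify", message))


def dedupe(alerts: List[Alert]) -> Dict[Tuple[str, str, str], Tuple[int, int]]:
    """Collapse repeats of the same rule/src/dst; keep highest severity and a count."""
    merged: Dict[Tuple[str, str, str], Tuple[int, int]] = {}
    for a in alerts:
        key = (a.rule, a.src_ip, a.dst_ip)
        sev, n = merged.get(key, (0, 0))
        merged[key] = (max(sev, a.severity), n + 1)
    return merged


def score(severity: int, dst_ip: str, count: int) -> int:
    """Tool severity plus target criticality plus a bonus for repeated hits, capped at 10."""
    crit = ASSETS.get(dst_ip, {}).get("criticality", "low")
    return min(10, severity + CRIT_BONUS.get(crit, 0) + (1 if count >= 3 else 0))


def run_playbook(alerts: List[Alert], connectors: Connectors) -> List[Case]:
    cases: List[Case] = []
    for (rule, src, dst), (sev, n) in dedupe(alerts).items():
        if src in SCANNER_ALLOWLIST:
            cases.append(Case(rule, src, dst, n, 0, "suppressed-allowlist"))
            continue
        s = score(sev, dst, n)
        title = f"{rule}: {src} -> {ASSETS.get(dst, {}).get('name', dst)}"
        if s >= 8:
            connectors.block_ip(src)
            connectors.open_ticket(title, "P1")
            connectors.notify(f"P1 {title} (score {s}, {n} alerts)")
            disposition = "contained"
        elif s >= 5:
            connectors.open_ticket(title, "P2")
            disposition = "ticketed"
        else:
            connectors.notify(f"low {title} (score {s})")
            disposition = "informational"
        cases.append(Case(rule, src, dst, n, s, disposition))
    return cases


# Constructed alerts from two tools, including three repeats of one event and a scanner probe
SAMPLE_ALERTS = [
    Alert("honeypot", "decoy-host-contact", "10.0.5.23", "10.0.9.200", 4),
    Alert("ndr", "decoy-host-contact", "10.0.5.23", "10.0.9.200", 3),
    Alert("honeypot", "decoy-host-contact", "10.0.5.23", "10.0.9.200", 4),
    Alert("ndr", "port-scan", "10.0.1.8", "10.0.9.10", 3),
    Alert("ndr", "port-scan", "10.0.7.77", "10.0.9.10", 2),
]


def demo() -> Tuple[List[Case], List[Tuple[str, ...]]]:
    conn = Connectors()
    return run_playbook(SAMPLE_ALERTS, conn), conn.calls


if __name__ == "__main__":
    for case in demo()[0]:
        print(case)
```

Swapping `Connectors` for a class that talks to a real firewall or ticketing API is the only change needed to move this from dry run to production, which is the point of keeping the playbook logic separate from the integrations.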
06 Combat readiness has become the focus of SOC/SIEM construction
In recent years major network security incidents have occurred frequently, such as EternalBlue and the Struts2 and WebLogic remote code execution vulnerabilities, and even a company as strong as FireEye could not escape the clutches of hackers. This makes it ever harder for security personnel to enjoy the easy life of "stowing the weapons and turning the horses out to pasture": peacetime and wartime have become intertwined and inseparable.
Building combat-ready capability has become the key development direction for SOC/SIEM security operation platforms. Qi Anxin released a new version of its situational awareness and security operation platform NGSOC, and Venustech launched the Taihe intelligent operation system TSOC.
Judging from the product trends of security vendors in 2020, this combat-readiness orientation is mainly reflected in three aspects.
The first is support for regular live network attack and defense drills, using offense to drive defense. Qi Anxin NGSOC provides an exercise situation dashboard that displays the defender's overall picture across management information, system construction, threat operation and other dimensions during the exercise, and provides decision support for post-event investigation and gap filling.
The second is three-dimensional threat early warning. As the center of internal threat detection and security operations in government and enterprise organizations, a traditional SIEM/SOC that relies solely on log correlation cannot grasp the full picture of an intrusion. The SOC platform should therefore be able to issue internal and external early warnings, correlate them with the IP assets in the network, analyze which assets may be affected, and tell users in advance about possible attacks on business systems and potential security risks. The security management platform launched by Venustech releases internal and external early warnings in a timely manner, correlates them with the IP assets in the network, analyzes the assets that may be affected, and lets users know in advance about possible attacks on business systems and potential security risks.
The third is remote operation services. Beyond on-site security operations, integrating SOC platforms with remote operation services is the focus of major security vendors this year. As an important means of addressing the talent shortage among platform users, Qi Anxin can deliver threat analysis, security data analysis reports, traceability analysis and incident co-handling reports based on the NGSOC platform to ensure secure operations in both peacetime and wartime.
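The step that both the vulnerability management platforms in section 05 and the early-warning capability described here automate is the same: take an advisory (product plus affected and fixed version range), match it against the IP asset inventory, and report which assets are exposed and what to do about them. The following added example shows that correlation; it is not the NOX, Vulcan Cyber, NGSOC or Venustech implementation. Advisory ids, version ranges and the inventory are constructed placeholders, not real advisories.

```python
"""Correlate vulnerability early warnings with the IP asset inventory.

Added example; not any vendor's implementation. Advisory ids (ADV-2020-000x),
version ranges and inventory entries are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    product: str
    version: str
    business: str   # the business system the asset belongs to


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id
    product: str
    affected_from: str        # inclusive lower bound
    fixed_in: Optional[str]   # exclusive upper bound; None means no fix published yet
    severity: str


@dataclass(frozen=True)
class Exposure:
    advisory_id: str
    asset: Asset
    action: str


def vkey(version: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric, zero-padded version tuple so that 2.3 and 2.3.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_affected(version: str, affected_from: str, fixed_in: Optional[str]) -> bool:
    v = vkey(version)
    if v < vkey(affected_from):
        return False
    return fixed_in is None or v < vkey(fixed_in)


def correlate(advisories: List[Advisory], assets: List[Asset]) -> List[Exposure]:
    """Match every advisory against every asset of the same product."""
    out: List[Exposure] = []
    for adv in advisories:
        for a in assets:
            if a.product.lower() != adv.product.lower():
                continue
            if is_affected(a.version, adv.affected_from, adv.fixed_in):
                action = (f"upgrade to {adv.fixed_in}" if adv.fixed_in
                          else "no fix yet: isolate, mitigate and monitor")
                out.append(Exposure(adv.advisory_id, a, action))
    return out


def early_warning(exposures: List[Exposure]) -> List[str]:
    """One line per exposed asset, the content of a 'who is affected' warning view."""
    return [
        f"{e.advisory_id} {e.asset.ip} ({e.asset.hostname}, {e.asset.business}) "
        f"{e.asset.product} {e.asset.version}: {e.action}"
        for e in exposures
    ]


# Constructed inventory and advisories
INVENTORY = [
    Asset("10.0.9.10", "web01", "Apache Struts", "2.3.20", "online portal"),
    Asset("10.0.9.11", "web02", "Apache Struts", "2.5.20", "online portal"),
    Asset("10.0.9.20", "app01", "Oracle WebLogic", "12.2.1.3", "core banking"),
    Asset("10.0.9.200", "db01", "PostgreSQL", "12.4", "core banking"),
]
ADVISORIES = [
    Advisory("ADV-2020-0001", "Apache Struts", "2.0.0", "2.3.35", "critical"),
    Advisory("ADV-2020-0002", "Oracle WebLogic", "12.2.1.0", None, "critical"),
    Advisory("ADV-2020-0003", "PostgreSQL", "13.0", "13.1", "medium"),
]


def demo() -> List[Exposure]:
    return correlate(ADVISORIES, INVENTORY)


if __name__ == "__main__":
    for line in early_warning(demo()):
        print(line)
```

The accuracy of this view is bounded by the inventory: an asset whose product or version field is missing or stale is silently skipped, so keeping the IP asset inventory current is part of the early-warning capability, not separate from it.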
07 Government and enterprise organizations accelerate cloud migration, and cloud-native security reconstructs cloud security protection system
Since the outbreak of the epidemic, cloud computing, as an important part of digital construction, has relied on its powerful computing capacity and huge resource pools to provide stable and efficient support for recovery from the epidemic, further accelerating the overall development of the cloud economy.
It is foreseeable that, driven by the continued development of "new infrastructure", digital construction and national policy, government and enterprise organizations in industries such as the Internet, transportation, logistics, finance, government affairs and education will migrate to the cloud at an accelerating pace.
To ensure security protection on the cloud, cloud-native security became a hot topic in 2020 as an emerging security concept. Seamlessly integrated cloud-native security not only addresses the security problems brought about by the spread of cloud computing, but also emphasizes building, deploying and applying security on the cloud with native thinking, promoting the deep integration of security and cloud computing at a low cost of use and supporting flexible, dynamic and complex industry scenarios.
A cloud-native security platform addresses these challenges with a unified platform that helps enterprises detect threats to cloud resources, maintain compliance, secure cloud-native applications, secure cloud network and application communications, and enforce permissions and verify identities across workloads.
In China, Tencent Security launched a relatively complete cloud-native security solution in 2020, building a complete cloud security protection architecture around security governance, data security, application security, computing security and network security. For security governance it builds a chain of governance systems from risk identification, risk monitoring and protection through to response, recovery and continuous operation. Through a data security middle platform, the enterprise's data-security infrastructure, technology and products are incorporated into the cloud itself, providing data discovery, governance, encryption and protection as security services across the whole process. At the application layer, the DevSecOps concept is incorporated into the development cycle to better manage container security. At the network layer, SaaS-based cloud network security products are provided, and the overall security of the platform and its tenants is guaranteed through governance of the cloud network boundary.
Overseas, the leading network security company Palo Alto Networks launched version 2.0 of its cloud-native security platform Prisma Cloud, including a data security module that provides data leakage prevention (DLP); a web application and API security module that protects web applications and integrates with the unified agent framework of its CWPP; an identity-based micro-segmentation module that integrates network visualization to provide end-to-end visibility of network communications; and an identity and access management security module that provides cloud infrastructure entitlement management (CIEM).
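Of the capabilities listed for these platforms, entitlement management (CIEM) is the one most easily shown in code. The following added example (not Prisma Cloud, Tencent Security or any vendor's code) reads policies in the AWS IAM JSON shape (Version, Statement, Effect, Action, Resource, Condition, which is a real document format) and flags the usual least-privilege problems: wildcard actions, write access on any resource, sensitive actions granted without a Condition, and entitlements that usage data shows were never exercised. The identities, policies, sensitive-action list and usage records are constructed for this example.

```python
"""CIEM-style entitlement review over IAM policy documents.

Added example; not Prisma Cloud, Tencent Cloud or any vendor's code. The
policy shape is the AWS IAM JSON format; identities, policies, the sensitive
action list and the usage records are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str
    detail: str


READ_PREFIXES = ("get", "list", "describe", "head")
# Actions that can escalate privilege when granted without a Condition (assumed list)
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole", "iam:createaccesskey", "iam:attachuserpolicy"}


def _as_list(x: Any) -> List[Any]:
    return x if isinstance(x, list) else [x]


def allow_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def review_policy(identity: str, policy: Dict[str, Any]) -> List[Finding]:
    """Static checks on what the policy grants, independent of whether it is used."""
    findings: List[Finding] = []
    for stmt in allow_statements(policy):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(Finding(identity, "wildcard-action", a))
            if a in SENSITIVE_ACTIONS and "Condition" not in stmt:
                findings.append(Finding(identity, "unconditional-sensitive-action", a))
        writes = [a for a in actions if not a.split(":")[-1].startswith(READ_PREFIXES)]
        if "*" in resources and writes:
            findings.append(Finding(identity, "write-on-any-resource", ", ".join(writes)))
    return findings


def granted_services(policy: Dict[str, Any]) -> Set[str]:
    """Service prefixes (s3, iam, ...) the policy allows; '*' stands for everything."""
    svcs: Set[str] = set()
    for stmt in allow_statements(policy):
        for a in _as_list(stmt.get("Action", [])):
            svcs.add("*" if a == "*" else a.split(":")[0].lower())
    return svcs


def unused_entitlements(identity: str, policy: Dict[str, Any], used: Iterable[str]) -> List[Finding]:
    """Services the identity may call but did not call in the observed window."""
    idle = granted_services(policy) - {s.lower() for s in used} - {"*"}
    return [Finding(identity, "unused-entitlement", s) for s in sorted(idle)]


# Constructed policies: an over-privileged CI role and a tightly scoped auditor
DEPLOYER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:log-group:/ci/*"}
  ]
}""")
AUDITOR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]}
  ]
}""")
# Constructed 90-day usage: services each identity actually called
USAGE = {"ci-deployer": {"s3", "logs"}, "readonly-auditor": {"s3"}}


def demo() -> Dict[str, List[Finding]]:
    identities = {"ci-deployer": DEPLOYER_POLICY, "readonly-auditor": AUDITOR_POLICY}
    return {
        name: review_policy(name, pol) + unused_entitlements(name, pol, USAGE[name])
        for name, pol in identities.items()
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, [(f.kind, f.detail) for f in findings])
```

The static checks catch what the policy could do; the usage comparison catches what it does not need to do. Both views are required for a least-privilege recommendation, since a wildcard that is actually exercised every day needs to be narrowed rather than removed.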