Background
Recently, I have tried to build a HIDS from scratch in the company, based on an open-source framework, combined with actual scenarios, and customized development. Before, I have tested commercial HIDS products such as Qingteng Cloud, and open-source HIDS products such as osses, osquery, yulong-hids, etc. These products identify and predict risks based on rules, databases, and behavior, and overall, they feel like passive defense. They can identify known risks, but what about unknown risks, technical personnel violations, or variant viruses? How can they be defended against? Especially when the security department has limited personnel, no one can sort out and summarize the rules. Then, even if the HIDS platform is established, it cannot be put into play.
The problems faced by host security
Diverse attack methods, fixed defense points
Compared to attackers, the business model or online service, the technical model is basically fixed. Communication is either HTTP or RPC, and there are rarely custom network protocols. The server operating system is mainly Linux and Windows, and the middleware is mainly Nginx, mysql, redis, etc. However, the attack scripts of attackers are not fixed, can be variously obfuscated and encrypted, not to mention various bypassing and anti-killing techniques. You can easily find them on github.
Establish defense strategies from the perspective of the attacker
Security defenders have always tried to guess the intentions and methods of attackers, thereby establishing defense rules and identification methods. This is relatively effective against ordinary attackers or those who take the easy way out, but the attack methods of real attackers are definitely diverse, and security defenders are always led by the nose by attackers.
Overly dependent on behavioral recognition
Nowadays, it is not appropriate to present security products without mentioning machine learning and behavioral analysis. However, just like the rules, behavioral recognition brings problems that are quite rigid and suitable for specific scenarios. Similarly, there are also serious false positives and false negatives. However, the resources invested in developing machine learning models are relatively large, but the effectiveness is minimal.
The degree of business participation is basically zero
During the construction of host security (HIDS), since it mainly revolves around the server for identification, in the process of HIDS implementation, rule formulation, and risk identification, the business basically has no participation.
Establish a thinking framework for host security defense
In my view, whether it is host security or web security, the basic defense methods are basically the same, but the perspective needs to be changed. In the past, security defense was formulated from the perspective of the attacker, but now it should be converted to a perspective based on the business model with the attack perspective as assistance.
Establish a detailed security baseline for business
Firstly, define the model of business operation. The baseline is not only at the operation and maintenance level but also needs to be deepened to the business level. Because once the online business is launched, the basic operation mode has already been fixed, such as the process name, path, output, and input, so this information can be organized into the business operation security baseline. Based on this baseline, monitor the operation of the business and the server. Once any behavior jumps out of the baseline, security should immediately step in to handle it.
Different businesses require different defense strategies
Different businesses and different environments require different defense strategies, for example, it is impossible to write content into the crontab for online business, while the test environment requires frequent writing. For database, big data, and other data servers, the main monitoring is of changes in non-data-related files to prevent ransomware.
Establish a trusted operation environment together with the business
During the early architecture and deployment review of business, it is not only necessary to pay attention to the security of the business itself, such as whether there are vulnerabilities in business logic or architecture. It is also necessary to work with operation and maintenance to help plan the online operation environment model, where operation and maintenance focuses on resource consumption, and security focuses on changes in data, files, etc., determining what is fixed and what is not.
Establish a security alarm convergence strategy
The idea of establishing host security mentioned above will inevitably lead to a result: a large number of security alarms in the early stage. There are two reasons for this: first, because the security considerations are not comprehensive enough, many situations are not considered, and alarms are therefore generated; second, business changes are large, and there are many behaviors that deviate from the security model. However, these will be greatly improved with the stabilization of the business model, frequent communication between security and business, and some automated platforms.
Specific implementation of strategies
Establish basic defense strategies
Firstly, establish a basic capability platform, including host information collection, Agent and Server, etc., so as to collect relevant data for security model judgment. Through open source and security researchers, a known security risk identification and defense can be quickly established in a short period of time. This process should not be too long; for one person, it can be completed in half a month to a month. The subsequent focus is on communication with business and operation and maintenance to formulate security models.
Determine the security baseline specifications
Operation and maintenance security baseline: determines the security baseline of servers, including specifications such as ports, processes, services, directories, users, etc.
Business security baseline: determines the behaviors during business operation, including ports, process names, file hash, directories, logs, etc.
Middleware security baseline: determines the running behaviors of Nginx, redis, etc., including version, process hash, output directory, etc.
Communication security baseline: defines communication modes, communication methods, source addresses, destination addresses, etc.
Based on DevSecOps convergence of security alarms
Due to the variability of business and operation and maintenance, it is inevitable to bring out behaviors that deviate from the security model, but these are all normal. Therefore, in the later stage, it is necessary to actively connect with the business platform and operation and maintenance platform through the DevSecOps platform, actively receive changes in operation and maintenance and business information, and timely correct the security model to achieve the convergence of security alarms.
Finally
Under the condition of limited human resources in the Security Department, through the formulation of business and operation and maintenance security baselines, not only can it cooperate with HIDS to detect host security risk behaviors, but also can formulate and implement security specifications covering all stages of business operation based on the security baseline, making the work results of the Security Department relatively more quantifiable. If it falls into the previous kind of rule formulation and attack prevention, how can the work results of the Security Department be quantified, by the number of rules or the number of attacks resisted? After all, attacks do not occur all the time, and not all rules are useful.
评论已关闭