Solution

Concept of security operation & maintenance integration of big data

The security operation & maintenance integration of big data covers the following four concepts:

Data architecture: A big data architecture establishes the foundation support platform, and big data technology is applied to the acquisition, storage, cleansing, analysis, mining, visualization and security protection of mass data.

Big data security: Security analysis and security protection of the infrastructure, application systems and business systems are conducted on the foundation support platform for data, so that security is driven by data.

Operation & maintenance of big data: Complex networks, large numbers of devices and large volumes of data are monitored and managed on the big data foundation support platform to guarantee persistent, stable, efficient and safe system operation.

Solution

- Build the new security operation & maintenance platform according to the P2DR model.

- The core idea shifts from "defense in depth" to "real-time detection and response".

- Drive security with data.

System framework

The security operation & maintenance integration system of big data includes one platform and three systems:

- Basic support platform

- Safety analysis system

- Operation & maintenance analysis system

- Application analysis system

Main application scene

- Financial anti-fraud

- Correction of incidents raised by false alarms

- Detection of information leakage

- Abnormal web access

- Mining of long-period security incidents

Basic support platform

The foundation support platform collects log data (structured, semi-structured and unstructured data are supported) and network flow data, including:

- Network/security device logs

- Operating system logs

- Application and middleware logs

- Database logs

- NetFlow records from switches

Collected out of band (bypass connection) through network port mirroring:

- Source IP and destination IP

- Protocol type and port number

- TCP session state information (connection setup, connection teardown, retransmission, etc.)

- Packet size and packet count

- Packet packing and unpacking (encapsulation and decoding)

Safety analysis system

Traditional security devices defend on the basis of signatures and simple rules, and cannot recognize unknown threats or new attack patterns. At the same time, much of the valuable data they generate is scattered across the network, because each device operates largely on its own; constrained by storage and computing power, the data cannot be retained and fully used, so the correlations that may exist are never found through analysis. The devices under management receive no unified detection or visual display, the rationality of each device's configuration cannot be judged as a whole, and the weak points cannot be found.

Operation & maintenance analysis system

The IRIS solution helps to advance operation & maintenance work:

- The security operation & maintenance integration platform of big data provides unified management and knowledge management of the assets in the network environment.

- It performs real-time monitoring and data acquisition, rapidly correlates information from many sources, and generates warnings, turning passive response into active early warning.

- After a security event, all relevant data in the system can be obtained quickly for tracing. Evidence collection and investigation take as little as a minute, which greatly reduces the cost of emergency response.

- Machine learning, baseline analysis, pattern recognition, correlation analysis and similar techniques are applied to find unknown threats and abnormal accounts accurately, greatly reducing false alarms and missed detections and improving the efficiency and value of operation & maintenance.

- Multidimensional visual display greatly simplifies operation & maintenance work.

- Security analysis and operation & maintenance analysis are fused, sharing one technology platform and the same technical means.
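The baseline analysis and correlation analysis named above, applied to the flow fields the basic support platform collects by port mirroring (source and destination IP, protocol, port, TCP session state, packet size and count) together with a network/security device log, look like the following. This is an added illustration, not code from the IRIS product; the flow records, the firewall log lines and the thresholds are constructed for the example.

```python
"""Baseline and correlation analysis over mirrored-traffic flow records.

Added illustration (not Shandong Ruiju's IRIS code): the record fields are the
ones the page lists for bypass collection, and the two steps are the baseline
analysis and correlation analysis the operation & maintenance section names.
All records below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str      # TCP session state: established, fin, rst, retransmit
    packets: int
    nbytes: int


# Constructed learning window: what the network normally looks like.
BASELINE_RECORDS = """
2013-06-01T08:00:01 10.0.0.5 10.0.1.20 tcp 443 established 40 31200
2013-06-01T08:00:09 10.0.0.5 10.0.1.20 tcp 443 fin 38 29900
2013-06-01T08:01:12 10.0.0.7 10.0.1.30 tcp 3306 established 120 88000
2013-06-01T08:02:45 10.0.0.7 10.0.1.30 tcp 3306 fin 118 86000
2013-06-01T08:03:02 10.0.0.9 10.0.1.20 tcp 443 established 22 15100
2013-06-01T08:04:30 10.0.0.5 10.0.1.40 tcp 80 established 15 9000
"""

# Constructed detection window: 10.0.0.9 suddenly reaches many services it
# never used before, and most of those sessions end in a reset.
CURRENT_RECORDS = """
2013-06-01T10:00:01 10.0.0.5 10.0.1.20 tcp 443 established 41 32000
2013-06-01T10:00:05 10.0.0.7 10.0.1.30 tcp 3306 established 119 87500
2013-06-01T10:05:01 10.0.0.9 10.0.1.20 tcp 22 rst 1 60
2013-06-01T10:05:01 10.0.0.9 10.0.1.20 tcp 23 rst 1 60
2013-06-01T10:05:02 10.0.0.9 10.0.1.20 tcp 25 rst 1 60
2013-06-01T10:05:02 10.0.0.9 10.0.1.20 tcp 80 established 3 400
2013-06-01T10:05:03 10.0.0.9 10.0.1.20 tcp 135 rst 1 60
2013-06-01T10:05:03 10.0.0.9 10.0.1.20 tcp 139 rst 1 60
2013-06-01T10:05:03 10.0.0.9 10.0.1.20 tcp 445 rst 1 60
2013-06-01T10:05:04 10.0.0.9 10.0.1.20 tcp 443 established 20 14000
"""

# Constructed firewall log, standing in for the "network/security device log".
FIREWALL_LOG = """
2013-06-01T10:05:03 fw01 deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=445
2013-06-01T10:05:03 fw01 deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=139
2013-06-01T10:06:10 fw01 permit src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=443
"""


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, state, pkts, nbytes = line.split()
        flows.append(Flow(ts, src, dst, proto, int(dport), state, int(pkts), int(nbytes)))
    return flows


def build_baseline(flows):
    """Per source address: the set of (destination, port) services it normally uses."""
    known = defaultdict(set)
    for f in flows:
        known[f.src].add((f.dst, f.dport))
    return known


def detect_anomalies(baseline, flows, min_new_services=5, max_reset_ratio=0.5):
    """Baseline analysis: flag sources that contact many never-seen services
    while most of their TCP sessions end in a reset instead of being established."""
    new_services = defaultdict(set)
    states = defaultdict(Counter)
    for f in flows:
        if f.proto == "tcp":
            states[f.src][f.state] += 1
        if (f.dst, f.dport) not in baseline.get(f.src, set()):
            new_services[f.src].add((f.dst, f.dport))
    findings = {}
    for src, services in new_services.items():
        total = sum(states[src].values()) or 1
        reset_ratio = states[src]["rst"] / total
        if len(services) >= min_new_services and reset_ratio > max_reset_ratio:
            findings[src] = {"new_services": len(services), "reset_ratio": round(reset_ratio, 2)}
    return findings


def parse_firewall_denies(text):
    """Count firewall deny events per source address."""
    denies = Counter()
    for line in text.strip().splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[3:])
        if parts[2] == "deny":
            denies[fields["src"]] += 1
    return denies


def correlate(findings, denies):
    """Correlation analysis: a flow anomaly that the firewall also denied is
    raised to high severity; a single source of evidence stays at medium."""
    alerts = []
    for src, info in sorted(findings.items()):
        severity = "high" if denies.get(src) else "medium"
        alerts.append({"src": src, "severity": severity,
                       "firewall_denies": denies.get(src, 0), **info})
    return alerts


def run():
    baseline = build_baseline(parse_flows(BASELINE_RECORDS))
    findings = detect_anomalies(baseline, parse_flows(CURRENT_RECORDS))
    return correlate(findings, parse_firewall_denies(FIREWALL_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The learning window stands in for the platform's stored history; the thresholds (five new services, more than half of sessions reset) are example values, and in practice they would be tuned per asset group so that a busy jump host or vulnerability scanner does not generate the same alert every day.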

Application analysis system

- Analysis of log data

- Analysis of unpacked network traffic

- Analysis combined with business data, which can serve bank anti-fraud, anti-money laundering, credit risk control, precision marketing, etc.

- This requires clients to open the relevant data interfaces of their business systems, or to provide the business data directly.

- The specific business logic must be known.


Copyright 2013 Shandong Ruiju Software Co., Ltd. All rights Reserved
