Review 2019 | See the Security Operation from the Development of Network Security

Release time: 2020-01-21

New technologies such as cloud computing, big data, the Internet of Things, the mobile Internet and artificial intelligence have brought a new information-industry revolution, but also new vulnerability risks and a further expanded network attack surface. In addition, the shortage of network security professionals makes network security protection more difficult.


Verizon's 2019 Data Breach Investigations Report (DBIR) analyzes more than 41,000 network security incidents and 2,000 data breaches in 86 countries. The report points out that since 2018, cloud storage configuration errors, business email compromise (BEC) and intellectual property theft have all been on the rise, and attacks motivated by commercial espionage have increased. In the past 12 months, a quarter of network intrusions and reconnaissance have been related to data leakage. Generally speaking, most attacks are driven by economic interests.


Behind the endless stream of ransomware attacks, data leaks, transnational telecommunication fraud and similar incidents, and the continued growth of the black and gray industry, lie not only economic interests but also political competition. The resulting impact is not limited to economic loss; it also affects social stability and national security.


Development Trend of Network Security Industry


Driven by national policies and regulations, the digital economy, security responsibility awareness, market demand and other factors, the market scale of the network security industry continues to grow rapidly. The IDC Worldwide Semiannual Security Spending Guide, 2018H2 shows that global network security expenditure will reach 106.63 billion US dollars in 2019, a year-on-year growth of 10.7%. IDC forecasts that by 2023 global network security expenditure will reach 151.2 billion US dollars, continuing to grow at a compound annual growth rate of 9.4%.


In 2019, the total expenditure of China's network security market will reach 7.35 billion US dollars, and its CAGR (compound annual growth rate) from 2019 to 2023 is 25.1%, a growth rate that continues to lead the global network security market. By 2023, China's network security market will grow to 17.9 billion US dollars.



Global Market Share of IT Security Products and Services in 2019


Source: IDC Worldwide Semiannual Security Spending Guide 2018H2


According to IDC, in 2018 global network security investment was dominated by security software and security services, which together accounted for more than 81.1%, while China's network security investment was dominated by security hardware products, with hardware accounting for more than 61.3%.


Although China leads in the growth rate of its industry, there is still a significant gap between the development of China's network security industry and that of developed countries in the global market.


Li Dewen, Vice Director of the Network Security Industry Development Center of the Ministry of Industry and Information Technology, pointed out five existing problems of China's network security industry at the "China Network Security Industry Development Summit Forum 2019":


Firstly, the overall scale is small, and there is a lack of leading enterprises.


Secondly, the basic software and hardware are controlled by others, and there is a lack of key technologies.


Thirdly, the independence is not obvious, and there is a lack of targeted support policies.


Fourthly, the security investment is low and the market potential needs to be stimulated.


Fifthly, there is a large talent gap and structural imbalance between supply and demand.


In addition, attention must be paid to the problems in the structure of China's network security industry. China's network security market started late, and its security service market is still in the embryonic stage. Network security services are an inevitable trend of the industry and have become the major field that global network security vendors watch closely, while users in the China market still mainly demand security hardware products.


Relying on network security equipment alone is not enough; network security protection also requires defining goals and expectations through systematic security planning. Based on actual protection needs, all kinds of security resources are integrated, including security products, security services, threat intelligence and security data, and activities such as centralized security situation awareness, security management, command and scheduling, emergency response and security monitoring are carried out regularly. The Security Operation Center (SOC) is the ideal state in which this can be realized at the technical level. By establishing a unified SOC and relying on continuous monitoring, detection, evaluation, rectification and scheduling, it forms closed-loop management of network security operation and improves the ability to manage network security risk. Therefore, more and more traditional security vendors and cloud service providers are beginning to lay out SOC strategies.


Development Trend of Security Operation Center


A Gartner report shows that in 2019 the industry once again focused on the implementation or maturity of the SOC, with an emphasis on threat detection and response. With the increasing complexity and impact of network security attacks, and the growing complexity of security tools that generate large volumes of alerts, enterprises hope to establish or reactivate a SOC, or to outsource this function. By 2022, 50% of SOCs will be transformed into modern SOCs with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10% in 2015.


Enterprises are investing in more sensitive tools and focusing on maintaining a balance between response and detection or prevention. As the number of complex alerts and tools increases, so does the need for operational centralization and optimization, which means that the SOC is now a business asset.


The 2019 China Network Security Industry Analysis Report shows that mainstream Chinese security vendors are also actively laying out SOC strategies at present. Most vendors' SOC solutions are built around a network security threat intelligence platform, a security operation detection platform, a situation awareness platform and a security event automatic orchestration platform, plus security services, and focus on platform construction and equipment delivery. A small number of vendors are promoting the construction of city-level SOCs, focusing on the delivery of security governance capability or independent security operation capability.


Network Security Protection Concept of Security Operation Center


The SOC should not only emphasize technology and the combination of products and tools; it should also be a long-term security risk management solution that takes security compliance as the premise, business risk management as the core, "security event management" as the guidance, "security risk solution" as the demand, and "network security guarantee" as the goal.


In terms of network security governance, we believe that the SOC should include the following contents:


★ Research deep security attack and defense to realize the transformation of network security from passive protection to active protection


Traditional network security governance is carried out in a "fire-fighting" manner, which is too passive and has no mechanism for actively exploring security threats and risks. Security operation therefore needs to resolve the passive situation of traditional network security risk governance: research on security attack and defense should be carried out, network security protection should be viewed from the attacker's perspective, and passive security defense should be turned into active security protection.


★ Achieve accurate and rapid response to security incidents and improve network security protection capability through linkage and coordination of multiple SOCs


Traditional network security protection is carried out only with the internal security operation resources of the enterprise or organization, lacking a multi-center linkage mechanism and unable to respond quickly to complex and changeable network security attacks. With the technical strength and experience of an external professional team, this problem can be solved.


★ Deal with traditional security threats and inefficient disposal with a refined, professional security personnel system


As the network environment of security operation is complex and includes various types of equipment and systems, network security operation needs to be divided according to the specialty of the operation environment, so as to provide professional and refined incident response and handling capabilities.


★ With the concept of security operation ecosystem integration, collect and analyze massive, accurate and high-frequency threat intelligence, and improve the ability to predict security threats


The SOC needs to integrate multi-party security threat intelligence, establish a massive threat intelligence database, analyze the network security risks and threats in the operation environment accurately with big data technology, and provide the security situation prediction ability for the operation environment.


In terms of professional personnel training and research on new security technology, the SOC, together with universities and enterprises, has established a security research laboratory to explore and study network security response measures in the new technology environment, so as to cope with the new security challenges brought by new technology and the shortage of professional security talent.


Based on its project experience in the past two years, Venustech SOC has summarized the core elements of building a security operation system: a realizable security operation policy (POLICY), complete security operation tools (PRODUCT), standard security operation processes (PROCESS), a closed-loop security operation platform (PLATFORM) and a professional security operation team (PROFESSIONAL), together called the "5P". Through the organic combination of the 5P, Venustech uses security operation management policy to drive the implementation of technology, which in turn improves the policy, and provides enterprise users with comprehensive network security governance capability.


As a leading enterprise in the network security industry, Venustech has always been at the forefront of security construction in smart cities, constantly exploring new solutions for network security construction, putting forward the concept of "independent third-party operation" and establishing SOCs. To date, it has carried out security operation business in more than 30 Chinese provinces and cities. In the future, Venustech will continue to build smart city SOCs and inject strong network security protection capabilities into the healthy operation of smart cities.