Analysis of enterprise security management platform under big data

1. Introduction

Currently, the field of computer network and information security is facing a new challenge. On the one hand, with the advent of the era of big data and cloud computing, security issues are becoming a big data issue. Networks and information systems of enterprises and organizations are generating large amounts of security data every day, and the speed of generation is getting faster and faster. On the other hand, the cyberspace security situation faced by countries, enterprises and organizations is severe, and the attacks and threats that need to be dealt with are becoming increasingly complex. These threats are characterized by strong concealment, long incubation period, and strong persistence.

Faced with these new challenges, the limitations of traditional enterprise security management platforms are fully exposed, mainly reflected in the following aspects:

1. Processing of massive data

Enterprise security management platform management involves various security devices, network equipment, application systems, etc. in the enterprise network. A large number of security events and operation logs and other security data are generated every day, and the amount of data may be very huge. Faced with massive amounts of security data, it is difficult for security managers to find valuable information; on the other hand, when faced with massive amounts of data, the traditional enterprise security management platform technical architecture also encounters difficulties in data collection, storage, analysis, processing, and presentation. Different bottlenecks.

2. Multi-source heterogeneous data collection

Various security equipment, network equipment, application systems, etc. in the enterprise network may involve different types and manufacturers. Due to the product differences of each equipment, the security data faced by the enterprise security management platform is different in structure and format. Unification brings difficulties to data analysis. This problem reduces the data collection efficiency of the enterprise security management platform, resulting in performance bottlenecks.

3. Security data is dispersed and isolated

Various security equipment, network equipment, application systems, etc. in the enterprise network will be scattered in different locations on the network. If there is a lack of effective correlation between the various data, it will lead to the isolation of security information, forming an information island, making it impossible to analyze A large amount of data is analyzed holistically. At present, attack behaviors in the network are generally segmented attacks. Each step may be monitored and discovered by different security devices and exist in different logs. If only the security logs of individual devices are analyzed, it will be difficult to detect complete attack behaviors. In order to improve the accuracy of security data analysis, it is necessary to find the correlation between multiple alarms through event correlation analysis based on big data, and to discover potential threatening behaviors or attack behaviors.

4. Lack of deep mining methods

New attack methods are emerging in an endless stream in the current network environment. Different from traditional attack methods, new attack methods are more concealed and more difficult to detect using traditional detection methods, such as APT attacks. Faced with the long-term, covert and advanced nature of new attack methods, traditional monitoring technology based on real-time analysis is no longer suitable. In order to prevent the harm caused by new attack methods, it is necessary to conduct in-depth offline mining of historical security data. Clues of new attack behaviors can be found in a large amount of historical data to prevent problems before they occur.

The above problems can be summarized in one sentence, that is, massive, multi-source heterogeneous, dispersed and independent security data has brought many problems in analysis, storage and retrieval to traditional enterprise security management platforms. From this point of view, the new generation of enterprise security management platform should be supported by the big data platform architecture, support the collection, fusion, storage, retrieval, analysis, situational awareness and visualization of extremely large amounts of data, and integrate and correlate the previously dispersed security information. , independent analysis methods and tools are integrated to form interactions to achieve intelligent security analysis and decision-making, apply machine learning, data mining and other technologies to security analysis, and make faster and better security decisions. The development of big data has brought new challenges to enterprise security management platforms, but the big data technology it has spawned has also brought opportunities and new vitality to enterprise security management platforms.

2. What is big data?

The popular definition of big data is "a collection of large amounts of data that is difficult to manage with existing general technologies". It is broadly defined as "a comprehensive concept that includes 4V (mass/variety/fast/value, Volume/ Variety/Velocity/Value) characteristics that make it difficult to manage data, the technology to store, process, and analyze these data, as well as the talents and organizations that can obtain practical meaning and perspectives by analyzing these data.”

Big data has four important characteristics (i.e. 4V characteristics): Volume, Variety, Velocity, and Value.

• Volume refers to the amount of data that is so large that it cannot be effectively processed and analyzed by current mainstream software tools, so it is necessary to change the traditional data processing and analysis methods.
• Variety refers to the wide range of data sources and various forms, including structured data and unstructured data. The growth rate of unstructured data is faster than that of structured data, and it has considerable utilization value. Analysis can reveal important information that was previously difficult or impossible to determine.
• Velocity means that compared with traditional data processing systems, big data analysis systems have higher requirements for real-time performance and need to complete calculations in a short time, otherwise the results will be outdated and invalid.
• Value means that big data is valuable, but among the massive data, only a small part is truly valuable and meaningful.

3. Application of big data in information security

The application of big data in information security mainly shows that the explosive growth of data has brought challenges to the current information security technology. Traditional information security technology is no longer suitable when facing extremely large amounts of data. It needs to be based on big data. Characteristics of data environments develop next-generation security technologies. Current popular security practices rely primarily on perimeter defenses and static security controls that require predetermined knowledge of cyber threats. But this security practice is no longer appropriate for dealing with today's extremely extended, cloud-based, and highly mobile business world. Based on this background, the industry has begun to shift the focus of information security research to an intelligence-driven information security model, which is a risk-aware, context-based, flexible model that can help enterprises defend against unknown advanced network threats. This intelligence-driven approach to information security, powered by big data analytics tools, can incorporate dynamic risk assessment, analysis of massive security data, adaptive controls, and information sharing about cyber threats and attack techniques. Secondly, the concept of big data can be utilized in information security technology. For example, through big data analysis, massive amounts of network security data can be quickly and effectively analyzed to find information related to network security. It can be predicted that integrating big data into security practices will greatly enhance the visibility of the IT environment and improve the ability to identify normal activities and suspicious activities, thereby helping to ensure the trustworthiness of IT systems and greatly improving security incident response. ability.

4. Big data security analysis

Big data security analysis, as the name suggests, refers to the use of big data technology to conduct security analysis. With the help of big data security analysis technology, we can better solve the problem of collecting and storing massive security data. With the help of machine learning and data mining algorithms based on big data analysis technology, we can gain a more intelligent insight into the situation of information and network security, and more intelligently understand the situation of information and network security. Actively and flexibly respond to new and complex threats and unknown and changing risks.

In the field of network security, big data security analysis is the core technology of security event analysis on enterprise security management platforms, and the effect of big data security analysis on security data processing mainly depends on the analysis method. But when applied to the field of network security, the characteristics of the security data itself and the goals of security analysis must also be taken into consideration, so that the application of big data security analysis will be more valuable.

5. Application of big data analysis on enterprise security management platform

The mainstream technical architecture currently used in big data analysis is Hadoop, and the industry is paying more and more attention to its role in big data analysis. Hadoop's HDFS technology and HBase technology exactly match the ultra-large capacity storage requirements of big data, and Hadoop's MapReduce technology can also meet the needs of fast real-time analysis of big data.

Based on the challenges and limitations faced by the traditional enterprise security management platform introduced earlier, Hadoop technology can be applied to the enterprise security management platform and developed into a new generation of enterprise security management platform to support extremely large amounts of data. Collection, fusion, storage, retrieval, analysis, situational awareness and visualization functions.

The new generation of enterprise security management platform using Hadoop architecture has the following characteristics:

• Scalability: Supports dynamic addition and deletion of system nodes, and the cluster construction method is flexible and controllable.
• Efficiency: A distributed file system is used to store data, supporting fast reading/writing and query operations of massive data; distributed computing is used for data analysis and business operations. Each business node calculates independently and does not interfere with each other. The more nodes there are, the more The faster the multi-operation.
• Reliability: System automatic disaster recovery (HA); adopts master-slave mechanism (Master-Slave) for cluster construction. Data between nodes in the system backs up each other in real time. When a node goes down, it switches directly to the backup node and computing unit. In the event of an outage, it can be directly switched to the backup computing node.
• Low cost: The hardware requirements for each node device in the system are not high, and Java technology development can be cross-platform, and the relevant technology is open source.

In short, compared with traditional architecture enterprise security management platforms, the next generation enterprise security management platform using Hadoop can greatly improve the computing speed of data analysis, reduce computing costs, improve data security, and flexibly provide users with various analyses. Engine and analysis tools.

6. Summary

In summary, it can be seen that the big data analysis framework and big data security analysis technology can well solve the security data collection, analysis, storage and retrieval problems of traditional enterprise security management platforms. In the long run, the future enterprise security management platform should also improve the functions of the enterprise security management platform through research on new technologies such as machine learning, data mining algorithms, visual analysis and intelligent analysis based on big data analysis technology, so that it can It can analyze the network security situation more intelligently, so as to respond more proactively and flexibly to new and complex threats and unknown and changing risks. However, no matter how the technology of enterprise security management platforms develops and how it is integrated with big data, the fundamental customer problems that enterprise security management platforms need to solve and the trend of integrating with customer businesses remain unchanged. The application of big data must still serve the fundamental goal of solving customers' actual security management problems.

The above is the detailed content of Analysis of enterprise security management platform under big data. For more information, please follow other related articles on the PHP Chinese website!