

How to do security operations well as an individual

Posted by chiappelli at 2020-02-27

0x00 Preface

At the end of the year I took a holiday and went to the Arctic Circle to get some cold air, hoping I might be lucky enough to see the high-end version of "light pollution" (the aurora). People can take a holiday, but I can't stop thinking about security.

I'm not sure what the most popular term in the security circle was last year, but apart from ATT&CK (which some people may only know as a slightly higher-end brand name) it has to be security operations. In 2019 every security conference opened a separate forum or track for it. Some think that when the security demand side and the security service provider talk about security operations it just means "opening up a new market" (I'll try to avoid the Party A / Party B framing here and call them the security demand side and the security service provider, which sounds a bit grander), but there are many signs that security operations has indeed reached the point where it has to be discussed. The main reason is that the domestic security industry is still in a construction period driven by government regulators, security service providers, and the various laws and regulations. In practice everyone builds roughly the same thing: small and medium enterprises buy products, large enterprises build their own, and super-large enterprises set the benchmark. The security market needs new growth points.

For security service providers, each has its own boxed appliance, so services have become the key revenue point, and a good provider will turn the rich cases it learns from the service side into a product or a feature. But the reality on the customer side is that there is often no equipment in use, only people, and the primary goal is to satisfy national regulatory requirements. As long as those requirements are met, many customers balk as soon as they see the cost. The security service provider can't think that way: if customers walk away at the sight of the cost, where does the money come from? So providers combine a few foreign security bellwethers to "screen" the "needs" of customers, then concentrate their effort there in exchange for new growth points.

For customers, security construction is almost done. If next year's work plan is written as more construction and reported to the TC (technical committee) or the technology leaders' meeting, the top technology head will ask: by your own description it's almost finished, so what is left to build? And once construction is complete, security is basically finished (after all, internet services can be offered externally once they meet the corresponding national security and compliance standards for internet access), so can the security team be cut? That would save budget and reduce headcount. So the security directors of each company have started looking for new points of contact with the business to prove security's value to the business. In this process, basic security is treated as a baseline that proves "our security is OK"; everyone knows how the other departments see it. At this point one side needs to talk about operations and the other side needs to talk about operations, so let's talk about operations together. All of the above is my guess; if it happens to match reality, I'll take it as a compliment.

Today I don't want to talk about how to do security operations at the macro level; my boss would be far more qualified for that and my level isn't there. I can only talk about how to do my own job well as an ordinary security operations engineer on the demand side. What follows is my subjective view and may not be correct.

0x01 Security services and security operations

Back to the main point. If this subtitle were rephrased, it would become a question many new security practitioners ask: what is the difference between a Party A security engineer (in-house, on the demand side) and a Party B security engineer (at a vendor or service provider)? From my own short working experience, a Party A security operations engineer and a Party B security service engineer differ in two ways:

Different assessment methods: a Party A security operations engineer is assessed on output. What counts as output differs from post to post, and I'll explain it in detail later. For a Party B engineer, one core assessment indicator is customer satisfaction. That is easy to say when the customer is happy, and converted into hard indicators it becomes customer satisfaction rate (a positive indicator) and customer complaint rate (a negative indicator). But because most Party B security service engineers are only thought of when an incident happens, this kind of long-term assessment indicator often does not apply.

Different ways of realizing value: for both the security service provider and the security demand side, everything an engineer does comes down to realizing value (even if nobody says so, I quite agree with it), because delivering the right value is the precondition for the employment relationship; in other words, if you can't deliver the value the employer requires, there is no employment relationship. The value of a Party A security operations engineer lies mainly in solving all the security problems that arise while the business operates. A Party B security service engineer has more ways to realize value, such as raising the company's visibility, solving a certain class of problem for customers, opening up channels with customers, and so on, depending on the specific position.

On this topic I sometimes can't help recalling a few jokes: Party A knows nothing about security or technology, Party B just shows up to work and they are all human scanners, and so on. There are plenty of armchair comments like that online, but as insiders let's first ask whether they are actually right.

Is technology necessary in the security industry? Judging from the people around me and their actual work, strong technical skill does not necessarily mean doing security well. Some will argue: look how powerful XXXX is, digging out so many impressive exploit chains against VMware virtualization; could someone with weak technique find that many holes? But from Party A's security perspective the result is: ignore it, we can't afford VMware, the exploit chain goes through VMware's proprietary protocol, and the open-source stack we run isn't affected. Split this into the two points above. The security service provider may truly believe this exploit chain is powerful, and it certainly is. But from the Party A security operations perspective we don't even have the asset, so there is nothing to say about whether it's powerful; even if it is, it has nothing to do with us, and at most it's something to like in a friend's Moments. In Party A's view, most of the work may be fixing very low-level vulnerabilities, repeatedly. The fix really is "upgrade or disable the component", as in every XX vulnerability notice, but in practice not everything lets you simply upgrade or disable it. In terms of the assessment methods above, the convergence of the vulnerability trend and keeping new risks under control are what give a sense of achievement; as for digging out an exploit chain, that may be valuable in its own right.

Security service engineers are human scanners: no. First, the value of security services rests on the balance between capital budget and service SLA for small and medium-sized enterprises, which believe that purchasing security services is a relatively cost-effective and efficient approach. So security services essentially exist to solve the enterprise's real security problems, and that is valuable; the value is precisely in helping the enterprise solve those problems. Simply calling them "human scanners" is a bit unfair and not objective.

0x02 How to be a good security operations engineer

I may not have done the following well myself, but I can offer it as a reference; it may not be right.

A. Benchmarking awareness: as the name implies, benchmarking means finding the benchmark and learning how it does things. The difficulty lies in finding the right benchmark and breaking down how it implements things. For example, when we think about how to do open-source component vulnerability management, the first thing to do is not to immediately propose a solution that can run end to end (feasible, but not necessarily efficient, though I still fall into this now), but to understand how peers do it and how companies of the same size do it: what do Google, Amazon and Microsoft do? Benchmarking thinking can answer the following questions:

(1) Where does our current security capability stand among companies at the same level?

(2) How far are we from our domestic counterparts, and how do they do it?

(3) How far are we from world-class peers, and what of theirs can be reused?

The first question helps us understand our current situation and the goal we expect to reach. The second and third help us understand the industry's best-practice models and operating modes, so we can grasp the direction of future construction and gradually adopt them as the company grows. But don't follow the book blindly: Google, for example, customizes its OS and chips for security, the learning cost is too high, and you should be prepared that you won't be able to adopt security at that level.

B. OKR thinking: now that we know what we need to do, we need to break the big goal into several small, quantifiable goals based on the research above. Honestly, this part is genuinely a bit difficult. A large part of the reason is that many security operations engineers today have transitioned from security service engineers, and the case-by-case working mode leaves them without an understanding of long-term assessment. To be blunt: previously, once this customer's problem was solved you moved on to the next, and then the next. Now you are responsible for the solution itself; a case is never simply "done". Long-term operations require comparative data to evaluate your performance. When breaking down goals you will often be challenged by the boss: why use this indicator to measure your performance? If it isn't good enough, what is the problem? Would someone else doing this work pick the same indicator? This comes back to the earlier problem, value realization. The boss may not understand the specific implementation of this area; of course he doesn't need to, because you are the expert. All he needs to do is judge whether the indicators you propose really prove the quality of your work, on the premise that they satisfy the company's security plan. You meet this routine not only in daily work planning but also in promotion defenses: say the reviewer at your promotion defense specializes in databases while your daily work is security operations; if he doesn't understand your technology and doesn't accept what you say, isn't that unfair? (This is a very difficult process.)

C. Data driven:

The sentence bosses most like to throw at you: why is there no data? Because of the earlier case-by-case mode of work, accumulating data is often the hardest part. The hardest point is not where the data is, but choosing the key indicators and producing the trend. Choosing the right indicators is both easy and hard: it's easy to say, but accumulating and quantifying the data is the hard part. A simple visual listing of the data is not the end: you have to be able to explain every fluctuation, and you have to do all the work behind the big trend that produced the fluctuation. Only then, once the boss accepts the indicators you have listed, can he judge whether you are doing a good job.
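As an added example of the "data driven" point (this is not code from the original post), the script below turns a vulnerability-ticket export into the kind of indicators the text talks about: opened/closed/backlog per week, mean time to remediate, an overall closure rate as a convergence signal, and a per-source breakdown of any week whose intake spiked, so that the fluctuation can be explained rather than just plotted. The ticket records and the column layout (opened, closed, severity, source) are constructed assumptions about what such an export contains.

```python
"""Trend indicators from a vulnerability-ticket export.

Added example; the tickets below are constructed, and the column layout
(id, opened, closed, severity, source) is an assumption about the export.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: (id, opened, closed or None if still open, severity, source)
TICKETS = [
    ("V-1",  "2020-01-06", "2020-01-10", "high",     "scanner"),
    ("V-2",  "2020-01-07", "2020-01-20", "medium",   "scanner"),
    ("V-3",  "2020-01-13", None,         "high",     "pentest"),
    ("V-4",  "2020-01-14", "2020-01-15", "low",      "scanner"),
    ("V-5",  "2020-01-20", "2020-01-24", "critical", "sdk-advisory"),
    ("V-6",  "2020-01-20", "2020-01-22", "high",     "sdk-advisory"),
    ("V-7",  "2020-01-21", "2020-01-23", "high",     "sdk-advisory"),
    ("V-8",  "2020-01-21", None,         "medium",   "sdk-advisory"),
    ("V-9",  "2020-01-22", "2020-02-03", "high",     "sdk-advisory"),
    ("V-10", "2020-01-27", "2020-01-30", "low",      "scanner"),
    ("V-11", "2020-02-03", None,         "medium",   "pentest"),
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def week_of(d):
    """Monday of the ISO week containing d; used as the reporting bucket."""
    return d - timedelta(days=d.weekday())


def weekly_series(tickets=TICKETS):
    """Opened, closed and end-of-week backlog for every week in the window,
    including weeks with no events, so the backlog line has no gaps."""
    opened, closed = Counter(), Counter()
    for _, o, c, _, _ in tickets:
        opened[week_of(_day(o))] += 1
        if c is not None:
            closed[week_of(_day(c))] += 1
    weeks = set(opened) | set(closed)
    series, backlog, w = [], 0, min(weeks)
    while w <= max(weeks):
        backlog += opened[w] - closed[w]
        series.append({"week": w.isoformat(), "opened": opened[w],
                       "closed": closed[w], "backlog": backlog})
        w += timedelta(days=7)
    return series


def mttr_days(tickets=TICKETS, severity=None):
    """Mean time to remediate in days over closed tickets, optionally per severity."""
    ages = [(_day(c) - _day(o)).days for _, o, c, sev, _ in tickets
            if c is not None and (severity is None or sev == severity)]
    return mean(ages) if ages else None


def closure_rate(tickets=TICKETS):
    """Closed / opened over the whole window; below 1.0 the backlog is growing."""
    done = sum(1 for t in tickets if t[2] is not None)
    return done / len(tickets) if tickets else None


def explain_spikes(tickets=TICKETS, ratio=2.0):
    """Weeks whose intake rose by `ratio` over the prior week, with a per-source
    breakdown: the part of the trend you are expected to be able to explain."""
    series = weekly_series(tickets)
    spikes = []
    for prev, cur in zip(series, series[1:]):
        if prev["opened"] and cur["opened"] >= ratio * prev["opened"]:
            by_source = Counter(src for _, o, _, _, src in tickets
                                if week_of(_day(o)).isoformat() == cur["week"])
            spikes.append({"week": cur["week"], "opened": cur["opened"],
                           "previous": prev["opened"], "by_source": dict(by_source)})
    return spikes


if __name__ == "__main__":
    for row in weekly_series():
        print(row)
    print("MTTR all: %.2f days, high: %.2f days" % (mttr_days(), mttr_days(severity="high")))
    print("closure rate: %.2f" % closure_rate())
    for s in explain_spikes():
        print("spike:", s)
```

In the constructed data the week of 2020-01-20 more than doubles intake, and the breakdown shows every new ticket came from one SDK advisory; that is the sentence you want ready before the boss asks about the bump on the chart. Weekly buckets and a 2x threshold are arbitrary choices here; pick the bucket and threshold that match how often your own tickets actually move.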

D. Think ahead:

In effect this part means reading the boss's mind. For example, the boss asks you to collect all malicious-package intelligence for the PyPI source to feed intrusion detection. You could solve that by clicking around on a platform or writing a one-off script, but that isn't the boss's intention. Do we only have a PyPI source? Are the other sources fine? How many sources do we have in total? Where does the upstream data of these sources come from? Is there a security audit mechanism for the upstream data? Can that audit mechanism catch malicious-package poisoning? And so on. After a series of scenario assumptions and repeated questioning, we eventually find that what the boss actually wants is for you to solve the problem of supply-chain poisoning, not simply to run a script once. Even once that is done: how do you control the increment? How do you operate it? Which indicators tell us whether the threat is converging? Through repeated questioning we find that the nature of things is not as simple as we thought, and we gradually uncover new risk points.
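To make "control the increment" concrete, here is an added example (not code from the original post) of one small piece of that larger problem: auditing the names on an internal package mirror against a known-bad list, against the popular packages they might be typosquatting, and against the previous snapshot so that only new, unreviewed names are surfaced each run. The popular-package list, the known-bad list and both mirror snapshots are constructed for the example; the name normalization is the PEP 503 rule that real indexes apply.

```python
"""Audit a package-index snapshot for poisoned or typosquatted names.

Added example; the index snapshots, the popular-package list and the
known-bad list are all constructed, not real threat intelligence.
"""
import re

# Abridged, constructed stand-in for a "most-downloaded packages" list.
POPULAR = {"requests", "urllib3", "numpy", "django", "flask", "boto3"}
# Constructed blocklist standing in for intel on packages removed as malicious.
KNOWN_BAD = {"evil-miner-example"}

# Constructed snapshots of the names visible on an internal mirror.
PREVIOUS = ["requests", "urllib3", "numpy", "django", "flask", "boto3", "internal-tool"]
CURRENT = PREVIOUS + ["requets", "urlib3", "nump", "evil-miner-example", "another-new-lib"]


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance; a small distance from a popular name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name, popular=POPULAR):
    """Closest popular name if `name` is one edit away (two for long names), else None."""
    n = normalize(name)
    if n in popular:
        return None
    best, best_d = None, None
    for p in popular:
        d = levenshtein(n, p)
        if best_d is None or d < best_d:
            best, best_d = p, d
    limit = 2 if best is not None and len(best) >= 8 else 1
    return best if best_d is not None and best_d <= limit else None


def audit(current=CURRENT, previous=PREVIOUS, known_bad=KNOWN_BAD, popular=POPULAR):
    """Return (name, verdict) for every current name that needs a look.

    Verdict priority: known-malicious > typosquat > new-since-last-snapshot.
    Names present in the previous snapshot that match nothing are assumed to
    have been reviewed then, so only the increment is surfaced each run."""
    seen_before = {normalize(p) for p in previous}
    findings = []
    for name in current:
        n = normalize(name)
        if n in known_bad:
            findings.append((name, "known-malicious"))
            continue
        target = typosquat_target(name, popular)
        if target:
            findings.append((name, "typosquat of " + target))
        elif n not in seen_before:
            findings.append((name, "new-since-last-snapshot"))
    return findings


if __name__ == "__main__":
    for name, verdict in audit():
        print("%-20s %s" % (name, verdict))
```

Edit distance alone is a weak signal (legitimate forks and plugins sit close to the names they extend), so in practice the "new-since-last-snapshot" bucket is where the operational work lives: each run should be small, reviewed, and recorded as the next snapshot, and the size of that bucket over time is one indicator of whether the source is under control.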

E. Product mentality:

Domestic security companies share a very distinctive trait: few of their products can be used without security services. On the one hand, China genuinely lacks professional security product managers to solve interaction and risk-visualization problems (a "big screen" attack map does not actually indicate risk). On the other hand, there is a reason that is not easy to say directly; those with eyes should understand. After all, foreign products are far ahead of domestic ones in usability and functionality, and in fact foreign security services don't sell people directly but rather SOC + products + analysts. From Party A's perspective, the most taboo thing in Party A security is a capability gap: after you leave, the company's capability in this area collapses. So the best way to land a capability is products plus operations. The product's usability directly determines how hard operations are; in fact the quality of security products is an effective indicator of security capability.

0x03 Closing

The content of this article is not aimed at any person or company; it's for entertainment only. If you want to take it as a reference, be careful. For example, if on the service provider side you are the one delivering the product and you directly admit in front of the customer that the product is defective and promise to fix it, some people may think you're crazy, and it may get reported to the big boss that you are bad-mouthing the product.

In fact the current state of the domestic security industry is not much better than the national football team. The national football team's biggest problem is not that the coach isn't big enough; one of the biggest problems is that youth training can't keep up: nobody can play, or nobody wants to. Under the influence of some big-name hackers in the security circle, the new batch of information security majors are determined to go into vulnerability research and security research. But some with strong self-awareness may think they won't make it big, so they switch careers early or join the security service industry. What about security operations? Hello everyone, please give security operations a chance; don't look down on it so much. I'll sum up the current state of the domestic security industry in one sentence (representing only my own view): college students envy the fierce work of a group of big shots who dig holes and penetrate, so they resolutely join the security industry; then they find the gap between themselves and the big shots can't be closed any time soon, so they go into security services; after several years they find the pay is the same as before, so they want to move to Party A; but at the interview they get pressed on quantified data? OKR? Benchmarking? Sorry, never heard of it. And Party A? We want to hire people too..

I may have drunk fake wine in Finland. I can't say when this article will be deleted. Maybe?

Speaking of recruitment, we are hiring big shots now. As long as you're capable, you can give it a try, whether blue team or red team.