GB/T 36635-2018 PDF English
Search result: GB/T 36635-2018_English: PDF (GB/T36635-2018)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GB/T 36635-2018 | English | 130 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Information security technology -- Basic requirements and implementation guide of network security monitoring
| Valid |
BUY with any currencies (Euro, JPY, GBP, KRW etc.): GB/T 36635-2018 Related standards: GB/T 36635-2018
PDF Preview: GB/T 36635-2018
GB/T 36635-2018: PDF in English (GBT 36635-2018) GB/T 36635-2018
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Basic requirements
and implementation guide of network security
monitoring
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Abbreviations ... 6
5 Framework of network security monitoring ... 6
5.1 Overview ... 6
5.2 Composition of monitoring ... 7
5.3 Classification of monitoring ... 8
6 Basic requirements for network security monitoring ... 9
6.1 Interface connection ... 9
6.2 Collection ... 9
6.3 Storage ... 10
6.4 Analysis ... 10
6.5 Display and alarm ... 11
6.6 Protection of self-security ... 12
7 Guide for implementation of network security monitoring ... 12
7.1 Interface connection ... 12
7.2 Collection ... 13
7.3 Storage ... 13
7.4 Analysis ... 14
7.5 Display and alarm ... 15
Information security technology - Basic requirements
and implementation guide of network security
monitoring
1 Scope
This standard specifies the basic requirements for network security monitoring,
provides a framework for network security monitoring framework and
implementation guide.
This standard applies to the implementation of system or network security
monitoring, the design-development of network security monitoring products,
the provision of network security monitoring services.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GB/Z 20986-2007 Information security technology - Guidelines for the
category and classification of information security incidents
GB/T 25069-2010 Information security technology - Glossary
GB/T 28458-2012 Information security technology - Vulnerability
identification and description specification
GB/T 31509-2015 Information security technology - Guide of implementation
for information security risk assessment
3 Terms and definitions
The terms and definitions as defined in GB/T 28458-2012 and GB/T 25069-
2010 as well as the following terms and definitions apply to this document.
3.1
Network security monitoring
A set of rules, guidelines, practices for managing the security, protecting,
distributing assets (including sensitive information) within an organization
and its system’s intrinsic security, especially those that have an impact on
system security and related elements.
[GB/T 25069-2010, definition 2.3.2]
4 Abbreviations
The following abbreviations apply to this document.
FTP: File Transfer Protocol
JDBC: Java Database Connectivity
ODBC: Open Database Connectivity
PCAP: Process Characterization Analysis Package
SFTP: Secure File Transfer Protocol
SNMP: Simple Network Management Protocol
SYSLOG: System Log
TELNET: Teletype Network
WMI: Windows Management Instrumentation
XML: Extensible Markup Language
5 Framework of network security monitoring
5.1 Overview
The framework of network security monitoring is as shown in Figure 1. Through
the basic environment of the network or system, use a certain interface mode
to collect the relevant data such as logs, to carry out correlated analysis and
identification of the security incidents and threat risks, perform visualized
display and alarming, store the data generated, to grasp the overall network
security posture.
analysis. The collected data mainly includes stream data and packet data,
log data and performance data, threat data, strategy data and
configuration data, etc.;
c) Storage: Store, by types, the data in the process of network security
monitoring. The data types include structured, unstructured or semi-
structured;
d) Analysis: Process the collected or stored data according to certain rules
or models, discover security incidents, identify security risks. The analysis
content mainly includes analysis of information security incidents,
operational state analysis, threat analysis, strategy and configuration
analysis, etc.
e) Display and alarm: Visualize the results of the analysis in real time and
issue alarms according to important levels.
5.3 Classification of monitoring
According to different monitoring objectives, network security monitoring is
divided into the following four categories:
a) Monitoring of information security incident: For the incidents that may
damage or is damaging the normal operation of the monitoring object or
causing the loss of information security, according to the classification and
grading requirements of information security incidents, carry out analysis
and identification;
b) Monitoring of operation status: Carry out real-time monitoring of the
monitoring object's operating status, including network traffic, availability
status information of various equipment and system, etc., to judge the
information security state of the monitoring object from the operational
status;
c) Threat monitoring: Carry out assessment and analysis of the security
threats of the monitored objects; discover the information security risks
faced by the assets;
d) Monitoring of strategy and configuration: Check and analyze according to
the established security policy of the monitoring object and the
configuration information of the relevant equipment or system; evaluate
its security.
f) Collection of configuration data shall support the acquisition from the
operation configuration parameters of the monitoring object. The
configuration file as exported from the device or system shall be such as
able to be parsed into data of standard format.
6.3 Storage
The storage of network security monitoring data shall:
a) Carry out storage, in a classified and distributed manner, for different types
of heterogeneous data (such as standard format logs, metadata, PCAP
files, etc.);
b) Pre-process the stored data, including formatting processing,
supplementing context information, abnormal data clearing, etc.;
c) Set the retention period of monitoring data;
d) Adopt an encryption mechanism to ensure the confidentiality of important
monitoring data;
e) Adopt a verification mechanism to ensure the integrity of important
monitoring data;
f) Have backup and recovery capabilities;
g) Set access rights, authorize the use of monitoring data, audit the storage
access behavior. The audit log is kept for not less than 6 months;
h) Support distributed storage and original format data storage;
i) The source data is stored for at least 6 months. It shall set the storage
period for the analysis data, display and alarm data according to the
business needs;
j) Keep up with the unified standard time source.
6.4 Analysis
The analysis of network security monitoring shall include analysis of information
security event, analysis of operation status, threat analysis, analysis of strategy
and configuration. Each type of analysis shall satisfy:
a) Analysis of information security incident shall support:
1) Identify and verify the behaviors which damage to the monitored object
e) The alarm is graded according to the requirements of 5.2 of GB/Z 20986-
2007.
6.6 Protection of self-security
The protection of self-security of network security monitoring shall comply with
the following requirements:
a) Encrypted storage of important data;
b) It has the password strength policy, automatic verification of password
strength, user login timeout exit mechanism;
c) Monitor its own operation status and support alarms on status abnormality;
d) Monitor sensitive data operation logs and perform log audits on a regular
basis;
e) Back up important system information and data to support rapid system
recovery;
f) Support automatic synchronization of standard time. It is synchronized at
least once a day.
7 Guide for implementation of network security
monitoring
7.1 Interface connection
According to the monitoring target and the monitoring object, select the
applicable monitoring interface and evaluate the availability of the interface.
According to the determined interface type, configure the interface parameters.
Use the interface to connect the monitoring object and the collection
environment. The specific implementation of the interface connection includes:
a) Use such methods as Netflow protocol and interface, network sniffing
mode, to collect stream data and packet data;
b) Use such methods as an SNMP protocol interface, a SYSLOG protocol
interface, or a proxy component, to collect log data and performance data;
c) Use the file interface to collect the threat data;
d) Use an SNMP protocol interface, a database access interface, or an offline
b) Provide data storage and access interfaces in the form of documents to
satisfy the storage of unstructured data, such as files, pictures, videos, to
support fast retrieval;
c) Use distributed data processing technology to convert semi-structured
data into structured data, to provide data storage and access interfaces
for upper-layer applications, establish fast indexes to improve query
performance;
d) Design a system information database to store supporting data for the
operation of the network security monitoring environment itself, such as
application data including user information, authority control information,
system logs, system configuration;
e) Design a meta-database to store data describing source data, data of
analysis result, data of presentation and alarm;
f) Design the original database, to store all the collected raw monitoring data;
g) Design a subject database, to store various analysis, display and alarm
data which are classified according to the purpose of monitoring. The
subject database may be divided into sub-database as needed;
h) Design an asset information base, to store information about all collected
objects and software-hardware of network security monitoring
environment, such as asset name, type, IP, operating system, usage,
business system belonged, engineering, department, security domain,
asset supplier, confidentiality value, integrity value, availability value,
asset registration time, and other basic attributes. For different types of
information assets, it may record the specific security attributes;
i) Design an operation-maintenance service database, to store related data
entities such as work order management, duty management, knowledge
base;
j) Design statistical report library, to store comprehensive reports such as
asset-type report, vulnerability-type report, risk-type report, alarm-type
report, daily report, weekly report, monthly report, annual report.
7.4 Analysis
According to the business analysis requirements of the monitoring objects,
define the purpose of the analysis, select appropriate data analysis tools and
methods, carry out data processing, send the analysis results the display and
alarm. The specific implementation of the analysis includes:
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|