I am very happy to have the opportunity to share with you some of our practices and explorations in security at JD Finance. I am Liu Minghao from the JD Finance security team. I am currently responsible for the overall security management of JD Finance, including establishing security processes, responding to security vulnerabilities, vulnerability discovery and mining, and security compliance work. The topic I will talk about today is Zeus, the security defense platform of JD Finance.

The introduction consists of four parts. The first part is about the business security level: the challenges and the current situation we face. The second part is how we ensure the safe operation of the business. The third part is the security defense platform we built for that purpose and how it is used in practice: through small examples from the security incident handling process, you can see how our platform works and what role it plays. The fourth part is the future planning of the security platform and the outlook for its direction.

At present, the main security challenges our business faces come from two aspects. The first kind of risk comes from external attacks such as SQL injection, XSS and CSRF, or from security issues in our own programs. The second kind arises from the characteristics of our business itself and from negligence in the security design of business logic, which leads to business security risks. Therefore, the threats and challenges we currently face are not only the ones we learned about before; more of them are the security risks brought by our business scenarios.

Ensuring safe operation of the business

Based on the risks and challenges we faced, JD Finance built the Zeus security defense platform. In the initial stage of building the Zeus defense platform, we first set a goal and positioning for this platform.
First of all, we focused on solving the overall security risk problem, including the detection and defense of the business security and technical security issues discussed above. Second, we went deep into the important scenarios on all important business platforms to solve the security risks encountered in registration, login, business activities, and business processes. Third, we need to solve the basic external protection problem, such as our protection against CSI or directory scanning, and external probing such as SQL injection. Fourth, we want this to be a platform that stores all business traffic logs and allows them to be queried in real time: we can look up a given user or IP across the entire business traffic, see its access to all of our online businesses during a period, and see its current abnormal operations. The last point is that we hope it can identify and analyze abnormal user behavior in our business from the perspective of the data flow, without embedding into the core logic of our business or reducing the efficiency of the system, and that it can handle online traffic volumes such as those of big promotions. The above is our definition of and goal for this platform.

After continuous development and improvement, we have achieved the following functions. The first is behavior security detection. Our behavior security detection works on two levels. First, we establish a model for abnormal user behavior analysis to judge and analyze a user's abnormal operations or behaviors. Second, we establish a normal-behavior data model for each normal user, capturing that user's normal logins, so that we can judge some of the user's behaviors against it. The second function is Web security detection, which is also built on our full traffic; we use rules there to detect security issues including SQL injection, XSS, CSRF, etc. The third module is the host security detection platform.
We position it as a HIDS, including file integrity checks, malicious file checks, host traffic checks, etc. The fourth is a vulnerability scanning platform. We built it on W3AF, and it covers both emergency response and daily security inspections. After completing the above modules, we further integrated and optimized the entire system.

A brief introduction to the functions of each module of the platform

The behavioral security detection platform consists of four main functions: traffic collection, traffic analysis, data storage, and rapid response. First, traffic collection reassembles and collects all online traffic access requests. We then send the reassembled HTTP requests to a Redis core message queue; the Storm analysis cluster retrieves the access logs from Redis and judges user behavior through the abnormal-user-behavior analysis model. At the same time, the data is stored in Elasticsearch and queried and displayed through Kibana. The second part is the Web security detection platform. It is also built on the full traffic, with Suricata deployed to detect Web security threats, including XSS, SQL injection, CSRF and other related risks. The third function is the host security detection platform. It is deployed on each server through an agent to achieve file integrity and malicious code scanning, as well as login behavior monitoring, construction monitoring, and host traffic monitoring. The fourth platform is a vulnerability scanning platform built on W3AF. It is an active scanning platform that we use to respond to emergencies and to conduct daily security vulnerability inspections.
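The two-level behaviour model (a global abnormal-behaviour rule plus a per-user normal-behaviour baseline) and the collect, queue, analyse, store pipeline described above, as an added example that is not part of the original talk or of JD Finance's Zeus code. It uses an in-memory deque in place of the Redis queue and Storm cluster, a Python list in place of Elasticsearch, and constructed log lines; the log format, rule names and thresholds are assumptions.

```python
"""Two-level user-behaviour detection over HTTP access logs (added example).

Level 1 is a global abnormal-behaviour rule: one IP logging in as many
different users within a short window.  Level 2 is a per-user baseline:
once a user has enough history, a request from an IP, user agent or hour
never seen for that user is reported as a deviation.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample traffic (assumed format: timestamp user ip user_agent path).
SAMPLE_LOG = """\
2016-05-01T08:01:00 alice 10.0.0.5 Chrome /login
2016-05-01T08:02:10 alice 10.0.0.5 Chrome /account
2016-05-02T08:05:00 alice 10.0.0.5 Chrome /login
2016-05-03T08:03:00 alice 10.0.0.5 Chrome /login
2016-05-04T03:12:00 alice 203.0.113.9 curl /login
2016-05-04T03:12:01 bob 203.0.113.9 curl /login
2016-05-04T03:12:02 carol 203.0.113.9 curl /login
2016-05-04T03:12:03 dave 203.0.113.9 curl /login
"""


def parse_line(line):
    """Turn one reassembled request line into an event dict."""
    ts, user, ip, ua, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "ua": ua, "path": path}


class BehaviourAnalyser:
    """Stands in for the Storm analysis stage; thresholds are assumptions."""

    def __init__(self, window_seconds=60, max_users_per_ip=3, min_history=3):
        self.window = window_seconds
        self.max_users_per_ip = max_users_per_ip
        self.min_history = min_history
        self.recent_logins = defaultdict(deque)   # ip -> (ts, user) pairs inside the window
        self.profiles = defaultdict(lambda: {"ips": set(), "uas": set(), "hours": set(), "events": 0})

    def analyse(self, ev):
        alerts = []

        # Level 1: global rule, one source IP authenticating as many different users.
        if ev["path"] == "/login":
            q = self.recent_logins[ev["ip"]]
            q.append((ev["ts"], ev["user"]))
            while (ev["ts"] - q[0][0]).total_seconds() > self.window:
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) > self.max_users_per_ip:
                alerts.append({"rule": "ip_many_users", "ip": ev["ip"], "users": len(distinct)})

        # Level 2: compare the request against this user's own normal-behaviour baseline.
        p = self.profiles[ev["user"]]
        deviations = []
        if p["events"] >= self.min_history:
            if ev["ip"] not in p["ips"]:
                deviations.append("new_ip")
            if ev["ua"] not in p["uas"]:
                deviations.append("new_user_agent")
            if ev["ts"].hour not in p["hours"]:
                deviations.append("unusual_hour")
            if deviations:
                alerts.append({"rule": "user_deviation", "user": ev["user"], "deviations": deviations})

        # Only events that did not deviate extend the baseline, so a flagged
        # session cannot teach the model that its IP or client is "normal".
        if not deviations:
            p["ips"].add(ev["ip"])
            p["uas"].add(ev["ua"])
            p["hours"].add(ev["ts"].hour)
            p["events"] += 1
        return alerts


def run_pipeline(log_text):
    """Collect -> queue -> analyse -> store, with in-memory stand-ins for Redis and Elasticsearch."""
    queue = deque(parse_line(line) for line in log_text.splitlines() if line.strip())
    analyser = BehaviourAnalyser()
    store, all_alerts = [], []
    while queue:
        ev = queue.popleft()
        alerts = analyser.analyse(ev)
        store.append({**ev, "ts": ev["ts"].isoformat(), "alerts": alerts})
        all_alerts.extend(alerts)
    return store, all_alerts


def query_store(store, **match):
    """Look up a user or IP across the stored traffic (the Kibana-style query)."""
    return [r for r in store if all(r.get(k) == v for k, v in match.items())]


if __name__ == "__main__":
    store, alerts = run_pipeline(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print(len(query_store(store, ip="203.0.113.9")), "requests from 203.0.113.9")
```

On the constructed traffic the per-user baseline fires first (alice's fourth day of normal logins is enough history, so the 03:12 request from a new IP and client is a deviation), and the global rule fires when the same IP has logged in as a fourth user inside the window. Note that bob, carol and dave have no history yet, so their first request is silently learned as their baseline; a production deployment would bootstrap profiles from historical traffic before trusting level 2.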
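The file integrity and malicious file checks that the host agent performs, as an added example that is not part of the original talk or of JD Finance's agent. It hashes a constructed directory tree into a baseline, re-checks the tree after constructed changes, and matches file digests against a constructed known-bad set; the finding names and the tree layout are assumptions.

```python
"""File-integrity baseline and known-bad file check for a host agent (added example)."""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, slash-separated) to its digest, mode and size."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": file_digest(full), "mode": st.st_mode & 0o7777, "size": st.st_size}
    return baseline


def check_integrity(root, baseline):
    """Diff the current tree against a saved baseline; returns findings sorted by path."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append({"path": rel, "change": "deleted"})
            continue
        if new["sha256"] != old["sha256"]:
            findings.append({"path": rel, "change": "content_modified"})
        if new["mode"] != old["mode"]:
            findings.append({"path": rel, "change": "mode_changed",
                             "old": oct(old["mode"]), "new": oct(new["mode"])})
    for rel in current:
        if rel not in baseline:
            findings.append({"path": rel, "change": "added"})
    return sorted(findings, key=lambda f: (f["path"], f["change"]))


def scan_known_bad(root, bad_digests):
    """Malicious-file check: report files whose digest is in a known-bad set."""
    return sorted(rel for rel, meta in build_baseline(root).items() if meta["sha256"] in bad_digests)


# Constructed stand-in for a known-bad hash list; the content is a harmless marker string.
BAD_SAMPLE = b"CONSTRUCTED-MALICIOUS-SAMPLE-0001\n"
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, apply constructed changes, and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n")
        write(os.path.join(root, "bin", "app"), b"#!/bin/sh\necho running\n")
        baseline = build_baseline(root)

        # Changes made after the baseline was taken (all constructed for the demo).
        write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/bash\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        write(os.path.join(root, "bin", "dropped"), BAD_SAMPLE)

        return check_integrity(root, baseline), scan_known_bad(root, KNOWN_BAD)


if __name__ == "__main__":
    findings, hits = demo()
    for f in findings:
        print(f)
    print("known-bad files:", hits)
```

In a real agent the baseline would be written once at deployment and kept off the host (or signed), since an intruder who can modify files can also rewrite a baseline stored beside them; the known-bad set would come from the threat intelligence feeds mentioned later in the talk.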
Next is the planning for this platform. First is privacy protection. We will integrate some DLP functions into the Zeus platform in the future; for example, we will pay more attention to personal privacy information and prevent it from being leaked. This is a function we need to improve, and it is currently in progress. The second function is user profiling. We currently do user profiling along two dimensions, the user security profile and the device profile. Later, we will add a credit profile and a human profile to further improve the accuracy of our judgment of user behaviors. After that comes threat intelligence. We are also cooperating with other threat intelligence providers, including third-party providers that give us interfaces, so that we can judge the current daily business behavior and make predictions. Through overall threat intelligence, including security event monitoring, scanning, etc., we will deepen security situation awareness, provide this function to the business, and make security situation predictions for the implementation of subsequent functions.

Finally, our direction. We are currently still focused on vulnerability-centered defense, and are gradually transforming to a threat-centered approach. We are now in the era of big data, and ultimately we still have to drive the goal of business security through data mining.