Case sharing | Application and construction of Ruishu dynamic security hyper-convergence platform in the financial industry

Financial digitalization is accelerating. To make access easier and acquire customers quickly, banks provide a variety of access channels, including mobile banking app access, Web access, H5 access, WeChat access, mini-program access and API access. As traffic grows, the Web exposure risk and the risk management chain introduced by API business have both expanded. Attacks that exploit Web application vulnerabilities are increasing day by day, and the impact of human-mimicking automated attacks, API business attacks, and 0day attacks on digital financial business is also growing rapidly, while the means of attack are becoming more and more diversified.

The main goal of Ruishu Dynamic Security Hyper-convergence Platform is to respond to the threats faced by Web business, App application and API application delivery in hybrid architecture, improve the ability to quickly deploy business, respond to unknown threats, distinguish and protect automation and human traffic, fight against business attacks from APIs, ensure interface security, and build and implement an integrated protection system for application security.

1. Project Introduction

Through dynamic technology, unified protection is achieved for mobile banking apps, Web sites, H5 pages, WeChat, mini-programs and API interfaces. The data of various access clients is integrated on a dynamic security hyper-converged platform. The access data of each platform is associated and credit-scored through source IP and account information. Multi-platform business information linkage and threat perception are achieved, so as to accurately identify and intercept malicious automated illegal requests.

The architecture diagram of the dynamic security hyper-convergence platform is as follows:

Ruishu's dynamic security hyper-convergence platform has achieved "three unifications":

1. Unified protection for all-channel access
Unified protection is achieved for all service channels (mobile banking apps, web sites, H5 pages, WeChat, mini-programs, and API interfaces), together with web page code hiding and automated tool protection. The website's page code is hidden to prevent malicious attackers from analyzing it and launching targeted attacks, and attacks from various automated tools, such as website vulnerability scanning tools and batch financial business fraud tools, are efficiently identified and defended against.

2. Unified fusion analysis of cross-channel data
The dynamic security hyper-convergence platform integrates data from the various access clients. Access data from each platform is associated and credit-scored through source IP and account information, which links business information across platforms, enables threat perception, and allows malicious automated requests to be accurately identified and intercepted. Complete data records make the user's access trajectory visible and the user's access behavior trackable. The system shares data among the various businesses, accumulates risk control data for the bank, improves overall risk control protection capabilities, and provides unified data output and integration.

3. Build a unified standard for application security
Establish a security standard for rapid online deployment, standardize the entire security process, and achieve heterogeneous integration so that security capabilities connect seamlessly and the cost of financial business innovation is reduced. Heterogeneous integration allows new security capabilities to be integrated quickly, improves compatibility, and lets front-end applications call security capabilities quickly.

2. Project Innovation

1. Web application collaborative protection
The platform combines the adaptability and scalability of traditional architecture and cloud application scenarios, moving protection from the traditional network boundary to the various Web applications, App applications and API cloud services. It builds a trusted security architecture focused on business logic, users, data and applications, and fully resists new security threats. After the system is deployed, the ability to identify and track fraud sources is greatly improved, and the entire attack picture can be controlled throughout the process, establishing a full-dimensional, three-dimensional combat capability against cyberspace threats.

2. Security technology changes, turning passive into "active defense"
Dynamic security technology provides active security protection for website security without relying on rules and patches. With "dynamic protection" technology as the core, it increases the "unpredictability" of server behavior; provides active defense for the business layer, efficiently identifies known and unknown automated attacks that disguise and impersonate normal behavior, and intercepts unknown threats.


3. New ideas based on AI technology
The AI intelligent threat engine uses multiple machine-learning threat models to identify abnormal attacks and block the attack requests it identifies. Each threat model represents a specific attack category (SQL injection, cross-site scripting, OS command injection, etc.). These threat models are extensively trained and tested using hundreds of thousands of real attack samples from various sources, including CVE and Exploit DB, threat intelligence, and data collected by third-party vulnerability scanners, to discover highly concealed attacks, effectively improve detection rates, and reduce false positives. The engine further filters the noise of automated attacks, making big data risk control more accurate and efficient, significantly reducing the risk of online transaction fraud, and setting a new benchmark for the industry.

4. Strengthen protection against emerging bot threats
Bot protection capabilities can effectively resist efficient, large-scale attacks launched by automated tools, such as malicious crawlers, credential stuffing, fake registrations, transaction tampering, intranet security, API abuse, zero-day attacks, etc., to ensure security upgrades at the business, application and data levels. Dynamic verification technology is based on dynamic algorithm technology. The logic and form of the terminal inspection code differ each time it is distributed, so attackers cannot predict what will be inspected and find it difficult to bypass. Even if they reverse-engineer the code, the result is valid only for that one instance and the work must be repeated the next time, which makes the cost of the attack extremely high. Dynamic verification technology solves the problem of easy reversal and bypass in similar solutions around the world; it also uses technologies such as real operating environment verification and terminal attack behavior pattern analysis to fully grasp the full picture of the attack and accurately profile the attacker. These technological innovations have put the protection capabilities of this project at the world's leading level.

3. Project Results

At present, the dynamic security hyper-convergence platform has been running stably for nearly two years without any failures. Since its launch, it has effectively intercepted various CC attacks and automated attack behaviors. It can also protect against unknown attacks, protecting customers from zero-day vulnerability attacks and giving security operations enough time to repair vulnerabilities, so that customers can respond more calmly.

At the same time, all Web, App and API applications are connected to the platform. Dynamic security technology collects access client information, which is combined with full access records, and big data technology aggregates the access logs in one place. Comprehensive correlation security analysis is then performed to discover possible attack behaviors, effectively intercept various automated attack behaviors, and prevent various business attacks initiated by the black industry. For example, batch queries and abnormal transactions initiated by automated tools, and overseas IPs that use multiple accounts to log in frequently and trade abnormally, are effectively blocked.

In addition, Ruishu's dynamic security technology can protect against unknown attacks, protecting business systems from zero-day vulnerability attacks and giving security operations and maintenance sufficient time to repair vulnerabilities, allowing us to respond more calmly. It provides the relevant front-line departments with automated tool interception, security alerts, and data output, and gives handling suggestions, achieving unified security threat protection and analysis.

4. Customer Recognition

The security director of a state-owned bank spoke highly of the Ruishu Dynamic Security Hyper-Converged Platform: "Using the Ruishu Dynamic Security Hyper-Converged Solution, our bank's core business systems such as personal online banking, mobile banking, corporate online banking, and recruitment websites are all included in the protection, which helps us effectively solve the following three major problems: first, unified threat protection; second, cross-channel data fusion analysis; third, building a unified standard for application security."


"Ruishu Dynamic Security Hyper-convergence Solution" won the double awards of "Expert Recommended TOP10 Excellent Solution" and "Network Security Innovation Excellent Solution" in the "Xinzhi Award·The 3rd Financial Data Intelligence Excellent Solution Selection" event.

5. Experience Summary

The dynamic security hyper-convergence platform has been running stably for nearly two years since its official launch, protecting all core businesses of customers and enabling interception mode to intercept various automated attack behaviors in real time. The system has covered multiple data centers of customers, deployed multiple nodes in each data center, and achieved high business availability through load balancing devices. The promotion experience mainly includes the following aspects:

First, it has achieved a good demonstration effect in the financial industry. Full-channel protection for Web, App and API business, cross-channel data integration, business security, and unified application security management all address serious risks faced by all financial companies. The protection effect and benefits of this project are of great reference significance to financial companies in general and have great promotion value in the financial industry.

Second, it reduces the economic losses of financial enterprises. To improve economic benefits, financial enterprises often organize promotional activities, and large numbers of bonus-abuse groups (so-called "wool parties") follow with automated tools, taking away a large share of the promotional investment and causing huge economic losses to enterprises. In addition, through this platform, we can clearly understand which businesses real users are more enthusiastic about, which businesses have a large number of participating users, and which activities attract more registered users, thereby assisting business promotion; understanding the user's behavior model through user portraits enables precision marketing and increases revenue.

Third, it helps the financial industry fight against the black industry chain. The successful experience of this project has opened up a new way for the financial industry to fight against the black industry. First, it starts from the core part of the black industry chain, "automation tools", making all automation tools unable to run and thus breaking the chain. Second, full-channel protection for Web, App and API business, cross-channel data integration, a business security perspective, and unified application security management together form a joint security defense posture, which greatly improves security capabilities. It has established a successful case for all financial enterprises fighting against the black industry, one that can be vigorously promoted within financial enterprises.

Fourth, it has achieved a cross-industry demonstration effect. This solution is a comprehensive protection platform that integrates multi-dimensional security capabilities such as intelligent WAF defense, Bots management and defense, application layer DDoS protection, API management and security protection, security visualization, and unified security management, and it has built a unified security standard. These capabilities are also lacking in industries such as government and operators. This project can serve as a reference for various industries and has a good cross-industry demonstration effect.

At present, this solution has been widely used by domestic financial, operator, government and enterprise customers. At the same time, Ruishu Information has participated in many national-level network security assignments, such as attack and defense actual combat exercises, CIIE security, and the 70th anniversary of the founding of the People's Republic of China. In the attack and defense actual combat exercises of the past two years, it has participated in the defense work of more than 30 important national departments and large banks, achieved good results, and been widely recognized by users.
