Building an E2E Cyber Security System 2019/Conference... · 2019-04-17 · Asset management Personnel management Partner management Physical & environmental management Security check

Posted Jun 11, 2020
Page 1: Building an E2E Cyber Security System

Security Level:

James Chu, Ph.D.
[email protected]
Huawei Enterprise Business Group

Page 2: Agenda

1. Build an E2E Cyber Security System
2. Huawei Cyber Security Strategy
3. Huawei Cyber Security Solution

Page 3: Digital Transformation vs. Cyber Security

Drivers of digital transformation: Digitalization, Mobility, Big data, E-transaction, Open & all connection (Cloud, SDN/NFV, AI, 5G, IoT, Mobility)

Security consequences of digitalization:
• Ease of copy
• Ease of spread
• Difficulty of rights management
• Privacy protection
• Data security
• Break of geographical restrictions
• No distance restrictions
• Border of nations
• Border of departments and enterprises

What is at stake: financial security, transaction security, business continuity

Page 4: Content of Cyber Security

Classification / Work content
• National cyber security: Critical infrastructure security (Telecommunications, Finance, Electricity, Transportation, Oil & Gas)
• Enterprise cyber security: Data leakage prevention; Attack defense; Anti-privilege

Page 5: Measure for Cyber Security

Elements: Personnel, Environment, Information
Measures: Management, Technology, Operation

Page 6: Basic Ideas: System, Process, Hierarchy

• Full process, whole life cycle: prior to employment; during employment; termination of employment
• Defense in depth: border of internal & external network; within the department or enterprise
• Active discovery and processing: daily management and education for all; key asset/personnel management; violation detection and handling

Page 7: E2E Cyber Security System

The cyber security system is made up of three sub-systems:

• Management system: Organization; Policy & specification; Asset management; Personnel management; Partner management; Physical & environmental management; Security check & audit; Security awareness; Security compliance
• Technology system: Terminal side protection; Cloud/DC side protection; Network separation and data exchange; Security technology & tools; Security products
• Operation system: IT maintenance security; Incident emergency response; Risk assessment & security hardening; Attack analysis and resistance; BCM/DR; Right/privilege management

Page 8: Agenda

1. Build an E2E Cyber Security System
2. Huawei Cyber Security Strategy
3. Huawei Cyber Security Solution

Page 9: Cyber Security Is Top Priority of Huawei

"In light of the foregoing, Huawei hereby undertakes that as a crucial company strategy, based on compliance with the applicable laws, regulations, standards of relevant countries and regions, and by reference to the industry best practice, it has established and will constantly optimize an end-to-end cyber security assurance system… tackling the challenges of cyber security through partnerships with governments, customers, and partners in an open and transparent manner. In addition, Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests."
– Statement on Establishing a Global Cyber Security Assurance System

"As a company, cyber security and privacy protection are our top priorities. We are committed to building trust and high quality into every ICT infrastructure product and solution we develop."
– An open letter to all Huawei employees

Over the past 30 years, Huawei has served more than 3 billion people worldwide, supporting the stable operation of more than 1,500 carrier networks in over 170 countries and regions. We have maintained solid cyber security records worldwide and earned the trust of tens of thousands of customers.

Page 10: Cyber Security Strategy Is "Built-in" to Everything We Do

Governance roles:
• CEO: Ren Zhengfei
• GSPC (Global Cyber Security and Privacy Committee), chaired by Ken Hu: Approve the strategy, planning, policies, roadmap, and investment; resolve conflicting strategic priorities and audit.
• GSPO (Global Cyber Security and Privacy Officer), John Suffolk: Lead the team to develop the security strategy; drive the implementation of cyber security assurance internally; support GR/PR and global account customers externally.
• GSPO Office: Coordinate to formulate detailed operation; support the strategy & implementation; audit and monitor the implementation.
• Region/BG/BU CSOs: Develop region/BU/BG cyber security strategy and planning, and drive the implementation; work with GSPO to identify changes to BG/BU/departmental processes to ensure the cyber security strategy and requirements are fully embedded.

Business-group cyber security organizations: Carrier Network BG Cyber Security Officer; Consumer BG Cyber Security Office; Enterprise BG Cyber Security Office

Functional departments and units on the chart: PACD; LA; MKT; REGION; CHR; BP&IT; Audit; Cyber Security and Privacy Lab; Supply Chain Cyber Security Office; Procurement Cyber Security Office; P&S / 2012 Lab Cyber Security Office; Independent Cyber Security Lab; Cyber Security Transparency Center

Regional CSOs on the chart: USA CSO; Canada CSO; Australia CSO; UK CSO; Germany CSO; France CSO; Netherlands CSO

1500+ full-time security people

Page 11: Every Part Of Huawei, And Every Person, Is Included

No. | Area | Focus
1 | Strategy, Governance and Control | Having an overall strategy and the accountability to make it happen
2 | Standards and Processes | Using the best standards and approaches to protect against threats and risks
3 | Laws and Regulations | Making your products and operations legally compliant in every country you operate in
4 | Human Resources | Getting the right people, in the right roles, with the right behaviour to limit insider issues
5 | Research and Development | Designing, building and testing products in a secure way that builds on the above building blocks
6 | Verification: Assume nothing, believe no one, check everything | Many eyes, many hands, many checks. Tiered independent approach to security verification
7 | Third-Party Supplier Management | Getting your suppliers to take security seriously – 70% in the box is not Huawei's
8 | Manufacturing & Logistics | Manufacturing products that secure each step along the way – right through to delivery
9 | Delivering Services Securely | Ensuring installation, service and support is secured. No tampering, fully auditable
10 | Issue, Defect and Vulnerability Resolution | As issues arise, solving them quickly and ensuring customers' technology is secured
11 | Traceability | Root-cause analysis demands an ability to forward and reverse trace every person and every component from every supplier in every product for every customer
12 | Audit | Using rigorous audit mechanisms to ensure every part of Huawei conforms to the strategy

E2E Cyber Security Assurance System building blocks: Strategy, Governance and Control; Standards and Processes; Laws and Regulations; HR; R&D; Verification; Third-Party Suppliers; Manufacturing and Logistics; Delivering Services Securely; Issue, Defect and Vulnerability Resolution; Traceability; Audit

Page 12: Security activities integrated into Decision Check Points, Contract and Technical Reviews/Other Reviews or Check Points

Security activities by development phase:
• Security Requirement: Security requirements analysis; Security threat analysis
• Security Design: Security architecture/feature design; Open source & third-party software selection
• Security Development: Code security review; Static code security scan
• Security Test: Security test solution and cases; Security test
• Security Delivery and Maintenance: Security patch development (including open-source & third-party software)

Supporting activities across all phases: Configuration Management; R&D Tools; Build Management; Open-Source & Third-Party Software Management

IPD lifecycle and check points: Concept (TR1) → Plan (TR2, TR3) → Development (TR4, TR4A, TR5) → Qualify (TR6) → Launch (GA); decision check points: Charter, CDCP, PDCP, ADCP

Reference to industry best practices: OpenSAMM (Open Software Assurance Maturity Model); BSIMM (Building Security In Maturity Model); SDL (Security Development Lifecycle); security baseline, criterion, guide etc.

Huawei adopts a built-in approach through clearly defined and specific security activities and requirements within the product development process, and checks those activities at DCP and TR check points, to ensure effective implementation.

Page 13: Build a Secure Supply Chain Together with Supplier Partners

Principles: Strict qualification; Systematic prevention; Rapid handling; Continuous improvement

Supplier lifecycle stages: Supplier sourcing; Material sourcing; Supplier qualification; Problem handling & emergency response; Supplier selection; Supplier daily management; Supplier portfolio management; Supplier exit

Target (in slide order):
• Cyber security is a basic requirement and minimum standard
• Security requirements are incorporated into the material sourcing and qualification process
• Have to pass the security assessment and sign the security agreement; no security, no business
• Inspection on high-risk suppliers and improvement on security risk assessment
• Rectify security vulnerabilities and issues; version updates or patches
• Security requirements are incorporated in supplier selection process (TQRDCESS)
• Supplier security performance management process (categorized into strategic, preferred, approved, conditional, and phase-out suppliers)
• Security requirements are incorporated in supplier exit process (TQRDCESS); poor security performance suppliers will exit

Method (in slide order):
• Minimum requirements for suppliers
• Material security specifications
• Technical quality risk assessment
• Security testing and qualification for new materials
• Cyber security system self-assessment
• Cyber security assessment
• Cyber security agreement signing
• Security system self-assessment
• Security risk level assessment
• Performance evaluation
• SCAR workflow problem closure
• CERT, vulnerability warning and emergency response
• Application of security performance evaluation results in supplier selection
• Supplier portfolio management
• Management of exit of suppliers with low performance

Requirements & processes: see the Target and Method items above.

Organizations and IT platforms: PET/SQE/TQC/CEG; PQMD; ST; Procurement cyber security and privacy work team; SRM platform
• PQMD: Procurement Qualification Mgmt Dept
• PET: Procurement Engineer Technology
• SQE: Supplier Qualify Engineer
• CEG: Commodity Expert Group
• TQC: Technical & Quality Certification
• SRM: Supplier Relationship Mgmt

We have signed cyber security agreements with more than 3400 cyber security related suppliers worldwide, requiring suppliers to comply with relevant security regulations and industry security standards, and prohibiting the implantation of Trojans, backdoors, malicious code, and vicious viruses.

Our Supplier Security System Checklist provides a comprehensive assessment on how the supplier performs relating to security policies, procedures and standards.

Page 14: Responsible Disclosure

Responsible disclosure implies that the vulnerability finder and vendor work together diligently to produce a timely resolution to reduce users' risks associated with the vulnerability.

Parties on the slide: Vulnerability Finder; Coordinator; Huawei PSIRT; Other Vendors. Flows shown between them: "Report vulnerability to" and "Release security advisory to".

Principles: Transparency; Mitigation; Trustworthiness Improvement

We adopt responsible disclosure processes with vendors, CERT organizations and security researchers; we coordinate the resolution of product vulnerabilities.

Page 15: Huawei Cyber Security Transparency Center

Global hub: Shenzhen, China
Regional hubs: Banbury, UK; Brussels, Belgium; Bonn, Germany; Dubai, UAE; Toronto, Canada
HCSTC Brussels: Communication, Innovation and Verification

Huawei Cyber Security Transparency Center is to serve as an open, transparent and collaborative exchange platform with key stakeholders.

Page 16: Cyber Security in HR Management

Inputs: Customer requirements; Cyber security statements; BCG and cyber security policies; Legal requirements in various states; Huawei Cyber Security Strategy and Values

HR management elements: Security vetting; Whistle-blowing; Security accountability; Security education & proactive learning; Security position management

Staff scope: Staff in security positions; Staff in common positions; All staff

Principle: Pre-job: clean background; On-job: clean behavior; Off-job: clean assets and permission

Activities:
• Security vetting: Pre-job security background vetting; Background vetting; Commitment letter & NDA; Commitment letter signing; BCG and commitment letter signing
• Whistle-blowing: Establish whistle-blowing mechanism
• Security accountability: Cyber security accountability system; On-job regular security audit
• Security education & proactive learning: Staff awareness education; Off-job staff security requirement publicity
• Security position management: Identify cyber security positions and define job descriptions and update competence & qualification criteria; Off-job security permission & asset cleanup

Integrate cyber security into HR enabling management: HR process management; Cyber security education organization; Cyber security courses & case management; Proactive learning motivated by job qualifications

Integrate cyber security into HR management elements.

We promote employees' awareness and competence to avoid the risks due to employees' inappropriate behavior.

Page 17: Agenda

1. Build an E2E Cyber Security System
2. Huawei Cyber Security Strategy
3. Huawei Cyber Security Solution

Page 18: Huawei Capability on Cyber Security/Information Security

• Consulting service: Strategy & Plan, Information security system construction, Attack resistance
• Practice & experience: Critical infrastructure security, Enterprise internal security, E2E security guarantee to customers
• Security solution & products: Firewall, VPN, IPS, Anti-DDoS, CIS (Anti-APT)

Page 19: Huawei Information Construction Practice

Security operations figures:
• Viruses blocked per month: 550,000
• Network threats blocked per month: 492,000
• SQL injection/cross-site attacks blocked per year: 3,000,000
• Malicious sites blocked per day: 20,000

Scale:
• Employees: 180,000+
• Countries/regions covered: 170+
• Nationalities: 150+
• Global office sites: 1000+

Framework: Organization & Capability; Principle & Policy; Information & Process; Awareness & Culture; Technology & platform

Page 20: Huawei Cyber Security Consulting

Cyber security consulting offerings:
• National cyber security strategy/whitepaper
• Government cyber security system planning & construction
• National CIRT/CERT planning & construction
• Enterprise cyber security system planning & construction

Page 21: Huawei Security R&D History

Timeline years on the slide: 2002, 2004, 2006, 2008, 2010, 2012, 2013, 2015, 2017

Milestones in slide order: VPN Encryption Card (2002); Commercial Cipher Certificate; IPSec VPN High-speed Card; TSM; Entered the Enterprise Market; Security Competence Center; SRG Box; 10GE Firewall; 1T IDS; 100M Firewall; NP-based Firewall; First 40G Anti-DDoS; 100G High-end Firewall; Full-series UTM Products; NGFW (2013); Sandbox, Challenger, 100M FW, Anti-DDoS, CIS (2017); vNGFW, Recommended Cloud Sandbox (2015)

Page 22: Huawei Security Products Portfolio

• Cloud Security: AntiDDoS1000
• Network Security: USG6000/6000E (mid-range and low-end NGFW); NIP6000 (IPS & IDS); USG9500 (TB-level NGFW); AntiDDoS8000 (Anti-DDoS); USG6000V (software firewall); USG9000V
• Device Security: CE and S switch modules; SVN5000 (security access gateway)
• Sandbox: FireHunter6000
• Security plug-in
• Big data intelligent analysis system: CIS
• Security Mgmt: SecoManager (unified control system)
• IoT security
• Security Services: Threat signature database updates; Emergency response; Security consulting

Page 23:

Copyright © 2018 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Thank you.