Alibaba Cloud's security muscles behind Singles' Day shopping carnival

Brother Tao: Wu Hanqing- chief security researcher of Alibaba Cloud and head of Alibaba Cloud Security
Wu started to study security technologies from 2000 and has been active in China's security community, with a huge influence in the security sector. Wu joined Alibaba in 2005 and is an early builder of Alibaba security. He designed, in succession, the application security systems of Alibaba, Taobao, Alipay, and Alibaba Cloud. From 2012 to 2014, Wu acted as a partner of Anquanbao, the first SaaS-based security service provider in China, and started his own business, committed to providing better cloud security products and services. He returned to Alibaba in 2014, taking charge of Alibaba Cloud Security. Wu is the author of Web Security: A WhiteHat Perspective and has a WeChat account and a Zhihu account: Taosay Blackboard.
I. The cloud safeguarding the Double 11 shopping carnival
1. Could you introduce to us the unsung heroes who secured the smooth shopping experience for these shopaholics during the Double 11 shopping carnival - Alibaba Cloud and Alibaba Cloud Security?
Brother Tao: Alibaba Cloud's vision is to provide 70% of the world's computing capacity, and its services include the cloud computing in the traditional sense, big data, middleware and security.
Alibaba Cloud Security is a product and service to ensure user security. Apart from basic defense and security services against attacks, it also offers full-stack security solutions. Currently Alibaba Cloud Security has had a dozen of security products, involving various security aspects such as network, server, application, and business. Alibaba Cloud Security business is growing very fast. It is now protecting more than 37% of websites nationwide, defending against 50% of DDoS attacks to China's internet. It verifies the feasibility of SaaS in the security sector in the real sense.

2. What business security systems does Alibaba Cloud have? Who are their key protected objects?
Brother Tao: Alibaba Cloud targets large, medium-sized and small enterprises from various sectors. It is working on the infrastructure and hopes the cloud computing can become a public service like the electricity, water and coal supplies. Power plants do not differentiate their customers by industry when supplying the power, so should cloud computing. Alibaba Cloud Security targets all the industries, no matter the size of the customer. However, different customers may have different service needs and standards, which is understandable, just like power supplies which is also divided into the residential electricity and industrial electricity. The service standards vary, but the products are the same.

3. Alibaba Cloud protects others like a guardian, but who will protect it in turn?
Brother Tao: Alibaba Cloud Security technology is also used to protect Alibaba Cloud. All our technologies are tested and matured inside Alibaba before they are made available to the customers as products. So our products lay special stress on the practical effects. With regard to Alibaba Cloud's own security systems, we pay high attention to the confrontation ideology of “red army-blue army” and will invite white hats throughout the industry to conduct security tests on the products. In this process, we will rely on the “visibility” ability of Situation Awareness to perceive each attack attempt, and ultimately restrain the overall numbers of security events and loopholes. All these functions, such as the precognition intelligence and situation awareness are available as products and services in the Alibaba Cloud Security product system.

4. What is the difficulty in protecting on-cloud customers?
Brother Tao: Cloud computing is a large-scale computing activity. Any transaction will become complicated and hard to handle once it becomes sizable. But this also opens an opportunity for innovation. A typical feature in the large-scale computing scenario is the “small probability events becoming a normal”. For example, a regular website may not experience one DDoS attack all year round. But in Alibaba Cloud, we have to defend against thousands of DDoS attacks every day. In such an attack magnitude, it is impractical to rely on manual handling. This forces us to make technical innovation. So we achieve fully automated guard against DDoS attacks with no human intervention needed at all. The whole process from detection, response to defense can be completed within one second for any DDoS attack.

II. What's unique about Alibaba Cloud Security?
1. You always mention the situation awareness of Alibaba Cloud Security. What is it actually and what is magic about it? What is the source of your big data analysis models? What do you rely on for building the models?
Brother Tao: Situation awareness is different from the traditional SIEM for two critical reasons. Now many security manufacturers have started to tap into situation awareness, but most of them just change the name of SIEM. This is a misunderstanding of situation awareness.
The earliest application of situation awareness in the security sector was proposed after I officially launched the Alibaba Cloud Security Situation Awareness product at the Alibaba Security Summit in July 2015. The speech by President Xi Jinping in April 2016 also urged to pay attention to the situation awareness of network security. The visibility empowered by situation awareness constitutes the foundation of the entire security field.
Situation awareness has two important features which differentiate itself from other security products. The first one is its being based on the raw data and its full respect for the original data. Currently Alibaba Cloud Security analyzes more than 500T of incremental data every day and the data stock amounts to more than 100P. This enables us to analyze the firsthand information from the raw data, instead of obtaining secondary sources from some third-party security devices. The most valuable information all rests in the raw data. When our algorithms are updated, we can still calculate the new values based on the old raw data.

2. Alibaba Cloud Security underscores full-chain monitoring and warning. Can you explain to us how they are achieved?
Brother Tao: We collect data from sensors in various dimensions, including network, server, database, and Layer-4 and Layer-7 data, as well as operation logs and system logs. Because Alibaba Cloud Security is deployed throughout the chain, including not only the full-network scanner, but also the traffic analysis and data analysis at the application layer, as well as server agents. Thanks to these, we can observe different phenomena from different perspectives. At the same time, Alibaba Cloud also provides APIs in various dimensions. Through the RAM authorization, we can call some data provided by the cloud computing itself, and make comprehensive diagnosis by integrating all the data.

3. What new black technologies is Alibaba Cloud Security working on? What are the goals?
Brother Tao: We hope to bring the powerful computing capability of Alibaba Cloud to the full play in our security field. We know that the liberation of computing capabilities has generated a huge opportunity for deep learning and AI.
For example, we are studying how to let a computer system replace the security experts in all the manual work, including all the evaluation result analysis, strategy maintenance and responses. All these jobs requiring advanced thinking and experience can be completed by the machine automatically, while they used to be completed manually by experts. But we think it is feasible to let machines handle the tasks, and in some cases, the machines can do a better job than humans.
This is a huge project on which we are stepping up our effort. We would like to call this upcoming AI project “Cloud Security Junior” and I hope it will be a star employee among us.

III. What should we rely on to safeguard “Double 11”?
1. We know that “Double 11” is around the corner. Can you introduce what basic services and support that Alibaba Cloud needs to provide for the upcoming “Double 11” shopping carnival? Can these services and support perceivable by shopaholics of the “Double 11” shopping carnival?
Brother Tao: Security actually owns the support attribute and is similar to the O&M. So well-performed security measures are usually not perceivable. Like how we protected the G20 summit, the “Double 11” shopping carnivals in the past several years have been smooth thanks to the support of Alibaba Cloud Security. The challenge of “Double 11” shopping carnivals comes from the massive access requests, posing a demanding requirement for many solutions in such scenarios.
For example, during the “Double 11” shopping carnival, we need to conduct centralized statistics and analysis on the traffic per second to domestic and overseas zones for security checks and responses. This indicates a very big challenge for analyzing several TBs of traffic across regions, requiring high stability and real-timeliness. If the checking capability is disabled for just one minute, it is likely to introduce a significant stress on the back-end servers, leading to an overall failure of the “Double 11” performance. So “Double 11” is a final exam.
What's more, we applied the WAF technology for the first time in last “Double 11” shopping carnival, and will continue to use it this year. That is to say, every request in the “Double 11” will go through the security check of WAF, which requires a strong detection capability and elastic technical architecture. WAF supports dispatching more than 1 million policies at the same time, which is never seen on other security facilities. The unique scenario of “Double 11” breeds these technical breakthroughs.
At last but not least, the customers may be able to perceive our presence in that we adopted a “lossless traffic-limiting” technology during the “Double 11” shopping carnival. Because nobody can predict the peak traffic of the “Double 11”, and the servers at the back end may never be enough, we adopt a “queuing mechanism” for requests that exceeding the system load for security control. This mechanism will not drop your connection, but it makes you wait until it is your request's turn for system processing. This is something like queuing up for buying the iPhone out of an Apple store. People don't rush up in a crowd, but wait in good order.

2. What contingency plans does Alibaba Cloud have for emergencies? Especially during the “Double 11” when an emergency will render all the shopping attempts unavailable?
Brother Tao: We have a professional emergency response team to handle all the critical situations, including loopholes in products, security incidents on the cloud, some problems reported by external sources, and some severe cases from customer complaints. We will collect all the information extensively beforehand, designate personnel on duty during the process to motivate all competent teams to respond, and organize postmortem observation and replays of the effect.
We may often face some major security vulnerabilities in cloud computing that may influence hundreds of thousands of users. We can observe how some advanced threats sprawl and spread, or “security epidemic” as we call it internally. In fact, if we can stop the spread one hour earlier, we may save tens of thousands of users from suffering loss. So our emergency response team is racing against hackers. All the emergency responses have a precondition: the problems should be observed by us. This is what situation awareness is capable of. So the “visibility” capability of situation awareness is our foundation.
During the “Double 11” shopping carnival, we have a dedicated support team to design dozens of pre-plans for various security emergencies. They started rehearsals of these pre-plans as early as several months before the “Double 11” to ensure these plans are effective. They are on duty around the clock throughout the entire “Double 11” carnival.

3. You have invested so much effort to make sure all of us can buy buy buy. Can you name a few examples of the emergencies during the previous “Double 11” and how Alibaba Cloud Security teams managed to head off the danger?
Brother Tao: In the “Double 11” shopping carnival last year, many scalpers tried to snap at the flash sales products. Through threat intelligence, we managed to analyze the rough distribution of scalpers nationwide, and the tools and resources they used. Before the “Double 11”, we made sudden launches of policies to block the tools and resources of the scalpers on primary websites with high traffic, so that the normal business services can be ensured. Our risk control strategies have met very frequent confrontations. It is common that an algorithm has to be updated once every half an hour.

4. We heard that live broadcasting business has been added to the “Double 11” shopping carnival this year. It sounds so amazing. Does Alibaba Cloud offer some special support for this feature?
Brother Tao: The live broadcasting business is faced with two major security issues: one is the live broadcasting interruptions by DDoS attacks, which may render all the previous marketing effort in vain. So the anti-DDoS pre-plan should be in place during the live broadcasting, and the network quality should also be maintained stable with no jitters to avoid compromising the live effects; Second, some live videos also provide bullet screens, and some illegal and illicit information may appear in the bullet screens, generating negative impact. So the live video's UGC needs to be checked. The AliGreenNet of Alibaba Cloud Security is born to provide the checking and blocking services.

5. Could you introduce how Alibaba Cloud eradicates a threat of the “Double 11” shopping carnival?
Brother Tao: During the “Double 11”, some mobile manufacturers will usually launch some large promotions of flash sales to attract a number of scalpers for purchasing and stockpiling, which disturbs the market orders. Therefore, we will grasp the overall situation through threat intelligence and some black industry analysis. This task is done by our dedicated intelligence teams and data analysis teams. These intelligence will be applied to WAF during the “Double 11” support for blocking in key procedures. Meanwhile, the attackers often change their attack sources and tools and confront with our policies. So we must observe the effectiveness of our policies in real time. This task is done by our support teams and data analysis teams.

6. Apart from the businesses of Alibaba Group, which customers of Alibaba Cloud also enjoy business booms during the Double 11 shopping carnivals?
Brother Tao: Alibaba is a large ecology system. Throughout the “Double 11”, apart from the Tmall and Alipay of Alibaba that will witness huge traffic growth, the express delivery industry and the ISV supporting the e-businesses also need to face the peak traffic stress.
Our Aliexpress is an international C2C service and the biggest e-business in Russia. It once screwed the Russian postal service over because of a promotion activity. Similar issues also happen in China, which is also why Alibaba Group launched the Cainiao logistic service. We hope to optimize the global logistic system.
So many businesses in Taobao and Tmall may need to handle dozens of times of orders during the Double 11 of what they handle during regular time, which imposes heavy pressure on their ISVs (such as CRM systems, stock management systems, and commenting systems). Jushita provided by Alibaba aims to relocate these ISVs on the Alibaba Cloud to provide more powerful security protection. In fact, in Alibaba's “Double 11”, 90% of orders will flow to these ISVs.
This year, Alibaba Cloud Security will work with Jushita to provide integrated security support for these e-businessISVs so as to ensure the smooth “Double 11” shopping carnival.

7. “Double 11” is around the corner. Do you have something to say to the numerous shopaholics?
Brother Tao: “Double 11” is a miracle of China, and of the world. Behind every order of the “Double 11” is the consumption of large-scale computing resources and verification of the big data applications and security technologies. The revelry of shopaholics creates the top technical feast in the world. This is not only a success in business, but also witnesses one after another boundary breaking moves of the technology circle. The result is that we co-build the future of the world together. We are here because of you.