Executive Summary
Today’s cybersecurity operations center (CSOC) should have everything it needs to mount a competent defense of the ever-changing information technology (IT) enterprise. This includes a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals. Yet, most CSOCs continue to fall short in keeping the adversary—even the unsophisticated one—out of the enterprise.
Today's cybersecurity operations center (CSOC) needs to have everything ready to respond to the ever-changing IT landscape. This requires a range of sophisticated intrusion detection and protection technologies, extensive security intelligence, and a workforce that keeps pace with the times. Yet most CSOCs remain on the losing side of the contest, even against the least sophisticated adversaries.
The deck is clearly stacked against the defenders. While the adversary must discover only one way in, the defenders must defend all ways in, limit and assess damage, and find and remove adversary points of presence in enterprise systems. And cybersecurity experts increasingly recognize that sophisticated adversaries can and will establish lasting footholds in enterprise systems. If this situation were not bad enough, more often than not, we are our own worst enemy. Many CSOCs expend more energy battling politics and personnel issues than they do identifying and responding to cyber attacks. All too often, CSOCs are set up and operate with a focus on technology, without adequately addressing people and process issues. The main premise of this book is that a more balanced approach would be more effective.
The balance of the contest appears to be tilted against the defenders. The attacker need find only a single way to break in to achieve its goal, whereas the defender must cover every angle, and must also limit damage and find the vulnerabilities in its systems that the attacker exploited. Information security experts are increasingly finding that advanced attackers can establish lasting footholds in enterprise systems. And that is not the worst of it: often the defender's greatest enemy is itself. Many CSOCs spend more time and energy on policy making and personnel issues than on contending with attackers. Most of the time, a CSOC is set up primarily around technology, with insufficient consideration given to management aspects such as personnel and policy. This book focuses on balancing these two aspects so that they reach a better equilibrium.
This book describes the ten strategies of effective CSOCs—regardless of their size, offered capabilities, or type of constituency served. The strategies are:
1. Consolidate functions of incident monitoring, detection, response, coordination, and computer network defense tool engineering, operation, and maintenance under one organization: the CSOC.
2. Achieve balance between size and visibility/agility, so that the CSOC can execute its mission effectively.
3. Give the CSOC the authority to do its job through effective organizational placement and appropriate policies and procedures.
4. Focus on a few activities that the CSOC practices well and avoid the ones it cannot or should not do.
5. Favor staff quality over quantity, employing professionals who are passionate about their jobs, provide a balance of soft and hard skills, and pursue opportunities for growth.
6. Realize the full potential of each technology through careful investment and keen awareness of—and compensation for—each tool’s limitations.
7. Exercise great care in the placement of sensors and collection of data, maximizing signal and minimizing noise.
8. Carefully protect CSOC systems, infrastructure, and data while providing transparency and effective communication with constituents.
9. Be a sophisticated consumer and producer of cyber threat intelligence, by creating and trading in cyber threat reporting, incident tips and signatures with other CSOCs.
10. Respond to incidents in a calm, calculated, and professional manner.
In this book, we describe each strategy in detail, including how they crosscut elements of people, process, and technology. We deeply explore specific areas of concern for CSOCs, ranging from how many analysts a CSOC needs to where to place sensor technologies.
This book mainly introduces ten strategies that are effective for any CSOC, regardless of its size, the services it offers, or the domain it protects:
1. The functions of the CSOC cover incident monitoring, investigation, response, and coordination, as well as the design and development, operation, and maintenance of computer network defense systems.
2. Balance the CSOC's size against its capability/agility, so that the CSOC can carry out its functions better.
3. Give the CSOC sufficient authority to carry out its functions efficiently, and with clear justification, across the enterprise's departments.
4. Keep the CSOC focused on the functions within its reach, rather than on functions beyond its scope.
5. In selecting staff, emphasize quality over quantity: recruit professionals who are passionate about their work, weigh soft and hard skills in balance, and give employees sufficient room to grow.
6. Have a deep understanding of every technology or tool to be adopted: know its full potential as well as its limitations and how to compensate for them.
7. Revise the deployment and tuning of sensors repeatedly so as to achieve a lower signal-to-noise ratio.
8. Carefully protect the CSOC's systems, architecture, and data, while maintaining transparent and efficient communication between departments.
9. Become a mature consumer and provider of cyber threat intelligence: create and exchange cyber threat intelligence, and trade security incident indicators and signatures with other CSOCs.
10. Report security incidents in a calm, objective, planned, and professional manner.
This book discusses each of the points above in greater depth and detail, including how they coordinate the relationships among people, process, and technology. We also discuss specific areas of the CSOC in depth, including how many staff are needed to build a CSOC and where to deploy sensing equipment.