Building and Applying a Security Threat Intelligence System

What is security threat intelligence?

The current information-security defense system faces difficulties:
- It is hard to find genuine attack behaviour among the huge volume of security events; traditional products such as IDS and SOC are used inefficiently.
- A security incident confirmed at one point cannot be shared promptly and effectively across the organization, so internal coordination is difficult.
- Vulnerability and threat information is not interoperable between security devices of different types and from different vendors, which hampers the maintenance and management of large networks.
- The NSA attack techniques against our country revealed by the Snowden disclosures and similar events are hard to identify and detect with current means.
- There is an urgent need to upgrade the existing security system, apply security threat intelligence technology, and build a security threat intelligence platform.

The race of speed between attack and defense! Speed! Speed! And more speed!
[Figure: attacker versus defender timeline. Attacker side: Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Leap Frog Attacks Complete, Discovery/Persistence, Maintain Foothold, Attacker Surveillance, Cover-up Starts, Cover-up Complete. Defender side: Attack Forecast, Physical Security, Monitoring & Controls, Defender Discovery, Attack Identified, Threat Analysis, Incident Reporting, Impact Analysis, Damage Identification, Response, Containment & Eradication, System Reaction, Recovery. The interval between the intrusion and the defender's discovery is labelled ATTACKER FREE TIME; the slide's point is the need to collapse that free time.]

What is security threat intelligence? Some buzzwords:
- Security Intelligence
- Threat Intelligence
- Security Threat Intelligence
- Cyber Threat Information Sharing
- Intelligence Aware
- Intelligence Driven
- Intelligence-Aware Security Control
- Context Aware
- Reputation databases
- OSINT

External security threat intelligence sources (open-source and commercial):
Dell SecureWorks, RSA NetWitness Live, Verisign iDefense, Symantec DeepSight, McAfee Threat Intelligence, SANS, CVEs, CWEs, OSVDB (vulnerabilities), iSight Partners, ThreatStream, OpenDNS, MAPP, IBM QRadar, Palo Alto Wildfire, Crowdstrike, AlienVault OTX, RecordedFuture, Team Cymru, ISACs / US-CERT, FireEye / Mandiant, Vorstack, CyberUnited, Norse IPViking/Darklist.

Internal security threat intelligence sources (providing security context):
- Directory user information (personal e-mail, access, user privilege, start/end date)
- Proxy information (content)
- DLP & business unit risk (trade secrets/IP, sensitive docs)
- IT case history / ticket tracking
- Malware detection / AV alerts
- Sensitive business roles
- Application usage & consumption events (in-house)
- Database usage/access monitoring (privileged)
- Entitlements / access outliers (in-house)
- User behavior association based on geography, frequency, uniqueness, and privilege

Intelligence platforms: Threat intelligence platforms (TIPs)
It is forecast that by 2018, 50% of leading organizations and MSSPs will use TIP platforms based on MRTI (currently less than 5%).

Application example: RSA NetWitness Live
- Live gathers the best advanced threat intelligence and content in the global security community.
- Live Manager provides a configurable manager with a dashboard.
- Aggregates & consolidates only the most pertinent information.
- Transparent integration with customers' live and recorded network traffic.

Application example: RSA NetWitness Live (feeds)
RSA Fraudaction Domains, RSA Fraudaction IP, NW APT Attachments, NW APT IP, NW APT Domains, NW Suspicious IP Intel, NW Criminal VPN Entry Domains, NW Criminal VPN Entry IP, NW Criminal VPN Exit IP, NW Criminal VPN Exit Domains, NW Criminal SOCKS Nodes, NW Criminal SOCKS User IPs, NW Insider Threat Domains, NW Insider Threat IP, APT Filenames, Palevo Tracker IP, Palevo Tracker Domains, QakBot C2 Domains, Critical Intelligence Domains (SCADA), Critical Intelligence IPs (SCADA), Dynamic DNS Domains, TOR Exit Nodes, TOR Nodes, eFax sites (data leakage), iDefense Threat Indicators, ISEC Exposure Blacklist Domains.

Application example: IBM QRadar SIP
- Bridges silos
- Highly scalable
- Flexible & adaptable
- Easy deployment
- Rapid time to value
- Operational efficiency
- Proactive threat management
- Identifies critical anomalies
- Rapid, extensive impact analysis

Application example: IBM QRadar SIP. Context and correlation drive the deepest insight:
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight.
- Data sources: Database Activity, Servers & Mainframes, Users & Identities, Vulnerability Info, Configuration Info, Security Devices, Network & Virtual Activity, Application Activity.
- Event Correlation: Logs, Flows, IP Reputation, Geo Location.
- Activity Baselining & Anomaly Detection: User Activity, Database Activity, Application Activity, Network Activity.
- Suspected Incidents, then Offense Identification scored on Credibility, Severity, Relevance.

Application example: IBM QRadar SIP. Fully Integrated Security Intelligence:
- Log Management: turnkey log management; SME to Enterprise; upgradeable to enterprise SIEM.
- SIEM: integrated log, threat, risk & compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow.
- Risk & Configuration Management: predictive threat modeling & simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis.
- Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated with SIEM.
- Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight; physical and virtual environments.

Application example: McAfee Threat Intelligence

Building a security threat intelligence system. Standards are the best reference for building it:
- STIX - Structured Threat Information eXpression
- TAXII - Trusted Automated eXchange of Indicator Information
- CybOX - Cyber Observable eXpression
- MAEC - Malware Attribute Enumeration and Characterization
- OpenIOC - open-sourced schema from Mandiant
- IODEF - Incident Object Description Exchange Format
- CIF - Collective Intelligence Framework
- IDXWG - Incident Data eXchange Working Group

Comparison of the main protocols and standards

A brief analysis of the key points of the STIX standard
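To make the deck's correlation idea concrete (external machine-readable indicators such as STIX patterns, matched against internal logs and enriched with directory context, then scored on credibility, severity and relevance as on the QRadar slide), here is an added Python example that is not part of the original presentation and is not vendor code. Every indicator value, log line, privilege level and scoring weight is constructed for illustration; the indicator ids are simplified and not real STIX UUID-based ids.

```python
import re

# Constructed STIX-2-style indicators (documentation address ranges only, no real IoCs).
INDICATORS = [
    {"id": "indicator--c2-ip", "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "confidence": 85, "labels": ["c2"], "severity": 8},
    {"id": "indicator--phish-dom", "pattern": "[domain-name:value = 'login.example.net']",
     "confidence": 60, "labels": ["phishing"], "severity": 5},
    {"id": "indicator--tor-exit", "pattern": "[ipv4-addr:value = '198.51.100.77']",
     "confidence": 40, "labels": ["anonymization"], "severity": 3},
]

# Constructed proxy log lines (one of the deck's internal sources): time user src_ip dest_host dest_ip
PROXY_LOGS = """\
2014-06-01T09:00:01 alice 10.0.0.12 cdn.example.org 192.0.2.10
2014-06-01T09:00:07 bob 10.0.0.15 login.example.net 203.0.113.5
2014-06-01T09:00:09 svc-backup 10.0.0.20 updates.example.org 198.51.100.77
"""

# Constructed directory context (user privilege level 1..5), the deck's "directory user information".
USER_PRIVILEGE = {"alice": 1, "bob": 2, "svc-backup": 5}

# Only the simplest single-comparison STIX patterns are handled here.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")

def compile_indicators(indicators):
    """Turn single-comparison STIX patterns into (object type, value, indicator) tuples."""
    out = []
    for ind in indicators:
        m = PATTERN_RE.fullmatch(ind["pattern"])
        if m:
            out.append((m.group(1), m.group(2), ind))
    return out

def correlate(log_text, indicators, privilege):
    """Match each proxy line against the indicators and return offenses ranked by a
    constructed credibility x severity x relevance score (weights are illustrative)."""
    compiled = compile_indicators(indicators)
    offenses = []
    for line in log_text.splitlines():
        ts, user, _src, host, dst = line.split()
        for obj_type, value, ind in compiled:
            observed = dst if obj_type == "ipv4-addr" else host
            if observed == value:
                credibility = ind["confidence"] / 100      # trust in the intelligence source
                severity = ind["severity"]                  # impact class carried by the indicator
                relevance = privilege.get(user, 1) / 5      # how important the affected user is
                score = round(credibility * severity * (1 + relevance), 2)
                offenses.append({"time": ts, "user": user, "indicator": ind["id"],
                                 "labels": ind["labels"], "score": score})
    return sorted(offenses, key=lambda o: o["score"], reverse=True)
```

A single proxy line can raise several offenses (bob's request hits both a domain and an IP indicator), which is why the ranking step matters before an analyst sees the queue.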