Executive Summary
Today’s cybersecurity operations center (CSOC) should have everything it needs to mount a competent defense of the ever-changing information technology (IT) enterprise. This includes a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals. Yet, most CSOCs continue to fall short in keeping the adversary—even the unsophisticated one—out of the enterprise.
Today's cybersecurity operations center (CSOC) needs to be fully prepared to cope with the ever-changing IT landscape. This requires an array of sophisticated intrusion detection and protection technologies, broad security intelligence, and staff who keep pace with the times. Yet most CSOCs still find themselves on the losing side of the contest, even against the least sophisticated adversary.
The deck is clearly stacked against the defenders. While the adversary must discover only one way in, the defenders must defend all ways in, limit and assess damage, and find and remove adversary points of presence in enterprise systems. And cybersecurity experts increasingly recognize that sophisticated adversaries can and will establish lasting footholds in enterprise systems. If this situation were not bad enough, more often than not, we are our own worst enemy. Many CSOCs expend more energy battling politics and personnel issues than they do identifying and responding to cyber attacks. All too often, CSOCs are set up and operate with a focus on technology, without adequately addressing people and process issues. The main premise of this book is that a more balanced approach would be more effective.
The balance of the contest seems to tilt against the defenders. The attacker needs to find only one way in to achieve their goal, while the defenders must cover every angle, limit the damage, and find the weaknesses in their systems that the attacker exploited. Information security experts have come to recognize that advanced attackers can establish lasting footholds in enterprise systems. And that is not the worst of it: the defenders' greatest enemy is often themselves. Many CSOCs spend more energy and time on setting policy and on personnel issues than on contending with attackers. Most of the time a CSOC is set up with its feet planted mainly on the technology side, and management concerns such as personnel and policy-making receive too little consideration. This book focuses on balancing the two so that they reach a better equilibrium.
This book describes the ten strategies of effective CSOCs—regardless of their size, offered capabilities, or type of constituency served. The strategies are:
1. Consolidate functions of incident monitoring, detection, response, coordination, and computer network defense tool engineering, operation, and maintenance under one organization: the CSOC.
2. Achieve balance between size and visibility/agility, so that the CSOC can execute its mission effectively.
3. Give the CSOC the authority to do its job through effective organizational placement and appropriate policies and procedures.
4. Focus on a few activities that the CSOC practices well and avoid the ones it cannot or should not do.
5. Favor staff quality over quantity, employing professionals who are passionate about their jobs, provide a balance of soft and hard skills, and pursue opportunities for growth.
6. Realize the full potential of each technology through careful investment and keen awareness of—and compensation for—each tool’s limitations.
7. Exercise great care in the placement of sensors and collection of data, maximizing signal and minimizing noise.
8. Carefully protect CSOC systems, infrastructure, and data while providing transparency and effective communication with constituents.
9. Be a sophisticated consumer and producer of cyber threat intelligence, by creating and trading in cyber threat reporting, incident tips and signatures with other CSOCs.
10. Respond to incidents in a calm, calculated, and professional manner.
In this book, we describe each strategy in detail, including how they crosscut elements of people, process, and technology. We deeply explore specific areas of concern for CSOCs, ranging from how many analysts a CSOC needs to where to place sensor technologies.
This book introduces ten strategies that are effective for any cybersecurity operations center, whatever its size, the services it offers, or the domain it protects:
1. The CSOC's responsibilities cover incident monitoring, investigation, response, and coordination, together with the design and development, operation, and maintenance of computer network defense systems.
2. Balance the CSOC's size against its capability and agility so that it can carry out its mission more effectively.
3. Give the CSOC sufficient authority to carry out its functions efficiently, and with proper justification, across the enterprise's departments.
4. Let the CSOC concentrate on the functions it can perform well rather than taking on ones beyond its scope.
5. In selecting staff, emphasize quality over quantity: recruit professionals who are passionate about their work, give balanced weight to soft and hard skills, and provide staff with enough room to grow.
6. Understand each technology or tool you adopt in depth: know its full potential as well as its limitations and how to compensate for them.
7. Revise the placement and tuning of sensors repeatedly to maximize signal and minimize noise.
8. Carefully protect the CSOC's systems, architecture, and data, while maintaining transparent and efficient communication between departments.
9. Be a mature consumer and producer of cyber threat intelligence: create and exchange threat reporting, and trade incident characteristics and signatures with other CSOCs.
10. Report on security incidents calmly, objectively, deliberately, and professionally.
The book discusses each of these points in greater depth and detail, including how they coordinate the relationship among people, process, and technology. We also look closely at specific areas of the CSOC, such as how many staff are needed to build one and where to deploy sensing devices.