Network-connected end devices remain a major cybersecurity point of vulnerability.

網(wǎng)絡(luò)連接的終端設(shè)備仍然是主要的網(wǎng)絡(luò)安全漏洞點(diǎn)。

Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.

網(wǎng)絡(luò)訪(fǎng)問(wèn)控制（NAC）技術(shù)提供了封鎖網(wǎng)絡(luò)訪(fǎng)問(wèn)的能力，在某種程度上，這是其他網(wǎng)絡(luò)防御產(chǎn)品無(wú)法做到的。

Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.

當(dāng)今企業(yè)中的網(wǎng)絡(luò)威脅主要集中在整個(gè)網(wǎng)絡(luò)連接設(shè)備范圍內(nèi)的多個(gè)攻擊面上。

Over the past few years, the number of endpoint attack surfaces has expanded considerably.

在過(guò)去幾年中，終端攻擊面的數(shù)量已經(jīng)大大增加。

This trend is expected to continue and increase exponentially in the years immediately ahead.

預(yù)計(jì)這一趨勢(shì)將在未來(lái)幾年繼續(xù)呈指數(shù)級(jí)增長(zhǎng)。

Endpoint attack surfaces are expanding in terms of client platform diversity, and include:

終端攻擊面在客戶(hù)端平臺(tái)多樣性方面正在擴(kuò)展，包括：

• “Traditional” stationary desktop devices
• “傳統(tǒng)”固定桌面設(shè)備
• once the majority
• 曾經(jīng)占多數(shù)
• now increasingly in the minority of device types
• 現(xiàn)在越來(lái)越多的設(shè)備類(lèi)型

• The explosion of mobile device types and numbers, from laptops to tablets to smartphones
• 從筆記本電腦到平板電腦再到智能手機(jī)，移動(dòng)設(shè)備類(lèi)型和數(shù)量激增
• Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
• 員工、承包商和供應(yīng)商擁有的“BYOD”（自帶設(shè)備）設(shè)備需要網(wǎng)絡(luò)訪(fǎng)問(wèn)
• Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)
• 需要網(wǎng)絡(luò)連接（有線(xiàn)和無(wú)線(xiàn)）的“IoT”（物聯(lián)網(wǎng)）設(shè)備數(shù)量呈指數(shù)增長(zhǎng)

And also in terms of platform depth:

而且在平臺(tái)深度方面：

• Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
• 多個(gè)操作系統(tǒng)平臺(tái)（Windows，OSX，iOS，Android，Linux）和版本
• Multiple application and database platforms (OpenStack and proprietary)
• 多個(gè)應(yīng)用程序和數(shù)據(jù)庫(kù)平臺(tái)（OpenStack和專(zhuān)利）
• Multiple storage technologies (SAN, NAS, DAS, Cloud)
• 多種存儲(chǔ)技術(shù)（SAN，NAS，DAS，云）
• Both wired and wireless connections
• 有線(xiàn)和無(wú)線(xiàn)連接
• Multiple device configurations
• 多個(gè)設(shè)備配置

Each specific device and platform provides its own unique set of attack surface vulnerabilities.

每個(gè)特定的設(shè)備和平臺(tái)都提供了自己獨(dú)特的攻擊面漏洞集。

All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.

所有這些都需要從網(wǎng)絡(luò)連接的角度進(jìn)行積極的管理，以確保它們不會(huì)對(duì)企業(yè)環(huán)境構(gòu)成威脅。

This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.

這需要確保所有設(shè)備都能夠被準(zhǔn)確識(shí)別，所有設(shè)備都經(jīng)過(guò)適當(dāng)?shù)男扪a(bǔ)和更新，以確保O / S和應(yīng)用程序級(jí)漏洞得到修復(fù)，并且設(shè)備使用最新的反惡意軟件/防病毒軟件定義獲得網(wǎng)絡(luò)訪(fǎng)問(wèn)權(quán)限。

Current cybersecurity trends

當(dāng)前的網(wǎng)絡(luò)安全趨勢(shì)

• Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
• 網(wǎng)絡(luò)安全最佳實(shí)踐長(zhǎng)期以來(lái)一直采用主動(dòng)的設(shè)備管理方法。有許多工具可以實(shí)現(xiàn)這一目標(biāo)，但近年來(lái)經(jīng)歷的持續(xù)網(wǎng)絡(luò)入侵、數(shù)據(jù)泄露和業(yè)務(wù)中斷表明，終端設(shè)備管理仍然是企業(yè)和組織環(huán)境中的一個(gè)重大弱點(diǎn)，無(wú)論大小
• Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
• 勒索軟件專(zhuān)注于利用網(wǎng)絡(luò)客戶(hù)端終端的漏洞，在2013年至2016年間迅速增長(zhǎng)，目前每年的勒索支付額約為10億美元。
• Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
• 在過(guò)去的3年中，電子郵件釣魚(yú)攻擊的利潤(rùn)率仍然更高，每年為17億美元。
• Both ransomware and email exploits focus on the endpoint
• 勒索軟件和電子郵件攻擊都集中在終端上
• Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
• 此外，預(yù)計(jì)未來(lái)幾年物聯(lián)網(wǎng)設(shè)備的數(shù)量將呈指數(shù)級(jí)增長(zhǎng)（這一過(guò)程已在進(jìn)行中），企業(yè)網(wǎng)絡(luò)連接的數(shù)量也將相應(yīng)增加
• The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021 from 10 billion today), and will not be possible to manage via manual means (ie responding as needed to all alerts, scanning traffic in real-time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
• 物聯(lián)網(wǎng)設(shè)備產(chǎn)生的網(wǎng)絡(luò)流量將不同于任何現(xiàn)有經(jīng)驗(yàn)（預(yù)計(jì)到2021年將有250億臺(tái)設(shè)備從現(xiàn)在的100億臺(tái)設(shè)備增加到現(xiàn)在的250億臺(tái)），并且無(wú)法通過(guò)手動(dòng)方式進(jìn)行管理（即根據(jù)需要對(duì)所有警報(bào)作出響應(yīng)，實(shí)時(shí)或以日志形式掃描流量）。需要基于策略的自動(dòng)和“預(yù)先規(guī)定”安全管理。NAC解決方案提供這種能力。
• The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
• 網(wǎng)絡(luò)防御的成本繼續(xù)攀升，預(yù)計(jì)將繼續(xù)攀升。我們甚至不知道目前的網(wǎng)絡(luò)犯罪活動(dòng)給我們?cè)斐闪硕啻蟮膿p失，但最近華爾街日?qǐng)?bào)保守估計(jì)，2017年每年的損失為2億美元（其他估計(jì)從3美元到6億美元不等，預(yù)計(jì)到2021年會(huì)達(dá)到更高的水平）。
• In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020
• 就企業(yè)每年在網(wǎng)絡(luò)安全防御產(chǎn)品上的支出而言，據(jù)估計(jì)， 2015年全球網(wǎng)絡(luò)安全支出為75億美元; 預(yù)計(jì)2017年將增加至100億美元; 到2020年進(jìn)一步達(dá)到200億美元

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.

簡(jiǎn)而言之，攻擊面迅速擴(kuò)大，漏洞仍然是一個(gè)主要問(wèn)題，網(wǎng)絡(luò)安全成本明顯失控，企業(yè)成功應(yīng)對(duì)這些挑戰(zhàn)的能力仍然不足 - 通常以最簡(jiǎn)單的方式。實(shí)際上，大多數(shù)重大漏洞都是由于操作系統(tǒng)和各種應(yīng)用程序組件的更新和修補(bǔ)方面的操作不足造成的。除此之外：思科估計(jì)即使IT部門(mén)通過(guò)監(jiān)控和警報(bào)提醒潛在問(wèn)題，實(shí)際上只有56％的活動(dòng)警報(bào)得到響應(yīng)。

Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.

顯然，從任何組織的網(wǎng)絡(luò)安全角度對(duì)網(wǎng)絡(luò)連接設(shè)備進(jìn)行有效的運(yùn)營(yíng)管理都需要嚴(yán)格和嚴(yán)格地協(xié)調(diào)正確的工具，技術(shù)，人員和流程。NAC技術(shù)為企業(yè)構(gòu)建現(xiàn)代有效的網(wǎng)絡(luò)防御框架提供了必要的關(guān)鍵基礎(chǔ)組件。

NAC As a Key Component of Your Cyber Defense Framework

NAC是您的網(wǎng)絡(luò)防御框架的關(guān)鍵組成部分

At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.

在當(dāng)前的形勢(shì)下，網(wǎng)絡(luò)攻擊已經(jīng)超出了企業(yè)有效應(yīng)對(duì)的能力，顯然需要重新評(píng)估網(wǎng)絡(luò)防御戰(zhàn)略。對(duì)于NAC供應(yīng)商來(lái)說(shuō)，有一個(gè)非常大的機(jī)會(huì)來(lái)提出增加NAC采用率的理由。由于該行業(yè)的總市值（2017年約為6.85億美元）預(yù)計(jì)在未來(lái)3-4年內(nèi)將接近10億美元，因此這一市場(chǎng)是否會(huì)繼續(xù)增長(zhǎng)并不重要，而是取決于增長(zhǎng)的幅度和速度。這就是說(shuō)，媒體對(duì)網(wǎng)絡(luò)防御和網(wǎng)絡(luò)思想領(lǐng)導(dǎo)的最大份額目前集中在看似更新、引人注目的網(wǎng)絡(luò)防御創(chuàng)新上，如基于SIEM和ML-AI的預(yù)測(cè)分析，而不是網(wǎng)絡(luò)訪(fǎng)問(wèn)控制。然而，人們?cè)絹?lái)越認(rèn)識(shí)到，沒(méi)有“一刀切”的辦法來(lái)構(gòu)建有效的網(wǎng)絡(luò)安全防御框架。因此，市場(chǎng)趨勢(shì)是以一種為特定企業(yè)提供最佳解決方案的方式整合網(wǎng)絡(luò)安全產(chǎn)品系列中的工具。鑒于其在提供安全網(wǎng)絡(luò)訪(fǎng)問(wèn)方面的基礎(chǔ)作用，NAC需要處于任何網(wǎng)絡(luò)網(wǎng)絡(luò)防御體系結(jié)構(gòu)的最前沿。

Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.

傳統(tǒng)的戰(zhàn)略和工具也必須集成到這種新的多層網(wǎng)絡(luò)防御方法中。傳統(tǒng)防火墻曾經(jīng)是安全工具包中的主要工具（如果不是唯一的話(huà)），現(xiàn)在被認(rèn)為不足以提供必要的防御屏障。這是因?yàn)?，與許多安全方法一樣，它們只解決了挑戰(zhàn)的一個(gè)方面——在本例中是保護(hù)網(wǎng)絡(luò)外圍。然而，如果有人通過(guò)暴力攻擊或網(wǎng)絡(luò)管理員的簡(jiǎn)單錯(cuò)誤配置而破壞，那么僅外圍安全就不能阻止攻擊在網(wǎng)絡(luò)內(nèi)部橫向傳播。同樣，使用簡(jiǎn)單的終端安全性：當(dāng)終端受到威脅時(shí)，連接到同一網(wǎng)絡(luò)的所有設(shè)備也可能變得非常脆弱。

So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:

因此，盡管人們普遍認(rèn)為需要采取多層次、綜合的方法來(lái)確保有效的網(wǎng)絡(luò)防御，但網(wǎng)絡(luò)安全產(chǎn)品市場(chǎng)已經(jīng)充斥著大量競(jìng)爭(zhēng)產(chǎn)品、平臺(tái)和相互矛盾的主張。Genians有機(jī)會(huì)幫助潛在客戶(hù)，澄清在這個(gè)已經(jīng)變得非?；靵y的市場(chǎng)中最重要的關(guān)鍵安全成分。例如：

• The emergence of “SDP,” or “Software-Defined Perimeter” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
• 出現(xiàn)“SDP”或“軟件定義周界”作為NAC的替代方案。這是一種誤導(dǎo)，因?yàn)樗皇峭ㄟ^(guò)重新定義邊界來(lái)“移動(dòng)邊界”。無(wú)論是基于軟件還是面向硬件，例如傳統(tǒng)防火墻（實(shí)際上是硬件和軟件的組合），僅外圍安全就存在問(wèn)題。總是存在著周界滲透的危險(xiǎn)。SDP也是一種未經(jīng)市場(chǎng)測(cè)試的全新技術(shù)，因此在這一點(diǎn)上，其數(shù)量非常未知。
• CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks
• CASB或云訪(fǎng)問(wèn)安全代理在云客戶(hù)和供應(yīng)商之間提供安全性。特性和功能因云供應(yīng)商而異，因此客戶(hù)必須注意了解其特定的CASB/云供應(yīng)商安全產(chǎn)品的價(jià)值。同樣，安全性需要作為一個(gè)復(fù)雜的、多方面的挑戰(zhàn)來(lái)處理，而不是一個(gè)單一的解決方案可以解決的問(wèn)題。這些云代理解決方案決不應(yīng)被視為全面的防御框架。

Summary

總結(jié)

Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.

云計(jì)算帶來(lái)了極大的靈活性和顯著增加的基礎(chǔ)設(shè)施復(fù)雜性。對(duì)于大多數(shù)企業(yè)來(lái)說(shuō)，重要的是要記住，“云”不是一個(gè)單一的整體，而是一個(gè)包含內(nèi)部和外部組件的物理/虛擬基礎(chǔ)設(shè)施組合平臺(tái)。實(shí)際上，它很可能包括多個(gè)云供應(yīng)商。因此，術(shù)語(yǔ)“混合”和“多云”環(huán)境。

Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.

安全解決方案將需要有效地解決這種新的復(fù)雜性。因此，基于nac、siem和ml/ai的預(yù)測(cè)分析工具最好一起用于聯(lián)合、全面的網(wǎng)絡(luò)防御解決方案。NAC可以在這個(gè)集成框架中發(fā)揮主要的、關(guān)鍵的作用，它可以作為指揮者協(xié)調(diào)來(lái)自SIEM、分析和其他安全工具的所有有意義的信息，以確保在正確的時(shí)間以正確的方式采取行動(dòng)，減輕網(wǎng)絡(luò)威脅。

In summary, enterprises need to:

總之，企業(yè)需要：

• Reevaluate their Cyber Defense Strategy
• 重新評(píng)估他們的網(wǎng)絡(luò)防御策略
• Understand there is No “One Size Fits All” Solution
• 了解沒(méi)有“一刀切”的解決方案
• The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
• “縱深防御”的最佳方法是多層集成
• Beware of Untried Approaches – “The Shiny New Objects”
• 謹(jǐn)防未經(jīng)嘗試的方法-“閃亮的新事物”
• Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor
• 建立NAC作為您的安全框架的中心和基礎(chǔ)——您的網(wǎng)絡(luò)防御指揮官