論文使用權限 Thesis access permission:校內校外完全公開 unrestricted
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available
博碩士論文 etd-0618122-114723 詳細資訊
Title page for etd-0618122-114723
論文名稱 Title |
運用資安協作自動化變應以提高資安營運中心效率–以C公司為個案研究 Adopting Security Orchestration Automation and Response to Improve the Efficiency of Security Operation Center – a Case Study of C Company |
||
系所名稱 Department |
|||
畢業學年期 Year, semester |
語文別 Language |
||
學位類別 Degree |
頁數 Number of pages |
53 |
|
研究生 Author |
|||
指導教授 Advisor |
|||
召集委員 Convenor |
|||
口試委員 Advisory Committee |
|||
口試日期 Date of Exam |
2022-07-14 |
繳交日期 Date of Submission |
2022-07-18 |
關鍵字 Keywords |
資安協作自動化變應、安全營運中心、威脅情資平台、自動化、分析師 Security Orchestration Automation and Response, Security Operation Center, Threat Intelligence Platform, Automation, Analyst |
||
統計 Statistics |
本論文已被瀏覽 410 次,被下載 164 次 The thesis/dissertation has been browsed 410 times, has been downloaded 164 times. |
中文摘要 |
英國前首相 溫斯頓丘吉爾說:“建造會需要花費多年的時間來完成一項艱鉅的任務,但破壞只須是一天的輕率行為”。此說法也適合用在現今的網路攻擊,因現在企業資安防禦預算所需的投資,與網路攻擊所需的資源無法成正比。駭客可能只需寄一封信件,就有機會讓企業員工無意點擊並下載後門程式,進入到內部執行竊取、破壞及癱瘓等非常行為。因此,如何有效率的阻擋惡意連線,避免內部員工因誤執行導致連線C&C,是現今企業所需要面臨的問題。 然而阻擋也只是治標不治本,所謂“知己知彼,百戰不殆” -孫子兵法。企業更需要的是瞭解該位址(IP)及網域(Domain Name) 的攻擊手法及入侵的管道等威脅情資。再透過這些威脅情資上下文的資訊,來制訂資安防禦的解決方案,方能有效的改善企業內部弱點及漏洞,降低企業突破口的數量。 因此,企業要提高內部的資安防禦能力,除了需要自動化的資安解決方案外,也需要一個具有分析檔案、IP及網域的信譽評等平台,該平台亦彙整資安新聞及情報,可提供資安工程師分析可疑的攻擊手法的威脅情資平台。 |
Abstract |
Former British prime minister Winston Churchill said, “To build may have to be the slow and laborious task of years. To destroy can be the thoughtless act of a single day.” This statement is also applicable to today's cyber attacks, Because the investment required by the enterprise information security defense budget is not proportional to the resources required for cyber attacks. Hackers may only need to send a letter, and have the opportunity to let corporate employees click and download backdoor programs unintentionally, and enter into the interior to perform extraordinary behaviors such as stealing, sabotage, and network meltdown. Therefore, how to effectively block malicious connections and prevent internal employees from connecting to C&C due to misexecution is a problem that enterprises need to face today. However, blocking is only a temporary solution, not the root cause, The so-called "Know yourself and know the enemy, you will not be imperiled in a hundred battles." - The Art of War. What enterprises need more is to understand the threat information such as the IP and Domain Name, the attack method and the intrusion pipeline. Then, through the information in the context of these threat intelligence, we can formulate solutions for information security defense, which can effectively improve the internal weaknesses and loopholes of the enterprise and reduce the number of enterprise security breach. Therefore, in order to improve the internal information security defense capabilities of enterprises, in addition to the need for automated information security solutions, they also need a reputation rating platform that analyzes files, IPs and domain name. The platform also provides information security engineers with security news, threat intelligence and ways to analyze suspicious attacks. |
目次 Table of Contents |
目錄 論文審定書 i 誌謝 ii 中文摘要 iii Abstract iv 第一章、 緒論 1 一、 研究背景 1 二、 研究動機與目的 2 (一)、 因連線方式改變,無法快速且有效的阻擋威脅連線 3 (二)、 威脅情資發散,增加資安工程師分析時間 3 三、 資安協作自動化變應(SOAR) 4 第二章、 文獻探討 6 一、 資訊安全監控中心(Security Operation Center,SOC) 6 (一)、 一線監控團隊(Tier1) 6 (二)、 二線分析團隊(Tier2) 6 (三)、 三線鑑識團隊(Tier3) 6 二、 資安協作自動化變應(SOAR)技術與架構 7 (一)、 SOAR 的定義 7 (二)、 SOAR 的架構 8 第三章、 研究方法 11 一、 研究方法選擇 11 二、 研究架構 11 (一)、 研究架構說明 11 (二)、 名詞定義 12 三、 研究對象 12 四、 研究貢獻 13 五、 研究限制 13 (一)、 C公司導入進度 13 (二)、 支援設備 13 (三)、 因應未來發展而導致架構不同 14 第四章、 個案研究 15 一、 情境一:自動化 15 (一)、 情境描述 15 (二)、 個案分析 15 (三)、 研究驗證 17 (四)、 外在因素影響 22 (五)、 改善效益 23 二、 情境二:威脅情資平台 24 (一)、 情境描述 24 (二)、 個案分析 24 (三)、 研究驗證 27 (四)、 改善效益 38 第五章、 結論成果 39 一、 研究結論 39 (一)、 情境一 40 (二)、 情境二 40 二、 後續研究與建議 40 參考文獻 42 |
參考文獻 References |
參考文獻 [1]. Raj Samani(2021).Advance Threat research report. McAfee. Available from: https://www.mcafee.com/enterprise/en-us/lp/threats-reports/oct-2021.html [2]. Kaspersky. What is threat intelligence? Definition and explanationWhat is threat intelligence. Definition and explanationWhat is threat intelligence? Definition and explanation. Available from:https://www.kaspersky.com/resource-center/definitions/threat-intelligence [3]. 臺灣法務(2021). 臺灣資通安全法.Available from:https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=A0030304 [4]. NetWitness(2021).Threat Intelligence: The Key to Higher. Available from:https://www.netwitness.com/wp-content/uploads/2021/12/threat-intelligence-the-key-to-higher-security-operation-performance.pdf [5]. Splunk. What Is a Security Operations Center (SOC)?. Available from:https://www.splunk.com/en_us/data-insider/what-is-a-security-operations-center.html [6]. CheckPoint(2020). COVID-19 Pandemic Drives Criminal and Political Cyber-Attacks Across Networks, Cloud and Mobile in H1 2020. from:https://www.checkpoint.com/press/2020/check-point-research-covid-19-pandemic-drives-criminal-and-political-cyber-attacks-across-networks-cloud-and-mobile-in-h1-2020/ [7]. Andrea Fumagalli(2020).How SOAR improves the performance of а SOC team. Sumo Logic. Available from: https://www.sumologic.com/blog/how-soar-improves-soc-team/ [8]. PaloAlto. What Is a SOC .Available from: https://www.paloaltonetworks.com/cyberpedia/what-is-a-soc [9]. Trellix. What Is a Security Operations Center (SOC). Available from: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [10]. Gartner(2017).Innovation Insight for Security Orchestration, Automation and Response. Available from: https://www.gartner.com/en/documents/3834578 [11]. Sharon Shea.SOAR (security orchestration, automation and response).Techtarget. Available from: https://searchsecurity.techtarget.com/definition/SOAR [12]. Cynet. Incident Response Platform: The Road to Automating IR. Available from: https://www.cynet.com/incident-response-services/incident-response-platform-the-road-to-automating-ir/#what [13]. iSIGHT. Executive Perspectives on Cyber Threat Intelligence .Available from: https://scadahacker.com/library/Documents/Threat_Intelligence/iSight%20Partners%20-%20Executive%20Perspectives%20on%20Cyber%20Threat%20Intelligence.pdf [14]. Zane Pokorny(2019).2 Common SOAR Problems Threat Intelligence Can Solve. Recordedfuture. Available from: https://www.recordedfuture.com/common-soar-problems/ [15]. Gartner(2020). Market Guide for Security Orchestration, Automation and Response Solutions. Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski. Available from: https://www.paloaltonetworks.com/blog/2020/10/secops-gartner-soar-solutions/ [16]. ISO(2021). The cybersecurity skills gap. Clare Naden. Available from: https://www.iso.org/news/ref2655.html [17]. CrowdStrike(2022). What is Cyber Threat Intelligence. Kurt Baker. Available from:https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/ [18]. Scott Simkin(2020). Redefining Security Orchestration and Automation with Cortex XSOAR .Paloalto. Available from: https://www.paloaltonetworks.com/blog/2020/02/cortex-xsoar/ [19]. Yin, R.K. (1994). Case Study Research Design and Methods 2nded, Sage Publications. Available from: https://iwansuharyanto.files.wordpress.com/2013/04/robert_k-_yin_case_study_research_design_and_mebookfi-org.pdf [20]. Microsoft(2022). 安全性權杖. Available from:https://docs.microsoft.com/zh-tw/azure/active-directory/develop/security-tokens [21]. Internet Assigned Numbers Authority(2022). Service Name and Transport Protocol Port Number Registry. Available from:https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=4089 [22]. Rahul Vast, Shruti Sawant, Aishwarya Thorbole, Vishal Badgujar(2021). Artificial Intelligence based Security Orchestration, Automation and Response System. Available from: https://ieeexplore.ieee.org/abstract/document/9418109/authors#authors |
電子全文 Fulltext |
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。 |
紙本論文 Printed copies |
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。 開放時間 available 已公開 available |
QR Code |
國立中山大學 圖書與資訊處 │ 諮詢服務:2452 論文審查小組 │ 服務信箱 │ 系統開發維運:圖資處知識創新組
Office of Library and Information Services, National Sun Yat-sen University │ Contact Us : 2452 Thesis Format Review Team , Mail │ Development and operations : Knowledge Innovation Division, LIS