Responsive image
博碩士論文 etd-0618122-114723 詳細資訊
Title page for etd-0618122-114723
Adopting Security Orchestration Automation and Response to Improve the Efficiency of Security Operation Center – a Case Study of C Company
Year, semester
Number of pages
Advisory Committee
Date of Exam
Date of Submission
Security Orchestration Automation and Response, Security Operation Center, Threat Intelligence Platform, Automation, Analyst
本論文已被瀏覽 405 次,被下載 164
The thesis/dissertation has been browsed 405 times, has been downloaded 164 times.
英國前首相 溫斯頓丘吉爾說:“建造會需要花費多年的時間來完成一項艱鉅的任務,但破壞只須是一天的輕率行為”。此說法也適合用在現今的網路攻擊,因現在企業資安防禦預算所需的投資,與網路攻擊所需的資源無法成正比。駭客可能只需寄一封信件,就有機會讓企業員工無意點擊並下載後門程式,進入到內部執行竊取、破壞及癱瘓等非常行為。因此,如何有效率的阻擋惡意連線,避免內部員工因誤執行導致連線C&C,是現今企業所需要面臨的問題。
然而阻擋也只是治標不治本,所謂“知己知彼,百戰不殆” -孫子兵法。企業更需要的是瞭解該位址(IP)及網域(Domain Name) 的攻擊手法及入侵的管道等威脅情資。再透過這些威脅情資上下文的資訊,來制訂資安防禦的解決方案,方能有效的改善企業內部弱點及漏洞,降低企業突破口的數量。
Former British prime minister Winston Churchill said, “To build may have to be the slow and laborious task of years. To destroy can be the thoughtless act of a single day.” This statement is also applicable to today's cyber attacks, Because the investment required by the enterprise information security defense budget is not proportional to the resources required for cyber attacks. Hackers may only need to send a letter, and have the opportunity to let corporate employees click and download backdoor programs unintentionally, and enter into the interior to perform extraordinary behaviors such as stealing, sabotage, and network meltdown. Therefore, how to effectively block malicious connections and prevent internal employees from connecting to C&C due to misexecution is a problem that enterprises need to face today.
However, blocking is only a temporary solution, not the root cause, The so-called "Know yourself and know the enemy, you will not be imperiled in a hundred battles." - The Art of War. What enterprises need more is to understand the threat information such as the IP and Domain Name, the attack method and the intrusion pipeline. Then, through the information in the context of these threat intelligence, we can formulate solutions for information security defense, which can effectively improve the internal weaknesses and loopholes of the enterprise and reduce the number of enterprise security breach.
Therefore, in order to improve the internal information security defense capabilities of enterprises, in addition to the need for automated information security solutions, they also need a reputation rating platform that analyzes files, IPs and domain name. The platform also provides information security engineers with security news, threat intelligence and ways to analyze suspicious attacks.
目次 Table of Contents
論文審定書 i
誌謝 ii
中文摘要 iii
Abstract iv
第一章、 緒論 1
一、 研究背景 1
二、 研究動機與目的 2
(一)、 因連線方式改變,無法快速且有效的阻擋威脅連線 3
(二)、 威脅情資發散,增加資安工程師分析時間 3
三、 資安協作自動化變應(SOAR) 4
第二章、 文獻探討 6
一、 資訊安全監控中心(Security Operation Center,SOC) 6
(一)、 一線監控團隊(Tier1) 6
(二)、 二線分析團隊(Tier2) 6
(三)、 三線鑑識團隊(Tier3) 6
二、 資安協作自動化變應(SOAR)技術與架構 7
(一)、 SOAR 的定義 7
(二)、 SOAR 的架構 8
第三章、 研究方法 11
一、 研究方法選擇 11
二、 研究架構 11
(一)、 研究架構說明 11
(二)、 名詞定義 12
三、 研究對象 12
四、 研究貢獻 13
五、 研究限制 13
(一)、 C公司導入進度 13
(二)、 支援設備 13
(三)、 因應未來發展而導致架構不同 14
第四章、 個案研究 15
一、 情境一:自動化 15
(一)、 情境描述 15
(二)、 個案分析 15
(三)、 研究驗證 17
(四)、 外在因素影響 22
(五)、 改善效益 23
二、 情境二:威脅情資平台 24
(一)、 情境描述 24
(二)、 個案分析 24
(三)、 研究驗證 27
(四)、 改善效益 38
第五章、 結論成果 39
一、 研究結論 39
(一)、 情境一 40
(二)、 情境二 40
二、 後續研究與建議 40
參考文獻 42

參考文獻 References
[1]. Raj Samani(2021).Advance Threat research report. McAfee. Available from:
[2]. Kaspersky. What is threat intelligence? Definition and explanationWhat is threat intelligence. Definition and explanationWhat is threat intelligence? Definition and explanation. Available from:
[3]. 臺灣法務(2021). 臺灣資通安全法.Available from:
[4]. NetWitness(2021).Threat Intelligence: The Key to Higher. Available from:
[5]. Splunk. What Is a Security Operations Center (SOC)?. Available from:
[6]. CheckPoint(2020). COVID-19 Pandemic Drives Criminal and Political Cyber-Attacks Across Networks, Cloud and Mobile in H1 2020. from:
[7]. Andrea Fumagalli(2020).How SOAR improves the performance of а SOC team. Sumo Logic. Available from:
[8]. PaloAlto. What Is a SOC .Available from:
[9]. Trellix. What Is a Security Operations Center (SOC). Available from:
[10]. Gartner(2017).Innovation Insight for Security Orchestration, Automation and Response. Available from:
[11]. Sharon Shea.SOAR (security orchestration, automation and response).Techtarget. Available from:
[12]. Cynet. Incident Response Platform: The Road to Automating IR. Available from:
[13]. iSIGHT. Executive Perspectives on Cyber Threat Intelligence .Available from:
[14]. Zane Pokorny(2019).2 Common SOAR Problems Threat Intelligence Can Solve. Recordedfuture. Available from:
[15]. Gartner(2020). Market Guide for Security Orchestration, Automation and Response Solutions. Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski. Available from:
[16]. ISO(2021). The cybersecurity skills gap. Clare Naden. Available from:
[17]. CrowdStrike(2022). What is Cyber Threat Intelligence. Kurt Baker. Available from:
[18]. Scott Simkin(2020). Redefining Security Orchestration and Automation with Cortex XSOAR .Paloalto. Available from:
[19]. Yin, R.K. (1994). Case Study Research Design and Methods 2nded, Sage Publications. Available from:
[20]. Microsoft(2022). 安全性權杖. Available from:
[21]. Internet Assigned Numbers Authority(2022). Service Name and Transport Protocol Port Number Registry. Available from:
[22]. Rahul Vast, Shruti Sawant, Aishwarya Thorbole, Vishal Badgujar(2021). Artificial Intelligence based Security Orchestration, Automation and Response System. Available from:
電子全文 Fulltext
論文使用權限 Thesis access permission:校內校外完全公開 unrestricted
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available

紙本論文 Printed copies
開放時間 available 已公開 available

QR Code