Network-connected end devices remain a major cybersecurity point of vulnerability.

網(wǎng)絡(luò)連接的終端設(shè)備仍然是主要的網(wǎng)絡(luò)安全漏洞點。

Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.

網(wǎng)絡(luò)訪問控制（NAC）技術(shù)提供了封鎖網(wǎng)絡(luò)訪問的能力，在某種程度上，這是其他網(wǎng)絡(luò)防御產(chǎn)品無法做到的。

Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.

當(dāng)今企業(yè)中的網(wǎng)絡(luò)威脅主要集中在整個網(wǎng)絡(luò)連接設(shè)備范圍內(nèi)的多個攻擊面上。

Over the past few years, the number of endpoint attack surfaces has expanded considerably.

在過去幾年中，終端攻擊面的數(shù)量已經(jīng)大大增加。

This trend is expected to continue and increase exponentially in the years immediately ahead.

預(yù)計這一趨勢將在未來幾年繼續(xù)呈指數(shù)級增長。

Endpoint attack surfaces are expanding in terms of client platform diversity, and include:

終端攻擊面在客戶端平臺多樣性方面正在擴展，包括：

• “Traditional” stationary desktop devices
• “傳統(tǒng)”固定桌面設(shè)備
• once the majority
• 曾經(jīng)占多數(shù)
• now increasingly in the minority of device types
• 現(xiàn)在越來越多的設(shè)備類型

• The explosion of mobile device types and numbers, from laptops to tablets to smartphones
• 從筆記本電腦到平板電腦再到智能手機，移動設(shè)備類型和數(shù)量激增
• Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
• 員工、承包商和供應(yīng)商擁有的“BYOD”（自帶設(shè)備）設(shè)備需要網(wǎng)絡(luò)訪問
• Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)
• 需要網(wǎng)絡(luò)連接（有線和無線）的“IoT”（物聯(lián)網(wǎng)）設(shè)備數(shù)量呈指數(shù)增長

And also in terms of platform depth:

而且在平臺深度方面：

• Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
• 多個操作系統(tǒng)平臺（Windows，OSX，iOS，Android，Linux）和版本
• Multiple application and database platforms (OpenStack and proprietary)
• 多個應(yīng)用程序和數(shù)據(jù)庫平臺（OpenStack和專利）
• Multiple storage technologies (SAN, NAS, DAS, Cloud)
• 多種存儲技術(shù)（SAN，NAS，DAS，云）
• Both wired and wireless connections
• 有線和無線連接
• Multiple device configurations
• 多個設(shè)備配置

Each specific device and platform provides its own unique set of attack surface vulnerabilities.

每個特定的設(shè)備和平臺都提供了自己獨特的攻擊面漏洞集。

All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.

所有這些都需要從網(wǎng)絡(luò)連接的角度進(jìn)行積極的管理，以確保它們不會對企業(yè)環(huán)境構(gòu)成威脅。

This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.

這需要確保所有設(shè)備都能夠被準(zhǔn)確識別，所有設(shè)備都經(jīng)過適當(dāng)?shù)男扪a和更新，以確保O / S和應(yīng)用程序級漏洞得到修復(fù)，并且設(shè)備使用最新的反惡意軟件/防病毒軟件定義獲得網(wǎng)絡(luò)訪問權(quán)限。

Current cybersecurity trends

當(dāng)前的網(wǎng)絡(luò)安全趨勢

• Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
• 網(wǎng)絡(luò)安全最佳實踐長期以來一直采用主動的設(shè)備管理方法。有許多工具可以實現(xiàn)這一目標(biāo)，但近年來經(jīng)歷的持續(xù)網(wǎng)絡(luò)入侵、數(shù)據(jù)泄露和業(yè)務(wù)中斷表明，終端設(shè)備管理仍然是企業(yè)和組織環(huán)境中的一個重大弱點，無論大小
• Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
• 勒索軟件專注于利用網(wǎng)絡(luò)客戶端終端的漏洞，在2013年至2016年間迅速增長，目前每年的勒索支付額約為10億美元。
• Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
• 在過去的3年中，電子郵件釣魚攻擊的利潤率仍然更高，每年為17億美元。
• Both ransomware and email exploits focus on the endpoint
• 勒索軟件和電子郵件攻擊都集中在終端上
• Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
• 此外，預(yù)計未來幾年物聯(lián)網(wǎng)設(shè)備的數(shù)量將呈指數(shù)級增長（這一過程已在進(jìn)行中），企業(yè)網(wǎng)絡(luò)連接的數(shù)量也將相應(yīng)增加
• The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021 from 10 billion today), and will not be possible to manage via manual means (ie responding as needed to all alerts, scanning traffic in real-time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
• 物聯(lián)網(wǎng)設(shè)備產(chǎn)生的網(wǎng)絡(luò)流量將不同于任何現(xiàn)有經(jīng)驗（預(yù)計到2021年將有250億臺設(shè)備從現(xiàn)在的100億臺設(shè)備增加到現(xiàn)在的250億臺），并且無法通過手動方式進(jìn)行管理（即根據(jù)需要對所有警報作出響應(yīng)，實時或以日志形式掃描流量）。需要基于策略的自動和“預(yù)先規(guī)定”安全管理。NAC解決方案提供這種能力。
• The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
• 網(wǎng)絡(luò)防御的成本繼續(xù)攀升，預(yù)計將繼續(xù)攀升。我們甚至不知道目前的網(wǎng)絡(luò)犯罪活動給我們造成了多大的損失，但最近華爾街日報保守估計，2017年每年的損失為2億美元（其他估計從3美元到6億美元不等，預(yù)計到2021年會達(dá)到更高的水平）。
• In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020
• 就企業(yè)每年在網(wǎng)絡(luò)安全防御產(chǎn)品上的支出而言，據(jù)估計， 2015年全球網(wǎng)絡(luò)安全支出為75億美元; 預(yù)計2017年將增加至100億美元; 到2020年進(jìn)一步達(dá)到200億美元

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.

簡而言之，攻擊面迅速擴大，漏洞仍然是一個主要問題，網(wǎng)絡(luò)安全成本明顯失控，企業(yè)成功應(yīng)對這些挑戰(zhàn)的能力仍然不足 - 通常以最簡單的方式。實際上，大多數(shù)重大漏洞都是由于操作系統(tǒng)和各種應(yīng)用程序組件的更新和修補方面的操作不足造成的。除此之外：思科估計即使IT部門通過監(jiān)控和警報提醒潛在問題，實際上只有56％的活動警報得到響應(yīng)。

Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.

顯然，從任何組織的網(wǎng)絡(luò)安全角度對網(wǎng)絡(luò)連接設(shè)備進(jìn)行有效的運營管理都需要嚴(yán)格和嚴(yán)格地協(xié)調(diào)正確的工具，技術(shù)，人員和流程。NAC技術(shù)為企業(yè)構(gòu)建現(xiàn)代有效的網(wǎng)絡(luò)防御框架提供了必要的關(guān)鍵基礎(chǔ)組件。

NAC As a Key Component of Your Cyber Defense Framework

NAC是您的網(wǎng)絡(luò)防御框架的關(guān)鍵組成部分

At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.

在當(dāng)前的形勢下，網(wǎng)絡(luò)攻擊已經(jīng)超出了企業(yè)有效應(yīng)對的能力，顯然需要重新評估網(wǎng)絡(luò)防御戰(zhàn)略。對于NAC供應(yīng)商來說，有一個非常大的機會來提出增加NAC采用率的理由。由于該行業(yè)的總市值（2017年約為6.85億美元）預(yù)計在未來3-4年內(nèi)將接近10億美元，因此這一市場是否會繼續(xù)增長并不重要，而是取決于增長的幅度和速度。這就是說，媒體對網(wǎng)絡(luò)防御和網(wǎng)絡(luò)思想領(lǐng)導(dǎo)的最大份額目前集中在看似更新、引人注目的網(wǎng)絡(luò)防御創(chuàng)新上，如基于SIEM和ML-AI的預(yù)測分析，而不是網(wǎng)絡(luò)訪問控制。然而，人們越來越認(rèn)識到，沒有“一刀切”的辦法來構(gòu)建有效的網(wǎng)絡(luò)安全防御框架。因此，市場趨勢是以一種為特定企業(yè)提供最佳解決方案的方式整合網(wǎng)絡(luò)安全產(chǎn)品系列中的工具。鑒于其在提供安全網(wǎng)絡(luò)訪問方面的基礎(chǔ)作用，NAC需要處于任何網(wǎng)絡(luò)網(wǎng)絡(luò)防御體系結(jié)構(gòu)的最前沿。

Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.

傳統(tǒng)的戰(zhàn)略和工具也必須集成到這種新的多層網(wǎng)絡(luò)防御方法中。傳統(tǒng)防火墻曾經(jīng)是安全工具包中的主要工具（如果不是唯一的話），現(xiàn)在被認(rèn)為不足以提供必要的防御屏障。這是因為，與許多安全方法一樣，它們只解決了挑戰(zhàn)的一個方面——在本例中是保護(hù)網(wǎng)絡(luò)外圍。然而，如果有人通過暴力攻擊或網(wǎng)絡(luò)管理員的簡單錯誤配置而破壞，那么僅外圍安全就不能阻止攻擊在網(wǎng)絡(luò)內(nèi)部橫向傳播。同樣，使用簡單的終端安全性：當(dāng)終端受到威脅時，連接到同一網(wǎng)絡(luò)的所有設(shè)備也可能變得非常脆弱。

So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:

因此，盡管人們普遍認(rèn)為需要采取多層次、綜合的方法來確保有效的網(wǎng)絡(luò)防御，但網(wǎng)絡(luò)安全產(chǎn)品市場已經(jīng)充斥著大量競爭產(chǎn)品、平臺和相互矛盾的主張。Genians有機會幫助潛在客戶，澄清在這個已經(jīng)變得非?；靵y的市場中最重要的關(guān)鍵安全成分。例如：

• The emergence of “SDP,” or “Software-Defined Perimeter” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
• 出現(xiàn)“SDP”或“軟件定義周界”作為NAC的替代方案。這是一種誤導(dǎo)，因為它只是通過重新定義邊界來“移動邊界”。無論是基于軟件還是面向硬件，例如傳統(tǒng)防火墻（實際上是硬件和軟件的組合），僅外圍安全就存在問題?？偸谴嬖谥芙鐫B透的危險。SDP也是一種未經(jīng)市場測試的全新技術(shù)，因此在這一點上，其數(shù)量非常未知。
• CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks
• CASB或云訪問安全代理在云客戶和供應(yīng)商之間提供安全性。特性和功能因云供應(yīng)商而異，因此客戶必須注意了解其特定的CASB/云供應(yīng)商安全產(chǎn)品的價值。同樣，安全性需要作為一個復(fù)雜的、多方面的挑戰(zhàn)來處理，而不是一個單一的解決方案可以解決的問題。這些云代理解決方案決不應(yīng)被視為全面的防御框架。

Summary

總結(jié)

Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.

云計算帶來了極大的靈活性和顯著增加的基礎(chǔ)設(shè)施復(fù)雜性。對于大多數(shù)企業(yè)來說，重要的是要記住，“云”不是一個單一的整體，而是一個包含內(nèi)部和外部組件的物理/虛擬基礎(chǔ)設(shè)施組合平臺。實際上，它很可能包括多個云供應(yīng)商。因此，術(shù)語“混合”和“多云”環(huán)境。

Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.

安全解決方案將需要有效地解決這種新的復(fù)雜性。因此，基于nac、siem和ml/ai的預(yù)測分析工具最好一起用于聯(lián)合、全面的網(wǎng)絡(luò)防御解決方案。NAC可以在這個集成框架中發(fā)揮主要的、關(guān)鍵的作用，它可以作為指揮者協(xié)調(diào)來自SIEM、分析和其他安全工具的所有有意義的信息，以確保在正確的時間以正確的方式采取行動，減輕網(wǎng)絡(luò)威脅。

In summary, enterprises need to:

總之，企業(yè)需要：

• Reevaluate their Cyber Defense Strategy
• 重新評估他們的網(wǎng)絡(luò)防御策略
• Understand there is No “One Size Fits All” Solution
• 了解沒有“一刀切”的解決方案
• The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
• “縱深防御”的最佳方法是多層集成
• Beware of Untried Approaches – “The Shiny New Objects”
• 謹(jǐn)防未經(jīng)嘗試的方法-“閃亮的新事物”
• Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor
• 建立NAC作為您的安全框架的中心和基礎(chǔ)——您的網(wǎng)絡(luò)防御指揮官