Building a Digital Enterprise Centered on Secure by Design
Jason Yang (楊進盛), Senior Solutions Sales Manager, 台灣恩悌悌系統股份有限公司
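Strengthening cyber resilience and building an enterprise centered on secure design
An analysis report based on real-world threat data
NTT collected security logs, events, attacks, incidents and vulnerability data from clients worldwide between October 1, 2018 and September 31, 2019, analyzed them through the NTT Ltd. global threat intelligence platform, and compiled the results into its annual Global Threat Intelligence Report, which reflects the constantly changing global threat landscape.
Six continents worldwide | 4,000+ clients | 150 sets of security advisory assessment data | 10 SOCs (security operations centers) | 7 global R&D centers | NTT's own global threat intelligence platform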
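Six key insights
1. Attackers keep innovating: the most common attack types are remote code execution (15%) and injection attacks (14%).
2. Old vulnerabilities remain a primary target: organizations are not following patch management best practices.
3. Weaponization of IoT: botnets such as Mirai and its variants IoTroop and Echobot increase their ability to spread through automation.
4. Content management systems (CMS) are at risk: 20% of all attack incidents last year targeted content management system platforms.
5. Governance, risk and compliance (GRC) keeps evolving: 2019 was the "year of enforcement" for regulatory compliance; new regulatory measures keep increasing, making GRC more complex and more challenging.
6. A shift in targeted industries: technology became the top attack target, accounting for 25% of all attacks, compared with 17% the year before.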
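In today's turbulent environment, the threat landscape is more unpredictable than ever. Enterprises must be fully prepared to respond to any unexpected event, and must commit to implementing secure design and resilient networks to ensure cybersecurity.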
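Facing the sudden impact of the pandemic, NTT recommends that enterprises focus on five key points:
1. People first: focus on keeping employees safe and provide all the support and tools they need.
2. Adjust priorities: dynamically adjust the priorities of plans and actions, and assess any possible impact.
3. Do not forget security: keep the business running and get work done in a secure way, protecting enterprise assets.
4. Employee education: keep communicating changing strategy, business, process and security requirements to employees.
5. Keep updating: continuously patch and update all systems, back up properly, and strengthen endpoint control and protection.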
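Common attack types
Application-specific 33% | Web application 22% | Reconnaissance 14% | DoS/DDoS 14% | Network manipulation 5% | Other 12%

Top five attacked industries
Industry | 2019 rank | 2019 % | 2018 rank | 2018 %
Technology | 1 | 25% | 2 | 17%
Government | 2 | 16% | 5 | 9%
Finance | 3 | 15% | 1 | 17%
Business and professional services | 4 | 12% | 3 | 12%
Education | 5 | 9% | 4 | 11%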
Enterprises must implement infrastructure, applications and operational procedures based on Secure by Design.
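Responding to security threats
Use intelligent cybersecurity solutions to support business agility while keeping risk at a level the organization can accept.
Ensure your organization has appropriate visibility across its entire information and communications technology environment.
Conduct penetration testing regularly, including application testing and social engineering.
Manage malware-related risk and keep developing defensive measures.
Build GRC into the organization's operating routine, and regularly assess technical and non-technical activities to identify potential weak points.
As 5G and related devices are deployed, attacks on IoT will increase significantly; stay alert and protect accordingly.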
Cybersecurity GTM
Cybersecurity Advisory: Assess security posture, identify gaps, and recommend improvements to ensure your security architecture addresses your business needs
Managed Security Services: Transforms cybersecurity posture to combat the evolving threat landscape and deliver effective business outcomes
Secure by Design: Pre-defined solution based on best practices helps to give a better picture of what a cybersecurity posture looks like for a client
Cybersecurity Advisory
How does it work?
We conduct a series of technical and non-technical workshops, documentation and architecture reviews, as well as optional technical security testing, to set security maturity levels across the client's business
What is it?
A globally consistent, business-driven framework for delivering security outcomes to clients
What is the client deliverable?
With maturity levels mapped to easy-to-understand dashboards addressing the client's current state and target state, we benchmark the client against their peers and develop a roadmap for them to reach their desired security posture
Maturity and Capability Levels
Level of Maturity | Process | Metrics | Tools
Non-Existent | No process exists | No metric exists | No technology control exists
Initial | Ad-hoc and informal | Ad-hoc reporting | Planning underway
Repeatable | Some basic templates or checklists exist | Basic metrics, informal reporting | Basic functionality implemented with capabilities
Defined | Formally documented processes are consistent | Formally documented metrics, manual reporting | Functionality implemented and aligned to policies
Managed | Formal and integrated workflows | Advanced metrics and semi-automated reporting | Integrated logging, manual correlation
Optimized | Mature and automated workflows | Fully automated reporting | Integrated platform, automated correlation

Minimum Recommended Targets
Education, Energy & Utilities, Healthcare, Manufacturing, Mining & Natural Resources, Media & Communications, Pharma, Professional Services, Public Sector, Real Estate & Construction, Retail, Technology
Federal Government, Financial Services, Service Providers
Intelligence / Defence agencies, Security MSP
Information Security Dashboard
[Figure: Information Security Dashboard. Views: Business View, Architect's View, Designer's View. Areas shown: Assets; Assurance; Risk Management Framework; Compliance, Policies, Standards and Guidelines; Security Domain Model; Data Classification; Threats; Logical Security Architecture; Security Vision and Strategy; Information Security Framework; Vulnerabilities; Operations; Applications; Endpoint; Infrastructure; Roles and Responsibilities. Maturity Scale: Optimised, Managed, Defined, Repeatable, Initial, Non-Existent.]
Security Controls Dashboard
Maturity Scale: Optimised | Managed | Defined | Repeatable | Initial | Non-Existent
Operations
Asset / Config Management | Incident Management | Change Management | Access Management | Event Monitoring and Management | Threat Management
Infrastructure
SIEM | Messaging & Email Sec. | DDOS Protection | Firewall /NGFW / UTM / Segmentation | Network IDPS | VPN GW / (IPSEC & SSL) | UEBA | Wireless Security | Web Security | Network DLP | DNS Security | Deception / Honeypots | Network Security | Network Malware Sandboxing | Network Packet Forensics | TIP - Platform Threat Intelligence | Endpoint and Mobile Protection | Antivirus / NGAV | Patch Management | Asset / Secure Configuration Management | HIPS | EDR
Devices
Application Security
Applications
WAF | Data Encryption | App Container Security | Application Sandboxing | App Control Whitelisting | API Security | BAS | Data Security | Host DLP | DAM - DB Activity Monitoring | DRM - Document Rights Management | Data Masking | IAM | SSO | CASB | FIM | GRC | Vulnerability / Patch Management | RASP | Source Code Analysis | PKI / Certificate Management | Secure Collaboration and File Transfer | Fraud Prevention & Transaction Security | Remote Browser Isolation | VDI Security | MDM | Password Management | Data Discovery & Classification | Infrastructure Protection | CWP - Cloud Workload Protection | ETA – Encrypted Traffic Analysis | NBAD - Network Behaviour Anomaly Protection | DRP - Digital Risk Protection | APT | SOAR – Security Automation, Orchestration & Response | Mobile Data Protection | Vulnerability Management | Application Security Testing
Roadmap – People and Process
Risk Management Vision and Strategy Security Framework
Align Tactical Operations to Strategy
1 Year 18 Month 24 Month 30 Month
Enhance Global Information Security Awareness and Enforcement Asset Classification Complete Data Ownership Global Information Security Model
2 Year 3 Year
Enhance Incident Management Develop DLP Program Gap Analysis for Resources Establish BCP Plan including RACI Matrix Complete Risk Taxonomy User security audit and improve Threat analysis for critical Assets 3rd Parties Risk Assessment Business Impact Analysis
3.8 3.8 3.6 3.1 1.7 1.7
Risk Management Process Enhance Patch Management & Vulnerability Remediation Enhance Global Risk Management Enhance Change Management
Roadmap – Technology (Security Architecture)
Operations Applications Endpoints Infrastructure 1 Year 18 Month 24 Month 30 Month
Incident Management Testing DB Monitoring PoC
2 Years 3 Years
WAF PoC DLP Consolidate Asset Management Tools APT Data Classification Expand MFA IPS Continue WAN Project URL Filtering Network Anti-Malware Network DLP Vulnerability Remediation Site-Site VPN. Network Sandboxing
Quick Win
1.1 3.5
SSO Integration Endpoint DLP Secure File transfer enforcement Layered Application Security Breach Detection Investigate DDOS Control Endpoint Removable Storage
Secure by Design
Managed Security Services: Identifying each security control and mapping it to different solution domains, partners, and technology.
Secure by Design: Taking NTT's and our vendors' capabilities to provide proven security frameworks through to architectures and controls.
Cybersecurity Advisory: Based on years of experience meeting our clients' cybersecurity needs.
Secure Intelligent Infrastructure | Secure SD-WAN | Secure Multi-Cloud | Secure Intelligent Workplace
Device Data Application Server Data Network Network Access Compliance On-Premise Secured Access Data Transit
Secure by Design
Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
A Comprehensive X-Platform Approach to Cybersecurity
Secure OT and IOT
Device Servers Network
Dev Sec Ops
Application Data Network
Secure Digital Workplace - Secure by Design
A Comprehensive X-Platform Approach
Consulting: Cybersecurity Advisory
Solution & Outcome: Secure by Design Digital Workplace
Control Elements: Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
Technology Components: EDR | NGFW | Vulnerability Management | Email Security | Mobile Data Protection | Encryption | IAM | PAM | Asset/Patch/Config Mgmt | Document Rights Mgmt | CASB
Policy Compliance Identity Secure Collaboration Secure Comms Data Security
Data Endpoint Comms Identity Logging Access Key Diagram Function Solution
Device
Secure SD-WAN (Cloud-Optimised Hybrid WAN) - Secure by Design
A Comprehensive X-Platform Approach
Consulting: Cybersecurity Advisory
Solution & Outcome: Secure by Design Hybrid WAN
Control Elements: Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
Technology Components: APT Protection | NGFW | Cloud Workload Protection | Email Security | SOAR | Network DLP | CASB | DDOS Protection | VPN Gateway | DNS Security | Anomaly Detection
Policy Compliance Identity Branch Protection Network Security Data Security
Compliance Key Diagram Function Solution Application Lateral Movement Access
Secure Intelligent Infrastructure - Secure by Design
A Comprehensive X-Platform Approach
Consulting: Cybersecurity Advisory
Solution & Outcome: Secure by Design Infrastructure Modernisation
Control Elements: Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
Technology Components: EDR | NGFW | Vulnerability Management | Email Gateway | SIEM | Host DLP | IDM | DDOS Protection | Asset/Patch/Config Mgmt | DNS Security | PAM
Policy Compliance Identity Infrastructure Protection Secure Comms Data Security
Data Server Network Identity Logging Access Key Diagram Function Solution
Secure Multi-Cloud - Secure by Design
A Comprehensive X-Platform Approach
Consulting: Cybersecurity Advisory
Solution & Outcome: Secure by Design Multi-Cloud
Control Elements: Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
Technology Components: EDR / NGAV | NGFW | Vulnerability Management | VPN Gateway | SIEM | Data Discovery | CASB | Network IDPS | Application Security Test | Data Encryption | File Integrity Monitoring
Policy Compliance Identity Infrastructure Protection Secure Comms Data Security
Data Server Network Identity Logging Cloud Key Diagram Function Solution
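Cloud Security
IoT system architecture
Application layer: Buildings and cities | Transportation and logistics | Agriculture and environment | Industrial applications
Transport layer: Telecom network | Internet | Private network
Perception layer: IoT gateway | IoT end devices
IoT security issues
Application layer: cloud security technology
Transport layer: network security technology
Perception layer: lightweight security technology
Internet IoT | NB-IoT IoT
DoS / DDoS | SQL Injection | Operations security risk | APT attacks | Cloud interface risk | Web application vulnerabilities | Replay attacks | Communication hijacking | Access permission flaws | Plaintext transmission | Key management flaws | Device spoofing | Open-source code security | Firmware integrity | Sensitive information leakage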
Secure OT / IOT - Secure by Design
A Comprehensive X-Platform Approach
Consulting: Cybersecurity Advisory
Solution & Outcome: Secure by Design OT and IoT
Control Elements: Logging & Analytics | Visibility & Control | Identity & Authentication | Assessment & Profiling | Perimeter, Cloud, End Point | Policy
Technology Components: EDR / NGAV | NGFW / Segmentation | Vulnerability Management | VPN Gateway | SIEM | Network IDPS | CASB | Anomaly Detection | Application Control Whitelisting | Secure Config Mgmt | Network Malware Sandboxing
Policy Compliance Identity Infrastructure Protection Secure Comms Data Security
Legacy Device Network Vulnerabilities Malware
Key Diagram Function Solution
Managed Security Services
Endpoint Security Services Cloud Security Services Protect Detect Respond
Perimeter Threat Detection Services Enterprise Security Monitoring Services Vulnerability Management Device Management Services Proactive and Remote Response Services On-Premises Threat Detection Services Enterprise Security Monitoring Services Vulnerability Management Device Management Services Proactive and Remote Response Hybrid IT
Reactive Proactive Predictive
Threat Intelligence Services Threat Detection
Enterprise Security Monitoring Vulnerability Management Device Management Bot-Master detection Active Response Gateway Threat Detection Activity Anomaly Monitoring
OT/IoT
Endpoint Security Services Cloud Security Services
Managed Security Service Structure
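IDC briefing – MSS roadmap - UEA V1
NTT Group
One of the world's largest ICT services companies and Japan's largest telecommunications group
Who We are
In 2019, NTT Group integrated 31 of its leading specialist companies into a new global technology services company, NTT Ltd.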
Together we do great things
Our global capabilities, infrastructure, and expertise
We partner with organizations globally to shape and achieve outcomes through intelligent technology
Innovative client, industry, and functional solutions
Co-innovation | intelligent cities | autonomous cars | Connected Conservation | society 5.0
Intelligent Innovation
Intelligent Cybersecurity
Predictive Threat Intelligence
Application Security: App FW | DNS | CASB | Data | WAF
Advanced Competencies: analytics | information architecture | data management | IoE | artificial intelligence | machine learning
Enterprise Applications: software-defined systems | service supporting functions | application delivery
Intelligent Business
Intelligent Workplace
Workplace Security: EDR | Vuln Mgt | Config Mgt | MFA
Customer Experience: workforce optimization / RPA | omni-channel contact center | AI / ML-enabled service models | marketplace
Modern Collaboration: voice / video / UC | messaging | streaming | content / file sharing | social
Consulting Services | Technical Services | Support Services | Managed Services
Intelligent Infrastructure
Infrastructure Security: Identity | NGFW | IPS | Web GW | SIEM | Threat Intel…
Data Center Infrastructure: compute | storage | co-location | interconnects
Multicloud: private cloud | public cloud | hybrid-cloud
Hybrid WAN: SD-WAN | MPLS | Internet | NFV | IP transit
Wired and Wireless: hybrid campus (switching, wi-fi) | eSIM
ICT Infrastructure Services
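One More Thing
Security tips
Update software frequently | Passwords: longer is better, not more complex; at least 20 characters | Download programs only from trusted official websites | Avoid using administrator accounts where possible | Shut down when not in use | Encrypt data and encrypt transmissions
own sensitive data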