Network-connected end devices remain a major cybersecurity point of vulnerability.

網(wǎng)絡(luò )連接的終端設備仍然是主要的網(wǎng)絡(luò )安全漏洞點(diǎn)。

Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.

網(wǎng)絡(luò )訪(fǎng)問(wèn)控制（NAC）技術(shù)提供了封鎖網(wǎng)絡(luò )訪(fǎng)問(wèn)的能力，在某種程度上，這是其他網(wǎng)絡(luò )防御產(chǎn)品無(wú)法做到的。

Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.

當今企業(yè)中的網(wǎng)絡(luò )威脅主要集中在整個(gè)網(wǎng)絡(luò )連接設備范圍內的多個(gè)攻擊面上。

Over the past few years, the number of endpoint attack surfaces has expanded considerably.

在過(guò)去幾年中，終端攻擊面的數量已經(jīng)大大增加。

This trend is expected to continue and increase exponentially in the years immediately ahead.

預計這一趨勢將在未來(lái)幾年繼續呈指數級增長(cháng)。

Endpoint attack surfaces are expanding in terms of client platform diversity, and include:

終端攻擊面在客戶(hù)端平臺多樣性方面正在擴展，包括：

• “Traditional” stationary desktop devices
• “傳統”固定桌面設備
• once the majority
• 曾經(jīng)占多數
• now increasingly in the minority of device types
• 現在越來(lái)越多的設備類(lèi)型

• The explosion of mobile device types and numbers, from laptops to tablets to smartphones
• 從筆記本電腦到平板電腦再到智能手機，移動(dòng)設備類(lèi)型和數量激增
• Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
• 員工、承包商和供應商擁有的“BYOD”（自帶設備）設備需要網(wǎng)絡(luò )訪(fǎng)問(wèn)
• Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)
• 需要網(wǎng)絡(luò )連接（有線(xiàn)和無(wú)線(xiàn)）的“IoT”（物聯(lián)網(wǎng)）設備數量呈指數增長(cháng)

And also in terms of platform depth:

而且在平臺深度方面：

• Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
• 多個(gè)操作系統平臺（Windows，OSX，iOS，Android，Linux）和版本
• Multiple application and database platforms (OpenStack and proprietary)
• 多個(gè)應用程序和數據庫平臺（OpenStack和專(zhuān)利）
• Multiple storage technologies (SAN, NAS, DAS, Cloud)
• 多種存儲技術(shù)（SAN，NAS，DAS，云）
• Both wired and wireless connections
• 有線(xiàn)和無(wú)線(xiàn)連接
• Multiple device configurations
• 多個(gè)設備配置

Each specific device and platform provides its own unique set of attack surface vulnerabilities.

每個(gè)特定的設備和平臺都提供了自己獨特的攻擊面漏洞集。

All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.

所有這些都需要從網(wǎng)絡(luò )連接的角度進(jìn)行積極的管理，以確保它們不會(huì )對企業(yè)環(huán)境構成威脅。

This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.

這需要確保所有設備都能夠被準確識別，所有設備都經(jīng)過(guò)適當的修補和更新，以確保O / S和應用程序級漏洞得到修復，并且設備使用最新的反惡意軟件/防病毒軟件定義獲得網(wǎng)絡(luò )訪(fǎng)問(wèn)權限。

Current cybersecurity trends

當前的網(wǎng)絡(luò )安全趨勢

• Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
• 網(wǎng)絡(luò )安全最佳實(shí)踐長(cháng)期以來(lái)一直采用主動(dòng)的設備管理方法。有許多工具可以實(shí)現這一目標，但近年來(lái)經(jīng)歷的持續網(wǎng)絡(luò )入侵、數據泄露和業(yè)務(wù)中斷表明，終端設備管理仍然是企業(yè)和組織環(huán)境中的一個(gè)重大弱點(diǎn)，無(wú)論大小
• Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
• 勒索軟件專(zhuān)注于利用網(wǎng)絡(luò )客戶(hù)端終端的漏洞，在2013年至2016年間迅速增長(cháng)，目前每年的勒索支付額約為10億美元。
• Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
• 在過(guò)去的3年中，電子郵件釣魚(yú)攻擊的利潤率仍然更高，每年為17億美元。
• Both ransomware and email exploits focus on the endpoint
• 勒索軟件和電子郵件攻擊都集中在終端上
• Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
• 此外，預計未來(lái)幾年物聯(lián)網(wǎng)設備的數量將呈指數級增長(cháng)（這一過(guò)程已在進(jìn)行中），企業(yè)網(wǎng)絡(luò )連接的數量也將相應增加
• The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021 from 10 billion today), and will not be possible to manage via manual means (ie responding as needed to all alerts, scanning traffic in real-time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
• 物聯(lián)網(wǎng)設備產(chǎn)生的網(wǎng)絡(luò )流量將不同于任何現有經(jīng)驗（預計到2021年將有250億臺設備從現在的100億臺設備增加到現在的250億臺），并且無(wú)法通過(guò)手動(dòng)方式進(jìn)行管理（即根據需要對所有警報作出響應，實(shí)時(shí)或以日志形式掃描流量）。需要基于策略的自動(dòng)和“預先規定”安全管理。NAC解決方案提供這種能力。
• The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
• 網(wǎng)絡(luò )防御的成本繼續攀升，預計將繼續攀升。我們甚至不知道目前的網(wǎng)絡(luò )犯罪活動(dòng)給我們造成了多大的損失，但最近華爾街日報保守估計，2017年每年的損失為2億美元（其他估計從3美元到6億美元不等，預計到2021年會(huì )達到更高的水平）。
• In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020
• 就企業(yè)每年在網(wǎng)絡(luò )安全防御產(chǎn)品上的支出而言，據估計， 2015年全球網(wǎng)絡(luò )安全支出為75億美元; 預計2017年將增加至100億美元; 到2020年進(jìn)一步達到200億美元

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.

簡(jiǎn)而言之，攻擊面迅速擴大，漏洞仍然是一個(gè)主要問(wèn)題，網(wǎng)絡(luò )安全成本明顯失控，企業(yè)成功應對這些挑戰的能力仍然不足 - 通常以最簡(jiǎn)單的方式。實(shí)際上，大多數重大漏洞都是由于操作系統和各種應用程序組件的更新和修補方面的操作不足造成的。除此之外：思科估計即使IT部門(mén)通過(guò)監控和警報提醒潛在問(wèn)題，實(shí)際上只有56％的活動(dòng)警報得到響應。

Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.

顯然，從任何組織的網(wǎng)絡(luò )安全角度對網(wǎng)絡(luò )連接設備進(jìn)行有效的運營(yíng)管理都需要嚴格和嚴格地協(xié)調正確的工具，技術(shù)，人員和流程。NAC技術(shù)為企業(yè)構建現代有效的網(wǎng)絡(luò )防御框架提供了必要的關(guān)鍵基礎組件。

NAC As a Key Component of Your Cyber Defense Framework

NAC是您的網(wǎng)絡(luò )防御框架的關(guān)鍵組成部分

At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.

在當前的形勢下，網(wǎng)絡(luò )攻擊已經(jīng)超出了企業(yè)有效應對的能力，顯然需要重新評估網(wǎng)絡(luò )防御戰略。對于NAC供應商來(lái)說(shuō)，有一個(gè)非常大的機會(huì )來(lái)提出增加NAC采用率的理由。由于該行業(yè)的總市值（2017年約為6.85億美元）預計在未來(lái)3-4年內將接近10億美元，因此這一市場(chǎng)是否會(huì )繼續增長(cháng)并不重要，而是取決于增長(cháng)的幅度和速度。這就是說(shuō)，媒體對網(wǎng)絡(luò )防御和網(wǎng)絡(luò )思想領(lǐng)導的最大份額目前集中在看似更新、引人注目的網(wǎng)絡(luò )防御創(chuàng )新上，如基于SIEM和ML-AI的預測分析，而不是網(wǎng)絡(luò )訪(fǎng)問(wèn)控制。然而，人們越來(lái)越認識到，沒(méi)有“一刀切”的辦法來(lái)構建有效的網(wǎng)絡(luò )安全防御框架。因此，市場(chǎng)趨勢是以一種為特定企業(yè)提供最佳解決方案的方式整合網(wǎng)絡(luò )安全產(chǎn)品系列中的工具。鑒于其在提供安全網(wǎng)絡(luò )訪(fǎng)問(wèn)方面的基礎作用，NAC需要處于任何網(wǎng)絡(luò )網(wǎng)絡(luò )防御體系結構的最前沿。

Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.

傳統的戰略和工具也必須集成到這種新的多層網(wǎng)絡(luò )防御方法中。傳統防火墻曾經(jīng)是安全工具包中的主要工具（如果不是唯一的話(huà)），現在被認為不足以提供必要的防御屏障。這是因為，與許多安全方法一樣，它們只解決了挑戰的一個(gè)方面——在本例中是保護網(wǎng)絡(luò )外圍。然而，如果有人通過(guò)暴力攻擊或網(wǎng)絡(luò )管理員的簡(jiǎn)單錯誤配置而破壞，那么僅外圍安全就不能阻止攻擊在網(wǎng)絡(luò )內部橫向傳播。同樣，使用簡(jiǎn)單的終端安全性：當終端受到威脅時(shí)，連接到同一網(wǎng)絡(luò )的所有設備也可能變得非常脆弱。

So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:

因此，盡管人們普遍認為需要采取多層次、綜合的方法來(lái)確保有效的網(wǎng)絡(luò )防御，但網(wǎng)絡(luò )安全產(chǎn)品市場(chǎng)已經(jīng)充斥著(zhù)大量競爭產(chǎn)品、平臺和相互矛盾的主張。Genians有機會(huì )幫助潛在客戶(hù)，澄清在這個(gè)已經(jīng)變得非?；靵y的市場(chǎng)中最重要的關(guān)鍵安全成分。例如：

• The emergence of “SDP,” or “Software-Defined Perimeter” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
• 出現“SDP”或“軟件定義周界”作為NAC的替代方案。這是一種誤導，因為它只是通過(guò)重新定義邊界來(lái)“移動(dòng)邊界”。無(wú)論是基于軟件還是面向硬件，例如傳統防火墻（實(shí)際上是硬件和軟件的組合），僅外圍安全就存在問(wèn)題?？偸谴嬖谥?zhù)周界滲透的危險。SDP也是一種未經(jīng)市場(chǎng)測試的全新技術(shù)，因此在這一點(diǎn)上，其數量非常未知。
• CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks
• CASB或云訪(fǎng)問(wèn)安全代理在云客戶(hù)和供應商之間提供安全性。特性和功能因云供應商而異，因此客戶(hù)必須注意了解其特定的CASB/云供應商安全產(chǎn)品的價(jià)值。同樣，安全性需要作為一個(gè)復雜的、多方面的挑戰來(lái)處理，而不是一個(gè)單一的解決方案可以解決的問(wèn)題。這些云代理解決方案決不應被視為全面的防御框架。

Summary

總結

Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.

云計算帶來(lái)了極大的靈活性和顯著(zhù)增加的基礎設施復雜性。對于大多數企業(yè)來(lái)說(shuō)，重要的是要記住，“云”不是一個(gè)單一的整體，而是一個(gè)包含內部和外部組件的物理/虛擬基礎設施組合平臺。實(shí)際上，它很可能包括多個(gè)云供應商。因此，術(shù)語(yǔ)“混合”和“多云”環(huán)境。

Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.

安全解決方案將需要有效地解決這種新的復雜性。因此，基于nac、siem和ml/ai的預測分析工具最好一起用于聯(lián)合、全面的網(wǎng)絡(luò )防御解決方案。NAC可以在這個(gè)集成框架中發(fā)揮主要的、關(guān)鍵的作用，它可以作為指揮者協(xié)調來(lái)自SIEM、分析和其他安全工具的所有有意義的信息，以確保在正確的時(shí)間以正確的方式采取行動(dòng)，減輕網(wǎng)絡(luò )威脅。

In summary, enterprises need to:

總之，企業(yè)需要：

• Reevaluate their Cyber Defense Strategy
• 重新評估他們的網(wǎng)絡(luò )防御策略
• Understand there is No “One Size Fits All” Solution
• 了解沒(méi)有“一刀切”的解決方案
• The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
• “縱深防御”的最佳方法是多層集成
• Beware of Untried Approaches – “The Shiny New Objects”
• 謹防未經(jīng)嘗試的方法-“閃亮的新事物”
• Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor
• 建立NAC作為您的安全框架的中心和基礎——您的網(wǎng)絡(luò )防御指揮官