Building and Applying a Security Threat Intelligence System

Part 1: What is security threat intelligence?

Current information security defense systems face difficulties
- It is hard to find genuine attack behaviour among a massive volume of security events.
- Traditional security products such as IDS and SOC are used inefficiently.
- A security event confirmed at one point cannot be shared promptly and effectively across the organization, so internal coordination is difficult.
- Vulnerability and threat information is not interchangeable between security devices of different types and vendors, which hampers the maintenance and management of large networks.
- The NSA attack techniques against China revealed by the Snowden disclosures and similar events are hard to identify and detect with current means.
- The existing security system urgently needs to be upgraded: apply security threat intelligence technology and build a security threat intelligence platform.

The race of speed between attack and defense!

Speed! Speed! And more speed!
[Figure: attacker and defender timelines along a TIME axis; the gap between them is labelled "ATTACKER FREE TIME" with the annotation "Need to collapse free time". Labels as extracted, not in timeline order.]
- Attacker timeline labels: Attack Begins, System Intrusion, Attacker Surveillance, Cover-up Complete, Access Probe, Leap Frog Attacks, Complete Target Analysis, Attack Set-up, Discovery/Persistence, Maintain foothold, Cover-up Starts.
- Defender timeline labels: Attack Forecast, Physical Security, Containment & Eradication, System Reaction, Damage Identification, Recovery, Defender Discovery, Monitoring & Controls, Impact Analysis, Response, Threat Analysis, Attack Identified, Incident Reporting.

What is security threat intelligence? Some "hot" terms:
- Security Intelligence
- Threat Intelligence
- Security Threat Intelligence
- Cyber Threat Information Sharing
- Intelligence Aware
- Intelligence Driven
- Intelligence-Aware Security Control
- Context Aware
- Reputation databases

External security threat intelligence sources (open-source and commercial)
- OSINT
- Dell SecureWorks
- RSA NetWitness Live
- Verisign iDefense
- Symantec DeepSight
- McAfee Threat Intelligence
- SANS
- CVEs, CWEs, OSVDB (vulnerabilities)
- iSight Partners
- ThreatStream
- OpenDNS
- MAPP
- IBM QRadar
- Palo Alto WildFire
- CrowdStrike
- AlienVault OTX
- Recorded Future
- Team Cymru
- ISACs / US-CERT
- FireEye / Mandiant
- Vorstack
- CyberUnited
- Norse IPViking / Darklist

Internal security threat intelligence sources (providing security context)
- Directory user information (personal e-mail, access, user privilege, start/end date)
- Proxy information (content)
- DLP and business-unit risk (trade secrets / IP-sensitive documents)
- IT case history / ticket tracking
- Malware detection / AV alerts
- Sensitive business roles
- Application usage and consumption events (in-house)
- Database usage / access monitoring (privileged)
- Entitlements / access outliers (in-house)
- User behaviour association based on geography, frequency, uniqueness and privilege

Intelligence platforms
- Threat intelligence platforms (TIPs).
- By 2018, an estimated 50% of leading organizations and MSSPs will use TIPs built on MRTI (machine-readable threat intelligence); today fewer than 5% do.

Security threat intelligence application example: RSA NetWitness Live
- Live gathers the best advanced threat intelligence and content in the global security community.
- Live Manager provides a configurable manager with a dashboard.
- Aggregates and consolidates only the most pertinent information.
- Transparent integration with customers' live and recorded network traffic.

Security threat intelligence application example: RSA NetWitness Live (feed list)
- RSA FraudAction Domains; RSA FraudAction IP
- NW APT Attachments; NW APT IP; NW APT Domains
- NW Suspicious IP Intel
- NW Criminal VPN Entry Domains; NW Criminal VPN Entry IP; NW Criminal VPN Exit IP; NW Criminal VPN Exit Domains
- NW Criminal SOCKS nodes; NW Criminal SOCKS User IPs
- NW Insider Threat Domains; NW Insider Threat IP
- APT Filenames
- Palevo Tracker IP; Palevo Tracker Domains
- QakBot C2 Domains
- Critical Intelligence Domains - SCADA; Critical Intelligence IPs - SCADA
- Dynamic DNS Domains
- TOR Exit Nodes; TOR Nodes
- eFax sites (data leakage)
- iDefense Threat Indicators
- ISEC Exposure Blacklist Domains

Security threat intelligence application example: RSA NetWitness Live
[Screenshot slide; no text extracted.]

Security threat intelligence application example: IBM QRadar SIP
- Bridges silos
- Highly scalable
- Flexible and adaptable
- Easy deployment
- Rapid time to value
- Operational efficiency
- Proactive threat management
- Identifies critical anomalies
- Rapid, extensive impact analysis

Security threat intelligence application example: IBM QRadar SIP (context and correlation drive the deepest insight)
- Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
- Data sources: Security Devices; Servers and Mainframes; Network and Virtual Activity; Database Activity; Application Activity; Configuration Info; Vulnerability Info; Users and Identities
- Intelligence applied: Logs, Flows, IP Reputation, Geo Location, User Activity, Database Activity, Application Activity and Network Activity feed Event Correlation and Activity Baselining and Anomaly Detection
- Output: Suspected Incidents lead to Offense Identification, each offense rated by Credibility, Severity and Relevance

Security threat intelligence application example: IBM QRadar SIP (fully integrated security intelligence)
- Log Management: turnkey log management; SME to enterprise; upgradeable to enterprise SIEM
- SIEM: integrated log, threat, risk and compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow
- Risk and Configuration Management: predictive threat modeling and simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis
- Network Activity and Anomaly Detection: network analytics; behavioural anomaly detection; fully integrated with SIEM
- Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight; physical and virtual environments

Security threat intelligence application example: McAfee Threat Intelligence
[Screenshot slide; no text extracted.]

Part 2: Building a security threat intelligence system
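To make two of the slides above concrete, the categorized indicator feeds of RSA NetWitness Live and the QRadar flow from data sources through event correlation to offenses rated by credibility, severity and relevance, here is an added Python example; it is not code from this deck, from RSA or from IBM. It enriches constructed log lines with constructed feeds (RFC 5737 documentation addresses and .test domains, feed names modelled on the NetWitness list) and with constructed internal context from the "internal sources" slide (asset criticality, unpatched vulnerabilities, directory privilege), then scores each internal host that touched an indicator. The scoring weights, the log format and every host, user and indicator value are assumptions made for the example.

```python
"""Toy intelligence-driven correlation engine (added example, not vendor code).

Log lines are enriched against categorized threat-intel feeds and internal
context, and each internal host that touched an indicator becomes an offense
scored on credibility, severity and relevance, in the spirit of the QRadar
slide. All feeds, hosts, users, log lines and weights are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed feeds keyed by category (names modelled on the NetWitness Live
# feed list); indicators are documentation addresses / .test domains only.
FEEDS = {
    "C2 Domains": {"c2-example.test"},
    "TOR Exit Nodes": {"203.0.113.7"},
    "Dynamic DNS Domains": {"host.dyn-example.test"},
    "Suspicious IP Intel": {"203.0.113.7", "198.51.100.23"},
}

# Assumed base severity (0-10) contributed by a hit in each feed category.
CATEGORY_SEVERITY = {
    "C2 Domains": 8,
    "TOR Exit Nodes": 5,
    "Dynamic DNS Domains": 3,
    "Suspicious IP Intel": 4,
}

# Constructed internal context: asset criticality and count of known unpatched
# vulnerabilities per host, plus user privilege from the directory.
ASSETS = {
    "10.0.0.5": {"criticality": 9, "vulns": 2},
    "10.0.0.20": {"criticality": 2, "vulns": 0},
}
USER_PRIVILEGE = {"alice": "admin", "bob": "user"}

# Constructed log lines from a firewall ("fw") and a web proxy ("proxy").
LOGS = [
    "2014-05-01T10:00:00Z fw src=10.0.0.5 dst=203.0.113.7 user=alice",
    "2014-05-01T10:00:05Z proxy src=10.0.0.5 dst=203.0.113.7 user=alice domain=c2-example.test",
    "2014-05-01T10:01:00Z proxy src=10.0.0.20 dst=198.51.100.23 user=bob domain=host.dyn-example.test",
    "2014-05-01T10:02:00Z fw src=10.0.0.20 dst=192.0.2.10 user=bob",
]

# Assumed log format: "<ts> <source> src=<ip> dst=<ip> user=<name> [domain=<fqdn>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+)(?: domain=(?P<domain>\S+))?$"
)


def parse_log(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(event):
    """Return the set of (category, indicator) pairs the event's dst/domain hit."""
    observables = {event["dst"], event.get("domain")} - {None}
    return {(cat, ioc) for cat, iocs in FEEDS.items() for ioc in observables if ioc in iocs}


@dataclass
class Offense:
    host: str
    users: list
    categories: list
    credibility: int  # how many independent feed categories and log sources agree
    severity: int     # worst feed category hit, raised by asset criticality
    relevance: int    # how exposed the target is: unpatched vulns, privileged user
    magnitude: int    # overall rating used to order the analyst's queue


def correlate(lines):
    """Group indicator hits per internal source host and score each as an offense."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_log(line)
        if ev is None:
            continue  # unparseable line: skipped rather than guessed at
        iocs = match_indicators(ev)
        if iocs:
            hits[ev["src"]].append((ev, iocs))

    offenses = []
    for host, matched in hits.items():
        categories = sorted({cat for _, iocs in matched for cat, _ in iocs})
        sources = {ev["source"] for ev, _ in matched}
        users = sorted({ev["user"] for ev, _ in matched})
        asset = ASSETS.get(host, {"criticality": 1, "vulns": 0})
        # Corroboration across categories and log sources raises credibility.
        credibility = min(10, 2 * len(categories) + len(sources))
        severity = min(10, max(CATEGORY_SEVERITY[c] for c in categories) + asset["criticality"] // 3)
        privileged = any(USER_PRIVILEGE.get(u) == "admin" for u in users)
        relevance = min(10, 3 * asset["vulns"] + (4 if privileged else 1))
        magnitude = round((credibility + severity + relevance) / 3)
        offenses.append(Offense(host, users, categories, credibility, severity, relevance, magnitude))
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for offense in correlate(LOGS):
        print(offense)
```

The firewall hit alone on 10.0.0.5 would be one more alert in the pile; it is the agreement between two log sources and three feed categories, combined with the host's criticality and the admin user, that lifts it to the top of the queue, which is the point the "context and correlation" slide makes. Swapping the constructed feeds for a real TIP export and the constructed context for directory and vulnerability-scanner data keeps the same structure.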