Published: 2019-03-11 09:40 Author/Source: Views: 316

Network-connected end devices remain a major cybersecurity point of vulnerability.


Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.


Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.


Over the past few years, the number of endpoint attack surfaces has expanded considerably.


This trend is expected to continue and increase exponentially in the years immediately ahead.


Endpoint attack surfaces are expanding in terms of client platform diversity, and include:


  • “Traditional” stationary desktop devices
    • once the majority
    • now increasingly in the minority of device types
  • The explosion of mobile device types and numbers, from laptops to tablets to smartphones
  • Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
  • Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)

And also in terms of platform depth:


  • Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
  • Multiple application and database platforms (OpenStack and proprietary)
  • Multiple storage technologies (SAN, NAS, DAS, Cloud)
  • Both wired and wireless connections
  • Multiple device configurations

Each specific device and platform provides its own unique set of attack surface vulnerabilities.


All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.


This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.
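The pre-admission checks just listed (identify the device, confirm OS patch level, confirm anti-malware definitions are current, and only then grant access) can be expressed as a small policy evaluator. The block below is an added example written for this page; it is not code from the article, from Genians, or from any NAC product, and every device record, MAC address, threshold and the evaluation date are constructed for illustration. It also covers two cases the article raises elsewhere: IoT endpoints that cannot run a posture agent, and unmanaged BYOD equipment that has no remediation path.

```python
"""Added example (not code from the article or any NAC product): a minimal
pre-admission posture evaluator in the spirit of the checks the text lists.
Device records, thresholds, MAC addresses and the date are all constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"            # full access
    RESTRICTED = "restricted"  # IoT: segmented VLAN, no posture agent possible
    QUARANTINE = "quarantine"  # managed device: remediation VLAN until fixed
    DENY = "deny"              # no access


@dataclass
class DeviceRecord:
    mac: str
    identified: bool                        # did fingerprinting produce a confident match?
    device_class: str                       # "workstation", "mobile", "iot" or "unknown"
    managed: bool = False                   # enrolled in the organisation's management tool
    os_patch_level: Optional[date] = None   # date of the last applied OS update
    av_definitions: Optional[date] = None   # date of the anti-malware signature set


@dataclass
class Policy:
    max_patch_age_days: int = 30   # constructed threshold
    max_av_age_days: int = 7       # constructed threshold


def evaluate(device: DeviceRecord, policy: Policy, today: date) -> tuple[Decision, list[str]]:
    """Decide network access for one device; the reason list is empty only for ALLOW."""
    # 1. Identification comes first: an unidentified device gets nothing.
    if not device.identified or device.device_class == "unknown":
        return Decision.DENY, ["device could not be identified"]

    # 2. IoT endpoints cannot run an agent, so the only control available is
    #    placement on a restricted network segment.
    if device.device_class == "iot":
        return Decision.RESTRICTED, ["IoT device: no posture agent, segmented access"]

    reasons: list[str] = []

    # 3. OS patch level must be known and recent.
    if device.os_patch_level is None:
        reasons.append("OS patch level unknown")
    elif (today - device.os_patch_level).days > policy.max_patch_age_days:
        reasons.append(f"OS patches older than {policy.max_patch_age_days} days")

    # 4. Anti-malware definitions must be known and recent.
    if device.av_definitions is None:
        reasons.append("anti-malware definitions unknown")
    elif (today - device.av_definitions).days > policy.max_av_age_days:
        reasons.append(f"anti-malware definitions older than {policy.max_av_age_days} days")

    if not reasons:
        return Decision.ALLOW, []
    # 5. A managed device can be pushed to a remediation VLAN and fixed; an
    #    unmanaged BYOD device has no remediation path, so it is denied outright.
    return (Decision.QUARANTINE if device.managed else Decision.DENY), reasons


def evaluate_inventory(devices, policy, today):
    """Map every MAC in the inventory to its (decision, reasons) pair."""
    return {d.mac: evaluate(d, policy, today) for d in devices}


# Constructed sample inventory; the date matches the article's publication date.
TODAY = date(2019, 3, 11)
SAMPLE_INVENTORY = [
    DeviceRecord("aa:bb:cc:00:00:01", True, "workstation", managed=True,
                 os_patch_level=date(2019, 3, 1), av_definitions=date(2019, 3, 10)),
    DeviceRecord("aa:bb:cc:00:00:02", True, "workstation", managed=True,
                 os_patch_level=date(2019, 1, 1), av_definitions=date(2019, 3, 10)),
    DeviceRecord("aa:bb:cc:00:00:03", True, "mobile", managed=False,
                 os_patch_level=date(2019, 3, 5), av_definitions=None),
    DeviceRecord("aa:bb:cc:00:00:04", True, "iot"),
    DeviceRecord("aa:bb:cc:00:00:05", False, "unknown"),
]

if __name__ == "__main__":
    for mac, (decision, reasons) in evaluate_inventory(SAMPLE_INVENTORY, Policy(), TODAY).items():
        print(f"{mac}  {decision.value:<11} {'; '.join(reasons)}")
```

The ordering of the checks is the point: identification is evaluated before any posture check, because a posture report from a device that could not be identified is not worth trusting, and the managed/unmanaged distinction decides whether a failing device gets a remediation VLAN or is simply refused. In a real deployment the thresholds would come from the organisation's patch and signature-update cadence rather than the constructed values used here.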


Current cybersecurity trends


  • Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
  • Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
  • Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
  • Both ransomware and email exploits focus on the endpoint
  • Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
  • The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021, up from 10 billion today), and will not be possible to manage via manual means (i.e. responding as needed to all alerts, scanning traffic in real time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
  • The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
  • In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.


Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.


NAC As a Key Component of Your Cyber Defense Framework


At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.


Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.


So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:


  • The emergence of “SDP,” or “Software-Defined Perimeter,” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
  • CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks



Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.


Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.


In summary, enterprises need to:


  • Reevaluate their Cyber Defense Strategy
  • Understand there is No “One Size Fits All” Solution
  • The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
  • Beware of Untried Approaches – “The Shiny New Objects”
  • Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor



Email: support@leagsoft.com