Title: A Hadoop-Based Endpoint Protection Mechanism (一個基於雲端分析的端點防護機制)
Author: Lin, Jiun-Yu (林君豫)
Keywords: antivirus software; endpoint protection; cluster architecture control; cloud analysis
Publication date: 2015
Abstract: The number of endpoint users in enterprises and organizations is now clearly greater than in the past twenty years, and their devices are increasingly diverse. In particular, employees often connect their own devices to the internal network of the enterprise or organization, which makes endpoint security and management a very difficult challenge for IT departments. Strengthening the management of the various security software products in turn increases the hidden costs borne by enterprises and organizations. In response, antivirus vendors have been reworking their products, integrating advanced threat prevention technologies into a single agent program to improve on the original antivirus performance, with the aim of upgrading the protection of every kind of endpoint in the organization. In practice, however, most of these products emphasize only functionality: the monitoring service, the establishment of exception states, and virus classification and count statistics. They neglect the administrator's follow-up handling work, and so fail to deliver a significant effect on the internal information security control of an enterprise or organization. This study therefore applies a cloud analysis tool (Hadoop) to the Symantec Endpoint Protection Manager (SEPM) architecture, performing the analysis, implementing it, and generating a prioritized list of the endpoint protection items that should be handled first, to bring them to the administrator's attention. Finally, the effectiveness before and after use is assessed, and the results are good. Through cloud analysis technology, this study aims to strengthen the handling of information security events and reduce potential threats, as a reference for other enterprises or organizations seeking to raise their overall level of information security.
Appears in Collections: Thesis