EDR Product Technical White Paper
- Format: pdf
- Size: 2.07 MB
- Pages: 18
Sangfor EDR Quick Start Guide
Let the product bring you value quickly. Sangfor EDR is a next-generation endpoint security product that is lightweight and easy to use, protects in real time, and makes east-west traffic visible and controllable. The client is lightweight and transparent to business, needs no complex configuration, and supports semi-automated security operations.
Its features span prevention, protection, detection, response and operations: vulnerability and patch management; system security baseline checks; micro-segmentation traffic visibility; micro-segmentation traffic control; USB control; one-click port blocking; ransomware decoy (honeyfile) protection; dedicated fileless-attack protection; process allow/deny lists; global hot-threat synchronization; remote-login protection; real-time file monitoring; webshell detection; brute-force detection; unauthorized outbound connection monitoring; a rapid detection framework for prevalent viruses; the SAVE engine; macro virus repair; botnet evidence collection; process tracing; endpoint isolation; clean and remove; coordinated "encirclement" scanning of endpoints; asset inventory; visual dashboard and reports; alerts; API support; network-endpoint coordination; light-patch vulnerability immunization; and bulk deployment.
[Lightweight and easy to use] [Real-time protection] [East-west visibility and control] An innovative micro-segmentation technology makes traffic between endpoints visible and controllable on a business basis, while remaining simple to deploy and efficient to operate. Up to 30 functions built around the threat attack chain form a multi-layer defence. Cleanup and repair of malicious viruses (infectious viruses, macro viruses, CAD viruses, ransomware and other viruses that affect business continuity) is strong. Network-endpoint coordination reaches the highest level defined by Gartner.
Sangfor Endpoint Detection and Response platform (EDR); Sangfor AI-based detection engine SAVE (Sangfor AI-based Vanguard Engine).
Sangfor EDR has been listed in Microsoft's official endpoint security software recommendations and holds the Microsoft WHQL logo certification for Windows compatibility; its AI engine SAVE has also been admitted to the internationally recognised VirusTotal platform, placing its technical capability at the forefront of the industry.
Market achievements. Third-party evaluations: SKD Labs "Eastern Star" certificate; Microsoft official recommended antivirus for Windows 10/8/8.1; member of the China Anti-Network-Virus Alliance; SKD Labs Excellent Product Award (SKD AWARDS).
Q: There are countless viruses. We worry that our intranet systems will be infected and our business interrupted. Can viruses be detected and repaired quickly and effectively?
A (Xinfujun): Of course. EDR uses an AI-based funnel-shaped detection framework and centrally distributed scan policies to handle and repair malicious viruses (infectious viruses, CAD viruses, macro viruses, ransomware, etc.) quickly, with "zero" disruption to business.
Threat detection: open [Endpoint Management] -> [Policy Center] -> [Virus Scan] -> [Scan Configuration] to configure the multi-engine scan policy, as shown in the figure below.
WHITE PAPER
Figure 1: When deployed as part of the Fortinet Security Fabric, FortiClient can take advantage of threat-intelligence sharing to expand network visibility, detect attacks in real time, and coordinate threat response.
Integrated Endpoint and Network Security
Open Ecosystem
A critical starting point to integrating endpoint and network security is an integrated, open ecosystem of security solutions. Woven together to scale and adapt as business demands change, the Security Fabric enables companies to address the full spectrum of challenges across the expanding attack surface. Accordingly, as part of the Fortinet Security Fabric, FortiClient works alongside common antivirus (AV) and endpoint detection and response (EDR) solutions. For example, users of Microsoft Windows Defender can augment their endpoint protection with FortiClient capabilities such as sandbox integration and VPN support.
Endpoint Visibility and Management
FortiClient integrates endpoint and network security, providing seamless visibility and control across and between all endpoints, enforcing conditional access, and delivering automated threat response. It provides end-to-end visibility for both hosts and endpoint devices to help organizations harden endpoints and boost their security posture. Specifically, FortiClient simplifies endpoint management by centralizing key security tasks, identifying vulnerabilities, and correlating events to improve incident reporting. Following are the ways FortiClient integrates endpoint and network security to provide transparent visibility and management:
Telemetry-based risk awareness
FortiClient establishes risk awareness by sharing real-time endpoint telemetry with network security through the Fortinet Security Fabric. As part of this process, FortiAnalyzer collects logs from FortiClient and other network components and incorporates global threat intelligence from FortiGuard Labs into a single pane of glass.
Vulnerability management
FortiClient includes vulnerability scanning that allows IT infrastructure teams to discover and prioritize unpatched vulnerabilities. FortiClient also creates an applications inventory. This not only provides visibility into software license utilization but also helps identify potentially unwanted applications and outdated applications for which patching support may not be available. All of this results in a reduced endpoint attack surface.
Centralized provisioning and monitoring
FortiClient allows IT infrastructure teams to deploy endpoint security software and perform controlled upgrades to thousands of clients in just minutes, avoiding the time drain associated with manual deployment and minimizing human error. This seamless process is aided by FortiClient API integration with Microsoft Active Directory.
Alert verification
Integration between FortiClient and other security elements across the Security Fabric enables cross-referencing of events with network traffic. This feature helps to verify and triage alerts, enhancing the "signal-to-noise" ratio for incident reporting. As a result, IT infrastructure teams spend less time investigating false positives and are able to focus on identifying actual threats more accurately.
Proactive risk management
Organizations can augment their FortiClient endpoint security with an optional subscription to the FortiGuard Security Rating Service. The Security Rating Service helps IT infrastructure leaders improve their security in measurable ways and report their risk posture to executive management, boards of directors, and auditors. The Security Rating Service helps organizations understand where they stand in relation to peer organizations and accepted standards and provides actionable insights that IT infrastructure leaders can take to improve the organization's risk posture.
Secure Remote Access
FortiClient offers IT infrastructure teams a powerful toolset for securing access by remote users, including conditional access empowered through endpoint and network integration and streamlined virtual private network (VPN) access (Figure 2).
Figure 2: FortiClient supports both IPsec and SSL VPN connections to provide secure remote access to remote users and branch offices.
The FortiClient console allows administrators to provision VPN configurations and endpoint users to set up new VPN connections, saving time and reducing configuration errors.
Conditional access empowered through endpoint and network integration
Leveraging conditional access capabilities in FortiClient, the IT infrastructure team is able to control endpoint access dynamically through virtual groups that determine access rights. Thus, as an example, only users in a finance group can retrieve information from the organization's financial database, while users in sales or engineering groups cannot. Accordingly, FortiGate next-generation firewalls (NGFWs) retrieve and use FortiClient virtual groups to create firewall policies that enforce conditional access. This process is automatable since FortiGate NGFWs and FortiClient are integrated within the Security Fabric. Security enforcement also extends beyond virtual group access by automating conditional access: if an endpoint is out of compliance according to a preset condition (e.g., the device lacks a critical iOS or Android patch for a specified timeframe), FortiClient will assign the user to a security-risk virtual group. By virtue of this designation, FortiGate NGFWs deny access to all resources except for internet connectivity. Once a user installs the required patch, FortiClient removes the user from the security-risk group, thereby restoring previous access rights.
Streamlined VPN access
Secure sockets layer (SSL)/transport layer security (TLS) and IPsec VPN features in FortiClient provide secure and reliable access to corporate networks and applications from virtually any internet-connected remote location. FortiClient simplifies the remote user experience with built-in auto-connect and always-up VPN capability. Integration with FortiAuthenticator allows network teams to add two-factor authentication for additional access security. In addition, FortiClient integrates with Microsoft Active Directory to facilitate authentication and VPN logins using Active Directory credentials.
Proactive Threat Response
FortiClient leverages machine learning (ML)-based anti-malware, exploit prevention, web filtering, and sandbox integration to proactively protect endpoint devices. Here, FortiClient shares real-time threat intelligence across and between all endpoints and network security components to enable enterprisewide protection, regardless of where the threat is first discovered. Threat-intelligence sharing facilitates automated responses, containing outbreaks in near real time and thereby reducing time to containment and resolution.
Automated remediation
FortiClient automatically quarantines suspect devices to limit the spread of infection to other parts of the network. It also supports automatic patching for software applications and operating systems, even when the endpoint is offline. These features help IT infrastructure leaders to ensure compliance with increasingly strict data privacy standards and industry regulations.
Web filtering
FortiClient delivers web security, web content filtering, and granular Software-as-a-Service (SaaS) control. In this case, it monitors browser and web application activity and enforces policies.
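The conditional-access mechanism described under "Conditional access empowered through endpoint and network integration" above (a compliance condition evaluated from endpoint telemetry, a security-risk virtual group, and a firewall policy keyed on the group) modelled as an added Python example. This is illustration code written for this page, not FortiClient or FortiGate code; the grace period, group names, destination names and endpoint records are constructed assumptions.

```python
"""Conditional access driven by endpoint compliance and virtual groups.

Added illustration for this page, not FortiClient or FortiGate code.
It models the workflow described in the text: endpoint telemetry is
checked against a compliance condition (a critical patch missing for
longer than a grace period), a non-compliant endpoint is moved into a
"security-risk" virtual group, the firewall policy for that group
permits internet access only, and installing the patch restores the
original group and its access rights.  Grace period, group names,
destination names and endpoint records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 7                 # assumed grace period for critical patches
RISK_GROUP = "security-risk"

# Per-group firewall policy: the destinations a group may reach.
# (Constructed; a FortiGate policy would key on the same group names.)
POLICY = {
    "finance":  {"internet", "finance-db", "file-share"},
    "sales":    {"internet", "crm", "file-share"},
    RISK_GROUP: {"internet"},  # quarantine posture: internet only
}


@dataclass
class Endpoint:
    name: str
    base_group: str                                   # role-derived group
    # critical patch id -> date the vendor released it; absent = installed
    missing_critical: dict = field(default_factory=dict)

    def install_patch(self, patch_id: str) -> None:
        self.missing_critical.pop(patch_id, None)


def is_compliant(ep: Endpoint, today: date, grace_days: int = GRACE_DAYS) -> bool:
    """Compliant unless a critical patch has been available longer than grace_days."""
    deadline = today - timedelta(days=grace_days)
    return all(released > deadline for released in ep.missing_critical.values())


def virtual_group(ep: Endpoint, today: date) -> str:
    """The group the firewall sees: the base group, or security-risk when non-compliant."""
    return ep.base_group if is_compliant(ep, today) else RISK_GROUP


def can_reach(ep: Endpoint, dest: str, today: date) -> bool:
    """Firewall decision for one destination, derived from the current virtual group."""
    return dest in POLICY[virtual_group(ep, today)]


def demo():
    """Walk one finance laptop through non-compliance and remediation."""
    today = date(2019, 10, 18)                         # constructed reference date
    fin = Endpoint("fin-laptop-01", "finance",
                   missing_critical={"CRIT-2019-001": today - timedelta(days=30)})
    sales = Endpoint("sales-laptop-07", "sales",
                     missing_critical={"CRIT-2019-001": today - timedelta(days=2)})
    before = (virtual_group(fin, today), can_reach(fin, "finance-db", today),
              can_reach(fin, "internet", today))
    fin.install_patch("CRIT-2019-001")                 # the user applies the patch
    after = (virtual_group(fin, today), can_reach(fin, "finance-db", today),
             can_reach(fin, "internet", today))
    return before, after, virtual_group(sales, today)  # sales is still inside the grace period


if __name__ == "__main__":
    print(demo())
```

The point of keeping the policy keyed on group names rather than on individual endpoints is that the enforcement point (the firewall) never has to know why an endpoint landed in the security-risk group; it only needs the group, which is exactly what lets the compliance condition change without touching firewall rules.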
FortiClient web filtering supports a variety of user devices, including Windows, Mac, iOS, Android, and Chromebook. Additionally, with FortiClient, IT infrastructure teams can set a consistent policy for devices when they are on and off the network. This enables them to avoid the time and expense needed to deploy and manage a third-party web filtering solution or web proxy tools.
Sandbox integration
FortiClient submits unknown or suspicious objects to FortiSandbox for detailed analysis. Once FortiSandbox identifies the threat, it notifies all FortiClient-protected endpoints and other security elements within the Security Fabric (Figure 3). This proactive approach allows IT infrastructure leaders to pinpoint and block unknown and zero-day threats quickly and easily.
Figure 3: By integrating with the Security Fabric, FortiClient automates the process of quarantining suspicious or compromised endpoints.
Conclusion
FortiClient facilitates deep integration between endpoint security and network security, especially when deployed as part of the Fortinet Security Fabric. This integration strengthens not only endpoint security but also network security. At the same time, automation of endpoint security workflows and threat-intelligence sharing enables IT infrastructure leaders to streamline operations. This helps them deal with the cybersecurity skills shortage. In addition to the above, FortiClient gives IT infrastructure teams end-to-end risk visibility based on threat-intelligence sharing and full control of security policies and responses. At the same time, it offers flexible, powerful remote access security with conditional admission and VPN support. Finally, FortiClient delivers proactive threat response with integrated, automated remediation, sandbox integration, web filtering, and interoperability with common AV and EDR solutions.
Copyright © 2019 Fortinet, Inc. All rights reserved. October 18, 2019.
Edge OTN Solution Technical White Paper. Document version V1.1, release date 2021-03-20. Huawei Technologies Co., Ltd. Copyright © Huawei Technologies Co., Ltd. 2021.
Contents
1 Trends and challenges of FMEC network convergence
1.1 Rapid growth in demand for premium services
1.2 Converged services become a trend
1.3 Challenges facing FMEC network construction
1.4 Summary
2 Edge OTN is the best choice for building converged FMEC networks
2.1 Edge OTN architecture
2.2 Precise network deployment based on value areas
2.3 Summary
3 Edge OTN key technologies
3.1 Enhanced environmental adaptability
3.2 Mixed grey-light and coloured-light transmission
3.3 Liquid OTN technology
3.4 High-precision time synchronization
4 Huawei Edge OTN solution
4.1 Precise planning tools
4.2 All-scenario deployment capability
4.3 Innovative optical-layer and electrical-layer solutions
4.3.1 Simplified optical layer
4.3.2 X+Y distributed electrical layer
4.3.3 Innovative line rates
4.3.4 Typical smooth-evolution schemes
4.4 Intelligent O&M
4.4.1 NCE intelligent management and control
4.4.2 Automatic optical-layer commissioning
4.4.3 Intelligent fibre management
4.4.4 Intelligent optical performance management
5 Summary
A Abbreviations
1 Trends and Challenges of FMEC Network Convergence
1.1 Rapid growth in demand for premium services
Broadband has become a basic resource that people need for production and daily life.
EDRP Enterprise Digital Rights Protection System Technical White Paper, December 2007
Contents
1 Overview
1.1 System introduction
1.2 System composition
1) Hardware
2) Software
3) Architecture
2 Main functions
2.1 Security management center
2.2 Token management center
2.3 USB-drive management center
2.4 Policy editor
2.5 Policy distributor
2.6 Policy server
2.7 Document server
2.8 Client
3 Product features
3.1 PKI-based, dual-key design
3.2 Fully transparent on-the-fly encryption
3.3 Kernel-level encryption supporting any file format
3.4 Handling of copy, paste, drag-and-drop and screen capture
3.5 Flexible group policies
3.6 Centralized and decentralized document management
4 Design philosophy
4.1 Goals
4.2 Implementation principle
5 System requirements
6 Key technologies
6.1 Identification by content rather than by file extension
6.2 Not relying on process names to decide whether a program is controlled
6.3 User-friendly control of copy, paste, drag-and-drop and screen capture
7 Product advantages
1 Overview
1.1 System introduction
In today's information society, industrial spies, hackers and malicious employees pose a huge threat to enterprise information security.
The spread of networks and the widespread use of USB ports, while making it far more convenient to obtain and exchange information, also open the door wide to these threats. How is this to be managed? Most enterprises remove optical and floppy drives, block USB ports, restrict Internet access and take similar measures to reduce information exchange as far as possible in order to keep information confidential, or they install monitoring software that watches employees' daily work so that they dare not act rashly. But all of these methods seriously hamper convenience at work, readily provoke employee resentment and may even raise legal problems. Moreover, ample evidence now shows that they are not very effective: important files still leak. In 2003 the US FBI and the Computer Security Institute (CSI) surveyed hundreds of enterprises; the survey concluded that the vast majority of leaks were carried out by insiders or through collusion between insiders and outsiders.
How SOAR Is Transforming Threat Intelligence
The benefits of digital transformation for any enterprise are clear, but the transformation also comes with security implications as new technologies expand the attack surface, enabling attackers to come from anywhere. With cloud computing, automation, and artificial intelligence now mainstream, attackers can carry out their campaigns at unprecedented levels of sophistication and scale with minimal human intervention. Today, threat actors attack computers every 39 seconds.[1] A report by Cybersecurity Ventures projects that by 2021, a business will fall victim to ransomware every 11 seconds.[2] This is only possible because attackers are taking advantage of machine speed. Defenders, for their part, need to detect, investigate, and respond to advanced cyberthreats. Unfortunately, security teams of all sizes are overwhelmed and unable to function at full capacity due to a shortage of cybersecurity skills, high volumes of low-fidelity alerts, a plethora of disconnected security tools, and lack of external threat context. To address these challenges, we first need to break down the inner workings of a SOC and get a sense of what happens. Only then will we be able to appreciate the enormity of what SOC teams are up against and begin to apply solutions that work.
In larger organizations, mature security operations teams have a lot of moving parts. Three main functions make up effective security operations: SOC analysts, incident responders, and threat analysts.
SOC Analysts
SOC analysts look at thousands of internal alerts daily, sourced by security information and event management (SIEM) technologies, endpoint detection and response (EDR) systems, and sometimes hundreds of other internal security tools. Their job is to be the eyes of the enterprise: to detect, investigate, determine root cause of, and respond quickly to security incidents. SOC analysts continuously monitor the network using detection tools, identifying and investigating potential threats. Once they identify a potential risk, analysts also need to document their findings and share recommended actions with other stakeholders. All this means SOC analysts often struggle with:
• Alert fatigue: The average enterprise receives more than 11,000 security alerts per day,[3] and doesn't have enough people to handle them.
• Lack of time: Repetitive, manual, and administrative tasks take too long. A lack of integration across the many tools analysts must use slows down every stage of the process.
• Limited context: It often takes days to investigate and respond to threats. Security tools don't provide adequate context on alerts or their relevance to the environment, forcing analysts to piece these things together manually.
To overcome these problems, analysts need:
• Automation to take care of daily tasks so they can focus on what really matters.
• Real-time collaboration with the rest of the team so they are always in sync and learning from one another.
• Threat intelligence that delivers context to help them understand the relevance and potential impact of a threat.
Figure 1: SOC analyst challenges (too many alerts and not enough people to handle them; repetitive and manual actions across tools, processes and people; it takes days to investigate and respond to threats).
Incident Responders
Incident responders are worried about damage control. They look for possible breaches, and if they find evidence of one, their job is to investigate and prevent it from spreading. Due to the sensitive nature of breaches, all evidence needs to be well-documented and shared with all the stakeholders. Incident responders have access to tools that help them contain breaches, such as EDR tools to kill the end host. They engage firewall administrators to deploy policies that block propagation at the network level. They heavily rely on external threat intelligence to learn about the profiles and common techniques of attackers, allowing them to respond confidently and with precision. Accordingly, incident responders are challenged when it comes to:
• Knowledge transfer, where a lack of collaboration between teams introduces gaps in security.
• Case management, because generic case management is not ideal for security use cases, resulting in inefficiency and poor documentation.
• Lack of threat intelligence, as many incident responders are forced to use manual, flawed processes to gain context around external threats, causing delays and risks.
Incident responders need:
• Full security case management to document their findings in detail and enable them to collaborate in real time with other stakeholders as well as provide preventive and quarantine measures across the enterprise.
• Threat intelligence to provide deeper context around attackers and their motivations.
Figure 2: Incident responder challenges (disparate knowledge transfer introduces communication gaps; insufficient, non-security-centric case management results in inefficiency; lack of threat intelligence means missing real-world external context to prioritize alerts).
Threat Intelligence Analysts/Programs
Threat analysts identify potential risks to organizations that have not been observed in the network. They provide context around potential threats by combining external threat intelligence feeds from multiple sources with human intelligence. According to a recent survey conducted by the SANS Institute, 49.5% of organizations have some type of a threat intelligence team or program with its own dedicated budget and staffing.[4] This is evidence of the growing importance of threat intelligence analysts, who help to identify attackers, uncovering their motivations, techniques, and processes. Threat intelligence teams pass their findings on specific attacks as well as broader threat landscape reports to SOC and incident response teams to build better preventive measures. Threat intelligence analysts face:
• Lack of control over threat intelligence feeds, forcing the analysts to manually tune and score indicators of compromise (IOCs) to match their environment.
• Siloed workflows causing poor communication and integration between incident response and threat intelligence tools, teams, and processes.
• Difficulty taking action, since putting threat intel into action is highly manual and relies on other teams.
Threat intelligence analysts need:
• Full control over threat intelligence feed indicators to build their own logic and reputation based on their environment and business needs.
• Collaboration with other teams to quickly arm them with rich context and up-to-date research.
• Robust documentation to capture their findings.
Figure 3: Difficulties facing threat analysts (lack of control: manual tuning and scoring of IOCs; siloed workflows: incidents and threat intel are broken across tools, people and process; putting threat intel into action is highly manual and repetitive).
Figure 4: Holistic view of a typical day in a SOC (a single bad IP address, 1.1.1.1 in the figure, is chased across feeds, malware analysis, EDR, the SIEM, spreadsheets, research reports, email, end users, assets, the firewall, network topology and industry peers to answer: How bad is it? Who is behind it? Are we impacted? Who is using this IP address? Which policy is blocking it?).
Security orchestration, automation, and response (SOAR) platforms are used to manage alerts across all sources, standardize processes with playbooks, and automate response for any security use case, but there is still a significant gap when it comes to threat intelligence management. This has been identified as an issue, with guidance that SOAR and threat intelligence platforms (TIPs) need to converge. TIPs are merely adding complexity by aggregating intelligence sources without the real-world context or automation required to take quick, confident action. It's time for a different approach.
Figure 5: A typical SOAR + TIP siloed deployment.
We Need an Extended SOAR Platform
Cortex™ XSOAR, with native Threat Intel Management, just makes sense. Cortex XSOAR unifies case management, real-time collaboration, automation, and Threat Intel Management in the industry's first extended security orchestration, automation, and response platform. As part of the extensible Cortex XSOAR platform, Threat Intel Management defines a new approach by unifying threat intelligence aggregation, scoring, and sharing with playbook-driven automation. It empowers security leaders with instant clarity into high-priority threats to drive the right response, in the right way, across the entire enterprise.
Figure 6: Cortex XSOAR playbook-driven automation (370+ third-party tools, Cortex XDR, people, API and other sources, ISAC, premium and AutoFocus intelligence feeding playbooks and response).
Figure 7: Benefits of Threat Intel Management (take complete control of your threat intelligence feeds; make smarter incident response decisions by enriching every tool and process; close the loop between intelligence and action with playbook-driven automation).
Cortex XSOAR allows you to:
• Eliminate manual tasks with automated playbooks to aggregate, parse, deduplicate, and manage millions of daily indicators across multiple feed sources. Extend and edit IOC scoring with ease. Find providers that have the most relevant indicators for your specific environment.
• Reveal critical threats by layering third-party threat intelligence with internal incidents to prioritize alerts and make smarter response decisions. Supercharge investigations with high-fidelity, built-in threat intelligence from the Palo Alto Networks AutoFocus™ service. Enrich any detection, monitoring, or response tool with context from curated threat intelligence.
Security analysts deal with millions of indicators collected from hundreds of multi-sourced intelligence feeds. These indicators lack the context required for analysts to make informed decisions and take action with precision. The tools at their disposal can't handle the sheer volume of indicators, and analysts end up re-prioritizing indicators to match their environment. Native Threat Intel Management gives analysts complete control and flexibility to incorporate any business logic into their scoring. Built-in integration with more than 370 vendors allows analysts to react in real time as the indicators are consumed.
Figure 9: Challenges of disconnected intelligence tools (feeds report millions of indicators on a daily basis; indicators lack the context analysts need to make informed decisions and take action; tools handle limited amounts of threat intelligence data and analysts need to constantly re-prioritize indicators).
Figure 10: Intelligence management before and after Cortex XSOAR (ISACs, APIs and third-party feeds flow through automated playbooks into indicator value reports, indicator lifecycle, intel sharing, visualization, and threat intelligence enrichment and prioritization).
Breadth of Cortex XSOAR Use Cases
The open and extensible Cortex XSOAR platform can be applied to a wide range of use cases—even to processes outside the purview of the SOC or security incident response team. Some of the most common use cases include phishing, security operations, incident alert handling, cloud security orchestration, vulnerability management, and threat hunting.
The future of SOAR includes native Threat Intel Management, enabling teams to break down silos between security operations and threat intelligence functions. When these are offered together in one platform, SOC analysts, incident responders, and threat intelligence teams can unify their efforts against advanced adversaries, optimizing their communication, efficiency, and access to insights. Cortex XSOAR redefines orchestration, automation, and response with the industry's first extended SOAR platform that includes automation, orchestration, real-time collaboration, case management, and Threat Intel Management, enabling security teams to keep pace with attackers now and in the future. Visit us online to learn more about Cortex XSOAR.
Figure 11: Cortex XSOAR benefits across the SOC (incorporate any business logic into collection, scoring, and integrations to security devices; react in real time to new indicators as they are consumed; defend your network instead of spending time building integrations).
Notes
1. "Hackers Attack Every 39 Seconds," Security Magazine, February 10, 2017.
2. "Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021," Cybercrime Magazine, December 7, 2018.
3. According to a commissioned study conducted by Forrester Consulting on behalf of Palo Alto Networks, February 2020. As of the publication of this document, the report has not yet been officially released.
4. "2020 SANS Cyber Threat Intelligence (CTI) Survey," SANS Institute, February 11, 2020.
© 2020 Palo Alto Networks, Inc. how-cortex-is-transforming-threat-intelligence-wp-041720
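The aggregation, deduplication and scoring steps listed above ("aggregate, parse, deduplicate, and manage millions of daily indicators across multiple feed sources" and "incorporate any business logic into their scoring"), as an added Python example. This is illustration code written for this page, not Cortex XSOAR code and not from Palo Alto Networks. The feed names, reliability weights, scoring formula, expiry window and every indicator record are constructed for the example.

```python
"""Aggregate, normalize, deduplicate and score indicators from several feeds.

Added example for this page, not Cortex XSOAR code.  It walks through the
threat intel management steps listed above: parsing feeds that arrive in
different formats, refanging and normalizing values, collapsing duplicates
across feeds, and applying environment-specific business logic to the score
(feed reliability weights, corroboration, an internal-sighting boost, age
decay and an expiry lifecycle).  Feed names, weights, thresholds, the
scoring formula and every indicator record below are constructed.
"""
import csv
import io
import json
import re
from datetime import date

FEED_WEIGHT = {"vendor-premium": 0.9, "isac-share": 0.7, "osint-blog": 0.4}  # assumed reliability
MAX_AGE_DAYS = 30        # indicators not seen for longer than this expire (score 0)
SIGHTING_BOOST = 25      # added when our own sensors have seen the indicator
TYPE_ALIASES = {"ipv4-addr": "ip", "domain-name": "domain"}

# Constructed sample feeds in three formats.
FEED_CSV = """indicator,type,confidence,last_seen
hxxp://evil[.]example/dl,url,80,2020-04-10
198[.]51[.]100[.]7,ip,60,2020-04-15
EVIL.example,domain,50,2020-03-01
"""
FEED_JSON = json.dumps([
    {"value": "198.51.100.7", "type": "ipv4-addr", "confidence": 90, "last_seen": "2020-04-16"},
    {"value": "evil.example", "type": "domain-name", "confidence": 70, "last_seen": "2020-04-12"},
    {"value": "203.0.113.9", "type": "ipv4-addr", "confidence": 30, "last_seen": "2020-01-02"},
])
FEED_TXT = "198.51.100.7\nEvil.Example\n"   # untyped, one indicator per line


def refang(value: str) -> str:
    """Undo common defanging: hxxp -> http, [.] and (.) -> ."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".")


def infer_type(value: str) -> str:
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        return "ip"
    if re.match(r"https?://", value, flags=re.I):
        return "url"
    return "domain"


def normalize(value: str, itype=None):
    """Return (canonical type, canonical value) so duplicates collide on one key."""
    v = refang(value)
    t = TYPE_ALIASES.get(itype, itype) or infer_type(v)
    if t in ("ip", "domain"):
        v = v.lower()
    elif t == "url":                        # lower-case scheme and host only, keep the path
        m = re.match(r"(?i)(https?://)([^/]+)(.*)", v)
        if m:
            v = m.group(1).lower() + m.group(2).lower() + m.group(3)
    return t, v


def parse_feed(source: str, fmt: str, text: str, today: date):
    """Yield uniform records {value, type, confidence, last_seen, source} from one feed."""
    if fmt == "csv":
        rows = [{"value": r["indicator"], "type": r["type"], "confidence": r["confidence"],
                 "last_seen": r["last_seen"]} for r in csv.DictReader(io.StringIO(text))]
    elif fmt == "json":
        rows = json.loads(text)
    else:                                   # plain text: no type, default confidence, seen now
        rows = [{"value": ln, "type": None, "confidence": 50, "last_seen": today.isoformat()}
                for ln in text.splitlines() if ln.strip()]
    for r in rows:
        yield {"value": r["value"], "type": r["type"], "confidence": int(r["confidence"]),
               "last_seen": date.fromisoformat(r["last_seen"]), "source": source}


def aggregate(records):
    """Deduplicate on (type, value); keep each feed's best confidence and the latest sighting."""
    merged = {}
    for r in records:
        t, v = normalize(r["value"], r["type"])
        e = merged.setdefault((t, v), {"type": t, "value": v, "sources": {}, "last_seen": r["last_seen"]})
        e["sources"][r["source"]] = max(e["sources"].get(r["source"], 0), r["confidence"])
        e["last_seen"] = max(e["last_seen"], r["last_seen"])
    return merged


def score(entry, today: date, internal_sightings) -> int:
    """Business logic: reliability-weighted confidence + corroboration + sighting boost - age."""
    age = (today - entry["last_seen"]).days
    if age > MAX_AGE_DAYS:
        return 0                            # expired: lifecycle end, leaves blocking lists
    weights = {s: FEED_WEIGHT.get(s, 0.2) for s in entry["sources"]}
    s = sum(entry["sources"][src] * w for src, w in weights.items()) / sum(weights.values())
    s += 10 * (len(entry["sources"]) - 1)   # each additional independent source corroborates
    if (entry["type"], entry["value"]) in internal_sightings:
        s += SIGHTING_BOOST                 # seen in our own environment: far more relevant
    s -= age                                # one point per day since last seen
    return max(0, min(100, round(s)))


def prioritize(today_iso: str, internal_sightings=frozenset()):
    """Full pipeline; returns [(score, type, value, [sources])], best first."""
    today = date.fromisoformat(today_iso)
    records = list(parse_feed("vendor-premium", "csv", FEED_CSV, today))
    records += parse_feed("isac-share", "json", FEED_JSON, today)
    records += parse_feed("osint-blog", "txt", FEED_TXT, today)
    ranked = [(score(e, today, internal_sightings), e["type"], e["value"], sorted(e["sources"]))
              for e in aggregate(records).values()]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for row in prioritize("2020-04-17", {("ip", "198.51.100.7")}):
        print(row)
```

Note that the same IP arrives defanged in one feed, as a STIX-style "ipv4-addr" in another and as bare text in a third; without the normalization step the three would be scored as unrelated indicators and the corroboration bonus would never apply. The internal-sighting set is where SIEM or EDR matches from your own environment plug in, which is the "layering third-party threat intelligence with internal incidents" point made above.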
Global Eye Information Leak Alarm System White Paper
Contents
1. Network security background
2. Design philosophy of the information leak alarm system
3. Architecture of the information leak alarm system
4. Main functions of the information leak alarm system
4.1 Core functions
4.2 Reports and statistics
4.3 Client management
4.4 Query
5. Characteristics of the information leak alarm system
5.1 Stealth
5.2 Targeting
5.3 Penetration
5.4 Accuracy
6. Advantages of the information leak alarm system
6.1 Existing anti-spyware systems
6.2 Comparison with traditional anti-spyware
6.3 Advantages of the information leak alarm system
7. Practical application and scope of the product
7.1 Practical application
7.2 Applicable scope
1. Network security background
In the current complex international situation and international network security environment, networks, being global, covert, flexible, fast and convenient, are used by more and more organizations and individuals to conduct espionage. Unlike traditional espionage, this new form of network espionage has two characteristics. First, network spies are well hidden and hard to expose: stealing intelligence over computer networks leaves almost no trace and usually does no damage to the target network, so it is very hard to discover and distinguish. Second, network espionage is highly efficient and highly dangerous: once network spies break into an important computer system, especially if they gain privileged access, they can use it as a base to obtain large volumes of highly XX information continuously, while the victim often has no idea what has been lost. Network spies are little constrained by space and time and work very flexibly: the Internet spans the globe, and a target network can be entered from any terminal, even via public networks. In theory a network spy can attempt to enter an adversary's network from anywhere in the world that has network access.
Today computers and their networks are penetrating every sector of society at great speed, and the more developed a country is, the more it depends on computer networks, which are precisely where XX is most concentrated. With the wide use of computer networks, large volumes of XX information are stored on or transmitted over them. The importance of network security is self-evident.
2. Design philosophy of the information leak alarm system
In the information age, computer networks give spies fast and efficient means, and at the same time have triggered a revolution in counter-espionage. The information leak alarm system was designed for precisely this reason.
Chapter 1 Overview
In the twenty-first century, information technology represented by computers and network communications has developed rapidly. Modern government departments, financial institutions, enterprises, public institutions and commercial organizations depend ever more on information systems and computer endpoints for daily work; information technology has penetrated almost every industry and every aspect of work and life. An organization's normal operation depends heavily on its information systems, so protecting the services and data they carry is especially important: defects in data security and integrity, or in endpoint reliability and availability, will bring incalculable losses. Moreover, the globalized Internet means organizations not only depend on information systems but inevitably connect their computers closely with external information systems. Facing threats from outside and from inside, the need to protect information systems and their endpoints is all the more prominent.
Facing increasingly severe security risks, most organizations build their protection around perimeter security gateway devices, which to some degree resist external attacks. But internal information systems keep changing and developing; the environment is open and shared at all times and should not exist as an island. External threats are only part of the risk; as an important part of the office environment, open information systems and office endpoints face even more severe internal threats. That is why endpoint security is so important and yet such an easily overlooked weak link.
XX's endpoint computers are numerous, widely distributed and hard to manage; XX's information security staff are few, endpoint environments are complex and threat events are frequent, which leaves security staff in a passive position on endpoint security. Once virus infection, malicious destruction and propagation, or data loss occurs on an endpoint, XX will suffer severe losses with unthinkable consequences. Because XX's departments and employees vary widely in their awareness of compliant computer use, endpoint security and virus prevention, the security of the computer information system has already been seriously affected. For these reasons, endpoint security protection for XX's information systems must be done comprehensively, by building an endpoint detection and response system at XX to ensure that XX's daily office work runs securely, stably and efficiently.
Chapter 2 Application Scenarios and Risk Analysis
2.1 Overview of antivirus deployment
With the rapid development of informatization, the normal office work of an organization's staff is inseparable from computer endpoints, which bring convenience to users but also an endless stream of security threats.
Huawei Full-Series Data Communication Products White Paper
Part 1: Introduction
Data communication products play a vital role in modern society; they are the bridges that connect the world and promote the transfer and exchange of information. As a global leader in communication technology solutions, Huawei has launched a series of high-quality data communication products to meet customer needs. This white paper introduces the technical characteristics, application scenarios and advantages of Huawei's full series of data communication products to help users understand them and choose the products that suit them.
Part 2: Product overview
Huawei's full series of data communication products includes routers, switches, optical transmission equipment and other categories. These products are highly stable, reliable and secure, ensuring the quality and efficiency of data transmission. Huawei routers are among the leading products in the industry, supporting high-speed connections, stable operation and intelligent optimization. Switches provide flexible network management and control for environments of different sizes and needs. Optical transmission equipment enables high-capacity, long-distance data transfer and is particularly suited to telecommunications, finance and large enterprises.
Part 3: Technical characteristics
Huawei's data communication products share several important technical characteristics. First, they use advanced hardware and software technologies for efficient data processing and transmission. Second, they support flexible network configuration and management and can be customized and extended to actual needs. They are also highly secure, using advanced encryption and authentication technologies to protect the confidentiality and integrity of data. In addition, they support intelligent operations and management, improving network performance and stability through data analysis and optimization.
Part 4: Application scenarios
Huawei data communication products are widely used across many fields. They meet data communication needs of different sizes and suit carriers, enterprises and individual users. For carriers, Huawei products build high-speed, stable and secure communication networks that support their business and services. For enterprises, they enable flexible network management and control and provide efficient data transmission and storage solutions. For individual users, they provide high-speed network connections and intelligent home network management for entertainment and daily life.
Part 5: Product advantages
Huawei data communication products have several advantages. First, they have leading technology and innovation capability to meet constantly changing market demands.
NSFOCUS Operation and Maintenance Security Management System Product White Paper © 2018 NSFOCUS
Contents
I. Background
1.1 Shared O&M accounts and coarse-grained permission management
1.2 Coarse-grained audit logs that are easily lost and hard to pinpoint
1.3 Pressure of regulatory compliance
1.4 Heavy and tedious O&M work
1.5 The rapid growth of virtualization and cloud technology
II. Product overview
2.1 The O&M security management system
2.2 Objectives
2.3 Application scenarios
2.3.1 Administrators define O&M management policies
2.3.2 Ordinary O&M users access target devices
2.4 System value
III. Product introduction
3.1 System functions
3.2 System architecture
IV. Product features
4.1 Multi-dimensional, fine-grained authentication and authorization
4.1.1 Flexible user authentication methods
4.1.2 Fine-grained O&M access control
4.1.3 Multi-dimensional O&M access authorization
4.2 Efficient, intelligent asset management
4.2.1 Intelligent inspection of managed devices and device accounts
4.2.2 Efficient management of devices and device accounts
4.3 A rich variety of O&M channels
4.3.1 Web (B/S) access
4.3.2 Client (C/S) access
4.3.3 Seamless cross-platform management
4.3.4 Strong application extensibility
4.4 High-fidelity, easy-to-understand, quick-to-locate auditing
4.4.1 Two-layer auditing of database operations: graphical and command-line
4.4.2 Auditing based on a unique identity
4.4.3 Full-session O&M behaviour auditing
4.4.4 "Zero-management" audit information
4.4.5 Text search to locate playback in session recordings
4.5 Stable and reliable system security
4.5.1 System security
4.5.2 Data security
4.6 Rapid deployment, easy to use
4.6.1 Physically out of path, logically in line
4.6.2 Configuration wizard
V. Customer benefits
List of figures
Figure 1.1 Current relationship between users and O&M accounts
Figure 2.1 Core idea
Figure 2.2 O&M administrator defines policies
Figure 2.3 Ordinary user accesses target devices
Figure 3.1 System functions
Figure 3.2 System architecture
Jump-host (front-end machine) architecture diagram
Figure 4.1 Two-layer auditing of database operations, graphical and command-line
Figure 4.2 Text search to locate recording playback
Figure 4.3 Product deployment
I. Background
With the development of informatization, the IT systems of enterprises and public institutions keep growing: network scale expands rapidly and device counts surge; the focus of construction gradually shifts from building the network platform to an operations phase characterized by deepening applications and improving efficiency; and IT operations and security management are converging.
Contents
1. Background
1.1 Security background and challenges
2. Overall architecture
2.1 Architecture design
3. Core technologies
3.1 Multi-dimensional intelligent detection technology
3.1.1 File reputation detection engine
3.1.2 Gene-feature detection engine
3.1.3 AI-based SAVE engine
3.1.4 Behaviour engine
3.1.5 Cloud lookup engine
3.2 Comprehensive web backdoor detection technology
3.3 Innovative micro-segmentation based on the host firewall
3.3.1 Principles of micro-segmentation
3.3.2 Access-relationship control
3.3.3 Access-relationship visualization
3.4 Network-endpoint-cloud coordinated device response technology
3.5 Rule-matching patch detection and update technology
4. Value and results
4.1 Comprehensive management of endpoint assets
4.2 Endpoint security compliance checks
4.3 Real-time defence against ransomware
4.4 Proactive detection of intrusion attacks
4.5 Rapid response to hot-topic events
4.6 Policy control of access relationships
5. Outlook
1. Background
1.1 Security background and challenges
In recent years, traditional virus and trojan attacks have not gone away while ever more advanced attacks keep appearing, and ransomware and cryptomining trojan incidents are frequent. The WannaCry outbreak affected more than 150 countries and over 300,000 users, with economic losses of 8 billion US dollars, and the spread of GlobeImposter hit domestic healthcare, finance and education hard. This severe security situation has caused serious economic damage and social impact for enterprises.
Enterprise endpoint security faces severe challenges in the new era. Compared with personal endpoints, enterprise endpoints and data are higher-value assets, and an office LAN made up of endpoints, servers and other hardware and software brings more complex virus sources, infection routes and propagation paths. Enterprise users therefore face harsher endpoint security challenges and higher requirements for protection, management and application. The problems are as follows.
First, manual operations drive up the cost of threat defence. Traditional endpoint security products are driven by policies and signatures, supplemented by organizational rules and operating procedures. Once an advanced threat appears it spreads uncontrollably, labour costs grow geometrically, and very high expertise is demanded of operations staff, making effective response difficult.
Second, signature-matching antivirus cannot effectively resist new viruses. In an environment where advanced threats keep emerging, scanning against a signature database is passive and reactive and cannot defend against new viruses such as the WannaCry ransomware in time. In addition, the local signature database is limited in size; the current scale of signature files cannot meet even the need to detect known viruses.
Third, growing signature databases burden host computing resources. The ever-growing local signature database raises endpoint storage and compute costs; the defence process already seriously affects users' daily work and cannot adapt to new scenarios such as cloud environments.
Fourth, outdated remediation cannot keep up with new propagation methods and environments. Handling based on file quarantine is relatively backward: if quarantine fails, a single-point threat quickly radiates across the estate, so traditional antivirus products can no longer adapt to new virus propagation methods and environments.
In the current situation, traditional antivirus cannot block viruses and malicious intrusions 100%; under APT attacks in particular, users may remain unaware of a threat for a long time. EDR products were born to solve exactly this problem. Foreign EDR vendors in particular do not provide traditional antivirus capabilities but play a complementary role, as the figure below shows. The rise of EDR technology has produced a batch of new endpoint security vendors worldwide, while traditional endpoint security vendors are also absorbing this technology. Specifically, next-generation endpoint security companies offer products based on machine-learning algorithms to block traditional and emerging threats, while endpoint detection and response (EDR) vendors monitor PC behaviour looking for anomalous activity.
Any product must ultimately come back to genuinely solving users' problems, and an integrated endpoint security solution is the general trend; as Gartner points out in its analysis of the EDR architecture, traditional EPP solutions and current EDR solutions will converge. Sangfor saw this trend from the start, aimed at this goal, and launched a complete (EPP+EDR) endpoint security solution. The solution consists of lightweight endpoint software and management platform software and is named "Sangfor EDR"; it is in fact an EDR product with EPP capabilities, referred to below simply as EDR. As the figure above shows, through protection in three stages, prevention beforehand, defence during the event, and detection and response afterwards, it aims to minimize the dwell time of viruses; this is Sangfor EDR's security philosophy.
2. Overall architecture
The Sangfor EDR management platform supports unified endpoint asset management, endpoint security check-ups and endpoint compliance checks; unified management of micro-segmentation access control policies; one-click isolation of security events; network-wide threat location by the IOCs of hot-topic events; tracing analysis of historical behaviour data; and remote-assisted evidence collection and investigation. The endpoint software supports antivirus, intrusion prevention, firewall isolation, data collection and reporting, and one-click handling of security events. Sangfor EDR also supports coordinated response with the NGAF, AC and SIP products, forming a new-generation protection system.
2.1 Architecture design
Architecturally EDR has three layers: the base platform layer, the core engine layer and the function presentation layer. Each layer is responsible for the following:
Base platform layer: provides the basic capabilities of centralized management, cloud lookup and the host agent.
Core engine layer: provides virus detection, threat analysis and behaviour detection.
Function presentation layer: provides the complete protection system across the four areas of prevention, defence, detection and response.
The EDR protection system delivers pre-event, in-event and post-event services through the four dimensions of prevention, defence, detection and response.
Prevention: endpoint asset inventory, security baseline checks, intelligent micro-segmentation and east-west traffic visibility.
Defence: real-time defence against ransomware, brute-force intrusion, backdoor upload and active bot programs.
Detection: detection of malicious files, intrusion attacks, web backdoors and hot-topic events.
Response: network-wide threat location, one-click file quarantine, one-click host isolation and coordinated device response.
3. Core technologies
3.1 Multi-dimensional intelligent detection technology
Security detection on the endpoint is the core technology. Traditional virus detection uses signature matching, which has little or no ability to generalize: as soon as a virus is slightly modified a new signature rule has to be added, so as the number of viruses grows the signature database grows with it and consumes more resources at run time. An AI-based scanning engine, by contrast, uses deep learning over massive sample data to distil high-dimensional features with strong generalization, so it can cope with more unknown threats. These high-dimensional features are few in number and do not grow with the number of viruses, so the AI approach gives better detection with lower resource consumption.
Of course, an AI engine alone is not enough. Sangfor EDR builds a multi-dimensional, lightweight funnel-shaped detection framework comprising the file reputation engine, the gene-feature engine, the AI-based SAVE engine, the behaviour engine and the cloud lookup engine. Filtering layer by layer makes detection more accurate and more efficient, with lower resource usage.
3.1.1 File reputation detection engine
A lightweight reputation engine built on traditional file hash values, used mainly to speed up detection and improve detection results. It has two mechanisms:
1. Local cache reputation: the endpoint caches the results of files it has already scanned and classified, so a second scan is faster and unknown files are scanned first.
2. Network-wide reputation: the management platform builds an enterprise-wide file reputation database from the results reported by each endpoint, so that a threat found on one endpoint is known across the whole network. Detection effort across the enterprise then concentrates on analysing unknown files, reducing the resources spent re-scanning known ones.
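The two reputation mechanisms just described, and the way they sit at the top of the funnel in front of the heavier engines, as an added Python example. This is illustration code written for this page, not Sangfor code; the host names, sample file contents and the placeholder "expensive engine" rule are constructed, and the placeholder stands in for the gene-feature, SAVE, behaviour and cloud lookup stages rather than implementing any of them.

```python
"""Funnel-style scanning with local and network-wide h ash reputation.

Added example for this page, not Sangfor code.  It demonstrates the two
reputation mechanisms described above and how they sit at the top of the
detection funnel: an agent answers from its local cache for files it has
already scanned, otherwise it asks the management platform's enterprise-wide
reputation store, and only a file nobody in the fleet has seen reaches the
expensive engines (stood in for here by one placeholder rule).  Every verdict
is reported back, so one detection makes the whole fleet aware and the
platform can list every host holding a known-malicious file.  Host names,
sample file contents and the placeholder detection rule are constructed.
"""
import hashlib
from collections import Counter

MALICIOUS, CLEAN = "malicious", "clean"

# Constructed sample contents (the marker string is the placeholder rule's trigger).
BAD_SAMPLE = b"MZ\x90\x00 ... dropper ... MALWARE-MARKER ..."
GOOD_SAMPLE = b"MZ\x90\x00 ... payroll tool ..."


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class ExpensiveEngine:
    """Stand-in for the lower funnel stages (gene features, SAVE, behaviour, cloud lookup)."""

    def __init__(self):
        self.calls = Counter()      # how often each host paid for a full analysis

    def analyze(self, host: str, content: bytes) -> str:
        self.calls[host] += 1
        return MALICIOUS if b"MALWARE-MARKER" in content else CLEAN   # placeholder rule


class ManagementPlatform:
    """Enterprise-wide reputation plus an inventory of which hosts hold which files."""

    def __init__(self):
        self.reputation = {}        # digest -> verdict
        self.presence = {}          # digest -> set of hosts that have the file

    def seen(self, digest: str, host: str) -> None:
        self.presence.setdefault(digest, set()).add(host)

    def lookup(self, digest: str):
        return self.reputation.get(digest)

    def report(self, digest: str, verdict: str) -> None:
        self.reputation.setdefault(digest, verdict)   # first verdict wins

    def compromised(self) -> dict:
        """Network-wide threat location: every host holding a known-malicious file."""
        return {d: sorted(h) for d, h in self.presence.items()
                if self.reputation.get(d) == MALICIOUS}


class Agent:
    def __init__(self, host: str, platform: ManagementPlatform, engine: ExpensiveEngine):
        self.host, self.platform, self.engine = host, platform, engine
        self.cache = {}             # local reputation: digest -> verdict

    def scan(self, content: bytes):
        """Return (verdict, funnel stage that decided)."""
        digest = sha256_hex(content)
        self.platform.seen(digest, self.host)
        if digest in self.cache:                       # stage 1: local cache
            return self.cache[digest], "local-cache"
        verdict = self.platform.lookup(digest)         # stage 2: network-wide reputation
        if verdict is not None:
            self.cache[digest] = verdict
            return verdict, "network-reputation"
        verdict = self.engine.analyze(self.host, content)   # stage 3: full analysis
        self.cache[digest] = verdict
        self.platform.report(digest, verdict)          # one host finds it, all hosts know
        return verdict, "full-engine"


def demo():
    platform, engine = ManagementPlatform(), ExpensiveEngine()
    a, b, c = (Agent(h, platform, engine) for h in ("host-a", "host-b", "host-c"))
    trace = [
        a.scan(BAD_SAMPLE),    # unseen anywhere: the full engine runs on host-a
        b.scan(BAD_SAMPLE),    # platform already knows: answered by network reputation
        a.scan(BAD_SAMPLE),    # rescan on host-a: answered from its local cache
        c.scan(GOOD_SAMPLE),   # new clean file: full engine once
        b.scan(GOOD_SAMPLE),   # then reputation, no further engine cost
    ]
    return trace, dict(engine.calls), platform.compromised()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two practical caveats that the toy keeps visible: the platform stores the first verdict it receives, so a wrong early verdict (a false negative from the engine) is replicated fleet-wide until the reputation entry is corrected, and the whole scheme keys on the exact file hash, which is why the gene-feature and AI stages below it still have to exist for modified variants.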
3.1.2 Gene-feature detection engine
Sangfor EDR's security operations team extracts gene features for the virus families behind hot-topic events from the data gathered by the Security Cloud Brain and the EDR product, capturing the essence of the threat so that new variants of a family can still be detected. Compared with ordinary static signatures, gene features capture richer characteristics and identify families more precisely.
3.1.3 AI-based SAVE engine
3.1.3.1 About SAVE
SAVE (Sangfor AI-based Vanguard Engine) is an AI malicious-file detection engine built jointly by the PhD team of Sangfor's Innovation Research Institute, the EDR product's security experts and the big-data operations experts of the Security Cloud Brain.