Improving Information Security Monitoring Effectiveness with an Early-Warning Model: A Case Study of a Financial Holding Company (以預警模式提高資安監控效能-以某金控為例)
Date
2023
Abstract
As information technology keeps advancing, the security threats enterprises face keep growing, and traditional security monitoring systems can no longer meet enterprise needs. Enterprises usually concentrate on resisting external intrusions and threats outside the firewall, and overlook that internal information security protection is the root issue that most often harms them seriously; the lack of monitoring over employees' hardware operations and self-installed software is a clear example. In fact, the share of security threats generated inside the enterprise is far higher than that of external attacks, yet they are usually discovered only after a major lapse has occurred, and resolving them consumes a great deal of manpower and time and is hard to do quickly. Enterprises therefore need to rely on more advanced security monitoring systems to achieve information standardization and reduce security and operational risk; the importance of internal security protection cannot be ignored. SOC services, for example, are a good choice for enterprises: they integrate the various security systems within the enterprise and provide real-time security analysis, incident handling, manual monitoring and rapid alerting, effectively lowering security risk. As information technology develops, more advanced and diversified security monitoring systems are needed to keep pace. Using the case-study and in-depth-interview methods, this study confirms that large enterprises attach great importance to internal endpoint security services. For the users of each endpoint device in the enterprise, beyond retaining all hardware and software data, the enterprise also needs reports that let it grasp and remediate each endpoint's potential security risks in real time. Through the customized reporting service of the early-warning system, we learned that large companies' requirements for managing internal users' systems are, first, that it be easy to understand and, second, that it be convenient to operate. Based on interviews with security professionals, an antivirus-like system alert mode was planned: a red, yellow or green light on each client device shows the current security risk level and reminds internal users in real time of their device's risk level; a light that is not green means there is a current security risk, and users can click the light at any time to view it. On one hand this reduces the support burden on IT professionals, and on the other it lets users learn their current risk level from the device light, making them take the security risks of their own devices more seriously. This not only helps reduce the manpower the IT department spends monitoring user devices, but also strengthens users' security awareness while improving monitoring efficiency.
As information technology continues to advance, corporations are increasingly confronted with cybersecurity threats. Traditional information security monitoring systems can no longer meet their needs. While corporations tend to focus on defending against external intrusions and threats beyond firewalls, they often overlook that weak internal information security is what most often does them serious harm. This is exemplified by the lack of surveillance over employees' hardware operations and self-installed software. In fact, the proportion of cybersecurity threats originating from within corporations far exceeds that of external attacks. However, such internal threats are often only detected after significant security lapses have occurred, requiring considerable manpower and time to resolve. Corporations must therefore rely more on advanced information security monitoring systems to achieve information standardization and to reduce operational and security risks. The importance of internal information security cannot be overstated. Services such as Security Operations Centers (SOCs) are a good choice for corporations. SOCs integrate various internal security systems and provide real-time security analysis, incident handling, manual monitoring, and rapid alert services, effectively reducing cybersecurity risks. As information technology continues to evolve, more advanced and diversified information security monitoring systems are needed. Through case studies and in-depth interviews, this research confirms that large corporations place a high value on internal endpoint security services. In dealing with internal endpoint device users, corporations need to maintain all software and hardware data and metrics and to instantly grasp and remediate potential security risks through reporting.
By customizing the early warning system's reporting service, we found that large corporations require their internal user system management to be both easy to understand and convenient to operate. After consulting with cybersecurity professionals, a plan was developed to employ a system alert mode similar to antivirus software. In this mode, the current security risk level is displayed on each user device via a traffic-light color scheme. This provides an instant reminder to the corporation's internal users of the current risk level of their devices. If the light is not green, this indicates a current security risk, which users can check at any time by clicking on the light. This not only reduces the support needed from information technology professionals but also enables users to understand the current risk level via the device light, prompting them to pay more attention to the security risks of their personal devices. It also helps reduce the manpower required by the IT department to monitor user devices, strengthens users' self-awareness of cybersecurity, and increases the efficiency of monitoring.
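One way to realize the traffic-light alert mode the abstract describes, added here as an illustration that is not part of the thesis: each endpoint's latest inventory report is mapped to green, yellow or red, and the detail text a user would see after clicking a non-green light is generated from the same findings. The hostnames, finding kinds, severity rules and the 24-hour freshness threshold are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GREEN, YELLOW, RED = "green", "yellow", "red"
MAX_REPORT_AGE = timedelta(days=1)  # assumed: an inventory report older than a day is stale

@dataclass
class Finding:
    kind: str      # e.g. "unapproved_software", "missing_patch" (assumed categories)
    severity: str  # "low", "medium" or "high"
    detail: str

@dataclass
class EndpointReport:
    host: str
    reported_at: datetime
    findings: list = field(default_factory=list)

def risk_light(report, now):
    """Rules assumed for this example: red = any high-severity finding;
    yellow = any other finding or a stale report; green = otherwise."""
    severities = {f.severity for f in report.findings}
    if "high" in severities:
        return RED
    if severities or now - report.reported_at > MAX_REPORT_AGE:
        return YELLOW
    return GREEN

def light_details(report, now):
    """Text the user sees after clicking a non-green light on the device."""
    lines = [f"{report.host}: {risk_light(report, now).upper()}"]
    if now - report.reported_at > MAX_REPORT_AGE:
        lines.append("- no inventory report received within the last 24 hours")
    lines += [f"- [{f.severity}] {f.kind}: {f.detail}" for f in report.findings]
    return "\n".join(lines)

def demo():
    """Constructed sample reports for four endpoints; returns host -> light colour."""
    now = datetime(2023, 6, 1, 9, 0)
    reports = [
        EndpointReport("ws-01", now - timedelta(hours=2)),
        EndpointReport("ws-02", now - timedelta(hours=2),
                       [Finding("unapproved_software", "medium", "user installed a remote-desktop tool")]),
        EndpointReport("ws-03", now - timedelta(hours=2),
                       [Finding("missing_patch", "high", "critical OS update not applied")]),
        EndpointReport("ws-04", now - timedelta(days=3)),  # agent has been silent for 3 days
    ]
    return {r.host: risk_light(r, now) for r in reports}
```

Calling `light_details` on the stale `ws-04` report yields a yellow light whose detail text explains that no inventory has been received, so silence from an agent is surfaced to the user rather than hidden as green.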
Keywords
Information Security, Security, Risk Level, Risk, Early Warning System, Monitoring, Light Signal