网络安全应急的三观

络安全应急的三观（宏、（中和（微）（摘Treble-ViewofCyberEmergencyResponse(Macro,MiddleandMicro)明星辰信息技术有限公司潘CSO柱廷看JordanPan,CSO,Venustech要看Agenda–应急的“急的独特性和复杂三和–观论（宏、论中微论复）论从–在观论应急的–ViewofER“ComplexityanduniquenessofER–Treble-view(macro,middleµ)–Treble-ViewofER从急的ViewofER急的安全地微独特性位功ER,uniquepositioninITSecurity功全应能角从Viewthroughsecurityfunctions–急的能常被被成应模PDR型扩展为恢PDRR型扩微独”工杂„–RecoveryisthoughtasafunctionelementinPDRRmodel护检护检ProtectionProtection测响测响DetectionDetectionResponseResponse应恢应恢RecoveryRecovery复准复准护检护检ProtectionProtection测响测响DetectionDetectionResponseResponse应恢应恢功全应能角度对从Viewthroughsecurityfunctions–急的作，如果业在务连续管和理完独整体系来待应话独是如覆盖或PDR者其他类似个型扩独体域能常关独–ER,fromtheviewofwholebusinesscontinuitymanagement,coversallthefunctiondomainsofPDRoranyotherfunctionmodel.护检护检ProtectionProtection测响测响DetectionDetectionResponseResponse应恢应恢备接备接PreparationPreparation测响测响DetectionDetectionActionsActionsOfEROfER功全应象域从Viewthroughsecurityobjectives–注方务连–全地关法一覆分域析解复完对全地象好独网法一–Focusonbusiness–SecurityZoneMethodologyisagoodwaytoanalyzeandunderstandsecurityobjectives3+1全应方法不3+1SecurityZoneMethodology–络统复来可以析对模4域关–Networksandsystemshave4kindsofZones入域互入域互AccessZoneAccessZone联支互联支互InterInter--networkingZonenetworkingZone撑服互撑服互SupportingZoneSupportingZone务可互务可互ServiceZoneServiceZone3+1全应方三同内急的容威ERof3+1SecurityZone–际要独急的工杂作，考虑问4域关–4kindsofZonesshouldbeconsidered入域互入域互AccessZoneAccessZone务可互务可互ServiceZoneServiceZone联支互联支互InterInter--networkingZonenetworkingZone撑服互撑服互SupportingZoneSupportingZone中式计算恢复分中式计算恢复分CentralizedsystemCentralizedsystem布存计算恢复分布存计算恢复分DistributedsystemDistributedsystem储终复分储终复分StoragesystemStoragesystem端用户网复分端用户网复分EndEnd--useruser络备份支络备份支NetworkRedundantNetworkRedundant撑系统和环境呆复分撑系统和环境呆复分Supportingsystem&EnvironmentSupportingsystem&Environment功胁风微险论从能性影能性影likelihoodlikelihood一应一应impactimpact般安全工作基般安全工作基GeneralSecurityGeneralSecurity本急作基本急作基BasicBasic恢局恢局ERER从急的ViewofER务资/产防护措施威胁实观（范Treble-view观（范Treble-view现层运现层运营技运营技运术人术人员过员过程决程决策追运策追运观微Macro中微MicroÛ微Middle围实Scope观微中微Û微工：涉及机构的整体部工：涉及机构的整体部All:allovertheorganizationAll:allovertheorganization：些涉及机构的整般门些或者业单可：些涉及机构的整般门些或者业单可Part:somedepartmentsorbusinessPart:somedepartmentsorbusinessprocessesoftheorganizationprocessesoftheorganization点只涉个及机点几者件几整几部者业单可整些使点只涉个及机点几者件几整几部者业单可整些使PointPoint涉涉onlyoneorsomeentitiesorbusinessonlyoneorsomeentitiesorbusinesscomponentscomponents体化程三示对Levelofmaterialization观微中微Û微命、价值等价单可流命、价值等价单可流Mission,Value,Business,etc.Mission,Value,Business,etc.程制价度大价系统设流程制价度大价系统设流Process,Regulation,SystemofsystemsProcess,Regulation,Systemofsystems功接价资性价源力价统设流功接价资性价源力价统设流Equipment,Function,Resource,System,etc.Equipment,Function,Resource,System,etc.例：力ITIL角管理个观子同内体化程三流信示Example:3sub-processesofcapacitymanagementinITIL观微中微Û微单可性管理面单可性管理面BusinessCapacityManagementBusinessCapacityManagement务可性管理面务可性管理面ServiceCapacityManagementServiceCapacityManagement源力性管理面源力性管理面ResourceCapacityManagementResourceCapacityManagement息事全应件产ITincident观微中微Û微工关工关//键问单可题蠕键问单可题蠕KeybusinessdestroyedKeybusinessdestroyed虫洪价事程破使价坏高器一应管务可对虫洪价事程破使价坏高器一应管务可对Worm,Flooding,intrusiontokeyserverWorm,Flooding,intrusiontokeyserver普通侵务可对整域数普通侵务可对整域数IntrusiontogeneralserversIntrusiontogeneralservers据，坏高损统设停高据，坏高损统设停高Data&systemcorruptedData&systemcorrupted点般单可顿前点般单可顿前SinglebusinessstoppedSinglebusinessstopped工：单可层停工：单可层停WholebizstoppedWholebizstopped息事全应品服ITSecurityProducts观微中微Û微器具作决涉策持撑风价险组理面统设器具作决涉策持撑风价险组理面统设HighleveltoolsHighleveltools涉涉DSS,RiskM.DSS,RiskM.合和资性平台火涉全工理面台火流合和资性平台火涉全工理面台火流Integratedfunctionorplatform:SIMS,Integratedfunctionorplatform:SIMS,SOCplatform,etc.SOCplatform,etc.决部资性涉护墙病价域数测响价护毒加价密端流决部资性涉护墙病价域数测响价护毒加价密端流Specificfunctions:Firewall,IDS,Antivirus,Specificfunctions:Firewall,IDS,Antivirus,Encryption,etc.Encryption,etc.息事全应务味ITSecurityServices观微中微Û微器咨务可涉理面询分价单可险组询分器咨务可涉理面询分价单可险组询分HighHigh--endServicesendServices涉涉managementmanagementconsulting,BusinessRiskConsultingconsulting,BusinessRiskConsulting体和务可涉全工互析综价评和险组估固流体和务可涉全工互析综价评和险组估固流IntegratedServices:Securityzoneanalysis,IntegratedServices:Securityzoneanalysis,Integratedriskassessment,etc.Integratedriskassessment,etc.决部务可涉统设估固平密网价络范功接估固流决部务可涉统设估固平密网价络范功接估固流Specificservices:Systemassessment&harden,Specificservices:Systemassessment&harden,networkequipmentassessment,etc.networkequipmentassessment,etc.观（三道用Differenttasteofthethreeview观微中微Û微系围化价器具价值等结价命、价单可系围化价器具价值等结价命、价单可Largescope,highLargescope,high--end,value,mission,end,value,mission,Business,etc.Business,etc.部统中的价运具价决部结价程制价营物价度大部统中的价运具价决部结价程制价营物价度大Architecture,middle,specific,processes,Architecture,middle,specific,processes,Operation,regulation,etc.Operation,regulation,etc.点只价本具价实面统设价：些价资性价现战点只价本具价实面统设价：些价资性价现战Singlepoint,ground,physicalsystem,partial,Singlepoint,ground,physicalsystem,partial,Function,implementation,etc.Function,implementation,etc.本观（从次大会发三言组Treble-viewofpresentationsinthisconference观微中微Û微织层责大微任原Organizationandresponsibilities观微中微Û微构的器具涉策持价略执构的器具涉策持价略执Executive:decision,strategyExecutive:decision,strategy构的运具涉营基价理面价行操构的运具涉营基价理面价行操Management:operation,admin.Management:operation,admin.构的本