Network-connected end devices remain a major cybersecurity point of vulnerability.

網絡連接的終端設備仍然是主要的網絡安全漏洞點。

Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.

網絡訪問控制（NAC）技術提供了封鎖網絡訪問的能力，在某種程度上，這是其他網絡防御產品無法做到的。

Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.

當今企業中的網絡威脅主要集中在整個網絡連接設備范圍內的多個攻擊面上。

Over the past few years, the number of endpoint attack surfaces has expanded considerably.

在過去幾年中，終端攻擊面的數量已經大大增加。

This trend is expected to continue and increase exponentially in the years immediately ahead.

預計這一趨勢將在未來幾年繼續呈指數級增長。

Endpoint attack surfaces are expanding in terms of client platform diversity, and include:

終端攻擊面在客戶端平臺多樣性方面正在擴展，包括：

• “Traditional” stationary desktop devices
• “傳統”固定桌面設備
• once the majority
• 曾經占多數
• now increasingly in the minority of device types
• 現在越來越多的設備類型

• The explosion of mobile device types and numbers, from laptops to tablets to smartphones
• 從筆記本電腦到平板電腦再到智能手機，移動設備類型和數量激增
• Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
• 員工、承包商和供應商擁有的“BYOD”（自帶設備）設備需要網絡訪問
• Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)
• 需要網絡連接（有線和無線）的“IoT”（物聯網）設備數量呈指數增長

And also in terms of platform depth:

而且在平臺深度方面：

• Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
• 多個操作系統平臺（Windows，OSX，iOS，Android，Linux）和版本
• Multiple application and database platforms (OpenStack and proprietary)
• 多個應用程序和數據庫平臺（OpenStack和專利）
• Multiple storage technologies (SAN, NAS, DAS, Cloud)
• 多種存儲技術（SAN，NAS，DAS，云）
• Both wired and wireless connections
• 有線和無線連接
• Multiple device configurations
• 多個設備配置

Each specific device and platform provides its own unique set of attack surface vulnerabilities.

每個特定的設備和平臺都提供了自己獨特的攻擊面漏洞集。

All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.

所有這些都需要從網絡連接的角度進行積極的管理，以確保它們不會對企業環境構成威脅。

This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.

這需要確保所有設備都能夠被準確識別，所有設備都經過適當的修補和更新，以確保O / S和應用程序級漏洞得到修復，并且設備使用最新的反惡意軟件/防病毒軟件定義獲得網絡訪問權限。

Current cybersecurity trends

當前的網絡安全趨勢

• Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
• 網絡安全最佳實踐長期以來一直采用主動的設備管理方法。有許多工具可以實現這一目標，但近年來經歷的持續網絡入侵、數據泄露和業務中斷表明，終端設備管理仍然是企業和組織環境中的一個重大弱點，無論大小
• Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
• 勒索軟件專注于利用網絡客戶端終端的漏洞，在2013年至2016年間迅速增長，目前每年的勒索支付額約為10億美元。
• Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
• 在過去的3年中，電子郵件釣魚攻擊的利潤率仍然更高，每年為17億美元。
• Both ransomware and email exploits focus on the endpoint
• 勒索軟件和電子郵件攻擊都集中在終端上
• Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
• 此外，預計未來幾年物聯網設備的數量將呈指數級增長（這一過程已在進行中），企業網絡連接的數量也將相應增加
• The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021 from 10 billion today), and will not be possible to manage via manual means (ie responding as needed to all alerts, scanning traffic in real-time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
• 物聯網設備產生的網絡流量將不同于任何現有經驗（預計到2021年將有250億臺設備從現在的100億臺設備增加到現在的250億臺），并且無法通過手動方式進行管理（即根據需要對所有警報作出響應，實時或以日志形式掃描流量）。需要基于策略的自動和“預先規定”安全管理。NAC解決方案提供這種能力。
• The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
• 網絡防御的成本繼續攀升，預計將繼續攀升。我們甚至不知道目前的網絡犯罪活動給我們造成了多大的損失，但最近華爾街日報保守估計，2017年每年的損失為2億美元（其他估計從3美元到6億美元不等，預計到2021年會達到更高的水平）。
• In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020
• 就企業每年在網絡安全防御產品上的支出而言，據估計， 2015年全球網絡安全支出為75億美元; 預計2017年將增加至100億美元; 到2020年進一步達到200億美元

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.

簡而言之，攻擊面迅速擴大，漏洞仍然是一個主要問題，網絡安全成本明顯失控，企業成功應對這些挑戰的能力仍然不足 - 通常以最簡單的方式。實際上，大多數重大漏洞都是由于操作系統和各種應用程序組件的更新和修補方面的操作不足造成的。除此之外：思科估計即使IT部門通過監控和警報提醒潛在問題，實際上只有56％的活動警報得到響應。

Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.

顯然，從任何組織的網絡安全角度對網絡連接設備進行有效的運營管理都需要嚴格和嚴格地協調正確的工具，技術，人員和流程。NAC技術為企業構建現代有效的網絡防御框架提供了必要的關鍵基礎組件。

NAC As a Key Component of Your Cyber Defense Framework

NAC是您的網絡防御框架的關鍵組成部分

At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.

在當前的形勢下，網絡攻擊已經超出了企業有效應對的能力，顯然需要重新評估網絡防御戰略。對于NAC供應商來說，有一個非常大的機會來提出增加NAC采用率的理由。由于該行業的總市值（2017年約為6.85億美元）預計在未來3-4年內將接近10億美元，因此這一市場是否會繼續增長并不重要，而是取決于增長的幅度和速度。這就是說，媒體對網絡防御和網絡思想領導的最大份額目前集中在看似更新、引人注目的網絡防御創新上，如基于SIEM和ML-AI的預測分析，而不是網絡訪問控制。然而，人們越來越認識到，沒有“一刀切”的辦法來構建有效的網絡安全防御框架。因此，市場趨勢是以一種為特定企業提供最佳解決方案的方式整合網絡安全產品系列中的工具。鑒于其在提供安全網絡訪問方面的基礎作用，NAC需要處于任何網絡網絡防御體系結構的最前沿。

Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.

傳統的戰略和工具也必須集成到這種新的多層網絡防御方法中。傳統防火墻曾經是安全工具包中的主要工具（如果不是唯一的話），現在被認為不足以提供必要的防御屏障。這是因為，與許多安全方法一樣，它們只解決了挑戰的一個方面——在本例中是保護網絡外圍。然而，如果有人通過暴力攻擊或網絡管理員的簡單錯誤配置而破壞，那么僅外圍安全就不能阻止攻擊在網絡內部橫向傳播。同樣，使用簡單的終端安全性：當終端受到威脅時，連接到同一網絡的所有設備也可能變得非常脆弱。

So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:

因此，盡管人們普遍認為需要采取多層次、綜合的方法來確保有效的網絡防御，但網絡安全產品市場已經充斥著大量競爭產品、平臺和相互矛盾的主張。Genians有機會幫助潛在客戶，澄清在這個已經變得非常混亂的市場中最重要的關鍵安全成分。例如：

• The emergence of “SDP,” or “Software-Defined Perimeter” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
• 出現“SDP”或“軟件定義周界”作為NAC的替代方案。這是一種誤導，因為它只是通過重新定義邊界來“移動邊界”。無論是基于軟件還是面向硬件，例如傳統防火墻（實際上是硬件和軟件的組合），僅外圍安全就存在問題。總是存在著周界滲透的危險。SDP也是一種未經市場測試的全新技術，因此在這一點上，其數量非常未知。
• CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks
• CASB或云訪問安全代理在云客戶和供應商之間提供安全性。特性和功能因云供應商而異，因此客戶必須注意了解其特定的CASB/云供應商安全產品的價值。同樣，安全性需要作為一個復雜的、多方面的挑戰來處理，而不是一個單一的解決方案可以解決的問題。這些云代理解決方案決不應被視為全面的防御框架。

Summary

總結

Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.

云計算帶來了極大的靈活性和顯著增加的基礎設施復雜性。對于大多數企業來說，重要的是要記住，“云”不是一個單一的整體，而是一個包含內部和外部組件的物理/虛擬基礎設施組合平臺。實際上，它很可能包括多個云供應商。因此，術語“混合”和“多云”環境。

Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.

安全解決方案將需要有效地解決這種新的復雜性。因此，基于nac、siem和ml/ai的預測分析工具最好一起用于聯合、全面的網絡防御解決方案。NAC可以在這個集成框架中發揮主要的、關鍵的作用，它可以作為指揮者協調來自SIEM、分析和其他安全工具的所有有意義的信息，以確保在正確的時間以正確的方式采取行動，減輕網絡威脅。

In summary, enterprises need to:

總之，企業需要：

• Reevaluate their Cyber Defense Strategy
• 重新評估他們的網絡防御策略
• Understand there is No “One Size Fits All” Solution
• 了解沒有“一刀切”的解決方案
• The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
• “縱深防御”的最佳方法是多層集成
• Beware of Untried Approaches – “The Shiny New Objects”
• 謹防未經嘗試的方法-“閃亮的新事物”
• Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor
• 建立NAC作為您的安全框架的中心和基礎——您的網絡防御指揮官