The Hype Cycle
Addressing the complexities of managing organizational exposures continues to be a dominant theme in this year’s Hype Cycle, as the threat landscape has become more volatile and complex (see How to Respond to the Threat Landscape in a Volatile, Complex and Ambiguous World). Despite that volatility and complexity, attackers are still successfully targeting and exploiting vulnerabilities and security weaknesses that have long been known to be problematic and in need of action. SRM leaders, however, remain challenged in gaining visibility into their organization’s attack surface and in prioritizing what they find.
SRM leaders continue to sharpen their threat detection and response efforts. This year’s Hype Cycle features significant movement for identity threat detection and response (ITDR), extended detection and response (XDR) and co-managed monitoring services. SRM leaders are called to action to fortify digital identities and identity infrastructure using ITDR products and services. Those that have already implemented these technologies should look to integrate ITDR outcomes into the SOC for improved threat detection (see 5 Initiatives to Move Toward Security Operations Excellence).
A substantial subset of organizations face challenges with organizing their threat detection, investigation and response (TDIR) function. Security information and event management (SIEM) is a mature technology, and recent market shake-ups have created uncertainty (see Quick Answer: How to React to Recent SIEM M&A Announcements). Smaller organizations favor preconfigured technologies that accelerate time to value, using a predefined set of analytics, prebuilt automation and some out-of-the-box response capabilities. XDR providers promise to deliver that, and are adding AI assistants to make it even easier for anyone to get information out of the tools.
Enterprises look for partners that can help them handle a greater degree of customization. Co-managed monitoring services providers offer more flexibility in terms of technologies and service augmentation, allowing customers to contribute directly to operational performance and outcomes. Managed detection and response (MDR) providers add managed incident response for organizations that cannot, or are not willing to, support this function internally.
Continuous Threat Exposure Management
A number of new profiles appear on this Hype Cycle this year, reflecting evolving vulnerability and exposure management approaches, more aligned with the continuous threat exposure management (CTEM) framework:
Threat exposure management
Exposure assessment platforms
Adversarial exposure validation
CTEM is a program helping organizations to improve their maturity when they govern and operationalize the five recommended phases of exposure management: scoping, discovery, prioritization, validation and mobilization.
Threat exposure management entered the Hype Cycle last year. Its profile represents a broader domain, encompassing innovations in processes such as the CTEM approach. Exposure assessment platforms and adversarial exposure validation solutions are examples of technology platforms that could be used to execute against threat exposure management programs. Organizations should employ proper governance and repeatability to make their threat exposure management programs continuous (see Top Strategic Technology Trends for 2024: Continuous Threat Exposure Management).
Exposure assessment platforms aim to consolidate vulnerability assessment and vulnerability prioritization technologies in one platform. This gives the end user greater simplicity and potentially greater efficacy in discovering their relevant attack surfaces, optimizing exposure prioritization and providing greater flexibility in mobilization.
Adversarial exposure validation technologies offer offensive security technologies simulating threat actor tactics, techniques and procedures to validate the existence of exploitable exposures and test security control effectiveness. Within this profile, Gartner has consolidated breach attack simulation and autonomous penetration testing and red teaming.
Evaluating the Hype Cycle
Some key recommendations for evaluating this year’s Hype Cycle:
Consider the objectives and initial steps of transformational initiatives like CSMA to anticipate long-term evolutions of the security operation function.
Initiate tactical or more profound threat exposure management initiatives based on your current vulnerability management program maturity.
Apply rigorous governance of SecOps requirements to fight the marketing noise around unproven capabilities.
Test provider technology and service delivery for assurances of performance outcomes.
Evaluate AI cybersecurity assistants for operational efficiency gains and skills augmentation.
Innovation Trigger
This year’s Innovation Trigger is a call to action for SRM leaders to play a larger role in transformational security initiatives and be more influential in optimizing existing security investments. While transformational initiatives like cybersecurity mesh architecture (CSMA) and CTEM are on the horizon for some, we recommend making incremental shifts early on the journey, leveraging technology and service consolidation and automation opportunities, reducing time to value and administrative overhead.
Greater emphasis is being put on achieving a higher degree of threat detection performance and faster incident response. To do this, more data is often required to broaden visibility, enabling detections across technology and business domains. However, staffing and budget limitations are key impediments preventing organizations from meeting these objectives. Gartner recommends considering technologies that can reduce data management costs, like those noted in the telemetry pipelines profile, as well as scaling operational efficiency by leveraging cybersecurity AI assistants.
Peak of Inflated Expectations
Enterprises are aiming to gain visibility of expanding attack surfaces (CPS security, threat exposure management, cyber asset attack surface management) and test the resilience of technology domains (penetration testing as a service). Refining their requirements before going to market can help to avoid unrealistic expectations promoted by vendor marketing teams. Market capabilities expand and contract; stay aligned with your requirements to avoid false hype.
Trough of Disillusionment
SRM leaders are reevaluating the value they’re getting from technologies in the trough, often having to reinforce their justification for budgets. For example:
Enterprises were overpromised outcomes (digital forensics and incident response)
Enterprises were unprepared to consume and operationalize service output (digital risk protection services, external attack surface management, ITDR)
Enterprises adopted technologies that have not kept pace with changing requirements (security orchestration, automation and response [SOAR], XDR).
SRM leaders must look for assurances that their services and products are delivering the expected value.
Slope of Enlightenment
Several innovations this year have shown significant improvements in capabilities offered, market maturity and customer adoption:
Co-managed monitoring services
Managed detection and response services
Network detection and response
Threat intelligence products and services
Evaluate these technologies and services to bridge gaps in maturation, whether to improve threat detection or to operationalize threat intelligence.
Plateau of Productivity
Endpoint detection and response (EDR) and SIEM have reached market maturity with wide-scale adoption and their benefits well-demonstrated. SRM leaders should look to these technologies as risk-reducing and incorporate their capabilities into the wider SecOps ecosystem.
The Priority Matrix
Organizations that evaluate the risks across the business before investing in any security operations service and capability will be more easily able to identify what to purchase and how much to spend. This will allow organizations to get the best risk reduction and respond effectively to issues that may be damaging to productivity or the brand — or both.
Technologies and services that align to security operations rarely provide immediate benefits. Such capabilities should be considered consumable. In other words, they require a process to fit in to become effective. Security risk should be managed in line with organizational priorities, but firmly anchored in addressing the specific organization’s threat landscape.
When considering the technology and capability roadmap for security operations, focus on the prioritization of discovered issues to ensure that the security operations program aligns to the organization’s specific and dynamic attack surface. Concurrently, this all needs to align with modern IT architectures.
Adding complexity is neither of high priority, nor of high benefit. Long-term initiatives in areas such as CSMA adoption and exposure management are ways to model processes and the use of current technology, rather than using an entirely new tool. The Priority Matrix helps weigh up those strategic items that have a greater chance of effective and measurable positive impact on the risk profile of the business.
Table 1: Priority Matrix for Security Operations, 2024

| | Less Than 2 Years | 2 - 5 Years | 5 - 10 Years | More Than 10 Years |
|---|---|---|---|---|
| Transformational | | | | |
| High | | | | |
| Moderate | | | | |
| Low | | | | |
Source: Gartner (July 2024)
On the Rise
Automated Security Control Assessment
Analysis By: Evgeny Mirolyubov, Jeremy D'Hoinne
Benefit Rating: Moderate
Market Penetration: 1% to 5% of target audience
Maturity: Emerging
Definition:
Automated security control assessment (ASCA) is a security technology that continuously analyzes, prioritizes and optimizes security controls to reduce an organization’s threat exposure. ASCA identifies configuration drift, policy and control deficiencies, detection logic gaps, poor defaults, and other misconfigurations in security controls. It then uses identified weaknesses to recommend and prioritize remediation steps to improve security against organization-specific threats.
Why This Is Important
The misconfiguration of security controls is a consistent issue associated with security breaches. The complexity of heterogeneous security infrastructure and the increased importance of the secure configuration of general-purpose technology have resulted in a complex web of security policies and configurations. The security skills gap and rapidly changing attack techniques have compounded the problem of maintaining an optimal configuration of security controls without automation.
Business Impact
ASCA reduces the organization’s risk of business disruption and financial loss by optimizing security controls and reducing exposure to threats. Organizations implementing ASCA technologies enhance staff efficiency, minimize the impact of human errors and improve resilience in the face of organizational churn.
Drivers
The complexity of managing security control configurations continues to grow with emerging threat vectors, the proliferation of security tools, and the high turnover of administration staff, leading to a more exposed attack surface.
Specific organizational use cases and objectives require the preservation of complex heterogeneous infrastructure and security architectures, driving increased complexity in security control administration.
Manual configuration reviews, occasional penetration tests or siloed, tool-centric administration of security controls are insufficient in the face of rapidly changing attack techniques.
Continuously assessing and optimizing security control configurations in accordance with the organization-specific threat landscape is an effective risk mitigation strategy that ultimately reduces an organization’s exposure to threats.
Obstacles
ASCA technology delivers an automated assessment of security control configurations but does not actively validate its findings, for example by testing whether a weak setting can actually be abused; end users are left to confirm each finding and to decide on an effective course of resolution.
The lack of support for niche security vendors and embedded security controls in general-purpose technology makes ASCA less valuable for large, complex organizations with specialized security solutions.
ASCA overlaps with vendors’ built-in self-assessment capabilities, including those delivered through GenAI assistants, and with tools that pursue similar goals within individual silos, for example network firewall policy analyzers or cloud configuration assessment tools.
The slow pace of remediation, paired with continuous assessments, may cause recommendations to pile up without a proper triage process that considers the business context.
Budgets must grow to fund the people, processes and technologies needed to respond to the faster-growing list of configuration issues that ASCA tools discover.
User Recommendations
Establish processes to continuously evaluate security controls, including planning, assessing, remediating and validating security control configurations.
Evaluate incumbent security providers for ASCA capabilities, including continuous configuration optimization aligned with the organization-specific threat landscape.
Assess ASCA providers’ capabilities, including breadth and depth of assessments, alignment with threat context, and integration with other exposure assessment and validation tools.
Reduce complexity by pursuing security vendor consolidation or considering alternatives, such as “policy as code,” to manage security configurations.
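The following is an added example, not Gartner’s or any of the listed vendors’ code, showing what an ASCA pass as defined above looks like in practice: a baseline expressed as code (the “policy as code” alternative in the last recommendation), a comparison against observed control settings that reports drift and missing settings, a check for whether a deployed detection rule compensates for each gap, and prioritization against an organization-specific threat profile. The control names, settings, rule IDs and technique IDs are constructed placeholders, not a vendor mapping or a MITRE ATT&CK extract.

```python
"""Added example, not Gartner's or any listed vendor's code: a minimal
automated security control assessment (ASCA) pass over constructed data."""
from dataclasses import dataclass

# Baseline ("policy as code"): the value each control setting must have.
BASELINE = {
    "edr": {"tamper_protection": True, "script_block_logging": True},
    "email_gateway": {"block_macro_attachments": True, "url_rewrite": True},
    "fw": {"default_outbound": "deny", "log_denied": True},
}

# Which attack techniques each setting is meant to counter (constructed IDs).
SETTING_COVERS = {
    ("edr", "tamper_protection"): ["T-defense-evasion"],
    ("edr", "script_block_logging"): ["T-scripting"],
    ("email_gateway", "block_macro_attachments"): ["T-phishing-attachment"],
    ("email_gateway", "url_rewrite"): ["T-phishing-link"],
    ("fw", "default_outbound"): ["T-c2-egress"],
    ("fw", "log_denied"): ["T-c2-egress"],
}

# Detection rules currently deployed, keyed by covered technique (constructed).
DETECTIONS = {"T-phishing-link": ["rule-42"], "T-c2-egress": ["rule-7"]}

# Threat profile: weight of each technique for this organization, e.g. from
# sector threat intelligence (constructed).
THREAT_PROFILE = {"T-c2-egress": 5, "T-phishing-link": 4, "T-defense-evasion": 3}

# Observed configuration pulled from the tools (constructed): two settings
# have drifted from the baseline and one is missing entirely.
OBSERVED = {
    "edr": {"tamper_protection": False, "script_block_logging": True},
    "email_gateway": {"block_macro_attachments": True},
    "fw": {"default_outbound": "allow", "log_denied": True},
}


@dataclass
class Finding:
    control: str
    setting: str
    observed: object
    expected: object
    techniques: list
    detection_gap: bool   # True when no deployed rule covers an opened technique
    score: int            # higher = remediate first


def assess(observed, threat_profile, baseline=BASELINE,
           covers=SETTING_COVERS, detections=DETECTIONS):
    """Compare observed control settings with the baseline and return
    findings sorted by descending priority score."""
    findings = []
    for control, settings in baseline.items():
        current = observed.get(control, {})
        for setting, expected in settings.items():
            got = current.get(setting)          # None when the setting is absent
            if got == expected:
                continue
            techniques = covers.get((control, setting), [])
            # Base score: weight of every technique the weak setting leaves open.
            score = sum(threat_profile.get(t, 0) for t in techniques)
            # A gap with no compensating detection rule is worse.
            gap = any(t not in detections for t in techniques)
            if gap:
                score += 1
            findings.append(Finding(control, setting, got, expected,
                                    techniques, gap, score))
    findings.sort(key=lambda f: (-f.score, f.control, f.setting))
    return findings


def report(findings):
    """Render findings as one remediation line each, highest priority first."""
    lines = []
    for f in findings:
        note = " (no detection coverage)" if f.detection_gap else ""
        lines.append(f"[{f.score}] {f.control}.{f.setting}: {f.observed!r} -> "
                     f"set to {f.expected!r}; opens {', '.join(f.techniques)}{note}")
    return lines


if __name__ == "__main__":
    for line in report(assess(OBSERVED, THREAT_PROFILE)):
        print(line)
```

With the constructed data the firewall’s permissive egress policy ranks first because command-and-control egress carries the highest weight in the threat profile; the disabled EDR tamper protection ranks above the missing URL rewrite at equal weight only because no detection rule compensates for it. Running the assessment against the baseline itself returns no findings, which is the check a practitioner would add to a pipeline so that the baseline file and the assessment logic cannot silently disagree.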
Sample Vendors
Absolute Security; CardinalOps; Interpres Security; Nagomi Security; Reach Security; Tidal Cyber; Veriti
Cybersecurity Mesh Architecture
Analysis By: Pete Shoard, Patrick Hevesi
Benefit Rating: Transformational
Market Penetration: Less than 1% of target audience
Maturity: Embryonic
Definition:
Cybersecurity mesh architecture (CSMA) is an emerging approach for architecting composable, distributed security controls with the objective of sharing data and security insights universally. It enables secure, centralized security operations and oversight that emphasizes composable, independent security monitoring, predictive analytics and proactive enforcement, centralized intelligence and governance, and a common identity fabric.
Why This Is Important
CSMA aims to address the growing complexity of managing security tools, intelligence and identity solutions. Organizations must begin evolving toward a radically more flexible security architecture to prevent the impact of fast-emerging and evolving attack types, and reduce overhead caused by the proliferation and churn in security tool categories and attack types. Investing in composable, interoperable and extensible security toolsets is essential to reduce cost and increase consistency.
Business Impact
CSMA offers a potential solution to problems currently suffered by defense-in-depth security architectures that most organizations employ. These are often made up of multiple point solutions that are poorly interconnected. CSMA addresses many challenges, including centralized exposure and security posture management, threat awareness, coordinated detection methodology and use cases, harmonized threat reporting and proactive response, and an increase in the efficiency of cross-tool collaboration.
Drivers
Organizations increasingly require a broader perspective on the impact and likelihood of a threat or an exposure to a threat; this level of detail is crucial for making better probusiness security decisions.
IT security organizations can be overwhelmed when trying to stay ahead of new and more complex attacks, and when deploying the latest security tools to ever-expanding infrastructure. Teams are not able to implement the analytical capability required to be proactive and dynamic regarding their security enforcement and response decisions. Furthermore, these decisions are rarely fast enough to meet business needs.
Organizations are looking for approaches such as CSMA to better integrate and interpret the outputs of siloed security technologies that operate with insufficient knowledge of other tools. Effective security and identity management requires a layered and integrated approach.
Organizations are frustrated by the lack of integration and consistent visibility within their current security workbenches. Security and risk management leaders require an architecture that not only reacts to the current security issues (those that are visible in the organization), but provides a coordinated and holistic approach to complex security problems.
Creating a collaborative ecosystem of security tools will address inconsistency and help clarify and minimize the exposure that is consistent with business expectations.
Obstacles
As vendors continue to add CSMA architecture principles to their products, vendor lock-in will likely be a concern. If a proprietary approach is employed, it may block rather than facilitate cross-tool integration; gaps in coverage will then likely appear, and this inflexibility will drive up costs.
Organizations that choose to create their own CSMA construct will likely need significant engineering effort to integrate disparate products. Additionally, they might suffer if the security industry moves toward a set of interoperability standards after significant custom integration work has been completed.
At this early stage of adoption, CSMA continues to evolve in response to advances in consumer IT and to security technology consolidation. Planning for the flexibility required to manage this change is difficult.
Organizations understand and acknowledge the skills gaps and challenges in volumes of work but do not have clear solutions to deal with these issues.
User Recommendations
Add purchasing requirements that focus on integration and interoperability of multivendor tools.
Find your main security intelligence layer platform and connect the rest of the layers into it.
Mature your security infrastructure by selecting product vendors that follow the CSMA reference architecture, use standards such as the Open Cybersecurity Schema Framework (OCSF), offer fully developed APIs, adhere to modern security standards and integrate with security partner networks.
Evolve your identity infrastructure into an identity fabric by removing silos to achieve dynamic real-time identity capabilities that incorporate a more complete set of context and risk signals (such as device proximity, posture, biometrics and location).
Improve your responsiveness by centralizing your policy, posture and playbook management along with building an integrated “single starting pane of glass” view for security teams.
Gartner Recommended Reading
Cybersecurity AI Assistants
Analysis By: Jeremy D'Hoinne, Avivah Litan, Wilco van Ginkel, Mark Horvath
Benefit Rating: Moderate
Market Penetration: Less than 1% of target audience
Maturity: Emerging
Definition:
Cybersecurity AI assistants leverage large language models to help discover existing knowledge available from cybersecurity tools and generate content relevant to the target roles in security teams. Cybersecurity AI assistants are mostly available as companion features in existing products, but can also take the form of a dedicated front end and can integrate software agents to take action.
Why This Is Important
Cybersecurity technology providers have embraced the generative AI (GenAI) wave by releasing AI assistants integrated into their existing products. These cybersecurity AI assistants deliver knowledge discovery and content creation (often as summarization or generated code/script). Their promise of improved productivity appeals to cybersecurity executives. These assistants might evolve to be multimodal (more than text) and become more autonomous agents that can work using high-level guidance without frequent prompting.
Business Impact
Organizations will start using cybersecurity AI assistants as more advanced interactive help and query engines. They are a good fit for investigation tasks such as incident response, exposure or risk management, or code review. They promise to improve efficiency and shorten response times for organizations with low security maturity, and those with established processes and large teams. A variety of use cases will be applicable (application security, security operation, infrastructure security), but will vary regarding their pace of adoption.
Drivers
The main use cases for cybersecurity AI assistants leveraging GenAI include creating general best-practice guidance, synthesizing and analyzing threat intelligence, automating the first steps in incident response and generating remediation suggestions for application security.
Organizations continue to experience skill shortages and look for opportunities to automate resource-intensive cybersecurity tasks.
Cybersecurity AI assistants can also help implement more secure code, fix cloud misconfigurations, generate scripts and code, and identify key security events in logging systems.
Other use cases for cybersecurity AI assistants include tuning security configurations and conducting risk and compliance identification and analysis.
Cyber risk analysts need to speed up cyber risk assessments, and be more agile and adaptable through increased automation and prepopulation of risk data in context.
More broadly, GenAI might augment existing continuous threat exposure management programs by better aggregating, analyzing and prioritizing inputs. It can also generate realistic scenarios for validation.
Obstacles
The cybersecurity industry is already plagued with false positives. A single bad “hallucination” or inaccurate GenAI response will make organizations cautious about adoption or lead them to limit the scope of their usage.
Best practices and tooling to implement responsible AI, privacy, trust, security and safety for GenAI applications do not fully exist yet.
Organizations still require the core skill sets they are supposed to augment using GenAI. Currently, adopting GenAI will likely increase workloads before it successfully decreases them.
As GenAI is still developing, establishing the trust required for its wider adoption will take time. This is especially true for the skill augmentation use cases, as you would need the skills you are supposed to augment in order to ensure the recommendations are good.
Uncertainty about the pricing of these assistants will play a big factor in the pace of adoption. Today, only a few providers have communicated about their pricing, while many give early previews for free.
User Recommendations
Pick initial use cases carefully and present them as experiments, either as an integrated feature of existing tools or as stand-alone products that do not replace existing tools. First implementations might have a higher error rate than the more mature techniques already in place.
Monitor the addition of GenAI assistants by your existing providers and beware of GenAI washing. Don’t pay a premium before obtaining measurable results.
Evaluate privacy features and the model architecture to ensure you control the type of data shared with the GenAI assistant.
Implement a documented approval workflow for allowing new generative cybersecurity AI experiments to avoid the unmanaged sharing of sensitive data.
Make it mandatory from a policy standpoint that any content (that is, configuration or code) generated by an AI is fully documented, peer-reviewed by humans and tested before it is implemented. If not possible, consider any AI-generated content as “Draft Only” when used for critical use cases.
Gartner Recommended Reading
Adversarial Exposure Validation
Analysis By: Jeremy D'Hoinne, Eric Ahlm, Dhivya Poole, Jonathan Nunez
Benefit Rating: High
Market Penetration: 5% to 20% of target audience
Maturity: Adolescent
Definition:
Adversarial exposure validation is the process, and the supporting technologies, that deliver consistent, continuous and automated evidence of the feasibility of various attack scenarios. Adversarial exposure validation technologies combine multiple simulated or real attack techniques to demonstrate not only the existence but also the exploitability of exposures despite existing defensive controls and processes. Products are deployed primarily as SaaS, with agents and/or virtual machines.
Why This Is Important
Automated pentest tools and breach and attack simulation (BAS) vendors have largely converged to become adversarial exposure validation providers. They offer easy-to-deploy products, good automation and growing flexibility by combining attack simulation with heavily customized and realistic scenarios. This leads to more frequent and reliable assessments, creating efficiency and a more measurable outcome. It also expands the use cases for the red team to the broader exposure management initiative.
Business Impact
Adversarial exposure validation confirms a potential exposure to a specific threat by taking the attackers’ view. It evaluates the efficacy of attacks through deployed security controls and can highlight vulnerable paths leading to the organization’s most critical assets. This helps security teams prioritize strategic initiatives and evaluate the value of their acquired technologies. It complements exposure assessments and provides a way to continuously execute attack scenarios.
Drivers
Adversarial exposure validation is relevant to security operations teams looking for flexibility and automation as it supports multiple use cases.
Filter for relevant remediation actions: Adversarial exposure validation drives urgency. The organization should use it to filter theoretical risks (e.g., a long list of high-priority issues) down to only those attacks that are demonstrated to work.
Red team augmentation: Human-led red teaming programs are difficult to initiate because they require a specific set of expertise, processes and tools that can be expensive to develop or procure. The progress in automation and the expanding number of providers help kick off red teaming programs by starting small and demonstrating benefits early.
Attack surface reduction: Organizations with established cybersecurity validation programs use BAS technology primarily to ensure consistent, yet improved, security posture over time and across multiple locations.
Exceeding compliance requirements: These tools continuously validate the organization’s security posture. Organizations value more automated assessments to prepare for mandatory compliance penetration testing, or to augment and/or refocus human-led red team activity on more advanced scenarios. They go deeper than assessment tools because they positively verify an exposure by simulating or running actual attacks.
Security control validation: In a purple team scenario, these tools can integrate with security control technologies or, more importantly, highlight deficiencies in those technologies or in how they are configured. They do so through the security tools’ management APIs or by reading alert logs, enabling security configuration management and improving the visibility of defense gaps.
Support continuous threat exposure management (CTEM) program: Adversarial exposure validation enables deeper automation of the “validation” step. Adding automation to the red team’s toolkit can also help initiate such a program.
Obstacles
Only higher maturity organizations are successfully implementing exposure management initiatives because it requires extensive internal sponsorship, not only from the security team, but also from other infrastructure teams, such as networks or applications.
Many vendors still target too narrow a set of use cases, such as red teaming only. While this is a valid use case, CTEM activities extend to many more user organizations.
While many vendors offer attack simulation and automated penetration testing in the same technology portfolio, they rarely combine the two functions in a single tool. Users typically need to purchase them separately.
The skill set required to deploy, maintain and operate an adversarial exposure validation tool is extensive. It includes technical competences, an understanding of threat actors and their techniques, and insight into infrastructure and application architecture.
Acceptance of results by auditors, assessors and third-party risk teams is rare, especially in organizations in highly regulated industries.
User Recommendations
Prioritize the most impactful exposure scenarios. Assess the vendors’ capabilities to deliver simulated attacks as an easier way to convey the benefits of supporting an exposure management and resilience program.
Integrate existing attack simulation and penetration testing scenarios in an adversarial exposure validation roadmap, as part of a shift from vulnerability management to a CTEM program.
Onboard existing red teams by demonstrating that the automation helps support more interesting human-led red teaming activities, and that enabling a collaborative “purple teaming” approach helps improve threat detection, investigation and response.
Evaluate the threat vectors and attack scenarios that these tools can deliver, the security controls they can evaluate, and the frequency with which simulations are updated. In particular, some providers are adding cloud and hybrid validation scenarios, which might not be as mature.
Understand the benefits and challenges of the various deployment options (e.g., “assume breach” versus an assessment starting from outside the organization; agent deployment). Today, many vendors use either agents or an agentless approach, not both. A hybrid approach might be architecturally more effective over time, as it offers the widest choice of exposure simulations.
Sample Vendors
AttackIQ; Cymulate; Google; Horizon3.ai; NetSPI; Pentera; Picus Security; Ridge Security; SafeBreach; SCYTHE
Telemetry Pipelines
Analysis By: Gregg Siegfried
Benefit Rating: Moderate
Market Penetration: 5% to 20% of target audience
Maturity: Early mainstream
Definition:
Telemetry pipelines are solutions that provide a uniform and holistic mechanism to manage the collection, ingestion, enrichment, transformation and routing of machine data (telemetry) from source to destination(s). These solutions can be consumed on a self-managed, SaaS-managed or hybrid basis. Telemetry pipelines may be stand-alone products or part of a vendor’s broader portfolio of monitoring solutions.
Why This Is Important
When applications and services are distributed across a wide area, and involve multiple service providers, their context is as well. Telemetry pipelines, sometimes called observability pipelines, enable organizations to collect, transform, enrich and route health, performance and security telemetry more efficiently from sources (workloads, monitoring agents and platforms) to destinations (analysis and investigation tools, event management solutions and long-term storage).
Business Impact
Telemetry pipelines improve efficiency by:
Ensuring telemetry is of sufficient quality before analysis.
Managing analysis cost by storing telemetry according to its purpose.
Reducing the number of agents collecting telemetry at the source.
Simplifying alert generation by normalizing taxonomy, granularity and cardinality before ingestion into analysis tools.
Optimizing bandwidth utilization through compression and deduplication.
Consolidating portions of the IT and security operations toolchains.
Drivers
Telemetry volume is increasing — Modern workloads generate significant amounts of telemetry, which can take many forms and may originate in multiple locations. Telemetry pipelines provide a mechanism to unify them.
Cost — Moving and storing data can be expensive. Many telemetry insight platforms charge based on ingest volume. Applying governance to telemetry and only moving, ingesting and storing what you need can help manage costs.
Bulk long-term storage — Cloud-based object storage has become a ubiquitous, secure and reasonably priced way to store bulk data. Some log monitoring products have built seamless support for object storage while maintaining rapid reporting access. This reduces the need for each individual analysis solution to maintain a “cold” or “frozen” tier.
OpenTelemetry Collector implementation — The open-source OpenTelemetry Collector software itself relies on the telemetry pipeline pattern and supports transformation, enrichment and routing to multiple destinations out of the box.
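As an added illustration of the pipeline pattern described in the business impact list and drivers above (normalize taxonomy, enrich, deduplicate, route by purpose so that a volume-priced tool receives only what matters), here is a minimal pipeline in Python. It is not code from any vendor product or from the OpenTelemetry Collector; the host inventory, the severity mapping, the sink names and the sample records are all constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed host inventory used for enrichment (hypothetical values).
HOST_INVENTORY = {
    "web-01": {"env": "prod", "owner": "platform"},
    "db-01": {"env": "prod", "owner": "data"},
}

# Apps whose events count as security telemetry and must reach the SIEM (assumed list).
SECURITY_APPS = {"sshd", "sudo", "auditd"}

# Each source has its own severity vocabulary; map all of them to one taxonomy.
SEVERITY_MAP = {
    "debug": "debug", "info": "info", "notice": "info",
    "warn": "warning", "warning": "warning",
    "err": "error", "error": "error", "crit": "critical", "critical": "critical",
}

# Constructed syslog-style layout: "<host> <app>[pid]: <message>"
SYSLOG_RE = re.compile(r"^(?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")


def normalize(source, raw):
    """Map one raw record from `source` into the common schema; None if unparsable."""
    if source == "syslog":
        m = SYSLOG_RE.match(raw)
        if not m:
            return None
        msg = m.group("msg")
        sev = "warning" if msg.lower().startswith("failed") else "info"
        return {"host": m.group("host").lower(), "app": m.group("app"),
                "severity": sev, "message": msg}
    if source == "app_json":
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            return None
        host = rec.get("hostname", "").lower().split(".")[0]  # strip domain suffix
        return {"host": host, "app": rec.get("component", "unknown"),
                "severity": SEVERITY_MAP.get(rec.get("level", "").lower(), "info"),
                "message": rec.get("msg", "")}
    return None


def enrich(event):
    """Attach inventory context once, so no downstream tool needs its own lookup."""
    meta = HOST_INVENTORY.get(event["host"], {"env": "unknown", "owner": "unassigned"})
    event.update(meta)
    event["category"] = "security" if event["app"] in SECURITY_APPS else "ops"
    return event


def route(event):
    """Destinations for an event, chosen by purpose; an empty set means drop it."""
    if event["severity"] == "debug":
        return set()                       # pure noise: never leaves the pipeline
    sinks = {"archive"}                    # cheap bulk object storage keeps everything
    if event["category"] == "security":
        sinks.add("siem")
    if event["severity"] in ("error", "critical"):
        sinks.add("ops-analytics")         # volume-priced tool: only what matters
    return sinks


def run_pipeline(records):
    """records: iterable of (source, raw_line). Returns (events per sink, stats)."""
    sinks = defaultdict(list)
    stats = {"received": 0, "unparsable": 0, "duplicates": 0, "dropped": 0}
    seen = set()
    for source, raw in records:
        stats["received"] += 1
        event = normalize(source, raw)
        if event is None:
            stats["unparsable"] += 1
            continue
        key = (event["host"], event["app"], event["message"])   # dedupe fingerprint
        if key in seen:
            stats["duplicates"] += 1
            continue
        seen.add(key)
        targets = route(enrich(event))
        if not targets:
            stats["dropped"] += 1
        for sink in targets:
            sinks[sink].append(event)
    return dict(sinks), stats


# Constructed sample input from two sources (not real logs; 203.0.113.0/24 is a documentation range).
SAMPLE_RECORDS = [
    ("syslog", "web-01 sshd[812]: Failed password for root from 203.0.113.5 port 41022"),
    ("syslog", "web-01 sshd[812]: Failed password for root from 203.0.113.5 port 41022"),  # duplicate
    ("syslog", "web-01 cron[99]: (root) CMD (/usr/bin/logrotate)"),
    ("app_json", '{"hostname": "DB-01.corp.example", "level": "ERR", "component": "postgres", "msg": "connection pool exhausted"}'),
    ("app_json", '{"hostname": "DB-01.corp.example", "level": "DEBUG", "component": "postgres", "msg": "checkpoint complete"}'),
    ("app_json", "not json at all"),
]
```

Running `run_pipeline(SAMPLE_RECORDS)` on the sample yields three events in the archive sink, one SIEM event and one ops-analytics event, while the stats account for one duplicate, one dropped debug record and one unparsable line.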
Obstacles
Additional tools add to administrative cognitive load — Telemetry pipeline products have their own learning curve, particularly when configuring them to transform and enrich data as they pass through.
Potential compatibility — Given the variety of telemetry sources and analysis back ends available, choosing a telemetry pipeline product that meets current and future needs may pose a challenge.
ROI concerns — Although the ROI is very clear when telemetry pipelines are used to reduce ingestion into a volume-based analysis tool, other benefits have a less obvious payback.
User Recommendations
Consolidate or bridge silos of telemetry by deploying telemetry pipelines. Understanding the data that you have will support use-case adjacencies such as a telemetry data lake.
Unify operational and security-related telemetry collection by deploying telemetry pipeline products. The analysis back ends may be different, but a reduction in agents can be a win.
Emphasize consistency by limiting the output formats. Although telemetry pipelines are inherently many-to-many solutions, make “many to fewer” the objective.
Use telemetry pipelines to optimize and standardize the data enrichment and transformation needs without overloading the data source.
Sample Vendors
Chronosphere (Calyptia); Cribl; Datadog; Edge Delta; Mezmo; observIQ; Onum
At the Peak
CPS Security
Analysis By: Katell Thielemann
Benefit Rating: High
Market Penetration: More than 50% of target audience
Maturity: Early mainstream
Definition:
Cyber-physical systems (CPS) security is the overall discipline to ensure that CPS remain safe, reliable and resilient in the face of growing threats. CPS are engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). They are created as physical assets become connected to each other or to enterprise IT systems, and as automation and robotic technology assets are deployed.
Why This Is Important
CPS include industrial control systems (ICS), operational technology (OT), Internet of Things (IoT) and industrial IoT umbrellas. They cover everything from equipment that supports critical infrastructure, such as energy, water systems, communications, smart cities and grids, to autonomous vehicles and smart manufacturing. They connect physical processes with digital technology and underpin all critical infrastructure. CPS are increasingly targeted by attackers seeking to steal data, demand ransom, derail production or sow geopolitical unrest.
Business Impact
Unlike IT systems that create, store, transact or transform data, CPS connect both the cyber and the physical worlds. They are usually deployed in production or mission-critical environments. Thus, CPS security efforts need to focus on human safety and operational resilience, above and beyond traditional data-centric security efforts. These efforts need to consider all cybersecurity best practices, the laws of physics and industry-specific engineering decisions.
Drivers
The consequences of a successful attack on CPS go beyond cybersecurity-centric data loss. They include operational shutdowns, environmental impacts, damage and destruction of property and equipment, and even personal and public safety risks.
The last few years have seen a marked increase in attacks that impact loss of visibility or loss of control in manufacturing and critical infrastructure production environments. Because these areas are usually where value is created or essential public services are performed, CPS will continue to be targeted.
Rapidly increasing initiatives from governments and companies alike are bringing CPS security into sharper focus. These initiatives span various domains, such as smart cities, utilities, healthcare, food, agriculture, public safety, and transportation.
Risks that extend to the physical world require measures above and beyond “regular” cybersecurity. Such risks include physical perimeter breaches, USB insertion, controller area network (CAN) bus injections, GPS jamming, hacking, spoofing, tampering, command intrusion and malware implantation in physical assets.
The generic OT security market has evolved into specific CPS security categories. These include protection platforms, cyber-risk quantification platforms, unidirectional data flow solutions, secure remote access solutions, content disarm and reconstruction solutions, security services, network-centric solutions (e.g., cloaking, microsegmentation), onboard diagnostics solutions, embedded systems security, and supply chain security solutions.
Because of the prevalence of CPS in critical infrastructure sectors and the tight relationship between critical infrastructure and national security, governments worldwide are turning to security regulations and directives to mandate minimum security controls.
Obstacles
CPS are often deployed by business units without consultation from the security team.
Most organizations still focus mainly on IT-security-centric risk management.
The lack of collaboration across siloed teams running systems such as IT, OT and IoT hampers CPS security efforts that require cross-functional collaboration.
CPS vendors are integrating 4G/5G modems in their equipment for out-of-band communication, without customer awareness.
Many organizations do not have structured security programs or skills that sufficiently cover the scope of CPS, especially the high-value/mission-critical assets.
Because CPS product standards that guide security design and usage are still evolving, many manufacturers value “speed to market” over “secure to market.”
Many devices lack storage and compute power to facilitate security mechanisms.
The omnipresence of CPS devices in buildings, cities, homes and vehicles tests the scalability of traditional security methods, which may not be able to address the risks in devices, areas or the entire value chain.
User Recommendations
Prioritize security controls and “secure by design” practices in new procurements.
Discover all connected assets using tools designed specifically for CPS environments, realizing that CPS may be present in office environments as well, in the form of access controls, elevators, air conditioning, etc.
Evaluate which CPS assets are high value or mission critical, identify specific CPS security controls already in place, and determine whether any gaps need to be prioritized based on potential organizational impact.
Create an investment plan to update security and risk management strategies and programs in relation to CPS, starting with the high-value and mission-critical assets.
Engage functional business leaders to establish clear risk ownership, define domain-specific controls for CPS, and balance trade-offs between growing the business and improving security.
Evaluate the growing list of CPS security solutions, as there are more options than ever before.
Sample Vendors
Armis; Claroty; Dragos; Microsoft; Nozomi Networks
CAASM
Analysis By: John Watts, Neil MacDonald, Mitchell Schneider
Benefit Rating: Low
Market Penetration: 1% to 5% of target audience
Maturity: Emerging
Definition:
Cyber asset attack surface management (CAASM) focuses on enabling security teams to overcome asset visibility and exposure challenges. It enables organizations to obtain a near-complete view of their assets (internal and external), primarily through API integrations with existing tools, query consolidated data, identify the scope of exposures and gaps in security controls, and mitigate issues.
Why This Is Important
CAASM aggregates asset visibility from other products that collect a subset of assets, such as endpoints, servers and devices. By consolidating internal and external cyberassets, users can query to find coverage gaps and misconfigurations for security tools such as vulnerability assessment and endpoint detection and response tools. CAASM provides mostly passive data collection via API integrations, replacing time-consuming manual processes to collect and reconcile asset information.
Business Impact
CAASM enables security teams to improve basic security hygiene by finding security controls posture gaps, and asset exposures across all digital assets. Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes to improve staff efficiency, and reduce attack surface by mitigating gaps either manually or via automated workflows. Organizations visualize security tool coverage, support attack surface management (ASM) processes and correct systems of record that may have stale or missing data.
Drivers
More comprehensive visibility into any asset owned by the organization collected through existing tools to improve the understanding of an organization’s potential attack surface and existing security control gaps.
Quicker audit compliance reporting through more accurate, current, and comprehensive asset and security control reports.
Consolidation of existing products that collect asset and exposure information into a single normalized view, to reduce operational overhead of manual processes and dependencies on homegrown applications or spreadsheets.
Access to consolidated asset views for multiple individuals and teams across an organization and integrations with other systems of record for current state visibility.
Lower resistance to data collection from and better security visibility into potential blind spots, such as “shadow IT” organizations, installed third-party systems and line-of-business applications over which the IT department lacks governance and control. Security teams need visibility in these places, whereas the IT department may not.
Help IT teams improve the accuracy of their existing configuration management database (CMDB) through periodic updates of assets and attributes missed by CMDB reconciliation processes.
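As an added illustration of the consolidate-and-query pattern described above (not code from any CAASM vendor), the Python below merges exports from an EDR tool, a vulnerability assessment scanner, a CMDB and a cloud inventory into one normalized view, then queries it for control coverage gaps, assets missing from the system of record, and conflicting attributes that need reconciliation. All four exports, their field names and the host names are constructed assumptions rather than any product's real API schema.

```python
import ipaddress
from collections import defaultdict

# Constructed exports, one per integrated tool. Field names are hypothetical,
# not any product's real API schema; IPs are RFC 1918 sample values.
EDR_EXPORT = [
    {"device_name": "WEB-01.corp.example", "ip": "10.0.1.10", "agent_version": "7.2"},
    {"device_name": "db-01", "ip": "10.0.2.20", "agent_version": "7.1"},
]
VA_EXPORT = [  # vulnerability assessment scanner
    {"hostname": "web-01", "ipv4": "10.0.1.10", "last_scan": "2024-05-01"},
    {"hostname": "db-01.corp.example", "ipv4": "10.0.2.21", "last_scan": "2024-04-02"},
    {"hostname": "jump-07", "ipv4": "10.0.3.7", "last_scan": "2024-05-03"},
]
CMDB_EXPORT = [
    {"ci_name": "web-01", "ip_address": "10.0.1.10", "owner": "platform"},
    {"ci_name": "db-01", "ip_address": "10.0.2.20", "owner": "data"},
    {"ci_name": "legacy-02", "ip_address": "10.0.9.2", "owner": "finance"},
]
CLOUD_EXPORT = [  # cloud provider VM inventory
    {"name": "jump-07", "private_ip": "10.0.3.7", "account": "prod-acct"},
    {"name": "batch-11", "private_ip": "10.0.3.11", "account": "prod-acct"},
]

# Per-source mapping onto the common schema: (source, records, host field, ip field).
SOURCES = [
    ("edr", EDR_EXPORT, "device_name", "ip"),
    ("va", VA_EXPORT, "hostname", "ipv4"),
    ("cmdb", CMDB_EXPORT, "ci_name", "ip_address"),
    ("cloud", CLOUD_EXPORT, "name", "private_ip"),
]


def asset_key(host, ip):
    """Stable identity across tools: short lowercase hostname, else the IP."""
    short = (host or "").strip().lower().split(".")[0]
    if short:
        return short
    return str(ipaddress.ip_address(ip))  # raises on garbage rather than inventing an asset


def consolidate(sources=SOURCES):
    """Merge all sources into one record per asset, remembering which tools saw it."""
    assets = {}
    for name, records, host_field, ip_field in sources:
        for rec in records:
            key = asset_key(rec.get(host_field), rec.get(ip_field))
            entry = assets.setdefault(key, {"ips": set(), "seen_by": set(), "attrs": {}})
            entry["ips"].add(rec.get(ip_field))
            entry["seen_by"].add(name)
            entry["attrs"][name] = rec          # keep the raw view for later reconciliation
    return assets


def coverage_gaps(assets, required=("edr", "va")):
    """Query the consolidated view for control gaps and reconciliation problems."""
    gaps = defaultdict(list)
    for key, entry in sorted(assets.items()):
        for control in required:
            if control not in entry["seen_by"]:
                gaps[control].append(key)         # asset exists but this control never saw it
        if "cmdb" not in entry["seen_by"]:
            gaps["missing_from_cmdb"].append(key)  # system of record is stale
        if len(entry["ips"]) > 1:
            gaps["ip_conflict"].append(key)        # sources disagree; needs human reconciliation
    return dict(gaps)


if __name__ == "__main__":
    view = consolidate()
    for finding, hosts in sorted(coverage_gaps(view).items()):
        print(f"{finding}: {', '.join(hosts)}")
```

On the sample exports this reports batch-11, jump-07 and legacy-02 without EDR coverage, batch-11 and legacy-02 never scanned, batch-11 and jump-07 absent from the CMDB, and db-01 with conflicting IPs between the scanner and the other sources.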
Obstacles
Resistance to “yet another” tool — there are increasing overlaps between CAASM vendors and adjacent tools that provide some asset inventory and reporting, such as vulnerability prioritization technology and continuous control monitoring.
Not all vendors have the capabilities to identify and integrate with every system required for visibility and vulnerability information, nor do they all ingest and normalize security events across environments into a common data model.
Vendor response actions to prioritized issues may be limited to opening tickets or invoking a script.
Extremely large environments are limited by some vendors’ licensing and scalability.
Tools that could be integrated with a CAASM product either do not exist within an organization, lack an API, or may be prevented from integrating by the teams that own them.
Reconciliation processes that conflict with source systems may not be resolved easily within CAASM vendor tooling.
User Recommendations
Take advantage of proof-of-concept opportunities and free versions of products and subscriptions to “try before you buy,” as CAASM products are nondisruptive and easy to deploy.
Sign contracts with smaller pure-play providers for no more than one year, considering the immaturity of the market and potential introduction of CAASM functionality by incumbent security vendors.
Favor vendors that can combine inside-out and outside-in asset visibility capabilities for all asset types or partner with external ASM providers, and leverage APIs as the primary mechanism to collect asset data.
Inventory all available APIs that can be integrated with the CAASM product you are considering, and ensure that you have read-only or low-privilege user accounts available to integrate.
Sample Vendors
Armis; Axonius; Brinqa; Encore; JupiterOne; Noetic Cyber; NorthStar.io; Ordr; Panaseer; Sevco Security
Penetration Testing as a Service
Analysis By: Mitchell Schneider, Carlos De Sola Caraballo, William Dupre, Jeremy D'Hoinne
Benefit Rating: High
Market Penetration: 20% to 50% of target audience
Maturity: Adolescent
Definition:
Penetration testing as a service (PTaaS) provides technology-led, point-in-time and continuous application and infrastructure testing aligned with penetration testing (pentesting) standards, which have traditionally relied heavily on human pentesters using commercial/proprietary tools. The service is delivered via a SaaS platform, leveraging a hybrid approach of automation and human pentesters (crowdsourced or vendors’ in-house team) to increase the efficiency and effectiveness of the results.
Why This Is Important
Pentesting is foundational in a security program and mandated by various compliance standards (e.g., payment card industry [PCI]). PTaaS delivers continuous security testing via a platform that enables faster scheduling and execution of pentests, and real-time communications with testers and visibility of test results. It provides API access to enable integration with existing DevOps and ticketing solutions for workflow automation. It also provides the ability to document and track pentesting results to demonstrate progress over time to leadership/auditors.
Business Impact
PTaaS complements vulnerability scanning and application security testing, and provides cost optimization and quality improvement of pentesting output and validation of vulnerability status. PTaaS enables organizations to elevate their security posture through continual assessment, and can integrate validation earlier in the software development life cycle compared with traditional pentesting phases by giving access to real-time findings delivered through the platform, therefore enabling faster treatment of exposure.
Drivers
Organizations are turning to PTaaS to deal with the increase in attack surfaces due to the accelerating use of public cloud and expansion of public-facing digital assets. PTaaS allows developers to talk to and receive guidance from pentesters instead of relying completely on scanners, such as dynamic application security testing/static application security testing (DAST/SAST) scanners.
Organizations with limited in-house security expertise must meet their compliance and risk management objectives, in addition to improving their security posture, and therefore look to pentesting services to meet these initiatives.
In order to meet fast production deadlines, security-aware organizations must integrate a more agile way of conducting pentesting into their continuous integration/continuous delivery (CI/CD) pipelines for their DevSecOps practices.
Gartner clients have expressed an appetite to test on a more frequent basis; however, manual pentesting is cost-prohibitive in modern infrastructure (e.g., infrastructure as a service [IaaS], SaaS and third-party subscriptions).
Most organizations have a pentesting budget and often seek better ways to use their annual allocation. Highly automated, technology-led pentesting has the potential to offer higher-quality deliverables for the same price, or at least more frequent ones.
Obstacles
Selecting a suitable PTaaS vendor in the market may be difficult, as their capabilities vary. Vendors use one or a combination of automation and human testers, which are in-house or community-led — typically vetted freelancers — to perform penetration testing for the client organization.
Most PTaaS vendors in the market focus on internet-facing digital assets, like web and mobile applications, which may only partially fulfill client requirements.
PTaaS vendors may not be able to support very complex environments where extensive domain expertise is needed.
The depth and extensibility of PTaaS are not as flexible as a statement of work (SOW)-led engagement. Therefore, if you have specific requests and/or are seeking extensive testing, you are not going to get it with PTaaS.
User Recommendations 用户推荐
Determine which option/mix of penetration testing programs is best for your organization: compliance-driven service engagement; PTaaS; in-house red team leveraging an automated pentesting tool; or bug bounty.
确定哪种渗透测试计划选项/组合最适合您的组织:合规驱动的服务参与; PTaaS;利用自动渗透测试工具的内部红色团队;或错误奖励。
Identify and evaluate the pentesting scope and requirements that PTaaS vendors will be able to fulfill before engaging with vendors. PTaaS is well-aligned to both application testing and external infrastructure testing. Not all vendors will be able to replace internal infrastructure pentests, wireless, social engineering and physical assessments.
在与供应商接洽之前,确定并评估PTaaS供应商能够满足的渗透测试范围和要求。PTaaS与应用程序测试和外部基础设施测试保持良好的一致性。并非所有供应商都能够取代内部基础设施渗透测试、无线、社会工程和物理评估。
Favor hybrid scanning models that combine human analysis and automation to increase both effectiveness and efficiency.
支持结合了联合收割机人工分析和自动化的混合扫描模式,以提高效率和效益。
Select a PTaaS vendor that aligns with relevant compliance requirements, and not just focuses on internet-facing infrastructure and applications.
选择符合相关合规性要求的PTaaS供应商,而不仅仅关注面向互联网的基础设施和应用程序。
Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service to alleviate the security skills gap.
寻求PTaaS供应商,在其服务的整个生命周期中提供定制和量身定制的指导,以缩小安全技能差距。
Sample Vendors 样本供应商
Bishop Fox; BreachLock; Bugcrowd; Cobalt Labs; HackerOne; NetSPI; Raxis; Siemba; Synack; SynerComm
Gartner Recommended Reading
Threat Exposure Management
Analysis By: Pete Shoard, Mitchell Schneider, Jeremy D'Hoinne
Benefit Rating: Transformational
Market Penetration: 5% to 20% of target audience
Maturity: Adolescent
Definition:
Threat exposure management encompasses a set of processes and technologies that allows enterprises to continually and consistently assess the visibility and validate the accessibility and exploitability of an enterprise’s digital assets. Threat exposure management must be governed by an effective continuous threat exposure management (CTEM) program.
Why This Is Important
The effort required to resolve exposures and the diversity of discovered issues lead to conflicting priorities. Security teams struggle to prioritize risk reduction actions, leaving gaps where they feel they have less control, such as SaaS and social media. Threat exposure management reduces the challenges organizations face in identifying, prioritizing and validating threat exposures that exist due to the diversity of their attack surfaces. It also extends traditional vulnerability management (VM).
Business Impact
Threat exposure management is a specialism that governs and prioritizes risk reduction for the modern enterprise and requires assessments of all systems, applications and subscriptions used for business activities, broadening risk understanding for today’s digital landscape. CTEM programs factor in business importance, likelihood of attack, visibility of vulnerability and validation of the existence of an attack path, to enable businesses to mobilize responses to the most relevant risks.
Drivers
A lack of scope and understanding of prioritization and risk, combined with high volumes of findings, is leaving organizations with far too much to do regarding their exposure and little guidance on what to action first.
A programmatic and repeatable approach to answer the question “How exposed are we?” is necessary for organizations. Threat exposure management aims to allow reprioritization of treatments as environments shift in a rapidly changeable and expanding IT landscape.
Organizations commonly silo exposure activities such as penetration testing, threat intelligence management and vulnerability scanning. These siloed views provide little or no awareness of the complete picture for cyber risk that the organization has.
As the modern organization has expanded its critical third-party infrastructure, subscriptions and open-source applications, the potential for exposure to threats through vulnerabilities and misconfiguration issues vastly increases. Using a CTEM program reduces the burden on the business for understanding the individual risks each new part of the system brings.
Vendor offerings used to identify threat exposures are evolving and consolidating to include wider ranges of visibility, meaning end users will have access to new information about potential threats without having to purchase new subscriptions.
Obstacles
The increased scope of CTEM programs over traditional VM introduces a number of new complexities often not previously considered or budgeted for.
While the concept of evaluating your attack surface is well-understood, continued security tool consolidation in this space, such as external attack surface management with vulnerability assessment, is beginning to simplify day-to-day operational processes. However, formal integration of other technologies such as CAASM is still low.
Processes to manage end-to-end awareness (from visibility of possible attack vectors to response to breaches) are virtually nonexistent in most organizations, which often simply scan and test their networks for compliance reasons.
The complex way an attack may manifest itself requires certain skill sets to understand. Market areas such as exposure validation make it simpler to test out-of-the-box scenarios using technologies/services such as breach and attack simulation tools. But new skills and understanding are required to use these capabilities effectively and to develop custom-made simulations.
User Recommendations
Create agreements on tackling exposure with various organizational stakeholders, as success is dependent on it. Automated remediation from tools is unlikely to have a significant impact.
Communicate risk to the board. Senior executives must have an awareness of where risks are, and allocate resources to improve awareness of potential threats.
Implement wider, more multiplatform programs such as CTEM to manage exposure. Include scoping and directional exposure awareness that deals with issues that are business-critical, not just “fire and forget” approaches.
Prepare response and reaction plans. Monitoring and responding to identified issues and risks, as a critical part of managing exposure, and validating that exposures exist and that controls are functioning are all useful, but it is essential that organizations also prepare to react.
Include in your CTEM program assets that your organization doesn’t directly own, such as social media accounts, SaaS and data held by supply chain partners.
Gartner Recommended Reading
Security Service Edge
Analysis By: Charlie Winckless, John Watts
Benefit Rating: Transformational
Market Penetration: 5% to 20% of target audience
Maturity: Early mainstream
Definition:
Security service edge (SSE) secures access to the web, SaaS applications and private applications. Capabilities include adaptive access control, data security, visibility and compliance. Further capabilities include an advanced threat defense and acceptable use control enforced by network-based and API-based integrations. SSE is primarily delivered as a cloud-based service and may include on-premises or endpoint agent-based components.
Why This Is Important
SSE offerings converge security functions to improve organizational flexibility to secure the usage of web and cloud services and remote work.
SSE offerings combine at least secure web gateways (SWGs), cloud access security brokers (CASBs) and zero-trust network access (ZTNA), and are primarily delivered from the cloud.
When organizations are pursuing a secure access service edge (SASE) architecture, SSE is paired with software-defined WAN (SD-WAN) to simplify networking and security operations.
Business Impact
Organizations continue to adopt SaaS applications for business-critical and other uses. Hybrid work also continues to be widely practiced. SSE allows the organization to support anytime-anywhere workers by using a cloud-centric approach to enforce a security policy when accessing the web, cloud services and private applications. Simultaneously, SSE reduces the administrative complexity of running multiple products and provides greater visibility into end-user actions in one platform.
Drivers
Organizations need to secure user, application and enterprise data that is distributed and requires secure remote access. SSE enables flexible and primarily cloud-based security for hybrid workers and devices without being tied to on-premises network infrastructure and connectivity, while cloud and SaaS are augmenting or replacing on-premises applications.
Hardware and virtual instances of traditional SWGs and VPN solutions limit the capacity for supporting a large, distributed workforce, and require a cloud-based approach to enable resource-intensive security processes in parallel to improve performance.
For many enterprises, a significant amount of critical business processes and data are now delivered as SaaS. Therefore, there is a need to perform data loss prevention (DLP) on data that is located in, going to and leaving these SaaS platforms.
Administrators lose visibility into user traffic when users are not connected to enterprise-owned networks, yet they need to retain configuration and monitoring for this traffic.
Organizations want to reduce complexity and the number of point vendors enforcing secure access policies, including fewer endpoint agents, and applying controls such as DLP, Advanced Threat Defense and remote browser isolation to secure more use cases from a single provider.
Organizations that cannot dictate the choice of their network edge provider (e.g., SD-WAN), or do not want to migrate from existing providers, need the flexibility to integrate security services independent of SD-WAN for their SASE requirements.
Obstacles
As the market continues its high growth trajectory by the convergence of capabilities, vendors may be strong in certain capabilities and weak in others. Vendors are rapidly expanding to single-vendor SASE offerings and may lack the overall tight integration between their own SSE capabilities or with SD-WAN vendors.
Not all vendors provide sufficient DLP features to manage business risks.
Being cloud-centric, SSE typically doesn’t address every need supported by on-premises controls, such as internal firewalling.
Organizations are concerned about uptime, availability and responsiveness of services that they depend on for their business. This is compounded by weak SLAs from some vendors, and that not all vendors provide all features locally in all geographies, resulting in performance or availability issues. Some may limit the points of presence (POPs) available to a client.
Migrating to ZTNA capabilities in SSE from a VPN will increase costs.
User Recommendations
Exploit this converged market, consolidate vendors and cut complexity as contracts renew for SWGs, CASBs and VPNs by replacing them with a ZTNA approach.
Approach SSE consolidation by identifying which elements you may already have in place (for example, existing cloud-based CASB or SWG). Develop a shortlist of vendors based on your use cases regarding secure end-user requirements, the cloud services you use and the data you need to protect.
Inventory your equipment and contracts to implement a multiyear phaseout of on-premises perimeter and branch security hardware in favor of the cloud-based SSE.
Validate that remote offices have acceptable performance and features with selected vendors if you are a global enterprise. Vendor POP locations and service support are key.
Actively engage with initiatives for branch office transformation, SD-WAN and Multiprotocol Label Switching (MPLS) offload to integrate cloud-based SSE into the scope of project planning.
Sample Vendors
Broadcom; Cisco; Cloudflare; Forcepoint; iboss; Lookout; Netskope; Palo Alto Networks; Skyhigh Security; Zscaler
Gartner Recommended Reading
Sliding into the Trough
Digital Forensics and Incident Response
Analysis By: Eric Ahlm, Craig Lawson, Andrew Davies, Mitchell Schneider
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Mature mainstream
Definition:
Digital forensics and incident response (DFIR) retainer services help organizations assess and manage the impact of a security incident. DF services assist with forensic response, aid in forensic information gathering and advise on proactive best practices for avoiding a breach. IR services assist with breach investigation, triage and impact classification. These capabilities are delivered as professional services, supported by technology services from the same provider.
Why This Is Important
DFIR services are a strategic investment to strengthen an organization’s IR capabilities, both proactively and reactively. Advanced attacks, such as ransomware, require specialized skills in investigation, negotiation, forensics and response. For most organizations, having highly specialized experts on payroll for limited usage doesn’t make sense. DFIR providers can help augment response capabilities through contracted services.
Business Impact
DFIR services are increasingly critical to an organization’s strategic IR plan. Improper handling of response postbreach can lead to extended impacts and losses. Regulatory fines, legal fees, lawsuits, brand devaluation and customer attrition can all be affected by how a breach is handled. Having a robust DFIR capability in place will elevate the response capabilities of the organization, allowing for proportional responses aligned to avoid real impacts.
Drivers
The increased risk of cyberattacks against organizations has highlighted the need to invest in a DFIR provider to react, remediate and recover the business infrastructure.
DFIR has had a strong increase in popularity within North America, EMEA and the Asia/Pacific region. This highlights the strategic importance of DFIR, but also the value attributed to the brand and reputation of an organization.
Businesses want rapid response to incidents with a highly detailed investigation and accuracy to be able to minimize the impact of a breach — reducing any downtime and meeting any regulatory or insurance-driven needs.
DFIR providers offer the expertise required to help organizations recover from security incidents quickly. They provide guidance on security control reconfiguration and granular details regarding the true impact of a breach, without the overhead of directly attracting, compensating and retaining specialist staff.
Certain clients need assistance in the chain of custody. This is a process that proves that evidence used to prosecute a cybercriminal is legitimate and not edited fraudulently. Most DFIR suppliers can help deliver this if requested, while some even provide litigation support.
Cyberinsurance carriers often require clients to engage with a DFIR provider to reduce the risk, and thus the cost, to the insurance company. Insurance companies may offer reduced premiums if their preferred DFIR provider is used.
Obstacles
DFIR vendors have different approaches to providing response and forensics capabilities, which can create confusion for clients. Vendors should use a combination of human and technology approaches, and identify which approach best suits the needs of the buyer.
Understanding the DFIR roles and responsibilities when responding to incidents is critical to the success of the program. Organizations must understand what constitutes a call-out and what does not.
The buyer must understand the terms of engagement with the DFIR supplier, whether a retainer, a zero-hour retainer or a pay-for-retention contract, which is usually assigned against the buyer’s organization.
A DFIR contract won’t solve the problem of the internal cross-team collaboration required for response. Business decisions about an incident, and internal coordination of the response, can be an obstacle.
User Recommendations
Evaluate purchasing a prepaid IR retainer if the budget allows this. DFIR buying options can be confusing. Prepurchasing retainers can maximize investment, and increase priority and access to services to support your DFIR requirements in case of an incident.
Evaluate the DFIR services for breach planning and avoidance services in addition to postbreach response services. The best option is always to avoid a breach if possible.
Involve your DFIR provider in your cybersecurity maturity. This can enhance an organization’s other security investments. DFIR providers’ business is dealing with breaches, and the lessons learned from them can enhance your cybersecurity defense with more sophisticated use cases, threat detection and even playbooks.
Keep in mind that an agreement with a DFIR provider is not a replacement for the buying organization having its own IR process in place.
Sample Vendors
Accenture; BlueVoyant; Booz Allen Hamilton; CrowdStrike; Deloitte; IBM; Mandiant; NCC Group; PwC; Verizon
Gartner Recommended Reading
Digital Risk Protection Services
Analysis By: Mitchell Schneider, Jonathan Nunez
Benefit Rating: Moderate
Market Penetration: More than 50% of target audience
Maturity: Early mainstream
Definition:
Digital risk protection services (DRPS) are a set of technology-led services which enable brand protection, third-party risk assessment and discovery of external-facing threats, and offer technical response to identified risks. They provide visibility into the surface web, social media, dark and deep web sources to identify potential threats to critical assets and provide contextual information on threat actors, their tactics, techniques and procedures for conducting malicious activities.
Why This Is Important
Modern attacks, from commodity exploits to highly curated and sophisticated fraud schemes, are prevalent and effective as threat actor delivery modalities have been commensurately commoditized (across the clear, deep and dark web). DRPS leverage these modalities to discover and mitigate the risks which may directly impact business operations or reputation. These services typically require specialized skill sets to operate and are most often consumed as an outsourced function.
Business Impact
DRPS proactively identify external-facing risks from social-media-related artifacts, provide open and dark web findings, and even support third-party risk initiatives to determine corrective courses of actions, with the purpose of protecting your organization’s reputation and brand. DRPS aim to associate all malign activity on the public internet related to your organization, enrich those findings with threat and business context, and perform technical responses to evict certain threats when possible (takedowns).
Drivers
DRPS have been driven by their ability to support a range of use cases and user roles. Example use cases include digital footprinting (e.g., mapping internal/external assets and identifying shadow IT); brand protection (e.g., impersonations, doxing and misinformation); account takeover (e.g., credential theft, lookalike domains and phishing sites); data leakage detection (e.g., detection of intellectual property, personally identifiable information, credit card data, credentials); and high-value target monitoring (e.g., VIP/executive monitoring).
Complexities in the management of risks are key reasons why organizations can benefit from DRPS. These complexities include an expanding attack surface, a more hybrid workforce, higher reliance on e-commerce, regulatory compliance, cloud assets, digital business transformation, a volatile threat landscape, and the magnitude of information derived from monitored risk and security activities (e.g., preextortion related to ransomware).
Demand for DRPS is also driven by the accessibility of such offerings for small or midsize enterprises that originally couldn’t benefit from threat intelligence (TI), due to the lack of specialized skills and resources for security, including the time needed to perform follow-up actions. This is because of the less technical and more accessible nature of the intelligence made available by many DRPS providers, as well as the availability of a managed service type of offering.
Obstacles
The DRPS market has been increasing with more than 75 vendors, which makes it difficult for vendors to differentiate themselves from one another. Furthermore, the vendor capabilities vary and may be limited in their ability to provide a comprehensive solution. Some vendors have a best-of-breed approach, whereby they focus heavily on single DRPS use cases (e.g., VIP/executive monitoring), whereas many vendors have expanded to support more than one use case. Moreover, there are variations in the types and scope of takedowns and related investigations DRPS vendors support.
DRPS is now a predominant feature of almost all the large TI vendors, and overlaps with other complementary markets, such as managed security service providers/managed detection and response (MDR) providers. These markets are experiencing increased competition, and buyers are wanting to spend less money; therefore, consolidating services into an existing procurement vehicle seems plausible for many organizations.
User Recommendations
Evaluate the capabilities and features of DRPS offerings and match them to the needs of your organization’s security programs and business risks. Ask vendors what threats they cover and whether they focus on a specific use case or many (e.g., phishing, dark/deep web monitoring, data leakage and/or social media protection).
Prioritize best-of-breed solutions to meet specific urgent needs, depending on the urgency and importance of the core use case. One example would be threats arising from consistent lookalike domains and phishing domains requiring takedown services. Assess vendors based on takedown success rates and the ability to work with internet service providers and registrars in foreign locations.
Prioritize solutions that include managed services in their offerings (especially if there are resource constraints), that can predict and prevent issues from occurring in the first place, and have SLAs that ensure the fastest remediation time.
Sample Vendors
Axur; BforeAI; Bolster AI; CybelAngel; Cyberint; Cybersixgill; Cyble; QuoIntelligence; SOCRadar; ZeroFox
Gartner Recommended Reading
External Attack Surface Management
Analysis By: Ruggero Contu, Franz Hinner, Mitchell Schneider, Elizabeth Kim
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
External attack surface management (EASM) refers to the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures. Examples include exposed servers, public cloud service misconfigurations and third-party partner software code vulnerabilities that could be exploited by adversaries.
Why This Is Important
Digital transformation initiatives have accelerated the expansion of enterprises’ external attack surfaces. Cloud adoption, remote/hybrid working, and IT/OT/Internet of Things (IoT) convergence are some key changes increasing exposure to external threats. EASM helps identify internet-facing assets while also prioritizing discovered vulnerabilities and related threats. It aims to provide risk information relevant to digital assets in the public domain, exposed to threat actors.
Business Impact
EASM provides valuable risk context and actionable information to security and risk management leaders. EASM delivers visibility through four primary capabilities:
Asset discovery/inventory for external-facing assets and systems
Monitoring for internet-facing enterprise exposures (cloud services, Internet Protocol addresses, domains, certificates and IoT devices)
Analysis to assess and prioritize the risks and vulnerabilities discovered
Indirect remediation, mitigation and incident response through prebuilt integrations with ticketing systems and security orchestration, automation and response tools
Drivers
Interest in understanding what organizations are exposed to from an attacker’s point of view.
Digital business initiatives such as cloud adoption, application development, hybrid working and IT/OT/IoT convergence present new enterprise risks.
Demand to quantify third-party risks arising from activities such as mergers and acquisitions and integration of supply chain infrastructure.
EASM’s adoption as part of different security platforms, such as threat intelligence (TI), cybersecurity validation and vulnerability assessment (VA), supporting more precise scoping and actionability.
Obstacles
Low perceived value, with EASM leveraged for single use cases rather than multiple areas.
A fast-evolving market due to significant consolidation is a challenge for buyers investing in startups that eventually get acquired.
Already overburdened vulnerability management (VM) capabilities and teams concerned about adding to workloads.
User Recommendations
Review available EASM capabilities arising from converging markets, in areas such as TI, cybersecurity validation and VA, or from providers with broader platforms, such as Palo Alto Networks and Microsoft. You may have an existing commercial relationship in place with a provider, and its functionalities may be good enough.
Review providers’ capabilities such as breadth of coverage (discovery), accuracy, prioritization efficacy and level of automation in supporting remediation activities, as they vary considerably from vendor to vendor.
Select an EASM technology or service provider based on the recognized use-case priority, but also integration strategy to support TI, threat hunting, VM, and/or security testing/validation activities.
Ensure your EASM investment fits into the larger ASM strategy, in which external and internal exposure management are combined.
Consider EASM a key capability if primary business revenue is driven by externally facing web services.
Sample Vendors
Bishop Fox; BreachLock; Censys; CyCognito; Cymulate; FireCompass Technologies; Palo Alto Networks; Pentera; SOCRadar; ZeroFox
Bishop Fox; BreachLock;Censys; CyCognito; Cymulate; FireCompass Technologies; Palo Alto Networks;Pentera; SOCRadar;ZeroFox
Gartner Recommended Reading
Gartner推荐阅读
Identity Threat Detection and Response
身份威胁检测和响应
Analysis By: Mary Ruddy
分析人:玛丽鲁迪
Benefit Rating: High
效益评级:高
Market Penetration: More than 50% of target audience
市场渗透率:超过50%的目标受众
Maturity: Adolescent
成熟度:青少年
Definition:
Identity threat detection and response (ITDR) is a discipline that includes tools and best practices that secure the identity and access management (IAM) infrastructure itself from attacks. Various ITDR tools can detect threats, confirm administrator posture, respond to different types of attacks or restore normal operation as needed.
Why This Is Important
Identity is foundational for security operations (identity-first security), and the IAM infrastructure must be operated with a security mindset. As identity becomes more important, threat actors are increasingly targeting the identity infrastructure itself. Identity continues to be a prime target for threat actors, with credential misuse being a popular attack vector. Organizations must increase their focus on protecting their IAM infrastructure. ITDR adds further layers of security to IAM and cybersecurity deployments.
Business Impact
Securing your IAM infrastructure is mission-critical for security operations. If your accounts are compromised, permissions are set incorrectly or your IAM infrastructure itself is compromised, attackers can take control of your systems and disrupt business operations. Protecting your IAM infrastructure must be a top priority. “Business-as-usual” processes that seemed adequate before attackers began targeting identity tools directly are no longer sufficient. This can require one or more ITDR-enabling tools, which may include tools already within the organization’s portfolio.
Drivers
More sophisticated attackers are actively targeting the IAM infrastructure itself. For instance:
Administrator credential misuse is now a primary vector for attacks against the IAM infrastructure.
Attackers can use administrative permissions to gain access to the organization’s global administrator account or trusted Security Assertion Markup Language (SAML) token-signing certificate to forge SAML tokens for lateral movement.
Modern attacks have shown that conventional identity hygiene is not enough. There is no such thing as perfect prevention. Multifactor authentication and entitlement management processes can be circumvented, and the supporting/enabling tools generally lack mechanisms for detection and response if something goes wrong.
ITDR is an overarching discipline and a set of capabilities to protect the IAM infrastructure itself. It is needed in addition to access management (AM), identity governance and administration, privileged access management, security information and event management, and a security operations center or outsourced managed detection services.
There are major detection gaps between IAM and infrastructure security controls. IAM is traditionally used as a preventive control, whereas infrastructure security is used broadly but has limited depth when detecting identity-specific threats. ITDR demands more specific capabilities that operate with lower latency than general-purpose configuration management, detection and response tools.
Obstacles
ITDR requires coordination between IAM and security teams. This coordination can be difficult to establish.
Lack of awareness of IAM administrator hygiene, detection and response best practices. More is needed than just traditional Active Directory threat detection and response.
IAM teams often spend too much effort protecting other groups’ digital assets and not enough protecting their own IAM infrastructure. They tend to operate identity tools in silos, which prevents them from sharing risk signals and prioritizing overall hygiene activities.
Multiple capabilities are required to fully protect the IAM infrastructure. These include closely monitoring configuration changes to root IAM administrator accounts, detecting when IAM tools are compromised, enabling rapid investigations and efficient remediation, and the ability to quickly revert to a known good state. Vendors are investing in improving automation.
Even though there are many different tools with ITDR capabilities, their disparate architectures limit each of them to specific use cases.
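The drivers above name two concrete signals (global administrator grants and changes to the SAML token-signing certificate) and the obstacles list names close monitoring of root IAM administrator accounts as a required capability. The following is an added example, not Gartner's or any vendor's code, of a minimal ITDR-style detector run over constructed IAM audit events; the event schema, the approved-actor baseline and the role/account names are assumptions made for the example.

```python
"""Added example (not from the report): a small ITDR-style rule set that
flags changes to privileged roles, token-signing material and root IAM
administrator accounts in a constructed IAM audit log."""
from dataclasses import dataclass
from typing import List

# Hypothetical audit-event schema, constructed for this example.
@dataclass(frozen=True)
class AuditEvent:
    ts: str          # ISO-8601 timestamp of the change
    actor: str       # identity that performed the change
    action: str      # e.g. "role.assign", "federation.cert.add"
    target: str      # object that was changed
    detail: str = "" # role name or free-text note

@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    event: AuditEvent

# Constructed baseline (an assumption): the only identities that may touch
# these objects through the normal change-management process.
APPROVED_ADMINS = {"breakglass-admin", "iam-change-pipeline"}
PRIVILEGED_ROLES = {"GlobalAdministrator"}
ROOT_ADMIN_ACCOUNTS = {"breakglass-admin"}
SIGNING_CERT_ACTIONS = {"federation.cert.add", "federation.cert.replace"}

def evaluate(events: List[AuditEvent]) -> List[Finding]:
    """Return one Finding per event that touches the IAM infrastructure itself.
    Every such change is reviewed; an actor outside the approved set escalates
    the finding to critical because it matches the credential-misuse driver."""
    findings: List[Finding] = []
    for e in events:
        unapproved = e.actor not in APPROVED_ADMINS
        if e.action in SIGNING_CERT_ACTIONS:
            # New or replaced token-signing certificate: forged tokens become
            # possible if this was not a planned rotation.
            findings.append(Finding("critical" if unapproved else "high",
                                    "signing-cert-change", e))
        elif e.action == "role.assign" and e.detail in PRIVILEGED_ROLES:
            # Someone gained global administrator rights.
            findings.append(Finding("critical" if unapproved else "high",
                                    "privileged-role-grant", e))
        elif e.target in ROOT_ADMIN_ACCOUNTS and e.action.startswith("account."):
            # Password, MFA or other configuration change on a root admin account.
            findings.append(Finding("critical" if unapproved else "medium",
                                    "root-admin-account-change", e))
    return findings

# Constructed sample log: two routine changes and four that warrant review.
SAMPLE_EVENTS = [
    AuditEvent("2024-05-01T08:00:00Z", "iam-change-pipeline", "role.assign", "alice", "HelpdeskOperator"),
    AuditEvent("2024-05-01T08:05:00Z", "iam-change-pipeline", "federation.cert.replace", "idp-prod", "scheduled rotation"),
    AuditEvent("2024-05-01T09:10:00Z", "svc-backup", "federation.cert.add", "idp-prod", "secondary signing cert"),
    AuditEvent("2024-05-01T09:12:00Z", "bob", "role.assign", "bob", "GlobalAdministrator"),
    AuditEvent("2024-05-01T09:15:00Z", "svc-backup", "account.mfa.reset", "breakglass-admin"),
    AuditEvent("2024-05-01T10:00:00Z", "alice", "account.password.change", "alice"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.rule:26} {f.event.ts} {f.event.actor} -> {f.event.target}")
```

In a real deployment the findings would be forwarded to the centralized SOC rather than printed, which is what the recommendations below ask for.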
User Recommendations
Include an ITDR strategy in your formal IAM program. ITDR requires a sponsor who can identify stakeholders and spearhead this collaborative initiative.
Prioritize securing the IAM infrastructure with tools to discover and monitor identity attack techniques; protect identity and access controls; detect when attacks are occurring; and enable fast remediation.
Look for capabilities in existing and new, specialized tools that provide visibility across your IAM ecosystem, prioritize remediation efforts, and can demonstrate (over time) a reduction in the attack surface. Leverage multiple tools to provide all needed ITDR capabilities, as needed.
Modernize the IAM infrastructure using current and emerging standards to orchestrate your IAM infrastructure to operate more as an identity fabric that shares risk signals, so that it is easier to detect identity threats. Direct alerts generated by ITDR capabilities to your centralized security operations center.
Use the MITRE ATT&CK framework to correlate ITDR techniques with attack scenarios to ensure that at least well-known attack vectors are addressed. Above all, prevent administrator accounts from being compromised.
Combine foundational identity hygiene, such as reducing standing privileges, with ITDR. Manage the security posture and configuration of user directories and token generators.
Sample ITDR-Enabling Vendors
Cisco (Oort); CrowdStrike; Delinea (Authomize); Gurucul; Microsoft; Netwrix; Proofpoint (Illusive); Semperis; SentinelOne (Attivo Networks); Silverfort
Gartner Recommended Reading
XDR
Analysis By: Eric Ahlm, Thomas Lintemuth, Franz Hinner
Benefit Rating: High
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Extended detection and response (XDR) delivers unified security incident detection and response capabilities. XDRs integrate threat intelligence, security events and telemetry data from multiple sources, with security analytics to provide contextualization and correlation of security alerts. XDR must include native sensors. XDR can be delivered on-premises or as a SaaS offering, and is typically deployed by organizations with smaller security teams.
Why This Is Important
XDR offers a less complex approach for threat detection and response by using a systematic, rather than an integration, approach to building a detection stack. XDR vendors, for the most part, manage the complex dependencies normally associated with building a detection stack through their use of native APIs. The vendor provides prebuilt playbooks that enable collaboration in their stack and coherence in the detection of common threats.
Business Impact
The relative ease of use of XDR to detect common threats reduces the need for internal skill sets and could reduce the staff needed to operate a more complex solution, such as security information and event management (SIEM). XDR can also help reduce the time and complexity associated with security operations tasks through a single centralized investigation and response system.
Drivers
XDRs appeal to organizations with modest maturity needs due to the detection logic, mostly vendor-provided, that generally requires less customization and maintenance.
XDRs appeal to organizations looking for improved visibility across the security stack, as well as those looking to lower the administration requirements of more complex incident response (IR) solutions.
Midsize organizations that struggle to correlate and respond to alerts generated from disparate security controls appreciate the productivity gain from centralized XDR interfaces.
Staff with the required skills to maintain and operate an extensible detection stack are hard to recruit and retrain.
Purchasing a systemic detection stack in the form of XDR can simplify product selection and acquisition.
Obstacles
XDR’s lack of extensibility creates obstacles for clients who wish to build custom and extensible detection and monitoring use cases.
Expanding an XDR detection stack’s capabilities through the addition or replacement of security controls may be limited by the vendor.
An XDR product alone does not always meet all needs for long-term log storage for use cases other than incident response, such as compliance, application monitoring and performance monitoring.
XDR may be a poor choice for advanced security operations center (SOC) functions like creating a forensically sound system of record, or threat hunting.
User Recommendations
Evaluate the scaling functions included in the XDR solution, such as automation and knowledge augmentation, to drive efficiencies in the common operational functions associated with threat detection and response.
Clients with limited SIEM deployments may consider XDR solutions with supplemental log ingestion capabilities as a possible migration target for their existing SIEM solution.
Include the knowledge services provided by the vendor for common detection upkeep as part of the solution cost justification.
Favor security products that provide APIs for information sharing and that allow automated actions to be sent from an XDR solution.
Consider a managed detection and response (MDR) solution on top of an XDR product when your organization needs help with the daily operations of threat detection and response, not just vendor-provided integrations and playbooks.
Sample Vendors
Cisco; CrowdStrike; Fortinet; Microsoft; Palo Alto Networks; SentinelOne; Sophos; Stellar Cyber; Trellix; Trend Micro
Gartner Recommended Reading
SOAR
Analysis By: Eric Ahlm, Craig Lawson
Benefit Rating: Moderate
Market Penetration: 20% to 50% of target audience
Maturity: Early mainstream
Definition:
Gartner defines security orchestration, automation and response (SOAR) as solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single solution. SOAR tools can be used for many security operations tasks, such as documenting and implementing processes, supporting security incident management, applying machine-based assistance to human security analysts and operators, and better operationalizing the use of TI.
Why This Is Important
SOAR tools are extensible development platforms for organizations that wish to craft their own automation playbooks for scaling a wide variety of use cases within security operations (SecOps). Current buyers of SOAR tend to be more mature organizations with the resources to invest in their own development teams to support the development requirements of SOAR. For other organizations, consuming the automation built into existing technologies such as security information and event management (SIEM), extended detection and response, IT service management or similar platforms has become more common than acquiring dedicated SOAR technologies.
Business Impact
SOAR solutions can help clients:
Reduce errors in handling incidents by codifying activities.
Scale security operations by adding efficiency in handling various tasks and activities.
Improve security operations center (SOC) team morale and reduce analyst turnover by removing repetitive tasks from humans.
Drivers
SOAR can improve the process and execution speed of repetitive tasks that often torment SOCs, especially tasks that consume time and require little human expertise. This frees teams to spend more time on critical tasks and activities.
SOAR can increase alert fidelity and actionability by adding more context and data enrichment. This helps reduce noise due to the high volume of alerts that needs to be handled by the SOC team.
Security orchestration and automation (SOA) as a capability is increasingly needed by security operations. SOAR solutions offer flexible SOA in the platform. However, SOA is also becoming more available as canned, baked-in functionality in other security technologies, such as email security solutions, to help improve both analysis and triage and automate responses to threats.
Obstacles
SOAR requires both development and ongoing operational cycles to maintain, similar to other coding development practices. As such, not all activities will warrant the investment in SOAR development and maintenance.
There are fewer vendor options for SOAR platforms in the market due to acquisitions and the featurization of automation into other larger platforms.
Justifying the expense of automation and a SOAR purchase remains an obstacle for clients. The value of automation is best described in the language of gains in existing areas of operations.
User Recommendations
Consider consuming the automation features built into larger security platforms first. Stand-alone SOAR platforms should be the exception for clients with generalized automation requirements.
Assess the availability of development skill sets internally to develop SOAR’s required functionality. Security leaders should also review the time and cost this may add to the total cost of owning a SOAR toolset.
Involve the entire security organization when scoping requirements for SOAR. Organizations must look beyond simply plugging a new technology into SIEM and engage with the wider security function.
Select an appropriate product based on buyer understanding and its applicable use cases, such as SOC optimization, threat monitoring and response, threat investigation and hunting, and TI management.
Implement well-defined processes and playbooks before acquiring SOAR. Although SOAR promotes lots of benefits, not every security organization is ready for SOAR tools, and a considerable amount of time is required to develop playbooks.
Sample Vendors
Cisco (Splunk); Cyware; D3 Security; Google; Palo Alto Networks; Rapid7; ServiceNow; Swimlane; Tines; Torq
Gartner Recommended Reading