依據國內資訊媒體的企業資安調查,惡意程式及勒索軟體的威脅成為近兩年企業風險的前五名,中大型企業為防範此問題,採用端點特權管理系統的商用解決方案,來對用戶端進行軟體與權限的安全控管。端點特權管理系統 (Endpoint Privilege Management,EPM) 是賦予用戶端軟體適當的執行權限,同時只允許用戶端執行企業信任的軟體,能夠透過權限控管與軟體控管來達到用戶端的保護,並同時提供符合稽核法規的報表。EPM對軟體控管依賴於系統管理員對軟體的分類,當系統管理員對軟體信譽無法判別時,則將其歸類為灰名單軟體。本研究以案例公司的端點特權管理系統為研究對象,透過ELK Stack (Elasticsearch、Logstash、Kibana) 與外部IP Address信譽清單來與EPM整合,設計出一套實用性的系統,能夠自動判別已存在的灰名單軟體信譽,來輔助系統管理人員使用EPM,進而降低系統維護成本與提高資安事件的反應速度。此實驗方法於2021年1月至2021年4月期間運行於案例公司,在約2000台的電腦中,完成即時比對的灰名單軟體對外連線次數為398,642次,而其中有71次的連線是連線至信譽不良的IP Address,若以一次連線比對需5分鐘計算,本研究設計可節省的比對時間約3萬多個小時。;According to the survey of domestic IT media agency, malware and ransomware threats are the top five high-risk ranking with corporations in these two years. To mitigate the risk, corporations adopt Endpoint Privilege Management (EPM) to dominate software security and local privilege on end user computers. EPM is a commercial security solution, which is grant minimum execution permission to software, meanwhile, allow trust software on end user computers only. System administrators need to classify software categories before implementing this solution. Software which is not able to be classified by system administrators we called it gray software. In this research, we take EPM of case study as an example to design a system which is integrated with ELK Stack (Elasticsearch, Logstash and Kibana) and IP address reputation to achieve reputation identification on exist gray software automatically. Moreover, to lower system maintenance effort and enhance the response time of security incidents. We have applied the experimental method on 2000 end user computers in case study environment and found 71 high risk connections in entire 398,642 connections on gray software from January to April 2021. Meanwhile, we saved around thirty thousand hours to check all connections.
