네트워크 · 엔드포인트 · 데이터 · 최신 트랜드 · 거버넌스/인증 · 클라우드
강사 박수현 · 🚀 젠아이랩스(GenAI Labs)
🎨 이미지 프롬프트: "Editorial wide cover illustration on dark navy background — a giant hexagonal wheel divided into six glowing segments labeled in Korean: '네트워크' (with tiny sub-labels: Fortinet FortiGate 600F · Palo Alto PA-5450 · F5 Advanced WAF i7800), '엔드포인트' (CrowdStrike Falcon Insight XDR · Microsoft Defender for Endpoint · 안랩 V3 EDR Plus), '데이터' (마크애니 DocuMaker DRM · 신시웨이 Petra DBSafer · Forcepoint DLP), '최신 트랜드' (Zero Trust NIST SP 800-207 · SASE · Palo Alto Cortex XSOAR), '거버넌스·인증' (ISO/IEC 27001:2022 · ISMS-P · CC EAL4+ · KCMVP), '클라우드' (Wiz CNAPP · Palo Alto Prisma Cloud · Netskope CASB); each segment has a small representative icon (rackmount firewall with red logo, laptop with shield + Falcon orange chevron, locked database + key, AI brain with shield, certificate badge with wax seal, cloud with padlock + Kubernetes wheel). Behind the wheel a stylized SOC operations room with three analysts at multi-monitor desks tracking world-map threat feeds (red dots over Russia/CN/NK suggesting APT29·APT41·Lazarus·Kimsuky), Splunk Enterprise Security 7.x Glass Tables and IBM QRadar Offense Manager screens reflected on the wall, blue-purple holographic dashboards floating above; teal #00b894 and purple #6c5ce7 accents, cinematic glow, 16:9, technical editorial style"
2014.01 (공개)
KCB 내부 협력업체 직원이 카드 3사 고객정보 약 1.04억 건 유출. 역대 최대 규모.
💡 교훈 — 외부 위탁 보안 (SAC·DRM·로그 감시) + 개인정보 암호화 의무
참고: 「2014 카드 3사 정보유출」 검색
2023.01 (공개)
LG U+ 고객정보 약 29만 건 (이후 추가 18만 건) 유출. 다크웹 판매 정황.
💡 교훈 — DB 보안(접근제어·암호화·감사) + ISMS-P 2.5.5 특수권한
참고: 「2023 LG유플러스 정보유출」 검색
2025.04.18 (금)
BPFdoor 악성코드로 SKT 핵심 시스템 침투 → USIM 정보 2,695만건 + IMEI 29만건 유출 (9.82GB).
💡 교훈 — EDR·XDR·BPFdoor 대응·KISA 신고 SOP·DRM·SIEM
참고: 위키백과 「2025년 SK텔레콤 유심 정보 유출 사고」
📌 이번 세션의 시각 — 위 3건은 모두 「위탁 보안 통제 부재」「DB 접근 감사 누락」「인증 통제 미흡」. 본 세션의 NGFW·SAC·DLP·DRM·FIDO·PKI·SIEM 6대 도메인 다층 방어가 직접 해법.
보안은 단일 솔루션이 아니라 6대 도메인의 다층 방어. TA는 모든 솔루션을 직접 구현하지 않더라도 배치 위치·정책 흐름·인증 요구사항을 설계한다.
🎨 이미지 프롬프트: "Editorial circular wheel infographic on dark navy background — a central hub labeled '보안 6대 도메인' glowing in teal, with six radial segments equally divided: '① 네트워크 보안' (rackmount firewall icon with red logo accent), '② 엔드포인트 보안' (laptop+shield icon with orange Falcon-style chevron), '③ 데이터 보안' (locked database barrel icon with key), '④ 최신 트랜드' (AI brain + shield icon), '⑤ 거버넌스·인증' (certificate badge icon with red wax seal), '⑥ 클라우드 보안' (cloud + padlock icon with Kubernetes helm wheel overlay); thin teal lines connect adjacent segments suggesting overlap; each segment has 3~4 sub-keywords in tiny text — ① 'NGFW Fortinet FortiGate 600F · WAF F5 i7800 · IPS 윈스 Sniper V40 · Anti-DDoS Radware DefensePro x4420', ② 'EDR CrowdStrike Falcon · NAC Cisco ISE 3.3 · SIEM Splunk ES 7.x · SOAR Cortex XSOAR', ③ 'DRM 마크애니 DocuMaker · DLP 소만사 Mail-i · DB보안 신시웨이 Petra DBSafer · PKI Thales Luna 7', ④ 'ZTNA NIST SP 800-207 · SASE Cato·Netskope · SOAR Splunk Phantom · XDR Palo Alto Cortex', ⑤ 'ISMS-P · ISO/IEC 27001:2022 · CC EAL4+ · NIST CSF 2.0 · KCMVP 검증필', ⑥ 'CASB Netskope · CSPM Wiz · CNAPP Prisma Cloud · CWPP Lacework'; clean editorial wheel diagram, teal #00b894 and purple #6c5ce7 accents, 16:9"
6대 도메인은 독립이 아니라 다층 방어 — 한 곳이 뚫려도 다음이 막는다.

보안 6대 도메인 — 한눈에 보는 전체 지도
기밀성 — 알아야 할 사람에게만 - 권한 없는 자 접근 금지 - 암호화·접근통제·물리 격리 - 망분리·DRM·KMS - 위반 = 유출 사고
무결성 — 변조 없이 그대로 - 데이터 변조 차단 - 해시 (SHA-256·SM3)·전자서명 - WORM 백업·감사로그 - 위반 = 조작 사고
가용성 — 필요할 때 작동 - 서비스·데이터 사용 가능 - HA·DR·DDoS 대응 - Anti-DDoS·백업·이중화 - 위반 = 서비스 중단
확장 5원칙 (Parkerian Hexad): CIA + Authenticity(진본성) · Non-repudiation(부인방지) · Utility(유용성) — 전자서명·PKI 시대에 추가된 축.
6대 도메인의 모든 솔루션은 CIA 중 어떤 축을 지키는가로 분류할 수 있다.
Firewall 4세대 · NGFW · UTM · WAF · IPS · Anti-DDoS · VPN
🎨 이미지 프롬프트: "Editorial horizontal timeline illustration on dark navy background — four evolutionary stages of firewall drawn left to right as connected boxes: '1세대 Packet Filter (Stateless)' with a simple IP/Port filter icon labeled '~1990' and sub-text 'Cisco ACL · ipfw · 5-tuple (src/dst IP·port·proto)', '2세대 Stateful Inspection' with a connection table icon labeled '~1995' and sub-text 'Check Point FireWall-1 · Cisco PIX 515 · TCP state table (ESTABLISHED/SYN_SENT/...)', '3세대 Application Proxy' with a proxy gateway icon labeled '~2000' and sub-text 'TIS Gauntlet · WinGate · Layer-7 HTTP/SMTP/FTP 프록시', '4세대 NGFW' with a multi-feature stacked icon (App-ID, User-ID, IPS, SSL Decrypt, AV, URL Filter) labeled '2010~' and sub-text 'Palo Alto PA-5450 · Fortinet FortiGate 600F · Check Point Quantum 6000 · Cisco Firepower 4145 · 시큐아이 BS5800'; each stage shows its key feature in 2-3 lines of tiny text with throughput examples (e.g. '~1Gbps → ~10Gbps → ~40Gbps → 100Gbps+'); thin teal arrows showing evolution with small CVE/incident notes between them ('Code Red 2001', 'SQL Slammer 2003'); clean editorial timeline diagram, teal #00b894 and purple #6c5ce7 accents, 16:9"
신규 도입은 4세대 NGFW가 표준 — 1·2세대는 백본·내부 분리용으로만 잔존.

Firewall 4세대 진화 — Stateless → NGFW
| 세대 | 검사 깊이 | 성능 | 가시성 | 주 용도 |
|---|---|---|---|---|
| Stateless | L3·L4 헤더만 | 최고 | 낮음 | 백본·라우터 ACL·간단 분리 |
| Stateful | + 세션 추적 | 높음 | 중간 | 내부 망 경계·DMZ |
| App Proxy | L7 페이로드 | 중간 | 높음 | 메일·FTP·웹 게이트웨이 |
| NGFW | L3~L7 + IPS+TI | 중간~높음 | 최고 | 외부 경계·표준 |
| UTM | NGFW + AV/URL/VPN 통합 | 중간 | 높음 | 중소기업·지점 |
NGFW vs UTM의 차이: NGFW는 고성능 단일 기능 통합, UTM은 저비용 다기능 통합. 대기업·금융은 NGFW 다층, 중소기업·지점은 UTM 1대로 처리하는 것이 일반적.
🎨 이미지 프롬프트: "Editorial product-shot illustration on dark navy background — six rackmount firewall appliances arranged in two rows like a product lineup poster: top row 'Fortinet FortiGate 600F' (dark gray 2U with red FortiGate logo + front LCD panel + 16 SFP+ ports + 4 QSFP28 100G ports + dual PSU LEDs, caption '36 Gbps NGFW · ASIC NP7+CP9'), 'Palo Alto Networks PA-5450' (silver 2U with red PA triangle logo + 8 RJ45 + 4 SFP+ + 2 QSFP28 ports + management LCD, caption '72 Gbps App-ID · 5세대 NGFW'), 'Cisco Firepower 4145' (dark blue 2U chassis with Cisco logo + Snort 3 + Talos badge + dual PSU, caption '45 Gbps Threat Inspection'); bottom row 'Check Point Quantum 6000' (black 1U with Check Point chain logo + 10 RJ45 + 2 SFP+ ports, caption 'R81.20 · 28 Gbps'), 'SonicWall NSa 6700' (red 1U with SonicWall shield logo, caption 'RTDMI · 36 Gbps'), '시큐아이 BS5800' (white-gray 2U Korean NGFW with SECUI ribbon logo + CC EAL4+ KCMVP 검증필 시일 sticker on side, caption '국내 NGFW · 시큐아이'); each appliance shown front-face with small caption label below indicating throughput and form-factor; clean editorial product photography style, teal #00b894 and purple #6c5ce7 background accents, 16:9"
🎨 이미지 프롬프트: "Editorial dark-theme console mockup illustration on dark navy background — Fortinet FortiManager 7.4 centralized policy console: top header 'FortiManager 7.4.2 · ADOM: prod-korea · admin@fmg-01', breadcrumb 'Policy & Objects → IPv4 Policy', left navigation tree with 'Device Manager (24 devices)', 'Policy & Objects', 'AP Manager', 'FortiGuard'; main pane shows a tabular policy list with columns Seq/Name/Source/Destination/Service/Action/Profile/Log (sample rows: '1 allow_dmz_web · any · 10.10.0.0/24 · HTTPS · ACCEPT · NGFW_strict (IPS+AV+WebFilter+SSL-Insp) · All', '2 allow_corp_out · 10.20.0.0/16 · all · web-services · ACCEPT · NGFW_balanced · UTM', '3 BLOCK_RU_CN · geoip:RU,CN,KP · any · ALL · DENY · — · All' in red, '4 allow_branch_vpn · IPsec-tunnel-branch · 10.30.0.0/16 · all · ACCEPT · default · Sec'); right side panel shows the matching CLI: 'FGT600F # show full-configuration firewall policy 1'; bottom pane shows policy install status 'fw-edge-01 (FortiGate 600F): Installed · fw-edge-02 (FortiGate 600F): Pending · fw-dc-01 (FortiGate 3500F): Installed'; status bar with green health dots; clean editorial UI mockup style, teal #00b894 accents, 16:9"
📸 NGFW 어플라이언스·관리 콘솔 reference - Fortinet FortiGate 600F / 3000F — fortinet.com/products/next-generation-firewall - Palo Alto PA-1410 / PA-3400 / PA-5400 — paloaltonetworks.com/network-security/next-generation-firewall - Check Point Quantum 6200 / 16200 — checkpoint.com/quantum - Cisco Firepower 9300 / 4100 — cisco.com/c/en/us/products/security/firewalls - F5 BIG-IP iSeries i7800 — f5.com/products/big-ip-services - 관리 콘솔 — FortiManager · Panorama (Palo Alto) · Cisco FMC · Check Point SmartConsole - 시큐아이·안랩 TrusGuard·수산INT — 국내 KCMVP 인증 NGFW - Linux 호스트 — iptables · nftables · firewalld (firewall-cmd) 매뉴얼
NGFW가 막지 못하는 응용 계층 공격 전담.
클라우드형 WAF - Cloudflare WAF · Akamai Kona - AWS WAF · Azure WAF - NCP WAF · KT Cloud WAF - 즉시 도입, 글로벌 분산 - 대규모 DDoS 흡수
온프레미스형 WAF - F5 Advanced WAF (ASM) - Imperva · Radware AppWall - Penta WafXpert · 이트원 WAF - 내부 응용 보호·법규 대응 (국정원 검증)
TA 결정 포인트: 외부 인터넷 노출 = 클라우드 WAF + 온프레미스 WAF 2단이 표준. 내부망 응용은 온프레미스 WAF만으로 충분.
🎨 이미지 프롬프트: "Editorial split illustration on dark navy background — left half labeled 'On-Prem WAF Appliance' showing a 2U F5 BIG-IP Advanced WAF i7800 rackmount with red F-shaped logo, front LCD, 8 SFP28 + 2 QSFP28 ports, dual PSU LEDs (caption 'OWASP Top 10 · L7 DoS · Bot Defense'), mounted in a server rack with a 1U Penta WAPPLES SE-5000 unit below it (white front bezel + Korean 펜타시큐리티 ribbon, caption 'COCEP™ 엔진 · KCMVP 검증필') and an Imperva SecureSphere X8500 2U at the bottom (dark gray with red Imperva logo); right half labeled 'Cloudflare WAF Dashboard' showing a browser dashboard with rule sets panel ('Cloudflare Managed Ruleset', 'OWASP Core Ruleset 4.0', 'Custom Rules · 18 active', 'Rate Limit · 100 req/min/IP'), a world map with red dots for blocked requests concentrated over RU/CN/BR, top counter '4.2M requests blocked / 24h · Top attack: SQLi 38% / XSS 22% / Bot 19%', a stacked area chart of attack types over 24h, side panel 'Top blocked URI: /wp-login.php · /admin · /.env'; clean editorial style with teal #00b894 and purple #6c5ce7 accents, 16:9"
📸 WAF 어플라이언스·콘솔 reference - F5 BIG-IP Advanced WAF / iSeries i7800 — f5.com/products/big-ip-services/advanced-waf - Imperva SecureSphere WAF Gateway — imperva.com/products/web-application-firewall-waf - Cloudflare WAF Dashboard — cloudflare.com/application-services/products/waf - AWS WAF Console — aws.amazon.com/waf - Akamai Kona Site Defender — akamai.com/products/kona-site-defender - 국내 — 펜타시큐리티 WAPPLES · 이트원 WAF (KCMVP)

WAF — 웹 응용 전용 방화벽
UTM은 AIO(All-In-One)의 편리함과 단일 장애점의 트레이드오프 — 지점·소규모에 적합.
🎨 이미지 프롬프트: "Editorial split-screen comparison illustration on dark navy background — left half labeled 'IDS (Tap/SPAN Mode)' showing a core switch with a SPAN port mirror line to a Gigamon network tap, an IDS sensor box drawn off-path labeled 'Snort 3.1 · Suricata 7.0' with a watching eye icon, an alarm bell ringing 'Alert only · syslog → SIEM (Splunk ES 7.x)', side note 'No packet drop · no blocking · 우회 불가 zero risk'; right half labeled 'IPS (Inline Mode)' showing the same network but with the IPS device placed in-line between edge router and core switch, drawn as a gate with a stop sign labeled 'Cisco Firepower NGIPS · 윈스 Sniper IPS V40 · SECUI MFI', blocking malicious red packets (with tags 'CVE-2024-XXXX exploit · SQL injection · Mirai bot') while green ones pass through, side note 'Latency ~수십 μs · fail-open bypass switch · 정책 오탐 시 서비스 영향'; thin teal connector lines, clean isometric perspective, teal #00b894 and purple #6c5ce7 accents, 16:9, technical illustration"
현실의 운영: 신규 도입은 99% IPS(NGFW 내장 또는 별도 어플라이언스). IDS는 로그 수집·SIEM 연동 분석용으로 잔존. 국내 보안기능 확인서 IPS 6종이 공공 표준.

IPS vs IDS — 탐지냐 차단이냐
🎨 이미지 프롬프트: "Editorial terminal screenshot illustration on dark navy background — three stacked dark terminal windows with title bars: top window titled '$ tcpdump -i eth0 -nn -s0 -w /tmp/cap.pcap \"tcp port 443\" &' showing tcpdump capture summary 'listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ... 18472 packets captured · 18512 received · 0 dropped'; middle wide window titled '$ tshark -r /tmp/cap.pcap -Y \"http.request.method == POST\"' showing color-coded packet output with columns No./Time/Source/Destination/Protocol/Info: rows like '1247 12.4231 10.20.1.55 → 10.10.0.80 HTTP POST /api/login HTTP/1.1', '1248 12.4289 10.10.0.80 → 10.20.1.55 HTTP HTTP/1.1 200 OK 1.2k', '1493 14.8821 192.0.2.66 → 10.10.0.80 HTTP POST /admin/exec' with red background labeled 'suspicious · MITRE ATT&CK T1059 Command and Scripting Interpreter'; bottom terminal titled '$ openssl s_client -connect example.com:443 -showcerts -tls1_3' showing TLS 1.3 handshake output with Certificate chain (0: CN=.example.com, 1: CN=DigiCert TLS RSA SHA256 2020 CA1, 2: CN=DigiCert Global Root G2), SAN: DNS:example.com DNS:.example.com, NotBefore 2025-01-15 NotAfter 2027-01-14, 'SSL handshake has read 5328 bytes, written 423 bytes · cipher TLS_AES_256_GCM_SHA384 · Server Temp Key X25519, 253 bits · Verify return code: 0 (ok)'; clean editorial terminal style, teal #00b894 accents, 16:9"

DPI · NDR — 심층 패킷 검사와 네트워크 탐지
🎨 이미지 프롬프트: "Editorial side-by-side comparison illustration on dark navy background — left half labeled 'IPSec VPN (Site-to-Site)' showing two corporate buildings (본사 HQ Seoul · 지사 Branch Busan) connected by a thick encrypted tunnel labeled with 'IKEv2 (UDP 500/4500) · ESP (Encapsulating Security Payload) · AH (Authentication Header) · Tunnel Mode AES-256-GCM · PSK or X.509 인증서', endpoints drawn as 'Cisco ASA 5555-X' and 'Fortinet FortiGate IPsec' rackmount appliances with red logos, side note 'L3 전구간 암호화 · 항상 연결 · 분기·DC 전용'; right half labeled 'SSL VPN (Remote Access)' showing a laptop user (재택근무자) connecting via browser HTTPS (TLS 1.3) to a 'Palo Alto GlobalProtect Portal · Fortinet FortiClient EMS · Cisco AnyConnect Secure Mobility' VPN gateway in front of the corporate network, with sub-text 'TCP 443 · 브라우저만으로 접속 · split-tunnel 옵션 · MFA YubiKey/SMS OTP'; both halves use clean isometric perspective with teal #00b894 and purple #6c5ce7 accents, padlock icons on the tunnels, 16:9, technical illustration"

VPN — 네 가지 표준 + 신흥 두 가지
| 시나리오 | 권장 VPN | 이유 |
|---|---|---|
| 본사 ↔ 지사 상시 | IPSec Site-to-Site | 안정·표준·대역 활용 |
| 재택근무 사용자 | SSL VPN 또는 WireGuard | 클라이언트 단순·HTTPS 통과 |
| 외부 협력사 한시적 | SSL VPN + MFA | 사용자 단위·세분화 |
| 다수 지점 (Hub-Spoke) | DMVPN | 동적 터널·관리 단순 |
| 오픈소스·저예산 | OpenVPN | 무료·검증·널리 호환 |
| 차세대·고성능 | WireGuard | 단순·빠름 |
| 공공·금융 망연계 | 단방향 게이트웨이 | 망분리 의무 |
| 클라우드 VPC 연결 | Cloud VPN (IPSec) | AWS/Azure 표준 |
TA 결정 4축: ① 사용자 vs 사이트 단위, ② 클라이언트 SW 설치 가능 여부, ③ 인증·암호화 강도 요구, ④ 운영 인력 역량.
AV → EPP → EDR → XDR → MDR · NAC · PMS · SIEM · SecureOS
1세대 AV는 더 이상 충분하지 않다 — EDR/XDR + MDR이 2026 신규 도입 표준.
🎨 이미지 프롬프트: "Editorial timeline illustration on dark navy background — horizontal time axis (T-30min → T-0 → T+5min) showing EDR endpoint event streams over time, four swim-lanes labeled 'Process (procmon)', 'File (NTFS USN journal)', 'Network (Sysmon EID 3)', 'Registry (HKLM/HKCU)'; small icons (gear, document, network arrow, key) appear along each lane as events with timestamps (sample: '10:14:22 winword.exe spawned', '10:14:23 ~$invoice.docm written to %TEMP%', '10:14:25 powershell.exe -enc base64...', '10:14:26 outbound 443 → 185.220.x.x (Tor exit)', '10:14:27 HKCU\...\Run added persistence key'); one red exclamation cluster in the middle highlighted with a circular zoom indicator labeled '이상행위 패턴 · CrowdStrike Falcon Insight XDR detection · Severity: High', a thin teal connecting line to a side panel showing 'IoC Match: SHA256 a3f5... · IP 185.220.101.42 (Tor) · ML Score 0.94 · MITRE ATT&CK TTPs: T1566.001 Spearphishing Attachment → T1059.001 PowerShell → T1547.001 Registry Run Keys → T1041 Exfiltration over C2 · Suspected actor: LockBit affiliate / APT29 Cozy Bear pattern' analysis bullets; clean editorial timeline visualization, teal #00b894 and purple #6c5ce7 accents, 16:9"

EDR — 동작 원리와 분석 흐름
둘은 대체가 아니라 보완 — XDR이 1차 자동 분석, SIEM이 통합 보존·감사.
🎨 이미지 프롬프트: "Editorial side-by-side console mockup illustration on dark navy background — left half labeled 'Splunk Enterprise Security 7.x · Glass Tables / Threat Topology' showing a dark-theme SOC dashboard with top notable-events count '47 OPEN / 12 HIGH · Risk Score 893', a horizontal 24h time slider, four correlated widgets: 'Notable Events by Domain (donut: Endpoint 18 / Network 14 / Identity 9 / Access 6)', 'Failed Logins spike (line: 14:22 spike to 1,847 attempts)', 'DNS Exfiltration pattern (table with src/dest/bytes: 10.20.1.55 → dns.malicious.ru 4.2MB)', 'MITRE ATT&CK Heatmap (Tactic x Technique grid with red cells highlighting T1059·T1486·T1041·T1566)', sample SPL query bar 'index=security sourcetype=stream:dns | stats sum(bytes) by query', Splunk green chevron logo top-left; right half labeled 'IBM QRadar SIEM 7.5 · Offense Manager' showing the classic blue QRadar console with 'Offenses' list (ID 18472 Magnitude 8 'Botnet C2 communication · src 10.20.1.55 · dst 185.220.101.42 · 142 events', ID 18415 Magnitude 6 'Brute force - SSH · 1,247 failed logons · src 203.0.113.x', ID 18398 Magnitude 9 'Data Exfiltration suspected · T1041 · 4.2 GB out · 야간'), magnitude bar gauges 1-10, a QFlow network widget at bottom with src/dest/bytes columns, AQL query bar 'SELECT sourceip, SUM(sourcebytes) FROM flows ...', IBM 8-bar logo top-left; thin vertical divider; clean editorial UI mockup style, teal #00b894 and purple #6c5ce7 accents, 16:9"
📸 SIEM 콘솔 reference - Splunk Enterprise Security — splunk.com/en_us/products/enterprise-security.html - IBM QRadar SIEM — ibm.com/products/qradar-siem - Microsoft Sentinel — azure.microsoft.com/products/microsoft-sentinel - Elastic SIEM — elastic.co/security/siem - 이글루코퍼레이션 SPiDER TM · 안랩 TMS — 국내 SIEM
🎨 이미지 프롬프트: "Editorial terminal screenshot illustration on dark navy background — three side-by-side terminal windows each with a dark gray title bar, monospace text and faint teal command prompts: left window titled '[root@rhel9 ~]# iptables -L -n -v --line-numbers' showing output 'Chain INPUT (policy DROP 0 packets, 0 bytes)' with columns num/pkts/bytes/target/prot/opt/in/out/source/destination, sample rules '1 1842 142K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0', '2 8421 1.2M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22', '3 142 18K REJECT all -- * * 192.0.2.0/24 0.0.0.0/0 reject-with icmp-port-unreachable', then 'Chain FORWARD' and 'Chain OUTPUT'; middle window titled '[root@ubuntu24 ~]# nft list ruleset' nftables output with 'table inet filter { chain input { type filter hook input priority filter; policy drop; ct state established,related accept; iifname \"lo\" accept; tcp dport 22 accept; icmp type echo-request limit rate 5/second accept; } chain forward { ... } chain output { ... } }'; right window titled '[admin@centos9 ~]$ sudo firewall-cmd --list-all --zone=public' showing 'public (active) target: default · icmp-block-inversion: no · interfaces: eth0 · sources: · services: ssh dhcpv6-client cockpit · ports: 8080/tcp 443/tcp · protocols: · forward: yes · masquerade: no · forward-ports: · source-ports: · icmp-blocks: · rich rules: rule family=\"ipv4\" source address=\"10.20.0.0/16\" accept'; below the three windows a small caption '리눅스 호스트 방화벽 CLI · iptables → nftables → firewalld'; clean editorial terminal style, teal #00b894 accents, 16:9"

ESM vs SIEM — 통합 보안 관제의 두 세대
DRM · DLP · DB보안 · TDE · PKI · FIDO · KMS/HSM
MFA = 2개 이상 요소 결합
🎨 이미지 프롬프트: "Editorial product flat-lay illustration on dark navy background — six physical authentication devices arranged in a row like a museum display: 'YubiKey 5C NFC' (small black USB-C key with golden touch ring, slim card form factor, label 'FIDO2 · WebAuthn · PIV · OTP'), 'YubiKey 5 NFC (USB-A)' (USB-A version with the touch sensor on the gold disc, label 'NFC tap to phone'), 'YubiKey 5 Bio (Fingerprint)' (black key with on-device fingerprint sensor, label 'biometric match-on-key'), 'Google Titan Security Key (USB-C)' (white rounded USB-C with Google G logo, label 'BLE + NFC · made by Feitian'), 'Feitian ePass FIDO2 NFC' (blue compact key with white side button, label 'CTAP2 · L1 Certified'), 'SafeNet eToken 5300' (black slim USB token with Thales logo, label 'PKI 인증서 저장 · 공인인증서 호환'); to the right of the row a biometric reader terminal 'Suprema BioStation 3' (white wall-mounted unit with green LED + fingerprint sensor + camera, label 'Face + Fingerprint · 출입통제'); below each device a tiny label with model name and FIDO2 / FIDO2.1 / Passkey badge plus 'FIDO Alliance L1 Certified' or 'L2 Certified' shield; each device with subtle soft shadow; clean editorial product photography style, teal #00b894 and purple #6c5ce7 background glow, 16:9"
📸 FIDO 보안키·생체인증 reference - YubiKey 5 Series — yubico.com/products/yubikey-5-overview - Google Titan Security Key — store.google.com/product/titan_security_key - Feitian FIDO2 키 — ftsafe.com - 지문/얼굴 단말 — Suprema BioStation · IDEMIA MorphoWave - Apple Passkey / Windows Hello — FIDO2 OS 내장 인증

FIDO · MFA — 비밀번호 없는 인증
🎨 이미지 프롬프트: "Editorial flow diagram on dark navy background — vertical PKI certificate lifecycle showing four entities labeled in Korean: 'CA (Certificate Authority) · Microsoft AD CS / HashiCorp Vault PKI Engine 1.16 / DigiCert ICA' at top with a wax-seal stamp icon, 'RA (Registration Authority) · KISA · 한국정보인증' below with a form-and-clipboard icon, 'Subscriber 사용자 (서버/사람)' on the left with a person+laptop icon, 'Relying Party 검증자 (브라우저/서버)' on the right with a magnifying-glass icon; arrows show the flow with protocol labels: Subscriber→RA 'CSR 신청 (PKCS#10 · openssl req -new -key key.pem -out csr.pem)', RA→CA '신원 검증 (도메인 소유권 / 기업 등기부)', CA→Subscriber '인증서 발급 (X.509 v3 · SAN · Key Usage · 365일)', Subscriber→Relying Party 'TLS Handshake 시 Certificate 제시', Relying Party→CA 'CRL 다운로드 / OCSP Stapling 검증 (RFC 6066)'; a side panel shows '인증서 수명주기: ① 신청 CSR → ② 발급 (NotBefore/NotAfter) → ③ 배포 (PEM/DER/PFX) → ④ 사용 (TLS·코드서명·S/MIME) → ⑤ 갱신 (ACME automation) → ⑥ 폐기 (Revoke → CRL/OCSP)'; bottom note 'X.509 v3 필드: Version / Serial / Issuer DN / Validity / Subject DN / SubjectPublicKeyInfo / Extensions (SAN·Key Usage·EKU·Basic Constraints·CRL DP·AIA)'; clean editorial flow diagram, teal #00b894 and purple #6c5ce7 accents, 16:9 — CRITICAL: All visible text in this image MUST be in English only; replace all Korean labels with English equivalents (transliterate Korean proper nouns). Do NOT include any Korean characters as they will be garbled by the renderer."
🎨 이미지 프롬프트: "Editorial terminal-and-window illustration on dark navy background — left side shows a dark terminal running '$ openssl x509 -in cert.pem -noout -text' with monospace output displaying X.509 v3 Certificate fields: 'Certificate: Data: Version: 3 (0x2) · Serial Number: 04:3c:8b:1f:7a:e2:9d:55:a4:... · Signature Algorithm: sha256WithRSAEncryption · Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global Root G2 · Validity: Not Before: Jan 15 00:00:00 2025 GMT, Not After: Jan 14 23:59:59 2027 GMT · Subject: C=KR, ST=Seoul, O=Example Corp, CN=.example.kr · Subject Public Key Info: RSA 2048 bit · X509v3 extensions: Basic Constraints: critical CA:FALSE · Key Usage: critical Digital Signature, Key Encipherment · Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication · Subject Alternative Name: DNS:example.kr, DNS:.example.kr · CRL Distribution Points: URI:http://crl3.digicert.com/... · Authority Information Access: OCSP URI:http://ocsp.digicert.com'; below it a second prompt '$ openssl s_client -connect example.kr:443 -servername example.kr' showing TLS handshake summary; right side shows the Microsoft 'Active Directory Certificate Services (AD CS) — Certification Authority' MMC console (Windows Server 2022) titled 'certsrv - [Certification Authority (Local)\corp-CA-01]', left tree (Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests, Certificate Templates), right pane lists issued certs with columns Request ID/Requester Name/Binary Certificate/Serial Number/Certificate Effective Date/Certificate Expiration Date/Certificate Template (rows like '1247 · CORP\web01$ · — · 1a2b... · 2025-03-12 · 2027-03-12 · WebServer'); a teal arrow between them labeled 'CLI ↔ AD CS GUI · 동일 X.509 인증서를 두 시각에서'; clean editorial style, teal #00b894 and purple #6c5ce7 accents, 16:9 — CRITICAL: All visible text in this image MUST be in English only; replace all Korean labels with English equivalents (transliterate Korean proper nouns like company/place names). Do NOT include any Korean characters as they will be garbled by the renderer."
📸 PKI·인증서 reference
- X.509 인증서 구조 — RFC 5280 / DigiCert blog
- OpenSSL CLI 매뉴얼 — openssl.org/docs/man3.0 (openssl x509, openssl s_client, openssl req)
- Microsoft Active Directory Certificate Services (AD CS) Console — learn.microsoft.com/windows-server/identity/ad-cs
- 한국 공동인증서·금융인증서 — yessign.or.kr · 금융결제원
- Let's Encrypt / Certbot — letsencrypt.org · certbot.eff.org

PKI — Public Key Infrastructure
왜 세션키를 쓰나: 공개키 암호는 느리고 큰 데이터 부적합. 빠른 대칭키로 본문 암호화 + 작은 세션키만 공개키로 → 속도+보안 동시 달성.
🎨 이미지 프롬프트: "Editorial product-shot illustration on dark navy background — three Hardware Security Modules displayed as a museum lineup: left 'Thales Luna Network HSM 7 (Model A790)' (silver-blue 1U rackmount with front LCD, PED PIN pad port, smart-card reader slot for cloning domain key, slim form factor, caption 'FIPS 140-3 Level 3 · CC EAL4+ · 20,000 RSA-2048 signs/sec'), center 'Entrust nShield Connect XC (High)' (dark gray 1U with the nShield trefoil logo, smart-card slot for Operator Card Set quorum (k-of-n), dual hot-swap PSU LEDs, caption 'FIPS 140-2 Level 3 · CodeSafe · 8,500 ECC P-256 ops/sec'), right 'Utimaco SecurityServer Se Gen2' (black 2U with red Utimaco accent strip, front PIN pad and SmartCard reader, caption 'FIPS 140-2 Level 3 · BSI eIDAS QSCD · German engineering'); each appliance shown front-face with FIPS 140-3 Level 3 tamper-evident holographic seal sticker visible, KCMVP 검증필 sticker on the Korean-deployed unit, and a CC EAL4+ badge; behind them a faint AD CS / HashiCorp Vault PKI Engine integration diagram showing KMIP/PKCS#11 protocols; tiny caption labels below each unit indicating FIPS level and throughput; clean editorial product photography style, teal #00b894 and purple #6c5ce7 background glow, 16:9"
📸 HSM 어플라이언스 reference - Thales Luna Network HSM 7 — cpl.thalesgroup.com/encryption/hardware-security-modules - Entrust nShield Connect XC (구 nCipher) — entrust.com/products/hsm - Utimaco SecurityServer CSe — utimaco.com/products/general-purpose-hsm - AWS CloudHSM — aws.amazon.com/cloudhsm - 국내 — 펜타시큐리티 ISIGN+ HSM · 시큐브 SecuKMS (KCMVP 검증필 암호 모듈)

KMS · HSM — 키 관리의 인프라
CDR · SOAR · SASE · SDP · ZTNA · Zero-Trust · MITRE ATT&CK · TI · LLM 보안
SOAR 도입 = SOC 자동화의 출발점.
🎨 이미지 프롬프트: "Editorial conceptual diagram on dark navy background — center labeled 'SASE Cloud Edge · Gartner SASE Framework (2019~) · Cato Networks · Zscaler ZIA/ZPA · Netskope Intelligent SSE · Cisco Umbrella · Palo Alto Prisma Access' as a glowing teal cloud icon with global PoP map markers (Seoul·Tokyo·Singapore·Frankfurt·Virginia); two inputs from the left: 'SD-WAN (Cisco Viptela · VMware VeloCloud · Fortinet Secure SD-WAN)' (network branches with optimized routing arrows showing dynamic path selection) and from below: 'Security Stack (FWaaS Fortinet · SWG Zscaler · CASB Netskope · ZTNA NIST SP 800-207 · DLP Forcepoint · RBI Remote Browser Isolation)' as stacked icons; outputs to the right go to multiple destinations: 'Users (Remote 재택·모바일)', 'Branches (지사·매장)', 'SaaS Apps (Microsoft 365 · Salesforce · ServiceNow · Google Workspace)', 'Data Center (On-prem)', 'Public Cloud (AWS·Azure·GCP)'; thin teal connecting lines show all paths flow through the SASE cloud edge with inline inspection labels 'TLS Decrypt · Identity-aware · Continuous Verification'; clean editorial conceptual diagram, teal #00b894 and purple #6c5ce7 accents, 16:9, technical illustration"

SASE — Secure Access Service Edge
| 항목 | VPN | ZTNA |
|---|---|---|
| 접근 단위 | 네트워크 | 응용 |
| 신뢰 모델 | 1회 인증 후 신뢰 | 매번 검증 |
| 가시성 | 외부에 IP 노출 | 숨겨짐 |
| 횡 이동 | 가능 | 차단 |
🎨 이미지 프롬프트: "Editorial pentagonal diagram on dark navy background — based on CISA Zero Trust Maturity Model 2.0 / NIST SP 800-207, five glowing nodes arranged in a pentagon, each labeled in Korean with sub-text: 'Identity 정체성 (Okta · Azure AD · FIDO2 YubiKey · MFA)', 'Device 디바이스 (CrowdStrike Falcon Insight · Intune compliance · TPM 2.0 attestation)', 'Network 네트워크 (Microsegmentation · ZTNA Zscaler ZPA · SDP)', 'Application/Workload 응용 (CWPP Prisma Cloud · Service Mesh Istio mTLS · WAF)', 'Data 데이터 (DLP Forcepoint · DRM 마크애니 · 분류 라벨링 · 암호화 at-rest/in-transit)'; in the center the slogan 'Never Trust, Always Verify · NIST SP 800-207' in teal glow with a small circular 'Policy Engine (PE) + Policy Administrator (PA) + Policy Enforcement Point (PEP)' core; thin teal lines connect each node to the center and to adjacent nodes forming a star pattern; each node has a small icon (user with passkey, laptop with chip, network mesh, app cube, data lock); around the pentagon a faint outer ring labeled 'Visibility & Analytics · Automation & Orchestration · Governance'; clean editorial pentagon visualization, teal #00b894 and purple #6c5ce7 accents, 16:9, technical illustration"

Zero-Trust — NIST SP 800-207 5대 축
정책 4계층 · SOP 4종 · 국내·국제 인증 · 한국 법령
이 4종 SOP는 ISMS-P·SOC 2·ISO 27001 핵심 통제 항목.
| 인증 | 영역 | 운영 | 주요 적용 |
|---|---|---|---|
| ISO 27001 | 정보보호 관리체계 (ISMS) | ISO/IEC | 전 산업 표준 |
| ISO 27017 | 클라우드 보안 통제 | ISO/IEC | CSP·SaaS |
| ISO 27018 | 클라우드 개인정보 | ISO/IEC | 글로벌 CSP |
| ISO 22301 | 사업 연속성 (BCMS) | ISO/IEC | DR·BCP 대응 |
| NIST CSF | 사이버보안 프레임워크 | NIST (미국) | 정부·기간시설 |
| PCI-DSS | 결제카드 데이터 보호 | PCI Council | 결제·카드사 |
| HIPAA | 의료정보 보호 | 미국 HHS | 의료 (미국법) |
| SOC 2 | SaaS·서비스 통제 보고 | AICPA | SaaS·아웃소싱 |
| GDPR | EU 개인정보 보호 규정 | EU | EU 시민 대상 |
한국 글로벌 진출: SaaS·B2B는 SOC 2 + ISO 27001, 결제는 PCI-DSS, EU 대상은 GDPR 추가. ISMS-P만으로는 글로벌 부족.
| 인증 | 준비 기간 | 컨설팅비 | 인증 심사비 | 갱신 주기 |
|---|---|---|---|---|
| ISMS-P | 12~18개월 | 3~5천만원 | 5천만~2억원 | 3년 (사후 매년) |
| ISO 27001 | 6~12개월 | 2~4천만원 | 2~5천만원 | 3년 (사후 매년) |
| CC인증 EAL2~4 | 12~24개월 | 1~3억원 | 3~5천만원 | 5년 |
| KCMVP | 6~12개월 | 5천만원~ | 별도 | 5년 |
| SOC 2 Type 2 | 12~18개월 | 1~3억원 | 5천만~1억원 | 매년 |
| PCI-DSS Level 1 | 6~12개월 | 5천만~1억원 | 5천만원 | 매년 |
SOC Tier 1·2·3 · VA · PT · BAS · TA의 12대 결정
🎨 이미지 프롬프트: "Editorial illustration of a modern 24/7 Security Operations Center on dark navy background — three concentric workstation tiers labeled in Korean: 'Tier 1 모니터링 (Alert Triage · MTTA < 15min)' (front row with 6 analysts at standard dashboards showing Splunk Enterprise Security 7.x Notable Events queue and IBM QRadar Offense list), 'Tier 2 분석 (Incident Response · MTTR < 4h)' (middle row with deeper investigation screens showing CrowdStrike Falcon Console process trees and Palo Alto Cortex XDR Causality Chains), 'Tier 3 헌팅·포렌식 (Threat Hunting · Malware RE)' (back row with advanced threat hunting screens showing MITRE ATT&CK Navigator heatmap, Volatility memory forensics output, YARA rule editor, Cortex XSOAR SOAR playbook canvas); large central video wall showing world map with glowing attack indicators (red dots over RU/CN/NK/IR), threat feed scrolls 'LockBit affiliate · BlackCat ransomware · Cl0p MOVEit · APT29 Cozy Bear · Lazarus · Kimsuky', SIEM dashboards with Risk Score gauges, and a Kill Chain 7-stage banner (Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions on Objectives); side wall plaques showing ISO/IEC 27001:2022 certificate and ISMS-P 인증서; ambient blue-purple lighting, cinematic depth, teal #00b894 and purple #6c5ce7 accents, 16:9, technical editorial style"

SOC — Security Operations Center 운영
SOP·연락망·도구 사전 점검 / 정기 모의 훈련
SIEM·EDR·신고 채널 통합 / 초기 분류
영향 범위 격리 / 단기 vs 장기 격리 결정
악성코드 제거·취약점 패치 / 백도어 제거
정상 운영 복귀 / 점진적·검증 후 단계 확대
Blameless Postmortem / RCA · 재발 방지 · 정책 갱신
KISA 신고 의무: 정보통신서비스 제공자 — 침해사고 인지 후 72시간 이내 KISA 신고. 개인정보 유출 — 5일 이내 정보주체·PIPC 통지.
예상 투자: 초기 12억 + 연 운영 5억
TA 인사이트: B2B는 SOC 2 없으면 영업 자체 불가능한 경우 다수.