<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ml-Detection on Tarragon</title><link>https://tarrragon.github.io/blog/tags/ml-detection/</link><description>Recent content in Ml-Detection on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/ml-detection/index.xml" rel="self" type="application/rss+xml"/><item><title>Lacework</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/</guid><description>&lt;p>Lacework is the representative CNAPP (Cloud-Native Application Protection Platform) vendor on the &lt;em>Polygraph ML behavioral baseline&lt;/em> route. It merged with Fortinet in 2024 and the new brand is &lt;em>Fortinet Lacework FortiCNAPP&lt;/em>, but the Lacework name and the independent product line are still operating. Its difference from &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &amp;#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &amp;#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &amp;#43; workload &amp;#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon Cloud Security&lt;/a> lies in &lt;em>detection design philosophy&lt;/em>; coverage is similar. Lacework's core competitive strength is that Polygraph learns a baseline automatically from log + process + network + cloud API call data, anomalies trigger automatically, and the SOC does not have to hand-write detection rules.&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Lacework's core positioning is a &lt;em>Polygraph-driven CNAPP&lt;/em>, with ML learning normal behavior automatically as the basis for detection. The product line covers four capability areas: &lt;em>CSPM&lt;/em> (Cloud Security Posture Management: misconfiguration and compliance scanning), &lt;em>CWPP&lt;/em> (Cloud Workload Protection Platform: host + container runtime protection), &lt;em>Code Security&lt;/em> (IaC scan, container image scan, SAST baseline), and the &lt;em>Polygraph behavioral baseline engine&lt;/em> that runs through the whole platform.&lt;/p>
&lt;p>Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &amp;#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz&lt;/a>, the design philosophy is the opposite: Wiz uses &lt;em>Security Graph + Toxic Combination&lt;/em> (you explicitly define "EC2 + RCE + IMDS v1 + cross-account role" as toxic and the graph finds matching paths), while Lacework uses a &lt;em>Polygraph implicit baseline&lt;/em> (you define nothing; ML learns normal from 30 days of history and alerts on deviation). Both are graphs, but one is a rule-driven graph and the other a behavior-learned graph. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &amp;#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud&lt;/a>, Prisma is &lt;em>multi-module agent + agentless wide coverage&lt;/em>, whereas Lacework bets on Polygraph as a single core engine and does not compete by stacking module breadth. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &amp;#43; workload &amp;#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon CS&lt;/a>, Falcon CS is &lt;em>endpoint EDR extended to cloud&lt;/em>; Lacework was designed cloud-native from day one, with no endpoint EDR baggage.&lt;/p></description><content:encoded><![CDATA[<p>Lacework is the representative CNAPP (Cloud-Native Application Protection Platform) vendor on the <em>Polygraph ML behavioral baseline</em> route. It merged with Fortinet in 2024 and the new brand is <em>Fortinet Lacework FortiCNAPP</em>, but the Lacework name and the independent product line are still operating. Its difference from <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a> / <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a> / <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon Cloud Security</a> lies in <em>detection design philosophy</em>; coverage is similar. Lacework's core competitive strength is that Polygraph learns a baseline automatically from log + process + network + cloud API call data, anomalies trigger automatically, and the SOC does not have to hand-write detection rules.</p>
<h2 id="服務定位">Service positioning</h2>
<p>Lacework's core positioning is a <em>Polygraph-driven CNAPP</em>, with ML learning normal behavior automatically as the basis for detection. The product line covers four capability areas: <em>CSPM</em> (Cloud Security Posture Management: misconfiguration and compliance scanning), <em>CWPP</em> (Cloud Workload Protection Platform: host + container runtime protection), <em>Code Security</em> (IaC scan, container image scan, SAST baseline), and the <em>Polygraph behavioral baseline engine</em> that runs through the whole platform.</p>
<p>Compared with <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a>, the design philosophy is the opposite: Wiz uses <em>Security Graph + Toxic Combination</em> (you explicitly define "EC2 + RCE + IMDS v1 + cross-account role" as toxic and the graph finds matching paths), while Lacework uses a <em>Polygraph implicit baseline</em> (you define nothing; ML learns normal from 30 days of history and alerts on deviation). Both are graphs, but one is a rule-driven graph and the other a behavior-learned graph. Compared with <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a>, Prisma is <em>multi-module agent + agentless wide coverage</em>, whereas Lacework bets on Polygraph as a single core engine and does not compete by stacking module breadth. Compared with <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon CS</a>, Falcon CS is <em>endpoint EDR extended to cloud</em>; Lacework was designed cloud-native from day one, with no endpoint EDR baggage.</p>
<p>The key tension: <em>implicit behavioral baseline</em> versus <em>explicit auditable rule</em> is the biggest trade-off Lacework customers face. Polygraph learns behavior internally with ML; the benefit is zero rule maintenance and automatic coverage of unknown attack patterns. The cost is that the internal logic is opaque, false positives and false negatives are both hard to debug, and strong-compliance scenarios that require explicit, auditable rules get stuck.</p>
<h2 id="本章目標">Goals of this chapter</h2>
<p>After reading this page, the reader should be able to judge:</p>
<ol>
<li>Which segment of the cloud security stack Lacework covers (CSPM / CWPP / Code Security / behavioral detection) and what has to be connected externally (a SIEM such as <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> to receive alerts, <a href="/blog/backend/08-incident-response/" data-link-title="模組八：事故處理與復盤" data-link-desc="用 IR 領域詞彙建問題節點、以服務級案例庫累積事故脈絡，先建概念與案例庫再進實作交接">8 Incident Response</a> for IR routing)</li>
<li>The ownership design of the Polygraph ML baseline (who tunes the anomaly threshold, who adjudicates false positives, who owns the ML model retraining cadence)</li>
<li>When the <em>implicit baseline</em> vs <em>explicit rule</em> trade-off favors Lacework, and when an explicit rule layer from Wiz / Prisma has to be added</li>
<li>When to use Lacework, and when to go with Wiz / Prisma Cloud / Falcon CS</li>
</ol>
<h2 id="最短判讀路徑">Shortest assessment path</h2>
<p>To judge whether a Lacework deployment is healthy, check at least four things:</p>
<ul>
<li><strong>Polygraph baseline coverage</strong>: which cloud accounts / workloads / containers are enrolled in Polygraph learning, how long the baseline window is (default 30 days), how many days a new workload needs before its baseline counts as mature, and whether uncovered workloads fall back to rules</li>
<li><strong>Anomaly tuning ownership</strong>: who reviews Polygraph alerts, who labels false positives, how labels are fed back to the model, and whether there is an <em>alert backlog grooming</em> lifecycle (not black-box fire-and-forget)</li>
<li><strong>CSPM and compliance mapping</strong>: which CIS / PCI / SOC 2 / HIPAA frameworks are enabled, whether misconfiguration findings go through a ticket workflow (who fixes them, by what deadline), and how often compliance reports are exported to the audit team</li>
<li><strong>SIEM / SOAR handoff</strong>: whether Polygraph alerts are synced into <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> for the SOC, whether they hook into the <a href="/blog/backend/08-incident-response/" data-link-title="模組八：事故處理與復盤" data-link-desc="用 IR 領域詞彙建問題節點、以服務級案例庫累積事故脈絡，先建概念與案例庫再進實作交接">8 incident response</a> playbook, and whether high severity triggers SOAR</li>
</ul>
<p>If any of the four is missing, it is an open item for <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a>.</p>
<h2 id="日常操作與決策形狀">Day-to-day operations and decision shape</h2>
<p><strong>Polygraph behavioral baseline</strong>: Lacework's first-class concept. It learns simultaneously from four sources, cloud API calls (CloudTrail / Audit Log) + host process tree + container syscalls + network connections, and uses a time-series graph to express "under normal conditions, user X on workload Y spawns process Z and connects to destination W". An anomaly is an edge on the graph that is not in the baseline, and it triggers an alert automatically. The baseline window defaults to 30 days; a newly added workload is bridged with the baseline of similar workloads, avoiding a cold start in which everything alerts.</p>
<p><strong>CSPM (misconfiguration + compliance)</strong>: agentless. Resource configuration is pulled from the cloud API, rules are run against frameworks such as CIS Benchmark / PCI / SOC 2 / HIPAA / CSA CCM, and findings are produced. This part is <em>explicit rule</em>, does not rely on Polygraph, and is on par with the CSPM capability of Wiz / Prisma. Compliance reports can be scheduled for export to the audit team.</p>
<p><strong>CWPP (host + container runtime)</strong>: two modes. <em>Agentless</em> (scans vulnerabilities + misconfigurations from the cloud API + snapshots; low overhead but no runtime signal) and <em>agent-based</em> (Lacework agent on the host / DaemonSet on K8s; feeds process tree + syscalls + file integrity monitoring to Polygraph). Production runtime detection requires the agent; otherwise Polygraph has no process / syscall data source.</p>
<p><strong>Code Security (IaC + container image)</strong>: scans Terraform / CloudFormation / Helm charts for misconfigurations and container images for CVEs + secrets + SBOM, at the same level as <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>. Integrates with GitHub / GitLab PR checks and blocks high-risk IaC before the release gate.</p>
<p><strong>Compliance reporting</strong>: CSPM findings are mapped automatically to frameworks (CIS AWS / PCI DSS / SOC 2, etc.) and exported periodically as PDF / CSV to the audit team, with no manual collation by the SOC. The aggregate view across cloud accounts is useful for multi-account governance.</p>
<p><strong>SIEM integration</strong>: Polygraph alerts go via webhook / S3 export / Splunk Add-on into <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a> for cross-source correlation. Lacework does not replace the SIEM; it is the <em>upstream signal source</em> for cloud-native detection.</p>
<p><strong>Pricing model</strong>: by workload count (vCPUs / containers / cloud accounts) + enabled modules. Mainly enterprise contracts; list prices are not published. Same model as Wiz / Prisma; budget-sensitive scenarios need a trial calculation.</p>
<h2 id="核心取捨表">Core trade-off table</h2>
<table>
  <thead>
      <tr>
          <th>Trade-off dimension</th>
          <th>Lacework</th>
          <th>Wiz</th>
          <th>Prisma Cloud</th>
          <th>CrowdStrike Falcon CS</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Detection design philosophy</td>
          <td>Polygraph ML implicit baseline</td>
          <td>Security Graph + explicit Toxic Combination</td>
          <td>Multi-module rule + ML hybrid</td>
          <td>EDR extended to cloud, process-centric</td>
      </tr>
      <tr>
          <td>Main pitch</td>
          <td>zero rule maintenance, automatic coverage of unknown attacks</td>
          <td>explicit rules are auditable, cross-asset correlation paths are clear</td>
          <td>wide coverage, agent + agentless hybrid</td>
          <td>endpoint + cloud in one console, consistent process tree</td>
      </tr>
      <tr>
          <td>Runtime detection</td>
          <td>agent (Polygraph syscall + process tree)</td>
          <td>agent (Runtime Sensor, added later)</td>
          <td>agent (Defender)</td>
          <td>strong: reuses the Falcon EDR agent</td>
      </tr>
      <tr>
          <td>Agentless scan</td>
          <td>strong: CSPM + vulnerability snapshot</td>
          <td>strong: agentless is the design starting point</td>
          <td>strong: both modes weighted equally</td>
          <td>medium: fills in around the Falcon agent</td>
      </tr>
      <tr>
          <td>Compliance auditability</td>
          <td>medium: Polygraph is a black box, the CSPM part is clear</td>
          <td>strong: explicit rules, rule logic can be reviewed</td>
          <td>strong: rule-based, clearly modular</td>
          <td>medium</td>
      </tr>
      <tr>
          <td>SIEM integration</td>
          <td>webhook / Splunk Add-on / S3</td>
          <td>webhook / connectors for multiple SIEMs</td>
          <td>connectors for multiple SIEMs</td>
          <td>mainly Falcon's own NG-SIEM, external integration secondary</td>
      </tr>
      <tr>
          <td>Suitable scenarios</td>
          <td>cloud-native + trusts ML, does not want to write its own detection rules</td>
          <td>multi-cloud + needs explicit rule governance and cross-asset attack paths</td>
          <td>Palo Alto-heavy environment, wide coverage first</td>
          <td>CrowdStrike-heavy environment, endpoint + cloud unified</td>
      </tr>
      <tr>
          <td>Unsuitable scenarios</td>
          <td>strong compliance needing explicit auditable rules, SOC needing rule customization</td>
          <td>does not want to write rules, wants ML automatic coverage</td>
          <td>budget-sensitive (multi-module billing balloons easily)</td>
          <td>not using Falcon EDR, purely cloud-native</td>
      </tr>
      <tr>
          <td>Fortinet integration</td>
          <td>strong (2024+ FortiCNAPP, integrated with NGFW / FortiSOAR)</td>
          <td>no direct Fortinet integration</td>
          <td>no direct Fortinet integration</td>
          <td>no direct Fortinet integration</td>
      </tr>
  </tbody>
</table>
<p>The core case for choosing Lacework: <em>cloud-native + trusts the ML behavioral baseline + does not want to maintain a detection engineering team writing rules</em> + willing to accept that Polygraph is a relative black box and that false positives are resolved by ML retraining rather than rule edits. For strong compliance that requires explicit auditable rules, or a SOC that needs deep rule customization, Wiz / Prisma are the better fit.</p>
<h2 id="進階主題">Advanced topics</h2>
<p><strong>Polygraph internals</strong>: Polygraph is not a single ML model; it is a time-series behavioral graph combined with several detection algorithms. Nodes are entities (user / workload / process / network endpoint), edges are observed interactions, and each edge carries a frequency + temporal pattern. Anomaly detection uses unsupervised learning (clustering + outlier detection) to find edges outside the baseline. The advantage is that <em>zero-day attack patterns may be detected without being defined in advance</em> (behavioral deviation is enough); the drawback is that why a detection did or did not trigger is hard to explain, and tuning is not rule editing but adjusting the baseline window or labeling false positives to feed back into the model.</p>
<p><strong>Fortinet FortiCNAPP integration (2024+)</strong>: after the Fortinet acquisition, integration accelerated with <em>Fortinet NGFW</em> (network logs feed Polygraph as a source), <em>FortiSOAR</em> (Lacework alerts automatically trigger firewall block / endpoint isolation playbooks), and <em>FortiSandbox</em> (suspicious files go to the sandbox and the result feeds back into the baseline). Fortinet-heavy environments reap the integration dividend; in non-Fortinet environments Polygraph and the original connectors still operate independently.</p>
<p><strong>Anomaly tuning lifecycle</strong>: a Polygraph alert is not the end point; it has to go through the <em>triage → label false positive → ML model retraining</em> lifecycle. In practice the SOC reviews the alert and labels it <em>true positive / false positive / benign anomaly</em> (legitimate but unexpected), the Lacework backend retrains the model with the labels, and the next baseline cycle adjusts. The organization has to decide <em>who is responsible for labeling</em> (SOC analyst / detection engineer), the <em>backlog grooming cadence</em> (weekly / monthly), and the <em>retraining cycle</em> (automatic / manually triggered). Without the lifecycle it becomes "watch the alerts for a while, then leave them", and Polygraph degrades into a noise source.</p>
<p><strong>Cross-SIEM webhook / SOAR integration</strong>: once alerts are pushed into <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a>, the SOC can use SIEM correlation to add cross-source context (for example Polygraph anomaly + Okta MFA failures + GitHub clone spike), then hand off to a SOAR playbook that automatically rotates in <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> / blocks in <a href="/blog/backend/07-security-data-protection/vendors/cloudflare-waf/" data-link-title="Cloudflare WAF" data-link-desc="Edge WAF &#43; DDoS &#43; Bot management 整合套件、global anycast 網路、控制面信任邊界跟客戶側補強的對照">Cloudflare WAF</a>. Lacework is the <em>detective layer</em>; the SIEM is the <em>correlation + orchestration layer</em>.</p>
<h2 id="排錯與失敗快速判讀">Troubleshooting and quick failure diagnosis</h2>
<ul>
<li><strong>A new workload produces a flood of alerts (cold start)</strong>: the baseline is not built yet and ML treats normal as abnormal. Bridge with the baseline of similar workloads and allow a 7-14 day warm-up before enforcing alerts</li>
<li><strong>Cannot tell why a Polygraph alert triggered</strong>: the black-box nature of ML; unlike an explicit rule there is no line to point at. Look at the <em>involved entities + observed deviation</em> the alert carries, compare against the baseline across entities, and where necessary add Wiz / Prisma explicit rules in strong-compliance scenarios</li>
<li><strong>False positives stay high but the model does not improve</strong>: the label lifecycle is not running; analysts dismiss alerts without labeling them. Enforce <em>true positive / false positive / benign anomaly</em> triage; alerts must not be closed directly</li>
<li><strong>Workloads where the agent is not or cannot be installed</strong>: legacy hosts / serverless / edge nodes have no agent, so Polygraph has only the cloud API source and no process / syscalls. Accept the agentless-only coverage; do not assume Polygraph sees the full stack</li>
<li><strong>CSPM finding backlog explodes</strong>: every framework was enabled at once, leaving thousands of misconfigurations nobody fixes. Enable frameworks in batches, prioritize by severity + asset criticality, and use a ticket workflow + deadlines</li>
<li><strong>Compliance audit requires reviewable explicit rules</strong>: Polygraph's internal logic cannot be handed to an auditor. The CSPM part can be audited (it is explicit rules); for the Polygraph part, add detection engineering documentation + label history to prove the ML is governed</li>
<li><strong>No correlation after alerts reach the SIEM</strong>: Lacework alerts are not joined across sources with IdP / WAF / cloud control plane logs in <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a>. Write correlation rules that treat a Polygraph anomaly as <em>one signal</em>, not the final verdict</li>
</ul>
<h2 id="何時改走其他服務">When to switch to other services</h2>
<table>
  <thead>
      <tr>
          <th>Requirement shape</th>
          <th>Switch to</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Explicit rules + multi-cloud cross-asset paths</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a></td>
      </tr>
      <tr>
          <td>Wide coverage + Palo Alto-heavy</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a></td>
      </tr>
      <tr>
          <td>Endpoint EDR + cloud unified</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon Cloud Security</a></td>
      </tr>
      <tr>
          <td>SIEM-led, CNAPP signals into the SOC</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a></td>
      </tr>
      <tr>
          <td>Container image / IaC scan as the primary need</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a></td>
      </tr>
      <tr>
          <td>Data classification / DLP</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/google-dlp/" data-link-title="Google DLP" data-link-desc="GCP 原生 Sensitive Data Protection：infoType discovery &#43; transformation (mask / FPE / tokenize / k-anonymity)、整合 BigQuery / GCS / Cloud SQL">Google DLP</a> / <a href="/blog/backend/07-security-data-protection/vendors/microsoft-purview/" data-link-title="Microsoft Purview" data-link-desc="Microsoft 跨 M365 / Azure / endpoint 的 data governance &#43; information protection &#43; DLP &#43; insider risk 統合平台、label-driven">Microsoft Purview</a></td>
      </tr>
      <tr>
          <td>Incident routing</td>
          <td><a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response vendor list</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">Topics not on this page</h2>
<ul>
<li>Academic details of the Polygraph ML algorithms (the specific unsupervised clustering / graph anomaly detection methods)</li>
<li>Deep-integration configuration between FortiCNAPP and other Fortinet products (FortiGate / FortiAnalyzer / FortiSIEM)</li>
<li>Report-by-report readings of Lacework Labs threat research</li>
<li>The complete rule lists mapped to the CIS / PCI / SOC 2 frameworks</li>
<li>OS-level details of container runtime protection (cgroup / namespace / seccomp)</li>
</ul>
<h2 id="案例回寫">Case write-back</h2>
<p>Lacework has no direct vendor-level incident in the 07 case library, but several cases serve as contrasting lessons for the Polygraph behavioral baseline:</p>
<table>
  <thead>
      <tr>
          <th>Case</th>
          <th>Relationship to Lacework (contrasting lesson)</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>During SolarWinds, Polygraph could have detected the Orion process's DNS callback behavior deviating from baseline without relying on an IoC list; the zero-day case that Lacework marketing pushes hardest</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/3cx-2023-desktopapp-supply-chain/" data-link-title="7.R7.2.8 3CX 2023：桌面軟體更新鏈攻擊" data-link-desc="合法更新流程被植入後，桌面端供應鏈事件如何傳到企業端點">3CX 2023 Desktop App Supply Chain</a></td>
          <td>Anomalous desktop app process spawns + unusual outbound connections are a pattern a Polygraph baseline can catch, filling the runtime detection window after signature verification has passed</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>Polygraph detects the anomalous outbound LDAP connection that follows the JNDI lookup, filling the detection window before CVE scanner agent rollout and not depending on prior CVE disclosure</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/data-exfiltration/snowflake-2024-credential-abuse/" data-link-title="7.R7.4.2 Snowflake 2024：憑證濫用與資料竊取" data-link-desc="外洩憑證與 MFA 缺口如何在資料平台形成高風險外送事件">Snowflake 2024 Credential Abuse</a></td>
          <td>Contrasting lesson: Polygraph can detect anomalous cloud API call patterns (large volumes of GetObject in a short time / cross-schema queries) on a baseline basis, without writing query rules in advance</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle (section)</a></td>
          <td>Polygraph changes the detection lifecycle from "write rule → tune → review" to "baseline → label false positive → retrain"; the process differs but the governance responsibility does not disappear</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/alert-fatigue-and-signal-quality/" data-link-title="7.B10 Alert Fatigue and Signal Quality" data-link-desc="建立告警疲勞治理方法，讓訊號品質、分級一致性與處置效率同步提升">Alert Fatigue and Signal Quality (section)</a></td>
          <td>Polygraph's automatic baseline does not mean freedom from alert fatigue; without a label lifecycle and retraining cadence, false positives flood the SOC all the same</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">Next-step routing</h2>
<ul>
<li>Upstream: <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a></li>
<li>Parallel: <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a>, <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a>, <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon Cloud Security</a></li>
<li>Downstream: <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a> (SIEM receiving Polygraph alerts)</li>
<li>Cross-category: <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a> / <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> (Code Security overlap, CI-stage priority), <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> (SOAR playbook calls the API to rotate)</li>
<li>Cross-module: <a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response vendor list</a> (Polygraph alert → IR routing), <a href="/blog/backend/04-observability/" data-link-title="模組四：可觀測性平台" data-link-desc="整理 log、metric、trace、dashboard 與 alert 的後端操作實務">4 Observability</a> (shared log pipeline)</li>
<li>Official: <a href="https://docs.lacework.net/">Lacework Documentation</a> / <a href="https://www.fortinet.com/products/forticnapp">Fortinet Lacework FortiCNAPP</a></li>
</ul>
]]></content:encoded></item></channel></rss>