Key technology construction and future evolution direction of security operations automation based on SOAR
Information Technology and Network Security (信息技术与网络安全)
Zhao Yuezheng, Ye Jianwei, Yun Shan, Guo Lanjie
(NSFOCUS Technologies Group Co., Ltd., Beijing 100089, China)
Abstract: Addressing existing security visual orchestration and automated response technology, this paper proposes bringing security capabilities such as complex APT threat scenarios, vulnerabilities, automated response verification and critical infrastructure compliance management into the visual orchestration and response of existing SOAR (Security Orchestration Automation Response). This greatly enriches and completes the conceptual scenarios of security orchestration and automated response that Gartner defined for SOAR, and substantially raises the effectiveness and maturity of security operations. Through the DevSecOps open architecture and the OpenC2 open control interface, the approach adaptively supports data ingestion from, and security response control of, different devices, building a security operations ecosystem centred on SOAR. On this basis, a future evolution direction for security operations automation is proposed: a unified-space collaborative operations system in which multiple people jointly define and improve the security analysis and response models, rapidly completing the information cycle and information reuse of "security policy, protection, detection and response".
CLC number: TP309
Document code: A
DOI: 10.19358/j.issn.2096-5133.2021.03.004
Citation format: Zhao Yuezheng, Ye Jianwei, Yun Shan, et al. Key technology construction and future evolution direction of security operation automation based on SOAR [J]. Information Technology and Network Security, 2021, 40(3): 19-27.
Key technology construction and future evolution direction of security operation automation based on SOAR
Zhao Yuezheng,Ye Jianwei,Yun Shan,Guo Lanjie
(NSFOCUS Technologies Group Co.,Ltd.,Beijing 100089,China)
Abstract: Addressing the existing security visual orchestration and automated response technology, this paper proposes integrating complex security capabilities such as APT threat scenarios, vulnerabilities, automated response verification and critical infrastructure compliance management into the visual orchestration and automated response of the existing SOAR (Security Orchestration Automation Response). This complements and greatly enriches the conceptual scenarios of SOAR proposed by Gartner and significantly improves the effectiveness and maturity of security operations. Through the DevSecOps open architecture and the OpenC2 open management and control interface, it can adaptively support data access and security response control of different devices, and build a security operations ecosystem around SOAR. On this basis, the future evolution direction of security operations automation is proposed: to build a unified space cooperative combat system with multi-person collaboration, and to quickly complete the information cycle and information reuse of "Policy, Protection, Detection and Response" by defining and improving the security analysis and response model through multi-person collaboration.
Key words: security operation automation; SOAR; DevSecOps open architecture; OpenC2 interface; secure operation ecosystem; unified space cooperative combat system
0 Introduction
The core capability of security operations lies in organically combining people, data, technology-based tools and processes, which together form the basic elements of security operations: with data as the foundation and security analysis as the means, effective threats are discovered; with response as the closed-loop measure, security risks are contained or reduced, thereby achieving the shift from passive security to active security. SOAR, as the security orchestration and automated response solution introduced in recent years [1-2], fully integrates data, human security skills, tools and processes to achieve fast and efficient security operations. With the gradual advancement and deployment of SOAR solutions, security operations automation has begun to take shape and plays an increasingly important role in security operations.
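The abstract names OpenC2 as the open control interface through which a SOAR platform drives response actions on heterogeneous devices, and the introduction describes response as the closed-loop step of security operations. The following is an added illustration, not code from the paper or from NSFOCUS: a minimal SOAR dispatcher that builds OpenC2-shaped commands and routes them by actuator profile to per-device adapters, with an in-memory firewall standing in for a device implementing the OpenC2 SLPF (Stateless Packet Filtering) profile. The command and response field names follow the OpenC2 Language Specification v1.0; the dispatcher, adapter and function names are hypothetical.

```python
# Minimal OpenC2-style command/response exchange inside a hypothetical SOAR
# dispatcher (illustration only; the "slpf" profile name is from OpenC2).
OPENC2_ACTIONS = {"query", "deny", "allow", "contain", "restart"}  # subset

def make_command(action, target, actuator=None):
    """Build an OpenC2 command; target is a single {target_type: specifier} pair."""
    if action not in OPENC2_ACTIONS:
        raise ValueError(f"unsupported OpenC2 action: {action}")
    if len(target) != 1:
        raise ValueError("OpenC2 target must name exactly one target type")
    cmd = {"action": action, "target": target}
    if actuator:
        cmd["actuator"] = actuator
    return cmd

def make_response(status, status_text, results=None):
    """Build an OpenC2 response; status uses HTTP-style codes (200, 400, 404, 501)."""
    resp = {"status": status, "status_text": status_text}
    if results is not None:
        resp["results"] = results
    return resp

class SoarDispatcher:
    """Routes commands to device adapters keyed by OpenC2 actuator profile."""
    def __init__(self):
        self.adapters = {}
    def register(self, profile, handler):
        self.adapters[profile] = handler
    def dispatch(self, cmd):
        # The actuator field is a one-key map {profile: specifiers}; absent -> None.
        profile = next(iter(cmd.get("actuator", {})), None)
        handler = self.adapters.get(profile)
        if handler is None:
            return make_response(404, f"no adapter registered for profile {profile!r}")
        return handler(cmd)

FIREWALL_RULES = []  # constructed in-memory stand-in for an SLPF-capable firewall

def slpf_adapter(cmd):
    """Adapter for the slpf profile: deny/allow traffic to or from an ipv4_net."""
    if cmd["action"] not in ("deny", "allow"):
        return make_response(501, "slpf adapter implements only deny/allow")
    net = cmd["target"].get("ipv4_net")
    if net is None:
        return make_response(400, "slpf requires an ipv4_net target")
    FIREWALL_RULES.append((cmd["action"], net))
    return make_response(200, "OK", {"slpf": {"rule_number": len(FIREWALL_RULES)}})

def block_indicator(dispatcher, ipv4_net):
    """One playbook step: ask the firewall to deny a confirmed malicious network."""
    cmd = make_command("deny", {"ipv4_net": ipv4_net}, actuator={"slpf": {}})
    return dispatcher.dispatch(cmd)
```

Adding another device is a matter of registering a further profile-specific adapter; the playbook step itself stays unchanged, which is the decoupling the open control interface is meant to provide.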
Download the full text of this paper at: http://www.chinaaet.com/resource/share/2000003422