用devops学习

Achieving a technology-enabled business nirvana is a goal of a cloud adoption (cloud migration, digital transformation, digital modernization, IT modernization, whatever buzz phrase you like). This is an end state where an organization has achieved some aspirational business agility where any competitor can be challenged and adapt to the marketplace in near-real-time — securely! Dear reader, close your eyes and imagine such a moment in time. Imagine that global webscale infrastructure of thousands of microservices. Imagine thousands of transactions per second in all time zones. Now imagine your current organization keeping the lights on at web-scale. It is okay if you need to open your eyes to escape the horror.

实现基于技术的业务必杀技是采用云的目标(云迁移，数字化转型，数字现代化，IT现代化，任何您喜欢的时髦短语)。 这是最终状态，在此状态下，组织已实现了一些雄心勃勃的业务敏捷性，在此状态下，任何竞争对手都可以安全地挑战并几乎实时地适应市场！ 亲爱的读者，闭上你的眼睛，想象一下这样的时刻。 想象一下，成千上万个微服务的全球Webscale基础架构。 想象一下在所有时区每秒都有数千笔交易。 现在想象一下您当前的组织如何保持网络规模的正常运转。 如果您需要睁开眼睛躲避恐怖，那就可以了。

Adjusting the organization to operate at web-scale securely is a multi-dimensional task. There are so many different concerns spanning people, process, and technology; where does anyone even begin? To anchor this story in some real-world context, I will describe some initial technology conditions of the enterprise wanting to become webscale.

调整组织以在Web规模上安全地运行是一项多维任务。 涉及人员，流程和技术的问题太多了。 有人从哪里开始？ 为了在真实世界中了解这个故事，我将描述想要成为Webscale的企业的一些初始技术条件。

• The customer base is external and not internal corporate users.
  客户群是外部用户，而不是内部公司用户。
• The organization has a few customer-facing products (the software applications) that are composed of various technologies.
  该组织有一些由各种技术组成的面向客户的产品(软件应用程序)。
• Some products are simple and some resemble the complexity of supply chain or customer relationship management solutions.
  有些产品很简单，有些类似于供应链或客户关系管理解决方案的复杂性。
• Some applications are composed of imperfect microservices and others are monoliths/microlith cash machines.
  一些应用程序由不完善的微服务组成，而其他应用程序则是整体/微机取款机。
• There are some applications running in Kubernetes and the organization has generally started to adopt cloud-native concepts.
  Kubernetes中运行着一些应用程序，并且该组织通常已经开始采用云原生概念。
• The customer-facing portfolio is not 100% in the cloud — the payment gateways are still on-premise (as an example).
  面向客户的投资组合并不是100％在云中-付款网关仍处于内部部署(例如)。
• The organization is on the cusp of expanding beyond using just two cloud regions.
  该组织正处于仅使用两个云区域进行扩展的风口浪尖。
• There are active product roadmaps and active infrastructure roadmaps.
  有活跃的产品路线图和活跃的基础结构路线图。

That is the reference enterprise throughout this article.

那是本文全文中的参考企业。

Regarding the people dimension, This article will also address a couple of questions your CISO will need answers for:

关于人员方面，本文还将解决您的CISO需要针对以下几个问题的答案：

• Can my SOC (Security Operations Center) proactively see when a customer-facing app is compromised?
  我的SOC(安全运营中心)可以主动查看面向客户的应用程序何时受到威胁吗？
• Can my application operators resolve issues that span multiple clouds?
  我的应用程序操作员可以解决跨越多个云的问题吗？
• Can I leverage DevOps to deliver webscale security capabilities?
  我可以利用DevOps提供Webscale安全功能吗？

The primary focus of this article will be the exploration of “SOAR” as a means to answer those questions for our representative enterprise.

本文的主要重点是探索“ SOAR”，以此作为我们代表企业回答这些问题的一种手段。

What is SOAR? SOAR stands for Security Orchestration Automation and Response. Conceptually, it is an approach to deliver a robust security capability by aligning tools and processes in such a manner that an enterprise can successfully respond to security incidents quickly. Each security vendor has its own story for SOAR and definition. Curiously, each vendor’s SOAR story aligns with the products and services it offers — hmm, never would have thought that (wink). For the purposes of this article, SOAR represents one of the rare occurrences where the acronym describes what needs to be achieved. An organization attempting to SOAR is pursuing a level of Automated Security capabilities coupled with an intelligent(maybe AI-assisted) Response capability that can all be Orchestrated. A vendor may frame the discussion around threat detection — this refers to a response capability. Another vendor may frame a SOAR conversation around vulnerability management — this is about automating the management.

什么是SOAR？ SOAR看台对于s ecurityörchestration甲utomation和React的影响。 从概念上讲，这是一种通过以使企业可以快速成功地对安全事件做出响应的方式调整工具和流程来提供强大的安全功能的方法。 每个安全厂商都有自己的SOAR和定义故事。 奇怪的是，每个供应商的SOAR故事都与其所提供的产品和服务保持一致-嗯，从来没有想过(眨眼)。 出于本文的目的，SOAR代表一种罕见的情况，其中的首字母缩写词描述了需要实现的目标。 试图SOAR追求A的水平的组织utomated加上一个智能(AI也许辅助)React的影响能力，可以全部为O rchestrated小号ecurity能力。 供应商可以围绕威胁检测展开讨论，这是指响应能力。 另一个供应商可能围绕漏洞管理进行SOAR对话-这是关于自动化管理。

This article is organized as follows:

这篇文章的结构安排如下：

1. Response: The organization needs response capability. What does this mean in the SOAR context?

   响应：组织需要响应能力。 在SOAR上下文中这意味着什么？

2. Orchestration and Automation: These terms are often conflated. An attempt is made to differentiate and define these terms.

   编排和自动化：这些术语经常被混淆。 试图区分和定义这些术语。

3. DevOps: Is there a relationship between SOAR and DevOps? How does a software development organization leverage or participate in SOAR related activities?

   DevOps ：SOAR和DevOps之间有关系吗？ 软件开发组织如何利用或参与SOAR相关活动？

4. Parting Thoughts: What are the next steps a CISO should take?

   离别的想法：CISO应该采取哪些下一步措施？

响应 (Response)

The last letter in SOAR is probably the most important letter in the acronym. Keeping the lights on is all about how an organization responds to events that can turn the lights out. Traditionally, organizations already have various incidence response plans. There is even an ISO specification for incident management. Therefore, the concepts required to deal with all types of incidences (security or otherwise) are broadly known.

SOAR中的最后一个字母可能是首字母缩写词中最重要的字母。 保持常亮与组织如何响应可能会熄灭的事件有关。 传统上，组织已经制定了各种事件响应计划。 甚至还有一个用于事件管理的ISO规范。 因此，处理所有类型的事件(安全性或其他方面)所需的概念已广为人知。

An effective response capability depends on good sensing capabilities — AKA observability; you can’t manage what you can’t measure. This is the first place where the SecOps teams and Ops teams in the composite SRE team should align. The orchestration and automation will not matter if the sensing to support response is disjointed, disparate, and incomplete. Therefore, those teams should also use the same monitoring, logging, and tracing tools. I cannot stress enough how important the unification of visibility is for a technology organization operating at webscale. Unified visibility leads to a unified canonical language across the organization. Other industries have decades of research and targeted analysis regarding the impact of language and error prevention[1]. If the mix skill SRE team was assembled correctly (no small feat and topic for another time), that team will coalesce on common language eventually. However, coalescence should be facilitated by deploying common visibility solutions. This does not mean that there shouldn’t be specialized dashboards or a subset of tools only used by specific teams.

有效的响应能力取决于良好的感知能力-AKA可观察性； 您无法管理您无法衡量的事情。 这是复合SRE团队中的SecOps团队和Ops团队应排在第一位。 如果支持响应的感知是脱节的，分散的和不完整的，那么编排和自动化将无关紧要。 因此，这些团队还应该使用相同的监视，日志记录和跟踪工具。 我无法强调可见性的统一对于在Webscale上运作的技术组织有多么重要。 统一的可见性导致整个组织内使用统一的规范语言。 其他行业对语言和错误预防的影响进行了数十年的研究和针对性分析[1]。 如果混合技巧SRE团队组装正确(再也没有小专长和话题)，那么该团队最终将在通用语言上结盟。 但是，应通过部署通用的可见性解决方案来促进合并。 这并不意味着不应有专门的仪表板或仅由特定团队使用的工具子集。

For example, you cannot have a security operations conversation without mentioning SIEM. SIEM stands for Security Information and Event Management. SIEM solutions are what security professionals use as their observability solution. SIEM products in the marketplace also provide some SecOps capabilities. Thusly, it makes sense that security professionals reading this story would assume that focusing on a SIEM solution solves the response component of SOAR. However, consider that the business value creators are software engineers working on products that make money (unless you are a security consultancy). SIEM products are built and sold to security people and not to software engineers. Therefore, your webscale observability solution should be composed of tools your webscale builders and operators are using — making a handful of security people happy while upsetting a factor of ten (or even 100) more software engineers is an emotionally and organizational incompetent thing to do. The types of observability tools one should focus using are often called APMs.

例如，不提及SIEM就无法进行安全操作对话。 SIEM代表安全信息和事件管理。 SIEM解决方案是安全专业人员用作其可观察性解决方案的工具。 市场上的SIEM产品还提供了一些SecOps功能。 因此，有意义的是，阅读此故事的安全专业人员会假设专注于SIEM解决方案可以解决SOAR的响应组件。 但是，请考虑业务价值创造者是致力于赚钱产品的软件工程师(除非您是安全咨询公司)。 SIEM产品被制造并出售给安全人员，而不是软件工程师。 因此，您的Webscale可观察性解决方案应由Webscale建造者和操作员使用的工具组成–使少数安全人员感到高兴，同时使更多的10名(甚至100名)软件工程师心烦意乱，这在情感上和组织上都是无能为力的。 人们应该重点使用的可观察性工具的类型通常称为APM。

APMs (Application Performance Management) solutions provide various views into the state of applications and software platforms. The leading APMs even feature real-time machine learning-based analysis. Describing APMs in detail is beyond the scope of this article. However, the target customers for APMs are software engineers working on products that make money. Ask your random software engineer working on products that make money about APM products and that will solicit various product names and opinions on dashboards and what granularity of metrics/logs you should use. Ask this same population about SIEM tools…crickets.

APM(应用程序性能管理)解决方案提供了有关应用程序和软件平台状态的各种视图。 领先的APM甚至具有基于实时机器学习的分析功能。 详细描述APM不在本文讨论范围之内。 但是，APM的目标客户是致力于赚钱产品的软件工程师。 询问您的随机软件工程师，他们正在研究能够从APM产品中获利的产品，并且会在仪表板上征求各种产品名称和意见，以及应使用的指标/日志的粒度。 向同一群人询问SIEM工具... cri。

The APM/SIEM integration space is ripe for disruption. Maybe Datadog intends to do such a thing. Anyone that can merge the APM and SIEM ecosystems will help bring the Op and Sec communities together — and make buckets of money in the process.

APM / SIEM集成空间已经成熟，可以中断。 也许Datadog打算做这样的事情。 任何可以合并APM和SIEM生态系统的人都将帮助将Op和Sec社区整合在一起，并在此过程中赚大钱。

Can Response answer the following question?

Response可以回答以下问题吗？

Can my SOC (Security Operations Center) even proactively see when a customer-facing app is compromised?

我的SOC(安全运营中心)是否可以主动查看面向客户的应用程序何时受到侵害？

YES

是

Response depends on a robust observability capability. With a proper instrumented environment your SOC will have the intelligence gathering capability required to respond.

响应取决于强大的可观察性功能。 在适当的仪器环境下，您的SOC将具有响应所需的情报收集功能。

编排与自动化 (Orchestration and Automation)

Now that we have established the need to collect actionable intelligence about the computing environment, we need to take action. This is where the orchestration and automation from SOAR come into play. First question — what is the difference between orchestration and automation?

现在，我们已经确定需要收集有关计算环境的可操作情报，我们需要采取行动。 这就是SOAR的编排和自动化发挥作用的地方。 第一个问题–编排和自动化之间有什么区别？

Ah, yes that question. These internets are full of various definitions.

嗯，是这个问题。 这些互联网充满了各种定义。

Automation refers to converting an existing mechanical action that requires human labor into actions that can be executed without human labor. A simple example is converting all manual shell commands into a bash script that contains all the shell commands. An iteration on the shell script could be an ansible playbook or chef cookbook. The automation processes will result in the creation of various automated systems.

自动化是指将需要人工的现有机械动作转换为无需人工即可执行的动作。 一个简单的示例就是将所有手动Shell命令转换为包含所有Shell命令的bash脚本。 Shell脚本的迭代可以是Ansible Playbook或Chef Cookbook。 自动化过程将导致创建各种自动化系统。

Orchestration refers to collecting and sequencing various processes together. Those processes could be a mix of human processes and automated systems. For example, in some regulated industries, you need a person (entity) of record to initiate an action. This initiation could lead many automated systems to be invoked. Therefore, one can consider orchestration as macro in scope and automation as micro in scope (like micro and macroeconomics).

编排是指一起收集和排序各种过程。 这些流程可能是人工流程和自动化系统的混合。 例如，在某些受管制的行业中，您需要有记录的人(实体)来发起诉讼。 这种启动可能导致调用许多自动化系统。 因此，人们可以将编排视为范围的宏，而将自动化视为范围的微观(如微观和宏观经济学)。

Orchestration and automation are the foundational capabilities of any serious cloud journey. Each cloud provider delivers various services that are manipulatable via an API. The preferred way to interact with cloud providers is with their APIs. Additionally, each cloud provider has some sort of automation language (like YAML) or tooling construct. There are third-party cloud management solutions like Terraform that interact with cloud provider APIs. Cloud providers themselves promote automation. Azure features workflow automation in the Security Center product. Google cloud’s API and CLI often have more parameter options than their web console. AWS has its automation markup called Cloud Formation. Instead of getting lost in different cloud providers, this article will use AWS.

编排和自动化是任何严肃的云之旅的基础能力。 每个云提供商都提供可通过API进行操作的各种服务。 与云提供商进行交互的首选方式是使用其API。 此外，每个云提供商都具有某种自动化语言(如YAML)或工具构造。 有第三方云管理解决方案(例如Terraform)可与云提供商的API进行交互。 云提供商自己促进自动化。 Azure在Security Center产品中具有工作流自动化功能。 Google Cloud的API和CLI通常具有比其Web控制台更多的参数选项。 AWS的自动化标记称为Cloud Formation 。 本文将使用AWS，而不是迷失在其他云提供商中。

For starting the initial entry into AWS with best practices, AWS Control Tower allows the creation of a new multi-account AWS environment. AWS Control Tower is the managed version of an AWS Landing Zone solution, which itself represents an implementation of AWS’s Well-Architected Framework. The landing zone solution is code and markup to automate AWS management at the account level. With this automated account management framework, an organization can layer automation of security controls- even automated responses! With AWS, it is possible to implement automated responses to security misconfigurations with custom AWS Config rules. Without belaboring the details of AWS Config, if someone changes a security group (AKA firewall) configuration to one not aligned with corporate policy, a custom config rule can automatically revert the change.

为了以最佳实践开始进入AWS， AWS Control Tower允许创建一个新的多账户AWS环境。 AWS Control Tower是AWS Landing Zone解决方案的托管版本，其本身代表了AWS结构完善的框架的实现。 登陆区解决方案是代码和标记，可在帐户级别自动执行AWS管理。 借助此自动帐户管理框架，组织可以对安全控制(甚至是自动响应)进行自动化！ 使用AWS，可以使用自定义AWS Config规则对安全性错误配置实施自动响应。 在不浪费AWS Config细节的情况下，如果有人将安全组(AKA防火墙)配置更改为与公司策略不符的配置，则自定义配置规则可以自动还原更改。

The capabilities of AWS Config enabled an automated response based on the ability to detect a change. As mentioned in the previous section, one cannot respond to something that cannot be detected. Once there is a rich intelligence gathering capability it is possible to automate the actions that can be taken. However, obtaining rich intelligence gathering capability requires the instrumentation of EVERYTHING in the environment. It is impossible to manually instrument a globally dispersed webscale environment. Therefore the deployment of the instrumentation must be automated. One could say there is a small feedback loop between creating a response capability and creating automation.

AWS Config的功能可基于检测到更改的功能启用自动响应。 如上一节所述，无法响应无法检测到的内容。 一旦有了丰富的情报收集能力，就有可能使可以采取的行动自动化。 然而，获得丰富的情报收集能力，需要在环境中的所有的仪器。 手动检测遍布全球的Webscale环境是不可能的。 因此，仪器的部署必须是自动化的。 可以说在创建响应能力和创建自动化之间存在一个很小的反馈回路。

The AWS example can be expanded into an orchestration scenario. We will assume the same security group change. The detected change is not a clear policy violation. In reality, such situations are common and lead to exposure via misconfiguration. Making the appropriate risk assessment to prevent exposure is where an enterprise wants to spend the high-value human intelligence effort on (as opposed to running scanners all day). Thus, the following three actions must be performed:

AWS示例可以扩展为业务流程方案。 我们将假定相同的安全组更改。 检测到的更改不是明确的策略违规。 实际上，这种情况很常见，并会导致配置错误。 进行适当的风险评估以防止暴露是企业要花费高价值的人力资源(而不是整天运行扫描仪)的地方。 因此，必须执行以下三个操作：

1. Route the notification of the configuration change to the correct parties
   将配置更改的通知路由到正确的参与者
2. Perform a risk-based assessment of the change
   对变更进行基于风险的评估
3. Perform remediation if required
   根据需要执行修复

Configuring and deploying the notification is just another automation task. In our AWS example, one can use AWS SNS and subscriptions. Step three is just more automation. Someone on the SRE team would change Cloud Formation and/or Terraform and have the configuration applied via automation. Step two is a completely human intelligence-driven process. It may involve a ticketing system, a review board, a security test, and/or other activities.

配置和部署通知只是另一项自动化任务。 在我们的AWS示例中，可以使用AWS SNS和订阅。 第三步是更多的自动化。 SRE团队中的某人将更改云形成和/或Terraform，并通过自动化应用配置。 第二步是完全由人类智能驱动的过程。 它可能涉及票务系统，审查委员会，安全测试和/或其他活动。

Essentially, the O and A in SOAR address the following question:

本质上，SOAR中的O和A解决了以下问题：

Can my application operators be able to resolve issues that span multiple clouds?

我的应用程序操作员能否解决跨越多个云的问题？

Yes, assuming the threat intelligence exists, an organization with mature automation and orchestration can respond accordingly.

是的，假设存在威胁情报，则具有成熟的自动化和协调能力的组织可以做出相应的响应。

开发运维 (DevOps)

With the elements of SOAR defined, how can we relate this security community term with the rest of the software community? Specifically, how does SOAR relate to DevOps? First, we need a definition of DevOps. We will use the following from research[2].

定义了SOAR的元素后，我们如何将这个安全性社区术语与其他软件社区联系起来？ 具体来说，SOAR与DevOps有何关系？ 首先，我们需要定义DevOps。 我们将从研究中使用以下内容[2]。

DevOps is a development methodology aimed at bridging the gap between Development (Dev) and Operations, emphasizing communication and collaboration, continuous integration, quality assurance and delivery with automated deployment using a set of development practices

DevOps是一种开发方法，旨在弥合开发(Dev)与运营之间的差距，强调沟通和协作，持续集成，质量保证以及使用一套开发实践进行自动部署的交付

There are obvious alignments with how this article describes SOAR and the presented definition of DevOps. For example, the automation and orchestration elements of SOAR align with software delivery via automated deployments. A successful response capability begins with situational awareness but a resolution (at the macro scale implied by orchestration) will require efficient communication and collaboration. However, there are still gaps between DevOps and SOAR.

与本文描述SOAR和提出的DevOps定义有明显的一致。 例如，SOAR的自动化和编排元素通过自动部署与软件交付保持一致。 成功的响应能力始于态势感知，但解决方案(业务流程所隐含的宏观尺度)将需要有效的沟通与协作。 但是，DevOps和SOAR之间仍然存在差距。

One example of such a gap is the significant difference between how DevOps is described for the enterprise and how security is described within the enterprise. DevOps practices are centered around teams within an enterprise. Specifically, how individual teams deliver their features and products. Security is about protecting the enterprise in totality. This is reflected in the APM versus SIEM conversation. The marketing around APM solutions suggests customizations for various types of teams. SIEM products focus on enterprise-wide integrations. Additionally, there are DevOps practices while SOAR is still a conceptual path to delivering robust security. Can these differing views of the enterprise and concept versus practices be bridged?

这种差距的一个例子是，如何为企业描述DevOps与如何在企业内部描述安全性之间存在显着差异。 DevOps实践以企业内团队为中心。 具体来说，各个团队如何交付其功能和产品。 安全性是关于整体保护企业。 这反映在APM与SIEM的对话中。 有关APM解决方案的市场营销建议针对各种类型的团队进行自定义。 SIEM产品专注于企业范围的集成。 此外，虽然有DevOps实践，但SOAR仍然是实现强大安全性的概念途径。 可以弥合企业，概念与实践的这些不同观点吗？

When examining the DevSecOps manifesto, It represents an attempt to align the security community with the developer community. Specifically, by pushing the security community into a development frame of reference with the opening gambit of security-as-code. This allows some alignment around languages and processes between software creators and security practitioners. One can consider security-as-code in the same vein as infrastructure-as-code (IaC); whereas, cloud providers are configured via APIs implying that the infrastructure lifecycle can be managed similarly to the application lifecycle. Thusly, security-as-code allows the management of security controls using the same application lifecycle concepts. Alongside DevSecOps there is SecDevOps and DevOpsSec. At the macro level, they are identical but at the micro-level there are differences — this article makes no recommendation between them.

在检查DevSecOps宣言时，它表示尝试使安全社区与开发人员社区保持一致。 具体而言，通过将安全性作为代码的开端，将安全性社区推向发展的参考框架。 这允许在软件创建者和安全从业者之间围绕语言和过程进行一些调整。 人们可以按照与基础架构代码(IaC)相同的方式来考虑安全代码。 而通过API配置云提供商，则意味着可以像管理应用程序生命周期一样管理基础结构生命周期。 因此，安全性代码允许使用相同的应用程序生命周期概念来管理安全性控件。 除了DevSecOps，还有SecDevOps和DevOpsSec。 在宏观级别上，它们是相同的，但在微观级别上，则存在差异-本文对此不做任何建议。

Quickly, we must examine the people component of the enterprise. Which community of technologists will have robust experience with cloud automation technologies like AWS CloudFormation and Terraform? These are your cloud platform engineers and not your security engineers. Your platform engineers naturally work with your application teams (many are former application developers!). Your security engineers should be working with platform engineers to deliver robust security automation.

很快，我们必须检查企业的人员组成部分。 哪个技术人员社区将对AWS CloudFormation和Terraform等云自动化技术拥有丰富的经验？ 这些是您的云平台工程师，而不是您的安全工程师。 您的平台工程师自然会与您的应用程序团队一起工作(许多人以前是应用程序开发人员！)。 您的安全工程师应与平台工程师合作，以提供强大的安全自动化。

This leaves us with the question:

这给我们留下了一个问题：

Can I leverage DevOps to deliver webscale security capabilities?

我可以利用DevOps提供Webscale安全功能吗？

YES, but SOAR does NOT directly enable this. DevOps provides a series of practices and methodologies the security organization can adopt. SOAR highlights what elements the security team should focus on. Identifying the automation they should participate in, determine where they should merge process orchestration, and enhancing collective observability. The last point enabling response.

是的，但是SOAR不会直接启用此功能。 DevOps提供了安全组织可以采用的一系列实践和方法。 SOAR强调了安全团队应关注的要素。 确定他们应该参与的自动化，确定他们应该在哪里合并流程业务流程，并增强集体的可观察性。 最后一点使响应成为可能。

离别的想法 (Parting Thoughts)

This article explained the SOAR acronym beyond the Gartner definition and without a security vendor focus. The purpose was to explore if SOAR provides a path to answer CISO questions when operating at webscale. The article then attempted to relate SOAR to DevOps. The CISO questions were answerable!

本文解释了Gartner定义之外的SOAR缩写，并且没有关注安全厂商。 目的是探讨SOAR在网络规模下运行时是否提供了回答CISO问题的途径。 然后，本文尝试将SOAR与DevOps相关。 CISO问题是可以回答的！

Hopefully, the dissection of the SOAR acronym aides those not in the security space to understand what the cloud-capable security practitioner wants to achieve. For the security practitioner, it allows him/her to frame conversations with the rest of the enterprise in terms they are familiar with (also why this article has little security jargon).

希望，SOAR首字母缩略词的剖析有助于那些不在安全领域中的人理解具有云功能的安全从业者想要实现的目标。 对于安全从业者，它使他/她可以用他们熟悉的术语来构架与企业其余部分的对话(这也是为什么本文几乎没有安全术语)。

SOAR provides a framework that enables the CISO to have a conversation across the enterprise about delivering robust security capabilities. For the enterprise on the cusp of being webscale, the foremost goal is achieving a robust observability capability. It is the root of Response. This will require a conversation about standard metrics and measures. This includes mundane conversations about implementing standard log messages and message formats. For our reference enterprise, it will require developing a roadmap that identifies when some acceptable level of uniformity will be achieved. The same roadmap development will be required regarding automation and orchestration.

SOAR提供了一个框架，使CISO可以在整个企业中进行有关提供强大安全功能的对话。 对于即将成为Webscale的企业而言，首要目标是实现强大的可观察性。 这是响应的根源。 这将需要就标准度量标准进行对话。 这包括有关实现标准日志消息和消息格式的普通对话。 对于我们的参考企业，它将需要制定一个路线图，该路线图确定何时将达到可接受的均匀性水平。 关于自动化和编排，将需要相同的路线图开发。

The CISO will not “own” all the skills necessary to succeed. As briefly mentioned earlier, the population of people in our reference enterprise with the cloud automation skills will not be from the security community. Thusly, any roadmap the CISO would even propose is highly dependent on what the engineering organization is pursuing. This is why DevSecOps is important. The CISO’s organization needs to align with how the engineering organization executes delivery.

CISO不会“拥有”成功所需的所有技能。 正如前面简单提到的那样，人在我们与云自动化技术参考企业的人口将无法从安全社区。 因此，CISO甚至提出的任何路线图都高度依赖于工程组织追求的目标。 这就是为什么DevSecOps很重要的原因。 CISO的组织需要与工程组织执行交付的方式保持一致。

Finally, we come to the security marketplace where vendors are hawking their SOAR solutions. Some even refer to their solutions as “SOAR platforms”. If you are a technology executive and someone is selling you a “SOAR Platform” it should:

最后，我们来到了安全市场，供应商正在兜售他们的SOAR解决方案。 有些甚至将其解决方案称为“ SOAR平台”。 如果您是技术主管，并且有人向您出售“ SOAR平台”，则应：

1. Have out-of-the-box API integrations with a cloud provider with an ability to invoke provider automation. For example, can the SOAR platform apply an AWS Cloud Formation template? If it can’t, how can it deliver automation for the cloud?
   与云提供商具有现成的API集成，能够调用提供商自动化。 例如，SOAR平台可以应用AWS Cloud Formation模板吗？ 如果不能，它将如何为云提供自动化？

2. It must have the ability to create workflows with lots of API integrations. Can the workflow be invoked via an API? Can the workflow invoke other APIs? This workflow integration allows for Orchestration. Look for Git, Slack, Jira as example integrations.

   它必须具有创建具有大量API集成的工作流的能力。 可以通过API调用工作流程吗？ 工作流程可以调用其他API吗？ 此工作流程集成允许进行编排。 寻找Git ， Slack ， Jira作为示例集成。

3. It must have customizable dashboards and integrations with SIEM products and standard security ecosystem products ( think IDS, WAF, etc). Obviously integrations with cloud provider observability solutions (like AWS CloudWatch). Remember, your primary webscale dashboards should be APMs while the SOAR displays are specific to your security team. Hence, it should be able to integrate with APMs (in both directions). As APMs use machine learning to help identify the signal from the noise, your chosen “SOAR Platform” should have the same capability.

   它必须具有可自定义的仪表板，并与SIEM产品和标准安全性生态系统产品(例如IDS ， WAF等)集成。 显然与云提供商可观察性解决方案(例如AWS CloudWatch )的集成。 请记住，您的主要Webscale仪表板应该是APM，而SOAR显示则是针对您的安全团队的。 因此，它应该能够与APM集成(双向)。 由于APM使用机器学习来帮助从噪声中识别信号，因此您选择的“ SOAR平台”应该具有相同的功能。

To repeat, a technology executive should not deploy a magic SOAR tool if the organization is not already pursuing an integrated DevSecOps (or SecDecOps or DevOpsSec) approach.

重复一遍，如果组织尚未采用集成的DevSecOps(或SecDecOps或DevOpsSec)方法，则技术主管不应部署魔术SOAR工具。

The expanding SOAR ecosystem will include ever-improving best practices and solutions. SOAR as a concept provides a framework to better protecting the enterprise at webscale. Delivering automated responses to security incidents is several times better than manual methods. Merging the goals of SOAR (evolved security through orchestration and automated response) with DevOps practices will allow the webscale enterprise to respond in near-realtime — the operational nirvana that everyone in the C-suite desires, the lights never off.

不断扩展的SOAR生态系统将包括不断改进的最佳实践和解决方案。 SOAR作为一个概念提供了一个框架，可以更好地在Web级保护企业。 对安全事件进行自动响应要比手动方法好几倍。 将SOAR的目标(通过编排和自动响应来发展安全性)与DevOps实践相结合，将使Webscale Enterprise几乎实时地做出响应，这是C级套件所有人都希望的操作必杀技，但灯永远不会熄灭。

Come SOAR with me.

和我一起狂奔。

— Nicholas

—尼古拉斯

翻译自: https://medium.com/swlh/soarn-with-devops-b831d041aceb