CN113672910A - Security event processing method and device - Google Patents
- Publication number: CN113672910A (application CN202110790309.5A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/57 Certifying or maintaining trusted computer platforms (secure boot, version control, secure updates, vulnerability assessment) > G06F21/577 Assessing vulnerabilities and evaluating computer system security
Abstract
Embodiments of the invention provide a security event processing method and device. The method comprises: providing a security orchestration platform that includes security components, each security component being associated with a security event and with a serverless function, where a serverless function is a function that runs on a cloud server; and, in response to an orchestration operation on the security components in the platform, determining the target serverless functions for a target security event and their execution order, and forming a security playbook with which the target security event is processed. Using the existing security components of the orchestration platform, a security playbook can be assembled for a security event more efficiently, so that the event is processed according to the playbook, the mean time to repair is reduced, and security events are handled more efficiently.
Description
Technical Field
Embodiments of the present invention relate to the field of network security technologies, and in particular, to a security event processing method, a security event processing apparatus, an electronic device, and a computer-readable storage medium.
Background
With the rapid development of computer technology, information networks have become an important foundation of social development. Today such networks routinely face a variety of threat scenarios, and analysing these scenarios shows that a security event has occurred, such as a virus intrusion, a network attack or a remote connection.
However, a fixed processing flow has to be prepared in advance for each security event so that the event can be handled by following it. Security events come in many types, and different enterprises handle the same event in different ways, so the fixed flows reduce the efficiency with which security events are processed.
Disclosure of Invention
Embodiments of the invention provide a security event processing method, a security event processing apparatus, an electronic device and a computer-readable storage medium that improve the efficiency of processing security events. The technical scheme is as follows:
In a first aspect of the invention, a security event processing method is provided, including:
providing a security orchestration platform, where the platform includes security components, each security component is associated with a security event and with a serverless function, and the serverless function is a function that runs on a cloud server;
and, in response to an orchestration operation on the security components in the security orchestration platform, determining the target serverless functions for a target security event and their execution order, and forming a security playbook with which the target security event is processed.
Optionally, after the target serverless functions and their execution order have been determined for the target security event and the security playbook has been formed, the method further comprises:
receiving a security event sent by a monitoring system;
determining the target security playbook corresponding to that security event, where the target playbook comprises serverless functions and their execution order;
and triggering the serverless functions of the target playbook one after another in that execution order, so as to process the security event.
Optionally, the security component is an editable component whose editable content includes at least a category, a name, configuration parameters and a component description.
Optionally, triggering the serverless functions of the target playbook in execution order to process the security event includes:
determining, in execution order, the current serverless function of the target playbook;
and sending a working signal to the cloud server that hosts the current serverless function, so that the cloud server processes the security event according to the working signal.
Optionally, the editing operations available on a security component include at least select, edit, save, submit, undo, redo, copy, paste and set.
Optionally, the method further comprises: adding a new security component to the security orchestration platform in response to an add operation for that component.
In a second aspect of the invention, a security event processing apparatus is also provided, including:
a security orchestration platform providing module, which provides a security orchestration platform that includes security components, each associated with a security event and with a serverless function, where the serverless function runs on a cloud server;
and a security playbook orchestration module, which responds to an orchestration operation on the security components in the platform by determining the target serverless functions for a target security event and their execution order, and forming a security playbook with which the target security event is processed.
Optionally, the apparatus further comprises a security event processing module, which receives a security event sent by the monitoring system, determines the target security playbook corresponding to it (the playbook comprising serverless functions and their execution order), and triggers those serverless functions one after another in execution order so as to process the security event.
In a further aspect, a computer-readable storage medium is provided that stores instructions which, when run on a computer, cause the computer to execute any of the security event processing methods described above.
In a further aspect, a computer program product is provided containing instructions which, when run on a computer, cause the computer to perform any of the security event processing methods described above.
In the security orchestration platform, each security component is associated with a security event and with a serverless function that runs on a cloud server; in response to an orchestration operation on the components, the target serverless functions for a target security event and their execution order are determined, and a security playbook is formed with which the target event is processed. Using the existing security components of the platform, a security playbook for a security event can be assembled more efficiently, so that the event is processed according to the playbook, the mean time to repair is reduced and security events are handled more efficiently.
In addition, because the serverless functions are provided by the cloud server, that is, by a third-party serverless platform, developers need not manage or maintain the servers that run them: resource cost is reduced and developers can concentrate on building and applying the security playbooks.
The foregoing is only an overview of the technical solution of the invention; the embodiments are described below so that the technical means of the invention, and the objects, features and advantages mentioned above and others, can be more clearly understood.
Drawings
To illustrate the embodiments of the invention more clearly, the drawings used in their description are briefly introduced below.
Fig. 1 is a flowchart of the steps of a security event processing method according to an embodiment of the invention;
Fig. 2 is a schematic interface diagram of a security orchestration platform according to an embodiment of the invention;
Fig. 3 is a schematic diagram of a security event processing architecture according to an embodiment of the invention;
Fig. 4 is a flowchart of the processing steps for a security event according to an embodiment of the invention;
Fig. 5 is a schematic flow diagram of security event processing according to an embodiment of the invention;
Fig. 6 is a block diagram of a security event processing apparatus according to an embodiment of the invention;
Fig. 7 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
On the internet, analysing threat scenarios identifies the corresponding security events, such as virus intrusions, network attacks, remote connections and cryptocurrency mining, which are routinely encountered while a system or device is running. To keep systems running safely, developers use a SOAR (Security Orchestration, Automation and Response) platform to orchestrate a fixed processing flow, called a security playbook, and use the playbook to analyse and respond to security events so that security risks are avoided.
Specifically, on the SOAR platform developers combine the security capabilities of their enterprise according to a logical relationship, which yields a security playbook for a given security event. Although a SOAR platform makes it convenient to orchestrate a playbook in response to security events, the events seen on the internet are diverse and include previously unknown ones, and an existing SOAR platform cannot orchestrate a playbook for them quickly enough; the MTTR (mean time to repair) is therefore long and the response to security events is slow.
To address this, an embodiment of the invention provides a security event processing method with a security orchestration platform whose security components correspond to security events and to serverless functions. Developers orchestrate security playbooks by orchestrating those components, the playbooks are used to respond to security events, and, because the playbooks are orchestrated more efficiently, the mean time to repair falls and security events are processed more efficiently.
Fig. 1 is a flowchart of the steps of a security event processing method provided in an embodiment of the invention; as shown there, the method may include the following steps:
A security event is an event corresponding to a threat scenario observed by a monitoring system, such as a virus intrusion, network attack, remote connection or cryptocurrency mining. A serverless function is a function of a cloud server: specifically, a function (code) or application provided by the cloud's serverless platform, generally called an action, which on invocation automatically calls the resources it needs to carry out its processing. The serverless platform may for example be Knative.
The security orchestration platform is a platform with both graphical and code orchestration capabilities. It contains one or more security components, each corresponding to a security event or to a serverless function; the components are editable, and the editable content includes at least a category, a name, configuration parameters and a component description. In embodiments of the invention, security events are bound to serverless functions, and serverless functions to other serverless functions, by operating on the security components in the platform. The platform may of course also contain other components, such as built-in components and general components, in addition to those corresponding to security events or serverless functions; the embodiments are not limited in this respect.
Fig. 2 shows the interface of a security orchestration platform according to an embodiment. It can contain several security components, presented by category: if the categories are, for example, general components, built-in components, threat investigation and threat operation, each component is shown under its category. When a component is selected, its category, name, configuration parameters and so on are displayed and can be edited.
A security playbook is a workflow that responds to a security event automatically. The workflow is composed of several serverless functions, and the required computation is performed by calling them.
The editing operations include at least one or more of select, edit, save, submit, undo, redo, copy, paste and set; to support playbook development they are shown graphically in the orchestration platform, see the upper left corner of Fig. 2.
For example, when orchestrating a security playbook a developer selects a security component in the platform as the target component and can edit its category, name and configuration parameters, as well as the execution order of its serverless functions.
Specifically, in the embodiment of the invention, security components are orchestrated in the platform: a component is selected as the target component, the execution order of the target serverless function corresponding to that component is determined, and the security playbook is formed from the target serverless functions and their execution order, so that the serverless functions (actions) in the playbook are subsequently followed. Fig. 3 shows a security event processing architecture according to an embodiment: for a security event, the serverless functions are called according to the playbook and executed to process the event.
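A minimal model of the orchestration operation described above (selecting a component from the platform's catalogue, editing its configuration parameters, fixing the execution order of the serverless functions and forming the playbook), as an added Python example that is not the patent's own code. The component catalogue, the parameter schemas, the function names fn_* and the JSON definition format are assumptions made for illustration.

```python
"""Added example: security components orchestrated into a security playbook.
Not the patent's code; the catalogue, parameter schemas, fn_* function names
and the JSON definition format are assumptions for illustration."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class SecurityComponent:
    """A security component as the platform edits it: the editable fields
    named in the text (category, name, configuration parameters,
    description) plus the serverless function (action) it binds to."""
    category: str
    name: str
    function: str
    params: Dict[str, Any] = field(default_factory=dict)
    description: str = ""
    schema: Dict[str, type] = field(default_factory=dict)  # allowed params and their types


# Catalogue shown by category in the platform (constructed; fn_* names are
# assumed to be deployed on the serverless platform).
CATALOGUE: Dict[str, SecurityComponent] = {c.name: c for c in [
    SecurityComponent("threat investigation", "ip_reputation", "fn_ip_reputation",
                      {"provider": "internal"}, "Look up a source IP", {"provider": str}),
    SecurityComponent("threat operation", "firewall_block", "fn_firewall_block",
                      {"ttl_minutes": 30}, "Block an IP on the edge firewall", {"ttl_minutes": int}),
    SecurityComponent("threat operation", "open_ticket", "fn_open_ticket",
                      {"queue": "soc"}, "Open a SOC ticket", {"queue": str}),
]}


class Playbook:
    """Security playbook for one event type: serverless functions in execution order."""

    def __init__(self, event_type: str):
        self.event_type = event_type
        self.steps: List[SecurityComponent] = []

    def select(self, name: str, **edits: Any) -> SecurityComponent:
        """Orchestration operation: take a catalogue component, edit its
        configuration parameters (validated against the component's schema,
        so a playbook can never carry a parameter the function does not
        accept) and append it as the next step in execution order."""
        base = CATALOGUE[name]
        params = dict(base.params)
        for key, value in edits.items():
            if key not in base.schema:
                raise KeyError(f"{name}: unknown parameter {key!r}")
            if not isinstance(value, base.schema[key]):
                raise TypeError(f"{name}.{key}: expected {base.schema[key].__name__}")
            params[key] = value
        step = SecurityComponent(base.category, base.name, base.function, params, base.description)
        self.steps.append(step)
        return step

    def move(self, index: int, new_index: int) -> None:
        """Editing operation that changes the execution order."""
        self.steps.insert(new_index, self.steps.pop(index))

    def export(self) -> str:
        """The definition a runtime would load: event type plus the
        execution sequence of serverless functions with their parameters."""
        return json.dumps({
            "event_type": self.event_type,
            "sequence": [{"function": s.function, "params": s.params} for s in self.steps],
        }, sort_keys=True)


def build_network_attack_playbook() -> Playbook:
    """Playbook for 'network_attack' events assembled from existing components."""
    pb = Playbook("network_attack")
    pb.select("open_ticket")
    pb.select("ip_reputation")
    pb.select("firewall_block", ttl_minutes=120)   # edited configuration parameter
    pb.move(0, 2)                                  # ticket last: reputation, block, ticket
    return pb


def execution_order(pb: Playbook) -> List[str]:
    return [s.function for s in pb.steps]


if __name__ == "__main__":
    print(build_network_attack_playbook().export())
```

The playbook is plain data once exported, so it can be versioned and reviewed like any other configuration; validating parameters at orchestration time, rather than when the function runs, keeps a mistyped or unknown parameter from reaching the cloud function during an incident.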
In this security event processing method, a security orchestration platform with security components is provided; each component is associated with a security event and with a serverless function that runs on a cloud server, and in response to an orchestration operation on the components the target serverless functions for a target security event and their execution order are determined and a security playbook is formed with which the event is processed. Using the platform's existing components, a playbook can be assembled for a security event more efficiently, so that the event is processed according to the playbook, the mean time to repair is reduced and security events are handled more efficiently.
In an exemplary embodiment, referring to Fig. 4, after step 102 has determined the target serverless functions and their execution order for the target security event and formed the security playbook, the method may further include the following steps:
Specifically, any security event reported by the various monitoring systems is received, and the target security playbook corresponding to it is looked up: if, for example, the event is a network attack, all playbooks are filtered and the playbook that handles network attacks is selected as the target playbook. The serverless functions on the cloud server are then called one after another in the execution order given by the target playbook, and the resulting computation constitutes the response to the event.
Security playbooks are generally developed in Python. A playbook usually contains all the serverless functions (actions) needed to handle the security events it covers, combined serially or in parallel, so that the workflow for each threat scenario runs automatically.
In an exemplary embodiment, step 403, triggering the serverless functions of the target playbook in execution order to process the security event, may include the following steps:
determining, in execution order, the current serverless function of the target playbook;
and sending a working signal to the cloud server that hosts the current serverless function, so that the cloud server processes the security event according to the working signal.
Specifically, when the serverless functions are called in the execution order of the playbook, the current function is determined from that order, a working signal is sent to the cloud server hosting it, and the working variables (parameters) are sent to the cloud server at the same time; on receiving the signal, the cloud server calls the corresponding serverless function to compute on those variables and returns the result.
To help those skilled in the art understand the embodiment, the operation of the serverless functions is described with a specific example. Fig. 5 is a schematic flow diagram of security event processing according to an embodiment; its modules are:
Sensor: monitors for and receives security events from an external monitoring system; there may be one or more sensors;
Trigger: connects a Sensor to a Rule; a trigger fires when a security event arrives from the Sensor and injects the event data into the Rule;
Rule: the mapping from triggers to actions (or the correspondence between a trigger and a workflow); it records the criteria to be matched and maps the trigger instance to the input of the action; put simply, a rule is a matching configuration record;
Action: the serverless function that is actually executed; it may be implemented as a script, an API call or any other user-defined serverless function, for example one that invokes ssh, an API, OpenStack, Docker, Salt, Puppet or Jenkins;
Workflow: a collection of actions executed in order, according to predefined rules.
RabbitMQ is open-source message broker software implementing the Advanced Message Queuing Protocol (AMQP), also described as message-oriented middleware; MongoDB is a document-oriented database, often described as sitting between relational and non-relational databases.
Based on these modules, the processing flow is as follows: the Sensor receives the data of a security event from the external monitoring system in pull or push mode and injects it into the system through a Trigger; the Rule module receives the data and records the matching rule for the event. When the workflow is executed, it sends working signals over RabbitMQ to call the serverless functions of the cloud server, and reads the working variables from MongoDB so that the functions are called with those variables.
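The dispatch described in the steps above (determining the current function and sending it a working signal together with the working variables) and the Sensor, Trigger, Rule, Action and Workflow pipeline of Fig. 5, as one added Python example that is not the patent's own code. An in-memory queue stands in for RabbitMQ and a dict for the MongoDB working-variable store; the action functions, the rule criteria syntax, the trigger name and the three constructed events are assumptions made for illustration.

```python
"""Added example: Sensor -> Trigger -> Rule -> Workflow of actions.
Not the patent's code. queue.Queue stands in for RabbitMQ, a dict for the
MongoDB variable store; actions, criteria and events are constructed."""
import queue
from concurrent.futures import ThreadPoolExecutor
from typing import Any, Callable, Dict, List, Tuple

KNOWN_MINERS = {"a" * 64}   # constructed sample hash, not real threat intel


# Actions: the serverless functions. Each receives the working context
# (event data plus the working variables produced so far) and returns
# new working variables, as the cloud server would in its reply.
def hash_lookup(ctx: dict) -> dict:
    return {"known_miner": ctx.get("sha256") in KNOWN_MINERS}


def kill_process(ctx: dict) -> dict:
    # depends on hash_lookup having run in an earlier (serial) group
    return {"killed": ctx["process"] if ctx.get("known_miner") else None}


def isolate_host(ctx: dict) -> dict:
    return {"isolated": ctx["host"] if ctx.get("known_miner") else None}


def notify_soc(ctx: dict) -> dict:
    return {"notified": True, "summary": f"{ctx['host']}: killed={ctx.get('killed')}"}


ACTIONS: Dict[str, Callable[[dict], dict]] = {
    "hash_lookup": hash_lookup, "kill_process": kill_process,
    "isolate_host": isolate_host, "notify_soc": notify_soc,
}

# A workflow is a list of groups: groups run serially, the actions inside
# one group run in parallel (the serial/parallel combination in the text).
Workflow = List[List[str]]


class Rule:
    """Maps a trigger to a workflow when the event meets the criteria."""

    def __init__(self, trigger: str, criteria: Dict[str, Any], workflow: Workflow):
        self.trigger, self.criteria, self.workflow = trigger, criteria, workflow

    def matches(self, trigger: str, event: dict) -> bool:
        return trigger == self.trigger and all(
            event.get(k) == v for k, v in self.criteria.items())


class Sensor:
    """Pulls events from an external monitoring system and fires a trigger
    on the bus for each one (the trigger injects the event data)."""

    def __init__(self, trigger: str, source: List[dict], bus: "queue.Queue"):
        self.trigger, self.source, self.bus = trigger, source, bus

    def poll(self) -> int:
        for event in self.source:
            self.bus.put((self.trigger, event))
        return len(self.source)


def run_workflow(workflow: Workflow, event: dict, work_store: dict) -> dict:
    """Send each action its working signal (event + working variables) in
    execution order; results become working variables for later groups."""
    work_vars: dict = {}
    with ThreadPoolExecutor() as pool:
        for group in workflow:                       # serial across groups
            ctx = {**event, **work_vars}
            for out in pool.map(lambda name, ctx=ctx: ACTIONS[name](ctx), group):  # parallel within group
                work_vars.update(out)
    work_store[event["id"]] = work_vars              # persisted like the MongoDB variables
    return work_vars


def process_bus(bus: "queue.Queue", rules: List[Rule], work_store: dict) -> List[Tuple[int, Any]]:
    """Drain the bus; the first rule that matches handles the event.
    Action names come from the rule's workflow, never from the event, so
    data an attacker can influence cannot choose which function runs.
    Events no rule matches are returned with None for human triage."""
    handled: List[Tuple[int, Any]] = []
    while not bus.empty():
        trigger, event = bus.get()
        rule = next((r for r in rules if r.matches(trigger, event)), None)
        handled.append((event["id"], run_workflow(rule.workflow, event, work_store) if rule else None))
    return handled


def run_demo() -> List[Tuple[int, Any]]:
    # constructed events, as an EDR-style monitoring system might report them
    events = [
        {"id": 1, "type": "mining", "host": "web-01", "process": "xmrig", "sha256": "a" * 64},
        {"id": 2, "type": "mining", "host": "web-02", "process": "node", "sha256": "b" * 64},
        {"id": 3, "type": "remote_connection", "host": "db-01"},
    ]
    bus: "queue.Queue" = queue.Queue()
    Sensor("edr.alert", events, bus).poll()
    rules = [Rule("edr.alert", {"type": "mining"},
                  [["hash_lookup"], ["kill_process", "isolate_host"], ["notify_soc"]])]
    return process_bus(bus, rules, work_store={})


if __name__ == "__main__":
    for event_id, result in run_demo():
        print(event_id, result)
```

The working variables handed to an action are the only input it sees, so for actions that end up invoking ssh, Salt or Puppet (listed above) they should be validated against what the action expects before the working signal is sent, exactly as the event type is checked by the rule's criteria before any action runs.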
In this method, once the security playbooks have been orchestrated in the platform, the target playbook is selected among them according to the security event received from the monitoring system, and the event is processed according to that playbook, which improves the security of the system.
In an exemplary embodiment, the method may further include the step of:
adding a new security component to the security orchestration platform in response to an add operation for that component.
Specifically, as operational experience accumulates, new security components may be added to the platform, in addition to editing existing ones, to deal better with threat scenarios that may arise.
In this method, existing security components can be edited in the orchestration platform and new ones added, so developers can build new security playbooks from the new components; orchestration efficiency improves and response time is shortened further.
Fig. 6 is a block diagram of a security event processing apparatus according to an embodiment of the invention; as shown there, the apparatus may include the following modules:
a security orchestration platform providing module 601, configured to provide a security orchestration platform that includes security components, each associated with a security event and with a serverless function, where the serverless function runs on a cloud server;
a security playbook orchestration module 602, configured to respond to an orchestration operation on the security components in the platform by determining the target serverless functions for a target security event and their execution order, and forming a security playbook with which the target security event is processed.
In an exemplary embodiment, the apparatus further comprises a security event processing module, which receives a security event sent by the monitoring system, determines the target security playbook corresponding to it (the playbook comprising serverless functions and their execution order), and triggers those serverless functions one after another in execution order so as to process the event.
In an exemplary embodiment, the security component is an editable component whose editable content includes at least a category, a name, configuration parameters and a component description.
In an exemplary embodiment, the security event processing module determines, in execution order, the current serverless function of the target playbook and sends a working signal to the cloud server that hosts it, so that the cloud server processes the security event according to the working signal.
In an exemplary embodiment, the editing operations include at least select, edit, save, submit, undo, redo, copy, paste and set.
In an exemplary embodiment, the apparatus further comprises a security component adding module, which adds a new security component to the platform in response to an add operation for that component.
Since the apparatus embodiment is essentially similar to the method embodiment, its description is kept brief; for the relevant details refer to the description of the method embodiment.
The embodiment of the present invention further provides an electronic device, as shown in fig. 7, which includes a processor 71, a communication interface 72, a memory 73 and a communication bus 74, where the processor 71, the communication interface 72, and the memory 73 complete mutual communication through the communication bus 74,
a memory 73 for storing a computer program;
the processor 71, when executing the program stored in the memory 73, implements the following steps:
providing a security arrangement platform, wherein the security arrangement platform comprises a security component, the security component is provided with a corresponding security event and a server-free function, and the server-free function is a function operated on a cloud server;
and responding to the arrangement operation of the security components in the security arrangement platform, determining a target server-free function aiming at a target security event and an execution sequence of the target server-free function, and forming a security script so as to process the target security event.
Optionally, after determining the target serverless function for the target security event and the execution order of the target serverless function, in response to the orchestration operation on the security components in the security orchestration platform, to form the security playbook for processing the target security event, the method further comprises:
receiving a security event sent by a monitoring system;
determining a target security playbook corresponding to the security event, wherein the target security playbook comprises serverless functions and an execution order of the serverless functions;
sequentially triggering the serverless functions of the target security playbook according to the execution order, and processing the security event.
Optionally, the security component is an editable component, and the editable content at least includes a category, a name, configuration parameters, and a component description.
Optionally, sequentially triggering the serverless functions of the target security playbook according to the execution order to process the security event includes:
sequentially determining the current serverless function in the target security playbook according to the execution order;
sending a working signal to the cloud server corresponding to the current serverless function, so that the cloud server processes the security event according to the working signal.
Optionally, the editing operation at least comprises selecting, editing, saving, submitting, undoing, redoing, copying, pasting, and setting.
Optionally, the method further comprises: adding a new security component to the security orchestration platform in response to an add operation for the new security component.
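The steps above (provide a platform of components bound to serverless functions, orchestrate them into an ordered playbook per event type, then on an incoming monitoring event look up the playbook and signal each function's cloud server in turn) can be modelled end to end in a few dozen lines. The following is an added example and not code from the patent or its applicant; the component names, function names, configuration values and sample events are constructed, and `CloudServer` is a stand-in for the remote function host. It also covers the edge cases a practitioner cares about: an event type with no playbook is reported as unmapped rather than silently dropped, and a playbook cannot reference a component that was never added.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example, not code from the patent: a minimal model of the claimed
# platform. Component names, function names, configuration values and the
# sample events are constructed for illustration.

@dataclass
class SecurityEvent:
    event_type: str          # used to select the target playbook
    source_ip: str
    details: dict = field(default_factory=dict)

@dataclass
class SecurityComponent:
    # Editable content: category, name, configuration parameters, description.
    category: str
    name: str
    config: dict
    description: str
    function_name: str       # the serverless function this component is bound to

@dataclass
class Playbook:
    event_type: str
    steps: List[str]         # component names in execution order

class CloudServer:
    """Stand-in for the cloud server that hosts the serverless functions."""
    def __init__(self) -> None:
        self._functions: Dict[str, Callable[[SecurityEvent, dict], str]] = {}

    def register(self, name: str, handler: Callable[[SecurityEvent, dict], str]) -> None:
        self._functions[name] = handler

    def handle_signal(self, name: str, event: SecurityEvent, config: dict) -> str:
        # The working signal names the function and carries the event plus the
        # component configuration; an undeployed function is an error, not a no-op.
        if name not in self._functions:
            raise KeyError(f"serverless function not deployed: {name}")
        return self._functions[name](event, config)

class OrchestrationPlatform:
    def __init__(self, cloud: CloudServer) -> None:
        self.cloud = cloud
        self.components: Dict[str, SecurityComponent] = {}
        self.playbooks: Dict[str, Playbook] = {}

    def add_component(self, component: SecurityComponent) -> None:
        self.components[component.name] = component

    def orchestrate(self, event_type: str, component_names: List[str]) -> Playbook:
        # Orchestration operation: the arranged components become the playbook
        # for this event type, in the order the operator placed them.
        missing = [n for n in component_names if n not in self.components]
        if missing:
            raise KeyError(f"unknown components: {missing}")
        playbook = Playbook(event_type, list(component_names))
        self.playbooks[event_type] = playbook
        return playbook

    def handle_event(self, event: SecurityEvent) -> Optional[List[str]]:
        # Determine the target playbook for the incoming event and trigger its
        # serverless functions one by one; None marks an unmapped event type.
        playbook = self.playbooks.get(event.event_type)
        if playbook is None:
            return None
        results = []
        for name in playbook.steps:
            comp = self.components[name]
            results.append(self.cloud.handle_signal(comp.function_name, event, comp.config))
        return results

# Three constructed serverless functions standing in for response actions.
def block_ip(event: SecurityEvent, config: dict) -> str:
    return f"firewall {config['firewall']}: blocked {event.source_ip}"

def isolate_host(event: SecurityEvent, config: dict) -> str:
    return f"edr: isolated {event.details.get('host', 'unknown')}"

def open_ticket(event: SecurityEvent, config: dict) -> str:
    return f"ticket queue {config['queue']}: opened for {event.event_type}"

def build_demo() -> OrchestrationPlatform:
    # Deploy the functions, add the components, orchestrate two playbooks.
    cloud = CloudServer()
    cloud.register("fn_block_ip", block_ip)
    cloud.register("fn_isolate_host", isolate_host)
    cloud.register("fn_open_ticket", open_ticket)
    platform = OrchestrationPlatform(cloud)
    platform.add_component(SecurityComponent("network", "Block source IP",
        {"firewall": "edge-fw-1"}, "Deny rule for the attacking IP", "fn_block_ip"))
    platform.add_component(SecurityComponent("endpoint", "Isolate host",
        {}, "Quarantine the affected host", "fn_isolate_host"))
    platform.add_component(SecurityComponent("notification", "Open ticket",
        {"queue": "soc-l1"}, "Ticket for analyst follow-up", "fn_open_ticket"))
    platform.orchestrate("brute_force", ["Block source IP", "Open ticket"])
    platform.orchestrate("malware_detected", ["Isolate host", "Block source IP", "Open ticket"])
    return platform
```

`build_demo().handle_event(SecurityEvent("brute_force", "203.0.113.7"))` runs the two-step brute-force playbook and returns the results in playbook order; the same platform selects the three-step playbook for a `malware_detected` event, which is the "determine the target playbook corresponding to the event" step of the method. Keeping the playbook as an ordered list of component names, rather than of raw function names, is what lets each step carry its own configuration parameters to the cloud server in the working signal.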
The communication bus mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, which has instructions stored therein; when the instructions run on a computer, the computer is caused to execute the security event processing method described in any of the above embodiments.
In yet another embodiment, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to perform the security event processing method described in any of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (10)
1. A security event processing method, comprising:
providing a security orchestration platform, wherein the security orchestration platform comprises a security component, the security component is provided with a corresponding security event and a serverless function, and the serverless function is a function that runs on a cloud server;
in response to an orchestration operation on the security components in the security orchestration platform, determining a target serverless function for a target security event and an execution order of the target serverless function, and forming a security playbook so as to process the target security event.
2. The method of claim 1, wherein, after determining the target serverless function for the target security event and the execution order of the target serverless function, in response to the orchestration operation on the security components in the security orchestration platform, to form the security playbook for processing the target security event, the method further comprises:
receiving a security event sent by a monitoring system;
determining a target security playbook corresponding to the security event, wherein the target security playbook comprises serverless functions and an execution order of the serverless functions;
sequentially triggering the serverless functions of the target security playbook according to the execution order, and processing the security event.
3. The method of claim 1, wherein the security component is an editable component, and the editable content includes at least a category, a name, configuration parameters, and a component description.
4. The method of claim 1, wherein sequentially triggering the serverless functions of the target security playbook according to the execution order to process the security event comprises:
sequentially determining the current serverless function in the target security playbook according to the execution order;
sending a working signal to the cloud server corresponding to the current serverless function, so that the cloud server processes the security event according to the working signal.
5. The method of claim 1, wherein the orchestration operation comprises at least one of selecting, editing, saving, submitting, undoing, redoing, copying, pasting, and setting.
6. The method of any of claims 1 to 5, further comprising:
adding a new security component to the security orchestration platform in response to an add operation for the new security component.
7. A security event processing apparatus, comprising:
a security orchestration platform providing module, configured to provide a security orchestration platform, wherein the security orchestration platform comprises a security component, the security component is provided with a corresponding security event and a serverless function, and the serverless function is a function that runs on a cloud server;
a security playbook orchestration module, configured to, in response to an orchestration operation on the security components in the security orchestration platform, determine a target serverless function for a target security event and an execution order of the target serverless function, and form a security playbook so as to process the target security event.
8. The apparatus of claim 7, further comprising a security event processing module, configured to receive a security event sent by a monitoring system; determine a target security playbook corresponding to the security event, wherein the target security playbook comprises serverless functions and an execution order of the serverless functions; and sequentially trigger the serverless functions of the target security playbook according to the execution order, and process the security event.
9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program; and
the processor is configured to implement the method steps of any of claims 1-6 when executing the program stored in the memory.
10. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110790309.5A CN113672910B (en) | 2021-07-13 | 2021-07-13 | Security event processing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110790309.5A CN113672910B (en) | 2021-07-13 | 2021-07-13 | Security event processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113672910A true CN113672910A (en) | 2021-11-19 |
CN113672910B CN113672910B (en) | 2024-06-11 |
Family
ID=78539112
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110790309.5A Active CN113672910B (en) | 2021-07-13 | 2021-07-13 | Security event processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113672910B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130097662A1 (en) * | 2011-10-18 | 2013-04-18 | Mcafee, Inc. | Integrating security policy and event management |
CN109154963A (en) * | 2016-07-14 | 2019-01-04 | 华为技术有限公司 | A kind of device and method for preventing internal storage data from revealing |
US20190312946A1 (en) * | 2018-04-05 | 2019-10-10 | International Business Machines Corporation | Orchestration engine facilitating management of operation of resource components |
US20200177615A1 (en) * | 2018-12-03 | 2020-06-04 | Accenture Global Solutions Limited | Leveraging attack graphs of agile security platform |
CN111818069A (en) * | 2020-07-14 | 2020-10-23 | 绿盟科技集团股份有限公司 | Method, device, medium and computer equipment for presenting security event processing flow |
CN111835768A (en) * | 2020-07-14 | 2020-10-27 | 绿盟科技集团股份有限公司 | Method, device, medium and computer equipment for processing security event |
CN112529417A (en) * | 2020-12-14 | 2021-03-19 | 杭州安恒信息技术股份有限公司 | Security event processing method, device, equipment and storage medium |
US20210176261A1 (en) * | 2019-12-10 | 2021-06-10 | Fortinet, Inc. | Cloud-based orchestration of incident response using multi-feed security event classifications with machine learning |
CN113037744A (en) * | 2021-03-05 | 2021-06-25 | 中通服创发科技有限责任公司 | Interactive safety event script arranging and disposing method and device |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130097662A1 (en) * | 2011-10-18 | 2013-04-18 | Mcafee, Inc. | Integrating security policy and event management |
CN107563203A (en) * | 2011-10-18 | 2018-01-09 | 迈可菲公司 | Integrated security strategy and incident management |
CN109154963A (en) * | 2016-07-14 | 2019-01-04 | 华为技术有限公司 | A kind of device and method for preventing internal storage data from revealing |
US20190312946A1 (en) * | 2018-04-05 | 2019-10-10 | International Business Machines Corporation | Orchestration engine facilitating management of operation of resource components |
US20200177615A1 (en) * | 2018-12-03 | 2020-06-04 | Accenture Global Solutions Limited | Leveraging attack graphs of agile security platform |
US20210176261A1 (en) * | 2019-12-10 | 2021-06-10 | Fortinet, Inc. | Cloud-based orchestration of incident response using multi-feed security event classifications with machine learning |
CN111818069A (en) * | 2020-07-14 | 2020-10-23 | 绿盟科技集团股份有限公司 | Method, device, medium and computer equipment for presenting security event processing flow |
CN111835768A (en) * | 2020-07-14 | 2020-10-27 | 绿盟科技集团股份有限公司 | Method, device, medium and computer equipment for processing security event |
CN112529417A (en) * | 2020-12-14 | 2021-03-19 | 杭州安恒信息技术股份有限公司 | Security event processing method, device, equipment and storage medium |
CN113037744A (en) * | 2021-03-05 | 2021-06-25 | 中通服创发科技有限责任公司 | Interactive safety event script arranging and disposing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN113672910B (en) | 2024-06-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10862906B2 (en) | | Playbook based data collection to identify cyber security threats |
CN113495820B (en) | | Anomaly information collecting and processing method and device and anomaly monitoring system |
CN110266670A (en) | | A kind of processing method and processing device of terminal network external connection behavior |
CN110990233A (en) | | Method and system for displaying SOAR by using Gantt chart |
CN115766258B (en) | | Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph |
CN115378713B (en) | | Block chain application early warning defense method, storage medium and electronic equipment |
CN115865525B (en) | | Log data processing method, device, electronic equipment and storage medium |
CN110941632A (en) | | Database auditing method, device and equipment |
CN110442582B (en) | | Scene detection method, device, equipment and medium |
CN114363002B (en) | | Method and device for generating network attack relation diagram |
CN110930110B (en) | | Distributed flow monitoring method and device, storage medium and electronic equipment |
US11985149B1 (en) | | System and method for automated system for triage of cybersecurity threats |
CN113672910B (en) | | Security event processing method and device |
US12105725B2 (en) | | Automatic determination of alternative paths for a process flow using machine learning |
CN113992371B (en) | | Threat label generation method and device for traffic log and electronic equipment |
CN114039765A (en) | | Safety management and control method and device for power distribution Internet of things and electronic equipment |
CN109327433B (en) | | Threat perception method and system based on operation scene analysis |
CN109902831B (en) | | Service decision processing method and device |
CN111291127A (en) | | Data synchronization method, device, server and storage medium |
CN116781389B (en) | | Determination method of abnormal data list, electronic equipment and storage medium |
CN110166421B (en) | | Intrusion control method and device based on log monitoring and terminal equipment |
CN117034210B (en) | | Event image generation method and device, storage medium and electronic equipment |
CN113778800B (en) | | Error information processing method, device, system, equipment and storage medium |
CN114401246B (en) | | Domain name access method and device |
CN117370055A (en) | | Processing method and device for abnormal conditions of payment products and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |