CN116055118A - Security arrangement and automatic response processing method and system - Google Patents
- Publication number: CN116055118A
- Application number: CN202211635378A (CN202211635378.XA)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention provides a security orchestration and automated response processing method and system. The method comprises the following steps: performing data modeling and packaging on security element data according to various business requirements to obtain a data set; constructing function blocks for different task types based on input task configuration information to obtain a plurality of function blocks; performing playbook orchestration on the function blocks and the data set according to the business requirements to obtain a playbook, and saving the playbook to generate a corresponding playbook definition file; and, for a network security event to be processed, calling the corresponding target playbook definition file from the playbook definition files and executing it, so that automated response processing of the network security event is achieved. By flexibly editing the response playbook, the method can execute routine and repetitive work automatically, shortens the response time for network security events, and improves the standardization and efficiency of the security orchestration and automated response process.
Description
Technical Field
The invention relates to the technical field of security event management, and in particular to a security orchestration and automated response processing method and system. The invention further relates to an electronic device and a processor-readable storage medium.
Background
As the network security situation grows more complex, the security operations challenges faced by organizations become more severe, and when network security events occur frequently, whether emergency response is timely and effective is crucial to limiting the losses they cause. In practice, however, the products of different security vendors cannot cooperate effectively, security analysts and operators are in short supply and uneven in skill, and the resulting response capability for network security events is insufficient, slow and non-standardized, with poor processing efficiency. How to design a more effective security orchestration and automated response processing method, so as to improve the efficiency and standardization of security orchestration and automated response processing, has therefore become a problem to be solved.
Disclosure of Invention
The invention therefore provides a security orchestration and automated response processing method and system, which address the poor efficiency and standardization of security orchestration and automated response processing caused by the considerable limitations of prior-art schemes.
In a first aspect, the invention provides a security orchestration and automated response processing method, comprising: acquiring security element data corresponding to various attributes, and performing data modeling and packaging on the security element data according to various business requirements to obtain a corresponding data set, the data set comprising a plurality of data packets and labels that classify and mark the data packets;
constructing function blocks for different task types based on input task configuration information, to obtain a plurality of function blocks corresponding to the different task types, so as to represent the automated response capability for network security events;
performing playbook orchestration on the function blocks and the data set according to the business requirements to obtain corresponding playbooks, and saving the playbooks to generate corresponding playbook definition files, wherein a playbook is a business process flow representation comprising a start node, an end node and at least one of the function blocks;
and, for a network security event to be processed, calling the corresponding target playbook definition file from the playbook definition files and executing it, so as to achieve automated response processing of the network security event.
Further, performing data modeling and packaging on the security element data according to various business requirements to obtain a corresponding data set specifically comprises:
picking up data from various data sources with a data picker and packaging it into an initial data set;
mapping, with a data mapping module, the distributed and heterogeneous security element data in the initial data set onto the respective business requirement types that the data analysis module is concerned with;
performing data modeling on the various security element data by business requirement type with the data analysis module to obtain the corresponding data set, the business requirement types comprising alarm processing, asset management, vulnerability inspection, intelligence analysis, risk processing and threat processing;
wherein picking up data from various data sources with the data picker and packaging it into an initial data set specifically comprises:
describing the structure of the data of each data source to be accessed with an access data element definition module based on a metadata definition mechanism, and filtering data from the various data sources by attribute with a data filter that runs on the metadata definition mechanism, so as to pick up the target data and obtain the initial data set; wherein the attributes include event type, alert level and asset attributes.
Further, constructing function blocks for different task types based on input task configuration information to obtain a plurality of function blocks corresponding to the different task types specifically comprises:
acquiring task configuration information input by a user for the different task types;
determining, based on the task configuration information, the response actions corresponding to the different task types and used to implement different business logic, and the task plug-ins that accept instructions and provide specific services or link to security devices; and obtaining the function blocks from the response actions and the task plug-ins, the function blocks being the basic components from which playbooks are composed;
wherein the task configuration information comprises the task name, task description, task type, input parameters and output parameters input for each task type, and the task types comprise a linked handling task, an approval task, a message notification task, a work order task, a context enrichment task, a log retrieval task, an information query task, a handling task, a logic analysis task and a flow task.
Further, performing playbook orchestration on the function blocks and the data set according to various business requirements to obtain a corresponding playbook specifically comprises:
performing playbook orchestration on the function blocks and the data packets in advance according to the business requirements, to obtain a preconfigured general playbook;
wherein the general playbook comprises an active playbook adapted to routine daily inspection and/or a passive emergency response playbook for handling network security attack tasks.
Further, performing playbook orchestration on the function blocks and the data set according to various business requirements to obtain a corresponding playbook further comprises:
referencing a start node, an end node and at least one function block through editing operations on a preset canvas, and arranging the business logic of the start node, the end node, the at least one function block and the corresponding data packets according to the business requirements, to obtain a corresponding playbook actively configured by the user;
wherein the playbook actively configured by the user comprises an active playbook adapted to routine daily inspection and/or a passive emergency response playbook for handling network security attack tasks.
Further, saving the playbook to generate a corresponding playbook definition file specifically comprises: after the playbook is saved, defining the automated response flow of the playbook in terms of the function blocks corresponding to the business requirements, the automated response flow comprising a set of business processing nodes and edges, the data set that defines each business processing node in the flow, and the basic parameter information that defines the playbook; and generating the corresponding playbook definition file from this definition.
Further, after referencing the start node, the end node and the at least one function block through editing operations on the preset canvas, the method further comprises:
referencing a preset sub-playbook through editing operations on the preset canvas, and arranging the business logic of the start node, the end node, the at least one function block, the corresponding data packets and the sub-playbook according to the business requirements, to obtain a corresponding playbook in which the sub-playbook is used in a nested manner.
In a second aspect, the invention also provides a security orchestration and automated response processing system, comprising:
a data modeling and packaging unit, configured to acquire security element data corresponding to various attributes and to perform data modeling and packaging on the security element data according to various business requirements to obtain a corresponding data set, the data set comprising a plurality of data packets and labels that classify and mark the data packets;
a function block construction unit, configured to construct function blocks for different task types based on input task configuration information, to obtain a plurality of function blocks corresponding to the different task types, so as to represent the automated response capability for network security events;
a playbook orchestration unit, configured to perform playbook orchestration on the function blocks and the data set according to the business requirements to obtain corresponding playbooks, and to save the playbooks to generate corresponding playbook definition files, wherein a playbook is a business process flow representation comprising a start node, an end node and at least one of the function blocks;
and a playbook execution unit, configured to call the corresponding target playbook definition file from the playbook definition files for a network security event to be processed and to execute it, so as to achieve automated response processing of the network security event.
Further, the data modeling and packaging unit is specifically configured to:
pick up data from various data sources with a data picker and package it into an initial data set;
map, with a data mapping module, the distributed and heterogeneous security element data in the initial data set onto the respective business requirement types that the data analysis module is concerned with;
perform data modeling on the various security element data by business requirement type with the data analysis module to obtain the corresponding data set, the business requirement types comprising alarm processing, asset management, vulnerability inspection, intelligence analysis, risk processing and threat processing;
wherein picking up data from various data sources with the data picker and packaging it into an initial data set specifically comprises:
describing the structure of the data of each data source to be accessed with an access data element definition module based on a metadata definition mechanism, and filtering data from the various data sources by attribute with a data filter that runs on the metadata definition mechanism, so as to pick up the target data and obtain the initial data set; wherein the attributes include event type, alert level and asset attributes.
Further, the function block construction unit is specifically configured to:
acquire task configuration information input by a user for the different task types;
determine, based on the task configuration information, the response actions corresponding to the different task types and used to implement different business logic, and the task plug-ins that accept instructions and provide specific services or link to security devices; and obtain the function blocks from the response actions and the task plug-ins, the function blocks being the basic components from which playbooks are composed;
wherein the task configuration information comprises the task name, task description, task type, input parameters and output parameters input for each task type, and the task types comprise a linked handling task, an approval task, a message notification task, a work order task, a context enrichment task, a log retrieval task, an information query task, a handling task, a logic analysis task and a flow task.
Further, the playbook orchestration unit is specifically configured to:
perform playbook orchestration on the function blocks and the data packets in advance according to the business requirements, to obtain a preconfigured general playbook;
wherein the general playbook comprises an active playbook adapted to routine daily inspection and/or a passive emergency response playbook for handling network security attack tasks.
Further, the playbook orchestration unit is further configured to:
reference a start node, an end node and at least one function block through editing operations on a preset canvas, and arrange the business logic of the start node, the end node, the at least one function block and the corresponding data packets according to the business requirements, to obtain a corresponding playbook actively configured by the user;
wherein the playbook actively configured by the user comprises an active playbook adapted to routine daily inspection and/or a passive emergency response playbook for handling network security attack tasks.
Further, the scenario editing unit is specifically configured to: after the script is stored, defining an automatic response flow of the script based on functional blocks corresponding to various service requirements, wherein the automatic response flow comprises a set of service processing nodes and edges, a data set for defining each service processing node in the automatic response flow and basic parameter information for defining the script, and generating a corresponding script definition file.
Further, the system also comprises a sub-playbook orchestration unit, configured to, after the start node, the end node and the at least one function block have been referenced through editing operations on the preset canvas:
reference a preset sub-playbook through editing operations on the preset canvas, and arrange the business logic of the start node, the end node, the at least one function block, the corresponding data packets and the sub-playbook according to the business requirements, to obtain a corresponding playbook in which the sub-playbook is used in a nested manner.
In a third aspect, the invention also provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the security orchestration and automated response processing method according to any one of the preceding claims.
In a fourth aspect, the invention also provides a processor-readable storage medium on which a computer program is stored, which when executed by a processor performs the steps of the security orchestration and automated response processing method according to any one of the preceding claims.
According to the security orchestration and automated response processing method provided by the invention, security element data corresponding to various attributes is acquired and subjected to data modeling and packaging according to various business requirements to obtain a data set; function blocks are constructed for different task types based on input task configuration information to obtain a plurality of function blocks; playbook orchestration is performed on the function blocks and the data set according to the business requirements to obtain a playbook, which is saved to generate a corresponding playbook definition file; and, for a network security event to be processed, the corresponding target playbook definition file is called from the playbook definition files and executed, so that automated response processing of the network security event is achieved. By flexibly editing the response playbook, the method can execute routine and repetitive work automatically, effectively shortens the response time for network security events, reduces the cost of security analysis and security operations, and improves the standardization and efficiency of the security orchestration and automated response process.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will briefly describe the drawings that are required to be used in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without any inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a security orchestration and automated response processing method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the complete flow of a security orchestration and automated response processing method according to an embodiment of the invention;
FIG. 3 is a schematic flow chart of data modeling and packaging of security element data according to an embodiment of the invention;
FIG. 4 is a flow chart illustrating the execution of SOAR business flow interpretation and job scheduling according to an embodiment of the invention;
FIG. 5 is a schematic diagram of a security orchestration and automated response processing system according to an embodiment of the invention;
FIG. 6 is a schematic diagram of the entity structure of an electronic device according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which are derived by a person skilled in the art from the embodiments according to the invention without creative efforts, fall within the protection scope of the invention.
Embodiments of the security orchestration and automated response processing method according to the invention are described in detail below. As shown in FIG. 1, the flow of a security orchestration and automated response processing method according to an embodiment of the invention comprises the following steps:
Step 101: acquire security element data corresponding to various attributes, and perform data modeling and packaging on the security element data according to various business requirements to obtain a corresponding data set; the data set contains a plurality of data packets and labels that classify and mark the data packets.
In implementing this step, a Data Picker can be used to pick up data from the various Data Sources and package it into an initial data set; a Data Mapping module maps the distributed and heterogeneous security element data in the initial data set onto the respective business requirement types that the data analysis module is concerned with; and the data analysis module (SOAR Analysis Models) performs data modeling on the various security element data by business requirement type to obtain the corresponding data set (the SOAR DataSet). The business requirement types comprise alarm processing, asset management, vulnerability inspection, intelligence analysis, risk processing and threat processing. Picking up data from the various data sources with the Data Picker and packaging it into an initial data set specifically comprises: describing the structure of the data of each data source to be accessed with an access data element definition module (Meta Data) based on a metadata definition mechanism, and filtering the data of the various data sources by attribute with a Data Filter that runs on the metadata definition mechanism, so as to pick up the target data and obtain the initial data set. The attributes include, but are not limited to, event type, alert level and asset attributes. The data sources include, but are not limited to, asset information bases, threat intelligence bases, vulnerability scan databases, network traffic, running logs and the like. SOAR stands for Security Orchestration, Automation and Response.
As shown in FIG. 2, in the process of acquiring, modeling and packaging the security element data, a data source must first be defined. Structured and unstructured security element data can be supported through ETL on the NOAH platform (an internal NOAH big data analysis support platform), and security element data can also be extracted from a third-party SIEM (Security Information and Event Management) system. The method supports data acquisition from a preset situation awareness and security operations platform (NGSOC), covering security element data of the various kinds of interest, such as logs/traffic, alarms, assets, vulnerabilities, intelligence, risks and threats.
The system takes the SOAR DataSet as the input to playbooks (Playbooks); it is obtained by packaging security element data according to the business requirements. In the concrete functional implementation, the SOAR DataSet comprises tags and data packets. The tags are classification labels for the data packets, such as a vulnerability tag and a threat alert tag. A data packet marked with the vulnerability tag describes a vulnerability of an IT asset itself in the environment; a data packet marked with the threat alert tag describes a threat event and behaviour discovered in the network. For example, a threat alert data packet has the following structure: { alarm sequence, alarm unique identifier, alarm name, alarm type, first alarm time, latest alarm time, data source IP associated asset, source IP geographical location, source IP associated asset, source port, destination IP geographical location, destination IP associated asset, destination port, communication direction, attacker IP, victim IP, confidence, compromise status, attack chain, attack result, hazard class, IOC, IOC type, domain name, URL, occurrence count, handling suggestion, handling sequence, handling status, handling time, associated work order, work order status, threat type, associated vulnerability, associated intelligence, associated log, detection rule }. The SOAR DataSet is a set of SOAR Analysis Models, that is, a set of security element data; different playbooks require different compositions of SOAR Analysis Models in the SOAR DataSet. The Data Picker can pick up security element data on an automatic schedule or by manual trigger and package it into the SOAR DataSet. A SOAR Analysis Model is the data model of one kind of security element data; the main categories are logs/traffic, alarms, assets, vulnerabilities, intelligence, risks, threats and the like. Meta Data defines the structure of the security element data, and the Data Filter implements filtering.
Data Mapping implements the mapping onto the SOAR Analysis Models: it maps the accessed security element data onto the business requirement types that the SOAR Analysis Models are concerned with, so that scattered, heterogeneous data is mapped onto the types of interest to SOAR. Both the structure of the security element data accessed through Data Mapping and the data structure of the data analysis model are flexibly defined; automated evidence collection, investigation, analysis, handling and response only require extracting, from the accessed security element data, the security element types that the data analysis model is concerned with. The Data Filter picks up target data by filtering it according to various attributes, with the granularity controlled by the filter conditions, for example by event classification, alert level or asset attributes. The Data Filter runs on the metadata definition, and the filter is referenced by the Data Picker to pick up different security element data according to the conditions. Meta Data describes the structure of the data to be accessed, that is, the metadata, such as a Kafka topic, an ES index, the table structure of a database, or the structure of the data returned by an interface. The metadata definition mechanism supports heterogeneous data access, and access to the various data of the NGSOC is supported by default.
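The Meta Data / Data Filter / Data Picker / Data Mapping pipeline described for step 101, as an added Python illustration that is not the patent's own code: two constructed sources with different schemas are filtered by alert level and severity, mapped onto analysis-model fields named after the threat alert packet structure, and packaged into a tagged SOAR DataSet. All record layouts, field names and source names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

# Meta Data: structural description of one data source to be accessed.
# field_map names the source fields of interest and the analysis-model
# field each one maps onto; everything else in a record is dropped.
@dataclass(frozen=True)
class MetaData:
    source_name: str               # constructed: a Kafka topic, ES index, DB table ...
    field_map: dict[str, str]      # source field -> SOAR Analysis Model field

# Data Filter: predicates that run on the raw record before mapping, so the
# pick-up granularity is controlled by event type, alert level, asset attribute.
Predicate = Callable[[dict[str, Any]], bool]

def alert_level_at_least(min_level: int) -> Predicate:
    return lambda rec: int(rec.get("alert_level", 0)) >= min_level

def attr_in(name: str, values: set) -> Predicate:
    return lambda rec: rec.get(name) in values

# SOAR DataSet: tagged data packets, one packet per mapped record.
@dataclass
class DataPacket:
    tag: str                        # classification label, e.g. "threat_alert"
    fields: dict[str, Any]

@dataclass
class SOARDataSet:
    packets: list[DataPacket] = field(default_factory=list)

    def by_tag(self, tag: str) -> list[DataPacket]:
        return [p for p in self.packets if p.tag == tag]

def data_mapping(meta: MetaData, record: dict[str, Any]) -> dict[str, Any]:
    """Map a heterogeneous source record onto the analysis-model fields.
    A source field missing from the record maps to None rather than failing."""
    return {model_field: record.get(src_field)
            for src_field, model_field in meta.field_map.items()}

def data_picker(sources: dict[str, list[dict[str, Any]]],
                metas: dict[str, MetaData],
                filters: dict[str, list[Predicate]],
                tags: dict[str, str]) -> SOARDataSet:
    """Pick target data from every source that has a metadata definition,
    filter it, map it onto the analysis model and package it into a SOAR DataSet.
    A source without Meta Data cannot be described structurally and is skipped."""
    dataset = SOARDataSet()
    for name, records in sources.items():
        meta = metas.get(name)
        if meta is None:
            continue
        preds = filters.get(name, [])
        for rec in records:
            if all(p(rec) for p in preds):
                dataset.packets.append(DataPacket(tags[name], data_mapping(meta, rec)))
    return dataset

# ---- constructed sample: two sources with different schemas ----
SIEM_ALERTS = [  # constructed SIEM alert records
    {"alarm_id": "A-1", "alarm_name": "webshell upload", "event_type": "web_attack",
     "alert_level": 4, "src_ip": "203.0.113.9", "dst_ip": "10.0.0.20"},
    {"alarm_id": "A-2", "alarm_name": "port scan", "event_type": "recon",
     "alert_level": 1, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.1"},
    {"alarm_id": "A-3", "alarm_name": "credential stuffing", "event_type": "brute_force",
     "alert_level": 3, "src_ip": "198.51.100.4", "dst_ip": "10.0.0.20"},
]
VULN_SCANS = [  # constructed vulnerability-scanner records
    {"host": "10.0.0.20", "plugin": "weak-tls", "severity": "medium", "asset_owner": "web"},
    {"host": "10.0.0.30", "plugin": "eol-kernel", "severity": "high", "asset_owner": "db"},
]

METAS = {
    # Threat-alert model fields follow the packet structure listed in the text.
    "siem_alerts": MetaData("siem_alerts", {
        "alarm_id": "alarm_uid", "alarm_name": "alarm_name",
        "alert_level": "hazard_class", "src_ip": "attacker_ip", "dst_ip": "victim_ip"}),
    "vuln_scans": MetaData("vuln_scans", {
        "host": "asset_ip", "plugin": "vuln_name", "severity": "hazard_class"}),
}
FILTERS = {
    "siem_alerts": [alert_level_at_least(3)],                 # drop low-level noise
    "vuln_scans": [attr_in("severity", {"high", "critical"})],
}
TAGS = {"siem_alerts": "threat_alert", "vuln_scans": "vulnerability"}

def build_sample_dataset() -> SOARDataSet:
    """Run the pick-up over the constructed sources; a source with no metadata
    definition ('netflow' here) is ignored rather than mis-mapped."""
    sources = {"siem_alerts": SIEM_ALERTS, "vuln_scans": VULN_SCANS,
               "netflow": [{"bytes": 1234}]}
    return data_picker(sources, METAS, FILTERS, TAGS)

if __name__ == "__main__":
    for p in build_sample_dataset().packets:
        print(p.tag, p.fields)
```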
Step 102: constructing functional blocks according to different task types based on the input task configuration information, to obtain a plurality of functional blocks corresponding to the different task types and so represent the automatic response capability for network security events.
In the implementation of this step, the task configuration information entered by the user for the different task types is first obtained; based on it, the response actions (Actions) corresponding to the different task types, which implement the different service logics, and the task plugins (Apps), which accept instructions and provide specific services or link security devices, are determined; the function blocks (Function Blocks) are then obtained from the response actions and the task plugins. A function block comprises two parts, Actions and Apps, and is the basic component from which a script is formed. The task configuration information includes, but is not limited to, the task name, task description, task type, input parameters and output parameters entered for each task type; the task types include, but are not limited to, a linkage disposal task, an approval task, a message notification task, a work order task, a context enrichment task, a log retrieval task, an information query task, a disposal task, a logic analysis task and a flow task.
Specifically, as shown in fig. 3, in abstracting the automatic response capability and constructing function blocks, the Function Blocks serve as the basic components of the Playbook, are atomic in service logic, and comprise two parts, Actions and Apps. Actions are a highly abstract instruction set for security product capabilities; instructions can be built on the OpenC2 specification, for example running a file in a sandbox, locating an IP, blocking a URL on a border device, or isolating a device from the network through NAC. Apps implement the response handling capability, support the integration of third-party security devices and services to extend the response capability, and support calling modes such as Python script, Java class and RESTful API. Apps accept instructions, provide the specific service or link the security device, and return the execution result of the device or service.
It should be noted that the Apps use a plug-in mechanism, so that the orchestration and automated response capability can be enhanced continuously. Each response action (Action) in the invention has its own business meaning and functional characteristics, and the actual business logic, input parameters, output parameters and user interface differ between them. The plug-in framework of the security orchestration and automated response system provides a runtime engine that dynamically scans and loads the security capability plug-ins, manages plug-in registration, maintains the plug-in life cycle, and exposes the plug-ins' capability calls externally, forming the executable tasks in a script.
Taking the use of Tianqing V10 to isolate a specific terminal in a security orchestration script as an example, the abstraction of response capability and the construction of function blocks are described further. (1) Task configuration information is entered in the task configuration interface, including: a task name; a task description (for example: the IP address of a terminal is supplied, the terminal security management system issues an isolation command to the corresponding terminal, after which the isolated terminal can only access a specific IP address; by isolating the terminal with that IP from the network, no network connection other than to the Tianqing control center can be initiated, and propagation is blocked); a task type (such as linkage disposal); input parameters (such as device type, the disposal command "isolate a specific terminal", terminal IP, disposal description and linked device); and output parameters (such as the parameter "total", of numeric type, described as "total number of commands issued", and the parameter "done", of numeric type, described as "total number of commands executed"). Different task types have different business logic and input/output parameters. (2) Different task plugins are declared according to the plugin specification when they register with the runtime engine. The orchestration engine processes the task's input and output parameters according to the plug-in declaration and invokes the plug-in to realize the business logic; the front-end program renders a different user interface per plug-in declaration. (3) The same type of task can also be implemented by different devices and disposal commands. A linkage disposal task, for instance, may involve devices such as Tianqing, Jiaotu and next-generation firewalls, each with different device types, disposal commands and command parameters.
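As an added example, not the system's own code, the following Python shows the plug-in declaration and runtime engine mechanism described above: a task plugin registers an action declaration (task type, input and output parameters with their types), the engine validates every call and every result against that declaration, and the plugin behind "isolate a specific terminal" is a simulated terminal manager that returns the declared total/done outputs. ActionDeclaration, Param, RuntimeEngine, the parameter names and the inventory of managed terminals are assumptions made for this example.

```python
"""Added example (not the system's own API): a plug-in declaration checked by a runtime engine.
ActionDeclaration, Param, RuntimeEngine, the parameter names and the terminal inventory are assumptions."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Param:
    name: str
    dtype: type
    description: str
    required: bool = True


@dataclass(frozen=True)
class ActionDeclaration:
    """What a task plugin declares when it registers with the runtime engine."""
    name: str
    task_type: str
    description: str
    inputs: tuple
    outputs: tuple


class PluginError(Exception):
    pass


class RuntimeEngine:
    """Registers plugins, validates task I/O against the declaration and exposes the tasks."""
    def __init__(self):
        self._plugins: dict = {}                 # action name -> (declaration, handler)

    def register(self, decl: ActionDeclaration, handler: Callable[[dict], dict]) -> None:
        if decl.name in self._plugins:
            raise PluginError(f"action '{decl.name}' already registered")
        self._plugins[decl.name] = (decl, handler)

    def tasks(self) -> list:
        return sorted(self._plugins)             # executable tasks a script may reference

    def invoke(self, action: str, params: dict) -> dict:
        decl, handler = self._plugins[action]
        self._check(decl.inputs, params, "input")
        result = handler(params)
        self._check(decl.outputs, result, "output")   # the plugin must honour its own declaration
        return result

    @staticmethod
    def _check(spec: tuple, values: dict, kind: str) -> None:
        extra = set(values) - {p.name for p in spec}
        if extra:
            raise PluginError(f"undeclared {kind} parameter(s): {sorted(extra)}")
        for p in spec:
            if p.name not in values:
                if p.required:
                    raise PluginError(f"missing required {kind} '{p.name}'")
            elif not isinstance(values[p.name], p.dtype):
                raise PluginError(f"{kind} '{p.name}' must be {p.dtype.__name__}")


class SimulatedTerminalManager:
    """Stand-in for a terminal security management system; no real device is contacted."""
    def __init__(self, managed_terminals: list):
        self.managed, self.isolated = set(managed_terminals), set()

    def isolate(self, params: dict) -> dict:
        done = 0                                 # one isolation command per terminal IP
        for ip in params["terminal_ip"]:
            if ip in self.managed:               # only terminals under management can be isolated
                self.isolated.add(ip)
                done += 1
        return {"total": len(params["terminal_ip"]), "done": done}


ISOLATE_TERMINAL = ActionDeclaration(
    name="isolate_terminal", task_type="linkage_disposal",
    description="Isolate the terminal with the given IP so that it can only reach the control center",
    inputs=(Param("device_type", str, "linked device type"),
            Param("terminal_ip", list, "terminal IP list"),
            Param("disposal_note", str, "disposal description", required=False)),
    outputs=(Param("total", int, "total number of commands issued"),
             Param("done", int, "total number of commands executed")))


def build_engine():
    engine, tsm = RuntimeEngine(), SimulatedTerminalManager(["10.0.0.5", "10.0.0.20"])  # constructed inventory
    engine.register(ISOLATE_TERMINAL, tsm.isolate)
    return engine, tsm


def demo() -> dict:
    engine, _ = build_engine()
    return engine.invoke("isolate_terminal",
                         {"device_type": "endpoint", "terminal_ip": ["10.0.0.5", "10.0.0.99"]})


def demo_rejected_input() -> str:
    """The engine refuses a call whose parameters do not match the declaration."""
    engine, _ = build_engine()
    try:
        engine.invoke("isolate_terminal", {"device_type": "endpoint"})
    except PluginError as exc:
        return str(exc)
    return ""
```

Checking the plugin's result against its declared outputs, not only its inputs, is what keeps a misbehaving or outdated plugin from silently feeding undeclared fields into later nodes of a script.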
In the process of a scenario linking Tianqing to block a specific terminal, the actual business flow may be: the scenario input parameters specify the terminal IP; node T1 examines and approves the sensitive operation; node T2 blocks the terminal IP according to the approval result; if T2 blocks successfully, the scenario ends; if T2 fails to block, node T3 sends mail to notify staff to intervene. Each node references a function block, and the task types of the function blocks include, but are not limited to, linkage disposal tasks, approval tasks, message notification tasks, work order tasks, context enrichment tasks, log retrieval tasks, information query tasks, logic analysis tasks and flow tasks.
The security orchestration and automated response processing method provided by the embodiment of the invention can implement multiple types of Apps plug-ins, covering more than 50 response Actions such as linkage disposal, approval, message notification, work order, context enrichment, log retrieval, information query and logic analysis; these form the Actions of the security orchestration system and are not described in detail here.
Step 103: performing script orchestration on the function blocks and the data sets according to the various service requirements to obtain the corresponding scripts, and saving the scripts to generate the corresponding script definition files; a scenario is a representation of a business process flow comprising a start node, an end node and at least one function block.
In the implementation of this step, script orchestration is first performed in advance on the function blocks and data packets according to the various service requirements, to obtain the preconfigured general scripts. The general scripts comprise active scripts, adapted to proactive daily inspection, and/or passive emergency response scripts for handling network security attack tasks. In addition, the start node, the end node and the at least one function block can be referenced through editing operations on a preset canvas, and the business logic of the start node, the end node, the at least one function block and the corresponding data packet is orchestrated according to the service requirements to obtain a script actively configured by the user. Likewise, a script actively configured by the user may be an active script adapted to proactive daily inspection and/or a passive emergency response script for handling network security attack tasks.
In addition, the embodiment of the invention also supports nested scripts to improve orchestration efficiency. Specifically, after the start node, the end node and the at least one function block have been referenced through editing operations on the preset canvas, the method further comprises: referencing a preset sub-script through editing operations on the preset canvas, and orchestrating the business logic of the start node, the end node, the at least one function block, the corresponding data packet and the sub-script according to the service requirements to obtain the corresponding script, thereby realizing nested use of the sub-script.
Saving the scenario to generate the corresponding scenario definition file specifically comprises: after the script is saved, defining the script's automatic response flow (diagram) on the basis of the function blocks corresponding to the service requirements, the automatic response flow comprising the set of service processing nodes and edges (nodes and edges); defining the data set (dataset) of each service processing node in the flow; defining the basic parameter information (info) of the script; and generating the corresponding script definition file from these.
Specifically, in the security orchestration scenario and its representation of a business flow as a playbook, data, technologies/tools and people/teams are combined through the playbook into flows and strategies. This is the guarantee of standardization, consistency and efficiency of security response, the solidification of security analysis, operation and maintenance capability and experience, and a process that can be followed, tracked, measured and continuously improved. Tasks are the basic components of a script: atomic in business, highly cohesive in functional design, and the basic unit of orchestration. Tasks provide the response capability for security events; besides self-built security capabilities, the response capability can be extended by interfacing with third-party security devices or services (task plugins).
When a script is orchestrated, it comprises: the script id; a basic name (e.g. "block external IP and notify the responsible person"); a description of the scenario (e.g. which alarm is selected); and the input parameters of the scenario, including the data packet. The content of a data packet is the fields of the corresponding alarm, which are predefined or preconfigured; for example, different data packets are predefined for "alarm", "vulnerability" and "asset association" respectively, the "alarm" data packet may contain 50 fields and the "vulnerability" data packet 100 fields, so the data packets are further divided into alarm data packets, vulnerability data packets and so on. A passive emergency response scenario is one applied to an unplanned, passive situation, such as the various alarm disposal, vulnerability disposal, threat disposal and security event investigation scenarios. An active scenario is one applied to a planned, proactive situation, such as routine vulnerability scanning, configuration and baseline inspection, and routine system inspection.
It should be noted that, apart from the scenario id, the basic name, the script's input/output parameters and loop detection of the flow chart, scenario orchestration also requires that each Function Block be applicable to the business context in order to form an effective Playbook. At present, a Function Block, its subsequent Function Block and the type of the Connector protocol between them are selected.
Further, the scenario is saved and the corresponding scenario definition file is generated, so as to enable automated response when a network security event is subsequently detected. The scenario definition file comprises three parts: diagram, dataset and info. The diagram comprises the nodes and edges sets, corresponding respectively to the definitions of the nodes and edges of the script flow; it is a directed acyclic business flow chart, which technically represents the automated response flow for a threat event and logically defines the orchestration of the various security response capabilities. The dataset is the data set of each node in the defined scenario flow, comprising the input/output parameters of service nodes, the conditional expressions of gateways, the flow context data reference statements and the like. The info holds basic parameter information such as the script's input/output parameter definitions, script tags, data packets and script name.
The description of the scenario "guard network - block suspicious IP" defined above is further described in connection with the security orchestration scenario service: (1) The script has a unique identifier declared at its start node, such as P000004; it uses a six-character base-36 encoding with characters in [0-9a-z], giving a capacity of more than 2.17 billion identifiers, which is simple, convenient for script context references and of sufficient capacity. (2) Scripts are nestable; a nested script is called a sub-script, which provides flow reuse and improves orchestration efficiency. (3) The unique identifiers of scripts and sub-scripts take P as prefix, and task nodes take T as prefix. (4) The basic information of a scenario includes: scenario ID, scenario name, scenario description, application module and data packet, and any number of input and output parameters can be added. (5) Task nodes (i.e. the nodes in the script) may reference the script's data packet, the script's input parameters, and the output parameters of direct and indirect predecessor task nodes; for example, the attacker IP in the data packet of scenario P000004 is referenced as ${#P000004.attacker_ip}. (6) Besides tasks formed from response actions (Actions), the nodes of a script support flow gateways, which decide the direction of the flow; a gateway declares a conditional expression that references context data to make the decision. (7) The nodes of a scenario also include three logic analysis set operations, complement, intersection and union, which are not particularly limited. (8) A scenario has unique start and end nodes.
Step 104: calling the corresponding target scenario definition file from the scenario definition files based on the network security event to be processed, and executing the target scenario definition file to realize automatic response processing for the network security event.
Specifically, the network security event to be processed may be any of various network attacks, vulnerabilities and other events, covering both active security inspection and passive security event response. The essence of orchestrating the automated response to a network security event is the generation of the scenario definition file. The scenario definition file is an executable code file generated from the scenario flow and is interpreted and executed by an engine. The target scenario definition file is the executable code file selected from the scenario definition files to automate the response processing of the corresponding network security event.
In one example, the scenario "guard network - block suspicious IP" executes as follows:
(1) Task node T1, "internal/external IP packet conversion", groups an IP list into an internal IP list and an external IP list. Its input parameter, the IP list, takes the value of the attacker IP in the data packet of scenario P000004, written as the expression ${#P000004.attacker_ip}; its output parameters are the execution status (status), internal IP list (innerIp), external IP list (outerIp), creation time (createTime) and error information (errorMsg).
(2) Task node T1 is connected to an exclusive branch gateway, which judges whether T1.outerIp is empty.
(3) If T1.outerIp is not empty, task node T2 is executed to obtain the blacklist of already-blocked IPs, so that an IP is not blocked twice; its output parameters are the IP blacklist (blackList), creation time (createTime) and error information (errorMsg).
(4) Task node T3 performs the logic analysis "intersection": the input parameters are ${#T1.outerIp} and ${#T2.blackList}, and the output parameter (output) is the intersection of the two sets, i.e. the external attacker IPs already in the IP blacklist.
(5) Task node T4 performs the logic analysis "complement": the input parameters are ${#T1.outerIp} and ${#T3.output}, and the output parameter (output) is the complement, i.e. the external attacker IPs not in the IP blacklist, which is the list of external attacker IPs to be blocked.
(6) Task node T4 is connected to an exclusive branch gateway, which judges whether the list of external attacker IPs to be blocked, ${#T4.output}, is empty.
(7) If the attacker IP list ${#T4.output} is not empty, task node T5 and sub-scenario P6 are executed in sequence.
(8) Scenario P6 is a sub-scenario whose input parameter is ${#T4.output}, the list of external attacker IPs to be blocked.
(9) Task node T5 sends mail to notify the relevant personnel to pay attention to the external attacker information.
(10) Task node T7 adds the successfully blocked external attacker IP list ${#T4.output} to the system IP blacklist, and the scenario execution ends.
As shown in fig. 4, in the interpretation of the scenario business process and the scheduling of jobs, the PSW (Program Status Word) register describes the runtime state of the node tasks of every scenario in progress and is stored in the Redis cache. RuntimeTask is a physical table for data persistence; the running state data recorded in the PSW register is written to the RuntimeTask table periodically, so that data loss is kept to a minimum in the event of a power failure or equipment failure. The flow task scheduling controller periodically polls the PSW register and moves tasks in the ready state into the job queue. A scenario flow has unique Start and End nodes. After receiving and verifying the script's input data and completing the other flow initialization operations, the Start node emits a flow start event, which changes the PSW so that the tasks of the successor nodes enter the ready state. The End node (i.e. the termination node) represents the end of the scenario flow task; because of the condition decisions and path decisions of the gateways in the flow, it cannot be guaranteed that all paths leading to the End node will be executed. Once all tasks to be executed in the script's business flow have completed, the End node dispatches a flow end event. It should be noted that, in the SOAR, a gateway is a decision point that adjusts the execution path of the scenario according to specific conditions and messages; the gateways comprise the exclusive branch gateway, the compatible (inclusive) branch gateway, the OR-type aggregation gateway and the AND-type aggregation gateway. The flow gateway node influences the execution of the scenario flow according to its condition configuration and the scenario context data. The normal service nodes of the scenario flow are executed in sequential flow.
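The scenario definition file (info, diagram, dataset) described under Step 103, the execution example of the scenario "guard network - block suspicious IP", and the PSW register and scheduler just described are tied together in the following added Python interpreter, which is not the system's own code. It loads a constructed definition with conditional edges, performs flow chart loop detection, resolves ${#NODE.field} context references against the data packet and predecessor outputs, and runs a scheduler loop over a per-node state dictionary standing in for the Redis-backed PSW. The node kinds, handler functions, the RFC 1918 ranges used for the internal/external split, the simulated blacklist and the sample packet are all assumptions.

```python
"""Added example (not the system's own code): a minimal interpreter for a scenario definition
file (info, diagram, dataset) with loop detection, context references and a PSW-style scheduler."""
import re
from collections import deque
from ipaddress import ip_address, ip_network

REF = re.compile(r"^\$\{#(\w+)\.(\w+)\}$")          # whole-string context reference ${#NODE.field}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(value, ctx):
    m = REF.match(str(value))                        # replace a reference with the context value
    return ctx[m.group(1)][m.group(2)] if m else value


class ScenarioEngine:
    def __init__(self, definition: dict, handlers: dict):
        self.info, self.dataset = definition["info"], definition["dataset"]
        self.nodes = definition["diagram"]["nodes"]          # node id -> kind
        self.handlers = handlers                             # task node id -> callable(inputs) -> outputs
        self.succ = {n: [] for n in self.nodes}              # node -> [(successor, edge condition)]
        for src, dst, cond in definition["diagram"]["edges"]:
            self.succ[src].append((dst, cond))
        self._check_loops()

    def _check_loops(self) -> None:
        colour = {}                                          # DFS; grey = on the current path

        def visit(n):
            colour[n] = "grey"
            for m, _ in self.succ[n]:
                if colour.get(m) == "grey":
                    raise ValueError(f"flow chart loop detected at {n} -> {m}")
                if m not in colour:
                    visit(m)
            colour[n] = "black"
        for n in self.nodes:
            if n not in colour:
                visit(n)

    def run(self, packet: dict) -> dict:
        ctx = {self.info["id"]: packet}                      # flow context: packet + node outputs
        psw = {n: "waiting" for n in self.nodes}             # per-node runtime state (PSW register)
        start = next(n for n, k in self.nodes.items() if k == "start")
        psw[start], ready = "ready", deque([start])
        while ready:                                         # scheduler: ready tasks enter the job queue
            n = ready.popleft()
            psw[n], spec = "running", self.dataset.get(n, {})
            chosen = [d for d, c in self.succ[n] if c is None]   # unconditional outgoing edges
            if self.nodes[n] == "task":                      # also sub-scenario nodes (P prefix)
                inputs = {k: resolve(v, ctx) for k, v in spec.get("inputs", {}).items()}
                ctx[n] = self.handlers[n](inputs)
            elif self.nodes[n] == "exclusive_gateway":       # exactly one outgoing edge is taken
                branch = "true" if resolve(spec["condition"], ctx) else "false"
                chosen = [d for d, c in self.succ[n] if c == branch]
            psw[n] = "done"
            for d in chosen:
                if psw[d] == "waiting":
                    psw[d] = "ready"
                    ready.append(d)
        return {"context": ctx, "psw": psw}


def block_suspicious_ip_definition(extra_edges=()) -> dict:
    nodes = {"Start": "start", "T1": "task", "G1": "exclusive_gateway", "T2": "task", "T3": "task",
             "T4": "task", "G2": "exclusive_gateway", "T5": "task", "P6": "task", "T7": "task", "End": "end"}
    edges = [("Start", "T1", None), ("T1", "G1", None), ("G1", "T2", "true"), ("G1", "End", "false"),
             ("T2", "T3", None), ("T3", "T4", None), ("T4", "G2", None), ("G2", "T5", "true"),
             ("G2", "End", "false"), ("T5", "P6", None), ("P6", "T7", None), ("T7", "End", None)]
    dataset = {"T1": {"inputs": {"ip_list": "${#P000004.attacker_ip}"}},
               "G1": {"condition": "${#T1.outerIp}"},
               "T3": {"inputs": {"a": "${#T1.outerIp}", "b": "${#T2.blackList}"}},
               "T4": {"inputs": {"a": "${#T1.outerIp}", "b": "${#T3.output}"}},
               "G2": {"condition": "${#T4.output}"},
               "T5": {"inputs": {"ips": "${#T4.output}"}}, "P6": {"inputs": {"ips": "${#T4.output}"}},
               "T7": {"inputs": {"ips": "${#T4.output}"}}}
    return {"info": {"id": "P000004", "name": "guard network - block suspicious IP"},
            "diagram": {"nodes": nodes, "edges": edges + list(extra_edges)}, "dataset": dataset}


def record(store: list, key: str, ips: list) -> dict:
    store.extend(ips)                                        # simulated persistent state
    return {key: list(ips)}


def build_handlers(blacklist: list, blocked: list) -> dict:
    def split(i):                                            # T1: internal/external IP grouping
        inner = [ip for ip in i["ip_list"] if any(ip_address(ip) in net for net in INTERNAL_NETS)]
        return {"status": "ok", "innerIp": inner, "outerIp": [ip for ip in i["ip_list"] if ip not in inner]}
    return {"T1": split, "T2": lambda _: {"blackList": list(blacklist)},
            "T3": lambda i: {"output": sorted(set(i["a"]) & set(i["b"]))},    # logic analysis: intersection
            "T4": lambda i: {"output": sorted(set(i["a"]) - set(i["b"]))},    # logic analysis: complement
            "T5": lambda i: {"mail_sent": True, "about": list(i["ips"])},     # notification
            "P6": lambda i: record(blocked, "blocked", i["ips"]),              # sub-scenario: block IPs
            "T7": lambda i: record(blacklist, "added", i["ips"])}              # add to the IP blacklist


def run_example(attacker_ips: list) -> dict:
    blacklist, blocked = ["198.51.100.9"], []                # constructed: one IP already blocked
    engine = ScenarioEngine(block_suspicious_ip_definition(), build_handlers(blacklist, blocked))
    result = engine.run({"alarm_id": "A-0001", "attacker_ip": attacker_ips})
    result["blacklist"], result["blocked"] = blacklist, blocked
    return result
```

Running `run_example(["203.0.113.7", "198.51.100.9", "10.0.0.5"])` drives the flow along the "true" branches and blocks only the one external IP not already blacklisted, while a packet with nothing to block leaves T5, P6 and T7 in the waiting state and still reaches End, which is the behaviour the text describes for paths cut off by a gateway decision.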
It should be noted that, before this step is executed, the method further comprises the design of a standard instruction set and primitives for response capability calls. In order to standardize the SOAR's response capability calls and link better with peripheral devices, the invention designs an operation command suitable for network defense systems or devices. The operation command comprises four elements: operation, what to do; target, the object on which the operation is performed; actuator, the executor of the command; and option, which affects the way the command is executed. Taking the invocation of an NGFW firewall to block access to a particular target IP and port as an example: the operation is declared as a deny (inhibit) operation, and general, investigation and adjustment operations are also supported; the target declares the object on which the operation is executed, supports target screening to precisely control the scope of the action, and builds a filter from condition expressions configured with a left value, a right value and an operator; the actuator declares the executor, with different executors for Python script, Java class and RESTful API; and the option declares the execution mode of the command, including timeout, failure policy and the like.
To further illustrate the SOAR's response capability call, take the example "invoke the NGFW firewall to block access to a specific target IP and port":
(1) Scenario instances execute to a tasking node of "NGFW firewall blocks access to specific target IP and Port".
(2) The connectivity between the security orchestration and automated response system and the NGFW device is checked, and end-to-end login authentication is completed; this is implemented by the plug-in linking the NGFW that corresponds to the task node.
(3) The plug-in constructs a command body linking NGFW to block specific IP and Port network access.
(4) Besides the command's unique identifier and basic description information, the command body comprises four elements:
(a) command-operation: declares the type of operation, in this case a blocking operation.
(b) command-actuator: declares the response capability provided by the software-disposal-ngfw-app plug-in, uniquely identified as 1d694fa6cc3c4d8eb793a927fa75a3c8, which implements the blocking of a specific network address and port; the calling mode is Java ClassLoader.
(c) command-target: declares the target object the command acts on. It embeds a filter containing several expressions, each conditional expression consisting of a left value, a right value and an operator; in this example the declarations dip_v4 = "10.48.105.132" and dport = 8088 indicate that network access to the destination address and port 10.48.105.132:8088 is to be blocked.
(d) command-option: declares options for command execution such as the timeout and the failure policy; in this example timeout = 60000 ms, strategy-failure = "retry" and strategy-retry-max = 3 express that the command execution timeout is 60 seconds and that it is retried 3 times on failure.
(e) After the command is issued to the NGFW device, the device side checks, parses and executes it according to the linkage interface specification and returns an execution result, i.e. the response body.
(f) The linkage between the security orchestration and automated response system and devices supports HTTP/HTTPS, SSH and RPC.
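The four-element command and its option semantics, as an added Python example that is neither the system's nor any NGFW vendor's code: a Command is serialised into a body with operation, target filter (left value, operator, right value), actuator and option; a dispatcher applies the failure policy and retry limit within the timeout; and a simulated NGFW checks the body, installs the rule and returns a response body. The command identifier, the transient "device busy" failure and the stand-in device are constructed; the address 10.48.105.132:8088 and the option values come from the example in the text.

```python
"""Added example (not the system's or an NGFW vendor's code): the operation command with its
operation/target/actuator/option elements, dispatched with retry and timeout to a simulated NGFW."""
import time
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass(frozen=True)
class Condition:
    """One conditional expression of the target filter: left value, operator, right value."""
    left: str
    op: str
    right: Any

    def matches(self, flow: dict) -> bool:
        value = flow.get(self.left)
        ops = {"==": lambda: value == self.right, "!=": lambda: value != self.right,
               "in": lambda: value in self.right}
        return ops[self.op]()


@dataclass
class Command:
    command_id: str
    description: str
    operation: str                  # e.g. "deny"
    target: list                    # list of Condition; all must hold for a flow to be targeted
    actuator: dict                  # which plug-in executes the command and how it is called
    option: dict = field(default_factory=lambda: {"timeout_ms": 60000,
                                                  "strategy_failure": "retry",
                                                  "strategy_retry_max": 3})

    def body(self) -> dict:
        """Serialisable command body handed to the device side."""
        return {"id": self.command_id, "description": self.description, "operation": self.operation,
                "target": {"filter": [c.__dict__ for c in self.target]},
                "actuator": dict(self.actuator), "option": dict(self.option)}


class SimulatedNGFW:
    """Device-side stand-in: checks and parses the body, installs a rule, returns a response body."""
    def __init__(self, fail_first: int = 0):
        self.rules: list = []
        self.fail_first, self.calls = fail_first, 0    # simulate transient failures (constructed)

    def handle(self, body: dict) -> dict:
        self.calls += 1
        if self.calls <= self.fail_first:
            return {"status": "error", "error_msg": "device busy"}
        if body["operation"] not in ("deny", "allow"):
            return {"status": "error", "error_msg": f"unsupported operation {body['operation']}"}
        conds = [Condition(**c) for c in body["target"]["filter"]]
        if not conds:                                  # an empty filter would match every flow
            return {"status": "error", "error_msg": "refusing a rule with an empty filter"}
        self.rules.append((body["operation"], conds))
        return {"status": "ok", "rule_index": len(self.rules) - 1}

    def permits(self, flow: dict) -> bool:
        for op, conds in self.rules:                   # first matching rule decides; default allow
            if all(c.matches(flow) for c in conds):
                return op == "allow"
        return True


def dispatch(cmd: Command, send: Callable[[dict], dict], clock=time.monotonic) -> dict:
    """Issue the command honouring the option element: retry on failure within the timeout."""
    body, opt = cmd.body(), cmd.option
    deadline = clock() + opt["timeout_ms"] / 1000.0
    retries_left = opt["strategy_retry_max"] if opt["strategy_failure"] == "retry" else 0
    attempts = 0
    while True:
        attempts += 1
        resp = send(body)
        if resp.get("status") == "ok" or retries_left == 0 or clock() >= deadline:
            return {"attempts": attempts, "response": resp}
        retries_left -= 1


def demo(fail_first: int = 2) -> dict:
    ngfw = SimulatedNGFW(fail_first)
    cmd = Command(
        command_id="CMD-0001",                         # constructed identifier
        description="NGFW blocks access to a specific target IP and port",
        operation="deny",
        target=[Condition("dip_v4", "==", "10.48.105.132"), Condition("dport", "==", 8088)],
        actuator={"plugin": "software-disposal-ngfw-app", "invoke": "java-classloader"})
    outcome = dispatch(cmd, ngfw.handle)
    outcome["blocked_flow"] = not ngfw.permits({"dip_v4": "10.48.105.132", "dport": 8088})
    outcome["other_flow"] = ngfw.permits({"dip_v4": "10.48.105.132", "dport": 443})
    return outcome
```

With two simulated transient failures the command succeeds on the third attempt and only the 10.48.105.132:8088 flow is denied; with more failures than the retry limit allows the dispatcher stops after the initial attempt plus three retries and reports the device's error response body unchanged, so the calling task node can decide what to do next.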
According to the security orchestration and automated response processing method, the data set is obtained by acquiring the security element data corresponding to various attributes and performing data modeling and packaging on it according to the various business requirements; function blocks are built according to the different task types from the input task configuration information, giving a plurality of function blocks; script orchestration is performed on the function blocks and data sets according to the various service requirements to obtain a script, which is saved to generate the corresponding script definition file; and, based on the network security event to be processed, the corresponding target scenario definition file is called from the scenario definition files and executed, realizing automatic response processing for the network security event. By flexibly orchestrating the response script, the method executes routine and repetitive work automatically, effectively shortens the response time to network security events, reduces the cost of security analysis and security operation, and improves the standardization and efficiency of the security orchestration and automated response process.
Corresponding to the security orchestration and automated response processing method provided above, the invention also provides a security orchestration and automated response processing system. Since the system embodiment is similar to the method embodiment, its description is relatively brief; reference should be made to the description of the method embodiment above, and the system embodiment described below is illustrative only. Fig. 5 is a schematic structural diagram of a security orchestration and automated response processing system according to an embodiment of the invention.
The invention relates to a safety arrangement and automatic response processing system, which comprises the following parts:
the data modeling and packaging unit 501 is configured to obtain security element data corresponding to various attributes, perform data modeling and packaging processing on the security element data based on various service requirements, and obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets;
the functional block construction unit 502 is configured to perform functional block construction according to different task types based on the input task configuration information, so as to obtain a plurality of functional blocks corresponding to the different task types, so as to realize representation of automatic response capability for the network security event;
a scenario editing unit 503, configured to obtain a corresponding scenario by performing scenario editing operations on the functional blocks and the data sets based on various service requirements, and store the scenario to generate a corresponding scenario definition file; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks;
and the scenario execution unit 504 is configured to call a corresponding target scenario definition file from the scenario definition file based on a network security event to be processed, and execute the target scenario definition file, so as to implement automatic response processing for the network security event.
Further, the data modeling and packaging unit is specifically configured to:
data is picked up from various data sources by utilizing a data pickup device, and is packaged into an initial data set;
the data mapping module is used for mapping the distributed and heterogeneous secure element data in the initial data set to different service requirement types focused by the data analysis module respectively;
carrying out data modeling on various security element data according to different service requirement types by utilizing the data analysis module to obtain a corresponding data set; the business demand type comprises alarm processing, asset management, vulnerability examination, information analysis, risk processing and threat processing;
the data pick-up device is used for picking up data from various data sources and packaging the data into an initial data set, and the method specifically comprises the following steps:
the method comprises the steps of carrying out structural description on data of a data source to be accessed based on a metadata definition mechanism by utilizing an access data element definition module, and carrying out data filtering from various data sources according to various attributes by utilizing a data filter running on the metadata definition mechanism so as to pick up target data, thereby obtaining an initial data set; wherein the attributes include event type, alert level, and asset attributes.
Further, the functional block construction unit is specifically configured to:
acquiring task configuration information input by a user corresponding to different task types;
based on the task configuration information, determining the response actions corresponding to the different task types, which implement the different service logics, and the task plug-ins, which receive instructions and provide specific services or link security devices; obtaining the function blocks from the response actions and the task plugins; the function blocks are the basic components constituting the script;
the task configuration information comprises task names, task descriptions, task types, input parameters and output parameters which are input corresponding to different task types; the task types comprise a linkage disposal task, an approval task, a message notification task, a work order task, a context enrichment task, a log retrieval task, an information query task, a disposal task, a logic analysis task and a flow task.
Further, the scenario editing unit is specifically configured to:
performing script arrangement processing on the functional blocks and the data packets based on various business requirements in advance to obtain a preconfigured general script;
the general scenario comprises an active scenario for adapting to active daily inspection and/or a passive emergency response scenario for processing network security attack tasks.
Further, the scenario editing unit is specifically further configured to:
referencing a start node, a stop node, and at least one function block based on editing operations in a preset canvas; carrying out service logic arrangement on the starting node, the ending node, the at least one functional block and the corresponding data packet according to various service requirements to obtain a corresponding script actively configured by a user;
the script actively configured by the user comprises an active script used for adapting to active daily inspection and/or a passive emergency response script used for processing network security attack tasks.
Further, the scenario editing unit is specifically configured to: after the script is stored, defining an automatic response flow of the script based on functional blocks corresponding to various service requirements, wherein the automatic response flow comprises a set of service processing nodes and edges, a data set for defining each service processing node in the automatic response flow and basic parameter information for defining the script, and generating a corresponding script definition file.
Further, the system comprises a sub-scenario orchestration unit which, after the start node, the end node and the at least one function block have been referenced through editing operations on the preset canvas, is used for:
referencing a preset sub-script through editing operations on the preset canvas, and orchestrating the business logic of the start node, the end node, the at least one function block, the corresponding data packet and the sub-script according to the various service requirements to obtain the corresponding script, thereby realizing nested use of the sub-script.
The security orchestration and automated response processing system of the embodiment of the invention obtains the security element data corresponding to various attributes and performs data modeling and packaging on it according to the various business requirements to obtain a data set; builds function blocks according to the different task types from the input task configuration information, giving a plurality of function blocks; performs script orchestration on the function blocks and data sets according to the various service requirements to obtain a script, which is saved to generate the corresponding script definition file; and, based on the network security event to be processed, calls the corresponding target scenario definition file from the scenario definition files and executes it, realizing automatic response processing for the network security event. By flexibly orchestrating the response script, the system executes routine and repetitive work automatically, effectively shortens the response time to network security events, reduces the cost of security analysis and security operation, and improves the standardization and efficiency of the security orchestration and automated response process.
Corresponding to the provided security arrangement and automatic response processing method, the invention further provides electronic equipment. Since the embodiments of the electronic device are similar to the method embodiments described above, the description is relatively simple, and reference should be made to the description of the method embodiments described above; the electronic device described below is merely illustrative. Fig. 6 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. The electronic device may include: a processor (processor) 601, a memory (memory) 602, and a communication bus 603, wherein the processor 601 and the memory 602 communicate with each other through the communication bus 603 and with the outside through a communication interface 604. The processor 601 may invoke logic instructions in the memory 602 to perform the security orchestration and automated response handling method, the method comprising: acquiring security element data corresponding to various attributes, and carrying out data modeling and packaging processing on the security element data based on various business requirements to obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets; building functional blocks according to different task types based on the input task configuration information to obtain a plurality of functional blocks corresponding to the different task types so as to realize the representation of the automatic response capability aiming at the network security event; performing script arrangement operation on the functional blocks and the data sets based on various service requirements to obtain corresponding scripts, and storing the scripts to generate corresponding script definition files; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks; and calling a corresponding target scenario definition file from the scenario definition file based on the network security event to be processed, and executing the target scenario definition file to realize automatic response processing for the network security event.
Further, the logic instructions in the memory 602 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a memory chip, a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, embodiments of the present invention further provide a computer program product, including a computer program stored on a processor readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the security orchestration and automated response processing method provided by the above-described method embodiments. The method comprises the following steps: acquiring security element data corresponding to various attributes, and carrying out data modeling and packaging processing on the security element data based on various business requirements to obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets; building functional blocks according to different task types based on the input task configuration information to obtain a plurality of functional blocks corresponding to the different task types so as to realize the representation of the automatic response capability aiming at the network security event; performing script arrangement operation on the functional blocks and the data sets based on various service requirements to obtain corresponding scripts, and storing the scripts to generate corresponding script definition files; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks; and calling a corresponding target scenario definition file from the scenario definition file based on the network security event to be processed, and executing the target scenario definition file to realize automatic response processing for the network security event.
In yet another aspect, embodiments of the present invention further provide a processor readable storage medium having a computer program stored thereon, which when executed by a processor is implemented to perform the security orchestration and automated response processing method provided by the above embodiments. The method comprises the following steps: acquiring security element data corresponding to various attributes, and carrying out data modeling and packaging processing on the security element data based on various business requirements to obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets; building functional blocks according to different task types based on the input task configuration information to obtain a plurality of functional blocks corresponding to the different task types so as to realize the representation of the automatic response capability aiming at the network security event; performing script arrangement operation on the functional blocks and the data sets based on various service requirements to obtain corresponding scripts, and storing the scripts to generate corresponding script definition files; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks; and calling a corresponding target scenario definition file from the scenario definition file based on the network security event to be processed, and executing the target scenario definition file to realize automatic response processing for the network security event.
The processor-readable storage medium may be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic storage (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical storage (e.g., CD, DVD, BD, HVD, etc.), semiconductor storage (e.g., ROM, EPROM, EEPROM, non-volatile storage (NAND FLASH), Solid State Disk (SSD)), and the like.
The system embodiments described above are merely illustrative: the units described as separate elements may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method of security orchestration and automated response handling comprising:
acquiring security element data corresponding to various attributes, and carrying out data modeling and packaging processing on the security element data based on various business requirements to obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets;
building functional blocks according to different task types based on the input task configuration information to obtain a plurality of functional blocks corresponding to the different task types so as to realize the representation of the automatic response capability aiming at the network security event;
performing script arrangement operation on the functional blocks and the data sets based on various service requirements to obtain corresponding scripts, and storing the scripts to generate corresponding script definition files; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks;
and calling a corresponding target scenario definition file from the scenario definition file based on the network security event to be processed, and executing the target scenario definition file to realize automatic response processing for the network security event.
2. The security arrangement and automatic response processing method according to claim 1, wherein the data modeling and packaging processing are performed on the security element data based on various service requirements to obtain a corresponding data set, and the method specifically comprises:
data is picked up from various data sources by utilizing a data pickup device, and is packaged into an initial data set;
the data mapping module is used for mapping the distributed and heterogeneous secure element data in the initial data set to different service requirement types focused by the data analysis module respectively;
carrying out data modeling on various security element data according to different service requirement types by utilizing the data analysis module to obtain a corresponding data set; the business demand type comprises alarm processing, asset management, vulnerability examination, information analysis, risk processing and threat processing;
the data pick-up device is used for picking up data from various data sources and packaging the data into an initial data set, and the method specifically comprises the following steps:
carrying out a structural description of the data of the data source to be accessed based on a metadata definition mechanism by utilizing an access data element definition module, and carrying out data filtering on the various data sources according to various attributes by utilizing a data filter running on the metadata definition mechanism so as to pick up target data, thereby obtaining the initial data set; wherein the attributes include event type, alert level and asset attributes.
3. The method for security arrangement and automatic response processing according to claim 1, wherein the function block construction is performed according to different task types based on the input task configuration information to obtain a plurality of function blocks corresponding to the different task types, specifically comprising:
acquiring task configuration information input by a user corresponding to different task types;
based on the task configuration information, determining response actions corresponding to the different task types and used for realizing different service logics, and task plug-ins that receive instructions and provide specific services or link to security equipment; obtaining the function block based on the response action and the task plug-in; the functional blocks are the basic components constituting the script;
the task configuration information comprises task names, task descriptions, task types, input parameters and output parameters which are input corresponding to different task types; the task types comprise a linkage disposal task, an approval task, a message notification task, a work order task, a context enrichment task, a log retrieval task, an information query task, a disposal task, a logic analysis task and a flow task.
4. The method for security arrangement and automatic response processing according to claim 1, wherein the scenario arrangement operation performed on the functional block and the data set based on various service requirements obtains a corresponding scenario, and specifically includes:
performing script arrangement processing on the functional blocks and the data packets based on various business requirements in advance to obtain a preconfigured general script;
the general scenario comprises an active scenario for adapting to active daily inspection and/or a passive emergency response scenario for processing network security attack tasks.
5. The security orchestration and automated response processing method according to claim 4, wherein the scenario orchestration operation performed on the functional blocks and the data sets based on various business requirements, obtaining corresponding scenarios, further comprises:
referencing a start node, a stop node, and at least one function block based on editing operations in a preset canvas; carrying out service logic arrangement on the starting node, the ending node, the at least one functional block and the corresponding data packet according to various service requirements to obtain a corresponding script actively configured by a user;
The script actively configured by the user comprises an active script used for adapting to active daily inspection and/or a passive emergency response script used for processing network security attack tasks.
6. The security orchestration and automation response processing method according to claim 1, wherein the saving the scenario to generate a corresponding scenario definition file specifically comprises:
after the script is stored, defining an automatic response flow of the script based on functional blocks corresponding to various service requirements, wherein the automatic response flow comprises a set of service processing nodes and edges, a data set for defining each service processing node in the automatic response flow and basic parameter information for defining the script, and generating a corresponding script definition file.
7. The security orchestration and automation response processing method according to claim 5, further comprising, after referencing the start node, the end node, and the at least one function block based on editing operations in a preset canvas:
referring to a preset sub-script based on an editing operation in the preset canvas, and carrying out service logic arrangement on the start node, the end node, the at least one functional block, the corresponding data packet and the sub-script according to various service requirements to obtain a corresponding script, so as to realize nested use of the sub-script.
8. A security orchestration and automated response handling system, comprising:
the data modeling and packaging unit is used for acquiring safety element data corresponding to various attributes, and carrying out data modeling and packaging processing on the safety element data based on various business requirements to obtain a corresponding data set; the data set comprises a plurality of data packets and a label for classifying and marking the data packets;
the function block construction unit is used for constructing the function blocks according to different task types based on the input task configuration information to obtain a plurality of function blocks corresponding to the different task types so as to realize the representation of the automatic response capability aiming at the network security event;
the script arranging unit is used for arranging the script on the functional blocks and the data sets based on various business requirements to obtain corresponding scripts and storing the scripts to generate corresponding script definition files; wherein the scenario is a business process flow representation comprising a start node, a stop node and at least one of the functional blocks;
and the scenario execution unit is used for calling a corresponding target scenario definition file from the scenario definition file based on the network security event to be processed and executing the target scenario definition file so as to realize automatic response processing for the network security event.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the security orchestration and automated response handling method according to any one of claims 1 to 7 when the computer program is executed.
10. A processor readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the security orchestration and automation response handling method according to any one of claims 1 to 7.
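The pipeline of claims 1 to 7 (labelled data packets, function blocks registered by task type, a scenario definition file as a node-and-edge graph that nests a sub-scenario, selection of the target scenario by event, and execution) as a constructed Python sketch that is not the patent's own code; all block names, node ids, the `trigger` field and the `DATASET` contents are assumptions.

```python
"""Toy playbook engine modelled on the claims (constructed example, not the patent's code)."""
from typing import Callable, Dict, List, Optional
# Function blocks: one callable per task type; names and signatures are hypothetical.
def context_enrichment(event: dict, dataset: list, ctx: dict) -> dict:
    for packet in dataset:  # find the data packet labelled 'asset' for the event's host
        if packet["label"] == "asset" and packet["host"] == event["host"]:
            return {"criticality": packet["criticality"]}
    return {"criticality": "unknown"}
def logic_analysis(event: dict, dataset: list, ctx: dict) -> dict:
    """Decide the verdict from the alert level and the enriched asset criticality."""
    severe = event["alert_level"] == "high" and ctx["criticality"] == "critical"
    return {"verdict": "isolate" if severe else "notify"}
def linkage_disposal(event: dict, dataset: list, ctx: dict) -> dict:
    ctx["actions"].append(f"isolate {event['host']}")  # stand-in for a linked device call
    return {}
def message_notification(event: dict, dataset: list, ctx: dict) -> dict:
    ctx["actions"].append(f"notify SOC about {event['id']}")
    return {}
BLOCKS: Dict[str, Callable] = {
    "context_enrichment": context_enrichment, "logic_analysis": logic_analysis,
    "linkage_disposal": linkage_disposal, "message_notification": message_notification}

# Scenario definition files: nodes plus edges; an edge condition is (ctx key, value).
DISPOSAL_SUB = {  # sub-scenario that the main scenario references (nested use)
    "name": "disposal_sub",
    "nodes": {"s": {"type": "start"}, "e": {"type": "stop"},
              "iso": {"type": "block", "block": "linkage_disposal"}},
    "edges": [("s", "iso", None), ("iso", "e", None)]}
MALWARE_RESPONSE = {  # passive emergency-response scenario selected by event type
    "name": "malware_response", "trigger": {"event_type": "malware"},
    "nodes": {"s": {"type": "start"}, "e": {"type": "stop"},
              "enrich": {"type": "block", "block": "context_enrichment"},
              "decide": {"type": "block", "block": "logic_analysis"},
              "dispose": {"type": "sub_scenario", "scenario": "disposal_sub"},
              "notify": {"type": "block", "block": "message_notification"}},
    "edges": [("s", "enrich", None), ("enrich", "decide", None),
              ("decide", "dispose", ("verdict", "isolate")),
              ("decide", "notify", ("verdict", "notify")),
              ("dispose", "e", None), ("notify", "e", None)]}
LIBRARY = {d["name"]: d for d in (DISPOSAL_SUB, MALWARE_RESPONSE)}

# Constructed data set: data packets classified by a label (only asset packets here).
DATASET = [{"label": "asset", "host": "db-01", "criticality": "critical"},
           {"label": "asset", "host": "ws-07", "criticality": "low"}]

def _next_node(current: str, edges: List[tuple], ctx: dict) -> str:
    for src, dst, cond in edges:
        if src == current and (cond is None or ctx.get(cond[0]) == cond[1]):
            return dst
    raise RuntimeError(f"no matching edge out of node {current!r}")

def run_scenario(defn: dict, event: dict, dataset: list, ctx: Optional[dict] = None) -> dict:
    """Walk the flow graph from its start node; a sub-scenario runs recursively in the same ctx."""
    ctx = {"actions": []} if ctx is None else ctx
    nodes, visited = defn["nodes"], set()
    current = next(n for n, spec in nodes.items() if spec["type"] == "start")
    while nodes[current]["type"] != "stop":
        if current in visited:
            raise RuntimeError("cycle in scenario definition")
        visited.add(current)
        spec = nodes[current]
        if spec["type"] == "block":
            ctx.update(BLOCKS[spec["block"]](event, dataset, ctx))
        elif spec["type"] == "sub_scenario":
            run_scenario(LIBRARY[spec["scenario"]], event, dataset, ctx)
        current = _next_node(current, defn["edges"], ctx)
    return ctx

def respond(event: dict) -> dict:
    """Pick the target scenario whose trigger matches the event, then execute it."""
    for defn in LIBRARY.values():
        trig = defn.get("trigger")
        if trig and all(event.get(k) == v for k, v in trig.items()):
            return run_scenario(defn, event, DATASET)
    raise LookupError(f"no scenario matches event {event.get('id')!r}")
```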
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211635378.XA CN116055118A (en) | 2022-12-19 | 2022-12-19 | Security arrangement and automatic response processing method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116055118A (en) | 2023-05-02 |
Family ID=86120871
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||