CN116155531A - Method and device for network equipment security management based on SOAR and electronic equipment - Google Patents
- Publication number
- CN116155531A (application CN202211456105.9A)
- Authority
- CN
- China
- Prior art keywords
- vulnerability
- repair
- security
- network equipment
- repairing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—for separating internal from external traffic, e.g. firewalls
  - H04L63/14—for detecting or protecting against malicious traffic
    - H04L63/1433—Vulnerability analysis
    - H04L63/1441—Countermeasures against malicious traffic
  - H04L63/20—for managing network security; network security policies in general
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  - H04L41/16—using machine learning or artificial intelligence
Abstract
Some embodiments of the present application provide a method, an apparatus, and an electronic device for security management of a network device based on SOAR. The method includes the following operations, performed by a preset scenario (playbook) of a Security Orchestration, Automation and Response (SOAR) platform: performing vulnerability scanning on the network device to obtain a vulnerability scanning result, where the vulnerability scanning result comprises the vulnerabilities present in the network device; generating a security alarm corresponding to the vulnerability scanning result; and determining a repair mode for the vulnerabilities according to the security alarm, and manually and/or automatically repairing the vulnerabilities of the network device using that repair mode so as to ensure the security of the network device. Some embodiments of the present application implement automated and efficient security management of network devices based on the response handling scenarios and workflow engine built into SOAR technology, so as to prevent attacks by malicious users on the network devices.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and an electronic device for security management of a network device based on an SOAR.
Background
With the development of internet technology, a precondition for the normal operation of enterprise business is that the security of the network assets inside network devices is ensured. Moreover, the network assets within a network device are interdependent and linked to one another, so the security of the network device is particularly important.
Currently, because network devices contain a wide variety of network assets with complex correlations among them, the security problems of those assets are varied and attacker techniques are endless. To improve the ability of network devices to withstand security risks, the current practice is to scan the network device with a vulnerability scanning tool, create a work order based on the scanning result, manually review the work order and distribute it to the corresponding responsible persons, who finally accept the work order tasks and submit proof of task completion. It is easy to see that the current process of security management for network devices is complex, involves a large manual workload, and is inefficient.
Therefore, how to provide a more automated method for security management of network devices based on SOAR is a technical problem to be solved.
Disclosure of Invention
An object of some embodiments of the present application is to provide a method, an apparatus, and an electronic device for security management of a network device based on SOAR, where the method relies on a preset scenario and the workflow engine built into SOAR (Security Orchestration, Automation and Response) technology to implement automatic security management of the network device, such as scanning, alarming, and repairing. With this technical scheme, the network device can be managed securely and efficiently, the manual workload is reduced, efficiency is high, and the security defense capability of the network device is improved.
In a first aspect, some embodiments of the present application provide a method for security management of a network device based on SOAR, including the following operations performed by a preset scenario of Security Orchestration, Automation and Response (SOAR): performing vulnerability scanning on the network device to obtain a vulnerability scanning result, where the vulnerability scanning result comprises the vulnerabilities present in the network device; generating a security alarm corresponding to the vulnerability scanning result; and determining a repair mode for the vulnerabilities according to the security alarm, and manually and/or automatically repairing the vulnerabilities of the network device using that repair mode so as to ensure the security of the network device.
In these embodiments, after vulnerability scanning is carried out on the network device, corresponding security alarms are generated, and the repair mode for each vulnerability is then determined according to the security alarms, so that the security of the network device can be managed effectively with reduced manual workload, high efficiency, and improved security defense capability.
In some embodiments, the types of vulnerabilities include: at least one of a system vulnerability, a website vulnerability, a violation configuration problem, and a weak password.
The vulnerability types of some embodiments of the present application may include multiple types, which promote efficient management of network device security.
In some embodiments, the network device comprises: operating systems, applications, middleware, components, enterprise hardware, and enterprise software.
The network equipment of some embodiments of the present application includes various different types of software and hardware in an enterprise, and can implement effective management of security of the network equipment.
In some embodiments, the performing vulnerability scanning on the network device includes: periodically scanning the network device for vulnerabilities according to a preset time period.
In these embodiments, vulnerability security problems present in the network device can be discovered in a timely manner, guaranteeing the security of the network device.
In some embodiments, the generating a security alert corresponding to the vulnerability scanning result includes: determining the type of the vulnerability to which the vulnerability belongs; and generating the security alarm corresponding to the vulnerability type.
In these embodiments, generating a security alarm corresponding to the vulnerability type ensures that subsequent repair of the vulnerability is targeted, which makes the process efficient.
In some embodiments, the determining a repair manner for the vulnerability according to the security alarm, and manually repairing and/or automatically repairing the vulnerability of the network device by using the repair manner includes: if the existence of a repair patch for repairing the vulnerability is confirmed, automatically repairing the vulnerability by using the repair patch to obtain a repair result file; if no repair patch package for repairing the vulnerability exists, sending the security alarm to a responsible person, and acquiring a repair result file submitted by the responsible person; and if the network equipment with the vulnerability is confirmed to be the target equipment, generating an access blocking strategy and repairing the vulnerability to obtain a repairing result file.
In these embodiments, whether a repair patch package exists for the vulnerability determines whether it is repaired manually, fully automatically, or semi-automatically, and a corresponding policy can be generated by confirming the type of network device in which the vulnerability exists, so that the vulnerability is repaired efficiently and attacks by malicious users are effectively prevented.
In some embodiments, after the obtaining the repair result file submitted by the responsible person, the method further includes: cyclically executing the following operations until it is confirmed that the network device has no vulnerabilities, and then closing the security alarm: scanning the network device again; and, when it is confirmed that the vulnerability still exists in the network device, sending the security alarm to the responsible person again and acquiring an updated repair result file from the responsible person.
In these embodiments, verifying the repair result file of the responsible person by re-scanning ensures that the vulnerability has actually been repaired, so the security of the network device can be effectively maintained.
In some embodiments, before the generating the access blocking policy, the method further comprises: and confirming that the repair time of the target equipment exceeds a preset threshold.
In these embodiments, target devices whose repair takes a long time are effectively protected by comparing the repair time with the preset threshold, which effectively prevents access attacks by malicious users.
In some embodiments, the method further comprises: and generating a network equipment security analysis case based on the vulnerability scanning result, the security alarm, the repair mode and the repair result file.
In these embodiments, an analysis case is generated for the whole handling process of the vulnerability, so that relevant personnel can learn from and summarize the cases, improving their ability to manage network device security.
In a second aspect, some embodiments of the present application provide an apparatus for security management of a SOAR-based network device, including: a scanning module configured to perform vulnerability scanning on the network device to obtain a vulnerability scanning result, where the vulnerability scanning result comprises the vulnerabilities present in the network device; a generating module configured to generate a security alarm corresponding to the vulnerability scanning result; and a repair module configured to determine a repair mode for the vulnerabilities according to the security alarm, and to manually and/or automatically repair the vulnerabilities of the network device using that repair mode so as to ensure the security of the network device.
In a third aspect, some embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method according to any of the embodiments of the first aspect.
In a fourth aspect, some embodiments of the present application provide an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, can implement a method according to any of the embodiments of the first aspect.
In a fifth aspect, some embodiments of the present application provide a computer program product comprising a computer program, wherein the computer program, when executed by a processor, is adapted to carry out the method according to any of the embodiments of the first aspect.
Drawings
In order to illustrate the technical solutions of some embodiments of the present application more clearly, the drawings required by those embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting their scope; other related drawings may be obtained from these drawings without inventive effort by a person having ordinary skill in the art.
FIG. 1 is one of the system diagrams of SOAR-based network device security management provided in some embodiments of the present application;
FIG. 2 is one of the flow charts of the method for SOAR-based network device security management provided in some embodiments of the present application;
FIG. 3 is a system diagram of a security management apparatus provided in some embodiments of the present application;
FIG. 4 is a second flowchart of a method for SOAR-based network device security management provided in some embodiments of the present application;
FIG. 5 is a block diagram of an apparatus for SOAR-based network device security management provided in some embodiments of the present application;
FIG. 6 is a schematic diagram of an electronic device according to some embodiments of the present application.
Detailed Description
The technical solutions in some embodiments of the present application will be described below with reference to the drawings in some embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
In the related art, a precondition for the normal operation of an enterprise service is that the security of its network devices is ensured, and a network device may include various network assets. If a particular network asset of a network device has a security problem, an attacker may be able to access or damage the system without authorization, causing interruption or paralysis of the enterprise's business. In more serious cases, attackers steal important enterprise data or secrets, and illegal actions such as extortion can then directly or indirectly cause great economic loss to the enterprise. Therefore, to prevent such incidents, strengthening the defensive capability of each network asset inside the network device, and discovering and repairing the security problems of the network device, are necessary daily security operation activities inside the enterprise.
Currently, when network devices are managed, a vulnerability scanning tool is generally used to discover the vulnerability problems (i.e., security problems, such as vulnerabilities of different types) of the network devices, and a simple plan composed of one or more jobs is then formulated through a work order flow to dispatch tasks, transition states, and record handling progress. The whole process requires manual participation as well as supervision and pushing of progress. For example, a scanning task for the network device is first formulated by a person; after the scanning task completes, a scan result report is obtained and an alarm is generated. The security operator then verifies the alarm and, once verification is complete, creates a work order to issue the vulnerability repair task. After reviewing the repair task, the asset's responsible person confirms whether to accept it. If accepted, the responsible person repairs the vulnerability problem; otherwise the security operator needs to verify again. After the responsible person has completed the repair, the security operator examines the repair result, and the work order is closed once the result passes review. From the above, the prior art has the following problems:
1) Security problem discovery for the network device is inefficient and the manual workload is high. Hardware network assets alone within a network device are numerous and complex, and the software, middleware, dependent components, services and the like are often even less clearly enumerated. Moreover, detecting the vulnerabilities of thousands of network assets with a scanning tool is a heavy and time-consuming task, and the resulting detection report is long, lists many problems and carries a huge data volume, which easily distracts operators. Security operators also need professional vulnerability identification skills or experience to accurately locate the vulnerability of an asset and notify the relevant responsible person to repair it, which is difficult.
2) Vulnerability problems are not repaired in a timely manner, and the inter-department collaboration cycle is long. Traditional security operation systems use work order transfer for cross-department collaboration. Even when cross-department collaboration goes through an online work order process, the person responsible for repairing a vulnerability cannot be determined quickly because the relationship between network assets and responsible persons is uncertain. Secondly, when there are many vulnerability problems and several people must handle them cooperatively, the overall response cycle becomes longer because of the time spent waiting for handlers to react and communicate, and the asset's vulnerability may be discovered and exploited by an attacker in the meantime, so the security of the network device is not guaranteed.
In view of this, some embodiments of the present application provide a method of security management of a network device based on a response handling scenario (i.e., a preset scenario) and a workflow engine of SOAR technology. By automatically scanning the network device for vulnerabilities, a vulnerability scanning result containing the vulnerabilities present in the network device is obtained. A corresponding security alarm is then generated from the vulnerability scanning result. Finally, the repair mode for the vulnerabilities is determined rapidly according to the security alarm. In this way, the security problems present in the network device can be discovered in time, rapidly located so as to generate the security alarm, and the repair mode determined promptly, which reduces the manual workload and response cycle of the whole process and is efficient.
The overall system architecture for security management of a SOAR-based network device provided in accordance with the following embodiments of the present application is exemplarily described with reference to fig. 1.
As shown in fig. 1, some embodiments of the present application provide a system for security management of a network device based on SOAR, where the system for security management of a network device includes: a network device 100 and a security management device 200. Wherein the network device 100 and the security management device 200 are communicatively connected through a wired or wireless network. The security management apparatus 200 may perform vulnerability scanning on the network asset deployed on the network device 100 to obtain a vulnerability scanning result. The security management device 200 may generate a security alarm according to the vulnerability type of the vulnerability in the vulnerability scanning result, and confirm the repairing manner of the vulnerability according to the security alarm, so as to improve the capability of the network device 100 for resisting risks.
In some embodiments of the present application, the network device 100 may include at least one of the following: operating systems, applications, middleware, components, enterprise hardware and software, and the like. The network assets take many complex forms and are interdependent and linked, so that a change to one affects the others. Types of vulnerabilities include: system vulnerabilities, website vulnerabilities, configuration violation problems, weak passwords, and the like. In addition, a vulnerability of the network device 100, which may also be referred to as a vulnerability problem or security problem, is a hidden danger or defect of the network device 100 that is easily attacked by a malicious user. It should be understood that embodiments of the present application are not limited thereto.
In other embodiments of the present application, the security management device 200 may be deployed inside the network device 100 to implement security management of the network device 100 by the security management device 200. The embodiments of the present application are not specifically limited herein.
An implementation of network device security management performed by security management device 200 provided in some embodiments of the present application is described below by way of example in conjunction with fig. 2.
Referring to fig. 2, fig. 2 is a flowchart of a method for security management of a network device based on SOAR according to some embodiments of the present application, where the method includes the following operations performed by the SOAR-based preset scenario: S210, performing vulnerability scanning on the network device to obtain a vulnerability scanning result, where the vulnerability scanning result comprises the vulnerabilities present in the network device. S220, generating a security alarm corresponding to the vulnerability scanning result. S230, determining a repair mode for the vulnerabilities according to the security alarm, and manually and/or automatically repairing the vulnerabilities of the network device using that repair mode so as to ensure the security of the network device.
In order to manage network device security efficiently, for example, in some embodiments of the present application a large number of response handling scenarios and a workflow engine for security problems can be built in based on SOAR technology, so as to manage the full life cycle of network device security automatically (the full life cycle being the whole process from discovery of a vulnerability to completion of its repair), improving the efficiency of resolving the vulnerability problems of the network device and reducing the risk of those vulnerabilities being exploited. For example, through SOAR technology and the preset automatic response scenario flow, a vulnerability scan may first be performed on all network assets in the network device to obtain a scanning report (a specific example of a vulnerability scanning result), where the scanning report contains the vulnerabilities (also called vulnerability problems) present in the current network device. The next step, generating a security alarm corresponding to the scanning report, is then executed based on SOAR technology and the preset automatic response scenario flow. Finally, based on SOAR technology and the preset automatic response scenario flow (namely, the preset scenario), a repair mode for the vulnerability problem is determined according to the security alarm. The repair mode may be manual repair, fully automatic repair without manual participation, or semi-automatic repair combining manual and automatic repair processes. In practical application, the repair mode may be selected according to the actual situation, which is not specifically limited herein.
The above-described process is exemplarily set forth below.
In some embodiments of the present application, the types of vulnerabilities include: at least one of a system vulnerability, a website vulnerability, a violation configuration problem, and a weak password. The network device includes at least one of: operating systems, applications, middleware, components, enterprise hardware, and enterprise software.
For example, in some embodiments of the present application, a system vulnerability may arise from an error or defect in the logic design of application software or operating system software, such as a Windows system vulnerability or a Linux system vulnerability. Website vulnerabilities, also called Web vulnerabilities, generally refer to vulnerabilities in Web programs, which may result from the developer not fully considering security when writing Web service code. A configuration violation problem is a security problem arising from violating the configuration baseline when configuring the attributes or functions of a network device. A weak password is a password that is too simple (for example, merely a series of consecutive numbers or letters) and is therefore prone to cracking.
The configuration baseline (often simply called the baseline) is a set of standardized requirements for the attributes or function configuration of network devices, generated from industry laws and regulations or internal enterprise rules; the network device must be configured according to the baseline requirements, otherwise it has a configuration violation problem.
It should be noted that in some embodiments of the present application, other network security issues often encountered in the network security field may be included in addition to the types of vulnerabilities listed above. The embodiments of the present application are not limited thereto.
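Two of the finding types just described, a configuration-violation check against a baseline and a weak-password check, as an added example that is not part of the patent. The baseline keys, the sample device configuration and the sample accounts are constructed; the password heuristic follows the description's definition of a weak password (too simple: too short, one repeated character, or a plain run of consecutive digits or letters) and is not a complete password-policy check.

```python
"""Added example (not from the patent): the configuration-baseline check and the
weak-password heuristic that a scanner would need in order to report the
'configuration violation' and 'weak password' vulnerability types described
above.  Baseline keys, configuration and accounts are constructed sample data."""
from typing import Dict, List, Set

# Constructed baseline (assumption): configuration key -> set of allowed values.
BASELINE: Dict[str, Set[str]] = {
    "ssh.password_authentication": {"no"},
    "telnet.enabled": {"no"},
    "snmp.version": {"3"},
    "logging.remote_syslog": {"yes"},
}


def check_baseline(config: Dict[str, str], baseline: Dict[str, Set[str]] = BASELINE) -> List[dict]:
    """One 'config_violation' finding per baseline key whose value is missing or disallowed."""
    findings = []
    for key, allowed in baseline.items():
        actual = config.get(key)          # None when the key is absent: also a violation
        if actual not in allowed:
            findings.append({"type": "config_violation", "key": key,
                             "expected": sorted(allowed), "actual": actual})
    return findings


def _is_sequence(s: str) -> bool:
    """True when each character is exactly one code point above (or below) the previous one,
    which catches runs such as '12345678', 'abcdefgh' or 'hgfedcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_weak_password(password: str, min_length: int = 8) -> bool:
    """Heuristic matching the description: too short, a single repeated character,
    or a plain run of consecutive digits/letters."""
    if len(password) < min_length:
        return True
    if len(set(password)) == 1:
        return True
    return _is_sequence(password.lower())


def scan_device(name: str, config: Dict[str, str], accounts: Dict[str, str]) -> List[dict]:
    """Combines both checks into the per-asset finding list a playbook would consume."""
    findings = [dict(f, asset=name) for f in check_baseline(config)]
    for user, pw in accounts.items():
        if is_weak_password(pw):
            findings.append({"type": "weak_password", "asset": name, "account": user})
    return findings


# Constructed sample device: two baseline violations and two weak passwords.
SAMPLE_CONFIG = {"ssh.password_authentication": "yes", "telnet.enabled": "no",
                 "snmp.version": "2c", "logging.remote_syslog": "yes"}
SAMPLE_ACCOUNTS = {"admin": "12345678", "ops": "Gv7#qLm2xT9!", "backup": "aaaaaaaa"}

if __name__ == "__main__":
    for finding in scan_device("edge-router-01", SAMPLE_CONFIG, SAMPLE_ACCOUNTS):
        print(finding)
```

The cleartext account dictionary exists only so the example runs offline; in a deployment the password check is applied when a password is set or changed, and the baseline check is run against the exported device configuration on the preset scanning period.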
In order to find security issues of the network device in time, in some embodiments of the present application, S210 may include: periodically scanning the network device for vulnerabilities according to a preset time period.
For example, in some embodiments of the present application, in order to implement periodic vulnerability scanning on a network device, the preset time period may be 1 hour, 24 hours, or 7 days, which is not specifically limited herein.
In some embodiments of the present application, S220 may include: determining the type of the vulnerability to which the vulnerability belongs; and generating the security alarm corresponding to the vulnerability type.
For example, in some embodiments of the present application, the repair methods used subsequently differ between vulnerability types, so, to better distinguish vulnerabilities, a security alarm corresponding to the vulnerability type may be generated directly. For example, if the vulnerability type is a Windows system vulnerability, a Windows system security alarm (a specific example of a security alarm) may be generated.
In some embodiments of the present application, S230 may include: and if the existence of a repair patch for repairing the vulnerability is confirmed, automatically repairing the vulnerability by using the repair patch to obtain a repair result file.
For example, in some embodiments of the present application, for some vulnerabilities in network devices, such as system vulnerabilities, website vulnerabilities, and configuration violations, a repair patch package can be matched automatically through built-in service or component version information, in which case the vulnerability can be repaired automatically. For example, if the cause of a Windows system vulnerability is that some plug-ins of the current Windows system are at too low a version, patches can be installed and the Windows system version updated (a specific example of a repair patch package), so that the current Windows system is upgraded, the Windows system vulnerability is repaired automatically, and a repair result file recording the successful repair is obtained. For example, the repair result file may include information such as the version the current Windows system was upgraded from and the version it was upgraded to.
In other embodiments of the present application, S230 may include: and if the fact that the repairing patch package for repairing the vulnerability does not exist is confirmed, sending the security alarm to a responsible person, and acquiring a repairing result file submitted by the responsible person.
For example, in some embodiments of the present application, when the security alarm concerns a weak password, which must be changed manually, automatic repair cannot be achieved, and the security alarm needs to be sent to the responsible person. After the responsible person completes the repair, the repair result file must be uploaded. For example, the weak password security alarm is sent to the responsible person, who uploads the repair result file after manually changing the password.
In other embodiments of the present application, S230 may include: cyclically executing the following operations until it is confirmed that the network device has no vulnerabilities, and then closing the security alarm: scanning the network device again; and, when it is confirmed that the vulnerability still exists in the network device, sending the security alarm to the responsible person again and acquiring an updated repair result file from the responsible person.
For example, in some embodiments of the present application, after the responsible person uploads the repair result file, the security management device 200 needs to automatically check the network device after the repair, that is, actively confirm again whether the network device still has a weak password, so as to ensure the security of the network device. If the vulnerability still exists, the responsible person must be notified to continue repairing, and the repair result file is updated after repair is completed, until it is automatically confirmed that the vulnerability of the network device has been repaired. If it no longer exists, the security alarm is closed and the repair flow ends.
In other embodiments of the present application, S230 may include: and if the network equipment with the vulnerability is confirmed to be the target equipment, generating an access blocking strategy and repairing the vulnerability to obtain a repairing result file. Before generating the access blocking policy, it may further include: and confirming that the repair time of the target equipment exceeds a preset threshold.
For example, in some embodiments of the present application, the network assets in the network device are of a wide variety, and the extent to which the network assets affect the enterprise is also different, and thus the importance of the network assets is also different. For important equipment in the network equipment, and in the case that the network equipment cannot be shut down for performing vulnerability restoration operation in a short period of time, the important equipment can be set as target equipment. When a vulnerability exists in a target device, access to the target device by an external IP (internet protocol) or an IP of a threat area can be blocked through an operation of blocking access at a first time (that is, generating an access blocking policy), so that the risk of utilizing the vulnerability of the asset can be avoided. And then, the loopholes existing in the target equipment can be repaired in a targeted manner, or the loopholes can be treated by combining manual and automatic repair processes, so that the loopholes are repaired as soon as possible.
In other embodiments of the present application, S230 may include: and generating a network equipment security analysis case based on the vulnerability scanning result, the security alarm, the repair mode and the repair result file.
For example, in some embodiments of the present application, by integrating the data such as the vulnerability scanning result, the security alarm, the repair mode, and the repair result file involved in the whole life cycle from the vulnerability scanning to the repair completion of the network device, a case of a treatment mode for a certain vulnerability of the network device may be obtained, so that relevant personnel may conduct reference and study, and further, an automatic treatment mode for the vulnerability of the network device may be perfected, and the security management level and efficiency of the network device may be continuously improved.
The specific structure of the security management apparatus 200 provided in some embodiments of the present application is exemplarily described below with reference to fig. 3.
Referring to fig. 3, fig. 3 is a system diagram of the security management apparatus 200 according to some embodiments of the present application, where the system includes: an automated response system 310, an asset vulnerability management system 320, a boundary protection system 330, and an intelligent knowledge system 340. Under the preset playbook setting, the automated response system 310 may automatically link the asset vulnerability management system 320, the boundary protection system 330, and the intelligent knowledge system 340 so as to quickly respond to and repair vulnerability problems in the network device 100, implement fully automatic and efficient management of the whole life cycle of network asset vulnerabilities in the network device 100, and reduce or avoid the risk that a network asset vulnerability is discovered and exploited by hackers.
The functions of the respective units are exemplarily described below.
In some embodiments of the present application, the automated response system 310 is used to formulate, orchestrate, and manage response handling playbooks for the security of the network device 100. Based on SOAR technology, the automated response system 310 may preset a large number of response handling playbooks and workflow engines for security problems, implementing automated management of the full security life cycle of the network device 100 (the full life cycle being the whole process from the discovery of a vulnerability to the completion of its repair). Specifically, by invoking the workflow engine according to the response handling playbook, the linkage of the asset vulnerability management system 320, the boundary protection system 330, and the intelligent knowledge system 340 can be automated, reducing manual workload, manual collaboration reaction time, and communication cost, and improving the efficiency of solving the vulnerability problems of the network device.
Illustratively, response handling playbooks for a large number of security problems may be preset, and a management playbook may be preset for each type of vulnerability problem. For example, for high-risk vulnerability problems, the preset playbook increases the scanning frequency, shortens the response time for the vulnerability problem, and immediately links the boundary protection system 330 to issue an access control policy, so as to avoid the risk of malicious access to and exploitation of the vulnerability.
In some embodiments of the present application, the automated response system 310 may also support custom orchestration of response handling playbooks: through the multi-functional components (e.g., logic components, filtering components, condition components, various notification components, policy-issuing components, etc.) provided by the linked asset vulnerability management system 320, boundary protection system 330, and intelligent knowledge system 340, the customer may orchestrate these components according to its own business needs to form a personalized playbook responding to a specific business problem, which automatically mobilizes the asset vulnerability management system 320, the boundary protection system 330, and the intelligent knowledge system 340 to perform action responses that handle the vulnerability problem.
In some embodiments of the present application, the automated response system 310 also has machine learning capability, provides a playbook self-learning function, and can automatically learn from vulnerability problem handling processes and results to refine the playbook flow. For example, the automated response system 310 may learn from network device security analysis cases, particularly those in which manual repair took part, and may subsequently update the response handling playbook so that it automatically adapts to more business scenarios.
In some embodiments of the present application, based on the response handling playbook and workflow engine, the asset vulnerability management system 320 may be used for: performing vulnerability scanning on the network device to obtain a vulnerability scanning result, where the vulnerability scanning result includes the vulnerabilities existing in the network device; generating a security alarm corresponding to the vulnerability scanning result; and determining a repair mode of the vulnerability according to the security alarm, and manually and/or automatically repairing the vulnerability of the network device by using the repair mode so as to ensure the security of the network device.
For example, in some embodiments of the present application, the asset vulnerability management system 320 is the handling center that manages all network asset information within the network device as well as the vulnerability problems. It can periodically scan the network assets for vulnerability problems, forming network asset vulnerability warning events (as a specific example of a security alarm). Through scanning, generating security alarms, and repairing, comprehensive management of vulnerability alarm events and of the vulnerability status of network assets is realized. For example, network asset alarm events are recorded uniformly, the preset playbook for automated response handling is triggered, and the status and results of manual handling (as a specific example of a repair result file) are recorded as well.
In addition, in some embodiments of the present application, the asset vulnerability management system 320 may further provide a visual chart display function, monitor the repair and handling of network asset vulnerability problems in real time, and provide data support for security operation decisions through visual statistics (for example, displaying the occurrence frequency of vulnerability problems, the handling efficiency, and the distribution of problem network assets across the whole network of the network device), so that security operators can conveniently follow and control the progress of vulnerability handling for the network device in real time and can evaluate the risks and potential safety hazards present in the current network device.
In some embodiments of the present application, the boundary protection system 330 is used to generate and issue access blocking policies.
For example, in some embodiments of the present application, the boundary protection system 330 may manage the boundary protection devices inside the network device (e.g., firewall devices). By centrally managing the boundary protection policies and linking the boundary protection devices in real time, the access blocking policy is issued to the boundary protection devices so as to comprehensively control the access traffic between the internal network and the external network and between the security domains of the internal network. In particular, when the network device with the vulnerability problem is found to be a target device that cannot be repaired in a short period of time, the boundary access control policy (i.e. the access blocking policy) can be issued by the boundary protection system 330 to identify and block malicious access to the target device, avoiding the risk of the asset's vulnerability being exploited.
In some embodiments of the present application, the intelligent knowledge system 340 is configured to generate a network device security analysis case based on the vulnerability scanning result, the security alarm, the repair mode, and the repair result file.
For example, in some embodiments of the present application, the intelligent knowledge system 340 may build a knowledge system from the repair result files produced by the management of the full vulnerability life cycle of the network device, including but not limited to integrating the vulnerability problems, repair suggestions, and opinions of all network devices discovered to date, automatically extracting the vulnerability problems in vulnerability alarm events to form cases, continuously accumulating information to fill the knowledge base, and providing an effective basis for the subsequent handling of vulnerability problems of similar network devices, while avoiding the loss of capability caused by the departure of security operation technicians. Meanwhile, based on the continual accumulation of security alarm events for the relevant vulnerabilities in the cases (i.e., network device security analysis cases), feedback can be given to the automated response system 310 to refine the flow and content of the response handling playbook.
For example, as a specific example of the present application, the intelligent knowledge system 340 may sort and integrate the vulnerability problems of the network device, integrating all security alarm events for the same type of vulnerability problem into one case, recording the handling mode (as a specific example of the repair mode) and trace of all security alarm events in the case, and accumulating handling experience for the vulnerability problem. The intelligent knowledge system 340 may also link with the automated response system 310 to perform playbook self-learning: after the repair handling flow for vulnerability problems of similar network devices and the operation process of manual intervention (as a specific example of manual repair) are recorded, the automatic response handling flow for the vulnerability problem is gradually refined.
The following describes a specific process for security management of a SOAR-based network device provided in some embodiments of the present application with reference to fig. 4.
Referring to fig. 4, fig. 4 is a flowchart of a method for security management of a network device based on SOAR according to some embodiments of the present application. The process is exemplarily set forth below.
S410, performing vulnerability scanning on the network equipment to obtain a vulnerability scanning result.
For example, as one specific example of the present application, the asset vulnerability management system 320 performs a scanning task (as one specific example of vulnerability scanning) on the network device 100 based on the flow setting of the preset playbook of the automated response system 310 (i.e., the manner, described above, in which the response handling playbook invokes the workflow engine based on SOAR technology), producing a vulnerability scanning result. The vulnerability scanning result contains information about the vulnerabilities existing in the current network device 100.
S420, determining the type of the vulnerability in the vulnerability scanning result.
For example, as a specific example of the present application, based on the flow setting of the preset playbook of the automated response system 310, the asset vulnerability management system 320 may merge and check the information about the vulnerabilities existing in the current network device 100 against the internal preset vulnerability type matching rules, and determine the vulnerability type. For example, the vulnerability type is a web vulnerability.
S430, generating a security alarm corresponding to the vulnerability type.
For example, as one specific example of the present application, the asset vulnerability management system 320 may generate a security alarm based on the vulnerability type. For example, a web security alarm is generated for a web vulnerability (as one specific example of a security alarm).
S440, determining a repair mode of the vulnerability according to the security alarm, and manually and/or automatically repairing the vulnerability of the network device by using the repair mode.
For example, as a specific example of the present application, because a repair mode for this kind of security alarm is already preset in the flow setting of the preset playbook of the automated response system 310, the asset vulnerability management system 320 repairs the system vulnerability in the network asset system security alarm based on that flow setting. For example, analysis finds that the cause of the system vulnerability is a vulnerable version of a certain class of service or component. Through the preset playbook flow, the asset vulnerability management system 320 automatically matches the network device patch library directly according to the service or component version information, performs the patch repair directly after a match is found, installing the patch and upgrading the software version, and thus repairs the system vulnerability fully automatically.
For example, as another specific example of the present application, if the asset vulnerability management system 320 finds no match in the asset patch library for the service or component information, it automatically uses the network device's IP association to obtain the information of the asset responsible person (i.e., the responsible person), sends a communication message such as an e-mail, an enterprise WeChat message, or a DingTalk message to notify the asset responsible person to repair the system vulnerability, and, together with the intelligent knowledge system 340, provides the asset responsible person with a repair scheme for the system vulnerability. After the asset responsible person repairs the system vulnerability, the repair result file is uploaded. Based on the repair result file uploaded by the asset responsible person, the automatically linked asset vulnerability management system 320 scans the network device submitted as repaired for the system vulnerability and re-checks whether the asset responsible person actually repaired it. If the scan of the asset no longer finds the relevant system vulnerability, the vulnerability problem is confirmed to have been handled and the system security alarm can be closed. If the scan of the asset still finds the system vulnerability, the vulnerability problem of the asset is confirmed to be unsolved, the asset responsible person is notified to carry out a second repair, and the process is repeated until the asset vulnerability management system no longer finds the relevant system vulnerability; in this way semi-automatic repair of the vulnerability is realized.
S450, generating a network equipment security analysis case based on the vulnerability scanning result, the security alarm, the repair mode and the repair result file.
For example, as a specific example of the present application, after the vulnerability problem of the network device has been repaired or handled through the handling process for the system vulnerability described above, the intelligent knowledge system 340 may be linked to extract the relevant information about the vulnerability, such as the vulnerability scanning result, the security alarm, the repair result file uploaded by the asset responsible person, and the operations and advice entered by the security operator, to form a targeted case for refining the flow of the preset playbook in the automated response system 310 and gradually fitting the business requirements.
It should be noted that the above process can be executed automatically based on the flow setting of the preset playbook, so as to repair and handle the vulnerability problems of the network device. Meanwhile, during the above process, a security operator can also join at any node and, according to personal expertise and experience and the actual business scenario, provide vulnerability handling advice and adjust the handling progress; the asset vulnerability management system records all manual handling information (as a specific example of manual repair), so that the intelligent knowledge system 340 can subsequently extract knowledge from it.
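The repair-mode branches of S230 and the S410 to S450 flow above, as an added example that is not part of the patent: a small Python playbook in which the type-matching rules, the patch library, the asset state, the responsible-person callback and the bounded retry count are constructed assumptions.

```python
"""Added example, not the patent's code: a minimal SOAR-style playbook for S410-S450
with the S230/S440 branches (patch found -> automatic repair; no patch -> notify the
responsible person and re-scan until clean; target device whose estimated repair time
exceeds the threshold -> issue an access-blocking policy first). Rules, patch library,
asset state and the responsible-person callback are constructed stand-ins."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class VulnType(Enum):
    SYSTEM = "system_vulnerability"
    WEBSITE = "website_vulnerability"
    CONFIG = "violation_configuration"
    WEAK_PASSWORD = "weak_password"

@dataclass(frozen=True)
class Finding:
    asset_ip: str
    vuln_type: VulnType
    component: str          # "credential" for weak-password findings
    version: str

@dataclass
class Alert:
    finding: Finding
    status: str = "open"
    repair_mode: str = ""
    result_files: list = field(default_factory=list)
    blocking_policy: Optional[dict] = None
    notifications: int = 0

# Constructed stand-ins for the type-matching rules (S420) and the patch library (S440).
VULN_RULES = {("openssh", "8.2"): VulnType.SYSTEM, ("nginx", "1.18.0"): VulnType.WEBSITE}
PATCH_LIBRARY = {("openssh", "8.2"): "8.9"}   # (component, vulnerable version) -> fixed version
TARGET_DEVICES = {"10.0.0.5"}                # important devices that cannot be taken offline quickly
REPAIR_TIME_THRESHOLD_HOURS = 24
MAX_MANUAL_ROUNDS = 3                        # assumption: bounds the notify/re-scan loop

def scan(asset: dict) -> list:
    """S410: derive findings from an asset's component versions and password state."""
    findings = [Finding(asset["ip"], t, c, v)
                for (c, v), t in VULN_RULES.items() if asset["components"].get(c) == v]
    if asset.get("weak_password"):
        findings.append(Finding(asset["ip"], VulnType.WEAK_PASSWORD, "credential", "-"))
    return findings

def block_access(ip: str) -> dict:
    """Boundary protection system 330: deny external and threat-area sources to the target."""
    return {"action": "deny", "src": ["external", "threat_area"], "dst": ip}

def handle_alert(alert: Alert, asset: dict, estimated_repair_hours: float,
                 responsible_person: Callable[[dict, Finding], str]) -> Alert:
    """S440: choose and execute the repair mode. responsible_person performs the manual
    repair on the asset (possibly failing to) and returns the repair-result file text."""
    f = alert.finding
    # Target device that cannot be repaired within the threshold: block access first.
    if f.asset_ip in TARGET_DEVICES and estimated_repair_hours > REPAIR_TIME_THRESHOLD_HOURS:
        alert.blocking_policy = block_access(f.asset_ip)
    if (f.component, f.version) in PATCH_LIBRARY:        # patch matched: automatic repair
        fixed = PATCH_LIBRARY[(f.component, f.version)]
        asset["components"][f.component] = fixed
        alert.repair_mode = "automatic"
        alert.result_files.append(f"upgraded {f.component} {f.version} -> {fixed}")
    else:                                                 # no patch: manual repair + re-check
        alert.repair_mode = "manual"
        while alert.notifications < MAX_MANUAL_ROUNDS and f in scan(asset):
            alert.notifications += 1                      # (re)send the alert to the person
            alert.result_files.append(responsible_person(asset, f))
    # Only the re-scan may close the alert; an unrepaired finding is escalated instead.
    alert.status = "closed" if f not in scan(asset) else "escalated"
    return alert

def generate_case(scan_result: list, alert: Alert) -> dict:
    """S450: the record the intelligent knowledge system 340 keeps for one handled vulnerability."""
    return {"vuln_type": alert.finding.vuln_type.value,
            "scan_result": [(x.component, x.version) for x in scan_result],
            "repair_mode": alert.repair_mode, "result_files": list(alert.result_files),
            "blocking_policy": alert.blocking_policy, "status": alert.status,
            "notifications": alert.notifications}

def run_demo() -> list:
    """Walk one constructed target device with three findings through the playbook."""
    asset = {"ip": "10.0.0.5", "components": {"openssh": "8.2", "nginx": "1.18.0"},
             "weak_password": True}
    attempts = {}

    def admin(a: dict, f: Finding) -> str:   # constructed responsible person
        n = attempts[f] = attempts.get(f, 0) + 1
        if f.vuln_type is VulnType.WEBSITE:
            a["components"]["nginx"] = "1.24.0"
            return "nginx upgraded manually"
        if f.vuln_type is VulnType.WEAK_PASSWORD and n >= 2:   # fixed on the 2nd notification
            a["weak_password"] = False
            return "password rotated"
        return "no change yet"

    result = scan(asset)                     # S410: three findings on this asset
    cases = []
    for finding in result:                   # S430 -> S440 -> S450 per alert
        alert = handle_alert(Alert(finding=finding), asset, 48, admin)
        cases.append(generate_case(result, alert))
    return cases
```

Running `run_demo()` yields one case per finding: the OpenSSH finding is patched automatically, the nginx and weak-password findings go through one and two notification rounds respectively, and all three carry the blocking policy because the device is a target device whose estimated repair time (48 h) exceeds the 24 h threshold.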
From some embodiments of the present application it can be appreciated that the present application handles and manages vulnerability problems of network devices efficiently in a fully automated or semi-automated way. Based on the SOAR automation capability linking each of the major systems, the method and the system perform efficient scanning and discovery, analysis, repair, re-checking, and closing of vulnerability problems of the network device, thus forming knowledge-based full life cycle security management of the network device. Based on the flow setting and workflow engine of the preset playbook of the automated response system 310, the manual repeated confirmation of similar problems, the manual dispatch of repair tasks, the repeated checking and re-checking of repair results, and the duration of cross-department collaborative reaction are remarkably reduced; network devices with vulnerabilities are repaired quickly, their security is effectively ensured, and the risk that a vulnerability of a problem network device is discovered and exploited by an attacker to launch attacks and threats against the enterprise and cause it great loss is reduced or avoided. The method adds a handling scheme for vulnerability problems of important network devices that cannot be repaired in a short period, which effectively protects the vulnerable network device from being exploited while ensuring uninterrupted service. Knowledge and general response cases are formed by recording the vulnerability problem handling flow and scheme of the network device.
These can be invoked by the asset vulnerability management system to automatically provide an effective asset vulnerability repair scheme when a work order is dispatched; at the same time, they can be used by security operators, converting the professional technical capability and experience of the operators into knowledge, so that the decline in asset vulnerability management capability caused by the departure of the enterprise's technicians is reduced or avoided.
Referring to fig. 5, fig. 5 illustrates a block diagram of an apparatus for security management of a SOAR-based network device according to some embodiments of the present application. It should be understood that the apparatus for security management of a SOAR-based network device corresponds to the above method embodiment and is capable of performing the steps of the above method embodiment based on a preset playbook of security orchestration, automation and response (SOAR); for the specific functions of the apparatus, reference may be made to the above description, and detailed descriptions are omitted here as appropriate to avoid redundancy.
The apparatus for SOAR-based network device security management of fig. 5 includes at least one software functional module that can be stored in a memory in the form of software or firmware, or built into the apparatus for network device security management. The apparatus for SOAR-based network device security management comprises: a scanning module 510 configured to perform vulnerability scanning on a network device to obtain a vulnerability scanning result, where the vulnerability scanning result includes the vulnerabilities existing in the network device; a generating module 520 configured to generate a security alarm corresponding to the vulnerability scanning result; and a repair module 530 configured to determine a repair mode of the vulnerability according to the security alarm, and to manually and/or automatically repair the vulnerability of the network device by using the repair mode so as to ensure the security of the network device.
In some embodiments of the present application, the types of vulnerabilities include: at least one of a system vulnerability, a website vulnerability, a violation configuration problem, and a weak password.
In some embodiments of the present application, the network device includes: operating systems, applications, middleware, components, enterprise hardware, and enterprise software.
In some embodiments of the present application, the scanning module 510 is configured to perform periodic vulnerability scanning on the network device according to a preset time period.
In some embodiments of the present application, the generating module 520 is configured to determine a vulnerability type to which the vulnerability belongs; and generating the security alarm corresponding to the vulnerability type.
In some embodiments of the present application, the repair module 530 is configured to automatically repair the vulnerability by using the repair patch if it is confirmed that there is a repair patch for repairing the vulnerability, so as to obtain a repair result file; if no repair patch package for repairing the vulnerability exists, sending the security alarm to a responsible person, and acquiring a repair result file submitted by the responsible person; and if the network equipment with the vulnerability is confirmed to be the target equipment, generating an access blocking strategy and repairing the vulnerability to obtain a repairing result file.
In some embodiments of the present application, the repair module 530 is configured to cycle the following operations until it is determined that the network device does not have the vulnerability, and close the security alarm: scanning the network equipment again; and when confirming that the vulnerability exists in the network equipment, sending the security alarm to the responsible person again, and acquiring a repair result file updated by the responsible person.
In some embodiments of the present application, the repair module 530 is configured to confirm that the repair time for the target device exceeds a preset threshold.
In some embodiments of the present application, the repair module 530 is configured to generate a network device security analysis case based on the vulnerability scanning result, the security alarm, the repair mode, and the repair result file.
Some embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program, which when executed by a processor, may implement operations of the method corresponding to any of the above-described methods provided by the above-described embodiments.
Some embodiments of the present application further provide a computer program product, where the computer program product includes a computer program, where the computer program when executed by a processor may implement operations of a method corresponding to any of the foregoing methods provided by the foregoing embodiments.
As shown in fig. 6, some embodiments of the present application provide an electronic device 600, the electronic device 600 comprising: memory 610, processor 620, and a computer program stored on memory 610 and executable on processor 620, wherein processor 620 may implement a method as in any of the embodiments described above when reading a program from memory 610 and executing the program via bus 630.
The processor 620 may process the digital signals and may include various computing structures. Such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, the processor 620 may be a microprocessor.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (13)
1. A method for security management of a SOAR-based network device, comprising:
performing the following operations based on a preset playbook of security orchestration, automation and response (SOAR):
performing vulnerability scanning on network equipment to obtain a vulnerability scanning result, wherein the vulnerability scanning result comprises vulnerabilities existing in the network equipment;
generating a security alarm corresponding to the vulnerability scanning result;
and determining a repair mode of the vulnerability according to the security alarm, and manually and/or automatically repairing the vulnerability of the network device by using the repair mode so as to ensure the security of the network device.
2. The method of claim 1, wherein the type of vulnerability comprises: at least one of a system vulnerability, a website vulnerability, a violation configuration problem, and a weak password.
3. The method of claim 1 or 2, wherein the network device comprises: operating systems, applications, middleware, components, hardware, and software.
4. The method according to claim 1 or 2, wherein the performing vulnerability scanning on the network device comprises:
periodically scanning the network device for vulnerabilities according to a preset time period.
5. The method of claim 1 or 2, wherein the generating a security alert corresponding to the vulnerability scanning result comprises:
determining the type of the vulnerability to which the vulnerability belongs;
and generating the security alarm corresponding to the vulnerability type.
6. The method according to claim 1 or 2, wherein the determining a repair manner for the vulnerability according to the security alarm, and manually repairing and/or automatically repairing the vulnerability of the network device by using the repair manner, includes:
if the existence of a repair patch for repairing the vulnerability is confirmed, automatically repairing the vulnerability by using the repair patch to obtain a repair result file;
if no repair patch package for repairing the vulnerability exists, sending the security alarm to a responsible person, and acquiring a repair result file submitted by the responsible person;
and if the network equipment with the vulnerability is confirmed to be the target equipment, generating an access blocking strategy and repairing the vulnerability to obtain a repairing result file.
7. The method of claim 6, wherein after the obtaining the repair result file submitted by the responsible person, the method further comprises:
cyclically executing the following operations until the network device is confirmed to have no vulnerability, and closing the security alarm:
scanning the network equipment again;
and when confirming that the vulnerability exists in the network equipment, sending the security alarm to the responsible person again, and acquiring a repair result file updated by the responsible person.
8. The method of claim 6, wherein prior to the generating the access blocking policy, the method further comprises:
confirming that the repair time of the target device exceeds a preset threshold.
9. The method of claim 8, wherein the method further comprises:
generating a network device security analysis case based on the vulnerability scanning result, the security alarm, the repair manner and the repair result file.
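The decision flow of claims 5 to 9 (alarm typed by vulnerability, automatic patching when a package exists, the notify/rescan loop with the responsible person, access blocking once a target device is overdue, and the final analysis case) modelled as a small Python playbook. This is an added illustration, not the patent's own code; the device names, vulnerability ids, patch catalogue and the `responsible` callback are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Case:
    """Claim 9: analysis case built from scan result, alarm, repair manner and result files."""
    scan_result: list
    alarm: dict
    repair_mode: str
    result_files: list = field(default_factory=list)
    blocking_policy: Optional[dict] = None


def run_playbook(device, vulns, patches, responsible, is_target, threshold_hours, max_rounds=5):
    """Hypothetical SOAR playbook (not the patent's implementation).
    vulns: mutable set of (vuln_id, vuln_type) from the scan; each round's rescan is
    modelled by removing whatever the responsible person reports as fixed.
    patches: {vuln_id: package}; responsible(alarm, rnd) -> (result_file, fixed_ids, hours)."""
    scan_result = sorted(vulns)
    if not scan_result:
        return None                                     # clean scan: nothing to alarm on
    vuln_id, vuln_type = scan_result[0]
    alarm = {"device": device, "vuln": vuln_id, "type": vuln_type, "status": "open"}  # claim 5
    case = Case(scan_result, alarm, "")

    def still_open():                                   # rescan check used by the claim 7 loop
        return any(v[0] == vuln_id for v in vulns)

    if vuln_id in patches:                              # claim 6, branch 1: patch package exists
        case.repair_mode = "automatic"
        vulns.discard((vuln_id, vuln_type))
        case.result_files.append(f"auto-{patches[vuln_id]}.result")
    else:                                               # claim 6, branch 2, then the claim 7 loop
        case.repair_mode = "manual"
        repair_hours = 0.0
        for rnd in range(1, max_rounds + 1):
            result_file, fixed, hours = responsible(alarm, rnd)   # alarm sent, result file returned
            case.result_files.append(result_file)
            repair_hours += hours
            vulns.difference_update({v for v in vulns if v[0] in fixed})  # rescan after the repair
            if not still_open():
                break
            # claim 8 then claim 6, branch 3: target device overdue -> generate access blocking policy
            if is_target and repair_hours > threshold_hours and case.blocking_policy is None:
                case.blocking_policy = {"action": "deny", "dst": device, "reason": vuln_id}
                case.result_files.append(f"block-{device}.result")
    if not still_open():
        alarm["status"] = "closed"                      # claim 7: close once the rescan is clean
    return case
```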
10. An apparatus for security management of a network device based on SOAR, comprising:
a scanning module configured to perform vulnerability scanning on the network device to obtain a vulnerability scanning result, wherein the vulnerability scanning result comprises vulnerabilities existing in the network device;
a generating module configured to generate a security alarm corresponding to the vulnerability scanning result; and
a repair module configured to determine a repair manner for the vulnerabilities according to the security alarm, and to manually repair and/or automatically repair the vulnerabilities of the network device by using the repair manner so as to ensure the security of the network device.
11. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program, wherein the computer program when run by a processor performs the method according to any of claims 1-9.
12. A computer program product, characterized in that the computer program product comprises a computer program, wherein the computer program, when run by a processor, performs the method according to any of claims 1-9.
13. An electronic device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein the computer program, when run by the processor, performs the method of any one of claims 1-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211456105.9A CN116155531A (en) | 2022-11-21 | 2022-11-21 | Method and device for network equipment security management based on SOAR and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116155531A true CN116155531A (en) | 2023-05-23 |
Family
ID=86337906
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211456105.9A Pending CN116155531A (en) | 2022-11-21 | 2022-11-21 | Method and device for network equipment security management based on SOAR and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116155531A (en) |
2022
- 2022-11-21 CN CN202211456105.9A patent/CN116155531A/en active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116611046A (en) * | 2023-06-05 | 2023-08-18 | 武汉思普崚技术有限公司 | Method, device and system for processing weak password based on SOAR |
CN116611046B (en) * | 2023-06-05 | 2024-04-09 | 武汉思普崚技术有限公司 | Method, device and system for processing weak password based on SOAR |
CN116471122A (en) * | 2023-06-12 | 2023-07-21 | 南京众智维信息科技有限公司 | Network security script arrangement method based on Q learning |
CN116471122B (en) * | 2023-06-12 | 2023-08-29 | 南京众智维信息科技有限公司 | Network security script arrangement method based on Q learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |