
CN-121997317-A - Automatic arrangement and response method, device, medium and equipment


Abstract

The invention discloses an automated orchestration and response method, device, medium and equipment. The method comprises: collecting security events from various oil fields with an automation tool and adding them to a security event library in order to formulate a response strategy; coordinating the team responsible for the event, the forensics team and the IT team, creating a workflow and formulating an automated orchestration and response flow; carrying out predefined response operations with the automated response tool; monitoring the execution result after the response action, adjusting the strategy and optimizing the flow in real time, and identifying and tracking the corresponding system vulnerabilities once threat information and security events have been correlated; and executing a vulnerability remediation flow and generating a compliance report. When threat information needs to be responded to, no manual response is required, so response efficiency is greatly improved and response time is shortened. The invention improves the investigation and forensics flow and improves the accuracy and efficiency of threat information and security event processing.

Inventors

  • SUN JUNJUN
  • XIAN GUOMING
  • REN XIN
  • HAN LEI
  • ZHANG JING
  • LI YANG
  • HUANG LIN
  • Tu Hanlin
  • QI XIAOTING
  • ZHENG CHANGMIN
  • ZHAO ZIXUAN
  • CHEN SHIYI
  • LI WEI
  • CHEN GANG
  • SHI YOUCHEN
  • WANG YINQUAN
  • ZHAO ZEYANG
  • LI HUAN
  • LI PENG

Assignees

  • 中国石油天然气股份有限公司

Dates

Publication Date
20260508
Application Date
20241107

Claims (10)

  1. An automated orchestration and response method, characterized in that it comprises the following steps: S10, collecting security events of various oil fields through an automation tool, adding the security events to a security event library, and formulating a response strategy; S20, coordinating the team responsible for the event, the forensics team and the IT team to cooperate, creating a workflow, and formulating an automated orchestration and response flow; S30, performing predefined response operations based on the automated response tool; S40, monitoring the execution result after the response action, adjusting the strategy and optimizing the flow in real time, and identifying and tracking the corresponding system vulnerability after the threat information and the security event are correlated; S50, executing the vulnerability remediation process and generating a compliance report.
  2. The automated orchestration and response method according to claim 1, wherein step S10 comprises the steps of: S110, collecting potential threat information from various channels through an automation tool and adding it to the security event library; S120, analyzing known software vulnerabilities or malicious software activity possibly present in the threat information, and determining their threat level, threat type, attack method and affected range; S130, matching and associating the threat information with the oilfield security events collected in the security event library, and formulating a corresponding response strategy to improve the accuracy and efficiency of security event response, wherein the oilfield security events comprise external malicious attacks, high-risk alarms and abnormal behavior alarms of the oil field.
  3. The automated orchestration and response method according to claim 2, wherein in step S130 the response policy comprises blocking malicious traffic, quarantining infected hosts, and updating defense policies.
  4. The automated orchestration and response method according to claim 1, wherein step S20 comprises the steps of: S210, coordinating the team responsible for the event, the forensics team and the IT team to cooperate, centralizing a plurality of security events and their corresponding response actions on one platform, and creating a workflow; S220, formulating corresponding response strategies according to the team's analysis of the information, and coordinating response tools and teams to respond; S230, establishing an automated orchestration and response flow that is triggered when the monitoring system detects an abnormal event or an update to threat information.
  5. The automated orchestration and response method according to claim 1, wherein in step S30 the predefined response actions include notification, quarantine, organization and forensics, quarantining infected hosts, and initiating investigation flows.
  6. The automated orchestration and response method according to claim 1, wherein in step S40 the system vulnerabilities include patches, configuration errors, and software bugs.
  7. The automated orchestration and response method according to claim 1, wherein step S50 comprises the steps of: S510, prioritizing the corresponding vulnerabilities according to the severity of the security event; S520, automatically performing the vulnerability repair flow and monitoring its progress; S530, generating a compliance report for the vulnerability remediation process.
  8. An automated orchestration and response device, comprising: an analysis module for collecting security events of various oil fields through an automation tool and adding them to a security event library in order to formulate a response strategy; a process designation module for coordinating the team responsible for the event, the forensics team and the IT team to cooperate, creating a workflow and formulating an automated orchestration and response process; a response module for performing predefined response operations based on the automated response tool; an identification and tracking module for monitoring the execution result after the response action, adjusting the strategy and optimizing the flow in real time, and identifying and tracking the corresponding system vulnerability after the threat information and the security event are correlated; and a vulnerability remediation module for executing the vulnerability remediation process and generating a compliance report.
  9. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the automated orchestration and response method according to any one of claims 1-7.
  10. A computing device comprising at least one processor, a memory and an input/output unit, wherein the memory is configured to store a computer program and the processor is configured to invoke the computer program stored in the memory to perform the automated orchestration and response method according to any one of claims 1-7.
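The claimed flow, from correlating oilfield events with threat information (S130) through choosing the claim 3 response policy (S30), ordering vulnerabilities by event severity (S510) and producing the compliance report (S530), as an added example in Python that is not the patent's or the assignee's code. The data model, the threat-type names, the fallback action and all indicators and vulnerability ids are constructed placeholders.

```python
# Added example, not the patent's code: models S130, S30 (claim 3), S510 and S530.
from dataclasses import dataclass
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Claim 3's response policy as a lookup: threat type -> predefined action (names are assumed).
RESPONSE_POLICY = {"malicious_traffic": "block_traffic", "infected_host": "quarantine_host",
                   "new_signature": "update_defense_policy"}
@dataclass(frozen=True)
class ThreatIntel:
    indicator: str           # indicator the event feed can also report
    threat_type: str
    vulnerability: str = ""  # vulnerability id named by the feed, if any
@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    site: str                # oilfield that raised the alarm
    indicator: str
    severity: str

def correlate(events, intel):
    """S130: join each event to the intel record with the same indicator."""
    by_ioc = {t.indicator: t for t in intel}
    return [(e, by_ioc[e.indicator]) for e in events if e.indicator in by_ioc]

def plan_responses(matches):
    """S30: unknown threat types fall back to opening an investigation (claim 5)."""
    return {e.event_id: RESPONSE_POLICY.get(t.threat_type, "initiate_investigation")
            for e, t in matches}

def prioritize_vulns(matches):
    """S510: rank each named vulnerability by the worst event severity that hit it."""
    worst = {}
    for e, t in matches:
        if t.vulnerability:
            worst[t.vulnerability] = max(worst.get(t.vulnerability, 0), SEVERITY[e.severity])
    return sorted(worst, key=lambda v: (-worst[v], v))

def compliance_report(matches, actions, vulns):
    """S530: one line per handled event, then the remediation order."""
    lines = [f"{e.event_id} site={e.site} sev={e.severity} action={actions[e.event_id]}"
             for e, _ in matches]
    return "\n".join(lines + ["remediation_order=" + ",".join(vulns)])
# Constructed sample data; indicators and vulnerability ids are placeholders.
INTEL = [ThreatIntel("198.51.100.7", "malicious_traffic", "VULN-PLACEHOLDER-2"),
         ThreatIntel("sha256:placeholder", "infected_host", "VULN-PLACEHOLDER-1"),
         ThreatIntel("203.0.113.9", "unknown_type")]
EVENTS = [SecurityEvent("E1", "field-A", "198.51.100.7", "medium"),
          SecurityEvent("E2", "field-B", "sha256:placeholder", "critical"),
          SecurityEvent("E3", "field-B", "203.0.113.9", "high"),
          SecurityEvent("E4", "field-C", "10.0.0.5", "low")]  # no intel: not auto-handled
```

Events with no matching intel (E4) are deliberately left out of the automated path, which is the manual-response gap the description says the invention aims to close.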

Description

Automatic arrangement and response method, device, medium and equipment

Technical Field

The present invention relates to the field of automation technologies, and in particular to an automated orchestration and response method, apparatus, medium and device.

Background

With the escalating trend of network security attack and defense, national regulatory authorities have set strict requirements for "normalized network security management". Automated orchestration and response to cyber threat information is an integral part of cyber security. Recently, a number of oil fields in China have suffered repeated external malicious attacks, high-risk alarms and abnormal behavior alarms, and the analysis and handling of network security events face enormous pressure. It is therefore indispensable to be able to respond quickly to the security threats suffered, to prevent and stop them in time, and to implement an effective control strategy. The existing network security risk control and handling capability on the market relies on manually deploying access control policies on boundary equipment such as firewalls and gatekeepers in order to block attack communication; emergency handling efficiency is low, the impact on business continuity is large, targeted, large-scale and high-frequency concentrated attack scenarios are difficult to adapt to, and increasingly frequent threat behaviors such as controlled outbound connections from compromised hosts cannot be handled effectively. Automated orchestration and response methods are therefore widely used to help organizations increase the speed and accuracy of threat handling.

However, existing automated orchestration and response methods generally match a security threat event to a line of the security event scenario and then respond accordingly; if no line of the security event scenario matches, a manual response is required, so the response speed for part of the network threat information is slower and the accuracy is lower.

Disclosure of Invention

The invention mainly aims to provide an automated orchestration and response method and device for solving the technical problems of slower response speed and lower accuracy for part of the network threat information in the prior art. To achieve this, the invention provides an automated orchestration and response method comprising the following steps: S10, collecting security events of various oil fields through an automation tool, adding the security events to a security event library and formulating response strategies; S20, coordinating the team responsible for the event, the forensics team and the IT team to cooperate, creating workflows and formulating automated orchestration and response flows; S30, carrying out predefined response operations based on the automated response tools; S40, monitoring the execution results after the response actions, adjusting strategies and optimizing flows in real time, and identifying and tracking the corresponding system vulnerabilities after the threat information and the security events are correlated; S50, executing a vulnerability remediation flow and generating compliance reports.

Optionally, step S10 comprises the steps of: S110, collecting potential threat information from various channels through an automation tool; S120, analyzing known software vulnerabilities or malicious software activity possibly present in the threat information, and determining their threat level, threat type, attack method and affected range; S130, matching and associating the threat information with the security events of various oil fields collected in a security event library, and formulating corresponding response strategies to improve the accuracy and efficiency of security event response, wherein the oilfield security events comprise external malicious attacks, high-risk alarms and abnormal behavior alarms of the oil fields. Optionally, in step S130 the response policy includes blocking malicious traffic, quarantining the infected host and updating the defense policy. Optionally, step S20 includes the steps of coordinating the team responsible for the event, the forensics team and the IT team to cooperate, centralizing a plurality of security events and their corresponding response actions on one platform to create a workflow, establishing a corresponding response strategy according to the team's analysis of the information, coordinating the response tools and teams to respond, establishing an automated orchestration and response flow, and ensuring that the automated orchestration and response flow can be triggered when the monitoring system detects an abnormal event or an update to threat information, wherein the step S210 is used for coordin