Abstract: The means, scale and frequency of network attacks continue to evolve, and the network threats faced by countries and enterprises are becoming increasingly severe. In this context, SOAR (security orchestration automation and response) technology provided a solution for enterprises to balance “security, cost and efficiency” by solidifying automation scenarios. For the dynamic and agile requirements of security device capability access and call, network asset information entry and association in the SOAR practice, the atomization device and asset management strategy based on the concept of standard security orchestration actions and security attribute asset sets was proposed. Through the atomization and instantiation of device capabilities and asset attributes, as well as the integration of standard security orchestration actions and security attribute asset sets based on the knowledge atlas, the agile integration of security equipment and network asset capabilities, efficient resource allocation, and information associated storage to deal with the dynamic changes of network threats and protection requirements can be implemented. At the same time, several SOAR automation scenarios based on this strategy were studied and discussed.

Key words: security orchestration, automated response, atomization, security device management, security asset management, SOAR

摘要： 网络攻击手段持续进化，规模及频率持续增长，国家及企业面临的网络安全威胁日趋严峻，在这一背景下，安全编排自动化与响应(security orchestration automation and response, SOAR)技术通过固化自动化场景为企业平衡“安全、成本及效率”提供了解决方案.针对SOAR实践中安全设备能力接入及调用、网络资产信息录入及关联的动态化和敏捷化需求，提出了围绕标准安全编排动作及安全属性资产集的集成概念的原子化设备及资产管理策略.通过设备能力及资产属性的原子化、实例化以及基于知识图谱的标准安全编排动作及安全属性资产集集成，实现安全设备、网络资产能力敏捷集成、资源高效调配、信息关联存储，以应对网络威胁、防护需求动态变化的场景.同时，对基于该策略的多个SOAR自动化场景实践进行了研究及讨论.

关键词: 安全编排, 自动化响应, 原子化, 安全设备管理, 安全资产管理, 安全编排自动化与响应