JP2019149781A - Security incident detection system - Google Patents

Abstract

To provide a security incident detection system that can reduce a time to report a cause investigation result for a security alarm to related parties.SOLUTION: A security incident detection system 100 includes an alarm reception unit that receives a security alarm from a security incident detection device (monitoring target device) via a network, an incident determination unit that compares the received security alarm notification content with the past security alarm notification content and identifies the risk level of the received security alarm, and a notification unit (data conversion unit) that transmits an incident notification to a pre-registered report destination VoIP system and communication terminal devices 104a to 106a via a voice packet in accordance with the risk level of the received security alarm.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a security incident detection system connected to a security incident detection device.

  Information security incidents (also referred to simply as security incidents or incidents) are undesired or unexpected single or series of information security events that have a high probability of compromising business operations and threatening information security (ISO / IEC 17799). Examples of security incidents include service or facility outages, system malfunction, overload, viruses, worms, bots, and the like. For example, security events are correlated and standardized in order to prevent security incidents such as cyber attacks on various computer systems built in the company and leakage of customer information and confidential information to the outside. Information management (SIM: Security Information Management), security event management SEM (SEM: Security Event Management) that collects and aggregates security events, and security information event management (SIEM: Security Information and Event Management) Technology is used as a security incident detection device or system.

  For example, a security information event management device or system (hereinafter also referred to as a SIEM device) centrally manages log data of various connected network devices in a computer system and correlates in real time based on the log data. Analysis is performed, and a security alarm is displayed on the information terminal of the person in charge (operator) for an event that can be a threat. The person in charge determines whether there is an incident manually using the output security alarm. If it is further determined as an incident, the relevant security officers are contacted and each security officer handles the incident on the computer system.

  Patent Document 1 describes a logging system device for processing log data that is used together with a SIEM device.

Special table 2010-515172

  Even when the conventional logging system apparatus is introduced into the SIEM apparatus, it takes time for the person in charge to investigate the cause of the security alarm when the SIEM apparatus notifies the security alarm of a threatening event. Furthermore, there was a problem that it took time until the person in charge reported the survey results to the relevant places.

  The present invention has been made in view of the above-described conventional problems, and provides a security incident detection system capable of shortening the time for reporting a cause investigation result for a security alarm (also simply referred to as an alarm) notified from a SIEM device to various places. The purpose is to provide.

The security incident detection system according to the present invention includes an alarm reception unit that receives a security alarm from a security incident detection device via a network, compares the notification content of the received security alarm with the past security alarm notification content, and receives the received security alarm. An incident discriminator that identifies the risk level of
A notification unit configured to transmit an incident notification to a pre-registered report destination communication terminal device via a voice packet according to the received security alarm risk level.

  According to the present invention, since a security alarm of an event that is a threat notified from the SIEM device is provided with an incident determination unit and a report unit, the time for investigating the cause of the security alarm is shortened, and the telephone registered in advance Automatic transmission to a contact number such as a number can be realized.

It is a schematic explanatory drawing of the system configuration example which shows the security incident detection system of the Example of this invention. It is an operation | movement flowchart of the security incident detection system of the Example of this invention.

  Hereinafter, an example of a security incident detection system according to an embodiment of the present invention will be described with reference to the drawings. In addition, this invention is not limited to a following example.

[System configuration example]
FIG. 1 is a schematic explanatory diagram of a system configuration example showing a security incident detection system 100 according to an embodiment of the present invention. The security incident detection system 100 includes a SIEM device 101, an incident determination device 102, and a VoIP (Voice over Internet Protocol) system 103.

  As an example of the system configuration, an IP network IP is connected to the security incident detection system 100, and the communication terminal devices 104a, 105a, 106a of a plurality of security officers 104, 105, 106 connected to the network, It consists of a monitoring target device 107 and an operator terminal 108. The connection form of the IP network IP includes, for example, the public network such as a telephone line network and a satellite communication network, various LANs (Local Area Network), WAN (Wide Area Network), and VoPN (Voice over Packet Network). It may include a dedicated line network such as The IP network IP can be connected to communication terminals such as fixed telephones, mobile telephones, PHS telephones, mobile communication terminals, and personal computers. Note that a connection is made between the security incident detection system 100 and the IP network IP via a firewall (not shown).

  The monitoring target device 107 is a log management target device. For example, a server (LDAP server (Lightweight Directory Access Protocol), a RADIUS server (Remote Authentication Dial-in User Service)) that manages the authority of a firewall, a Web proxy server, and a system device. Including dial-up connection user authentication)), mail servers, database servers, file servers, client PCs (Personal Computers), such as servers, switches, routers, and intrusion prevention systems (IPS) included.

  The security officers 104, 105, and 106 are those in charge of dealing with security alarms. Information on the security officers 104, 105, and 106 is pre-registered in the incident discriminating apparatus 102 according to the incident response skill level, and the contact information of the operator is also pre-registered. A person-in-charge information file is constructed in the storage unit. The security officer information includes a security officer ID, a security officer name, an ID of the responsible system or server, a skill level evaluation according to the degree of risk, a telephone number as a contact for tracking the officer, and E- Mail addresses are registered in association with each other. In addition, an SNS (Social Network System) person in charge notification destination such as Twitter (registered trademark), Facebook (registered trademark), Line (registered trademark), or the like may be registered in the person-in-charge information file.

[SIEM equipment]
The SIEM device 101 collects log data output from the monitoring target device 107 and centrally manages them. Further, the SIEM apparatus 101 performs correlation analysis on the collected log data. The SIEM device 101 has a function of issuing an alarm when there is an event with a threat based on the result of the analysis of log data. The alarm 201 is warning information of an event that becomes a threat based on the result of the correlation analysis performed by the SIEM device 101. The SIEM device 101 may have a function of monitoring, maintaining, and operating the monitoring target device 107 by a user operation from the operator terminal 108.

  The hardware of the SIEM apparatus 101 can be realized by a computer apparatus in which a SIEM program controlled by a software operating system (OS) is installed. Although not shown, the SIEM device 101 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a hard disk device, a solid state drive (SSD), etc., and a CPU according to a program stored in the memory unit. Is a computer device that executes a SIEM process using a RAM as a work memory for primary storage. The SIEM device 101 also includes an input / output device such as a keyboard, a USB (Universal Serial Bus), and a network connection unit (NIC: Network Interface Card). Note that the SIEM apparatus 101 may be directly connected to the incident determination apparatus 102.

[Incident discrimination device]
The incident determination device 102 has a function of receiving and receiving an alarm 201 issued from the SIEM device 101 (accepting unit 102a). The incident determination device 102 has a function of receiving an alarm, automatically analyzing the contents of the alarm notification, and outputting a countermeasure 202 according to the degree of risk as a result of readable language information. The countermeasure 202 is analysis information including the incident risk level and the incident countermeasure as a result of analyzing the alarm output from the SIEM apparatus 101 by the incident discriminating apparatus 102.

  The incident determination device 102 includes an alarm comparison unit 203, a countermeasure determination unit 205, and a risk determination unit 207.

  The alarm comparison unit 203 stores a plurality of alarm notification contents that have occurred in the past. The alarm comparison unit 203 has a function of comparing new alarm notification contents newly input to the alarm comparison unit 203 with past alarm notification contents. The alarm comparison result 204 is a result of comparing an alarm newly input by the alarm comparison unit 203 with the past alarm notification content.

  The handling determination unit 205 holds a past corresponding item group corresponding to a comparison result of a plurality of past alarm notification contents inputted in the past. The handling determination unit 205 has a function of selecting a past corresponding item corresponding to new alarm notification contents from the stored past corresponding item group. The countermeasure 206 is a result of selecting a countermeasure by the countermeasure determining unit 205. The data file or database of the past correspondence item group is preferably constructed by associating a correspondence method using an alarm ID or the like according to the type of alarm output of the SIEM device 101. The response method is a specific action that should be taken by the security officer when an alert occurs.

  The risk level determination unit 207 stores the risk level for the past correspondence items stored in the countermeasure determination unit 205. The degree-of-risk determination unit 207 determines the degree of risk from the past correspondence items of the countermeasure 206.

The risk level determination unit 207 holds four-level data of risk levels 1 to 4. The meaning of the risk level is described below.
Risk 1: No effect.
Risk level 2: Continuous monitoring is required.
Risk 3: There is a trace of attack outside / inside, but there is a low possibility that information has been exploited.
Risk level 4: There is a trace of the attack outside / inside, and there is a high possibility that information has been exploited.

  The risk level determination unit 207 assigns the risk levels 1 to 4 based on the past alarm information and the countermeasures to the countermeasure plan 206, and also assigns security personnel according to the risk level.

  The data conversion unit 102b converts the countermeasure 202 (incident notification) including the risk level information into voice data so that it can be transmitted via the VoIP system 103, and transmits the voice data to the VoIP system 103 connected to the incident determination device 102. It is a notification part to do. The data conversion unit 102b also has a function of reporting an incident notification to the report destination communication terminal apparatuses 104a, 105a, and 106a as an e-mail or the like.

[VoIP system]
The VoIP system 103 converts the voice data of the analysis result countermeasure 202 output from the incident determination device 102 into voice packets, and distributes the VoIP to the communication terminal devices 104a, 105a, and 106a corresponding to the security personnel 104, 105, and 106a. That is, it is a notification unit that automatically transmits information of the countermeasure 202. As described above, the security incident detection system 100 can send the countermeasure 202 including the risk level information to the security officer based on the alarm information of the alarm 201 from the SIEM device 101.

(Description of operation)
The operation of the security incident detection system 100 will be described based on the configuration diagram of FIG. An operation flow diagram of the security incident detection system of this embodiment is shown in FIG.

  As shown in FIG. 2, the SIEM apparatus 101 performs correlation analysis from the retained log data (S1). When the SIEM device 101 detects an incident of a threat event in the correlation analysis (S2), the SIEM device 101 notifies the alarm 201 (S3).

  The alarm 201 is input to the reception unit 102a of the incident determination device 102. The receiving unit 102 a receives the alarm 201 and inputs the alarm 201 to the alarm comparison unit 203 inside the incident determination device 102.

  The alarm comparison unit 203 determines whether the received alarm is an alarm that has occurred in the past (S4). The alarm comparison unit 203 holds information on the contents of alarm notifications that have occurred in the past, and compares whether or not the contents of the past alarm notifications and the received alarm 201 are the same.

  When the alarm comparison unit 203 determines that the received alarm is an alarm that has occurred in the past (S4: Y), the alarm comparison result 204 of the comparison between the new alarm notification content and the past alarm notification content is sent to the handling determination unit 205. input.

  The handling determination unit 205 discriminates the input alarm comparison result 204, selects the handling measure 206 from the past handling item group held by itself, and outputs it (S5). The countermeasure determining unit 205 inputs the countermeasure 206 to the risk determining unit 207.

  The risk level determination unit 207 determines and assigns any one of the risk levels 1 to 4 from the four-level list data of the risk levels 1 to 4 held by the risk level determination unit 207 based on the countermeasure 206 and the past occurrence alarm information ( S6). When the risk level determination unit 207 assigns a risk level, the risk level determination unit 207 outputs, as a result of the risk level determination unit 207, an incident notification of the countermeasure 202 to which any risk level is added.

  The data converter 102b converts the incident notification into voice data so that it can be transmitted via the VoIP system 103 (S7), and transmits the incident notification voice data to the VoIP router of the VoIP system 103. The data conversion unit 102b can also report the incident notification to the report destination communication terminal devices 104a, 105a, 106a as an e-mail or the like.

  When the notification of the countermeasure 202 is transmitted to the VoIP system 103, the VoIP system 103 packetizes the voice data of the countermeasure 202 and sends it to the security officers 104, 105, and 106 registered in advance according to the degree of risk. Automatic transmission is performed (S8).

  Here, a case where the result of the alarm comparison unit 203 does not match the past alarm notification content will be described. That is, a case will be described where, in step S4, the alarm comparison unit 203 determines that there is no acceptance alarm in the alarm that has occurred in the past (S4: N).

  In this case, the alarm comparison unit 203 skips step S and assumes that the alarm comparison result 204 is “none”, assuming that the alarm 201 is an unknown alarm that is not included in the alarm information that has occurred in the past. "None" is also output to the risk determination unit 207.

  When a result indicating that there is no alarm comparison result 204 and countermeasure 206 is input to the risk determination unit 207, the risk determination unit 207 recognizes it as an unknown alarm, determines that the risk is 4 (S9), and determines the risk level. The incident notification of the added countermeasure 202 is output to the data conversion unit 102b.

  Thereafter, the data conversion unit 102b converts the incident notification determined to have a risk level of 4 into voice data so that it can be transmitted via the VoIP system 103 (S7), and the VoIP system 103 performs automatic transmission (S8). ).

  Here, for example, when the security officer 104 receives an incident notification determined as an unknown alarm (S10: Y), the security officer 104 performs an alarm analysis on the incident notification and the unknown alarm (S11). When the analysis is completed, a new analysis result is registered as feedback 208 to the incident determination device 102 (S12).

  The contents of the feedback 208 are as follows, for example. The incident determination device 102 receives and accepts the new analysis result registration issued from the security officer 104, and updates the past response item (S13). Specifically, the security officer 104 newly registers in the alarm comparison unit 203 via a Web page under SSL (Secure Sockets Layer) / TLS (Transport Layer Security) by the incident determination device 102. The security officer 104 newly registers in the countermeasure determination unit 205. The security officer 104 newly registers in the risk determination unit 207. If the security officer 104 receives the countermeasure 202 in step S10 (S10: N), the incident is dealt with accordingly and the process ends (S14). By executing the feedback 208, the incident determination device 102 is utilized as a database of past incidents and alarms, and when similar incidents and alarms occur, the security officer can refer to past countermeasures and the like. It becomes like this.

  According to the above embodiment, the alarm 201 output from the SIEM apparatus 101 is analyzed by the incident determination apparatus 102 with respect to the risk level and the countermeasure, and is distributed using the VoIP system 103 without human intervention. The time until the security officers 104, 105 and 106 are contacted can be greatly shortened.

  By automatically determining the alarm from the SIEM device 101, and further systematizing until the result of the automatic determination is communicated to the related parties, until now, the alarm from the SIEM device 101 is manually analyzed to contacted Man-hours can be reduced by about 50%.

  The present invention can be applied not only to the SIEM device but also to all information security devices or systems that output log data and alarms related to information security.

DESCRIPTION OF SYMBOLS 100 ... Security incident detection system, 101 ... SIEM apparatus, 102 ... Incident discrimination apparatus, 107 ... Monitoring object apparatus, 104a, 105a, 106a ... Communication terminal apparatus, 203 ... Alarm comparison part, 205 ... Countermeasure judgment part, 207 ... Risk level Judgment part.

Claims (6)

An alarm reception unit that receives a security alarm from a security incident detection device via a network, and an incident determination unit that compares the received security alarm notification content with the past security alarm notification content and identifies the risk level of the received security alarm When,
A security incident detection system comprising: a notification unit that transmits an incident notification to a pre-registered report destination communication terminal device via a voice packet in accordance with a risk level of the received security alarm; .   The incident determination unit holds the past security alarm notification content and the past response item corresponding thereto, selects the past response item corresponding to the received security alarm notification content, and selects the selected past The security incident detection system according to claim 1, wherein a response item is generated as a countermeasure, and the countermeasure is transmitted to the notifying unit together with the incident notification of a risk level of the accepted security alarm.   The said incident determination part hold | maintains the risk level item corresponding to the said past response item, and determines the said risk level item according to the said countermeasure as a risk level of the received security alarm, It is characterized by the above-mentioned. Item 3. The security incident detection system according to Item 2.   The said notification part has the conversion part which converts the said incident notification into audio | voice data so that it can transmit via a VoIP system, and the VoIP router which relays the said audio | voice data to the said network. The security incident detection system according to any one of claims 1 to 3.   The security incident detection system according to any one of claims 1 to 4, wherein the report destination communication terminal device is a fixed phone, a mobile phone, a PHS phone, a mobile communication terminal, or a personal computer.   The security incident detection system according to claim 1, wherein the notification unit has a function of reporting the countermeasure to the report destination communication terminal device as an e-mail.