JP2019204389A - Security management server, security management method, and security management program - Google Patents

Abstract

To enable appropriate evaluation about security fraud of a user.SOLUTION: A management server 10 includes: a data processing section 13d for acquiring a plurality of types of logs for each user; a first analysis section 13a which calculates an average number of operations by user for each operation in a predetermined period within a target period and an average number of operations by type for each operation of the plurality of types for a plurality of users corresponding to a security policy on the basis of the logs, and analyzes a first type score for each user on the basis of the average number of operations by type and the average number of operations by user; a second analysis section 13a which analyzes a second type score for each user on the basis of the number of appearance of a keyword to determine fraud in the target period on the basis of the plurality of types of logs; a determination section 13c which determines a score for each user on the basis of the first type score and the second type score for each user; and the data processing section 13d which stores the score and the user associated with each other.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for managing security in a user system having a plurality of client terminals.

  In a user system having a plurality of client terminals, in order to deal with fraud such as information leakage by each user or fraud from outside, fraud is detected or fraud risk is analyzed. Yes.

  For example, as a technology related to security analysis or the like, for example, Non-Patent Document 1 discloses a system that analyzes and displays a security risk by each user in the system.

Exabeam Security Intelligence Platform, [Search May 15, 2018], Internet (URL: https://www.exabeam.com)

  For example, in order to detect or analyze security fraud, for example, a log in a user system may be used. In the user system, various logs are managed in various places, but when detecting and analyzing security fraud, it is not possible to say that these various logs are being used effectively. Using these various logs, it is required to more effectively evaluate security fraud related to users.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a technique that makes it possible to easily and appropriately evaluate a user's security fraud.

  In order to achieve the above object, a security management server according to one aspect is a security management server for managing security in a user system having a plurality of client terminals, and acquires a plurality of types of logs of each user using the client terminals. Based on the log acquisition unit and the plurality of types of logs, the average number of operations per user, which is the average number of operations of each of the plurality of types of operations in a predetermined period within the target period for each user, Calculate the average number of operations by type, which is the average number of operations for each of multiple types of operations for a plurality of users corresponding to the security policy set for the user during a given period. Based on the number of operations, the first about the security fraud of each user A first type score analysis unit that analyzes a score, and a second type of security fraud for each user based on the number of appearances of a predetermined keyword for judging fraud in the target period based on a plurality of types of logs A second type score analysis unit that analyzes the score, a score integration unit that determines a score relating to security fraud for each user based on the first type score and the second type score for each user; A storage control unit that stores the score obtained in association with the user.

  According to the present invention, it is possible to easily and appropriately evaluate a user's security fraud.

FIG. 1 is a configuration diagram of a management system for a computer system according to an embodiment. FIG. 2 is a configuration diagram of a customer system of a computer system according to an embodiment. FIG. 3 is a configuration diagram of a customer personnel data table according to an embodiment. FIG. 4 is a configuration diagram of the employee-specific score table according to the embodiment. FIG. 5 is a configuration diagram of an in-house / organization tendency table according to an embodiment. FIG. 6 is a configuration diagram of a tendency table by position / employment type according to an embodiment. FIG. 7 is a configuration diagram of a tabulation table for each employee according to an embodiment. FIG. 8 is a configuration diagram of an average value table according to an embodiment. FIG. 9 is a configuration diagram of a weighting rule table according to an embodiment. FIG. 10 is a configuration diagram of a temporary score table according to an embodiment. FIG. 11 is a configuration diagram of an integrated score table according to an embodiment. FIG. 12 is a configuration diagram of a policy rule table according to an embodiment. FIG. 13 is a configuration diagram of a baseline table according to an embodiment. FIG. 14 is a first configuration diagram of log data according to an embodiment. FIG. 15 is a second configuration diagram of log data according to an embodiment. FIG. 16 is a flowchart of security management processing according to an embodiment. FIG. 17 is a configuration diagram of a policy configuration file according to an embodiment. FIG. 18 is a flowchart of security information display processing according to an embodiment. FIG. 19 is a diagram illustrating a security information screen according to an embodiment.

  Embodiments will be described with reference to the drawings. The embodiments described below do not limit the invention according to the claims, and all the elements and combinations described in the embodiments are essential for the solution of the invention. Is not limited.

  In the following description, information may be described using the expression “AAA table”, but the information may be expressed in any data structure. That is, the “AAA table” can be referred to as “AAA information” to indicate that the information does not depend on the data structure.

  FIG. 1 is a configuration diagram of a management system for a computer system according to an embodiment, and FIG. 2 is a configuration diagram of a customer system for the computer system according to an embodiment.

  A computer system 1 according to an embodiment includes a management system 2 and one or more customer systems 3 (user systems). The management system 2 and the customer system 3 are connected via a network 40. The network 40 is, for example, the Internet, but may be another network.

  The management system 2 includes a management server 10 as an example of a security management server, a DB (Data Base) server 20, and one or more log collection servers 30. The management server 10, the DB server 20, and one or more log collection servers 30 are connected via an internal network 35. The internal network 35 may be a wired LAN (Local Area Network) or a wireless LAN.

  The management server 10 includes, for example, a PC (Personal Computer), a general-purpose computer, and the like, and includes an input unit 11, a storage unit 12, a processor 13, a display unit 14, and a communication unit 15.

  The processor 13 executes various processes according to a program stored in the storage unit 12. In the present embodiment, the processor 13 executes the program 12a in the storage unit 12 to thereby execute a first analysis unit 13a as an example of the first type score analysis unit and a second analysis as an example of the second type score analysis unit. The unit 13b, the determination unit 13c, and the data processing unit 13d are configured. The determination unit 13c is an example of a score integration unit, a policy element setting determination unit, and a threshold information reception unit. The data processing unit 13d is an example of a storage control unit, a policy rule storage control unit, an information output unit, and a policy element setting transmission unit.

  The 1st analysis part 13a determines the score (1st type score) of each employee (user) by the behavior anomaly detection type | mold analysis process mentioned later. The first analysis unit 13a functions as AI (Artificial Intelligence). The 2nd analysis part 13b determines the score (2nd type score) of each employee by the weight type | mold analysis process mentioned later. The second analysis unit 13b functions as an AI. The determination unit 13c determines the score (integrated score) of each employee based on the first type score and the second type score. The data processing unit 13d executes log data aggregation, processing for generating a screen based on various tables, and the like. Details of these components will be described later.

  The storage unit 12 is, for example, a RAM (Random Access Memory), a hard disk, a flash memory, or the like, and stores a program executed by the processor 13 and data used by the processor 13. In the present embodiment, the storage unit 12 stores a program (security management program) 12 a executed by the processor 13.

  The input unit 11 is a mouse, a keyboard, or the like, for example, and accepts an operation input by an administrator of the management server 10. The display unit 14 is, for example, a display device such as a liquid crystal display, and displays and outputs various types of information. The communication unit 15 is a communication interface such as a wired LAN card or a wireless LAN card, for example, and is connected to another device (for example, the DB server 20, the log collection server 30, the customer system 3 side) via the internal network 35, the network 40, and the like. , Etc.).

  The DB server 20 is a server that manages information such as tables used by the processing of the management server 10, and is composed of, for example, a PC having a processor, a storage device, etc., a general-purpose computer, and the like. DB22 for use.

  The communication processing unit 21 performs processing for transmitting and receiving information between the analysis DB 22 and other devices. In the present embodiment, the communication processing unit 21 extracts information from various tables in response to a request from the management server 10 and transmits the information to the management server 10, or receives information from the management server 10 and stores it in the various tables.

  The analysis DB 22 includes an employee-by-employment totaling table 221, a customer personnel data table 222, a position / employment form-specific tendency table 223, an in-house / organization tendency table 224, a weighting rule table 225, a baseline table 226, and a temporary table. The score table 227, the employee-specific score table 228, the average value table 229, the policy rule table 230, and the integrated score table 231 are stored. The configuration of these tables will be described later.

  The log collection server 30 is a server that collects log data of the customer system 3, and is provided, for example, for each customer system. The log collection server 30 includes, for example, a PC including a processor and a storage device, a general-purpose computer, and the like, and includes a communication processing unit 31 and a log DB 32.

  The communication processing unit 31 performs processing for transmitting and receiving information between the log DB 32 and other devices. In the present embodiment, the communication processing unit 31 acquires various logs in the customer system 3 from the log relay server 50 of one customer system 3 in charge, and stores them in the log DB 32. In addition, the communication processing unit 31 acquires log data from the log DB 32 according to an instruction from the management server 10 and transmits the log data to the management server 10.

  The log DB 32 stores various log data 33 (log data 331, 332, etc.) acquired from the customer system 3.

  The customer system 3 includes a log relay server 50, a security server 60, one or more client terminals 70, a mail server 81, a proxy server 84, a firewall (FW) 87, and a file server 90. In the present embodiment, the internal network 41 and the internal network 42 are connected to the network 40 via the firewall 87. The log relay server 50, the security server 60, one or more client terminals 70, the firewall 87, and the file server 90 are connected via the internal network 41. In addition, the mail server 81, the proxy server 84, and the firewall 87 are connected via the internal network 42.

  The client terminal 70 is composed of, for example, a PC including a processor, a storage device, and the like, and includes a security agent unit 71 and a storage unit 72. The security agent unit 71 sets an operation related to the security of the client terminal 70 in accordance with an instruction from the security server unit 61 of the security server 60. In addition, the security agent unit 71 stores log data indicating the operation contents of the user in the storage unit 72 and transmits the log data to the security server 60.

  The firewall 87 controls communication among the network 40, the internal network 41, and the internal network 42.

  The proxy server 84 performs processing for proxying communication via the network 40 of each client terminal 71. In the present embodiment, the proxy server 84 stores log data 86 in the processing in the storage unit 85.

  The mail server 81 performs transmission / reception processing of mail (electronic mail) via the network 40. In the present embodiment, the mail server 81 stores log data 83 in mail transmission / reception processing in the storage unit 82.

  The log relay server 50 includes, for example, a PC including a processor and a storage device, a general-purpose computer, and the like, and includes a log relay unit 51 and a storage unit 52. The log relay unit 51 collects various log data 53 in the customer system 3 and stores it in the storage unit 52. In this embodiment, the log relay unit 51 includes log data 63 stored in the storage unit 62 of the security server 60, log data 83 stored in the storage unit 82 of the mail server 81, and storage of the proxy server 84. The log data 86 stored in the unit 85 and the log data 89 stored in the storage unit 88 of the firewall 87 are collected and stored. In addition, the log relay unit 51 transmits the log data 53 stored in the storage unit 52 to the log collection server 30 of the management system 2 for managing the log data of the customer system 3 to which the log relay unit 51 belongs via the network 40. To do.

  The file server 90 includes, for example, a PC including a processor and a storage device, a general-purpose computer, and the like, and includes a storage unit 91 that stores file data.

  The security server 60 includes, for example, a PC including a processor and a storage device, a general-purpose computer, and the like, and includes a security server unit 61 and a storage unit 62. The storage unit 62 stores log data 63 of each employee collected from the client terminal 70 and a baseline table 64. When the security server unit 61 accepts an employee login request (employee number and password) from the security agent unit 71 and is authenticated, the security server unit 61 refers to the baseline table 64, and in accordance with the contents of the policy for the employee, the security agent unit An instruction to make the security setting to 71 is transmitted. Further, the security server unit 61 instructs the security agent unit 71 to transmit log data of the employee, acquires the log data 73 via the security agent unit 71, and stores the acquired log data 73 in the storage unit 62. The baseline table 64 is set in advance by the administrator of the security server 60, and thereafter updated to the content transmitted from the management server 10. The baseline table 64 has the same field configuration as the baseline table 226 described later.

  Next, various tables stored in the DB server 20 will be described.

  FIG. 3 is a configuration diagram of a customer personnel data table according to an embodiment.

  The customer personnel data table 222 is a table provided for each customer system 3 and stores an entry for each employee in the corresponding customer system 3. The customer personnel data table 222 is acquired as data from the customer system 3 or created based on information from the customer of the customer system 3, for example. The entry of the customer personnel data table 222 includes fields of employee number 222a, name 222b, job title 222c, affiliation 222d, application policy 222e, mail address 222f, work shift 222g, and others 222h.

  The employee number 222a stores the employee number (identification information) of the employee corresponding to the entry. The name 222b stores the name of the employee corresponding to the entry. The job title 222c stores the job title of the employee corresponding to the entry. The affiliation 222d stores the affiliation (department) name of the employee corresponding to the entry. The application policy 222e stores the name of the security policy (security policy) applied to the employee corresponding to the entry. The email address of the employee corresponding to the entry is stored in the email address 222f. The work shift of the employee corresponding to the entry is stored in the work shift 222g. The other 222h stores special notes about the employee corresponding to the entry. As a special note, for example, there is a scheduled date when an employee leaves the company.

  FIG. 4 is a configuration diagram of the employee-specific score table according to the embodiment.

  The employee-specific score table 228 is a table provided for each customer system 3 and stores an entry for each employee in the corresponding customer system 3. The entry of the employee-specific score table 228 includes the following fields: employee number 228a, take-out count 228b, prohibited act count 228c, consistency unmatch 228d, monitor folder operation 228e, monitor flag 228f, and score 228g. Including.

  The employee number of the employee corresponding to the entry is stored in the employee number 228a. The number of take-out times 228b is determined by the employee corresponding to the entry in a predetermined period (target period: for example, 1 month, 3 months, etc.) during a predetermined period (counting unit: for example, 1 day, 1 week, etc.) The number of times the data is taken out (or the average value thereof) is stored. The number of prohibited actions 228c stores the number of prohibited actions (or an average value thereof) performed by the employee corresponding to the entry during a predetermined period within a predetermined target period. The consistency unmatch 228d stores the number of times (or the average value) that the consistency corresponding to the operation performed by the employee corresponding to the entry in the predetermined target period during the predetermined period. An example of an operation that does not match consistency is, for example, that an employee is logged out, but an operation of referring to a file that cannot normally occur at the time of logout is performed. In the operation 228e to the monitoring folder, the number of times (or an average value thereof) the employee corresponding to the entry performs an operation on the folder (monitoring folder) set as the monitoring target in the predetermined period. Stored. The monitoring flag 228f stores a flag (monitoring flag) indicating whether or not the employee corresponding to the entry is a monitoring target that requires security monitoring. For example, the monitoring flag is set to “1” when the employee is a monitoring target, and is set to “0” when the employee is not the monitoring target. The score 228g stores a score relating to security fraud for the employee corresponding to the entry. In the present embodiment, the score becomes higher as the possibility of fraud in security is higher.

  FIG. 5 is a configuration diagram of an in-house / organization tendency table according to an embodiment.

  The in-house / organization tendency table 224 is a table provided for each customer system 3 and stores an entry for each customer department (affiliation) in the corresponding customer system 3. The entries in the in-house / organization tendency table 224 include fields of affiliation 224a, number of people to be monitored 224b, tendency number of people Chaos 224c, trend number of people Neutral 224d, trend number of people Law 224e, and monitoring regular number of people 224f.

  The department name corresponding to the entry is stored in the affiliation 224a. The number of monitoring target persons 224b stores the number of monitoring target persons in the department corresponding to the entry. The number of employees Chaos 224c stores the number of employees who tend to be chaotic about security in the department corresponding to the entry. The number of employees Neutral 224d stores the number of employees who tend to be neutral with respect to security in the department corresponding to the entry. The number of employees with tendency tendency regarding security in the department corresponding to the entry is stored in the tendency number Law 224e. The monitoring regular number of people 224f stores the number of people who need to be monitored multiple times in the past predetermined period (for example, one year) in the department corresponding to the entry.

  FIG. 6 is a configuration diagram of a tendency table by position / employment type according to an embodiment.

  The tendency / employment form tendency table 223 is a table provided for each customer system 3 and stores an entry for each position or employment form in the corresponding customer system 3. The entries in the position / employment type tendency table 223 include fields of a position or employment form 223a, a monitoring target number 223b, a trending number Chaos 223c, a trending number Neutral 223d, a trending number Law 223e, and an audit regular number 223f. .

  The title or employment form 223a stores the name of the post or employment form corresponding to the entry. The number of persons to be monitored 223b stores the number of persons to be monitored in the post or employment form corresponding to the entry. The tendency number of people Chaos 223c stores the number of employees who tend to be chaotic about security in the post or employment form corresponding to the entry. The trend number Neutral 223d stores the number of employees who tend to be neutral with respect to security in the post or employment format corresponding to the entry. The number of employees in the tendency number Law 223e stores the number of employees who have an order tendency with respect to security in the post or employment form corresponding to the entry. The monitoring regular number of persons 223f stores the number of persons that need to be monitored a plurality of times in the past predetermined period (for example, one year) in the post or employment form corresponding to the entry.

  FIG. 7 is a configuration diagram of a tabulation table for each employee according to an embodiment.

  The employee total table 221 is a table provided for each customer system 3 and stores an entry for each employee in the corresponding customer system 3. The entry of the employee total table 221 includes employee number 221a, policy 221b, print-success 221c, print-failure 221d, removable take-out success 221e, removable take-out failure 221f, and PC operation-action time. 221g and PC operation-behavior time 221h are included.

  The employee number 221a stores the employee number of the employee corresponding to the entry. The policy 221b stores the name of the policy assigned to the employee corresponding to the entry. The print-success 221c stores the number of times (or the average value) that the employee corresponding to the entry succeeded in executing printing in a predetermined target period. Stored in the print-failure 221d is the number of times (or the average value) of failure of the employee corresponding to the entry executing printing in a predetermined period of a predetermined target period. The removable removal-success 221e stores the number of times (or the average value) that the employee corresponding to the entry has successfully stored the data in the removable medium (portable storage medium) in the predetermined period of the predetermined target period. The In the removable removal-failure 221f, the number of times (or the average value thereof) that the employee corresponding to the entry failed to store data in the removable medium in a predetermined period of the predetermined target period is stored. The PC operation-behavior time 221g stores the number of times (or the average value) the PC corresponding to the entry performs the PC operation within the action period during the predetermined period. The PC operation-behavior time outside 221h stores the number of times (or the average value) that the employee corresponding to the entry performed the PC operation outside the action time during a predetermined period of the predetermined target period.

  FIG. 8 is a configuration diagram of an average value table according to an embodiment.

  The average value table 229 is a table provided for each customer system 3 and stores an entry for each policy in the corresponding customer system 3. The entries in the average value table 229 include a policy 229a, a print-success 229b, a print-failure 229c, a removable take-out 229d, a removable take-out 229e, a PC operation-activity time 229f, and a PC operation- It includes a field of 229g outside of action time.

  The policy 229a stores the name of the policy corresponding to the entry. The print-success 229b stores an average value of the number of times printing has been successfully executed for a predetermined period (total unit) for the employee for whom the policy corresponding to the entry is set. The target period for which the average value is taken may be any period, for example, the target period. The same applies to the other average values below. Stored in the print-failure 229c is an average value of the number of times printing failed for a predetermined period for an employee for whom a policy corresponding to the entry is set. In the removable removal-success 229d, an average value of the number of times that data has been successfully stored in the removable medium in a predetermined period for the employee for whom the policy corresponding to the entry is set is stored. In the removable removal-failure 229e, an average value of the number of times data storage to the removable media has failed for a predetermined period for an employee for whom a policy corresponding to the entry is set is stored. Stored in the PC operation-behavior time 229f is an average value of the number of times the PC operation is performed within the action time for the employee for whom the policy corresponding to the entry is set. The PC operation-outside action time 229g stores an average value of the number of times the PC operation is performed outside the action time for a predetermined period for the employee for whom the policy corresponding to the entry is set.

  FIG. 9 is a configuration diagram of a weighting rule table according to an embodiment.

  The weighting rule table 225 stores an entry for each rule when executing a weighting type analysis process described later. The entries of the weighting rule table 225 include a rule type 225a, a log type 225b, a keyword 225c, a description 225d, and a weight score 225e.

  The rule type 225a stores the rule type (rule type) corresponding to the entry. As the rule type, “URL” indicating a rule related to access to a URL (Uniform Resource Locator), “SHAREFOLD” indicating a rule related to a shared folder, “FILETYPE” indicating a rule related to a file, and “TIME_RANGE” indicating a rule related to a time range. And “MAIL_DOM” indicating a rule regarding a mail transmission destination. The log type 225b stores the type of log data (log type) to which the rule corresponding to the entry is applied. As the log type, “PROXY” indicating log data of the proxy server 84, “ACCESS” indicating log data for accessing a file, etc., “ALL” for all log data, mail server There are “MAIL” indicating 81 log data. The keyword 225c stores a keyword to which a score is added in the rule corresponding to the entry. The description 225d stores a description of the rule corresponding to the entry. The weight score 225e stores a score value (weight score) that is added when one log corresponds to the rule corresponding to the entry. Since the amount of log data to be processed has a large amount, it is preferable that the weight score added for each piece of log data is a small value.

  The contents of each entry in the weighting rule table 225 may be received from an administrator via, for example, a Web user interface (for example, by an operation by the input unit 11 of the management server 10).

  FIG. 10 is a configuration diagram of a temporary score table according to an embodiment.

  The temporary score table 227 is a table that is provided for each customer system 3 and is temporarily created for each predetermined target period. The temporary score table 227 stores an entry for each employee of the customer of the corresponding customer system 3. The entries in the temporary score table 227 include entries for an employee number 227a and a score 227b. The employee number 227a stores the employee number of the employee corresponding to the entry. The score 227b stores a score that is aggregated by the weighted analysis processing for the employee corresponding to the entry. Here, the score of the score 227b after the weighted analysis processing is performed on all the log data to be processed corresponds to the second type score. The value of the score 227b in the temporary score table 227 is initialized to 0 when a new target period starts.

  FIG. 11 is a configuration diagram of an integrated score table according to an embodiment.

  The integrated score table 231 is provided for each customer system 3, and scores based on behavioral anomaly detection type analysis processing and weighted type analysis processing for each employee of the customer of the corresponding customer system 3 in a predetermined target period ( This is a table for managing integrated scores. The integrated score table 231 stores an entry for each employee of the customer of the corresponding customer system 3. The entry of the integrated score table 231 includes an entry of an employee number 231a and a score 231b. The employee number 231a stores the employee number of the employee corresponding to the entry. The score 231b includes a score (integrated score) obtained by integrating the score (first type score) of the behavior anomaly detection type analysis process for the employee corresponding to the entry and the score (second type score) of the weight type analysis process. Stored

  FIG. 12 is a configuration diagram of a policy rule table according to an embodiment.

  The policy rule table 230 is a table that is provided for each of the customer systems 3 and manages rules for determining setting contents for policy elements constituting the policy. The policy rule table 230 stores entries corresponding to policy elements included in the policy in the security server 60 of each customer system 3. The entry of the policy rule table 230 includes a policy element 230a, a rule 230b, and setting contents 230c.

  The policy element 230a stores the name of the policy element corresponding to the entry. The rule 230b stores a threshold condition for a score (integrated score) for determining setting contents of a policy element. The setting content 230c stores setting content to be set as a policy element when the threshold condition corresponding to the entry is satisfied. For example, when the integrated score for a certain employee is 90, the rule of the second entry (less than 120: here, 80 (the threshold value of the rule of the immediately preceding entry related to the same policy element)) is less than 120. Therefore, “Normal” is set for the log acquisition level.

  Regarding the rules and setting contents of the policy rule table 230, for example, via the Web user interface (for example, an input screen is displayed on the display device 14 of the management server 10 and an operation by the input unit 11 of the management server 10 is accepted. May be accepted from the administrator.

  FIG. 13 is a configuration diagram of a baseline table according to an embodiment.

  The baseline table 226 is a table that is provided for each customer system 3 and manages policy setting contents for each employee of the customer of the customer system 3. The baseline table 226 has the same field configuration as the baseline table 64. After the baseline table 226 is updated, the entire table or the contents of the table are transmitted to the security server 60, and the security server 60 At 60, the contents of the baseline table 64 are updated to the same state as the bale sign table 226.

  The baseline table 226 stores an entry for each employee of the customer of each customer system 3. The entries in the baseline table 226 include entries for an employee number 226a, a score 226b, a log acquisition level 226c, an action tendency 226d, an agent notification 226e during an illegal action, a monitoring flag 226f, and a mirroring 226g.

  The employee number of the employee corresponding to the entry is stored in the employee number 226a. The score 226b stores a score (integrated score) for the employee corresponding to the entry. The log acquisition level 226c stores a level related to log data collection. In the present embodiment, the higher the level, the more detailed the log data to be acquired. The behavior tendency 226d stores a behavior tendency regarding the security of the employee corresponding to the entry. The behavior tendency includes “Chaos” indicating disordered tendency, “Law” indicating orderly tendency, and “Nutral” indicating neutral tendency. The agent notification 226e at the time of illegal behavior stores a setting as to whether or not the security server 60 is notified by the agent (security agent unit 71) at the time of the illegal behavior of the employee corresponding to the entry. The setting includes “TRUE” indicating that notification is performed by the agent at the time of illegal behavior and “FALSE” indicating that notification is not performed. The monitoring flag 226f stores a flag (monitoring flag) indicating whether or not the employee corresponding to the entry is a monitoring target. For example, the monitoring flag is set to “1” when the employee is a monitoring target, and is set to “0” when the employee is not the monitoring target. The mirroring 226g stores a setting indicating whether or not the data taken out is mirrored on the file server 90 when the employee corresponding to the entry is a monitoring target. For example, “TRUE” is set in the mirroring 226g when mirroring is performed, and “FALSE” is set when mirroring is not performed.

  Next, log data collected by the customer system 3 and aggregated in the management system 2 will be described. Regarding log data, the log format differs depending on the device or the like that outputs the log data, and the customer system 3 has various log data. Hereinafter, some of the log data will be described.

  FIG. 14 is a first configuration diagram of log data according to an embodiment. In FIG. 14, one log data corresponds to one entry in the illustrated table. One log data is not limited to a table entry format, and may be a text format (for example, CSV format) in which elements are separated by a delimiter (delimiter).

  The log data 331 is log data related to operations using the client terminal 70, and includes fields of date / time 331a, employee number 331b, use terminal 331c, policy 331d, action 331e, and result 331f. The date and time 331a stores the date and time when the operation (action) corresponding to the log data has occurred. The employee number 331b stores the employee number of the employee who performed the action corresponding to the log data. The usage terminal 331c stores the identification number of the client terminal 70 used for the action corresponding to the log data. The policy 331d stores the name of the security policy set for the employee who has performed the action corresponding to the log data. The action 331e stores the contents of the action corresponding to the log data. The result 331f stores the result of the action corresponding to the log data (for example, success, failure, etc.).

  Next, another type of log data will be described.

  FIG. 15 is a second configuration diagram of log data according to an embodiment.

  The log data 332 is log data related to operations on files and folders, and includes fields of date and time 332a, employee number 332b, use terminal 332c, operation 332d, operation target 332e, and attribute 332f. The date and time 332a stores the date and time when the operation (action) corresponding to the log data has occurred. The employee number 332b stores the employee number of the employee who performed the operation corresponding to the log data. The usage terminal 332c stores the identification number of the client terminal 70 used for the operation corresponding to the log data. The action 332d stores the contents of the action corresponding to the log data. The operation target 332e stores information indicating an action target (operation target) corresponding to the log data. The attribute 332f stores an attribute for the operation target. As attributes, there are “SECRET” indicating that the operation target is secret, “RELEASE” indicating that the operation target is free, and the like.

  Next, each part comprised by the processor 13 of the management server 10 of the management system 2 is demonstrated in detail.

  The data processing unit 13d creates the employee-specific score table 228 based on log data (processing target log data) in a predetermined determination target period (for example, one week, one month, three months, etc.). Specifically, an employee-specific score table 228 (no entry) is prepared, and an entry corresponding to each employee in the customer personnel data table 222 is added. Next, the data processing unit 13d refers to the contents of the processing target log data, and if there is log data on data take-out, prohibited action, consistency mismatch, operation on the monitoring folder, etc. in the processing target log data, Aggregation processing is performed in which the value of the corresponding field in the employee entry corresponding to the data is added. For example, when the log data is log data related to data takeout, the data processing unit 13d adds 1 to the value of the entry takeout count 228b for the employee corresponding to the log data. If the log data includes data that has been taken out and the operation is NG, the data processing unit 13d adds 1 to the value of the number of entry prohibited actions 228c.

  In this way, by executing the aggregation process for all the processing target log data in the predetermined period (aggregation unit) in the determination target period, the aggregation value for each operation for each employee in the aggregation unit is aggregated. The Rukoto. The data processing unit 13d performs such processing for each of the plurality of aggregation units, and stores the average value of the values in the corresponding field of the employee-specific score table 228. Further, the data processing unit 13d stores a value obtained by adding the values of the fields 228b to 228e in the score 228g in the entry. Further, the data processing unit 13d sets the monitoring flag to “1” meaning that the monitoring target is to be monitored when the value of the score 228g is equal to or greater than a predetermined threshold.

  Further, the data processing unit 13d determines whether the security operation tendency of each employee is Chaos, Neutral, or Law based on the score of each employee in the employee-specific score table 228, and the customer personnel data table Referring to 222, an in-house / organization tendency table 224 is generated by counting by department, and a tendency table 223 by position / employment form is generated by counting by position. Note that the data processing unit 13d displays a screen showing the number of trends by department and the number of trends by job / employment type based on the generated in-house / organization trend table 224 or trend table by job / employment type 223. It may be created and displayed on the security server 60.

  The first analysis unit 13a calculates an average value of operation times (average operation frequency by type) in a predetermined period (for example, one day, one week) for each of a plurality of types of operation contents for each policy from the log data. Detecting that the average number of operations (average number of operations per user) in a predetermined period for a plurality of types of operation contents deviates from the average number of operations for each type by a predetermined value or more and deviates by more than a predetermined value Is added to the user's score to execute a process (behavior anomaly detection type analysis process) for determining each employee's score (first type score).

  Specifically, the first analysis unit 13a first determines a plurality of types of operation contents for each policy from the log data (for example, printing-success, printing-failure, removable take-out-success, removable take-out-failure, An average value of the number of operations in a predetermined period (for example, one day, one week) for each of the PC operation-behavior time and the PC operation-outside the action time is specified, and the average value of these operation times is stored in the average value table 229 ( It is stored in each field corresponding to the operation content of the entry corresponding to the policy of FIG. Note that the period to be targeted for specifying the average value in the predetermined period may be the determination target period or may be a period longer than the determination target period.

  Next, the first analysis unit 13a calculates an average value of the number of operations in a predetermined period for each of a plurality of types of operation contents for each employee from a plurality of log data, and the average value of these operations is calculated for the employee total table 221 ( (See FIG. 7), the information is stored in each field corresponding to the operation content of the entry corresponding to the employee.

  Next, the first analysis unit 13a acquires the entry of each employee in the employee totaling table 221 and refers to the average value table 229. For each operation content in the entry, the average value corresponds to the average value table 229. If the difference from the average value of the operation content is greater than or equal to a predetermined value, the score for this employee is added (for example, a predetermined value or a value corresponding to the difference is added), and processing for all operation content is performed. The score (first type score) after the completion is stored in the score 228g of the employee-specific score table 228, for example.

  Here, according to the score determination method by the first analysis unit 13a, the average number of operations for each type is calculated for a plurality of employees who have similar work styles (work styles in which log data is similar). Then, the security score can be calculated with higher accuracy. On the other hand, if the average number of operations for each type is calculated for a plurality of employees whose work styles vary, that is, the daily behavior varies greatly, the accuracy of the security score may be lowered. Therefore, in the present embodiment, not only the score (first type score) by the first analysis unit 13a but also the score (second type score) by the second analysis unit 13b to be described later is combined (score of each employee) (integrated score). To decide.

  The second analysis unit 13b executes the execution of notable operation content (for example, operation content that should not be performed) set in the weighting rule table 225 for a plurality of log data in the determination target period (target period). A process (weighted analysis process) for determining a score (second-type score) for each employee is executed by counting the weight score corresponding to the content for each employee in the temporary score table 227. Since the contents set in the weighting rule table 225 can be determined for each customer, an appropriate score counting method can be set in accordance with the customer's security concept and operation.

  Since the second analysis unit 13b sets the score according to the preset weighting rule table 225, the second analysis unit 13b performs scoring for access to an unknown element that is not registered in the weighting rule table 225, for example. Can not. On the other hand, for example, the second analysis unit 13b identifies an employee who has a high possibility of fraud (for example, an employee with a high score) and analyzes which element is accessed from the log data of the identified employee. Then, an entry about an element suspected of having a problem may be added to the weighting rule table 225.

  The determination unit 13c determines an integrated score of each employee based on the first type score determined by the first analysis unit 13a and the second type score determined by the second analysis unit 13b, and determines the integrated score. Stored in the score 231 b of each employee entry in the integrated score table 231. In the present embodiment, the determination unit 13c adds the first type score and the second type score to obtain an integrated score. However, the present invention is not limited to this. Also good.

  Next, the processing operation in the management system 2 will be described.

  FIG. 16 is a flowchart of security management processing according to an embodiment.

  Here, before the security management process is started, the log collection server 30 receives various log data from the log relay server 50 and stores them in the log DB 32. Thereafter, for example, every predetermined time, for example. The log data is received from the log relay server 50 and stored in the log DB 32.

  First, the data processing unit 13d of the management server 10 creates the employee-specific score table 228 based on log data (processing target log data) in a predetermined determination target period (for example, one week, one month, etc.) (S11). ).

  Next, the first determination unit 13a determines the first type score of each employee by executing the behavior anomaly detection type analysis process, and the second determination unit 13b performs each of the weight type analysis processes by executing the weight type analysis process. The second type score of the employee is determined, and the determination unit 13c determines an integrated score of each employee based on the first type score and the second type score, and determines the integrated score of each employee in the integrated score table 231. The entry is stored in the score 231b (S12).

  Next, the determination unit 13c acquires a policy configuration file 250 (see FIG. 17: policy configuration information) indicating the policy configuration in the baseline table 64 from the security server 60, and based on the policy configuration file 250, the policy rule table 230. Are created (S13). At this time, no value is set in the rule 230b in the entry of the policy rule table 230.

  Here, the policy configuration file 250 will be described.

  FIG. 17 is a configuration diagram of a policy configuration file according to an embodiment.

  The policy configuration file 250 is information indicating the configuration of the policy included in the baseline table 64 used by the security server 60. Specifically, the policy configuration file 250 includes policy elements (policy elements) included in the baseline table 64, that is, policy elements (log acquisition level, behavior tendency, fraudulent) constituting a part of entries. (Agent notification at the time of action, monitoring flag, mirroring) and a plurality of setting values set in each policy element are included. According to this policy configuration file 250, it is possible to specify what kind of policy element exists and what value is set. In the policy configuration file 250 shown in FIG. 17, for example, it is understood that the behavior tendency of the policy element takes Law, Neutral, and Chaos as set values.

  Returning to the description of FIG. 16, the determination unit 13c sets the threshold value for the score for the rule 230b of each entry in the policy rule table 230, thereby creating the policy rule table 230 in a complete state (S14). The score threshold may be determined by a predetermined algorithm, or input from an administrator may be received via the input unit 11.

  Next, the determination unit 13c creates a baseline table 226 based on the policy configuration file 250 (S15). Specifically, the determination unit 13c creates a baseline table 226 including an employee number 226a, a score 226b, and a field (226c to 226g) of each policy element included in the policy configuration file 250. Add an entry. Next, the determination unit 13c sets the value (integrated score) of each employee's score 231b in the integrated score table 231 in the score 226b of each entry. Next, the determination unit 13c refers to the policy rule table 230, determines the setting contents of each policy element based on the integrated score, and stores the determined setting contents in the fields (226c to 226g) of each policy element. To do. As a result, as shown in FIG. 13, the baseline table 226 is in a state in which a score is set for each employee and setting contents for each policy element are set.

  Next, the data processing unit 13d secures information (which may be the data of the baseline table 226 itself or the value of each field in the table) that can construct the created baseline table 226. Export to the server 60 (S16). Thereby, the security server 60 can hold the baseline table 64 in the same state as the baseline table 226 at this time.

  Next, the data processing unit 13d determines whether or not a certain time (time until the next determination target period) has elapsed (S17). If the certain period has not elapsed (S17: NO), the data processing unit 13d performs processing. Is returned to step S17. On the other hand, if the predetermined period has elapsed (S17: YES), it means that it is the time for the next security determination, and the data processing unit 13d advances the process to step S18.

  In step S18, the first determination unit 13a executes behavior anomaly detection type analysis processing to determine the first type score of each employee, and the second determination unit 13b executes weighting type analysis processing, The second type score of the employee is determined, and the determination unit 13c determines an integrated score of each employee based on the first type score and the second type score, and determines the integrated score of each employee in the integrated score table 231. Stored in the entry score 231b.

  Next, the determination unit 13c sets (reflects) the value (integrated score) of each employee's score 231b in the integrated score table 231 in the score 226b of each entry in the baseline table 226 (S19). Next, the determination unit 13c refers to the policy rule table 230, determines the setting contents of each policy element for each employee based on the integrated score 231b, and sets the determined setting contents in the field of each policy element. (226c to 226g) (S20). As a result, the baseline table 226 is updated to the setting contents of each policy element corresponding to the newly determined integrated score.

  Next, the data processing unit 13d exports the information capable of constructing the created baseline table 226 to the security server 60 (S22), and advances the processing to step S18. Thereby, the security server 60 can hold the baseline table 64 having the same contents as the baseline table 226 at this time. As a result, the security server 60 can appropriately perform the security setting in each client terminal 70 in accordance with the new setting contents of each policy element in the baseline table 64. For this reason, the administrator of the security server 60 does not need to perform a process of changing the security setting or the like on the security server 60 side.

  FIG. 18 is a flowchart of security information display processing according to an embodiment.

  The security information display process is executed, for example, when the data processing unit 13d of the management server 10 receives a security information screen display request from the security server 60.

  When the data processing unit 13d receives the display request for the security information screen, the data processing unit 13d refers to the integrated score table 231 and identifies an employee with a score equal to or higher than a predetermined threshold as a person to be monitored (S31). Next, the data processing unit 13d identifies the monitoring target person instructed from the security server 60 (S32).

  Next, the data processing unit 13d sorts the ranks of the employees based on the scores of the score 228g in the employee-specific score table 228, and ranks (ranks) the top ranks (for example, the top 50) from the results. A list of superiors including a score and an employee number is created, and an employee whose monitoring flag 228f of the employee-specific score table 228 is “1” is extracted, and the rank (rank) of the extracted employee is determined. The monitoring target person list including the score and the employee number is created, and the security information screen 250 including these (see FIG. 19) is transmitted to the security server 60 (S33). Thereby, in the security server 60, the security information screen 250 is displayed, and the administrator can specify the score of the person to be monitored or the employee whose score is higher.

  Next, the security information screen will be described.

  FIG. 19 is a diagram illustrating a security information screen according to an embodiment.

  The security information screen 100 includes a superior list display area 110 where the score displays a superior list, and a monitoring target list display area 120 so as to display a list of persons requiring monitoring. In the list of the superior list display area 110, the data processing unit 13d sorts the ranks of each employee based on the scores of the score 228g of the employee-specific score table 228. Name) is created by including a rank, a score, and an employee number.

  In the supervisor list table in the supervisor list display area 120, the data processing unit 13d extracts employees whose monitoring flag 228f in the employee-specific score table 228 has a monitoring flag “1”. (Rank), score, and employee number.

  In the present embodiment, when an employee number is pressed in the superior list or the monitoring target person list, the data processing unit 13d causes the personal details window 150 including personal detailed information regarding the employee corresponding to the pressed employee number. Is displayed. In the personal details window 150, for example, personal information of the employee, information regarding the set policy, a list of logs regarding the operation of the employee, and the like are displayed. According to this security information screen 100, it is possible to easily grasp the superior score person and the monitoring target person, and by displaying the personal details window 150, it is possible to grasp the detailed information of each employee.

  As described above, according to the present embodiment, based on the first type score determined by executing the behavior anomaly detection type analysis process and the second type score obtained by executing the weight type analysis process, Since the integrated score indicating the employee's security risk is determined, the employee's security fraud can be evaluated appropriately.

  In addition, this invention is not limited to the above-mentioned embodiment, In the range which does not deviate from the meaning of this invention, it can change suitably and can implement.

  For example, in the above embodiment, in the management system 2, the management server 10, the DB server 20, and the log collection server 30 are configured separately, but any one of these is configured on the same device. You may make it comprise. For example, the function of the DB server 20 may be included in the management server 10. A part of information such as a table managed by the DB server 20 may be managed by another device, the management server 10 or the log collection server 30.

  Further, in the above embodiment, part or all of the processing performed by the processor may be performed by a hardware circuit. In addition, the program in the above embodiment may be installed from a program source. The program source may be a program distribution server or a storage medium (for example, a portable and non-volatile storage medium).

DESCRIPTION OF SYMBOLS 1 ... Computer system, 2 ... Management system, 3 ... Customer system, 10 ... Management server, 11 ... Input part, 12 ... Memory | storage part, 13 ... Processor, 13a ... 1st analysis part, 13b ... 2nd analysis part, 13c ... Determination unit, 13d ... data processing unit, 20 ... DB server, 30 ... log collection server, 40 ... network, 50 ... log relay server, 60 ... security server, 70 ... client terminal

Claims (8)

A security management server for managing security in a user system having a plurality of client terminals,
A log acquisition unit for acquiring a plurality of types of logs of each user using the client terminal;
Based on the plurality of types of logs, the average number of operations per user, which is the average number of operations of each of the plurality of types of operations in a predetermined period within the target period for each user, is totalized, and the number of operations in the predetermined period An average operation count by type, which is an average operation count of each of a plurality of types of operations for a plurality of users corresponding to the security policy set for the user, is calculated, and the average operation count by type and the average operation for each user are calculated. A first type score analysis unit that analyzes a first type score for security fraud of each user based on the number of times;
A second type score analysis unit that analyzes a second type score for security fraud of each user based on the number of appearances of a predetermined keyword for judging fraud in the target period based on the plurality of types of logs When,
A score integration unit for determining a score relating to security fraud for each user based on the first type score and the second type score for each user;
A security management server comprising a storage control unit that stores the determined score in association with a user The security management server according to claim 1, further comprising an information output unit that outputs information related to the score associated with the user. The security management server according to claim 1, further comprising a policy element setting determination unit that determines setting of a policy element included in a security policy in a security server that manages security in the user system based on the score. . The security management server according to claim 3, further comprising a policy element setting transmission unit configured to transmit a setting of a policy element included in the determined security policy to the security server. A policy rule storage control unit that stores threshold information regarding a score for determining a setting of a policy element included in the security policy;
The security management server according to claim 3 or 4, wherein the policy element setting determination unit determines setting of a policy element based on the threshold information. The security management server according to claim 5, further comprising a threshold information receiving unit that receives input of threshold information related to the score. A security management method by a security management server for managing security in a user system having a plurality of client terminals,
It is a plurality of types of logs of each user using the client terminal, and acquires a plurality of types of logs managed by a plurality of devices,
Based on the plurality of types of logs, the average number of operations per user, which is the average number of operations of each of the plurality of types of operations in a predetermined period within the target period for each user, is totalized, and the number of operations in the predetermined period An average operation count by type, which is an average operation count of each of a plurality of types of operations for a plurality of users corresponding to the security policy set for the user, is calculated, and the average operation count by type and the average operation for each user are calculated. Based on the number of times, analyze the first type score for each user's security fraud,
Based on the plurality of types of logs, the second type score for security fraud of each user is analyzed based on the number of appearances of a predetermined keyword for judging fraud in the target period,
Based on the first type score and the second type score for each user, a score for security fraud for each user is determined,
A security management method for storing the determined score in a storage unit in association with a user. A security management program for causing a computer configuring a security management server to manage security in a user system having a plurality of client terminals,
The computer,
A log acquisition unit for acquiring a plurality of types of logs managed by a plurality of devices, which are a plurality of types of logs for each user using the client terminal;
Based on the plurality of types of logs, the average number of operations per user, which is the average number of operations of each of the plurality of types of operations in a predetermined period within the target period for each user, is totalized, and the number of operations in the predetermined period An average operation count by type, which is an average operation count of each of a plurality of types of operations for a plurality of users corresponding to the security policy set for the user, is calculated, and the average operation count by type and the average operation for each user are calculated. A first type score analysis unit that analyzes a first type score for security fraud of each user based on the number of times;
A second type score analysis unit that analyzes a second type score for security fraud of each user based on the number of appearances of a predetermined keyword for judging fraud in the target period based on the plurality of types of logs When,
A score integration unit for determining a score relating to security fraud for each user based on the first type score and the second type score for each user;
A security management program that functions as a storage control unit that stores the determined score in association with a user.