JP2022079717A - Information processing device, information processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it easier to draw up a plan on how to deal with security risks.

SOLUTION: An information processing method disclosed herein is designed to be implemented by an information processing device managing a first terminal, and comprises storing risk information including security risks and handling methods therefor, and identifying that a first handling method associated with a first security risk included in the risk information is applicable to the first terminal.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2022,JPO&INPIT

Description

The present invention relates to an information processing apparatus, an information processing method, and a program.

Terminals on the network have security risks such as vulnerabilities in hardware and software and threats caused by external attacks. Security risks generally have multiple addresses.

However, measures other than patch application for vulnerabilities cannot be applied to all terminals because communication restrictions, setting changes, etc. differ for each terminal. Therefore, when dealing with a large number of terminals, it is costly to plan the dealings.

Therefore, recently, an invention has been proposed to support the planning of countermeasures (responses) to the security risks existing in each terminal. For example, Patent Document 1 analyzes security risks based on the state of the operating system, considers various restrictions that occur in the operating system from candidate measures for reducing the security risks, and is optimal. Inventions that present countermeasures are disclosed.

Japanese Patent No. 5304243

As described above, the invention disclosed in Patent Document 1 presents an optimum countermeasure method when a security risk exists in a terminal. However, since the impact on the terminal and system by applying the presented countermeasures is unknown, should the security administrator apply the presented countermeasures immediately, or if multiple countermeasures are presented? In addition, it was not possible to determine which was the best solution. Therefore, it has been difficult for the security manager to formulate a countermeasure against the security risk.

An object of the present invention is to provide a technique capable of solving the above-mentioned problems.

According to one aspect of the present invention, the information processing apparatus is
A selection reception unit that accepts an input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to terminals having a security risk.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, An operation information identification unit that specifies the type of operation information corresponding to the measures applicable to the terminal, and
An operation information acquisition unit that acquires the type of operation information specified by the operation information identification unit among the operation information of the terminal, and an operation information acquisition unit.
Based on the terminal-specific handling information, when the handling received by the selection reception unit is applied, the remaining terminal specifying unit that identifies the remaining terminal that is the terminal for which the security risk remains, and the remaining terminal specifying unit.
A prediction unit that predicts the number of remaining terminals at a future time based on the operation information acquired by the operation information acquisition unit.
A presentation unit that presents the prediction result predicted by the prediction unit, and a presentation unit.
To prepare for.

According to one aspect of the present invention, the information processing method is
It is an information processing method performed by an information processing device.
A step that accepts an input indicating that at least one action has been selected from multiple actions applicable to terminals with security risks.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, A step to identify the type of operation information corresponding to the countermeasure applicable to the terminal, and
The step of acquiring the operation information of the specified type among the operation information of the terminal, and
Based on the terminal-specific countermeasure information, the step of identifying the remaining terminal, which is the terminal on which the security risk remains when the accepted countermeasure is applied, and
A prediction step for predicting the number of the remaining terminals in the future time based on the acquired operation information,
A presentation step for presenting the predicted prediction result and
including.

According to one aspect of the invention, the program
On the computer
A procedure for accepting input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to a terminal having a security risk, and a procedure for accepting an input indicating that at least one countermeasure has been selected.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, A procedure for identifying the type of operation information corresponding to the countermeasure applicable to the terminal, and
The procedure for acquiring the specified type of operation information among the operation information of the terminal, and
Based on the terminal-specific countermeasure information, the procedure for identifying the remaining terminal, which is the terminal for which the security risk remains when the accepted countermeasure is applied, and the procedure.
A prediction procedure for predicting the number of the remaining terminals in the future time based on the acquired operation information, and
The presentation procedure for presenting the predicted prediction result and the presentation procedure.
It is a program to execute.

According to the present invention, a security manager can easily plan a countermeasure against a security risk.

It is a figure which conceptually shows the processing structure of the information processing apparatus which concerns on Embodiment 1. FIG. It is a figure which shows an example of the screen generated by the information processing apparatus which concerns on Embodiment 1. FIG. It is a figure which shows an example of the coping information for each terminal which concerns on Embodiments 1 and 2. It is a figure which shows an example of the definition information which concerns on Embodiments 1 and 2. It is a figure which shows an example of the operation information which concerns on Embodiments 1 and 2. It is a figure which shows an example of the prediction result predicted by the prediction unit which concerns on Embodiment 1. FIG. It is a figure which shows an example of the screen which the presentation part which concerns on Embodiment 1 presents. It is a figure which shows the other example of the screen which the presentation part which concerns on Embodiment 1 presents. It is a figure which conceptually shows the hardware composition of the information processing apparatus which concerns on Embodiment 1. FIG. It is a flowchart which shows the flow of processing of the information processing apparatus which concerns on Embodiment 1. It is a figure which conceptually shows the system structure of the information processing system which concerns on Embodiment 2. It is a figure which shows an example of the terminal information acquired by the information acquisition part which concerns on Embodiment 2. FIG. It is a figure which shows an example of the classification information stored in the classification information storage part which concerns on Embodiment 2. FIG. It is a figure which shows an example of the screen generated by the display processing unit which concerns on Embodiment 2. FIG. It is a figure which shows an example of the prediction result predicted by the prediction unit which concerns on Embodiment 2. FIG. It is a figure which shows an example of the screen which the presentation part which concerns on Embodiment 2 presents. It is a figure which shows the other example of the screen which the presentation part which concerns on Embodiment 2 presents. It is a flowchart which shows the flow of processing of the information processing apparatus which concerns on Embodiment 2.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. In all the drawings, similar components are designated by the same reference numerals, and the description thereof will be omitted as appropriate.

[Embodiment 1]
[Processing configuration]
FIG. 1 is a diagram conceptually showing a processing configuration of the information processing apparatus 10 according to the first embodiment of the present invention. As shown in FIG. 1, the information processing apparatus 10 according to the first embodiment has a selection reception unit 110, an operation information identification unit 120, an operation information acquisition unit 130, a remaining terminal identification unit 140, a prediction unit 150, and a presentation unit. A unit 160 is provided.

The selection reception unit 110 receives an input indicating that at least one countermeasure is selected from a plurality of countermeasures applicable to the managed terminal having a security risk. Here, the security risk includes a vulnerability existing in the managed terminal or a threat caused by an external attack on the managed terminal. The managed terminal is a terminal that is connected to the information processing device 10 via a network and whose security status is monitored. Managed terminals are not limited to communication devices such as client terminals, servers, switches and routers on the network, but also anything that has a function to connect to the network and a means to communicate via the network (so-called IoT (Internet of Things)). (Included). In addition, countermeasures are measures to eliminate, avoid, or reduce vulnerabilities and threats, and applicable countermeasures are measures that can be taken on managed terminals among the measures against vulnerabilities and threats. Say. The selection reception unit 110 accepts selection input for dealing with a security risk (here, vulnerability A) via a screen as shown in FIG. 2, for example.

FIG. 2 is a diagram showing an example of a screen generated by the information processing device 10 and displayed on a display device (not shown) connected to the information processing device 10. Note that FIG. 2 is an example of a screen when the security risk is vulnerability A. On the screen of FIG. 2, the number of managed terminals with vulnerability A (“risk”) and the number of residual risks after countermeasures (managed terminals with vulnerability A remaining) if each countermeasure is tentatively executed. (“Residual risk after countermeasures”), predicted value of residual risk at future time (here, one week later) (“predicted residual risk”), and countermeasures for vulnerability A (“Countermeasure (1)”, “Countermeasure (2)” and “Countermeasure (3)”) are displayed in association with each other. The number in parentheses in the column of each action indicates the number of managed terminals to which the action corresponding to that column can be applied. On the screen of FIG. 2, an outline of the vulnerability A and the contents of each countermeasure against the vulnerability A are also displayed. In the screen example of FIG. 2, out of 90 managed terminals having vulnerability A, 28 managed terminals to which "countermeasure (1)" can be applied, and "countermeasure (2)" can be applied. It shows that there are 69 managed terminals and 15 managed terminals to which "Countermeasure (3)" can be applied. The value obtained by adding up the number of terminals for each countermeasure is different from the number of terminals (90) as a parameter because there are managed terminals to which a plurality of countermeasures can be applied. Also, on the screen of FIG. 2, clicking the downward black triangle of "Predicted value of residual risk" will show a dropdown showing the future time that can be selected (for example, immediate, next day, one week, one month, etc.). A list is displayed. When a future time is selected from the drop-down list, the predicted value of the residual risk is displayed with the predicted value at the selected future time (here, one week later).

The screen of FIG. 2 is generated by the information processing apparatus 10 based on information (terminal-specific countermeasure information) indicating measures applicable to each managed terminal for vulnerability A, as shown in FIG. 3, for example. To. FIG. 3 is a diagram showing an example of countermeasure information for each terminal. Note that FIG. 3 is an example of countermeasure information for each terminal when the security risk is vulnerability A. The terminal-specific handling information includes terminal identification information (for example, a MAC (Media Access Control) address) that identifies each managed terminal, and information indicating a handling applicable to each managed terminal. The terminal-specific handling information is generated by investigating the managed terminal in advance based on information (risk information) indicating security risks and countermeasures provided by each vendor, for example, and is a predetermined storage unit (predetermined storage unit). Stored in (not shown). In the example of FIG. 3, for the vulnerability A, "countermeasure (1)" and "countermeasure (3)" can be applied to the terminal A, and "countermeasure (2)" can be applied to the terminal B. "Countermeasure (3)" can be applied to the terminal C. The storage unit for storing the terminal-specific handling information as shown in FIG. 3 may be provided in the information processing device 10, or may be stored in another device communicably connected to the information processing device 10. Is also good.

When the remaining terminal specifying unit 140 reads the terminal-specific handling information from a predetermined storage unit (not shown) and temporarily executes the handling indicated by the selection input received by the selection receiving unit 110 based on the read terminal-specific handling information. In addition, the managed terminal (hereinafter, also referred to as the remaining terminal) in which the security risk remains is specified. As described above, the terminal-specific countermeasure information is information indicating countermeasures applicable to each managed terminal for security risks, and is stored in the storage unit in the format as shown in FIG. The remaining terminal specifying unit 140 may specify the managed terminal to which the countermeasure indicated by the selection input can be applied from the correspondence relationship between the terminal identification information of the terminal-specific countermeasure information as shown in FIG. 3 and the applicable countermeasure. can. At the same time, the remaining terminal specifying unit 140 can specify the managed terminal (residual terminal) for which the security risk remains.

The operation information specifying unit 120 can be applied to a managed terminal by using the above-mentioned terminal-specific countermeasure information and definition information that defines a correspondence relationship between the type of operation information of the managed terminal and the countermeasure against a security risk. Identify the type of operation information that corresponds to the action. The operation information is information indicating the history of operations and processes actually performed on the managed terminal (operation history information), or information indicating the operations and processes scheduled to be performed on the management device (operation schedule information). Information that includes at least one. These operation information are generated in each managed terminal in response to the execution of a predetermined operation or process in each managed terminal or the input of the execution schedule of the predetermined operation or process, and are stored in the storage unit of the managed terminal. It will be remembered. Further, the "type of operation information" means the classification to which each operation information belongs. For example, specific examples of "type of operation history information" include "patch application history", "restart history", "continuous operation time", "port usage history", "process operation history", and "application usage history". And so on. Further, for example, specific examples of the "type of scheduled operation information" include "scheduled patch application date and time", "scheduled restart date and time", and "scheduled application startup date and time". However, the types of operation information are not limited to the examples given here.

The definition information is stored in a predetermined storage unit (not shown) in a format as shown in FIG. 4, for example. FIG. 4 is a diagram showing an example of definition information. Note that FIG. 4 is an example of definition information when the security risk is vulnerability A. FIG. 4 serves as a reference when deciding whether or not to apply the countermeasures (“Countermeasures (1)”, “Countermeasures (2)”, and “Countermeasures (3)”) for Vulnerability A. , And the type of operation information of the managed terminal are stored in association with each other. In the example of FIG. 4, "action (1)" is a measure of applying the patch AAAAA and restarting. Further, "countermeasure (2)" is a countermeasure of stopping the process ZZZZ. Further, "countermeasure (3)" is a countermeasure of blocking port 1027. The "type of operation information" corresponding to "action (1)" is "patch application history", "restart history", and "continuous operation time". Further, the "type of operation information" corresponding to the "countermeasure (2)" is the "use history of process ZZZZ". Further, the "type of operation information" corresponding to the "countermeasure (3)" is the "usage history of port 1027". The storage unit for storing the definition information as shown in FIG. 4 may be provided in the information processing device 10 or may be stored in another device communicably connected to the information processing device 10. ..

The operation information specifying unit 120 specifies applicable measures and types of operation information corresponding to each managed terminal, for example, based on the terminal-specific handling information of FIG. 3 and the definition information of FIG. Specifically, the operation information specifying unit 120 can apply "countermeasure (1)" and "countermeasure (3)" to the vulnerability A based on the countermeasure information for each terminal in FIG. Identify that. Then, based on the definition information in FIG. 4, the operation information specifying unit 120 sets the "operation information type" corresponding to "action (1"" to "patch application history", "restart history", and "continuous operation". The operation information specifying unit 120 specifies the "type of operation information" corresponding to the "action (3)" as the "usage history of port 1027" based on the definition information of FIG. Similar to the terminal A, the operation information specifying unit 120 determines the countermeasures applicable to the terminal B (only "countermeasure (2)") and the types of operation information corresponding to the countermeasures ("use history of process ZZZZ"). Identify.

The operation information acquisition unit 130 acquires the type of operation information specified by the operation information identification unit 120. The operation information acquisition unit 130 acquires the type of operation information specified by the operation information specifying unit 120 from the operation information of the managed terminal, for example, as shown below.

For example, the operation information acquisition unit 130 notifies the management target terminal of the type of operation information specified by the operation information identification unit 120, and receives the operation information of that type as a response from the management target terminal. Alternatively, the operation information acquisition unit 130 may acquire the operation information stored in the managed terminal and extract the operation information of the type specified by the operation information specifying unit 120 from the operation information. Here, the operation information acquisition unit 130 may acquire necessary operation information from all the operation information stored in the managed terminal, or may acquire necessary operation information from all the operation information stored in the managed terminal, or may acquire necessary operation information for a predetermined period stored in the managed terminal (for example, one). You may acquire the necessary operation information from the operation information in (months, etc.). An example of operation information is information on the history of operations performed within a predetermined period in the past (for example, for the past month), that is, information on restarts performed in the past and information on port numbers accessed in the past. , May contain information about processes that have been executed in the past. Another example of operational information is information about upcoming operations scheduled for a given period in the future (for example, one month in the future), that is, information about upcoming restarts and port numbers that will be accessed in the future. May include information about, and processes that are planned to run in the future. Further, the operation information may be a combination of these. If there is a subsystem that manages the managed terminal, the future operation schedule may be acquired from there.

Specifically, the operation information acquisition unit 130 acquires operation information as shown in FIG. FIG. 5 is a diagram showing an example of operation information acquired by the operation information acquisition unit 130. Note that FIG. 5 is an example of operation information when the security risk is vulnerability A. Based on the type of operation information specified by the operation information specifying unit 120, the operation information acquisition unit 130 has "patch application history", "restart history", and "reaction history" for "action (1)" applicable to the terminal A. And, the operation information of "continuous operation time" is acquired from the terminal A. Further, the operation information acquisition unit 130 uses the operation information of the "port 1027 usage history" for the "action (3)" applicable to the terminal A based on the type of operation information specified by the operation information identification unit 120. Is obtained from the terminal A. Similar to the terminal A, the operation information acquisition unit 130 acquires the operation information of the “process ZZZZ usage history” from the terminal B for the “action (2)” applicable to the terminal B. If the operation information is related to the past operation history, the date of the operation information is in the past. If the operation information relates to a future operation schedule, the date of the operation information will be in the future.

The prediction unit 150 predicts the number of managed terminals (remaining terminals) for which security risk remains at a future time based on the operation information acquired by the operation information acquisition unit 130. For example, according to the operation information shown in FIG. 5, the prediction unit 150 can make the following predictions for the terminal A (here, the prediction unit 150 can make the operation information of FIG. 5 in May 2015. It is assumed that it has been confirmed as of Wednesday, 27th). The prediction unit 150 can determine the execution timing of the periodic restart by referring to the "restart history" associated with the "action (1)". Along with the "Restart history" column or in place of the "Restart history" column, a "Restart schedule" column is provided, and information on future restart plans is stored in the "Restart schedule" column. If so, the restart execution timing can be determined by referring to "Restart Schedule". For example, the restart schedule closest to the scheduled date and time may be predicted or determined to be the execution timing of the restart. Further, the prediction unit 150 can determine the periodic patch application timing by referring to the "patch application history" associated with the "action (1)". Specifically, it can be read that the patch is periodically applied to the terminal A every Thursday morning and the terminal A is restarted. From here, the prediction unit 150 sets the application timing of "Countermeasure (1)", that is, the timing of applying the patch AAAA and restarting, to "next Thursday morning", that is, "May 28, 2015". It can be predicted that "Thursday morning". This is because, according to the past restart history, three of the past three restarts were performed at 10 o'clock on Thursday, so based on this periodicity, the next restart will also be at 10 o'clock on Thursday. Because it can be predicted. In another method, the number of restarts may be aggregated for each day of the week, and it may be predicted that the restarts are likely to occur in descending order of the aggregated number. Further, the prediction unit 150 can determine the usage history of the port 1027 by referring to the "usage history of the port 1027" associated with the "action (3)". Specifically, it can be read that the terminal A is using the port 1027 for two consecutive days, the day before the previous day and the day before. In this way, when a plurality of usage date and time information is stored in the "usage history of port 1027", the prediction unit 150 determines that the port 1027 may be used in the future, and "takes action ( The application timing of "3)", that is, the timing of blocking the port 1027 may be set as the timing after a predetermined number of days set longer has elapsed. Alternatively, the prediction unit 150 may determine that the "countermeasure (3)" is excluded from the target of the date and time prediction for the terminal A, that is, the "countermeasure (3)" is not applied to the terminal A. In the first embodiment, as in the former case, the prediction unit 150 sets the timing of blocking the port 1027 to a timing after a predetermined number of days set longer has elapsed, for example, "2015 6" one week later. It is expected to be "Wednesday, March 3". The number of days to be set as the above-mentioned predetermined number of days may be a predetermined number of days. In this way, by referring to the operation information corresponding to the countermeasure, the prediction unit 150 can easily predict the timing of executing the countermeasure.

As described above, the prediction unit 150 predicts the application timing to which the applicable countermeasures are applied to the managed terminals other than the residual terminals specified by the residual terminal identification unit 140. Specifically, the prediction unit 150 identifies applicable countermeasures for each managed terminal other than the remaining terminals based on the terminal-specific countermeasure information of FIG. 3, and is applicable based on the operation information of FIG. Predict the timing of application of countermeasures. It is assumed that the prediction unit 150 takes applicable measures at the predicted application timing for each managed terminal other than the remaining terminals, and the vulnerability A disappears. For example, for terminal A, as described above, the application timing of "countermeasure (1)" is predicted to be "in the morning of May 28, 2015 (Thursday)", and the application timing of "countermeasure (3)" is set. It is predicted to be "Wednesday, June 3, 2015". Therefore, the prediction unit 150 assumes that the vulnerability A disappears in the earlier terminal A "in the morning of May 28, 2015 (Thursday)". According to such an assumption, the prediction unit 150 determines each future time (for example, immediate, next day, one week later) in chronological order until the future time when the number of remaining terminals becomes a predetermined number (for example, 0) or less. For each (one month later, etc.), the number of managed terminals (residual terminals) for which vulnerability A remains at that time is totaled, and this aggregated value is the number of residual risks (managed terminals with remaining vulnerability A). It is the predicted value of. FIG. 6 is a diagram showing an example of the prediction result predicted by the prediction unit 150. Note that FIG. 6 is an example of the prediction result when the security risk is vulnerability A. The prediction result of FIG. 6 is a prediction result when the selection reception unit 110 receives an input indicating that "countermeasure (1)", "countermeasure (2)", and "countermeasure (3)" are selected. be. The example of FIG. 6 is an example in the case where the predetermined number is 0, and the prediction unit 150 determines the remaining terminals in chronological order until "three months later" when the number of remaining terminals becomes 0 or less. I'm predicting the number. Specifically, in the example of FIG. 6, the number of remaining terminals becomes 22 "after immediate execution", 13 "next day", 6 "one week later", and "1". It is predicted that the number will be two in "months later" and zero in "three months later".

The presentation unit 160 presents the prediction result predicted by the prediction unit 150 to, for example, a display device (not shown) connected to the information processing device 10. For example, as shown in FIG. 7, the presentation unit 160 aggregates the prediction result (“residual risk prediction value”) predicted by the prediction unit 150 and the number of remaining terminals specified by the residual terminal identification unit 140 (“remaining risk prediction value”). "Residual risk after coping") is reflected in the screen of FIG. FIG. 7 is a diagram showing an example of a screen presented by the presentation unit 160. Note that FIG. 7 is an example of a screen when the security risk is vulnerability A. FIG. 7 illustrates a screen when all of “Countermeasure (1)”, “Countermeasure (2)”, and “Countermeasure (3)” are selected on the screen of FIG. On the screen of FIG. 7, "one week later" is selected in the drop-down list of "predicted value of residual risk". Therefore, the "predicted value of residual risk" in "one week later" is displayed. However, when another future time is selected, the "predicted value of residual risk" at the selected future time (for example, "next day") is displayed. As described above, when the countermeasure for the security risk is selected on the screen presented by the information processing apparatus 10, the result of the provisional execution of the countermeasure is reflected on the screen.

Alternatively, instead of the screen of FIG. 7, the presentation unit 160 displays a screen showing a graph in which the “predicted value of residual risk” at each future time is graphed in chronological order, as shown in FIG. May be. FIG. 8 is a diagram showing another example of the screen presented by the presentation unit 160. Note that FIG. 8 is an example of a screen when the security risk is vulnerability A. Further, FIG. 8 also displays the number of residual risks at the present time (managed terminals with remaining vulnerability A), but it is not particularly limited whether or not to display the number of residual risks at the present time.

[Hardware configuration]
FIG. 9 is a diagram conceptually showing the hardware configuration of the information processing apparatus 10 according to the first embodiment. As shown in FIG. 9, the information processing apparatus 10 according to the first embodiment includes a processor 101, a memory 102, a storage 103, an input / output interface (input / output I / F) 1004, and a communication interface (communication I / F). ) 105 and the like. The processor 101, the memory 102, the storage 103, the input / output interface 104, and the communication interface 105 are connected by a data transmission line for transmitting and receiving data to and from each other.

The processor 101 is, for example, an arithmetic processing unit such as a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit). The memory 102 is, for example, a memory such as a RAM (Random Access Memory) or a ROM (Read Only Memory). The storage 103 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a memory card. Further, the storage 103 may be a memory such as a RAM or a ROM.

The storage 103 functions as each processing unit (selection reception unit 110, operation information identification unit 120, operation information acquisition unit 130, remaining terminal identification unit 140, prediction unit 150, presentation unit 160, etc.) included in the information processing device 10. I remember the program to be realized. The processor 101 realizes the function of each processing unit by executing each of these programs. Here, when executing each of the above programs, the processor 101 may read these programs onto the memory 102 and then execute the programs, or the processor 101 may execute the programs without reading them onto the memory 102.

The input / output interface 104 is connected to a display device 1041 or an input device 1042. The display device 1041 is a device such as an LCD (Liquid Crystal Display) or a CRT (Cathode Ray Tube) display that displays a screen corresponding to drawing data processed by the processor 101. The input device 1042 is a device that receives an operator's operation input, and is, for example, a keyboard, a mouse, a touch sensor, and the like. The display device 1041 and the input device 1042 may be integrated and realized as a touch panel.

The communication interface 105 transmits / receives data to / from an external device. For example, the communication interface 105 communicates with an external device via a wired network or a wireless network.

The hardware configuration of the information processing apparatus 10 is not limited to the configuration shown in FIG.

[Operation example]
An operation example of the information processing apparatus 10 according to the first embodiment will be described with reference to FIG. FIG. 10 is a flowchart showing a processing flow of the information processing apparatus 10 according to the first embodiment. The following describes an operation example when the security risk is vulnerability A.

First, the selection reception unit 110 accepts the input of the security administrator via the screen as shown in FIG. 2 (S101). The input of the security administrator is an input for selecting at least one countermeasure among a plurality of countermeasures for the vulnerability A presented on the screen.

Next, the remaining terminal specifying unit 140 refers to the storage unit that stores the terminal-specific handling information, using the response indicated by the input received by the selection receiving unit 110 as a key, and identifies the remaining terminal in which the vulnerability A remains (S102). ). For example, it is assumed that the storage unit stores the countermeasure information for each terminal shown in FIG. 3, and the selection reception unit 110 receives an input indicating that "countermeasure (1)" is selected. In this case, the remaining terminal specifying unit 140 specifies at least "terminal B" and "terminal C" as terminals (residual terminals) to which "countermeasure (1)" cannot be applied.

Next, the operation information specifying unit 120 specifies the type of operation information corresponding to the countermeasure applicable to the managed terminal (S103), and the operation information acquisition unit 130 is the operation of the type specified by the operation information specifying unit 120. Information is acquired from the managed terminal (S104). For example, it is assumed that the storage unit has the terminal-specific handling information of FIG. 3 and the definition information of FIG. In this case, the operation information specifying unit 120 can apply "countermeasure (1)" and "countermeasure (3)" to the terminal A, and the type of operation information corresponding to "countermeasure (1)" is "Patch application history", "restart history", and "continuous operation time", and the type of operation information corresponding to "action (3)" is "port 1027 usage history". Identify. Therefore, for the terminal A, the operation information acquisition unit 130 obtains the "patch application history", the "restart history", the "continuous operation time", and the "usage history of the port 1027" from the operation information of the terminal A. get.

Next, the prediction unit 150 predicts the number of remaining terminals in the future time based on the operation information acquired by the operation information acquisition unit 130 (S105). For example, it is assumed that the storage unit stores the terminal-specific handling information of FIG. 3, and the operation information acquisition unit 130 acquires the operation information of FIG. In this case, the prediction unit 150 identifies applicable countermeasures for the managed terminals other than the residual terminals specified by the residual terminal identification unit 140 based on the terminal-specific countermeasure information of FIG. 3, and obtains the operation information of FIG. Based on this, the application timing of the applicable countermeasure is predicted, and the number of remaining terminals at that time is totaled for each future time to obtain the prediction result as shown in FIG.
After that, the presentation unit 160 presents the prediction result predicted by the prediction unit 150 (S106). As shown in FIG. 7, the presentation unit 160 may present a screen that reflects the prediction result on the screen of FIG. 2, or the prediction result is graphed in chronological order as shown in FIG. You may present the screen of the graph.

[Action and effect of Embodiment 1]
As described above, according to the first embodiment, the number of remaining terminals (residual risk) when the selected countermeasure is tentatively executed in the future time is predicted, and the prediction result is presented. The security administrator who sees this presentation can understand which of the multiple measures should be taken to determine how many remaining terminals will remain in the future time. This allows the security administrator to determine whether the suggested action should be applied immediately, and if multiple actions are offered, which is the best action. That is, according to the first embodiment, the security manager can easily plan a countermeasure against a security risk.

[Embodiment 2]
The second embodiment is a more specific version of the first embodiment.

[System configuration]
FIG. 11 is a diagram conceptually showing the system configuration of the information processing system 1 according to the second embodiment. As shown in FIG. 11, the information processing system 1 according to the second embodiment includes an information processing device 10, an administrator terminal 20, and a managed terminal 30. The administrator terminal 20 is a terminal operated by a security administrator, such as a stationary PC (Personal Computer) or a tablet terminal. The managed terminal 30 is not limited to communication devices such as client terminals, servers, switches and routers on the network, but also anything having a function for connecting to the network and a means for communicating via the network (so-called IoT (Internet of Things)). Included in).

[Processing configuration]
As shown in FIG. 11, the information processing apparatus 10 according to the second embodiment includes an information acquisition unit 170 instead of the operation information acquisition unit 130 of the first embodiment, and further includes a risk investigation unit 180 and a display process. A unit 190, a risk information storage unit 192, a classification information storage unit 194, and a definition information storage unit 196 are provided. The information acquisition unit 170 plays a role corresponding to the operation information acquisition unit 130, and also plays other roles described later.

The information acquisition unit 170 acquires terminal information from each of the managed terminals 30, and obtains information as shown in FIG. FIG. 12 is a diagram showing an example of terminal information acquired by the information acquisition unit 170. The terminal information includes, for example, the type of OS (Operating System) of the managed terminal 30, the version of the OS, various applications installed in the managed terminal 30, and the like. However, the terminal information is not limited to the information illustrated in FIG. The information acquisition unit 170 also performs the operation of the operation information acquisition unit 130 according to the first embodiment, that is, the operation of acquiring the operation information of the type specified by the operation information identification unit 120 from each of the managed terminals 30.

The risk investigation unit 180 investigates the managed terminal 30 having a security risk by comparing the terminal information acquired by the information acquisition unit 170 with the information on the security risk provided by each vendor and the like, and FIG. 3 shows. Generate risk information, including terminal-specific action information as shown. For example, when the security risk is Vulnerability A, the risk information may further include information such as an outline of Vulnerability A and an explanation of each countermeasure in addition to the terminal-specific countermeasure information as shown in FIG. .. The risk investigation unit 180 stores the generated risk information in the risk information storage unit 192.

The display processing unit 190 uses the risk information stored in the risk information storage unit 192 to generate a screen to be displayed on the display unit (not shown) of the administrator terminal 20 and outputs the screen to the administrator terminal 20. In the second embodiment, the display processing unit 190 uses the classification information of the classification information storage unit 194 as shown in FIG. 13, for example, to display a terminal having the vulnerability A as shown in FIG. Generate a screen to classify and display. By using the classification information, the tendency of the remaining terminals can be determined. FIG. 13 is a diagram showing an example of classification information stored in the classification information storage unit 194, and FIG. 14 is a diagram showing an example of a screen generated by the display processing unit 190. Note that FIG. 14 is an example of a screen when the security risk is vulnerability A. In the example of FIG. 13, the classification information storage unit 194 stores terminal identification information (for example, MAC address, etc.) for identifying each managed terminal and two types of classification information (terminal type, priority) in association with each other. is doing. Specifically, the managed terminal 30 is first classified into a "server" and a "client", and further, the managed terminal 30 belonging to the "client" is classified according to the degree of priority. The display processing unit 190 uses the classification information shown in FIG. 13 to classify the managed terminal 30 as shown in FIG. 14 (“server” or “client”, or if it is a “client”, its priority). A screen to be displayed is generated by "large / medium / small"), and is displayed on the display unit (not shown) of the administrator terminal 20.

The security administrator confirms the screen displayed on the administrator terminal 20 (for example, the screen of FIG. 14), and inputs the selection of the countermeasure to be applied to the vulnerability A. The result input here is transmitted to the selection reception unit 110. The selection reception unit 110 accepts the selection input for each classification via the screen as shown in FIG. 14, and the remaining terminal identification unit 140 takes measures selected for each classification based on the selection input for each classification. The remaining terminals when executed are specified for each classification. Further, the prediction unit 150 predicts the number of remaining terminals in the future time for each classification when the countermeasure selected for each classification is tentatively executed. At this time, the prediction unit 150 makes a prediction as shown in FIG. 15, for example. FIG. 15 is a diagram showing an example of the prediction result predicted by the prediction unit 150. Note that FIG. 15 is an example of the prediction result when the security risk is vulnerability A. As for the prediction result of FIG. 15, the selection reception unit 110 selects "action (1)", "action (2)", and "action (3)" for the "server", and selects "action (3)" for the "client". It is a prediction result when the input indicating that "countermeasure (1)" and "countermeasure (2)" are selected is accepted in all of the priority "large", "medium", and "small". The example of FIG. 15 is an example when the predetermined number is 0, and the prediction unit 150 remains in chronological order until "three months later" when the total number of remaining terminals becomes 0 or less. Predicting the number of terminals. Specifically, in the example of FIG. 15, the total number of remaining terminals is 22 "after immediate execution", 13 "next day", and 6 "one week later". It is predicted that the number will be 2 in "1 month" and 0 in "3 months".

Then, as shown in FIG. 16, for example, the presentation unit 160 includes the number of remaining terminals for each classification, the total number of remaining terminals (“residual risk after coping”), and the remaining terminals at the future time for each classification. A screen for displaying the predicted value of the number and the predicted value of the total number of remaining terminals (residual risk predicted value) is presented. FIG. 16 is a diagram showing an example of a screen presented by the presentation unit 160. Note that FIG. 16 is an example of a screen when the security risk is vulnerability A. On the screen of FIG. 16, the numbers in parentheses in the column of each countermeasure indicate the number of managed terminals 30 for which vulnerability A disappears if the countermeasure corresponding to that column is tentatively executed. , Varies according to other coping options. For example, for a "client" with a priority of "large", the number in parentheses in the column of "action (2)" is "5" on the screen of FIG. 14, but in FIG. It is "2" on the screen. This is because if only "Countermeasure (2)" is applied independently, the number of "clients" whose priority is "Large" to eliminate vulnerability A is 5, but "Countermeasure (1)" and "Countermeasure". When "(2)" is applied together, 3 out of 5 units will have the vulnerability A eliminated by applying "Countermeasure (1)", and the remaining 2 units will be applied by applying "Countermeasure (2)". It means that the vulnerability A will disappear.

Alternatively, instead of the screen of FIG. 16, the presentation unit 160 is a screen showing a graph in which the “predicted value of residual risk” for each classification at each future time is graphed in chronological order, as shown in FIG. May be displayed. FIG. 17 is a diagram showing another example of the screen presented by the presentation unit 160. FIG. 17 is a diagram showing another example of the screen presented by the presentation unit 160. Note that FIG. 17 is an example of a screen when the security risk is vulnerability A. Further, FIG. 17 also displays the number of residual risks at the present time (managed terminals with remaining vulnerability A), but it is not particularly limited whether or not to display the number of residual risks at the present time.

The screen of FIG. 16 or FIG. 17 presented by the presentation unit 160 is output to the administrator terminal 20 by the display processing unit 190 and displayed on the display unit (not shown) of the administrator terminal 20.

The definition information storage unit 196 stores definition information (for example, definition information in FIG. 4) that defines a correspondence relationship between the type of operation information of the managed terminal 30 and the response to a security risk. The definition information may be distributed, for example, from the server device (not shown) to the information processing device 10. The operation information specifying unit 120 specifies the type of operation information by using the definition information stored in the definition information storage unit 196.

[Hardware configuration]
The information processing apparatus 10 according to the second embodiment has the same hardware configuration as that of the first embodiment. The storage 103 further stores a program that realizes the functions of each processing unit (information acquisition unit 170, risk investigation unit 180, and display processing unit 190) according to the second embodiment, and the processor 101 further stores these programs. By executing the above, each processing unit according to the second embodiment is realized. The memory 102 and the storage 103 also serve as a risk information storage unit 192, a classification information storage unit 194, and a definition information storage unit 196.

[Operation example]
An operation example of the information processing apparatus 10 according to the second embodiment will be described with reference to FIG. FIG. 18 is a flowchart showing a processing flow of the information processing apparatus 10 according to the second embodiment. The following describes an operation example when the security risk is vulnerability A.

The information acquisition unit 170 acquires terminal information of each management target terminal 30 in response to a screen display request from the administrator terminal 20, for example (S201). Then, the risk investigation unit 180 investigates the managed terminal 30 having the vulnerability A based on the acquired terminal information of each managed terminal 30, and generates the risk information (S202). The risk investigation unit 180 compares, for example, the acquired terminal information of each managed terminal 30 with the information about the vulnerability A provided by each vendor or the like, and the managed terminal 30 having the vulnerability A and the applicable one. It is possible to specify the countermeasures. The processes of S201 and S202 may be executed in advance before receiving the screen display request from the administrator terminal 20. In this case, the following processing of S203 is executed in response to the screen display request from the administrator terminal 20.

The display processing unit 190 displays a screen (for example, a figure) for displaying the result of investigating a terminal having vulnerability A based on the risk information generated in S202 and the classification information stored in the classification information storage unit 194. 14 screens) are generated and displayed on the display unit (not shown) of the administrator terminal 20 (S203). The security administrator who operates the administrator terminal 20 confirms the contents of the displayed screen and performs an input operation for selecting at least one of a plurality of countermeasures. Then, the selection reception unit 110 receives information from the administrator terminal 20 indicating the action selected by the input operation on the administrator terminal 20 (S204). The remaining terminal specifying unit 140 identifies the remaining terminal for each classification based on the information indicating the countermeasure selected by the administrator terminal 20 and the countermeasure information for each terminal (S205). For example, the risk information storage unit 192 stores the terminal-specific countermeasure information shown in FIG. 3, and the selection reception unit 110 selects “countermeasure (1)” and “countermeasure (2)” for the “server”. It is assumed that the input indicating the above is accepted. In this case, the remaining terminal specifying unit 140 specifies at least "terminal C" as a terminal (residual terminal) to which neither "countermeasure (1)" nor "countermeasure (2)" can be applied.

Next, the operation information specifying unit 120 specifies the type of operation information corresponding to the measures applicable to the managed terminal 30 (S206), and the operation information acquisition unit 130 is the type specified by the operation information specifying unit 120. The operation information is acquired from the managed terminal 30 (S207). For example, it is assumed that the risk information storage unit 192 stores the terminal-specific countermeasure information of FIG. 3, and the definition information storage unit 196 stores the definition information of FIG. In this case, the operation information specifying unit 120 can apply "countermeasure (1)" and "countermeasure (3)" to the terminal A, and the type of operation information corresponding to "countermeasure (1)" is "Patch application history", "restart history", and "continuous operation time", and the type of operation information corresponding to "action (3)" is "port 1027 usage history". Identify. Therefore, for the terminal A, the operation information acquisition unit 130 obtains the "patch application history", the "restart history", the "continuous operation time", and the "usage history of the port 1027" from the operation information of the terminal A. get.

Next, the prediction unit 150 predicts the number of remaining terminals in the future time for each classification based on the operation information acquired by the operation information acquisition unit 130 (S208). For example, it is assumed that the risk information storage unit 192 stores the terminal-specific countermeasure information of FIG. 3, and the information acquisition unit 170 acquires the operation information of FIG. In this case, the prediction unit 150 identifies applicable countermeasures for the managed terminals 30 other than the residual terminals specified by the residual terminal identification unit 140 based on the terminal-specific countermeasure information of FIG. 3, and the operation information of FIG. Based on, predict the application timing of applicable measures, and total the number of remaining terminals at that time for each future time. By performing this process for each classification, the prediction result as shown in FIG. 15 is obtained.
After that, the presentation unit 160 presents the prediction result predicted by the prediction unit 150 (S209). As shown in FIG. 16, the presentation unit 160 may present a screen that reflects the prediction result on the screen of FIG. 14, or the prediction result is graphed in chronological order as shown in FIG. You may present the screen of the graph.

As described above, according to the second embodiment, the same effect as that of the first embodiment can be obtained.

Although the present invention has been described above with reference to the embodiments, the present invention is not limited to the above. Various changes that can be understood by those skilled in the art can be made to the structure and details of the present invention within the scope of the invention.

For example, in each of the above-described embodiments, a button for causing each managed terminal to take action based on the content selected on the screen may be further provided on the screen. When the button is pressed, the information processing apparatus 10 generates an instruction to cause each terminal to execute a countermeasure according to the selected content, and outputs the command to each terminal.

Further, in each of the above-described embodiments, an aspect of presenting the number of remaining terminals at a future time has been described. However, it is also possible to present an index regarding the remaining terminal. The index relating to the remaining terminals includes, for example, the ratio of the number of remaining terminals to the number of terminals having a security risk, the color corresponding to the ratio, and the like.

Further, in each of the above-described embodiments, an aspect of presenting the number of remaining terminals in the future time according to the selective input of the countermeasure against the security risk has been described. However, for example, when the number of applicable countermeasures is small, the number of remaining terminals when all the countermeasures are applied regardless of the selection input can be presented from the beginning.

Further, in each of the above-described embodiments, the terminal-specific handling information generated by investigating the managed terminal in advance is read, and the number of remaining terminals in the future time is presented based on the read terminal-specific handling information. Aspects have been described. However, it is also possible to acquire countermeasure information for each terminal by investigating the managed terminal before presenting the number of remaining terminals in the future time.

Further, in the second embodiment described above, the managed terminals are first classified into servers and clients, and the clients are further classified according to the degree of priority. However, the classification method is not limited to this, and the classification can be limited to the server and the client, or can be classified according to the priority level regardless of the server or the client. It can also be classified by other methods.

Further, in the plurality of flowcharts used in the above description, a plurality of steps (processes) are described in order, but the execution order of the steps executed in each embodiment is not limited to the order of description. In each embodiment, the order of the illustrated steps can be changed within a range that does not hinder the contents. Further, the above-described embodiments can be combined as long as the contents do not conflict with each other.

Some or all of the above embodiments may be described as in the appendix below, but are not limited to the following.
(Appendix 1)
A selection reception unit that accepts an input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to terminals having a security risk.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, An operation information identification unit that specifies the type of operation information corresponding to the measures applicable to the terminal, and
An operation information acquisition unit that acquires the type of operation information specified by the operation information identification unit among the operation information of the terminal, and an operation information acquisition unit.
Based on the terminal-specific handling information, when the handling received by the selection reception unit is applied, the remaining terminal specifying unit that identifies the remaining terminal that is the terminal for which the security risk remains, and the remaining terminal specifying unit.
A prediction unit that predicts the number of remaining terminals at a future time based on the operation information acquired by the operation information acquisition unit.
A presentation unit that presents the prediction result predicted by the prediction unit, and a presentation unit.
Information processing device equipped with.
(Appendix 2)
The prediction unit
Predict the number of the remaining terminals in the future time in chronological order,
The presentation unit is
Presenting a graph in which the number of the remaining terminals in the future time is graphed in chronological order.
The information processing apparatus according to Appendix 1.
(Appendix 3)
The prediction unit
Predict the number of remaining terminals in chronological order until a future time when the number of remaining terminals becomes a predetermined number or less.
The information processing device according to Appendix 2.
(Appendix 4)
A classification information storage unit for storing classification information for classifying the terminal is further provided.
The prediction unit
For each classification of the terminals, the number of the remaining terminals at the future time is predicted.
The information processing apparatus according to any one of Supplementary note 1 to 3.
(Appendix 5)
It is an information processing method performed by an information processing device.
A step that accepts an input indicating that at least one action has been selected from multiple actions applicable to terminals with security risks.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, A step to identify the type of operation information corresponding to the countermeasure applicable to the terminal, and
The step of acquiring the operation information of the specified type among the operation information of the terminal, and
Based on the terminal-specific countermeasure information, the step of identifying the remaining terminal, which is the terminal on which the security risk remains when the accepted countermeasure is applied, and
A prediction step for predicting the number of the remaining terminals in the future time based on the acquired operation information,
A presentation step for presenting the predicted prediction result and
Information processing methods including.
(Appendix 6)
In the prediction step,
Predict the number of the remaining terminals in the future time in chronological order,
In the presentation step,
Presenting a graph in which the number of the remaining terminals in the future time is graphed in chronological order.
The information processing method according to Appendix 5, which includes the above.
(Appendix 7)
In the prediction step,
The information processing method according to Appendix 6, wherein the number of remaining terminals is predicted in chronological order until a future time when the number of remaining terminals becomes a predetermined number or less.
(Appendix 8)
A classification information storage unit for storing classification information for classifying the terminal is further provided.
In the prediction step,
The information processing method according to any one of Supplementary note 5 to 7, which predicts the number of the remaining terminals in the future time for each classification of the terminals.
(Appendix 9)
On the computer
A procedure for accepting input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to a terminal having a security risk, and a procedure for accepting an input indicating that at least one countermeasure has been selected.
Using the terminal-specific countermeasure information indicating the countermeasures applicable to the security risk for each terminal, and the definition information defining the correspondence relationship between the type of operation information of the terminal and the countermeasure against the security risk, A procedure for identifying the type of operation information corresponding to the countermeasure applicable to the terminal, and
The procedure for acquiring the specified type of operation information among the operation information of the terminal, and
Based on the terminal-specific countermeasure information, the procedure for identifying the remaining terminal, which is the terminal for which the security risk remains when the accepted countermeasure is applied, and the procedure.
A prediction procedure for predicting the number of the remaining terminals in the future time based on the acquired operation information, and
The presentation procedure for presenting the predicted prediction result and the presentation procedure.
A program to execute.
(Appendix 10)
In the prediction procedure,
Predict the number of the remaining terminals in the future time in chronological order,
In the presentation procedure,
Presenting a graph in which the number of the remaining terminals in the future time is graphed in chronological order.
The program described in Appendix 9 including the above.
(Appendix 11)
In the prediction procedure,
The program according to Appendix 10, which predicts the number of remaining terminals in chronological order until a future time when the number of remaining terminals becomes a predetermined number or less.
(Appendix 12)
To the computer
Further execution of the procedure for storing the classification information for classifying the terminal is performed.
In the prediction procedure,
The program according to any one of Supplementary note 9 to 11, which predicts the number of the remaining terminals in the future time for each classification of the terminals.

1 Information processing system 10 Information processing device 101 Processor 102 Memory 103 Storage 104 Input / output interface 1041 Display device 1042 Input device 105 Communication interface 110 Selection reception unit 120 Operation information identification unit 130 Operation information acquisition unit 140 Remaining terminal identification unit 150 Prediction unit 160 Presentation unit 170 Information acquisition unit 180 Risk investigation unit 190 Display processing unit 192 Risk information storage unit 194 Classification information storage unit 196 Definition information storage unit 20 Administrator terminal 30 Management target terminal

Claims (13)

It is an information processing method performed by the information processing device that manages the first terminal.
Memorize risk information, including security risks and how to deal with them,
Identify that the first remedy related to the first security risk included in the risk information is applicable to the first terminal.
Information processing method. It is specified that the second countermeasure related to the first security risk is applicable to the first terminal.
The information processing method according to claim 1. The information processing device further manages the second terminal and
Identify that the first remedy is applicable to the second terminal.
The information processing method according to claim 1. The information processing device further manages the second terminal and
Identify that the first remedy is applicable to the second terminal.
The information processing method according to claim 2. It is specified that the second countermeasure included in the risk information is applicable to the second terminal.
The information processing method according to claim 4. Further memorize the operation information of the first terminal,
Based on the operation information, the timing of applying the first countermeasure is determined.
The information processing method according to claim 1. An information processing device that manages the first terminal.
A storage unit that stores risk information including security risks and countermeasures,
A specific unit that specifies that the first countermeasure related to the first security risk included in the risk information is applicable to the first terminal, and
Information processing device equipped with. The specific unit specifies that the second countermeasure related to the first security risk is applicable to the first terminal.
The information processing apparatus according to claim 7. The information processing device further manages the second terminal and
The specific unit specifies that the first countermeasure is applicable to the second terminal.
The information processing apparatus according to claim 7. The information processing device further manages the second terminal and
The specific unit specifies that the first countermeasure is applicable to the second terminal.
The information processing apparatus according to claim 8. The specific unit specifies that the second countermeasure included in the risk information is applicable to the second terminal.
The information processing apparatus according to claim 10. The storage unit further stores the operation information of the first terminal, and stores the operation information of the first terminal.
The specific unit determines the application timing of the first countermeasure based on the operation information.
The information processing apparatus according to claim 7. To the computer that manages the first terminal,
Procedures for storing risk information, including security risks and countermeasures, and
A procedure for identifying that the first countermeasure related to the first security risk included in the risk information is applicable to the first terminal, and
A program to execute.

Images