JP6933320B2 - Cybersecurity framework box - Google Patents

Description

The present invention relates to the hardware "Cyber Security Framework Box (CSF-Box)" for realizing each function including the security function defined by the Cyber Security Framework (CSF).

Recently, all devices connected to the Internet are exposed to various security risks such as information leakage due to cyber attacks and system destruction. In the United States, Presidential Decree No. 13636 was issued on February 12, 2013 to protect national security, economy, and the safety and health of citizens, and the industry to support the management of security risks in companies thereafter. A "cyber security framework" (hereinafter referred to as "CSF" in the present specification) based on a voluntary risk-based approach that summarizes standards and best practices has been formulated (Non-Patent Document 1).

The purpose of the CSF is to analyze the gap between the current state of the organization's cybersecurity risks and the goals set out as it should be, to consider necessary measures, and to raise the level of measures as an organization. These are the guidelines. Although the details of specific control measures refer to existing standards and best practices, they are necessary for taking cyber security measures, such as "covering from attack detection to countermeasures and recovery" and " It differs from conventional security standards in that it is a framework that goes into the point of "cooperation inside and outside the organization (supply chain)". In addition, CSF can be regarded as a flexible framework regardless of a specific industry or organization, but on the other hand, it is also an abstract or multifaceted writing style, so even if one function is examined, the target management There are a lot of measures. In addition, although a plurality of references for CSF subcategories are described, it is left to the side using the framework to decide which item of which standard should be adopted as a control measure (Non-Patent Document 2).

"Framework for Improving Cyber Security of Critical Infrastructure" 1.0 Edition National Institute of Standards and Technology (February 12, 2014) Information-technology Promotion Agency, Japan What is the security framework "CSF" released by the US White House? Points for corporate utilization (http://www.sbbit.jp/article/cont1/29312)

That is, the security measures required by CSF have an extremely high degree of freedom, and it is premised that they can be flexibly customized according to the environment and requirements of all users.

However, the reality is that there is a large gap between the abstractly defined CSF guidelines and the configuration of the necessary equipment and the construction of the environment on each user side. Users who do not have sufficient knowledge and human resources for server security measures cannot not only build an environment but also operate it.

On the other hand, in the case of an extremely large company, there are multiple people (departments) who have administrator authority for specific roles and functions, and even if it is theoretically possible, in reality, the security policy In many cases, it is extremely difficult to build a cross-cutting security environment in accordance with CSF due to inconsistency in realization.

As a way to improve Internet security, install a firewall or security device called UTM (Unified Threat Management), and each hardware device under the user environment (desktop PC, notebook PC, tablet, personal digital assistant, other peripheral devices, etc.) Measures such as installing security software products on the PC are known, but they only realize a small part of the matters stipulated by the CSF such as "detection and removal of malware". For example, the connection of an unauthorized device (for example, a personal digital assistant or notebook PC) to a network (inside a LAN) under a user environment can be the beginning of a security threat, but it should be classified as a serious incident. It is impossible to determine if it is, without referring to the activity record of the connected device.

The fact that a new device is connected is recorded in the log of the network device to which the IP address is given, but the access record (for example, information such as connection time and IP address) is recorded in the log of the network device to which the IP address is given. Often need to refer to other different devices (eg domain controllers, firewalls, or file server access logs) to each other. That is, an incident can be analyzed only after a comprehensive analysis is performed by mutually referring to a plurality of logs of different types. Further, for example, it is necessary for the user to separately prepare a system for backing up the system and restoring from the backup data as needed.

Therefore, if there is a common customizable platform (hardware configuration) to provide an appropriate security environment in accordance with CSF for all users, it may be possible to greatly contribute to the spread of CSF.

The present invention has been made in view of the above problems, and its main technical problem is to provide a hardware configuration (CSF-Box) for realizing a cyber security framework.

The cyber security framework box according to the present invention is
Installed as a gateway between the user's local area network (LAN) and the Internet,
A cybersecurity framework box that contains virtual servers
At least 1. Database that manages configuration data 2. Database that manages legitimate user information (ID, access authority, employment status, etc.) 3. An asset management database that includes a database that manages risk information (owner, risk assessment, risk response, etc.)
A UTM function that detects, quarantines, and removes unauthorized access to any of the devices identified on the asset management database.
Incident management function for recording and processing incident occurrences,
At least log data including user login information for any of the hosts identified in the asset management database, and logs containing at least each user or device acquired by the asset management data and the UTM function. An analysis function for collecting data and executing analysis in real time,
A data recovery function for performing backup and recovery on the virtual server and all virtual machines driven on the virtual server, and
All of the functions of are executed as virtual appliances on a plurality of virtual servers installed in the LAN.
Based on the analysis function, "identification", "defense" and "detection" of the device affected by the cyber attack, and "response" and "recovery" against the cyber attack are performed.
It is characterized by providing a function to execute simultaneously and continuously.

The CFS-Box in the above configuration is separated from the user network, and external experts cannot directly access the systems and data in the user network. In addition, all access behavior from the outside is logged and designed so that it can be analyzed at all times. If the CFS-Box is attacked and gained unauthorized access, the system and data in the internal user network cannot be protected, so great care is taken in the security of the CFS-Box. All controls required by CSF are also applied and implemented in CSF-Box. For example, monitoring of unexpected configuration changes, patching of vulnerabilities and backup of CSF-Box itself.

Virtual servers are roughly classified into host OS type and hypervisor type depending on the presence or absence of host OS. Furthermore, the hypervisor type also requires a computer equipped with a CPU that supports the virtualization support function. There are two known methods, "paravirtualization" and "full virtualization", depending on whether or not they are. Various methods affect the difference in virtualization performance including overhead, but in the present invention, any method can be used.

Here, "unauthorized access to the cyber security framework system" includes both unauthorized access to the virtual server and unauthorized access to the virtual machine driven on the virtual server.

The UTM function in the above configuration is a virtual appliance for executing various security functions such as anti-virus, intrusion prevention, content filtering, and anti-spam. If desired, it may be configured to perform sandbox functions. A sandbox is a security mechanism that prevents unauthorized operation of a system by operating a program received from the outside in a protected area, and provides effective security functions against unknown threats. Can be done. Further, the UTM function may be configured by a plurality of UTMs.

In the above configuration, when malware is detected in one of the devices, one of the virtual appliances records the occurrence as an "incident" and notifies a preset notification destination.
It may be configured to be characterized in that the infected device is dealt with according to the incident level based on a preset SLA (Service Level Agreement).

Here, the SLA is a basic operation procedure manual for determining the operation of the CSF-Box according to the present invention, and is an administrator (management company) that manages the CSF-Box and a user who installs the CSF-Box. Predetermined based on the contract with. The SLA is preferably compliant with the cybersecurity framework.

In addition, one of the virtual appliances is configured to perform at least a vulnerability scan, including patch management, or a compliance check to check for compliance with PCI DSS security standards. You may.

Vulnerability scanning and compliance checks are also one of the items defined by CSF and are one of the useful means to counter cyber security.

Also, one of the virtual appliances may be configured to include a directory server. The directory server is for managing the account for the CSF-Box administrator or the user's security officer according to the present invention, and when a directory server for managing the user's login account is required, In order to ensure the independence of the CSF-Box, it is preferable to install it in a network lower than the CSF-Box according to the present invention.

Further, one of the virtual appliances may be configured to have a performance monitoring function and a load balancing function of another virtual appliance. At least the virtual server for providing the various virtual appliances of the present invention preferably adopts a redundant configuration, and even if one of the virtual servers becomes unusable due to a failure or a cyber attack, another server is used. Ensures stable long-term operation. In the examples described below, it is preferable to use a clustering configuration from at least 4 nodes (that is, virtual servers are installed on each of the 4 physical computers). It is also preferable to install at least two switching hubs, which are a type of equipment (hub) that relays in a network, in parallel for redundancy.

As described above, according to the CSF-Box according to the present invention, cyber security measures based on the cyber security framework formulated by the National Institute of Standards and Technology described above are the user's environment, budget, required security level, etc. It will be possible to do it efficiently according to the situation.

Since most of the necessary functions of the CSF-Box according to the present invention are provided as a virtual appliance, it is possible to construct an integrated security environment that can be freely customized according to the user's environment. ..

In actual operation, there are many functions that cannot be built in CSF-Box, so by providing them in the form of "services" from the outside on the administrator (management company) side, total cyber security You need to provide a solution. Therefore, in order to actually construct and operate the CSF-Box according to the present invention in the environment of each user, for example, the existing system, the functions to be realized, the cost and compatibility of the system construction, etc. are considered. In the process of deciding the final hardware and software to some extent and constructing an integrated environment (Integration), it is necessary to create an SLA (Service Level Agreement) and define the actual operation form.

FIG. 1 is an example of a network configuration of a virtual appliance shown as an embodiment of the present invention. FIG. 2 is a block configuration diagram showing an example of virtual appliances arranged at the four nodes (I to IV) shown in FIG.

(Basic configuration of cyber security framework)
It is composed of the following three elements.
1. 1. Framework core 2. Framework profile 3. Framework Impression Tier

Above 1. "Framework core" is a compilation of control measures that are considered necessary for implementing cyber security measures, such as "identification (IDENTIFY)", "defense (PROTECT)", and "detection (DETECT)). , "RESPOND", and "RECOVER" are classified into five functions. There are 22 categories for each function, and 98 subcategories are defined as detailed management measures. Multiple standards and best practices are mapped to this subcategory as a reference that details the content of the controls.
For example, in "Defense", which is one of the functions, there is "Access control" in the category, and as a more detailed control measure, "It manages the identification information and authentication information of authorized devices and users". It is organized as a subcategory.
Finally, there is a reference as information when considering specific methods and countermeasures. Looking at the configuration again, in fact, CSF is not a new control measure for cyber security measures, but an existing information security control measure reconstructed from the viewpoint of cyber security. It turns out that there is.

Above 2. "Framework Profile" summarizes the current state of cyber security measures of organizations created based on the core and the goals of cyber security measures to be aimed at.
Clarify the gap between the current status and the target profile, and based on the results, consider the resistance to cyber security risks and the feasibility of countermeasures, prioritize the control measures to be started, secure the budget, and formulate procurement requirements. Is possible. For profiles, there are no templates or lists available.

Above 3. The "Framework Impression Tier" of the organization represents the current state of the organization's cybersecurity measures and is like a maturity evaluation standard for setting goals that the organization should aim for in the future. The tier is represented step by step by "1 to 4", and it is possible to grasp the current level of the organization and the level to be aimed at step by step from the viewpoint of the development status of the risk management process and cooperation with external organizations.

A. Asset Management Security measures begin with "identifying" what to protect. All that is needed is Asset Management, where all assets (hardware, software and data) are registered as a single database, who is responsible, how important it is, and recovery. It is necessary to grasp the dependency between assets (Dependency) from the external supply chain dependency (Supply Chain Dependency), etc., how long it should be restored if necessary. Is.
Specifically, for example, by using a tool that monitors various information such as the IP address and host name of the device existing on the user's internal network (LAN), the type and version of the OS, and the open / closed state of the port. , You can also collect asset management data. Based on the collected data, it is preferable to reflect the necessary information of the administrator etc. in the database.

The most primitive form of the database is a table provided in the form of a spreadsheet or CSV data, but at least a database that manages asset management data associated with the device name to be protected and its local IP address. Therefore, it is preferable that the data is constantly updated to the latest state as it can be dynamically changed.

Then, based on these data, the strategy of "defense" is decided. These include, for example, Configuration Management, Network Management, Vulnerability Management, Patch Management, Database Management, Identity Management, Various functions such as Access Control Management, Secure Software Development Lifecycle (SSDLC), Release Management, BCP / DRP, Backup Management, etc. (These are just examples. There will be a need to realize within the necessary range according to the user environment.

Here, we guarantee that the hardware and software are kept in a secure state, and control who can access which data. This includes the process for promptly changing or deleting access rights due to staff changes or retirement. All log data is created in this defense and is carried over to the next "detection". By analyzing multiple logs, "incidents" that should not normally occur can be detected, and they are alerted and notified. These things are recorded and managed in Incident Management. In log analysis, the data collected for "defense" may be used as a baseline. When an alert comes up, communication is needed and further log analysis is needed. If data leakage is confirmed, it will be necessary to cooperate with the outside such as police and investigative agencies. (These are "correspondence".)

What we have learned here is fed back to the "defense" strategy and "detection" method. If the incident causes the system to go down or the data has been tampered with, start the "recovery" operation. In addition to this, there is Security Awareness Training, and by introducing Risk Management, business impact analysis conducts risk assessment and prioritizes the "defense" strategy. It is also required to attach it.

The big flow is that CSF requires that all of this be done. In addition to providing the necessary data collection and data repository, the CSF-Box of this embodiment needs to be able to create regular reports and reports necessary for further analysis. Is.

The various functions described above will be briefly described below. Looking at each function alone, it is possible to use what is already provided as a product or what is available as open source software, but security measures based on the cyber security framework For the purpose of implementing this, the point is to build the necessary functions required by the user by using the virtual machines or tools provided as virtual appliances on the virtual server installed in the LAN.

(Example) -Functions and operations of each virtual appliance-
Hereinafter, as an embodiment, specific examples of each virtual appliance and basic functions to be provided will be described.

-UTM function-
UTM is a system that integrates required security functions such as firewall, VPN (Virtual Private Network), antivirus, intrusion protection system (IPS) / IDS (intrusion detection system), content filtering, and antispam. Therefore, it is preferable to use the one provided as a virtual appliance or to use it in combination with the hardware device, not as a hardware device.

Any UTM provided as a virtual appliance may be used. This provides a function to detect, quarantine, and remove unauthorized access to devices installed in the LAN, including malware detection.

-File server-
The file server stores log data, various databases necessary for operating CSF, system backup data, and so on.

-Directory server-
A directory server for creating accounts for security administrators.

-Data analysis server-
The data analysis server contains at least log data containing user login information for any host identified on the database, and log containing asset management data and at least network access information for each user or device acquired by UTM. It is a server that provides an analysis function for collecting data and executing analysis in real time.

By collecting and indexing machine data generated from each device in the local area network, machine data from multiple systems can be centrally managed and cross-sectional analysis possible, from data collection, monitoring to analysis. Visualization can be realized quickly and easily. Based on such an analysis function, it is possible to "identify", "defend", and "detect" a device that has been attacked by a cyber attack.

-Network investigation and security audit-
As a method of creating and updating an asset management database, a tool that monitors various information such as the IP address and host name of devices existing on the user's internal network (LAN), OS type and version, and port open / closed status. It is effective to use. Based on the collected data, it is possible to reflect the necessary information of the administrator etc. in the database.

− Vulnerability scan −
Check if security patches are up to date Vulnerability scans, have an appropriate schedule of regular scans, comply with certain specified security standards such as Payment Card Industry Data Security Standard (PCI DSS), or have data It is a server that provides a function to check whether it is encrypted with appropriate strength.

-Backup / recovery server-
Backup / recovery tools differ depending on the type of virtual server, but in any case, it provides a data recovery function for performing backup and recovery on the virtual server and all virtual machines running on the virtual server. By providing a virtual appliance, for example, even if malware is discovered, it is possible to completely disseminate it from scratch in accordance with the best practices stipulated by CSF.

It is preferable that the server that manages the user's system and data is provided separately from the server security framework box.

-Remote Desktop Server-
By making one of the virtual appliances in CSF-Box remotely accessible through VPN (Virtual Private Network), external issues such as management companies that provide CSF-Box can solve problems that users cannot deal with. It will be possible for a team of experts to operate it remotely.

-Performance monitoring function and load balancing function-
It is a tool or server that provides a simple function of continuously receiving a time stamp, a metric name, a metric value, and a set of these values and graphing them as a network service.

(Example)
FIG. 1 is an example of a network configuration of a virtual appliance shown as an embodiment of the present invention. As shown in FIG. 1, the hardware device that provides the function of the virtual server that hosts the virtual machine (VM) is composed of, for example, four blade servers for redundancy (each server is node 1 to node). It is set to 4.). There are various systems in the virtual server, but the virtual server is not particularly limited as long as it hosts a virtual machine that provides each function described below. For example, the virtualization function of VMware, Linux-based KVM, Windows may be used, or other virtual servers may be used. A virtual server can give each virtual machine one or more network interfaces, with multiple different networks, eg,
First network: 192.168.1.0/24
Second network: 192.168.2.0/24
Third network: 192.168.5.0/24
Fourth network: 192.168.99.0/24
Fifth network: 192.168.50.0/24
Is given, and one of them is assigned to the user network outside the CSF-Box. Although the description has been given with an example using an IPv4 format address notation, it may be replaced with an IPv6 format address. Further, the network allocation is appropriately configured as needed, and is not limited to the above.

The network switch installed at the gateway connects to the server of each node with a LAN cable. Each node is provided with at least two network interfaces. The virtual machine is given a network address that is different from the network interface of each node.

FIG. 2 is a block configuration diagram showing an example of virtual appliances arranged at the four nodes (I to IV) shown in FIG. In the following examples, Debian's kernel-based virtual machine (KVM) was used. In addition, a file server function such as Ceph was built on the kernel that is the host of KVM. Ceph is a file system implemented as standard in kernel 2.6.34, and realizes a mechanism for distributed management of data for multiple storage systems. Clients will be able to use a petabyte-scale, extremely large-capacity distributed file system with the same usability as a normal file system. When KVM is not used, the file server function may be configured as one of the virtual appliances.

Each of the checkpoint products shown below is an original OS provided as a virtual appliance, and the remote desktop server located on node 4 uses Windows (registered trademark), but other virtual appliances. All of them are configured to install the necessary programs on Debian, which is one of the distributions of Linux (registered trademark).

(I) In the first node (upper left of FIG. 2), Check Point NGTX (Next Generation Threat Extraction) and Splunk Splunk ES + PCI App Indexer are arranged as the first UTM function. ..

Checkpoint NGTX, a virtual appliance that provides security functions for user data, provides basic UTM functions such as antivirus and sandbox, and creates reports.

(II) The second node (upper right in FIG. 2) is a virtual appliance having the same configuration as the first node, but Splunk ES + PCI App Search head is arranged.

(III) The third node (lower left in FIG. 2) uses Check Point's Check Point NGTP (Next Generation Threat Prevention) and Splunk's Splunk UBA (User Behavior Analytics) as the second UTM function. Placed.

Checkpoint NGTP is a virtual appliance that provides security functions to the internal components (various virtual appliances) of CSF-Box, so sandbox functions are not particularly required, but other than that, other basics Functions are the same as those of the checkpoint NGTX.

Splunk UBA provides a function to analyze user access logs and the like by machine learning.
Splunk ES (Enterprise Security) stores logs and data collected at the fourth node in a database.
Furthermore, based on the baseline data obtained by machine learning and the data collected at the 4th node, the security status is monitored, and if an abnormality that deviates from the baseline is detected, an incident record is created. Send an alert.
It also regularly checks compliance status, creates necessary reports, and manages in-compliance alerts.

(IV) Fourth node (lower right of Fig. 2)
In the fourth node, the following virtual appliances (i) to (viii) are arranged.

(I) CheckPointNGSM5
As a third UTM function, it is one of the UTMs called CenterManagementFirewall of CheckPoint, which provides a function to manage the log data of two types of UTMs placed on other nodes, and is transferred to Splunk together with its own log data. NS.

(Ii) Graphite Server
It is one of the server monitoring tools, and provides a function to continuously receive time stamps, metric names, metric values, and sets of these values, build a time series database, and graph them as a network service.

(Iii) Tenable Manager
Check if security patches are up to date Vulnerability scans, have an appropriate schedule of regular scans, comply with certain specified security standards such as Payment Card Industry Data Security Standard (PCI DSS), or have data It provides a function to check whether it is encrypted with appropriate strength.

(Iv) ApacheSyncpe
It is a function for managing user IDs, and mainly by introducing this function, single sign-on (SSO) becomes possible, and there is an advantage that the user does not have to remember a plurality of IDs and passwords. As a tool for realizing such a function, ApacheSyncpe and the like are known. Apache Syncope runs on JAVA® EE technology and is released under the Apache 2.0 license.

(V) RemoteDesktopServer (Windows10)
Not only from within the LAN, but also by using the VPN function provided by UTM or the like, remote access to the virtual appliance of each node is possible by SSH or the like.

(Vi) OpenLdap + Tacas + DNS
OpenLdap is a server that provides a directory service for administrative users of CSF-Box. Tacas is one of the terminal access control systems, and there is also a daemon running on Unix / Linux to execute the protocol TACACS + for controlling access to network devices. It is published that it is maintained by extending the function originally published by Cisco in GPLv2, and it is also a KVM package. DNS provides the ability to perform name resolution.

(Vii) Balleos Server
Provides backup and recovery capabilities. When using other virtual servers, a backup system corresponding to each virtual server can be used.

(Viii) CheckPointNGTP
It is a redundant configuration of UTM arranged in the third node, and the functions are exactly the same.

As described above, the configuration example of CSF-Box is shown, but it is a cyber security framework box installed in a local area network (LAN) and including at least one virtual server, and is a cyber security framework box for asset management data. By providing the basic functions of the cyber security framework such as the database, UTM function, and data analysis function as a virtual appliance, it is possible to realize a flexible configuration according to the user environment.

Claims (5)

The cyber security framework box according to the present invention is
Installed as a gateway between the user's local area network (LAN) and the Internet,
A cybersecurity framework box that contains virtual servers
At least 1. Database that manages configuration data 2. Database that manages information on regular users 3. An asset management database that contains a database that manages risk information,
A UTM function that detects, quarantines, and removes unauthorized access to any of the devices identified on the asset management database.
Incident management function for recording and processing incident occurrences,
At least log data including user login information for any of the hosts identified in the asset management database, and logs containing at least each user or device acquired by the asset management data and the UTM function. An analysis function for collecting data and executing analysis in real time,
A data recovery function for performing backup and recovery on the virtual server and all virtual machines driven on the virtual server, and
All of the functions of are executed as virtual appliances on a plurality of virtual servers installed in the LAN.
Based on the analysis function, "identification", "defense" and "detection" of the device affected by the cyber attack, and "response" and "recovery" against the cyber attack are performed.
It is characterized by providing a function to execute simultaneously and continuously. When malware is detected in one of the devices, one of the virtual appliances records the occurrence as an "incident" and notifies a preset notification destination.
The cyber security framework box according to claim 1, wherein a response to an infected device according to the incident level is executed based on a preset SLA (Service Level Agreement). One of the virtual appliances is capable of performing a vulnerability scan, including at least patch management, or a compliance check, which checks for compliance with certain specified security standards, including at least PCI DSS. The cyber security framework box according to claim 1 or 2. The cyber security framework box according to any one of claims 1 to 3, wherein one of the virtual appliances includes a directory server. The cyber security framework box according to any one of claims 1 to 4, wherein one of the virtual appliances includes a performance monitoring function and a load balancing function of another virtual appliance.

Images