JP7226819B2 - Information processing device, information processing method, program - Google Patents

Description

The present invention relates to an information processing device, an information processing method, and a program.

Terminals on networks have security risks such as vulnerabilities in hardware and software and threats caused by external attacks. Security risks generally have multiple countermeasures.

However, countermeasures against vulnerabilities other than patch application cannot be applied to all terminals because communication restrictions, setting changes, etc. differ for each terminal. Therefore, when dealing with a large number of terminals, it takes a cost to plan a course of action.

Therefore, recently, an invention has been proposed that assists planning of countermeasures (countermeasures) against security risks that exist in each terminal. For example, in Patent Document 1, security risks are analyzed based on the state of a system in operation, and from candidate countermeasures for mitigating security risks, the optimal An invention presenting a countermeasure method is disclosed.

Japanese Patent No. 5304243

As described above, the invention disclosed in Patent Literature 1 proposes an optimal countermeasure method when a terminal has a security risk. However, since the impact on the terminal and system by applying the proposed countermeasures is unknown, the security administrator should immediately apply the proposed countermeasures, and if multiple countermeasures are presented However, it was not possible to determine which was the most appropriate response. Therefore, it has been difficult for security administrators to formulate countermeasures against security risks.

An object of the present invention is to provide a technique capable of solving the above-described problems.

According to one aspect of the present invention, an information processing device includes:
a selection reception unit that receives an input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, an operation information identification unit that identifies a type of operation information corresponding to a countermeasure applicable to the terminal;
an operation information acquisition unit that acquires the type of operation information identified by the operation information identification unit from among the operation information of the terminal;
a remaining terminal identifying unit that identifies a remaining terminal that is a terminal that remains the security risk when the countermeasure received by the selection receiving unit is applied based on the terminal-specific countermeasure information;
a prediction unit that predicts the number of remaining terminals at a future time based on the operation information acquired by the operation information acquisition unit;
a presentation unit that presents a prediction result predicted by the prediction unit;
Prepare.

According to one aspect of the present invention, an information processing method comprises:
An information processing method performed by an information processing device,
receiving input indicating that at least one countermeasure has been selected from among a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, identifying a type of operation information corresponding to a measure applicable to the terminal;
a step of acquiring the specified type of operating information among the operating information of the terminal;
a step of identifying a remaining terminal, which is a terminal where the security risk remains when the accepted countermeasure is applied, based on the terminal-specific countermeasure information;
a prediction step of predicting the number of remaining terminals at a future time based on the acquired operation information;
a presenting step of presenting the predicted prediction result;
including.

According to one aspect of the invention, a program comprises:
to the computer,
a step of receiving input indicating that at least one countermeasure has been selected from among a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, a procedure for identifying a type of operation information corresponding to a measure applicable to the terminal;
a procedure for acquiring the specified type of operating information among the operating information of the terminal;
a procedure for identifying a residual terminal, which is a terminal that remains a security risk when the accepted countermeasure is applied, based on the terminal-specific countermeasure information;
a prediction procedure for predicting the number of remaining terminals at a future time based on the acquired operation information;
a presentation procedure for presenting the predicted prediction result;
It is a program for executing

According to the present invention, a security manager can easily formulate countermeasures against security risks.

2 is a diagram conceptually showing the processing configuration of the information processing apparatus according to Embodiment 1; FIG. 5 is a diagram showing an example of a screen generated by the information processing apparatus according to Embodiment 1; FIG. FIG. 4 is a diagram showing an example of terminal-specific handling information according to Embodiments 1 and 2; FIG. 5 is a diagram showing an example of definition information according to Embodiments 1 and 2; FIG. FIG. 5 is a diagram showing an example of operation information according to Embodiments 1 and 2; FIG. FIG. 5 is a diagram showing an example of a prediction result predicted by a prediction unit according to Embodiment 1; FIG. 5 is a diagram showing an example of a screen presented by a presentation unit according to Embodiment 1; FIG. FIG. 10 is a diagram showing another example of a screen presented by the presentation unit according to Embodiment 1; FIG. 2 is a diagram conceptually showing the hardware configuration of the information processing apparatus according to the first embodiment; FIG. 4 is a flow chart showing the flow of processing of the information processing apparatus according to Embodiment 1; 2 is a diagram conceptually showing the system configuration of an information processing system according to Embodiment 2; FIG. FIG. 10 is a diagram showing an example of terminal information acquired by an information acquisition unit according to Embodiment 2; FIG. 10 is a diagram showing an example of classification information stored in a classification information storage unit according to Embodiment 2; FIG. 10 is a diagram showing an example of a screen generated by a display processing unit according to Embodiment 2; FIG. FIG. 10 is a diagram showing an example of a prediction result predicted by a prediction unit according to Embodiment 2; FIG. 10 is a diagram showing an example of a screen presented by a presentation unit according to Embodiment 2; FIG. FIG. 10 is a diagram showing another example of a screen presented by the presentation unit according to Embodiment 2; FIG. 9 is a flow chart showing the flow of processing of the information processing device according to the second embodiment;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, in all the drawings, the same constituent elements are denoted by the same reference numerals, and the description thereof will be omitted as appropriate.

[Embodiment 1]
[Processing configuration]
FIG. 1 is a diagram conceptually showing the processing configuration of an information processing apparatus 10 according to Embodiment 1 of the present invention. As shown in FIG. 1, the information processing apparatus 10 according to the first embodiment includes a selection reception unit 110, an operation information identification unit 120, an operation information acquisition unit 130, a remaining terminal identification unit 140, a prediction unit 150, and a presentation A unit 160 is provided.

The selection accepting unit 110 accepts an input indicating that at least one measure has been selected from a plurality of measures applicable to a managed terminal having a security risk. Here, the security risk includes a vulnerability existing in the managed terminal or a threat caused by an external attack on the managed terminal. A managed terminal is a terminal that is connected to the information processing apparatus 10 via a network and whose security status is monitored. Terminals to be managed include not only client terminals on the network, servers, communication devices such as switches and routers, but also anything that has a function to connect to the network and a means of communicating via the network (the so-called IoT (Internet of Things)). included). In addition, countermeasures are measures to eliminate, avoid, or reduce vulnerabilities and threats, and applicable countermeasures are measures that can be taken for managed terminals among the measures against vulnerabilities and threats. say. The selection reception unit 110 receives a selection input of countermeasures against a security risk (here, vulnerability A) via a screen as shown in FIG. 2, for example.

FIG. 2 is a diagram showing an example of a screen generated by the information processing device 10 and displayed on a display device (not shown) connected to the information processing device 10. As shown in FIG. Note that FIG. 2 is an example of the screen when the security risk is vulnerability A. As shown in FIG. The screen in Figure 2 shows the number of managed terminals with Vulnerability A (“at risk”) and the number of residual risks (managed terminals with Vulnerability A remaining) after each countermeasure is taken. ("residual risk after countermeasure"), the predicted value of residual risk at future time (here, one week later) ("residual risk predicted value"), and each countermeasure for vulnerability A ("countermeasure (1)", "Action (2)" and "Action (3)") are displayed in association with each other. The numbers in parentheses in the column of each action indicate the number of managed terminals to which the action corresponding to that column can be applied. The screen of FIG. 2 also displays an overview of vulnerability A and details of each countermeasure against vulnerability A. FIG. In the screen example of FIG. 2, out of 90 managed terminals with vulnerability A, 28 managed terminals are applicable to "Action (1)", and "Action (2)" is applicable. This indicates that there are 69 terminals to be managed, and 15 terminals to be managed to which "countermeasure (3)" can be applied. The reason why the sum of the number of terminals for each countermeasure is different from the number of terminals (90 units), which is the parameter, is that there are managed terminals to which a plurality of countermeasures can be applied. In addition, on the screen in Fig. 2, when you click the downward black triangle of "Residual risk prediction value", a drop-down showing selectable future times (for example, immediately, the next day, one week later, one month later, etc.) A list is displayed. When a future time is selected from the drop-down list, a predicted value at the selected future time (here, one week later) is displayed as the residual risk prediction value.

The screen of FIG. 2 is generated by the information processing apparatus 10 based on information (terminal-specific countermeasure information) indicating a countermeasure applicable to each terminal to be managed against vulnerability A as shown in FIG. 3, for example. be. FIG. 3 is a diagram illustrating an example of terminal-specific coping information. FIG. 3 is an example of terminal-specific countermeasure information when vulnerability A is the security risk. The terminal-by-terminal handling information includes terminal identification information (for example, MAC (Media Access Control) address, etc.) for identifying each managed terminal, and information indicating a handling applicable to each managed terminal. For example, the terminal-specific countermeasure information is generated by investigating managed terminals in advance based on information (risk information) indicating security risks and countermeasures provided by each vendor, etc., and is stored in a predetermined storage unit ( (not shown). In the example of FIG. 3, for vulnerability A, terminal A can apply "countermeasure (1)" and "countermeasure (3)", terminal B can apply "countermeasure (2)", Terminal C can apply "countermeasure (3)". The storage unit for storing the terminal-specific coping information as shown in FIG. Also good.

The remaining terminal specifying unit 140 reads the terminal-specific coping information from a predetermined storage unit (not shown), and, based on the read terminal-specific coping information, assumes that the coping indicated by the selection input received by the selection accepting unit 110 is executed. , identify the managed terminals (hereinafter also referred to as remaining terminals) with remaining security risks. As described above, the terminal-specific countermeasure information is information indicating countermeasures that can be applied to security risks for each terminal to be managed, and is stored in the storage unit in the format shown in FIG. The remaining terminal identification unit 140 can identify the managed terminal to which the countermeasure indicated by the selection input can be applied from the corresponding relationship between the terminal identification information of the terminal-specific countermeasure information and the applicable countermeasure as shown in FIG. can. At the same time, the remaining terminal identification unit 140 can identify managed terminals (residual terminals) that have security risks.

The operating information specifying unit 120 uses the above-described terminal-specific handling information and definition information that defines the correspondence relationship between the type of operating information of the managed terminal and the security risk handling, so that the Identify the type of operating information that corresponds to the action. Operation information refers to information indicating the history of operations and processes actually performed on managed terminals (operation history information), or information indicating operations and processes scheduled to be performed by the management device (operation schedule information). Information that includes at least one. These operational information are generated by each managed terminal and stored in the storage unit of the managed terminal according to the execution of a predetermined operation or process or the input of the execution schedule of a predetermined operation or process on each managed terminal. remembered. Also, "type of operation information" means the classification to which each piece of operation information belongs. For example, specific examples of "operation history information types" include "patch application history", "restart history", "continuous operation time", "port usage history", "process operation history", and "application usage history". etc. Further, specific examples of the "type of operation schedule information" include "scheduled patch application date and time", "scheduled reboot date and time", and "scheduled application startup date and time". However, the types of operation information are not limited to the examples given here.

The definition information is stored in a predetermined storage unit (not shown) in the format shown in FIG. 4, for example. FIG. 4 is a diagram showing an example of definition information. FIG. 4 is an example of definition information when the security risk is vulnerability A. As shown in FIG. In FIG. 4, measures for vulnerability A ("Action (1)", "Action (2)", and "Action (3)") and the countermeasures will be helpful when deciding whether or not to apply them. , and the type of operation information of the terminal to be managed are stored in association with each other. In the example of FIG. 4, "countermeasure (1)" is a countermeasure of applying patch AAAA and restarting. "Countermeasure (2)" is a countermeasure to stop process ZZZZ. Also, “countermeasure (3)” is a countermeasure to block the port 1027 . Also, the 'operation information types' corresponding to 'countermeasure (1)' are 'patch application history', 'restart history', and 'continuous operation time'. Also, the 'operation information type' corresponding to 'countermeasure (2)' is the 'use history of process ZZZZ'. Also, the 'operation information type' corresponding to 'countermeasure (3)' is the 'use history of port 1027'. A storage unit for storing definition information as shown in FIG. 4 may be provided in the information processing apparatus 10, or may be stored in another apparatus communicably connected to the information processing apparatus 10. .

The operation information identifying unit 120 identifies, for each terminal to be managed, applicable countermeasures and types of corresponding operation information, based on the terminal-specific countermeasure information in FIG. 3 and the definition information in FIG. 4, for example. Specifically, based on the terminal-specific countermeasure information of FIG. identify something. Based on the definition information in FIG. 4, the operation information specifying unit 120 sets the "type of operation information" corresponding to "countermeasure (1"" to "patch application history", "reboot history", and "continuous operation history". Based on the definition information in FIG. 4, the operation information identifying unit 120 also identifies the "type of operation information" corresponding to "countermeasure (3)" as "usage history of port 1027." The operating information identifying unit 120 identifies the applicable countermeasures for terminal B (only “countermeasure (2)”) and the types of operating information corresponding to the corresponding countermeasures (“process ZZZZ usage history”) for terminal B as well as for terminal A. Identify.

The performance information acquisition unit 130 acquires the type of performance information identified by the performance information identification unit 120 . The operation information acquisition unit 130 acquires the type of operation information identified by the operation information identification unit 120 from among the operation information of the terminal to be managed, for example, as described below.

For example, the operating information acquisition unit 130 notifies the managed terminal of the type of operating information specified by the operating information specifying unit 120, and receives the type of operating information as a response from the managed terminal. Alternatively, the performance information acquiring unit 130 may acquire the performance information stored in the terminal to be managed, and extract the type of performance information specified by the performance information specifying unit 120 from among them. Here, the operation information acquisition unit 130 may acquire necessary operation information from all the operation information stored in the managed terminal, or may acquire necessary operation information for a predetermined period (for example, one time period) stored in the managed terminal. You may acquire the necessary operation information from the operation information in the month etc.). An example of operation information is information related to the operation history performed within a predetermined period of time (for example, past one month), that is, information related to restarts performed in the past and information related to port numbers accessed in the past. , may contain information about previously executed processes. Another example of operation information is information on an operation schedule scheduled for a predetermined future period (for example, one month in the future), that is, information on a restart scheduled to be executed in the future, and port numbers to be accessed in the future. and information about processes scheduled to be executed in the future. Also, the operation information may be a combination of these. If there is a subsystem that manages the terminal to be managed, the future operation schedule may be obtained from that subsystem.

Specifically, the operation information acquisition unit 130 acquires operation information as shown in FIG. FIG. 5 is a diagram showing an example of operation information acquired by the operation information acquisition unit 130. As shown in FIG. Note that FIG. 5 is an example of operation information when the security risk is vulnerability A. In FIG. Based on the type of operation information identified by the operation information identification unit 120, the operation information acquisition unit 130 obtains “patch application history”, “reboot history”, and the operation information of "continuous operation time" is acquired from the terminal A. Further, based on the type of operation information identified by the operation information identification unit 120, the operation information acquisition unit 130 obtains the operation information of the “usage history of port 1027” for “countermeasure (3)” applicable to terminal A. is obtained from terminal A. As with the terminal A, the operation information acquiring unit 130 acquires the operation information of the “usage history of the process ZZZZ” from the terminal B for the “countermeasure (2)” applicable to the terminal B as well. When the operation information relates to past operation history, the date of the operation information is in the past. When the operation information relates to the future operation schedule, the date of the operation information will be the future.

Based on the operation information acquired by the operation information acquisition unit 130, the prediction unit 150 predicts the number of terminals to be managed (remaining terminals) with remaining security risks at future time. For example, according to the operation information shown in FIG. 5, the prediction unit 150 can make the following predictions about the terminal A (here, the prediction unit 150 can predict the operation information of FIG. 5 as of May 2015). It is assumed that it has been confirmed as of the 27th (Wednesday)). The prediction unit 150 can determine the execution timing of periodic restart by referring to the "restart history" associated with "countermeasure (1)". Along with the "reboot history" column or in place of the "reboot history" column, a "restart schedule" column is provided, and information on future reboot schedules is stored in the "restart schedule" column. If so, the execution timing of restart can be determined by referring to the "scheduled restart". For example, the reboot schedule with the closest scheduled date and time may be predicted or determined to be the execution timing of the reboot. Also, the prediction unit 150 can determine the periodical patch application timing by referring to the "patch application history" associated with "countermeasure (1)". Specifically, it can be read that the terminal A is periodically patched and restarted every Thursday morning. From this, the prediction unit 150 determines the application timing of “countermeasure (1)”, that is, the timing of applying patch AAAA and rebooting to “next Thursday morning”, that is, “May 28, 2015”. (Thursday morning)" can be predicted. This is because, according to the history of past reboots, three of the last three reboots have occurred at 10:00 on Thursdays. This is because it can be predicted. In another method, the number of reboots may be counted for each day of the week, and the day of the week with the highest number of counts may be predicted as the most likely day of the week to be restarted. Also, the prediction unit 150 can determine the usage history of the port 1027 by referring to the "usage history of the port 1027" associated with the "measure (3)". Specifically, it can be read that terminal A has been using port 1027 for two consecutive days, the day before and the day before. In this way, when information on a plurality of dates and times of use is stored in the "history of use of port 1027", the prediction unit 150 determines that there is a possibility that port 1027 will be used in the future, and 3)”, that is, the timing of blocking the port 1027, may be the timing after the predetermined number of days that is set longer has passed. Alternatively, the prediction unit 150 may determine that the “measure (3)” for the terminal A is excluded from the target of date and time prediction, that is, the “measure (3)” is not applied to the terminal A. In the first embodiment, the prediction unit 150, like the former, sets the timing to block the port 1027 to the timing after a predetermined number of days have passed, for example, one week later, "June 2015." 3 (Wednesday)”. It should be noted that the predetermined number of days may be set to a predetermined number of days. In this way, by referring to the operation information corresponding to the countermeasure, the prediction unit 150 can easily predict the timing of executing the countermeasure.

As described above, the prediction unit 150 predicts the application timing of applying the applicable countermeasures to the terminals to be managed other than the remaining terminals identified by the remaining terminal identification unit 140 . Specifically, for each terminal to be managed other than the remaining terminal, the prediction unit 150 identifies an applicable countermeasure based on the terminal-specific countermeasure information in FIG. Predict when to apply countermeasures. The prediction unit 150 assumes that the applicable countermeasures have been executed at the predicted application timing and the vulnerability A has disappeared for each managed terminal other than the remaining terminals. For example, for terminal A, as described above, the application timing of "countermeasure (1)" is predicted to be "in the morning of May 28, 2015 (Thursday)", and the application timing of "countermeasure (3)" is predicted as "June 3, 2015 (Wednesday)" is predicted. Therefore, the prediction unit 150 assumes that the terminal A is free of the vulnerability A in the early morning of May 28, 2015 (Thursday). According to this assumption, the prediction unit 150 chronologically performs each future time (for example, immediately, the next day, one week later, one month later), the number of managed terminals with vulnerability A remaining (residual terminals) at that time is aggregated, and this aggregate value is the number of residual risks (managed terminals with vulnerability A remaining). is the predicted value of FIG. 6 is a diagram showing an example of a prediction result predicted by the prediction unit 150. As shown in FIG. Note that FIG. 6 is an example of a prediction result when the security risk is vulnerability A. In FIG. The prediction result of FIG. 6 is a prediction result when the selection receiving unit 110 receives an input indicating that “measure (1)”, “measure (2)”, and “measure (3)” are selected. be. The example of FIG. 6 is an example in which the predetermined number is 0, and the prediction unit 150 chronologically predicts the number of remaining terminals until “three months later” when the number of remaining terminals becomes 0 or less. predicting numbers. Specifically, in the example of FIG. 6, the number of remaining terminals is 22 “after immediate execution”, 13 “next day”, 6 “one week later”, and “one week later”. It is predicted that there will be 2 units in 'three months' and 0 units in 'three months'.

The presentation unit 160 presents the prediction result predicted by the prediction unit 150 on, for example, a display device (not shown) connected to the information processing device 10 . For example, as shown in FIG. 7, the presentation unit 160 aggregates the prediction result (“remaining risk prediction value”) predicted by the prediction unit 150 and the number of remaining terminals identified by the remaining terminal identification unit 140 (“ Residual risk after countermeasures") are reflected on the screen in FIG. FIG. 7 is a diagram showing an example of a screen presented by the presentation unit 160. As shown in FIG. FIG. 7 is an example of the screen when the security risk is vulnerability A. In FIG. FIG. 7 exemplifies a screen when all of "measure (1)", "measure (2)", and "measure (3)" are selected on the screen of FIG. On the screen of FIG. 7, "one week later" is selected in the drop-down list of "predicted value of residual risk". Therefore, the "estimated value of residual risk" in "one week later" is displayed. However, when another future time is selected, the "predicted value of residual risk" at the selected future time (for example, "next day") is displayed. In this way, when a countermeasure against a security risk is selected on the screen presented by the information processing apparatus 10, the result of hypothetical execution of the countermeasure is reflected on the screen.

Alternatively, the presentation unit 160 displays a screen showing a graph in which the "predicted value of residual risk" at each future time is chronologically graphed, as shown in FIG. 8, instead of the screen in FIG. can be FIG. 8 is a diagram showing another example of the screen presented by the presentation unit 160. As shown in FIG. FIG. 8 is an example of the screen when the security risk is vulnerability A. In FIG. FIG. 8 also displays the number of current residual risks (managed terminals with vulnerability A remaining), but whether or not to display the current number of residual risks is not particularly limited.

[Hardware configuration]
FIG. 9 is a diagram conceptually showing the hardware configuration of the information processing apparatus 10 according to the first embodiment. As shown in FIG. 9, the information processing apparatus 10 according to the first embodiment includes a processor 101, a memory 102, a storage 103, an input/output interface (input/output I/F) 1004, and a communication interface (communication I/F). ) 105 and the like. The processor 101, the memory 102, the storage 103, the input/output interface 104, and the communication interface 105 are connected by a data transmission path for mutual data transmission/reception.

The processor 101 is, for example, an arithmetic processing device such as a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit). The memory 102 is, for example, a RAM (Random Access Memory) or a ROM (Read Only Memory). The storage 103 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a memory card. Also, the storage 103 may be a memory such as a RAM or a ROM.

The storage 103 implements the functions of each processing unit (selection reception unit 110, operation information identification unit 120, operation information acquisition unit 130, remaining terminal identification unit 140, prediction unit 150, presentation unit 160, etc.) included in the information processing apparatus 10. I remember the program to implement. The processor 101 implements the function of each processing unit by executing each program. Here, when executing each of the above programs, the processor 101 may execute these programs after reading them onto the memory 102 , or may execute them without reading them onto the memory 102 .

The input/output interface 104 is connected to a display device 1041, an input device 1042, and the like. The display device 1041 is a device that displays a screen corresponding to drawing data processed by the processor 101, such as an LCD (Liquid Crystal Display) or CRT (Cathode Ray Tube) display. The input device 1042 is a device that receives an operator's operation input, such as a keyboard, mouse, and touch sensor. The display device 1041 and the input device 1042 may be integrated and implemented as a touch panel.

A communication interface 105 transmits and receives data to and from an external device. For example, the communication interface 105 communicates with external devices via a wired network or a wireless network.

Note that the hardware configuration of the information processing device 10 is not limited to the configuration shown in FIG.

[Example of operation]
An operation example of the information processing apparatus 10 according to the first embodiment will be described with reference to FIG. FIG. 10 is a flow chart showing the processing flow of the information processing apparatus 10 according to the first embodiment. An operation example when the security risk is vulnerability A will be described below.

First, the selection accepting unit 110 accepts an input from the security administrator via a screen as shown in FIG. 2 (S101). The security administrator's input is an input for selecting at least one of the multiple countermeasures for vulnerability A presented on the screen.

Next, the remaining terminal identification unit 140 refers to the storage unit that stores the terminal-specific countermeasure information, using the countermeasure indicated by the input received by the selection reception unit 110 as a key, and identifies the remaining terminal with the vulnerability A (S102). ). For example, it is assumed that the storage unit stores the terminal-specific handling information of FIG. 3, and the selection accepting unit 110 accepts an input indicating that "measure (1)" has been selected. In this case, the remaining terminal identifying unit 140 identifies at least “terminal B” and “terminal C” as terminals (remaining terminals) to which “measure (1)” cannot be applied.

Next, the performance information identifying unit 120 identifies the type of performance information corresponding to the action applicable to the terminal to be managed (S103), Information is acquired from the managed terminal (S104). For example, it is assumed that the storage unit has terminal-specific coping information shown in FIG. 3 and definition information shown in FIG. In this case, the operation information specifying unit 120 determines that “measure (1)” and “measure (3)” are applicable to terminal A, and that the type of operation information corresponding to “measure (1)” is "patch application history", "restart history", and "continuous operation time", and the type of operation information corresponding to "countermeasure (3)" is "port 1027 usage history"; Identify. Therefore, for terminal A, the operation information acquisition unit 130 obtains "patch application history", "reboot history", "continuous operation time", and "usage history of port 1027" from the operation information of terminal A. get.

Next, the prediction unit 150 predicts the number of remaining terminals at future time based on the operation information acquired by the operation information acquisition unit 130 (S105). For example, assume that the storage unit stores the terminal-specific coping information shown in FIG. 3, and the operation information acquisition unit 130 acquires the operation information shown in FIG. In this case, the prediction unit 150 identifies applicable countermeasures based on the terminal-specific countermeasure information shown in FIG. Based on this, the application timing of applicable countermeasures is predicted, and the number of remaining terminals at that point in time is totaled for each future time, thereby obtaining a prediction result as shown in FIG.
Thereafter, the presentation unit 160 presents the prediction results predicted by the prediction unit 150 (S106). The presentation unit 160 may present a screen in which the prediction results are reflected on the screen in FIG. 2, as shown in FIG. A graph screen may be presented.

[Action and effect of the first embodiment]
As described above, according to the first embodiment, the number of remaining terminals (residual risk) at future time when the selected countermeasure is tentatively executed is predicted, and the prediction result is presented. A security administrator who sees this presentation can grasp how many remaining terminals will remain at a future time by executing which of a plurality of countermeasures. As a result, the security administrator can determine whether the presented countermeasure should be applied immediately, or, if multiple countermeasures are presented, which one is the most appropriate. In other words, according to the first embodiment, the security manager can easily formulate countermeasures against security risks.

[Embodiment 2]
The second embodiment is a more specific version of the first embodiment.

[System configuration]
FIG. 11 is a diagram conceptually showing the system configuration of the information processing system 1 according to the second embodiment. As shown in FIG. 11, the information processing system 1 according to the second embodiment includes an information processing device 10, an administrator terminal 20, and a terminal 30 to be managed. The administrator terminal 20 is a terminal operated by a security administrator, such as a stationary PC (Personal Computer) or a tablet terminal. The managed terminal 30 is not only a client terminal on the network, a server, a communication device such as a switch or a router, but also anything that has a function to connect to the network and means to communicate via the network (so-called IoT (Internet of Things)). is included in).

[Processing configuration]
As shown in FIG. 11, the information processing apparatus 10 according to the second embodiment includes an information acquisition unit 170 in place of the operation information acquisition unit 130 of the first embodiment, and further includes a risk investigation unit 180 and display processing. A section 190 , a risk information storage section 192 , a classification information storage section 194 and a definition information storage section 196 are provided. The information acquisition unit 170 plays a role corresponding to the operation information acquisition unit 130, and also plays other roles described later.

The information acquisition unit 170 acquires terminal information from each of the managed terminals 30, and obtains information as shown in FIG. FIG. 12 is a diagram showing an example of terminal information acquired by the information acquisition unit 170. As shown in FIG. The terminal information includes, for example, the type of OS (Operating System) of the terminal 30 to be managed, the version of the OS, various applications installed in the terminal 30 to be managed, and the like. However, the terminal information is not limited to the information illustrated in FIG. The information acquisition unit 170 also performs the operation of the operation information acquisition unit 130 according to Embodiment 1, that is, the operation of acquiring the type of operation information specified by the operation information specification unit 120 from each of the managed terminals 30 .

The risk investigation unit 180 compares the terminal information acquired by the information acquisition unit 170 with the security risk information provided by each vendor, etc., and investigates the managed terminals 30 with security risks. Generate risk information including terminal-specific coping information as shown. For example, if the security risk is vulnerability A, the risk information may further include information such as an overview of vulnerability A and an explanation of each countermeasure, in addition to terminal-specific countermeasure information as shown in FIG. . The risk investigation unit 180 stores the generated risk information in the risk information storage unit 192 .

The display processing unit 190 uses the risk information stored in the risk information storage unit 192 to generate a screen to be displayed on the display unit (not shown) of the administrator terminal 20 and outputs it to the administrator terminal 20 . In the second embodiment, the display processing unit 190 uses the classification information of the classification information storage unit 194 as shown in FIG. Generate a screen to classify and display. By using the classification information, it is possible to determine the tendency of remaining terminals. FIG. 13 is a diagram showing an example of classification information stored in the classification information storage section 194, and FIG. 14 is a diagram showing an example of a screen generated by the display processing section 190. As shown in FIG. Note that FIG. 14 is an example of the screen when the security risk is vulnerability A. In FIG. In the example of FIG. 13, the classification information storage unit 194 associates and stores terminal identification information (for example, MAC address, etc.) that identifies each terminal to be managed and two types of classification information (terminal type, priority). are doing. Specifically, the managed terminals 30 are first classified into "server" and "client", and the managed terminals 30 belonging to the "client" are further classified according to their priority. Using the classification information shown in FIG. 13, the display processing unit 190 classifies the terminal 30 to be managed as shown in FIG. A screen is generated to be displayed by changing the degree (“large/medium/small”), and displayed on the display unit (not shown) of the administrator terminal 20 .

The security administrator confirms the screen displayed on the administrator terminal 20 (for example, the screen of FIG. 14) and selects and inputs the countermeasure to be applied to the vulnerability A. The result input here is transmitted to the selection reception unit 110 . The selection reception unit 110 receives the selection input for each category via a screen as shown in FIG. A remaining terminal in case of temporary execution is specified for each classification. Also, the prediction unit 150 predicts the number of remaining terminals at a future time when the countermeasure selected for each classification is temporarily executed for each classification. At this time, the prediction unit 150 performs prediction as shown in FIG. 15, for example. FIG. 15 is a diagram showing an example of a prediction result predicted by the prediction unit 150. As shown in FIG. Note that FIG. 15 is an example of a prediction result when the security risk is vulnerability A. In FIG. 15, the selection receiving unit 110 selects "handling (1)", "handling (2)", and "handling (3)" for the "server", and selects "handling (3)" for the "client". This is a prediction result when receiving an input indicating that "measure (1)" and "measure (2)" are selected for all of "high", "medium", and "low" priorities. The example of FIG. 15 is an example in which the predetermined number is 0, and the prediction unit 150 chronologically displays the remaining terminals until “three months later” when the total number of remaining terminals becomes 0 or less. Estimate the number of terminals. Specifically, in the example of FIG. 15, the total number of remaining terminals is 22 “after immediate execution”, 13 “next day”, and 6 “one week later”. It is predicted that there will be 2 units "one month later" and 0 units "three months later".

Then, for example, as shown in FIG. 16, the presentation unit 160 displays the number of remaining terminals for each classification, the total number of remaining terminals (“residual risk after countermeasures”), and the number of remaining terminals at future time for each classification. A screen displaying the estimated value of the number and the estimated value of the total number of remaining terminals (residual risk estimated value) is presented. FIG. 16 is a diagram showing an example of a screen presented by the presentation unit 160. As shown in FIG. Note that FIG. 16 is an example of the screen when the security risk is vulnerability A. As shown in FIG. On the screen of FIG. 16, the numbers in parentheses in the column of each countermeasure column indicate the number of managed terminals 30 that will not have the vulnerability A if the countermeasure corresponding to that column is hypothetically executed. , depending on other coping choices. For example, for "client" with "high" priority, the number written in parentheses in the column of "handling (2)" is "5" on the screen in FIG. It is "2" on the screen. This is because if only "measure (2)" is applied alone, the number of "clients" with "high" priority that eliminates vulnerability A is five. (2)”, 3 of the 5 units will have no vulnerability A due to the application of “Measure (1)”, and the remaining 2 will be affected by the application of “Measure (2)” It means that the vulnerability A disappears.

Alternatively, instead of the screen of FIG. 16, the presentation unit 160 displays a screen showing a graph in which the "predicted value of residual risk" for each classification at each future time is chronologically graphed, as shown in FIG. may be displayed. FIG. 17 is a diagram showing another example of the screen presented by the presentation unit 160. As shown in FIG. FIG. 17 is a diagram showing another example of the screen presented by the presentation unit 160. As shown in FIG. FIG. 17 is an example of the screen when the security risk is vulnerability A. In FIG. FIG. 17 also displays the number of current residual risks (managed terminals with vulnerability A remaining), but whether or not to display the current number of residual risks is not particularly limited.

16 or 17 presented by the presentation unit 160 is output to the administrator terminal 20 by the display processing unit 190 and displayed on the display unit (not shown) of the administrator terminal 20. FIG.

The definition information storage unit 196 stores definition information (for example, the definition information in FIG. 4) that defines the correspondence relationship between the type of operation information of the managed terminal 30 and countermeasures against security risks. The definition information may be distributed to the information processing device 10 from a server device (not shown), for example. The operation information identification unit 120 identifies the type of operation information using definition information stored in the definition information storage unit 196 .

[Hardware configuration]
An information processing apparatus 10 according to the second embodiment has a hardware configuration similar to that of the first embodiment. The storage 103 further stores programs for realizing the functions of the respective processing units (the information acquisition unit 170, the risk investigation unit 180, and the display processing unit 190) according to the second embodiment, and the processor 101 executes these programs , each processing unit according to the second embodiment is realized. The memory 102 and storage 103 also serve as a risk information storage unit 192 , a classification information storage unit 194 and a definition information storage unit 196 .

[Example of operation]
An operation example of the information processing apparatus 10 according to the second embodiment will be described with reference to FIG. FIG. 18 is a flow chart showing the processing flow of the information processing apparatus 10 according to the second embodiment. An operation example when the security risk is vulnerability A will be described below.

For example, the information acquisition unit 170 acquires terminal information of each managed terminal 30 in response to a screen display request from the administrator terminal 20 (S201). Then, the risk investigation unit 180 investigates the managed terminal 30 having the vulnerability A based on the obtained terminal information of each managed terminal 30, and generates risk information (S202). For example, the risk investigation unit 180 compares the acquired terminal information of each managed terminal 30 with information about vulnerability A provided by each vendor, etc., and identifies the managed terminal 30 having vulnerability A and applicable It is possible to specify countermeasures and the like. The processes of S201 and S202 may be executed in advance before receiving the screen display request from the administrator terminal 20. FIG. In this case, the following processing of S203 is executed in response to a screen display request from the administrator terminal 20. FIG.

The display processing unit 190 displays a screen (for example, the 14 screen) is generated and displayed on the display unit (not shown) of the administrator terminal 20 (S203). A security administrator who operates the administrator terminal 20 confirms the content of the displayed screen and performs an input operation to select at least one of a plurality of countermeasures. Then, the selection accepting unit 110 accepts from the administrator terminal 20 information indicating the action selected by the input operation on the administrator terminal 20 (S204). The remaining terminal specifying unit 140 specifies remaining terminals for each category based on the information indicating the handling selected by the administrator terminal 20 and the handling information for each terminal (S205). For example, the risk information storage unit 192 stores the terminal-specific countermeasure information of FIG. Suppose that an input indicating is received. In this case, the remaining terminal identification unit 140 identifies at least “terminal C” as a terminal (residual terminal) to which neither “measure (1)” nor “measure (2)” can be applied.

Next, the performance information identification unit 120 identifies the type of performance information corresponding to the action applicable to the managed terminal 30 (S206), and the performance information acquisition unit 130 obtains the type of Operation information is acquired from the managed terminal 30 (S207). For example, assume that the risk information storage unit 192 stores the terminal-specific countermeasure information shown in FIG. 3, and the definition information storage unit 196 stores the definition information shown in FIG. In this case, the operation information specifying unit 120 determines that “measure (1)” and “measure (3)” are applicable to terminal A, and that the type of operation information corresponding to “measure (1)” is "patch application history", "restart history", and "continuous operation time", and the type of operation information corresponding to "countermeasure (3)" is "port 1027 usage history"; Identify. Therefore, for terminal A, the operation information acquisition unit 130 obtains "patch application history", "reboot history", "continuous operation time", and "usage history of port 1027" from the operation information of terminal A. get.

Next, the prediction unit 150 predicts the number of remaining terminals at future time for each classification based on the operation information acquired by the operation information acquisition unit 130 (S208). For example, assume that the risk information storage unit 192 stores the terminal-specific coping information shown in FIG. 3, and the information acquisition unit 170 acquires the operation information shown in FIG. In this case, the prediction unit 150 identifies applicable measures for the managed terminals 30 other than the remaining terminals specified by the remaining terminal specifying unit 140 based on the terminal-specific measures information in FIG. Based on this, the application timing of applicable countermeasures is predicted, and the number of remaining terminals at that point in time is counted for each future time. By performing this process for each classification, a prediction result as shown in FIG. 15 is obtained.
After that, the presentation unit 160 presents the prediction result predicted by the prediction unit 150 (S209). The presentation unit 160 may present a screen reflecting the prediction results on the screen of FIG. 14 as shown in FIG. A graph screen may be presented.

As described above, according to the second embodiment, the same effects as those of the first embodiment can be obtained.

Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above. Various changes can be made to the configuration and details of the present invention within the scope of the invention that can be understood by those skilled in the art.

For example, in each of the embodiments described above, a button may be further provided on the screen for causing each terminal to be managed to take action based on the content selected on the screen. When the button is pressed, the information processing apparatus 10 generates a command for causing each terminal to take action according to the selected content, and outputs the command to each terminal.

Also, in each of the above-described embodiments, a mode of presenting the number of remaining terminals at future time has been described. However, it is also possible to provide an indication of the remaining terminals. The indicators related to remaining terminals include, for example, the ratio of the number of remaining terminals to the number of terminals with security risks, and the color corresponding to the ratio.

Further, in each of the above-described embodiments, a mode has been described in which the number of remaining terminals at future time is presented in accordance with the selection input of countermeasures against security risks. However, if, for example, the number of applicable countermeasures is small, the number of remaining terminals when all countermeasures are applied can be presented from the beginning regardless of the selection input.

Further, in each of the above-described embodiments, terminal-specific coping information generated by investigating the managed terminals in advance is read, and the number of remaining terminals at future time is presented based on the read terminal-specific coping information. I explained the mode. However, before presenting the number of remaining terminals at the future time, it is also possible to acquire terminal-specific coping information by investigating the managed terminals.

In the second embodiment described above, the terminals to be managed are first classified into servers and clients, and the clients are further classified according to their priority. However, the classification method is not limited to this, and it is also possible to simply classify into servers and clients, or to classify according to priority regardless of servers or clients. They can also be classified by other methods.

Also, in the plurality of flowcharts used in the above description, a plurality of steps (processes) are described in order, but the execution order of the steps executed in each embodiment is not limited to the order of description. In each embodiment, the order of the illustrated steps can be changed within a range that does not interfere with the content. Moreover, each of the above-described embodiments can be combined as long as the contents do not contradict each other.

Some or all of the above embodiments may also be described in the following additional remarks, but are not limited to the following.
(Appendix 1)
a selection reception unit that receives an input indicating that at least one countermeasure has been selected from a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, an operation information identification unit that identifies a type of operation information corresponding to a countermeasure applicable to the terminal;
an operation information acquisition unit that acquires the type of operation information identified by the operation information identification unit from among the operation information of the terminal;
a remaining terminal identifying unit that identifies a remaining terminal that is a terminal that remains the security risk when the countermeasure received by the selection receiving unit is applied based on the terminal-specific countermeasure information;
a prediction unit that predicts the number of remaining terminals at a future time based on the operation information acquired by the operation information acquisition unit;
a presentation unit that presents a prediction result predicted by the prediction unit;
Information processing device.
(Appendix 2)
The prediction unit
chronologically predicting the number of remaining terminals at future time;
The presentation unit
Presenting a graph that chronologically graphs the number of remaining terminals at future time;
The information processing device according to appendix 1.
(Appendix 3)
The prediction unit
chronologically predicting the number of remaining terminals until a future time when the number of remaining terminals becomes equal to or less than a predetermined number;
The information processing device according to appendix 2.
(Appendix 4)
further comprising a classification information storage unit that stores classification information for classifying the terminals;
The prediction unit
predicting the number of remaining terminals at a future time for each classification of the terminals;
The information processing apparatus according to any one of Appendices 1 to 3.
(Appendix 5)
An information processing method performed by an information processing device,
receiving input indicating that at least one countermeasure has been selected from among a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, identifying a type of operation information corresponding to a measure applicable to the terminal;
a step of acquiring the specified type of operating information among the operating information of the terminal;
a step of identifying a remaining terminal, which is a terminal where the security risk remains when the accepted countermeasure is applied, based on the terminal-specific countermeasure information;
a prediction step of predicting the number of remaining terminals at a future time based on the acquired operation information;
a presenting step of presenting the predicted prediction result;
Information processing method including.
(Appendix 6)
In the prediction step,
chronologically predicting the number of remaining terminals at future time;
In the presenting step,
Presenting a graph that chronologically graphs the number of remaining terminals at future time;
The information processing method according to appendix 5, comprising:
(Appendix 7)
In the prediction step,
7. The information processing method according to appendix 6, wherein the number of remaining terminals is predicted in time series until a future time when the number of remaining terminals becomes equal to or less than a predetermined number.
(Appendix 8)
further comprising a classification information storage unit that stores classification information for classifying the terminals;
In the prediction step,
8. The information processing method according to any one of attachments 5 to 7, wherein the number of remaining terminals at a future time is predicted for each classification of the terminals.
(Appendix 9)
to the computer,
a step of receiving input indicating that at least one countermeasure has been selected from among a plurality of countermeasures applicable to a terminal having a security risk;
using terminal-specific countermeasure information indicating a countermeasure applicable to each terminal for the security risk, and definition information defining a correspondence relationship between the type of operating information of the terminal and the countermeasure against the security risk, a procedure for identifying a type of operation information corresponding to a measure applicable to the terminal;
a procedure for acquiring the specified type of operating information among the operating information of the terminal;
a procedure for identifying a remaining terminal, which is a terminal with the remaining security risk when the accepted countermeasure is applied, based on the terminal-specific countermeasure information;
a prediction procedure for predicting the number of remaining terminals at a future time based on the acquired operation information;
a presentation procedure for presenting the predicted prediction result;
program to run the
(Appendix 10)
In the prediction procedure,
chronologically predicting the number of remaining terminals at future time;
In the presentation procedure,
Presenting a graph that chronologically graphs the number of remaining terminals at future time;
9. The program of clause 9, comprising:
(Appendix 11)
In the prediction procedure,
11. The program according to appendix 10, which chronologically predicts the number of remaining terminals until a future time when the number of remaining terminals becomes equal to or less than a predetermined number.
(Appendix 12)
to the computer;
further executing a procedure for storing classification information for classifying the terminal;
In the prediction procedure,
12. The program according to any one of appendices 9 to 11, which predicts the number of remaining terminals at a future time for each classification of the terminals.

1 information processing system 10 information processing device 101 processor 102 memory 103 storage 104 input/output interface 1041 display device 1042 input device 105 communication interface 110 selection reception unit 120 operation information identification unit 130 operation information acquisition unit 140 remaining terminal identification unit 150 prediction unit 160 Presentation unit 170 Information acquisition unit 180 Risk investigation unit 190 Display processing unit 192 Risk information storage unit 194 Classification information storage unit 196 Definition information storage unit 20 Administrator terminal 30 Managed terminal

Claims (13)

An information processing method performed by an information processing device connected to a plurality of terminals,
Acquire countermeasure information on countermeasures against vulnerabilities applicable to each terminal,
Acquiring operation information related to the handling of each of the terminals;
calculating the number of terminals to which the countermeasure has not been applied, based on the countermeasure information and the acquired operation information;
Information processing methods. calculating the number of terminals to which the countermeasure has not been applied by predicting the timing at which each terminal applies the countermeasure based on the countermeasure information and the acquired operation information;
The information processing method according to claim 1 . The operating information is a restart history,
The information processing method according to claim 1 . The operation information is a scheduled restart date and time,
The information processing method according to claim 1 . The countermeasure is application of a patch,
The information processing method according to claim 1 . the countermeasure is port blocking,
The information processing method according to claim 1 . An information processing device connected to a plurality of terminals,
a countermeasure information acquisition unit that acquires countermeasure information regarding countermeasures against vulnerabilities that can be applied to each terminal;
an operation information acquisition unit that acquires operation information related to the countermeasure of each terminal;
a calculation unit that calculates the number of terminals to which the countermeasure has not been applied, based on the countermeasure information and the acquired operation information;
Information processing device. The calculation unit calculates the number of terminals to which the countermeasure has not been applied by predicting the timing at which each terminal applies the countermeasure based on the countermeasure information and the acquired operation information.
The information processing apparatus according to claim 7 . The operating information is a restart history,
The information processing apparatus according to claim 7 . The operation information is a scheduled restart date and time,
The information processing apparatus according to claim 7 . The countermeasure is application of a patch,
The information processing apparatus according to claim 7 . the countermeasure is port blocking,
The information processing apparatus according to claim 7 . A computer connected to multiple terminals,
A procedure for obtaining countermeasure information on countermeasures against vulnerabilities applicable to each terminal;
a procedure for acquiring operation information related to the countermeasure of each terminal;
a procedure for calculating the number of terminals to which the countermeasure has not been applied, based on the countermeasure information and the acquired operation information;
program to run the

Images