RU2747476C1 - Intelligent risk and vulnerability management system for infrastructure elements - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: invention relates to a system of intelligent risk and vulnerability management of infrastructure elements. The system contains a processor; a storage device; associated with the said processor: a data collection module from sources, made with the ability to obtain information from data sources containing information about vulnerabilities of infrastructure elements (IE), including functional and logical IE, while functional IE are infrastructure assets (IA) containing terminal physical or virtual equipment providing a service, and network IE, representing devices that provide network interaction between all functional IE; logical IEs are a combination of functional IE and logical IE, including entities that interact with the network infrastructure and are selected from the group: automated systems or functional subsystems; data management module, designed to normalize data collected by the data collection module, providing the formation of a unified type of data and the formation of an attribute composition depending on the type of IE; forming an IE profile containing the IE attribute composition; IE profile enrichment module, designed to receive scan data from the data collection module to supplement the attribute composition of the generated IE profiles with information that includes: information about the possibility of network interaction between IA, based on the data of security rules (ACL), as well as translation rules (NAT) and routing defined on network IE; vulnerabilities found on IA; data on the criticality of the operation of logical IE; information about the identified risks, as well as measures to eliminate them; an analytics module designed to account for, analyze, and monitor the external perimeter of the network infrastructure; search by the attribute composition of IE profiles; analyze raw data coming from data sources; manage risks based on vulnerabilities found; search and analyze network routes between IA to determine possible ways of spreading the threat; based on the data of the enriched IE profiles, calculate the criticality of the vulnerable IA by determining the impact of vulnerabilities on the network infrastructure and its functioning; generate a list of vulnerable IE and information about the elimination of identified vulnerabilities with the calculation of the rating and registration of the risk of identified vulnerabilities; process the incoming data flow from the data management module and transfer the list of IE through the integration module to the security scanner that scans and detects IE based on the said list of IE; an integration module designed to control the mode of eliminating identified vulnerabilities, in which data about IE is transmitted to an external update management system based on the list of vulnerable IE generated by the analytics module for performing updates of vulnerable IE.

EFFECT: invention is aimed at identifying and eliminating vulnerabilities in the infrastructure elements.

16 cl, 3 dwg

Description

FIELD OF TECHNOLOGY

[0001] The present technical solution relates to the field of computer technology, in particular to information security, for which a system of intelligent management of risks and vulnerabilities of infrastructure elements is proposed.

LEVEL OF TECHNOLOGY

[0002] Currently, given the massive use of IT (information technology) in various industrial and economic spheres, the development of systems and approaches in the field of cybersecurity is one of the priority areas and requires constant improvement in view of the constant emergence of new types of cyber threats. In this regard, an important aspect of the solutions being created is the updating of information about existing types of cyber threats, as well as information about their elimination and maintaining the current level of cyber protection of the internal infrastructure.

[0003] In the banking sector, cybersecurity plays a key role, since the internal information infrastructure processes a huge amount of structured and unstructured data, which in turn requires huge resources to timely identify potentially malicious objects that can lead to the risk of a cyber threat.

[0004] As one of the examples of applied technologies for managing risks and potential vulnerabilities of the infrastructure, we can consider the solution of Skybox - Vulnerability Control (https://www.skyboxsecurity.com/products/vulnerability-control/). This solution makes it possible to comprehensively assess the potential risks of disrupting the cybersecurity of the infrastructure and monitor vulnerabilities.

[0005] Another well-known solution is an intelligent cyber threat management system (RF patent No. 2702269, 07.10.2019), which contains a modular architecture that allows you to analyze and enrich information about cyber threats to infrastructure for subsequent operational tracking and recognition of cyber threats.

[0006] The claimed solution is aimed at improving existing developments in this field of technology, providing new, expanded functionality in terms of integrated cybersecurity infrastructure management, providing timely identification of vulnerabilities, and analysis of all elements of the infrastructure to ensure network security.

SUMMARY OF THE INVENTION

[0007] The present technical solution addresses the technical problem of creating a new and effective tool for managing infrastructure risks and vulnerabilities.

[0008] The technical result is to improve the efficiency of infrastructure security management by providing a full cycle of vulnerability management and related risks, with the ability to identify and eliminate them in a timely manner.

[0009] An additional result is the enhancement of the functionality of analyzing the occurrence of risks of cyber threats, by tracking the possible paths of propagation of threats between infrastructure elements.

[0010] Another additional result is the formation of the initial data necessary to eliminate vulnerabilities, such as:

- identification information about infrastructure elements (EI);

- information about the detected vulnerability;

- information on the measures required to eliminate the detected vulnerability.

[0011] The claimed technical result is achieved by implementing the present invention, which is a system for intelligent management of risks and vulnerabilities of infrastructure elements, which includes:

- at least one processor;

- at least one memory device;

- a module for collecting data from sources, capable of obtaining information from data sources containing information about the vulnerabilities of infrastructure elements (EI), including functional and logical EI, while functional EI are infrastructure assets (AI) containing a terminal physical or virtual equipment providing a service and / or service, and network EIs, representing devices that provide network interaction between all functional EIs;

logical EI are combinations of functional EI and logical EI, including entities that interact with the network infrastructure and are selected from the group: automated systems, functional subsystems, or services;

- a data management module capable of

normalization of data collected by the data collection module, ensuring the formation of a unified data type and the formation of an attribute composition depending on the type of EI;

formation of the EI profile containing the attribute composition of the EI;

- a module for enriching EI profiles, made with the possibility of supplementing the attribute composition of an EI profile with information, including:

information about the possibility of network interaction between AI, based on these security rules (ACL), as well as translation (NAT) and routing rules defined on the network EI; found vulnerabilities on AI;

data on the criticality of the functioning of logical EI;

information about the identified risks, as well as measures to eliminate them;

- analytics module made with the ability

accounting, analysis and monitoring of the external perimeter of the network infrastructure; search by attribute composition of asset profiles; analysis of raw data coming from data sources; risk management for found vulnerabilities;

search and analysis of network routes between AIs to determine possible ways of threat propagation;

calculating the criticality of a vulnerable AI by determining the impact of vulnerabilities on the network infrastructure and its functioning.

[0012] In one particular embodiment of the system, the attribute composition of the infrastructure asset includes the category and type of infrastructure devices.

[0013] In another particular embodiment of the system, information on enriching the infrastructure asset profile for the interaction of network flows is obtained based on the obtained attributes for the infrastructure devices.

[0014] In another particular embodiment of the system, the information on enriching the asset profile for the vulnerabilities found on the assets is generated based on the results of the security scanner operation.

[0015] In another particular embodiment of the system, data for calculating the criticality of an asset or vulnerability is obtained from external systems.

[0016] In another particular embodiment of the system, the analytics module additionally provides the formation of graph models based on the received data on network flows and information about the connections of functional EI and logical EI among themselves.

[0017] In another particular embodiment of the system, threat propagation is simulated by defining the area of vulnerable infrastructure assets.

[0018] In another particular embodiment of the system, information on the interaction of network flows is additionally taken into account.

[0019] In another particular embodiment of the system, it is possible to determine the nodes of failure during network interaction and the consequences of such a failure.

[0020] In another particular embodiment of the system, the analytics module further provides scan control, which generates a list of network addresses for transmission to the security scanner.

[0021] In another particular embodiment of the system, the analytics module additionally provides management of the vulnerability remediation mode, in which infrastructure assets are identified to eliminate vulnerabilities found on them.

[0022] In another particular embodiment, the system further comprises a visualization module providing a graphical representation of the data being processed.

[0023] In another particular embodiment of the system, the rendering module provides the generation of widgets and / or reports and / or information panels.

[0024] In another particular embodiment, the system further comprises an administration module for managing access policies, directories, and settings of existing system modules.

[0025] In another particular embodiment of the system, when the enrichment module detects AIs for which there is information about vulnerabilities, said information is transmitted to an external system to receive update packages to eliminate vulnerabilities on said AIs.

[0026] In another particular embodiment of the system, the process is performed iteratively for all AIs for which vulnerabilities are detected.

BRIEF DESCRIPTION OF DRAWINGS

[0027] FIG. 1 illustrates a general view of the claimed solution.

[0028] FIG. 2 illustrates an example of an infrastructure asset profile.

[0029] FIG. 3 illustrates a general view of a computing device.

CARRYING OUT THE INVENTION

[0030] In the present description, the following terms and definitions will be used hereinafter.

[0031] Cyber threats are potential events, the action (impact) of which may disrupt the business process or the state of security of the internal information infrastructure.

[0032] External sources of data on Cyberthreats - resources and services that provide data on vulnerabilities, exploits, security updates, scan results of the external infrastructure perimeter.

[0033] Internal data sources are resources and services that provide data from internal infrastructure systems, in particular, from cybersecurity systems, IT systems.

[0034] An exploit is a computer program, piece of software code, or a sequence of commands that exploits vulnerabilities in software and is used to attack a computer system.

[0035] CVE (Common Vulnerabilities and Exposures) is a database of commonly known information security vulnerabilities. Each vulnerability is assigned a CVE-year-number identification number.

[0036] Infrastructure Elements (EI) - functional and logical EI.

[0037] Functional EI - EI including Infrastructure Assets (AI), which are terminal physical or virtual equipment providing a service / service, performing specified functions within the infrastructure, for example: virtual machines, server equipment, AWP, self-service devices (ATMs, terminals ), etc.; and also Network elements of infrastructure - intermediate devices (firewalls, balancers, routers, etc.) that provide network interaction between all functional elements of the infrastructure.

[0038] Logical EI - a group of functional elements and their logical association, for example: automated systems, functional subsystems, or services.

[0039] FIG. 1 shows a general view of the claimed solution (100), which includes a network of data transmission (120), external (110) and internal sources of information (140), a system (130) for intelligent management of risks and vulnerabilities of infrastructure elements and external security scanners.

[0040] Any known principle of network exchange, for example, Internet, Intranet, LAN, WAN, PAN, WLAN, and the like, can be used as the data transmission network (120).

[0041] System (130) can be executed on the basis of one or more computing devices, with software or firmware implementation of modules (131) - (139) of system (130). In this case, each module of the system (130) can be implemented in the form of an FPGA, SoC (system on a chip), a microcontroller, logic gates, program logic, etc. In the general case, the necessary computational logic processes in the system (130) are carried out using one or more processors (131), which process the commands transmitted over the common data bus between the modules of the system (130).

[0042] The module for collecting data from sources (133) is responsible for obtaining information about the vulnerabilities found, as well as obtaining information on the attribute composition of the EI. Module (133) receives data from external (110) and internal (140) data sources, while the collected information contains information about vulnerabilities, infrastructure assets and interactions of their network flows.

[0043] To collect data, the module (133) supports various formats: CPE (Common platform enumeration), XML, JSON, etc. The functionality of the module (133) also provides filtering of the received data and converting the received information into a single presentation format.

[0044] External sources (software) for obtaining data about infrastructure elements (external perimeter) and vulnerabilities can be:

- Systems for security analysis (security scanners - 150), such as:

MaxPatrol, Tenable, Qualys, Rapid7 Nexpose, Nmap, Acunetix, etc.

- TI / Vulnerability services such as:

TIP Sberbank, Shodan, Censys, CPT Bizone, Anomaly, RiskIQ, Kaspersky Threat Lookup, Group-IB, etc.

[0045] Internal sources (140) for obtaining data on infrastructure assets and vulnerabilities can be:

- Management and accounting systems of IT infrastructure, such as:

SCCM, uCMDB, HPSM, EMM (Enterprise Mobility Management - AirWatch), AD (Active Directory), local sensors, etc.

- Infrastructure protection and analysis systems (security scanners), as well as information security events monitoring, such as:

Security scanners MaxPatrol, Qualys, Nessus, Rapid7 Nexpose, Nmap, Acunetix, etc.

- Antivirus protection tools: Kaspersky, ESET, SEP, etc.

- Systems for storing and monitoring information security events: Qradar, ArcSight, ClickHouse, Splunk, etc.

- Management and accounting systems (management / orchestrator) network equipment:

Tufin, Cisco Security Management (FW, NGFW class systems management);

APSolute VISION (load balancing class system management);

BIG-IQ (Web Application Firewall - WAF);

IPAM / NOC (Network Configuration Accounting)

Arbor (control of Anti-DDos class systems), etc. [0046] Based on the collected information, the acquisition module (133) generates a raw (RAW) data set about EI. Further, this information is transmitted to data storage means (132), for example, ROM containing a database (1321). The stored information transmitted from the module (133) is processed by the data management module (134).

[0047] Module (134) Data Management is responsible for working with data that has been collected in the database (1321). The module (134) normalizes the data collected by the module (133), providing the formation of a unified type of data and the formation of an attribute composition depending on the type of EI. Also, the module (134) generates the basic EI profile containing the attribute composition of the EI.

[0048] The algorithms of work performed by the module (134) are responsible for converting at least the following attributes into a single form: the name of the operating system, the name of the software and its version, the name of the services / services, etc.

[0049] Formation of the basic EI profile includes the formation of an attribute composition depending on the type of EI. The same EI attribute can be collected from different systems - master system and auxiliary system. This is necessary to find and control errors in accounting systems. The EI model (AWP, server, mobile phone, printer, network device, FE, scanning, etc.) is based on a two-level model consisting of "Category: Type". For example, "Category" is a network device, "Type" is a switch, router, firewall, balancer, etc.

[0050] Each pair "Category: Type" has its own attribute composition (this means that the attributes of the AWS will differ from the attributes of the network equipment). FIG. 2 shows an example of the basic attribute composition of the AWP profile.

[0051] The module (135) enrichment of profiles allows you to enrich the base profiles of different assets with information from the attribute composition of other assets. For example: "Category" is a network device, "Type" is a firewall. This profile has its own attribute composition, in which there are attributes such as ACL (security rules for a network packet), NAT (translation rules), etc. There are EIs, which are already endpoints - AWP, server, etc. Thus, it is possible to determine the network reachability of EI A (AWP) to EI B (AWP) based on the data of firewalls, which makes it possible to form a mechanism to determine the reachability of EI. [0052] The profile enrichment module (135) provides the addition of the attribute composition of the base EI profile with the following information:

- interaction of network streams, based on the received attributes across network devices;

- found vulnerabilities on EI, based on the results of the security scanner operation, or the proprietary CVE matching algorithm for AE;

- criticality of EI or vulnerabilities from third-party systems;

- identified and / or established risks and measures to eliminate them.

[0053] The module (135) is also configured to enrich the EI for which there is information about the vulnerabilities, for which the said information is transferred to an external system to obtain update packages to eliminate the vulnerabilities on the said EI. This process is performed iteratively for all EIs for which vulnerabilities are detected.

[0054] The analytical module (136) implements analytical algorithms that analyze the accumulated information on vulnerabilities and infrastructure assets, and also performs the prioritization of their processing and elimination.

[0055] In particular, the module (136) analyzes and monitors the outer perimeter of the infrastructure. The infrastructure perimeter can be scanned in the "inventory" mode, as well as in the "search for vulnerabilities" mode. The "inventory" mode operates on data of the "address: port" type to find the corresponding EI, for example, a server, inside the infrastructure, and only then interacts with information about the discovered vulnerabilities. This is due to the fact that the vulnerability found on the perimeter (most of them) cannot be analyzed / verified without knowing at which end / intermediate node it was found.

[0056] Module (136) also provides work with unnormalized data, which allows for deeper analytics, due to the ability to search for "raw" and "unnormalized" data. The search can be performed by the attribute composition of the EI profiles, using the filtering mechanism for the required EI attributes. This function is used to quickly determine the set of EI for a given filter.

[0057] Risk management using the analytics module (136) is performed according to the found vulnerabilities of EI, for which the function of establishing and controlling risks is implemented, in which the following steps can be carried out:

предоставление возможности управления полным циклом работы с рисками как на стороне платформы, так и в сторонней системе управления инцидентами информационной безопасности;

providing the ability to manage the full cycle of working with risks both on the platform side and in a third-party information security incident management system;

выполнение привязки: ЭИ - CVE - риск, что в последствии используется, как данные для учета информации по рискам. Также данная информация позволяет избежать дублирования рисков и активов, за счет отслеживания уже используемых CVE и активов в ранее заведенных рисках;

binding: EI - CVE - risk, which is subsequently used as data for accounting information on risks. Also, this information allows you to avoid duplication of risks and assets by tracking already used CVEs and assets in previously established risks;

обеспечение контроля за выполнением SLA риска, а также нотификация о его нарушении в сторону ответственных/координирующих лиц, указанных в риске;

ensuring control over the implementation of the risk SLA, as well as notification of its violation to the responsible / coordinating persons indicated in the risk;

связывание рисков с автоматизированными системами, за счет обогащения информацией из конфигурационных элементов;

associating risks with automated systems by enriching information from configuration elements;

обеспечение вычисления уровня критичности риска за счет наличия определенных условий: наличие эксплоитов в публичном или ограниченном доступе, уровень критичности актива, возможность эксплуатации уязвимости в зависимости от сетевых потоков данных (сегменты и т.д.), количество подверженных активов и т.д.

ensuring the calculation of the level of criticality of the risk due to the presence of certain conditions: the presence of exploits in public or limited access, the level of criticality of the asset, the possibility of exploiting the vulnerability depending on network data flows (segments, etc.), the number of exposed assets, etc.

[0058] The functionality of the module (136) provides a search for possible network routes between EIs. The mentioned search for routes can be performed using information from systems that are border nodes of the network, separating different subnets, namely, information from access rules (ACL), translation rules (NAT) and routing, possible interactions of network flows are determined: asset-asset, subnet -subnet, asset-subnet, etc.

[0059] Prioritization of processing and remediation of the vulnerability is carried out using the module (136).

[0060] Prioritization of processing allows the analyst to sort the incoming CVE information stream by importance by matching the EI attributes (software, OS, etc.) with vulnerability attributes.

[0061] Vulnerability remediation prioritization is assessed in terms of EI severity, vulnerability severity, and risk rating.

[0062] Determination of the vulnerability applicability is also performed, which allows to determine the applicability of the detected vulnerability to EI assets, at least by the following attributes: OS version, OS bit, security update name, software name and version, service name and version, name driver and its version.

[0063] The analysis of EI vulnerabilities can be performed using graph models based on the received data on network flows, as a result of which it becomes possible to simulate the spread of a threat by identifying a set of vulnerable EIs, as well as information on the interaction of network flows.

[0064] The work of the analytical module (136) also makes it possible to determine the nodes of failure in network interaction and the consequences of this failure (the impact on the AS that provide business processes of the internal infrastructure). In particular, when determining the threat of failure, EIs are identified, in the event of failure of which, the associated infrastructure nodes and / or devices will also be disabled or lose their proper functionality.

[0065] The visualization module (137) provides a graphical representation of the processed data, in particular, the operational presentation of a large data set by creating "widgets", a filtering mechanism and groupings, and the like. The graphical presentation can be formed in the form of various kinds of information panels, graphs, diagrams, maps, etc. The module (137) also provides the formation of reports.

[0066] The administration module (138) provides access control to the system (130), in particular, provides:

Управление информацией о пользователях;

User information management;

Управление политиками доступа;

Access policy management;

Выдачу токенов для доступа по API;

Issuance of tokens for API access;

Управление словарями (учет подсетей периметра и принадлежность их к территориальному блоку и FW; Словарь программного обеспечения, который формируется по результатам сбора профилей активов и последующим наложением на поступающую трубу CVE).

Vocabulary management (accounting for perimeter subnets and their belonging to the territorial block and FW; Software vocabulary, which is formed based on the results of collecting asset profiles and then superimposing CVE on the incoming pipe).

[0067] The integration module (139) provides the transfer of cyber threat data in a unified format to the internal infrastructure, and provides communication with internal data sources (140).

[0068] Next, consider one of the specific examples of the claimed solution. At the first step, EI is collected to perform the scanning procedure (perimeter infrastructure, internal infrastructure). Data from internal sources (140) are collected by polling them by the data collection module (133), for example, according to a given data collection schedule. The information received from the sources (140) is the input data stream for the data management module (134), the task of which is to normalize the data and form a profile of the attribute composition of the EI depending on its type.

[0069] The analytics module (136), based on the received data stream from the data management module (134), uses the integration module (139) to transfer a list of EIs, in particular EI attributes, for example, internal network addresses and / or external network addresses / subnets, to the security scanner to perform scanning tasks.

[0070] After completing the scanning tasks, as well as receiving data from external (110) and internal (140) sources using the data acquisition module (133), the resulting data stream is transmitted to the profile enrichment module (135), which in turn enriches earlier the profile created by the module (134), detected vulnerabilities.

[0071] The mechanisms used to enrich the EI profiles that relate to the outer perimeter of the infrastructure are a special case. Namely, unlike the enrichment of the internal EI profile, the analytics module (136) is additionally activated, which in turn uses algorithms for analyzing the external perimeter of the infrastructure, which allow projecting the external address and port of the EI of the perimeter onto the address and port of the internal EI. After receiving internal EI, the enrichment module (135) supplements the previously collected profile with the found vulnerabilities. The results obtained from the security scanners are kept in the accounting part of the system and are stored in the "Scan Result" accounting object.

[0072] After enriching the EI profiles with the found vulnerabilities, the analytics module (136) calculates the criticality of the vulnerable AI by determining the impact of the vulnerabilities on the network infrastructure and its operation.

[0073] The list of vulnerable EIs is attached to the vulnerability card, which contains the descriptive part of the found vulnerability. Additionally, the vulnerability card contains security updates that fix it, if any, as well as detected exploits on the Internet. Further, from the vulnerability card, manually or automatically, an entity of the "Case" type can be created, which contains information about the vulnerability found, the scale of impact on the infrastructure (list of vulnerable EIs). The system fills in most of the fields automatically from other entities of the platform.

[0074] After filling in all the fields in the "Case" type object, the analytics module (136) calculates the risk rating. After calculating the risk rating, it is registered, taking into account the automatic filling of the fields from the Case and Vulnerability entity. The recorded risk contains a descriptive part, as well as measures that must be taken to eliminate the vulnerabilities. Risk can be registered both within the platform and in a third-party system using the integration module (139).

[0075] After the establishment of the risk, the analytics module (136), using the integration module (139), provides management of the vulnerability remediation mode, in which EIs are detected to eliminate the vulnerabilities found on them, in particular, using the list of vulnerable EIs, which are transferred to an external control system updates.

[0076] After completing the update cycles, the update management system returns a result that is re-sent to the security scanner. As a result of the scan, a result is formed that indicates the elimination or presence of a risk in one or another EI.

[0077] FIG. 3 shows an example of a general view of a computing device (200), with the help of which the functionality of the system (130) can be implemented. The device (200) can be part of a computer system such as a server, computer, cloud platform, or the like.

[0078] In the General case, the computing device (200) contains one or more processors (201) united by a common bus of information exchange, memory means such as RAM (202) and ROM (203), input / output interfaces (204), devices input / output (205), and a device for networking (206).

[0079] The processor (201) (or multiple processors, multi-core processor) can be selected from a range of devices currently widely used, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™ and etc. The processor also needs to consider a graphics processor such as an NVIDIA or ATI GPU, which may also be capable of performing the required computational functionality. In this case, the memory means can also be the available amount of memory of the graphics card or graphics processor.

[0080] RAM (202) is a random access memory and is intended for storing machine-readable instructions executed by the processor (201) for performing the necessary operations for logical data processing. RAM (202), as a rule, contains executable instructions of the operating system and corresponding software components (applications, software modules, etc.).

[0081] ROM (203) is one or more persistent storage devices, for example, hard disk drive (HDD), solid state data storage device (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0082] Various types of I / O interfaces (204) are used to organize the operation of the components of the device (200) and to organize the operation of external connected devices. The choice of the appropriate interfaces depends on the specific version of the computing device, which can be, but are not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0083] To ensure user interaction with the computing device (200), various I / O means (205) are used, for example, a keyboard, display (monitor), touch display, touch pad, joystick, mouse manipulator, light pen, stylus, touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification (retina scanner, fingerprint scanner, voice recognition module), etc.

[0084] The means of networking (206) allows the device (200) to transmit data via an internal or external computer network, for example, Intranet, Internet, LAN, etc. One or more means (206) may be used, but not limited to : Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc.

[0085] In addition, satellite navigation means can also be used as part of the device (200), for example, GPS, GLONASS, BeiDou, Galileo.

[0086] The presented application materials disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, particular examples of its implementation, not going beyond the scope of the claimed legal protection, which are obvious to specialists in the relevant field of technology.

Claims (40)

1. The system of intelligent management of risks and vulnerabilities of infrastructure elements, containing: - at least one processor; - at least one memory device; related to the mentioned processor: - module for collecting data from sources, configured to obtaining information from data sources containing information about the vulnerabilities of infrastructure elements (EI), including functional and logical EI, at the same time, functional EIs are infrastructure assets (AI) containing terminal physical or virtual equipment that provides a service, and network EIs, representing devices that provide network interaction between all functional EIs; logical EI are combinations of functional EI and logical EI, including entities that interact with the network infrastructure and are selected from the group: automated systems or functional subsystems; - a data management module capable of normalization of data collected by the data collection module, ensuring the formation of a unified data type and the formation of an attribute composition depending on the type of EI; formation of the EI profile containing the attribute composition of the EI; - module for enrichment of EI profiles, made with the ability receiving scan data from the data collection module to supplement the attribute composition of the generated EI profiles with information, including: information about the possibility of network interaction between AIs based on these security rules (ACL), as well as translation (NAT) and routing rules defined on the network EI; found vulnerabilities on AI; data on the criticality of the functioning of logical EI; information about the identified risks, as well as measures to eliminate them; - analytics module made with the ability accounting, analysis and monitoring of the external perimeter of the network infrastructure; search by attribute composition of EI profiles; analysis of raw data coming from data sources; risk management for found vulnerabilities; search and analysis of network routes between AIs to determine possible ways of threat propagation; based on the data of the enriched EI profiles, calculate the criticality of the vulnerable AI by determining the impact of vulnerabilities on the network infrastructure and its functioning; formation of a list of vulnerable EI and information on the elimination of identified vulnerabilities with the calculation of the rating and registration of the risk of the identified vulnerabilities; processing the incoming data stream from the data management module and transmitting the EI list by the integration module to the security scanner, which performs scanning and detection of EI based on the said EI list; - an integration module capable of managing the mode of elimination of identified vulnerabilities, in which data on EI is transferred to the external update management system based on the list of vulnerable EI generated by the analytics module for performing updates of the vulnerable EI. 2. The system according to claim 1, characterized in that the attribute composition of the EI includes the category and type of infrastructure devices. 3. The system according to claim 1, characterized in that the information on enriching the EI profile of the infrastructure on the interaction of network flows is obtained on the basis of the obtained attributes for the infrastructure devices. 4. The system according to claim 1, characterized in that the information on enriching the asset profile for the vulnerabilities found on EI is formed on the basis of the obtained results of the security scanner operation. 5. The system according to claim 1, characterized in that the data for calculating the criticality of EI or vulnerability are obtained from external systems. 6. The system according to claim 1, characterized in that the analytics module additionally provides the formation of graph models based on the received data on network flows and information about the connections of functional EI and logical EI among themselves. 7. The system according to claim 6, characterized by the fact that the threat propagation is simulated by identifying the area of vulnerable EI. 8. The system according to claim 7, characterized in that information on the interaction of network flows is additionally taken into account. 9. The system according to claim 6, characterized in that it provides the definition of failure nodes during network interaction and the consequences of such a failure. 10. The system according to claim 1, characterized in that the analytics module additionally provides scan control, in which a list of network addresses is generated for transmission to the security scanner. 11. The system according to claim 1, characterized in that the analytics module additionally provides management of the vulnerability elimination mode, in which infrastructure assets are identified to eliminate the vulnerabilities found on them. 12. The system according to claim 1, further comprising a visualization module providing a graphical representation of the processed data. 13. The system according to claim 12, characterized in that the visualization module provides the formation of widgets and / or reports and / or information panels. 14. The system according to claim 1, characterized in that it additionally contains an administration module that provides management of access policies, reference books, settings of existing system modules. 15. The system according to claim 1, characterized in that when the enrichment module detects AIs for which there is information about vulnerabilities, said information is transmitted to an external system to receive update packages to eliminate vulnerabilities on said AIs. 16. The system according to claim 15, characterized in that the process is performed iteratively for all AIs for which vulnerabilities are detected.

Images