WO2019146346A1 - Security system, security operation method, and overall incident management device - Google Patents

Security system, security operation method, and overall incident management device

Info

Publication number
WO2019146346A1
Authority
WO
WIPO (PCT)
Prior art keywords
incident
management device
response processing
execution
response
Application number
PCT/JP2018/047563
Other languages
French (fr)
Japanese (ja)
Inventor
中村 修
砂原 秀樹
賢郎 近藤
康広 藤井
哲郎 鬼頭
翔太 藤井
倫宏 重本
Original Assignee
株式会社日立製作所
学校法人慶應義塾
Application filed by 株式会社日立製作所 (Hitachi, Ltd.) and 学校法人慶應義塾 (Keio University)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to technology for controlling the execution of incident response processing (a "response") when an incident occurs.
  • conventionally, when a security incident occurs in a system, its occurrence is notified to an incident management device in charge of security that is installed in that system.
  • in such an incident management device, an administrator of the device, for example, carries out the processing that corresponds to the incident (incident response processing: alerting, analysis, judgment, countermeasures, and so on).
  • for example, to deal with an incident the administrator arranges to obtain log data and the like for the device where the incident occurred from another system that manages such data, sends the acquired data to a system that performs the analysis, and then carries out various further steps, such as handling the incident, based on the analysis result.
  • as a technology relating to the security of a network system, a security system for preventing unauthorized intrusion into the network system is known (see, for example, Patent Document 1).
  • the present invention has been made in view of the above circumstances, and its object is to provide technology capable of quickly executing incident response processing when an incident occurs.
  • to achieve this object, a security system according to one aspect comprises one or more incident management devices that manage security in a predetermined management target system, a general incident management device that manages the one or more incident management devices, and at least one response processing device capable of executing incident response processing, which is processing corresponding to the incident.
  • when an incident management device detects the occurrence of an incident, it notifies the general incident management device of the occurrence.
  • when the general incident management device receives the notification of the occurrence of the incident from the incident management device, it transmits a request to execute the incident response processing corresponding to the incident to the response processing device.
  • the response processing device includes a processing execution unit that executes the incident response processing.
  • FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
  • FIG. 2 is a block diagram of a general incident management device according to an embodiment.
  • FIG. 3 is a diagram illustrating an execution procedure of the incident response process according to an embodiment.
  • FIG. 4 is a diagram showing an example of process request information according to an embodiment.
  • FIG. 5 is a block diagram of an address management table according to an embodiment.
  • FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
  • FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
  • FIG. 8 is a flowchart of an incident occurrence process according to an embodiment.
  • FIG. 9 is a detailed flowchart of step S308 in the incident occurrence processing according to an embodiment.
  • FIG. 10 is a detailed flowchart of step S311 in incident occurrence processing according to an embodiment.
  • FIG. 11 is a flowchart of an incident occurrence process according to a modification.
  • information may be described by the expression “AAA table”, but the information may be expressed by any data structure. That is, the "AAA table” can be called “AAA information” to indicate that the information does not depend on the data structure.
  • processing may be described with “program” as the subject, but the program is executed by an arithmetic unit (a processor, for example, a CPU (Central Processing Unit)) to perform predetermined processing.
  • the subject of the processing may be an arithmetic unit (or a processor, an apparatus or system having the processor, or the like) that uses a storage unit (for example, memory) and/or an interface device (for example, a communication port) as appropriate.
  • the arithmetic unit may also include a dedicated hardware circuit that performs part or all of the processing.
  • the program may be installed on a device such as a computer from a program source.
  • the program source may be, for example, a program distribution server or a computer readable storage medium.
  • two or more programs may be realized as one program, or one program may be realized as two or more programs.
  • FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
  • the security system 1 includes a plurality of field systems 10 (10A, 10B, 10X).
  • the field systems 10A, 10B and 10X are connected via the network 40.
  • the network 40 is a communication path such as a LAN (Local Area Network) or a WAN (Wide Area Network).
  • the on-site system 10A (on-site system A) includes a firewall 100, a general incident management apparatus 101, a server 102, a security information event management (SIEM) 103, and a terminal 104.
  • the firewall 100 is disposed at the boundary between on-site system 10A and network 40, and controls whether communication from network 40 into on-site system 10A and communication from inside on-site system 10A to network 40 is permitted.
  • the terminal 104 executes various processes based on the user's instruction.
  • the server 102 provides the terminal 104 with various functions.
  • the server 102 also stores, for example, a log of communication by each terminal 104 and a log of processing.
  • the SIEM 103 acquires logs and the like from the server 102 and analyzes them to detect the occurrence of a security incident (also simply referred to as an incident); it outputs an alert indicating the occurrence of the incident to the general incident management apparatus 101.
  • when the general incident management device 101 receives an alert from the field system 10A to which it belongs, or receives an alert from the incident management device 105 of another field system 10, it controls the execution of the processing to be performed in response to the incident corresponding to the alert (incident response processing).
  • the field systems 10B and 10X each include a firewall 100, a server 102, a security information event management (SIEM) 103, a terminal 104, and an incident management apparatus 105 as an example of an incident processing apparatus.
  • when the incident management device 105 receives an alert from the SIEM 103 of the on-site system 10 to which it belongs, it notifies the general incident management device 101 of the type of the alert and of the procedure (execution content) for executing the incident response processing corresponding to the incident indicated by the alert. Note that the incident management device 105 may itself execute the part of the incident response processing that it is able to execute, and notify the general incident management device 101 only of the execution procedure of the processing that it cannot execute itself.
  • FIG. 2 is a block diagram of a general incident management device according to an embodiment.
  • the general incident management device 101 is configured of, for example, a PC (Personal Computer) or a server device, and includes an arithmetic device 200, a memory 201, and a storage device 202.
  • the memory 201 is an example of a capability information storage unit, an information disclosure information storage unit, and an access information storage unit.
  • the arithmetic device 200 includes, for example, one or more processors (CPUs (Central Processing Units)), and executes various processes in accordance with a program stored in the memory 201.
  • the storage device 202 is, for example, a hard disk or a flash memory, and stores a program executed by the computing device 200 and data used by the computing device 200.
  • the memory 201 is, for example, a RAM (RANDOM ACCESS MEMORY), and stores a program executed by the arithmetic device 200 and necessary information.
  • the memory 201 stores a situation analysis program 211, a response determination program 212, a response subject determination program 213, an authentication approval program 214, a response execution program 215, an address management table 216, an information disclosure contract management table 217, and a capability list table 218.
  • the situation analysis program 211 configures a functional unit by being executed by the computing device 200, and determines whether the received alert is a false alarm.
  • the response determination program 212 configures a functional unit (an example of a process determination unit) by being executed by the arithmetic device 200, and determines an incident handling process (response) to be performed on an incident indicated by an alert.
  • the response subject determination program 213 configures a functional unit (an execution device determination unit, an example of an execution availability confirmation unit) by being executed by the computing device 200, and determines the device that executes the incident response processing (in the present embodiment, for example, an incident management device 105).
  • the authentication approval program 214 configures a functional unit (an example of a process execution request unit, a transmission control unit, and a result display control unit) by being executed by the arithmetic device 200, and transmits a request to execute the incident response processing to the determined device.
  • the response execution program 215 configures a functional unit (an example of a processing execution unit) by being executed by the arithmetic device 200, and executes at least one of the incident response processes.
  • the incident management device 105 likewise includes an arithmetic device 200, a memory 201, and a storage device 202, and its memory 201 may store the response execution program 215.
  • the response execution program 215 of the incident management device 105 constitutes a functional unit (an example of a notification unit and an execution result transmission unit) when executed by the computing device 200, and, in addition to the functions of the response execution program 215 of the general incident management device 101, has a function of notifying the general incident management device 101 of the type of the alert and of the procedure for executing the incident response processing corresponding to the incident indicated by the alert.
  • FIG. 3 is a diagram illustrating an execution procedure of the incident response process according to an embodiment.
  • FIG. 3 shows the execution procedure of the incident response processing when, for example, virus infection of a terminal 104, inflow of illegal packets through the firewall 100, outflow of illegal packets through the firewall 100, and occurrence of a DoS attack are assumed as incidents. For any single incident, a subset of these execution procedures is selected and executed.
  • examples of incident response processing in the first stage, initial response, are alert content confirmation, log analysis, and PCAP (packet capture) analysis.
  • examples in the second stage, policy determination, are determination of the service suspension range and gathering of the participants.
  • examples in the third stage, primary handling, are evidence collection and service suspension.
  • examples in the fourth stage, detailed analysis, are analysis of the intrusion method, malware analysis, forensics, business impact analysis, and countermeasure planning.
  • examples in the fifth stage, root countermeasure, are restoration and updating.
  • examples in the sixth stage, reporting, are report creation and reporting inside and outside the company.
  • FIG. 4 is a diagram showing an example of process request information according to an embodiment.
  • the processing request information is information transmitted from the general incident management apparatus 101 to the incident management apparatus 105 determined as the apparatus that executes the incident response processing.
  • the processing request information stores the name of the incident response processing being requested.
  • the first processing request information shows an example of requesting analysis of the intrusion method as the incident response processing.
  • FIG. 5 is a block diagram of an address management table according to an embodiment.
  • the address management table 216 stores an entry for each incident management device 105 in the field systems known to the general incident management device 101.
  • the entry of the address management table 216 includes fields of an entry number 2161, an organization name 2162, and an address 2163 of an incident management apparatus.
  • the entry number 2161 stores the number of the entry.
  • the organization name 2162 stores the name (organization name) of the organization that is the entity that manages the field system 10 including the incident management device 105 corresponding to the entry.
  • the address 2163 of the incident management device stores the address (for example, an IP address) of the incident management device 105 corresponding to the entry.
  • FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
  • in the information disclosure contract management table 217, the organization names of the information disclosure sources are arranged along the vertical axis and the organization names of the information disclosure destinations along the horizontal axis, and each intersection stores the content of the contract regarding information disclosure between that source and that destination. For example, for disclosure from company A to company B the table indicates that partial disclosure with deletion of personal information is permitted by contract, and for disclosure from company A to organization 1 it indicates that only suspicious files may be disclosed.
  • FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
  • the capability list table 218 manages, for each organization, the incident response processing (security operations) that the system managed by that organization is capable of executing, and stores one entry per organization.
  • the entry of the capability list table 218 includes an entry number 2181, an organization name 2182, and an executable security operation 2183.
  • the entry number 2181 stores the number of the entry.
  • the organization name 2182 stores the name of the organization (organization name) corresponding to the entry.
  • Executable security operations 2183 store the security operations executable in the field system 10 (strictly, the incident management device 105) of the organization corresponding to the entry.
  • FIG. 8 is a flowchart of an incident occurrence process according to an embodiment.
  • when the SIEM 103 detects the occurrence of an incident in the on-site system 10, it transmits an alert indicating the occurrence of the incident to the incident management device 105 in that on-site system 10.
  • the incident management apparatus 105 receives this alert (step S300).
  • the incident management apparatus 105 that has received the alert executes the incident response processing corresponding to the initial response that it can execute itself (step S301).
  • the incident management device 105 then determines whether the alert indicating the occurrence of the incident has been cleared, that is, whether the incident has been resolved by the initial response processing that was executed (step S302). If the incident has been resolved (step S302: YES), no further processing is needed and the incident management device 105 ends the incident occurrence processing.
  • if the incident has not been resolved (step S302: NO), the response execution program 215 of the incident management device 105 transmits to the general incident management device 101 incident information including the type of the alert and the content of the incident response processing, corresponding to the incident indicated by the alert, that has not yet been executed (step S304).
  • the situation analysis program 211 (precisely, the computing device 200 executing the situation analysis program 211) of the general incident management device 101 analyzes the situation based on the received incident information (step S304).
  • in the situation analysis it may be analyzed whether the alert is a false alarm. The situation analysis program 211 may immediately end the processing when it determines that the alert is a false alarm.
  • the response determination program 212 of the general incident management device 101 determines the execution procedure (execution content) of the incident handling process (response) to be executed, based on the type of alert of the received incident information (step S308).
  • the response subject determination program 213 of the general incident management device 101 then transmits a notification (solicitation notification) to recruit incident management devices 105 that can actually execute the determined incident response processing (step S309). Specifically, it proceeds as follows.
  • the response subject determination program 213 refers to the capability list table 218 and identifies one or more organizations having an incident management device that is functionally capable of executing the determined incident response processing.
  • the response subject determination program 213 then refers to the information disclosure contract management table 217 and confirms, for each identified organization, whether there is an information disclosure contract between that organization and the organization that owns the on-site system of the incident management apparatus 105 at which the incident occurred that permits passing the information necessary for the determined incident response processing; it selects the organizations for which such a contract exists.
  • the response subject determination program 213 refers to the address management table 216 and acquires the addresses of the incident management apparatuses 105 of the one or more selected organizations.
  • the response subject determination program 213 transmits, to all the acquired addresses, a solicitation notification asking whether the determined incident response processing can be executed.
  • when a plurality of incident response processes is to be executed, the response subject determination program 213 performs the same processing as above for each process.
  • an incident management apparatus 105 that has received the solicitation notification and can execute the incident response processing transmits a response to that effect to the general incident management apparatus 101.
  • the response subject determination program 213 determines the incident management apparatus 105 that made the response as the incident management apparatus 105 that executes the incident response processing, and notifies the authentication approval program 214 accordingly.
  • the authentication approval program 214 that has received the notification transmits a request to execute the incident response processing to the determined incident management device 105 (step S310). If different incident management apparatuses 105 have been determined to execute a plurality of incident response processes, each incident management apparatus 105 is sent a request to execute the incident response processing assigned to it.
  • the authentication approval program 214 also arranges for the execution request destination to be able to acquire the information it needs. Specifically, when there is information necessary for the requested incident response processing, it may instruct the device or the like storing that information to transmit it to the incident management device of the execution request destination and notify the destination that the information is being sent, or it may instruct the incident management apparatus 105 of the execution request destination to obtain the information from the device or the like storing it.
  • the response execution program 215 of the incident management device 105 that has received the execution request executes the incident response processing based on the execution request (step S311).
  • the response execution program 215 transmits the execution result of the incident response processing to the general incident management device 101 (step S312).
  • the processing results of all the incident response processes determined to be executed are thus collected at the general incident management device 101.
  • the authentication approval program 214 of the general incident management apparatus 101 causes each result to be displayed on a display device (not shown).
  • details of step S308 of the incident occurrence processing will now be described.
  • FIG. 9 is a detailed flowchart of step S308 in the incident occurrence processing according to an embodiment.
  • the response determination program 212 of the general incident management device 101 instructs, based on the type of the alert in the received incident information, the incident management device 105 of the on-site system involved in collecting the evidence information of the incident to do so (step S3081).
  • the response determination program 212 of the general incident management device 101 then performs, according to the type of alert included in the incident information, at least one of: determining the necessity of analysis of the intrusion method (S3082), determining the necessity of malware analysis (S3083), determining the necessity of forensics (S3084), and determining the necessity of business impact analysis (S3085); thereafter, based on the results of steps S3082 to S3085, it determines the necessity of planning the implementation method of countermeasures (S3086). Each process determined to be necessary by these steps is incident response processing that needs to be performed.
  • details of step S311 of the incident occurrence processing will now be described.
  • FIG. 10 is a detailed flowchart of step S311 in the incident occurrence processing according to an embodiment.
  • the response execution program 215 of the incident management apparatus 105 executes, among analysis of the intrusion method (step S3111), malware analysis (step S3112), forensics (step S3113), and business impact analysis (step S3114), all the processes it received in the execution request, and thereafter executes planning of the implementation method of countermeasures (step S3115). As a result, the incident response processing for which the execution request was received is executed.
  • in the security system 1, when an incident occurs and an alert is raised in a certain on-site system 10, the incident management apparatus 105 of that on-site system 10 notifies the general incident management apparatus 101, which can distribute the necessary incident response processing to other incident management apparatuses 105. Necessary incident response processing can thereby be performed promptly and appropriately. Further, since the log data and the like needed for the incident response processing can be acquired by the incident management apparatus 105 that executes the processing without passing through the general incident management apparatus 101, the load on the general incident management apparatus 101 can be reduced.
  • the security system according to the modification differs from the security system according to the above-described embodiment in part of the functions and part of the processing when an incident occurs.
  • FIG. 11 is a flowchart of an incident occurrence process according to a modification.
  • after step S311, the response execution program 215 of the incident management apparatus 105 that executed the incident response processing determines whether another system (such as another field system) involved in the incident was detected by the analysis processing or the like included in the incident response processing (step S313). When no other system involved in the incident was detected (step S313: NO), the response execution program 215 advances the processing to step S312.
  • when another system involved in the incident was detected, the response execution program 215 (specifically, the computing device 200 that executes the response execution program 215: an example of a related system detection unit and an access information transmission unit) acquires the organization name of the detected system, the address of the device that executes incident response processing for that system (an incident management device 105 in the present embodiment), and capability information indicating the incident response processing that that incident management device 105 is capable of executing (step S314), transmits the acquired organization name, address, and capability information to the general incident management apparatus 101 (step S315), and advances the processing to step S312.
  • the response determination program 212 of the general incident management apparatus 101 (specifically, the arithmetic apparatus 200 that executes the response determination program 212: an example of an access information addition registration unit) adds a new entry including the organization name and the address to the address management table 216, and adds an entry including the organization name and the capability information to the capability list table 218. Furthermore, the response determination program 212 adds the acquired organization name to both the disclosure sources and the disclosure destinations of the information disclosure contract management table 217, and sets an information disclosure contract at each intersection of this organization with every other organization.
  • the information disclosure contract set at this point may have the minimum content. When an information disclosure contract is subsequently concluded, the content of the information disclosure contract may be changed according to its content.
  • in this way, a device capable of executing incident response processing for the newly detected system can be selected as a candidate for executing incident response processing in later processing, so that a broader range of incident response processing can be handled.
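The selection procedure of steps S308 to S310 (capability list, then disclosure contract, then address lookup and solicitation) and the dynamic registration of the modification (steps S313 to S315), as an added Python example. This is not code from the patent or its applicants; the table contents, the ordering of contract levels, the per-process disclosure requirements and the alert-type-to-process mapping are constructed assumptions made only to exercise the logic.

```python
"""Added example (not the patent applicants' code): how the general incident
management device 101 could pick execution destinations (steps S308 to S310)
and register a newly detected related system (steps S313 to S315).
Table contents, contract levels, per-process disclosure needs and the
alert-type-to-process mapping are constructed assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Disclosure(IntEnum):
    """Contract content as an ordered level; a higher level also permits the
    lower ones (assumption; FIG. 6 only names the two middle cases)."""
    NONE = 0
    SUSPICIOUS_FILES_ONLY = 1    # "only suspicious files"
    PARTIAL_PII_REDACTED = 2     # "partial disclosure with deletion of personal information"
    FULL = 3


# Minimum disclosure each process needs from the incident's owner (assumed).
PROCESS_REQUIREMENTS = {
    "malware_analysis": Disclosure.SUSPICIOUS_FILES_ONLY,
    "intrusion_method_analysis": Disclosure.PARTIAL_PII_REDACTED,
    "business_impact_analysis": Disclosure.PARTIAL_PII_REDACTED,
    "forensics": Disclosure.FULL,
}

# Alert type -> processes judged necessary in step S308 (assumed plan).
RESPONSE_PLAN = {
    "virus_infection": ["malware_analysis", "intrusion_method_analysis", "forensics"],
    "dos_attack": ["intrusion_method_analysis", "business_impact_analysis"],
}


@dataclass
class GeneralIncidentManager:
    """Tables 216 (addresses), 217 (disclosure contracts) and 218 (capabilities)."""
    addresses: dict = field(default_factory=dict)     # org -> address of its device 105
    contracts: dict = field(default_factory=dict)     # (source org, destination org) -> Disclosure
    capabilities: dict = field(default_factory=dict)  # org -> set of executable operations

    def decide_response(self, alert_type):
        """Step S308: which incident response processes are necessary."""
        return list(RESPONSE_PLAN.get(alert_type, []))

    def candidates(self, incident_org, process):
        """Step S309 filters: capability (table 218) AND a contract from the
        incident's owner to the candidate (table 217) strong enough for the
        information the process needs. Capability alone is not enough."""
        need = PROCESS_REQUIREMENTS[process]
        return sorted(
            org for org, ops in self.capabilities.items()
            if process in ops and org != incident_org
            and self.contracts.get((incident_org, org), Disclosure.NONE) >= need
        )

    def assign(self, incident_org, alert_type, responders):
        """Steps S309-S310: solicit candidates in order; responders[org](process)
        plays the device's answer. Returns process -> (org, address) or None."""
        plan = {}
        for process in self.decide_response(alert_type):
            plan[process] = None
            for org in self.candidates(incident_org, process):
                if responders.get(org, lambda p: False)(process):
                    plan[process] = (org, self.addresses[org])
                    break
        return plan

    def register_related_system(self, org, address, ops):
        """Modification, steps S314-S315: add the reported system to tables 216
        and 218 and give it the minimum contract with every other organization
        in table 217 (existing contracts are kept)."""
        self.addresses[org] = address
        self.capabilities[org] = set(ops)
        for other in self.addresses:
            if other != org:
                self.contracts.setdefault((org, other), Disclosure.SUSPICIOUS_FILES_ONLY)
                self.contracts.setdefault((other, org), Disclosure.SUSPICIOUS_FILES_ONLY)


def demo():
    """Constructed tables mirroring FIG. 5 to FIG. 7: incident at company A."""
    gim = GeneralIncidentManager(
        addresses={"company_A": "10.0.1.5", "company_B": "10.0.2.5", "org_1": "10.0.3.5"},
        contracts={("company_A", "company_B"): Disclosure.PARTIAL_PII_REDACTED,
                   ("company_A", "org_1"): Disclosure.SUSPICIOUS_FILES_ONLY},
        capabilities={"company_B": {"intrusion_method_analysis", "business_impact_analysis"},
                      "org_1": {"malware_analysis", "forensics"}},
    )
    accept_all = {org: (lambda p: True) for org in ("company_B", "org_1", "org_2")}
    return gim, gim.assign("company_A", "virus_infection", accept_all), accept_all


def demo_registration():
    """org_2 is discovered during analysis; forensics stays unassigned under the
    minimum contract and becomes assignable once a FULL contract is concluded."""
    gim, _, accept_all = demo()
    gim.register_related_system("org_2", "10.0.4.5", {"forensics", "malware_analysis"})
    before = gim.assign("company_A", "virus_infection", accept_all)
    gim.contracts[("company_A", "org_2")] = Disclosure.FULL
    after = gim.assign("company_A", "virus_infection", accept_all)
    return before, after


if __name__ == "__main__":
    print(demo()[1])
    print(demo_registration())
```

In the constructed data, organization 1 is capable of forensics but company A's contract with it only allows suspicious files to be shared, so forensics is left unassigned rather than sent to a party the contract does not cover; the newly registered org_2 is treated the same way under its minimum contract and only becomes an execution destination after the contract is upgraded, which is the behaviour the modification describes.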
  • in the above embodiment, the incident management apparatus 105 and the general incident management apparatus 101 are configured to be able to execute the incident response processing, but an apparatus that executes the incident response processing (a response processing apparatus) may, for example, be provided separately from the incident management device 105 and the general incident management device 101.
  • in the above embodiment, execution of the incident response processing is solicited and the execution request is sent to the incident management device 105 that responded to the solicitation; however, the present invention is not limited to this, and an incident management apparatus 105 may be requested to execute the incident response processing without such a solicitation.
  • in the above embodiment, when determining the request destination of the incident response processing, it is determined whether there is an information disclosure contract that permits passing the information necessary for the incident response processing; however, the present invention is not limited to this. Where the security system covers only organizations for which information disclosure poses no problem, the process of determining whether an information disclosure contract exists need not be executed, and the information disclosure contract management table needed for that processing need not be provided.
  • a part or all of the processing performed by the arithmetic device 200 may be performed by a dedicated hardware circuit.
  • the program in the above embodiment may be installed from a program source.
  • the program source may be a program distribution server or storage medium (eg, portable non-transitory storage medium).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention enables quick execution of an incident handling process when an incident has occurred. A security system 1 comprises: at least one incident management device 105 that manages security and that is capable of executing an incident handling process; and an overall incident management device 101. The incident management device 105 includes a notification unit that notifies the occurrence of an incident to the overall incident management device 101 when the occurrence of an incident has been detected. The overall incident management device 101 includes a process execution request unit that, upon receiving the notification regarding the occurrence of an incident from the incident management device 105, sends an execution request of an incident handling process corresponding to the incident to another incident management device 105. The other incident management device 105 includes a process execution unit that executes the incident handling process.

Description

Security system, security operation method, and general incident management device
The present invention relates to a technique for controlling the execution of incident response processing (a response) when an incident occurs.
Conventionally, when an incident relating to security or the like occurs within a given system, the occurrence of the incident is reported to an incident management device, installed within that system, that is responsible for security. In such an incident management device, for example, an administrator of the incident management device carries out the execution of the processing corresponding to the incident that has occurred (incident response processing: alerting, analysis, decision, countermeasures, and so on).
For example, when attempting to deal with an incident, the administrator arranges to obtain, from another system that manages log data and the like, the log data and the like of the device where the incident occurred that are needed for analysis processing, sends the obtained log data and the like to a system that performs the analysis processing so that it is executed there, and then deals with the incident based on the analysis results; various such tasks arise for the administrator.
For example, as a technique relating to the security of network systems, a security system for preventing unauthorized intrusion into a network system is known (see, for example, Patent Document 1).
International Publication No. 2016/031101
In recent years, cyber attacks have become more sophisticated and larger in scale. When an attempt is made to deal with them using the incident management device within a given system and its administrator, the handling by that incident management device and its administrator tends to become a bottleneck, making it difficult to respond promptly and appropriately to the occurrence of incidents caused by cyber attacks.
The present invention has been made in view of the above circumstances, and its object is to provide a technique capable of promptly executing incident response processing when an incident occurs.
In order to achieve the above object, a security system according to one aspect includes one or more incident management devices that manage security within a predetermined managed system, a general incident management device that supervises the one or more incident management devices, and one or more response processing devices capable of executing incident response processing, which is processing that corresponds to an incident. The incident management device includes a notification unit that, when it detects the occurrence of an incident, notifies the general incident management device of the occurrence of the incident. The general incident management device includes a processing execution request unit that, upon receiving notification of the occurrence of an incident from the incident management device, sends an execution request for the incident response processing corresponding to the incident to a response processing device. The response processing device includes a processing execution unit that executes the incident response processing.
According to the present invention, incident response processing can be executed promptly when an incident occurs.
FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
FIG. 2 is a configuration diagram of a general incident management device according to an embodiment.
FIG. 3 is a diagram showing the execution procedure of incident response processing according to an embodiment.
FIG. 4 is a diagram showing an example of processing request information according to an embodiment.
FIG. 5 is a configuration diagram of an address management table according to an embodiment.
FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
FIG. 8 is a flowchart of the incident occurrence processing according to an embodiment.
FIG. 9 is a detailed flowchart of step S308 of the incident occurrence processing according to an embodiment.
FIG. 10 is a detailed flowchart of step S311 of the incident occurrence processing according to an embodiment.
FIG. 11 is a flowchart of the incident occurrence processing according to a modification.
Embodiments will be described with reference to the drawings. Note that the embodiments described below do not limit the invention according to the claims, and not all of the elements described in the embodiments, or their combinations, are necessarily essential to the solution of the invention.
In the following description, information may be described using the expression "AAA table", but the information may be expressed in any data structure. That is, an "AAA table" may be called "AAA information" to indicate that the information does not depend on the data structure.
Also, in the following description, processing may be described with a "program" as the subject. However, since a program is executed by an arithmetic device (a processor, for example a CPU (Central Processing Unit)) and thereby performs defined processing while using, as appropriate, a storage unit (for example, memory) and/or an interface device (for example, a communication port), the subject of the processing may instead be taken to be the arithmetic device (or the processor, or a device or system having that processor). The arithmetic device may also include a dedicated hardware circuit that performs part or all of the processing. A program may be installed on a device such as a computer from a program source. The program source may be, for example, a program distribution server or a computer-readable storage medium. Furthermore, in the following description, two or more programs may be realized as one program, or one program may be realized as two or more programs.
First, an embodiment will be described.
FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
The security system 1 includes a plurality of field systems 10 (10A, 10B, 10X). The field systems 10A, 10B, and 10X are connected via a network 40. The network 40 is a communication path such as a LAN (Local Area Network) or a WAN (Wide Area Network).
The field system 10A (field system A) includes a firewall 100, a general incident management device 101, a server 102, a SIEM (Security Information Event Management) 103, and a terminal 104.
The firewall 100 is placed at the outermost edge of field system A on the network 40 side, and controls whether communication from the network 40 into the field system 10A is permitted and whether communication from within the field system 10A to the network 40 is permitted.
The terminal 104 executes various processing based on user instructions. The server 102 provides various functions to the terminal 104. The server 102 also stores, for example, logs of communication by each terminal 104 and logs of processing. The SIEM 103 obtains the logs and the like from the server 102 and analyzes them to detect the occurrence of a security-related incident (security incident; also simply referred to as an incident), and outputs an alert indicating the occurrence of the incident to the general incident management device 101.
When the general incident management device 101 receives an alert from the field system 10A to which it belongs, or receives an alert from the incident management device 105 of another field system 10, it centrally controls the execution of the processing corresponding to the incident indicated by the alert (incident response processing).
The field systems 10B and 10X each include a firewall 100, a server 102, a SIEM (Security Information Event Management) 103, a terminal 104, and an incident management device 105 as an example of an incident processing device. Components that are the same as in the field system 10A are given the same reference numerals.
When the incident management device 105 receives an alert from the SIEM 103 of the field system 10 to which it belongs, it notifies the general incident management device 101 of the type of the alert and of the execution procedure (execution content) of the incident response processing corresponding to the incident indicated by the alert. Note that the incident management device 105 may itself execute those parts of the incident response processing that it is able to execute, and notify the general incident management device 101 only of the execution procedure for the processing that it cannot execute itself.
Next, the general incident management device 101 and the incident management device 105 will be described.
FIG. 2 is a configuration diagram of a general incident management device according to an embodiment.
The general incident management device 101 is constituted by, for example, a PC (Personal Computer) or a server device, and includes an arithmetic device 200, a memory 201, and a storage device 202. The memory 201 is an example of a capability information storage unit, an information disclosure information storage unit, and an access information storage unit.
The arithmetic device 200 includes, for example, one or more processors (CPUs (Central Processing Units)), and executes various processing in accordance with the programs stored in the memory 201.
The storage device 202 is, for example, a hard disk or flash memory, and stores the programs executed by the arithmetic device 200 and the data used by the arithmetic device 200.
The memory 201 is, for example, a RAM (Random Access Memory), and stores the programs executed by the arithmetic device 200 and the necessary information. In the present embodiment, the memory 201 stores a situation analysis program 211, a response determination program 212, a response subject determination program 213, an authentication and authorization program 214, a response execution program 215, an address management table 216, an information disclosure contract management table 217, and a capability list table 218.
The situation analysis program 211, when executed by the arithmetic device 200, constitutes a functional unit that determines whether a received alert is a false alarm. The response determination program 212, when executed by the arithmetic device 200, constitutes a functional unit (an example of a processing determination unit) that determines the incident response processing (response) to be executed for the incident indicated by the alert.
The response subject determination program 213, when executed by the arithmetic device 200, constitutes a functional unit (an example of an execution device determination unit and of an executability confirmation unit) that determines the device (in the present embodiment, for example, an incident management device) that will execute the incident response processing. The authentication and authorization program 214, when executed by the arithmetic device 200, constitutes a functional unit (an example of a processing execution request unit, a transmission control unit, and a result display control unit) that sends an execution request for the incident response processing to the determined device. The response execution program 215, when executed by the arithmetic device 200, constitutes a functional unit (an example of a processing execution unit) that executes at least one of the incident response processes.
Like the general incident management device 101, the incident management device 105 includes an arithmetic device 200, a memory 201, and a storage device 202. It suffices for its memory 201 to store the response execution program 215. Note that the response execution program 215 of the incident management device 105, when executed by the arithmetic device 200, constitutes a functional unit (an example of a notification unit and of an execution result transmission unit), and in addition to the functions of the response execution program 215 in the general incident management device 101, it has the function of notifying the general incident management device 101 of the type of the alert and of the execution procedure (execution content) of the incident response processing corresponding to the incident indicated by the alert when it receives an alert from the SIEM 103 of the field system 10 to which it belongs.
Next, the incident response processing and its execution procedure will be described.
FIG. 3 is a diagram showing the execution procedure of incident response processing according to an embodiment. FIG. 3 shows the execution procedure of the incident response processing when, for example, a virus infection of a terminal 104, an inflow of illegal packets at the firewall 100, an outflow of illegal packets at the firewall 100, and the occurrence of a DoS attack are assumed as incidents. In the case of any single one of these incidents, a subset of these execution steps is selected and executed.
The incident response processing in the first stage, initial response, includes, for example, alert content confirmation, log analysis, and PCAP (Packet Capture) analysis. The incident response processing in the second stage, policy determination, includes, for example, determination of the service suspension scope and convening of the parties concerned. The incident response processing in the third stage, primary handling, includes, for example, evidence collection and service suspension. The incident response processing in the fourth stage, detailed analysis, includes, for example, analysis of the intrusion method, malware analysis, forensics, business impact analysis, and countermeasure planning. The incident response processing in the fifth stage, root-cause countermeasures, includes, for example, recovery and updating. The incident response processing in the sixth stage, reporting, includes, for example, report creation and reporting inside and outside the company.
Next, the processing request information will be described.
FIG. 4 is a diagram showing an example of processing request information according to an embodiment.
The processing request information is information sent from the general incident management device 101 to the incident management device 105 that has been determined as the device to execute the incident response processing. The processing request information stores the name of the incident response processing being requested. For example, the first item of processing request information shows an example of requesting analysis of the intrusion method as the incident response processing.
Next, the address management table 216 will be described in detail.
FIG. 5 is a configuration diagram of an address management table according to an embodiment.
The address management table 216 stores an entry for each known incident management device of a field system. An entry of the address management table 216 includes the fields entry number 2161, organization name 2162, and incident management device address 2163.
The entry number 2161 stores the number of the entry. The organization name 2162 stores the name of the organization (organization name) that manages the field system 10 containing the incident management device 105 corresponding to the entry. The incident management device address 2163 stores the address (for example, the IP address) of the incident management device 105 corresponding to the entry.
Next, the information disclosure contract management table 217 will be described in detail.
FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
In the information disclosure contract management table 217, the organization names of the information disclosure sources are arranged along the vertical axis and the organization names of the information disclosure destinations along the horizontal axis, and each intersection stores the content of the contract concerning information disclosure between the corresponding disclosure source and disclosure destination. For example, for disclosure from company A to company B, the table indicates that the contract permits partial disclosure with personal information removed, and for disclosure from company A to organization 1, it indicates that the contract permits disclosure of suspicious files only.
Next, the capability list table 218 will be described in detail.
FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
The capability list table 218 is a table that manages the incident response processing (corresponding to security operations) that each organization has the capability to execute in the system it manages, and stores an entry for each organization. An entry of the capability list table 218 includes an entry number 2181, an organization name 2182, and executable security operations 2183.
The entry number 2181 stores the number of the entry. The organization name 2182 stores the name of the organization (organization name) corresponding to the entry. The executable security operations 2183 store the security operations that the field system 10 (strictly, the incident management device 105) of the organization corresponding to the entry is capable of executing.
Next, the operation of the security system 1 will be described.
FIG. 8 is a flowchart of the incident occurrence processing according to an embodiment.
When the SIEM 103 in a field system 10 detects the occurrence of an incident, it sends an alert indicating the occurrence of the incident to the incident management device 105 in that field system 10. When the incident management device 105 receives this alert (step S300), it executes those incident response processes of the initial response that it is able to execute itself (step S301).
The incident management device 105 determines whether the alert indicating the occurrence of the incident has been cleared by the initial-response incident response processing it executed, that is, whether the incident has been resolved (step S302). If the incident has been resolved (step S302: YES), no further processing is needed, so the incident management device 105 ends the incident occurrence processing.
On the other hand, if the incident has not been resolved (step S302: NO), the response execution program 215 of the incident management device 105 sends incident information to the general incident management device 101, containing the type of the alert and the content of those incident response processes corresponding to the incident indicated by the alert that have not yet been executed (step S304).
The situation analysis program 211 of the general incident management device 101 (more precisely, the arithmetic device 200 executing the situation analysis program 211) performs situation analysis based on the received incident information (step S304). Here, the situation analysis may analyze whether the alert is a false alarm. If the alert is determined to be a false alarm, the situation analysis program 211 may end the processing immediately.
Next, the response determination program 212 of the general incident management device 101 determines, based on the type of the alert in the received incident information, the execution procedure (execution content) of the incident response processing (response) to be executed (step S308).
Next, the response subject determination program 213 of the general incident management device 101 sends a notification soliciting incident management devices 105 that can actually execute the determined incident response processing (a solicitation notification) (step S309).
Specifically, the response subject determination program 213 first refers to the capability list table 218 and identifies one or more organizations having an incident management device that is capable of executing the determined incident response processing. Next, the response subject determination program 213 refers to the information disclosure contract management table 217 to check whether an information disclosure contract exists, between each identified organization and the organization that owns the field system to which the incident management device 105 that raised the incident belongs, that permits the exchange of the information needed for the determined incident response processing, and selects, from among the identified organizations, one or more organizations for which such an information disclosure contract exists. Next, the response subject determination program 213 refers to the address management table 216 and obtains the addresses of the incident management devices 105 of the one or more selected organizations. Next, the response subject determination program 213 sends a solicitation notification to all of the obtained addresses, asking whether execution of the determined incident response processing is possible. When a plurality of incident response processes have been determined, the response subject determination program 213 performs the same processing as above for each of them.
An incident management device 105 that receives the solicitation notification sends a response to that effect to the general incident management device 101 if it is able to execute the incident response processing.
When the response subject determination program 213 receives a response to the solicitation notification, it determines the incident management device 105 that responded as the incident management device 105 that will execute the incident response processing, and notifies the authentication and authorization program 214 accordingly. Upon receiving this notification, the authentication and authorization program 214 sends an execution request for the incident response processing to the determined incident management device 105 (step S310). When it has been determined that a plurality of incident response processes are to be executed by different incident management devices 105, an execution request for the incident response processing assigned to each incident management device 105 is sent to that device.
In addition, when there is information (such as log data) needed for the incident response processing that has been requested, the authentication and authorization program 214 also makes a request so that the information can be obtained at the execution request destination. Specifically, when there is information needed for the requested incident response processing, it may instruct the device or the like that stores the needed information to send it to the incident management device at the execution request destination, and at the same time notify the execution request destination that the needed information will be sent; alternatively, it may instruct the incident management device 105 at the execution request destination to obtain the information from the device or the like that stores it. In this way, the information needed by the execution request destination can be obtained by the incident management device 105 at the execution request destination without passing through the general incident management device 101, and the load on the general incident management device 101 can be reduced.
 The response execution program 215 of the incident management device 105 that received the execution request executes the incident response process as requested (step S311) and then sends the execution result to the central incident management device 101 (step S312). The central incident management device 101 thus collects the results of every incident response process that was decided to be executed, and its authentication and authorization program 214 presents each result, for example on a display device (not shown).
 Step S308 of the incident-occurrence process is now described in detail.
 FIG. 9 is a detailed flowchart of step S308 of the incident-occurrence process according to one embodiment.
 Based on the alert type in the received incident information, the response determination program 212 of the central incident management device 101 instructs the incident management device 105 of the site system involved to collect evidence of the incident (step S3081).
 Next, depending on the alert type contained in the incident information, the response determination program 212 performs at least one of the following: deciding whether intrusion-method analysis is needed (S3082), whether malware analysis is needed (S3083), whether forensics is needed (S3084) and whether business-impact analysis is needed (S3085). It then decides, from the results of steps S3082 to S3085, whether a countermeasure implementation plan is needed (S3086). Each process judged necessary in these steps is an incident response process that must be executed.
 Step S311 of the incident-occurrence process is now described in detail.
 FIG. 10 is a detailed flowchart of step S311 of the incident-occurrence process according to one embodiment.
 The response execution program 215 of the incident management device 105 that received the execution request performs whichever of intrusion-method analysis (step S3111), malware analysis (step S3112), forensics (step S3113) and business-impact analysis (step S3114) were requested, and then drafts the countermeasure implementation plan (step S3115). The requested incident response process is thereby executed.
 As described above, in the security system 1 of this embodiment, when an incident occurs in a site system 10 and an alert is raised, the incident management device 105 of that site system 10 notifies the central incident management device 101, which can distribute the required incident response processes to other incident management devices 105. The required processes can therefore be executed promptly and by a suitable device. In addition, the log data and other inputs a process needs can be obtained by the incident management device 105 executing it without passing through the central incident management device 101, which reduces the load on the central device.
 A security system according to a modification is now described.
 The security system of the modification differs from that of the embodiment above in some of its functions and in part of the incident-occurrence process.
 FIG. 11 is a flowchart of the incident-occurrence process according to the modification. Steps identical to those of the embodiment carry the same reference signs; the description here focuses on the differences.
 After executing the incident response process in step S311, the response execution program 215 of the incident management device 105 determines whether the analysis included in that process has detected another system (such as another site system) involved in the incident (step S313). If no such system has been detected (step S313: NO), the response execution program 215 proceeds to step S312.
 If another system involved in the incident has been detected (step S313: YES), the response execution program 215 (more precisely, the processor 200 executing it, which here serves as an example of the related-system detection unit and the access information transmission unit) obtains the organization name of the detected system and the address of the device that executes incident response processes for it (in this embodiment an incident management device 105), together with capability information indicating which incident response processes that incident management device 105 is able to execute (step S314). It sends the organization name, address and capability information to the central incident management device 101 (step S315) and proceeds to step S312.
 When the central incident management device 101 receives the other system's organization name, address and capability information sent in step S315, the response determination program 212 (more precisely, the processor 200 executing it, which here serves as an example of the access information additional registration unit) adds a new entry containing the organization name and address to the address management table 216 and an entry containing the organization name and capability information to the capability list table 218. The response determination program 212 also adds the organization name to both the disclosing-party and receiving-party axes of the information disclosure contract management table 217 and sets an information disclosure contract at each intersection of the new organization with every other organization. At this point the contract may be a minimal one; once an actual information disclosure contract is concluded with the organization, the entry is updated to reflect its terms.
 With this modification, a device able to execute incident response processes for a newly detected system becomes a candidate for executing incident response processes in later handling, so a wider range of incident response work can be covered.
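The flow from S308 through S312, and the registration of a newly reported system in S313 to S315, can be followed end to end in a small simulation. The following is an added example and not the patent's code: the three tables are dictionaries, the alert-to-process rules standing in for S3082 to S3085 and the data each analysis needs are constructed, and the candidate filter also lets the alerting site keep any process it can run itself, as claim 6 allows. Organization names, addresses and capabilities are invented for the demonstration.

```python
"""Orchestration of incident response across sites: decide the processes an alert needs
(S308), filter executors by capability and disclosure contract, solicit and dispatch
(S309-S310), collect results (S312) and register a related system an executor reports
(S313-S315).  Added example; tables, rules and data needs are constructed."""

# Data classes each analysis must receive from the alerting site (constructed)
DATA_NEEDS = {
    "intrusion_analysis": {"network_logs"},
    "malware_analysis": {"samples"},
    "forensics": {"network_logs", "disk_images"},
    "business_impact": {"asset_inventory"},
}
# Analyses an alert type requires, standing in for S3082-S3085 (constructed rules)
ALERT_RULES = {
    "malware_detected": {"malware_analysis", "forensics"},
    "unauthorized_access": {"intrusion_analysis", "forensics", "business_impact"},
}
MINIMAL_CONTRACT = {"alerts"}   # default terms for a newly registered org (assumption)


class SiteIncidentManager:
    """One incident management device 105; 'discovers' is what its analysis would report."""
    def __init__(self, org, caps, busy=False, discovers=()):
        self.org, self.caps, self.busy = org, set(caps), busy
        self.discovers = list(discovers)

    def accept(self, process):                   # reply to the solicitation notice (S309)
        return process in self.caps and not self.busy

    def execute(self, incident_id, processes):   # S311: requested analyses, then the plan
        done = sorted(p for p in processes if p in self.caps)
        return {"executor": self.org, "incident": incident_id, "completed": done,
                "countermeasure_plan": f"{self.org}: plan drafted from {', '.join(done)}",
                "related_systems": self.discovers}


class CentralIncidentManager:
    def __init__(self):
        self.address = {}       # org -> address                     (address management table 216)
        self.capability = {}    # org -> executable processes        (capability list table 218)
        self.contract = {}      # (from_org, to_org) -> data classes (disclosure contract table 217)
        self.devices = {}       # org -> SiteIncidentManager, standing in for the network

    def register(self, device, address, contract=None):
        """A new org gets an address, its capabilities and a contract entry against every other org."""
        org = device.org
        for other in self.address:
            self.contract.setdefault((org, other), set(contract or MINIMAL_CONTRACT))
            self.contract.setdefault((other, org), set(contract or MINIMAL_CONTRACT))
        self.address[org], self.capability[org], self.devices[org] = address, set(device.caps), device

    def set_contract(self, from_org, to_org, data_classes):
        self.contract[(from_org, to_org)] = set(data_classes)

    def decide_processes(self, alert_type):      # S308 / FIG. 9
        return set(ALERT_RULES.get(alert_type, {"intrusion_analysis"}))

    def candidates(self, src_org, process):
        """Capable orgs whose contract with the alerting org covers the data the process needs;
        the alerting org itself needs no contract to work on its own data (claim 6)."""
        return [org for org, caps in self.capability.items()
                if process in caps and (org == src_org or
                    DATA_NEEDS[process] <= self.contract.get((src_org, org), set()))]

    def handle_alert(self, incident_id, src_org, alert_type):
        assignments, unassigned = {}, []
        for process in sorted(self.decide_processes(alert_type)):
            chosen = next((o for o in self.candidates(src_org, process)
                           if self.devices[o].accept(process)), None)       # S309
            if chosen is None:
                unassigned.append(process)            # nobody both eligible and willing
            else:
                assignments.setdefault(chosen, set()).add(process)          # S310
        results = [self.devices[o].execute(incident_id, ps) for o, ps in assignments.items()]
        for result in results:                        # modification: S313-S315
            for info in result["related_systems"]:
                if info["org"] not in self.address:
                    self.register(SiteIncidentManager(info["org"], info["caps"]), info["address"])
        return {"incident": incident_id,
                "assignments": {o: sorted(ps) for o, ps in assignments.items()},
                "unassigned": unassigned, "results": results}


def demo():
    central = CentralIncidentManager()
    central.register(SiteIncidentManager("org-A", ["intrusion_analysis"]), "10.0.1.5")
    central.register(SiteIncidentManager("org-B", ["forensics", "malware_analysis"], discovers=[
        {"org": "org-X", "address": "10.0.9.5", "caps": ["business_impact"]}]), "10.0.2.5")
    central.register(SiteIncidentManager("org-C", ["forensics", "business_impact"], busy=True), "10.0.3.5")
    central.set_contract("org-A", "org-B", ["network_logs", "disk_images", "samples"])
    central.set_contract("org-A", "org-C", ["network_logs"])   # C may not receive disk images or inventory
    first = central.handle_alert("INC-1", "org-A", "unauthorized_access")
    # org-X was reported by org-B and registered with the minimal contract; it can take the
    # business-impact analysis only once a contract covering the asset inventory is recorded
    central.set_contract("org-A", "org-X", ["asset_inventory"])
    second = central.handle_alert("INC-2", "org-A", "unauthorized_access")
    return central, first, second
```

In the first run the business-impact analysis goes unassigned: org-C has the capability but no contract covering the asset inventory, and org-X is not yet known. After org-B reports org-X it is registered, but with only the minimal contract, so it still cannot receive that data; it becomes an eligible executor only after a contract is recorded. That is the practical meaning of "candidate" in the modification: being listed in the tables, not being trusted with data.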
 The invention is not limited to the embodiment described above and may be modified as appropriate without departing from its spirit.
 For example, in the embodiment above the incident management devices 105 and the central incident management device 101 are themselves able to execute incident response processes, but a separate device that executes them (a response processing device) may instead be provided apart from the incident management devices 105 and the central incident management device 101.
 Also, in the embodiment above, execution of an incident response process is solicited and the execution request is sent to the incident management device 105 that replied to the solicitation; the execution request may instead be sent to an incident management device 105 without a solicitation step.
 Also, in the embodiment above, when deciding where to request an incident response process, the system checks whether an information disclosure contract exists that permits the information the process needs to be passed on. The invention is not limited to this: where the security system covers only organizations for which information disclosure poses no problem, the contract check may be omitted, and the information disclosure contract management table it relies on need not be provided.
 Some or all of the processing performed by the processor 200 in the embodiment above may instead be performed by dedicated hardware circuits. The programs of the embodiment may be installed from a program source, which may be a program distribution server or a storage medium (for example a portable non-transitory storage medium).
 Reference signs: 1 security system; 10, 10A, 10B, 10X site systems; 101 central incident management device; 105 incident management device; 200 processor; 201 memory; 211 situation analysis program; 212 response determination program; 213 response-executor determination program; 214 authentication and authorization program; 215 response execution program; 216 address management table; 217 information disclosure contract management table; 218 capability list table.

Claims (15)

  1.  A security system comprising one or more incident management devices that manage security within a given managed system, a central incident management device that supervises the one or more incident management devices, and one or more response processing devices capable of executing incident response processes, an incident response process being a process that responds to an incident, wherein
     the incident management device comprises a notification unit that, on detecting the occurrence of an incident, notifies the central incident management device of the occurrence;
     the central incident management device comprises a process execution request unit that, on being notified by the incident management device of the occurrence of an incident, sends an execution request for the incident response process corresponding to the incident to the response processing device; and
     the response processing device comprises a process execution unit that executes the incident response process.
  2.  The security system according to claim 1, wherein the central incident management device further comprises
     a process determination unit that determines the incident response process to be executed for the incident that has occurred, and
     an execution device determination unit that determines the response processing device that is to execute the determined incident response process,
     and wherein the process execution request unit sends the determined response processing device a process request to execute the incident response process.
  3.  The security system according to claim 2, wherein the central incident management device further comprises
     a capability information storage unit that stores capability information indicating the incident response processes each response processing device is able to execute,
     and wherein the execution device determination unit determines, based on the capability information, the response processing device that is to execute the incident response process corresponding to the incident.
  4.  The security system according to claim 3, wherein the central incident management device further comprises
     an information disclosure information storage unit that stores information disclosure information, namely the terms agreed on information disclosure between the entity owning the incident management device and the entity owning the response processing device,
     and wherein the execution device determination unit determines the response processing device that is to execute the incident response process based on the information disclosure information in the information disclosure information storage unit.
  5.  The security system according to any one of claims 2 to 4, wherein the central incident management device further comprises
     an execution availability confirmation unit that asks the response processing devices able to execute the determined incident response process whether they can execute it,
     and wherein the execution device determination unit selects a response processing device that can execute the incident response process as the response processing device that is to execute it.
  6.  The security system according to any one of claims 1 to 5, wherein the incident management device further comprises
     a process execution unit capable of executing at least part of the incident response processes,
     the process execution unit executes those of the incident response processes to be executed for the incident that it is able to execute, and
     the process execution request unit of the central incident management device
     sends the response processing device an execution request for those of the incident response processes that the incident management device is unable to execute.
  7.  The security system according to any one of claims 1 to 6, wherein the response processing device further comprises
     an execution result transmission unit that sends the execution result of the incident response process to the central incident management device.
  8.  The security system according to claim 7, wherein the central incident management device further comprises
     a result display control unit that displays an overall execution result for the incident based on the execution results received from all the response processing devices to which the execution request was sent.
  9.  The security system according to any one of claims 1 to 8, wherein the central incident management device further comprises
     a transmission control unit that causes the data needed by the requested incident response process to be sent from the device managing that data to the response processing device that received the execution request, without passing through the central incident management device.
  10.  The security system according to any one of claims 1 to 9, wherein the central incident management device further comprises
     an access information storage unit that stores access information for accessing the response processing devices;
     at least one of the response processing devices further comprises
     a related system detection unit capable of detecting, by executing the incident response process, a response processing device of another system related to the incident, and
     an access information transmission unit that sends the central incident management device access information for accessing the detected response processing device of the other system; and
     the central incident management device further comprises
     an access information additional registration unit that registers the sent access information in the access information storage unit.
  11.  A security operation method performed by a security system comprising one or more incident management devices that manage security within a given managed system, a central incident management device that supervises the one or more incident management devices, and one or more response processing devices capable of executing incident response processes, an incident response process being a process that responds to an incident, the method comprising:
     the incident management device, on detecting the occurrence of an incident, notifying the central incident management device of the occurrence;
     the central incident management device, on being notified by the incident management device of the occurrence of an incident, sending an execution request for the incident response process corresponding to the incident to the response processing device; and
     the response processing device, on receiving the execution request for the incident response process, executing the incident response process.
  12.  The security operation method according to claim 11, wherein the central incident management device
     determines the incident response process to be executed for the incident that has occurred,
     determines the response processing device that is to execute the determined incident response process, and
     sends the determined response processing device a process request to execute the incident response process.
  13.  The security operation method according to claim 11 or 12, wherein the central incident management device
     causes the data needed by the requested incident response process to be sent from the device managing that data to the response processing device that received the execution request, without passing through the central incident management device.
  14.  The security operation method according to any one of claims 11 to 13, wherein at least one of the response processing devices
     detects, by executing the incident response process, a response processing device of another system related to the incident, and
     sends the central incident management device access information for accessing the detected response processing device of the other system; and
     the central incident management device
     stores the sent access information in an access information storage unit that stores access information for accessing the response processing devices.
  15.  A central incident management device that manages the execution of incident response processes, an incident response process being a process that responds to an incident, the device comprising:
     a process determination unit that, on being notified of the occurrence of an incident, determines the incident response process to be executed for the incident that has occurred;
     an execution device determination unit that determines the response processing device that is to execute the determined incident response process; and
     a process execution request unit that sends the response processing device an execution request for the incident response process corresponding to the incident.
PCT/JP2018/047563 2018-01-29 2018-12-25 Security system, security operation method, and overall incident management device WO2019146346A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-012789 2018-01-29
JP2018012789A JP7012958B2 (en) 2018-01-29 2018-01-29 Security system, security operation method, and centralized incident management device

Publications (1)

Publication Number Publication Date
WO2019146346A1 true WO2019146346A1 (en) 2019-08-01

Family

ID=67395849

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/047563 WO2019146346A1 (en) 2018-01-29 2018-12-25 Security system, security operation method, and overall incident management device

Country Status (2)

Country Link
JP (1) JP7012958B2 (en)
WO (1) WO2019146346A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002251374A (en) * 2000-12-20 2002-09-06 Fujitsu Ltd System and method for managing information, program for permitting computer to execute method, and computer readable recording medium recording the program

Also Published As

Publication number Publication date
JP2019133258A (en) 2019-08-08
JP7012958B2 (en) 2022-01-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18901826; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18901826; Country of ref document: EP; Kind code of ref document: A1)