JP2006295232A - Security monitoring device, security monitoring method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect a security incident at an early stage and take countermeasures at an early stage.
SOLUTION: A firewall 10 constructed between a security monitoring target system and an external network, a log collection server 20 that collects a communication log from the firewall 10, and a log analysis that occurs in the security monitoring target system An analysis server 30 that detects a security incident, a database 40 that stores event occurrence information related to the occurrence of a security incident, a mail server 50 that transmits an e-mail informing the detection of a security incident to a predetermined destination, and an e-mail And a Web server 70 that retrieves the event occurrence information from the database 40 and transmits the event occurrence information to the customer terminal 60.
[Selection] Figure 1

Description

  The present invention relates to a security monitoring apparatus and the like for monitoring whether or not a security problem has occurred in a computer system subject to security monitoring.

With the explosive spread of the Internet in recent years, threats existing on the network cannot be ignored. For example, a worm that infects other computers via a network and performs destructive activities, or a backdoor that is set as a route for the next intrusion when entering another computer. To date, companies and organizations have been defending themselves by building firewalls. A firewall allows packets communicated between a company or organization system and an external network to pass or be discarded based on certain rules. If a firewall is constructed, it will be possible to protect corporate and organizational systems from external networks.
However, there are many cases where the subsequent operation is not performed just by building a file wall. This is thought to be due to the shortage of personnel with advanced expertise in security measures and the circumstances of each company, etc. that do not have enough time for security measures.

  In view of such circumstances, it has been proposed to provide security measures as a service for users who do not have advanced expertise (see, for example, Patent Document 1). In the invention of Patent Document 1, warning information indicating that an illegal packet has been detected by a firewall is transmitted to a user terminal as a warning mail, and statistical information regarding such an unauthorized access tendency and pattern is transmitted, for example, as a report mail every month. That's it.

JP-A-2004-348292 (page 6-7, FIG. 6)

However, in the invention of Patent Document 1, although warning information is immediately notified, detailed information is provided in the form of a monthly report, for example. Therefore, the user cannot obtain detailed information on unauthorized access in real time, and there is a problem that countermeasures are delayed and damage may be expanded.
Further, the invention of Patent Document 1 merely detects illegal packets passing through a firewall, that is, detects an attack. In recent years, worms and the like have become more and more sophisticated, and it is difficult to detect such attacks, and there are cases where damage is spreading without realizing it. In such a case, there was a problem that the invention of Patent Document 1 cannot cope with it.

The present invention has been made to solve the above technical problems, and its purpose is to detect security incidents (events that cause security problems) at an early stage and to take countermeasures at an early stage. There is to be able to do it.
Another object of the present invention is to prevent the spread of damage due to a security incident.

  For this purpose, according to the present invention, security incident detection reports to advice (providing countermeasures, etc.) are performed in real time. That is, the security monitoring apparatus of the present invention analyzes log collected by a log collecting means for collecting communication logs passing through a firewall established between the security monitoring target system and the network, and the log collected by the log collecting means. Analysis means for detecting an event that causes a security problem in the security monitoring target system, storage means for storing advice information regarding the event detected by the analysis by the analysis means, and notification of the detection of the event to a predetermined destination, And a notification means for making the advice information immediately viewable.

  Further, the present invention can be grasped by paying attention to detecting a security incident that actually causes damage. In that case, the security monitoring device of the present invention analyzes log collected by the log collecting means for collecting a log of communication passing through a firewall constructed between the security monitoring target system and the network, and the log collected by the log collecting means. And analyzing means for detecting an event that actually causes damage in the security monitoring target system, and notifying means for notifying a predetermined destination that an event has been detected by the analysis by the analyzing means.

  Furthermore, the present invention can also be understood as a method for performing in real time from reporting a security incident detection to providing advice (providing a countermeasure). In this case, the security monitoring method of the present invention is a security monitoring method for a security monitoring target system connected to a network through a firewall, and includes an event that causes a security problem of the security monitoring target system and advice information related to the event. A step of storing in association with each other, a step of collecting a log of communication through the firewall, a step of analyzing the collected log to detect an event, and obtaining advice information on the event based on the detected event And a step of notifying a predetermined destination of information indicating that an event has been detected and information for browsing advice information.

  On the other hand, the present invention can also be understood as a computer program for causing a computer to realize a predetermined function. In that case, the program of the present invention analyzes a collected log and a function for collecting a log of communication via the firewall in a computer that monitors the security of the security monitoring target system connected to the network via the firewall. This is to realize a function of detecting an event that actually causes damage in the security monitoring target system.

  According to the present invention, it is possible to detect a security incident at an early stage and take countermeasures at an early stage.

The best mode for carrying out the present invention (hereinafter referred to as “embodiment”) will be described below in detail with reference to the accompanying drawings.
FIG. 1 is a diagram showing a configuration of a computer system to which the present embodiment is applied. This computer system includes a firewall 10, a log collection server 20, an analysis server 30, a database 40, a mail server 50, a customer terminal 60, and a Web server 70. Among these, the firewall 10 and the log collection server 20, the mail server 50 and the customer terminal 60, and the customer terminal 60 and the Web server 70 are connected by a network such as the Internet.

  The firewall 10 is constructed between a customer-side security monitoring target system (hereinafter referred to as “security monitoring target system”) and an external network, and monitors communication between the security monitoring target system and the external network. , An apparatus having a function of outputting the record as a log. Specifically, there are a case where it is realized by incorporating software into an existing computer and a case where it is realized using dedicated hardware. The log output from the firewall 10 includes a device name, transmission source IP address, transmission destination IP address, transmission source port protocol, transmission destination port protocol, and time that uniquely identify the firewall 10 that has output the log. This information is included.

The log collection server 20 is a server that collects logs output from the firewall 10, and the analysis server 30 is a server that receives logs from the log collection server 20 and analyzes them according to a predetermined rule. The specific hardware configuration of these servers is the same as that of a normal server computer, and has a central processing unit (CPU), a main storage device, an external storage device (for example, a magnetic disk device), a communication control device, etc. ing. These server functions are realized by the CPU of the server loading, for example, a program stored in an external storage device into the main memory and executing it.
The database 40 is a storage device (storage means) that stores information referred to by the analysis server 30, the mail server 50, and the Web server 70, and is realized by a magnetic disk, for example. The specific contents of the information stored in the database 40 will be described later.

  The mail server 50 is a server that transmits an e-mail to a predetermined destination (e-mail address) according to the contents of the database 40. The specific hardware configuration and function implementation method of this server is the same as that of each server computer described above. It is the same. The customer terminal 60 is a terminal device installed on the customer side and having a function of receiving an e-mail or accessing a web page, and is realized by, for example, a PC (Personal Computer). The Web server 70 is a server having a function of acquiring a requested Web page and transmitting it to a request source, and a specific hardware configuration and function realizing method of this server is the same as that of each server computer described above. . Note that the mail server 50 and the Web server 70 can be collectively understood as a notification unit from the viewpoint of immediately reporting occurrence of an event and detailed information regarding the event.

Here, specific contents of the information stored in the database 40 will be described in detail.
First, information as shown in FIG. 2 is stored in the database 40 in advance.
Among these, FIG. 2A shows information (customer information) of each customer who owns the security monitoring target system. Specifically, a customer ID that uniquely identifies a customer, a customer name, a device name that is a name that uniquely identifies the firewall 10 built in the customer's system, and an electronic device when an abnormality is detected from a log of the firewall 10 The e-mail address that is the destination for sending the e-mail is associated with the password that is required when the customer accesses the information via the Web server 70. In addition to these pieces of information, information such as a contact telephone number, which is generally managed as customer information, may be stored, but is omitted here because it is not directly related to the invention.

FIG. 2B shows definition information (event definition information) related to an event that can be grasped by analyzing a log output from the firewall 10. Specifically, an event summary that directly expresses the content of the event, the importance of each event given from the viewpoint of whether or not the actual harm has occurred, the conditions and events used to detect the event by analyzing the log The countermeasures for are associated.
Here, there are three types of importance, “High”, “Medium”, and “Low”. “High” refers to the importance given to events that are considered to cause actual harm such as worm infections, backdoors, and Trojan horses. “Medium” refers to the use of file sharing software. Depending on the security policy of the customer, etc., this is the importance given to the event that causes the actual harm, and “Low” is the importance given to the event that does not cause the actual harm at that time, such as an external investigation activity. is there. In this example, the importance is defined as being uniquely determined for the event. For example, for an event whose importance differs according to the customer's security policy, the importance is set for each customer. May be.

In addition, the conditions include a plurality of information such as information on the transmission source and transmission destination such as transmission source IP address, transmission destination IP address, transmission source port protocol, transmission destination port protocol, etc. included in the log, and information on time Conditions that combine items are set. In conventional IDS (Intrusion Detection System), only illegal packets are detected by performing pattern matching on packets flowing on the network. In the present invention, however, the conditions combining such information items are uniquely set. One feature is that it is incorporated as a know-how and detects an event causing damage using such conditions.
In FIG. 2 (b), specific conditions and countermeasures are omitted for the sake of space, but corresponding conditions and countermeasures are also defined for the omitted parts. To do.
The database 40 also records information related to the occurrence of an event as a result of analysis by the analysis server 30, which will be described later.

Next, the operation of the computer system shown in FIG. 1 will be described.
First, the firewall 10 outputs a log of communication between the security monitoring target system and the external network. Then, the log collection server 20 collects the log output from the firewall 10 and passes it to the analysis server 30. As a result, log analysis processing by the analysis server 30 starts.

FIG. 3 is a flowchart showing the operation of the analysis server 30.
First, the analysis server 30 receives a log from the log collection server 20 (step 101). The analysis server 30 actually accepts logs collected from a plurality of firewalls 10, but in the following, only logs collected from one specific firewall 10 are accepted for the sake of simplicity. Will be described. In addition, the log has an expiration date, and analysis is performed on logs that occur within 24 hours.
Next, the analysis server 30 pays attention to one event in the event definition information in FIG. 2B, collates the condition for the event with the log (step 102), and determines whether the log satisfies the condition. Determination is made (step 103).
As a result, if the log satisfies the condition, information (event occurrence information) relating to the occurrence of the currently focused event is recorded in the database 40 (step 105).

FIG. 4 is an example of event occurrence information recorded at this time. Specifically, an event number, which is a serial number given every occurrence of an event, the date and time when the event occurred, and an event summary that directly represents the content of the event are recorded in association with each other. Although not shown in the figure, the number of logs from which the event is detected may be recorded in association with the event.
The event occurrence information in FIG. 4 is recorded for each firewall 10. That is, a storage area for storing event occurrence information is assigned to each device name, and event occurrence information related to the device is recorded in the storage area assigned to the device name currently focused on.

On the other hand, if the log does not satisfy the condition, it is determined whether another event exists in the event definition information (step 104). If another event exists, the processing of steps 102 and 103 is repeated. Thereafter, the same process is repeated until an event that satisfies the log condition appears. If no event exists in step 104, the process is terminated.
Thus, the operation of the analysis server 30 ends.

In addition, the mail server 50 monitors event occurrence information recorded in the database 40 and detects information on a newly occurring event. Here, since the event occurrence information is recorded for each firewall 10 as described above, it is possible to identify the firewall 10 that has output the log that is the source of the detection of a new event. Then, the mail server 50 searches the customer information in FIG. 2A using the device name of the firewall 10 as a key, and acquires the customer ID and the mail address.
As a result, the mail server 50 transmits information for accessing the customer-specific Web portal, for example, an e-mail in which a URL (Uniform Resource Locator) is described to the e-mail address. That is, the e-mail includes, for example, a message such as “A security incident has been found. Refer to the following URL for details” and the URL of the Web portal that displays event occurrence information. Yes.
Therefore, the customer operator displays the contents of the e-mail on the customer terminal 60 and clicks the URL. Thereby, the customer terminal 60 is connected to the Web server 70, and the Web server 70 requests the customer terminal 60 to input a password.
When the customer operator inputs a password in response to this request, the Web server 70 extracts the password from the customer information in the database 40, and verifies whether the entered password is consistent with the stored password. . As a result, if the passwords match, the Web server 70 transmits a Web portal dedicated to the customer to the customer terminal 60. Then, the customer operator can refer to the event occurrence information related to all the firewalls 10 of the customer from this Web portal.

5 and 6 are diagrams showing examples of screens for displaying event occurrence information.
Among these, FIG. 5 is an example of a screen displaying a summary of event occurrence information. When “FW security monitoring” is selected from the menu on the left side, information is appropriately extracted from the event definition information and event occurrence information in the database 40 and displayed. Specifically, the event number, date, and event summary are extracted from the event occurrence information. Further, since the importance is defined for the event summary in the event definition information, this information is extracted.
On the other hand, a status field is also provided on the screen of FIG. This is a column for inputting the response status on the customer side for each event. Further, a “detail” button is provided in the detail column, and when the “detail” button corresponding to a specific event is clicked, detailed information regarding the event is displayed.

  FIG. 6 is an example of a screen that displays such detailed information. In the figure, specific contents are omitted as countermeasures, but actually, the countermeasures for the event are described in detail in text. The information here is also appropriately extracted from the event definition information and the event occurrence information and displayed. Specifically, the event number, date, and event summary are extracted from the event occurrence information, and the importance and the countermeasure are extracted from the event definition information. The number of logs is not shown in FIG. 4, but if such information is managed as event occurrence information, it can be extracted from the event occurrence information and displayed. Also here, a status column is provided for inputting the response status on the customer side for each event.

This is the end of the description of the present embodiment.
In the present embodiment, as a method for performing real-time from reporting of occurrence of an event to advice, the occurrence of the event is reported using an e-mail, and the advice is provided by a Web portal. This is because there is a risk of inconveniences such as leakage of confidential information when detailed information about the event is transmitted by electronic mail. However, the present invention does not limit what method is used to perform real-time processing from event occurrence reporting to advice. In other words, in an environment in which troubles such as leakage of confidential information do not occur, a configuration may be adopted in which information from the occurrence of an event to detailed information regarding the event is included in the e-mail.

As described above, in the present embodiment, events are reported in real time to advice in real time. In other words, when a suspicious log came up, an appropriate countermeasure was provided. As a result, it becomes possible to detect a security problem at an early stage and take countermeasures at an early stage, and it is also possible to quickly avoid subsequent risks.
Further, in the present embodiment, the occurrence of actual damage is detected instead of detecting an attack. This will also help prevent the damage from spreading when an attack is allowed.

It is the block diagram which showed the whole structure of the computer system to which this Embodiment is applied. It is the figure which showed an example of the customer information and event definition information which are memorize | stored in the database of this Embodiment. It is the flowchart which showed the operation | movement of the analysis server in this Embodiment. It is the figure which showed an example of the event occurrence information memorize | stored in the database of this Embodiment. It is the figure which showed the example of the list information displayed on a customer terminal in this Embodiment. It is the figure which showed the example of the detailed information displayed on a customer terminal in this Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Firewall, 20 ... Log collection server, 30 ... Analysis server, 40 ... Database, 50 ... Mail server, 60 ... Customer terminal, 70 ... Web server

Claims (9)

A log collection means for collecting a log of communication via a firewall constructed between the security monitoring target system and the network;
Analyzing means for analyzing the log collected by the log collecting means to detect an event that causes a security problem in the security monitoring target system;
Storage means for storing advice information related to the event detected by the analysis by the analysis means;
A security monitoring apparatus comprising: a notification unit that notifies a predetermined destination of the detection of the event and makes the advice information ready for browsing.   The security monitoring apparatus according to claim 1, wherein the analysis unit detects an event that actually causes damage in the security monitoring target system.   The security monitoring apparatus according to claim 1, wherein the notification unit notifies the detection of the event by an electronic mail in which information for browsing the advice information is described. A log collection means for collecting a log of communication via a firewall constructed between the security monitoring target system and the network;
Analyzing means for analyzing the log collected by the log collecting means and detecting an event that actually causes damage in the security monitoring target system;
A security monitoring apparatus comprising: a notification unit configured to notify a predetermined destination that the event has been detected by the analysis by the analysis unit.   The security monitoring apparatus according to claim 4, wherein the analysis unit detects the event by comparing the log with conditions for a plurality of items included in the log. A security monitoring method for a security monitoring target system connected to a network through a firewall,
Storing an event that is a security problem of the security monitoring target system and advice information related to the event in association with each other;
Collecting a log of communication through the firewall;
Analyzing the collected log to detect the event;
Obtaining advice information about the event based on the detected event;
And a step of notifying a predetermined destination of information indicating that the event has been detected and information for browsing the advice information.   7. The security monitoring method according to claim 6, wherein in the notifying step, information is notified to a predetermined destination with respect to the firewall. To a computer that monitors the security of security-monitored systems connected to the network through a firewall,
A function of collecting a log of communication through the firewall;
A program for realizing the function of analyzing the collected logs and detecting an event that actually causes damage in the security monitoring target system.   9. The program according to claim 8, wherein the detecting function detects the event by comparing the log with conditions for a plurality of items included in the log.

Images