As systems become increasingly dependent on ICT (Information and Communication Technology), the importance of information security continues to grow. Consequently, various security tools have been put into practical use in recent years, and many organizations keep introducing such tools. On the other hand, it is not easy to operate and manage these various security tools so as to maintain system security. This is a major problem in security management for many organizations.
An object of security management is to carry out a countermeasure against a security vulnerability in accordance with its degree of risk. The vulnerability herein includes not only vulnerabilities of the software operated in the system (for example, bugs), but also all incidents that bring about threats to security. For example, for the threat “data leakage”, the fact that a PC (Personal Computer) can be easily carried (that is, the PC is a note PC) is also one of the vulnerabilities.
Security management needs to be carried out not only during design and implementation of the system, but also during operation. Security management that is carried out also during operation will be called security operation management, to distinguish it from security management carried out only during design and implementation.
In relation to security operation management, a method of defining the association between security vulnerabilities and countermeasures, and performing security operation management based on that association, is proposed in, for example, JP 2003-242112A (hereinafter called Patent Document 1) and JP 2005-515541A (hereinafter called Patent Document 2).
A security operation management system described in Patent Document 1 comprises: a device setting information DB that holds the setting information of a network server; a security information DB that holds diagnostic items for detecting a security problem and handling information for the security problem; and a diagnostic module that verifies the security problem of the network server based on the setting information held in the device setting information DB and delivers a security countermeasure. The diagnostic module disclosed in Patent Document 1 acquires diagnostic items for detecting a security problem from the security information DB and verifies, based on the setting information related to those diagnostic items, whether there is a security problem in the network server. If there is a security problem, the diagnostic module then acquires handling information from the security information DB and compares the handling information with the setting information to deliver a security countermeasure.
Patent Document 2 discloses a method of delivering, for an incident (hereinafter called an event) discovered by acquiring information related to a managed system, a process (hereinafter called an action) executed on the managed system to maintain security, based not on a simple correspondence table but on “a series of logic rules (specifically, logic rules worked out by associating parameter values with bit patterns)”. Hereinafter, a method of delivering a security countermeasure based on a predetermined correspondence between events and actions, as described in Patent Document 1 and Patent Document 2, will be called Related Art 1.
Furthermore, a method of generating an optimal combination of security countermeasures during system design, by describing and using rules that associate security risks with the countermeasures that need to be carried out in a fault tree or a chart showing weights, is described, for example, in JP 2004-133634A (hereinafter called Patent Document 3); Nagai, et al., “Proposition of Optimal Determination Technique of Security Countermeasure Target”, Information Processing Society of Japan Journal, 2000, Vol. 41, No. 8 (hereinafter called Non-Patent Document 1); and Hyodo, et al., “Modeling of Security Countermeasure Selection Problem”, The Institute of Electronics, Information, and Communications Engineers Technique, ISEC 2003-46, July 2003 (hereinafter called Non-Patent Document 2). Hereinafter, a method of generating an optimal combination of security countermeasures during system design, using rules describing the relationship between security risks and countermeasures as described in Patent Document 3 and Non-Patent Documents 1 and 2, will be called Related Art 2.
A major object of Related Arts 1 and 2 is to irreversibly apply corrective measures to vulnerabilities. However, in actual security operation management, security countermeasures often need to be switched in accordance with changes in the system, taking into consideration the balance between security risk and operational efficiency.
For example, the security countermeasures that need to be carried out differ between the case in which a PC is used in an intranet that is protected in terms of security and the case in which the PC is connected to the public Internet. This is because a security threat that can be ignored when the PC is used in an intranet needs to be handled when the PC is connected to the public Internet, since there may be attacks from malicious third parties around the world. Conversely, the possibility of being attacked is low when the PC is connected to the intranet, and there is a demand to prioritize operational efficiency by running network services and the like (for example, a file sharing function).
Therefore, in delivering the security countermeasures to be applied to a portable PC such as a note PC, it is desirable to be able to decide which items are threats, and to switch what kind of countermeasure to take for each threat, depending on the state of the system, such as whether the PC is connected to the Internet or to an intranet.
However, in general, a system has a multiplicity of states. Therefore, in a method that delivers security countermeasures based on a predetermined association between events and actions, as in Related Art 1, it is difficult to describe a definition (a definition of the association between events and actions) that delivers an optimal countermeasure for each state. For example, when predetermined corrective measures are simply applied irreversibly to individual vulnerabilities, and the current state is not the target state (the state in which all predetermined corrective measures have been carried out), such as when a new vulnerability definition is added, the only state change that exists is the one that moves to the target state; as shown in FIG. 1a, the number of state changes then equals the number of states. However, when security countermeasures are mutually switched in accordance with changes in the system, the number of state changes is far greater than the number of states, as shown in FIG. 1b. FIG. 1b shows an example in which the condition of the system can be expressed by four states, and the state changes to a different target state in accordance with the change that occurs in the system under that condition. For example, under the condition corresponding to state 1, state 2 is the target state when a certain change occurs, while state 3 or state 4 may be the target state depending on which change occurred. When an attempt is made to realize reversible countermeasures, such as switching the security countermeasures in accordance with changes in the system, by the method of describing actions for events as in Related Art 1, conditions need to be set in accordance with the states. It is difficult to describe comprehensively and consistently a definition of the association between events and actions that includes such conditioning according to the states.
As compared to Related Art 1, in which the association between events and actions must be fully described for each state, Related Art 2 describes the relationship between security risks and countermeasures as a rule, and therefore a comprehensive and consistent description is easy to make. However, the object of Related Art 2 is to support system design taking security risks into consideration; detecting which condition the current system is in, and determining a security countermeasure based on the result of that detection, are not taken into consideration. Therefore, a method of formulating rules that anticipate situations in which the optimal security countermeasures change depending on the state is not mentioned, and automatic switching of optimal security countermeasures cannot be carried out during operation of the managed system.
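The contrast between FIG. 1a and FIG. 1b, and between the two related arts, can be made concrete with a small model. The following is an added example, not from the patent or the cited documents; the four conditions, the countermeasure names and the per-condition rules are assumed for illustration. A rule in the style of Related Art 2 states only which countermeasures must be active under each condition, and the model derives from it the event-to-action table that Related Art 1 would have to spell out explicitly.

```python
# Added example: toy model of switching countermeasures by system state.
# All conditions, countermeasure names and rules below are assumed for
# illustration and are not taken from the patent text.

# The conditions the managed system can be in (the "states" of FIG. 1b).
CONDITIONS = ("intranet", "public_internet", "guest_vlan", "offline")

# Rule per condition: the set of countermeasures that must be active.
# Anything not listed is switched off to favour operational efficiency
# (e.g. file sharing stays enabled on the protected intranet).
RULES = {
    "intranet":        {"host_firewall"},
    "public_internet": {"host_firewall", "block_file_sharing", "vpn_required"},
    "guest_vlan":      {"host_firewall", "block_file_sharing"},
    "offline":         set(),
}


def target_state(condition):
    """Countermeasures that should be active under the given condition."""
    return frozenset(RULES[condition])


def transition(current, condition):
    """Actions needed to move from the current state to the target state.

    Returns (countermeasures to enable, countermeasures to disable); the
    second set is what makes the countermeasures reversible.
    """
    target = target_state(condition)
    return (target - current, current - target)


def count_irreversible_transitions(n_states):
    """FIG. 1a: each state has exactly one move, towards the single target."""
    return n_states


def count_reversible_transitions(conditions):
    """FIG. 1b: every (state, new condition) pair with a different target
    is a distinct state change."""
    states = {target_state(c) for c in conditions}
    return sum(1 for s in states for c in conditions if target_state(c) != s)


def event_action_table(conditions):
    """Related Art 1 style: one explicit (state, event) -> actions entry per
    state change, derived here from the rules instead of written by hand."""
    table = {}
    for cur in conditions:
        for new in conditions:
            if new != cur:
                table[(cur, new)] = transition(target_state(cur), new)
    return table
```

With four conditions the rule set has four entries, while the derived event-action table has twelve, one per directed state change; each additional condition adds one rule but 2n new table entries.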