(11)EP 2 648 384 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
06.05.2020 Bulletin 2020/19

(21)Application number: 13161774.8

(22)Date of filing:  28.03.2013
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)

(54)INFORMATION SECURITY MANAGEMENT

INFORMATIONSSICHERHEITSVERWALTUNG

GESTION DE LA SÉCURITÉ D'INFORMATIONS


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 02.04.2012 US 201261619348 P
10.08.2012 US 201213572298

(43)Date of publication of application:
09.10.2013 Bulletin 2013/41

(73)Proprietor: The Boeing Company
Chicago, IL 60606-1596 (US)

(72)Inventors:
  • Freeman, Roland N
    Tukwila, WA 98108 (US)
  • Patel, Depti
    El Segundo, CA 90245 (US)
  • Vinuelas, Luis A
    Tukwila, WA 98108 (US)
  • Rencher, Robert J
    Renton, WA 98057 (US)
  • Francy, Faye I
    Annapolis Junction, MD 20701 (US)

(74)Representative: Boult Wade Tennant LLP
Salisbury Square House 8 Salisbury Square
London EC4Y 8AP (GB)


(56)References cited:
EP-A1- 1 650 930
US-A1- 2010 192 223
US-A1- 2005 050 336
US-A1- 2011 131 648
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    BACKGROUND INFORMATION



    [0001] The present disclosure relates generally to systems and methods for information security management by detecting and responding to threats to data processing environments that may include a number of data processing systems connected to a network. More particularly, the present disclosure relates to identifying a data processing system that is the target of a threat to a data processing environment and responding to the threat in a manner that reduces disruption to the data processing environment.

    [0002] A variety of commercial, governmental, and other entities may perform numerous functions in a data processing environment. The data processing environment may include a number of data processing systems. For example, a data processing environment may include a host data processing system and a number of guest data processing systems associated with the host data processing system. The data processing environment may be configured to receive network traffic from a variety of sources via a network connection. Received network traffic may be directed by the host data processing system to the number of guest data processing systems as appropriate.

    [0003] A data processing environment connected to a network may be subject to a number of threats. For example, such a threat may include an attempt to affect the performance of the data processing environment in undesired ways. A threat against a data processing system in the data processing environment may be recognized by detecting an anomaly in the network traffic directed to the data processing system.

    [0004] Information security management is a common problem faced by various economic sectors employing network-centric operations where a safety-first principle is central. An air traffic control system is an example of such a system including a data processing environment that may be subject to a number of threats. Information systems for air traffic control may include networked ground systems and satellite systems, air-to-ground, air-to-satellite and air-to-air interfaces, and stakeholder organizations and authorized personnel and processes.

    [0005] A fundamental difference between safety and information security management in air traffic control systems is that existing safety guidelines may not consider malicious activities that may emerge with the use of computer network capabilities in the national airspace system. Safety and information security management, however, may have commonalities in consequences of dangers and incidents in the air traffic control systems. Therefore, a safety management system framework may be applicable to information security management. However, a safety management system framework also may have major gaps with respect to information security management. Processes and approaches that can potentially bridge these gaps are desirable. Considerations for assessing information security risks from any changes to the national airspace system and defining information security controls for risk mitigation also are desirable.

    [0006] A safety management system may cover safety hazards and not the cause of these hazards. Hence, if a malicious activity causes a safety hazard, the impact such as danger, incident, or harm to the asset of the malicious activity may be covered by the safety management system. It is desirable, however, that an information security management system is configured to assess and evaluate the likelihood of this malicious activity, other potential consequences of this malicious activity that may not be covered by the safety management system, design security assurance functions that lower the likelihood, and promote the security assurance functions.

    [0007] Information security measures are desirable for air traffic control systems to ensure that no hazard or incident can be introduced through intended system operation, unanticipated errors in applications, unexpected environmental conditions, or deliberate malicious attack. Additionally, security measures may be desirable to ensure that organizations involved in developing, operating, and servicing the air traffic control system and supporting the air traffic control mission of efficiently, safely, and securely managing air traffic in the national airspace system, may operate their businesses effectively and in fulfillment of legal requirements and business objectives.

    [0008] It is desirable to respond to the detection of a threat against a data processing environment in a manner that protects the data processing environment, including the data being processed in the data processing environment, from the potential threat. However, responding to a detected threat may itself disrupt operation of the data processing environment.

    [0009] Accordingly, it would be beneficial to have a method and apparatus that takes into account one or more of the issues discussed above as well as possibly other issues.

    [0010] US 2010/6192233 discloses a system for identifying malicious network content based on the behaviour of one or more virtual environment components.

    SUMMARY



    [0011] The present invention resides in a method according to claim 1 and an apparatus according to claim 6.

    [0012] An illustrative embodiment of the present disclosure provides a method for information security management. An anomaly in data traffic directed to a data processing environment is identified. The anomaly indicates a threat to the data processing environment. The data processing environment comprises a number of data processing systems. A threatened data processing system is identified. The threatened data processing system is one of the number of data processing systems to which the threat is directed. The threatened data processing system is isolated. The threatened data processing system is monitored after isolating the threatened data processing system. The threatened data processing system is replicated to form a replicated data processing system.

    [0013] Another illustrative embodiment of the present disclosure provides an apparatus comprising an information security management system implemented in a data processing environment. The data processing environment comprises a number of data processing systems. The information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment, identify a threatened data processing system, wherein the threatened data processing system is one of the number of data processing systems to which the threat is directed, isolate the threatened data processing system, monitor the threatened data processing system after the threatened data processing system is isolated, and replicate the threatened data processing system to form a replicated data processing system.

    [0014] According to still another illustrative embodiment of the present disclosure a method for information security management is provided. An anomaly in data traffic directed to a data processing environment is identified. The anomaly indicates a threat to the data processing environment. The data processing environment comprises a threatened host data processing system and a number of guest data processing systems associated with the threatened host data processing system. Responsive to identifying the threat being directed to the threatened host data processing system, the number of guest data processing systems are moved from the threatened host data processing system to a new host data processing system. A portion of the data traffic that is verified not to include anomalies is directed to the new host data processing system. The data traffic is directed to the threatened host data processing system after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system. The threatened host data processing system is monitored after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system.

    [0015] In another illustrative embodiment of the present disclosure an apparatus comprising an information security management system implemented in a data processing environment is provided. The data processing environment comprises a threatened host data processing system and a number of guest data processing systems associated with the threatened host data processing system. The information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment, move the number of guest data processing systems from the threatened host data processing system to a new host data processing system responsive to identifying the threat being directed to the threatened host data processing system, direct a portion of the data traffic that is verified not to include anomalies to the new host data processing system, direct the data traffic to the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system to the new host data processing system, and monitor the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system to the new host data processing system.

    [0016] In still another illustrative embodiment of the present disclosure a method for information security management is provided. An anomaly in data traffic directed to a data processing environment is identified. The anomaly indicates a threat to the data processing environment. The data processing environment comprises a host data processing system and a number of guest data processing systems associated with the host data processing system. Responsive to identifying the threat being directed to a threatened guest data processing system, wherein the threatened guest data processing system is one of the number of guest data processing systems, the threatened guest data processing system is replicated to form a replicated guest data processing system associated with the host data processing system. A portion of the data traffic that is verified not to include anomalies is directed to the replicated guest data processing system. The threatened guest data processing system is moved to an isolation host data processing system. The data traffic is directed to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system. The threatened guest data processing system is monitored after moving the threatened guest data processing system to the isolation host data processing system.

    [0017] Another illustrative embodiment of the present disclosure provides an apparatus comprising an information security management system implemented in a data processing environment. The data processing environment comprises a host data processing system and a number of guest data processing systems associated with the host data processing system. The information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment, replicate a threatened guest data processing system to form a replicated guest data processing system associated with the host data processing system responsive to the threat being directed to the threatened guest data processing system, wherein the threatened guest data processing system is one of the number of guest data processing systems, direct a portion of the data traffic that is verified not to include anomalies to the replicated guest data processing system, move the threatened guest data processing system to an isolation host data processing system, direct the data traffic to the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system, and monitor the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system.

    [0018] According to an aspect of the present disclosure, there is provided a method for information security management, comprising identifying an anomaly in data traffic directed to a data processing environment, wherein the anomaly indicates a threat to the data processing environment and the data processing environment comprises a number of data processing systems; identifying a threatened data processing system, wherein the threatened data processing system is one of the number of data processing systems to which the threat is directed; isolating the threatened data processing system; monitoring the threatened data processing system after isolating the threatened data processing system; and replicating the threatened data processing system to form a replicated data processing system.

    [0019] Advantageously, the method further comprises directing the data traffic to the threatened data processing system after isolating the threatened data processing system; and monitoring the data traffic directed to the threatened data processing system after isolating the threatened data processing system.

    [0020] Advantageously, the data traffic directed to the threatened data processing system after isolating the threatened data processing system comprises the data traffic indicating the threat, and the method further comprises identifying a profile of the data traffic indicating the threat.

    [0021] Advantageously, the method further comprises directing a portion of the data traffic that is verified not to include anomalies to the replicated data processing system.

    [0022] Advantageously the number of data processing systems comprises a host data processing system and a number of guest data processing systems associated with the host data processing system, the threatened data processing system is the host data processing system, and the replicated data processing system comprises a new host data processing system and further comprising moving the number of guest data processing systems from the threatened data processing system to the new host data processing system.

    [0023] Advantageously, isolating the threatened data processing system comprises moving the threatened data processing system to an isolation host data processing system, wherein the number of data processing systems comprises a host data processing system and a number of guest data processing systems associated with the host data processing system; the threatened data processing system is one of the number of guest data processing systems; and the replicated data processing system comprises a replicated guest data processing system associated with the host data processing system.

    [0024] According to an aspect of the present disclosure, there is provided an apparatus comprising an information security management system implemented in a data processing environment, the data processing environment comprising a number of data processing systems, wherein the information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment; identify a threatened data processing system, wherein the threatened data processing system is one of the number of data processing systems to which the threat is directed; isolate the threatened data processing system; monitor the threatened data processing system after the threatened data processing system is isolated; and replicate the threatened data processing system to form a replicated data processing system.

    [0025] Advantageously the information security management system is further configured to direct the data traffic to the threatened data processing system after the threatened data processing system is isolated and monitor the data traffic directed to the threatened data processing system after the threatened data processing system is isolated.

    [0026] Advantageously the data traffic directed to the threatened data processing system after the threatened data processing system is isolated comprises the data traffic indicating the threat; and the information security management system is further configured to identify a profile of the data traffic indicating the threat.

    [0027] Advantageously the information security management system is further configured to direct a portion of the data traffic that is verified not to include anomalies to the replicated data processing system.

    [0028] Advantageously the number of data processing systems comprises a host data processing system and a number of guest data processing systems associated with the host data processing system; the threatened data processing system is the host data processing system; the replicated data processing system comprises a new host data processing system; and the information security management system is further configured to move the number of guest data processing systems from the threatened data processing system to the new host data processing system.

    [0029] Advantageously the number of data processing systems comprises a host data processing system and a number of guest data processing systems associated with the host data processing system; the threatened data processing system is one of the number of guest data processing systems; the information security management system is configured to move the threatened data processing system to an isolation host data processing system to isolate the threatened data processing system; and the replicated data processing system comprises a replicated guest data processing system associated with the host data processing system.

    [0030] According to an aspect of the present disclosure, there is provided a method for information security management, comprising identifying an anomaly in data traffic directed to a data processing environment, wherein the anomaly indicates a threat to the data processing environment and the data processing environment comprises a threatened host data processing system and a number of guest data processing systems associated with the threatened host data processing system; responsive to identifying the threat being directed to the threatened host data processing system, moving the number of guest data processing systems from the threatened host data processing system to a new host data processing system; directing a portion of the data traffic that is verified not to include anomalies to the new host data processing system; directing the data traffic to the threatened host data processing system after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system; and monitoring the threatened host data processing system after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system.

    [0031] Advantageously monitoring the threatened host data processing system comprises monitoring the data traffic directed to the threatened host data processing system after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system.

    [0032] Advantageously the data traffic directed to the threatened host data processing system after moving the number of guest data processing systems from the threatened host data processing system to the new host data processing system comprises the data traffic indicating the threat and further comprising identifying a profile of the data traffic indicating the threat.

    [0033] According to an aspect of the present disclosure, there is provided an apparatus comprising an information security management system implemented in a data processing environment, the data processing environment comprising a threatened host data processing system and a number of guest data processing systems associated with the threatened host data processing system, wherein the information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment; move the number of guest data processing systems from the threatened host data processing system to a new host data processing system responsive to identifying the threat being directed to the threatened host data processing system; direct a portion of the data traffic that is verified not to include anomalies to the new host data processing system; direct the data traffic to the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system to the new host data processing system; and monitor the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system to the new host data processing system.

    [0034] Advantageously the information security management system is configured to monitor the data traffic directed to the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system to the new host data processing system.

    [0035] Advantageously the data traffic directed to the threatened host data processing system after the number of guest data processing systems are moved from the threatened host data processing system comprises data traffic indicating the threat and wherein the information security management system is further configured to identify a profile of the data traffic indicating the threat.

    [0036] According to an aspect of the present disclosure, there is provided a method for information security management, comprising identifying an anomaly in data traffic directed to a data processing environment, wherein the anomaly indicates a threat to the data processing environment and the data processing environment comprises a host data processing system and a number of guest data processing systems associated with the host data processing system; responsive to identifying the threat being directed to a threatened guest data processing system, wherein the threatened guest data processing system is one of the number of guest data processing systems, replicating the threatened guest data processing system to form a replicated guest data processing system associated with the host data processing system; directing a portion of the data traffic that is verified not to include anomalies to the replicated guest data processing system; moving the threatened guest data processing system to an isolation host data processing system; directing the data traffic to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system; and monitoring the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system.

    [0037] Advantageously monitoring the threatened guest data processing system comprises monitoring the data traffic directed to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system.

    [0038] Advantageously the data traffic directed to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system comprises data traffic indicating the threat and further comprising identifying a profile of the data traffic indicating the threat.

    [0039] According to an aspect of the present disclosure, there is provided an apparatus, comprising an information security management system implemented in a data processing environment, the data processing environment comprising a host data processing system and a number of guest data processing systems associated with the host data processing system, wherein the information security management system is configured to identify an anomaly in data traffic directed to the data processing environment, wherein the anomaly indicates a threat to the data processing environment; replicate a threatened guest data processing system to form a replicated guest data processing system associated with the host data processing system responsive to the threat being directed to the threatened guest data processing system, wherein the threatened guest data processing system is one of the number of guest data processing systems; direct a portion of the data traffic that is verified not to include anomalies to the replicated guest data processing system; move the threatened guest data processing system to an isolation host data processing system; direct the data traffic to the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system; and monitor the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system.

    [0040] Advantageously the information security management system is configured to monitor the data traffic directed to the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system.

    [0041] Advantageously the data traffic directed to the threatened guest data processing system after the threatened guest data processing system is moved to the isolation host data processing system comprises data traffic indicating the threat and wherein the information security management system is configured to identify a profile of the data traffic indicating the threat. The features, functions, and benefits may be achieved independently in various embodiments of the present disclosure or may be combined in yet other embodiments in which further details can be seen with reference to the following description and drawings.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0042] The novel features believed characteristic of the illustrative embodiments are set forth in the appended claims. The illustrative embodiments, however, as well as a preferred mode of use, further objectives, and features thereof will best be understood by reference to the following detailed description of illustrative embodiments of the present disclosure when read in conjunction with the accompanying drawings, wherein:

    Figure 1 is a pictorial representation of a network of data processing systems in accordance with an illustrative embodiment;

    Figure 2 is a block diagram of a data processing environment in accordance with an illustrative embodiment;

    Figure 3 is a block diagram of a data processing environment that has been reconfigured in response to a threat to a host data processing system in accordance with an illustrative embodiment;

    Figure 4 is a block diagram of a data processing environment that has been reconfigured in response to a threat to a guest data processing system in accordance with an illustrative embodiment;

    Figure 5 is a flowchart of a general process for information security management in accordance with an illustrative embodiment;

    Figure 6 is a more detailed flowchart of a process for information security management in accordance with an illustrative embodiment; and

    Figure 7 is an illustration of a block diagram of a data processing system in accordance with an illustrative embodiment.


    DETAILED DESCRIPTION



    [0043] The different illustrative embodiments recognize and take into account a number of different considerations. "A number", as used herein with reference to items, means one or more items. For example, "a number of different considerations" means one or more different considerations.

    [0044] The illustrative embodiments recognize and take into account that current systems and methods for responding to a potential threat to a data processing environment may affect operation of the data processing environment in undesired ways. For example, in response to a detected threat directed against a host data processing system over a network connection, the entire data processing environment associated with the host data processing system may be disconnected from the network and isolated to prevent intrusions and corruptions. Guest data processing systems associated with the host data processing system also may be secured to prevent transitive corruptions. In this case, activity by the guest data processing systems is disrupted in response to a threat to the host system.

    [0045] When an anomaly in network traffic is determined to be a threat to a guest data processing system, the current response may be to shut down the entire data processing environment, including the host data processing system, to prevent cross contamination of the threat to other guest systems associated with the host system. In this case, activity by all of the guest data processing systems in the data processing environment may be disrupted in response to a threat to only one of the guest systems. This type of response to a perceived threat to the data processing environment is purely reactive and may result in an undesirable impact to the operations of business units or other entities using the data processing environment.

    [0046] Illustrative embodiments provide a system and method for responding to a threat to a data processing environment in a manner that protects the data processing environment from the threat while reducing undesirable disruptions to operation of the data processing environment. In accordance with an illustrative embodiment, detecting an anomaly in network data traffic to the data processing environment may indicate a potential threat to the data processing environment. Particular data processing systems in the data processing environment that may be the target of the threat are identified. For example, the threat may be identified as being directed to the host data processing system or to a guest data processing system.

    [0047] The data processing system that is identified as the target of the threat may be isolated. Data traffic may continue to be directed to the isolated system. The isolated system and network traffic may be monitored and analyzed, for example, to identify more detail about the threat, such as the intent of the threat.

    [0048] The data processing system that is the target of the threat may be replicated in the data processing environment. Data traffic that is verified to have no anomalies may be directed to the replicated data processing system. In this manner, the operation of the threatened data processing system may be restored with reduced impact on operation of other data processing systems in the data processing environment.

    [0049] With reference now to the figures and, in particular, with reference to Figure 1, an illustrative diagram of a data processing environment that may include a number of data processing systems is provided in which illustrative embodiments may be implemented. It should be appreciated that Figure 1 is only provided as an illustration of one implementation and is not intended to imply any limitation with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environments may be made.

    [0050] Turning now to Figure 1, a pictorial representation of a network of data processing systems is depicted in accordance with an illustrative embodiment. In this example, network data processing system 100 is an example of one implementation of a network of computers in which illustrative embodiments may be implemented. Network data processing system 100 contains network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wires, wireless communication links, or fiber optic cables.

    [0051] In the depicted example, server computer 104 and server computer 106 connect to network 102 along with storage unit 108. In addition, client computers 110, 112, and 114 connect to network 102. Client computers 110, 112, and 114 may be, for example, personal computing devices or network computers. In the depicted example, server computer 104 provides information, such as boot files, operating system images, and applications to client computers 110, 112, and 114. Client computers 110, 112, and 114 are clients to server computer 104 in this example. Network data processing system 100 may include additional server computers, client computers, and other devices not shown.

    [0052] Program code located in network data processing system 100 may be stored on a computer-recordable storage medium and downloaded to a data processing system or other device for use. For example, program code may be stored on a computer-recordable storage medium on server computer 104 and downloaded to client computer 110 over network 102 for use on client computer 110.

    [0053] In the depicted example, network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages. Network data processing system 100 also may be implemented as a number of different types of networks, such as, for example, an intranet, a local area network (LAN), or a wide area network (WAN). Figure 1 is intended as an example, and not as an architectural limitation for the different illustrative embodiments.

    [0054] Turning now to Figure 2, a block diagram of a data processing environment is depicted in accordance with an illustrative embodiment. In this example, data processing environment 200 is an example of one implementation of network data processing system 100 in Figure 1.

    [0055] Data processing environment 200 may include host data processing system 202 and number of guest data processing systems 204. In this example, host data processing system 202 may be an example of one implementation of server computer 104 or server computer 106 in Figure 1. Host data processing system 202 may include host server 206. Host server 206 may be part of host network 208. Host server 206 may be in communication with number of guest data processing systems 204 via host network 208. Host network 208 may be configured using any appropriate communications media and protocols for providing the communication of data between host server 206 and number of guest data processing systems 204.

    [0056] Number of guest data processing systems 204 may include any number of data processing systems associated as guests with host data processing system 202. In this example, number of guest data processing systems 204 includes guest system 210, guest system 212, and guest system 214. Number of guest data processing systems 204 may include more or fewer than three guest systems. In this example, guest system 210, guest system 212, and guest system 214 may be examples of implementations of client computer 110, client computer 112, and client computer 114 in Figure 1.

    [0057] Host data processing system 202 may be configured to receive data traffic 216 via network connection 218. Data traffic 216 also may be referred to as network traffic. Network connection 218 may provide a connection to a wide area network, a local area network, the Internet, or any other network or combination of networks. Network connection 218 may be a wireless connection, a wired connection, a fiber optic connection, or a connection using any other medium or combinations of media for the communication of data. The communication of data via network connection 218 may use any appropriate protocol or combinations of protocols for data communications. Data traffic 216 received by host data processing system 202 may be directed by host server 206 to number of guest data processing systems 204 via host network 208.

    [0058] Data traffic 216 may be received via network connection 218 from a variety of sources. Firewall 220 may be provided in combination with network connection 218 to keep data processing environment 200 secure. Firewall 220 may be configured to control the incoming and outgoing of data traffic 216 by analyzing data traffic 216 and determining whether it should be allowed through. For example, without limitation, firewall 220 may be configured to analyze data packets in data traffic 216 or other characteristics of data traffic 216 based on a predetermined rule set to identify anomaly 222 in data traffic 216. Firewall 220 may be implemented in hardware or in software in combination with hardware.

    [0059] Anomaly 222 in data traffic 216 may include any characteristic of data traffic 216 that indicates threat 224. Threat 224 may represent any unauthorized attempt to affect data processing environment 200. In particular, threat 224 may include any attempt to affect any part of data processing environment 200 in an undesired way. Data processing environment 200 may include any data that may be stored or processed in data processing environment 200. Therefore, threat 224 may include any unauthorized attempt to affect any data associated with data processing environment 200 or any attempt to affect any data associated with data processing environment 200 in an undesired way.

    [0060] Threat 224 may be an intentional attempt to affect data processing environment 200 in an undesired way. In some cases, however, threat 224 may be unintentional. Although the presence of anomaly 222 in data traffic 216 may indicate threat 224, anomaly 222 itself may or may not be capable of affecting data processing environment 200 in an undesired way.

    [0061] Information security management system 226 may be implemented in data processing environment 200 to protect data processing environment 200 from threat 224. Information security management system 226 may be configured to perform a variety of functions for identifying threat 224 and responding to threat 224 to protect data processing environment 200 from threat 224 while reducing disruptions to operations of data processing environment 200. For example, without limitation, information security management system 226 may be configured to provide anomaly detection 228, threat target identification 230, targeted system isolation 232, threat analysis 233, and targeted system replication 234. The various functions of information security management system 226 may be implemented in one location in data processing environment 200 or may be distributed at various locations in data processing environment 200.

    [0062] Anomaly detection 228 may include detecting anomaly 222 in data traffic 216. Anomaly 222 may indicate threat 224 to data processing environment 200.

    [0063] Threat target identification 230 may include identifying the part of data processing environment 200 to which threat 224 may be directed. For example, threat 224 may be directed to host data processing system 202 or to one of number of guest data processing systems 204. For example, without limitation, threat target identification 230 may identify the target of threat 224 from characteristics of anomaly 222 itself, from other information, or from characteristics of anomaly 222 in combination with other information.

    [0064] Targeted system isolation 232 includes isolating the data processing system in data processing environment 200 that is the target of threat 224. The data processing system that is the target of threat 224 may be isolated in any appropriate manner to protect data processing environment 200 from threat 224. Data traffic 216 may continue to be directed to the isolated data processing system. The isolated data processing system and data traffic 216 directed thereto may be monitored.

    [0065] Data traffic 216 directed to the isolated data processing system may include anomaly 222 indicating threat 224. Data traffic 216 directed to the isolated data processing system may be analyzed by threat analysis 233 to identify additional characteristics of threat 224, such as the intent of threat 224. For example, data traffic 216 directed to the isolated data processing system may be analyzed by threat analysis 233 to identify profile 235 of data traffic 216 indicating threat 224. For example, without limitation, profile 235 may include an identified pattern of data packets in data traffic 216, network transitions a given packet is taking, or other characteristics or combinations of characteristics of data traffic 216 to identify threat 224. Profile 235 may be used by information security management system 226 for more rapid and accurate identification and handling of threat 224 in the future.
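The three functions just described (anomaly detection 228 from a firewall rule set, threat target identification 230 from the anomaly's own characteristics, and threat analysis 233 producing profile 235) can be made concrete with a small worked example. The following Python is an added illustration written for this page, not the patent's or The Boeing Company's code; the address plan, allowed ports, rule set, scan threshold and sample packets are all constructed assumptions.

```python
"""Rule-based anomaly detection, threat-target identification and threat
profiling over constructed packet records.  Added illustration of functions
228, 230 and 233 of the description, not the patent's own code; addresses,
ports, rules and thresholds are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed address plan: host server 206 and the three guest systems.
HOST_ADDR = "10.0.0.1"
GUEST_ADDRS = {"10.0.0.10": "guest-210",
               "10.0.0.11": "guest-212",
               "10.0.0.12": "guest-214"}
ALLOWED_PORTS = {22, 80, 443}   # assumed: services the environment exposes
SCAN_THRESHOLD = 3              # assumed: distinct ports per source before flagging


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int
    flags: str   # TCP flag letters, e.g. "S" (SYN), "A" (ACK), "PA" (PSH+ACK)


# Assumed stateless rule set for firewall 220: (rule name, predicate).
RULES = [
    ("closed-port-probe", lambda p: p.dport not in ALLOWED_PORTS),
    ("oversized-syn", lambda p: p.flags == "S" and p.size > 120),
]


def detect_anomalies(packets):
    """Anomaly detection 228: apply the stateless rules to each packet plus
    one stateful check (a source touching SCAN_THRESHOLD distinct ports is
    flagged once as a port scan).  Returns a list of (packet, rule name)."""
    hits = []
    ports_seen = defaultdict(set)
    for p in packets:
        for name, matches in RULES:
            if matches(p):
                hits.append((p, name))
        ports_seen[p.src].add(p.dport)
        if len(ports_seen[p.src]) == SCAN_THRESHOLD:   # fires exactly once
            hits.append((p, "port-scan"))
    return hits


def identify_target(packet):
    """Threat target identification 230 using only a characteristic of the
    anomalous packet itself: its destination address selects the host
    system or one guest system.  Unknown addresses are reported as such."""
    if packet.dst == HOST_ADDR:
        return ("host", "host-202")
    if packet.dst in GUEST_ADDRS:
        return ("guest", GUEST_ADDRS[packet.dst])
    return ("unknown", packet.dst)


def profile_threat(hits):
    """Threat analysis 233: summarize anomalous traffic observed at the
    isolated system into profile 235 (sources, ports, rules that fired and
    the observed flag sequence)."""
    packets = [p for p, _ in hits]
    return {
        "sources": sorted({p.src for p in packets}),
        "ports": sorted({p.dport for p in packets}),
        "rules": sorted(Counter(name for _, name in hits).items()),
        "flag_sequence": [p.flags for p in packets],
    }


def matches_profile(packet, profile):
    """Faster future identification: a packet from a profiled source to a
    profiled port is treated as the same threat without re-running analysis."""
    return packet.src in profile["sources"] and packet.dport in profile["ports"]


# Constructed sample traffic: two benign flows and one source probing guest 210.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.10", 443, 80, "S"),
    Packet("198.51.100.7", "10.0.0.10", 443, 60, "A"),
    Packet("203.0.113.9", "10.0.0.10", 8080, 60, "S"),
    Packet("203.0.113.9", "10.0.0.10", 23, 60, "S"),
    Packet("203.0.113.9", "10.0.0.10", 3389, 60, "S"),
    Packet("198.51.100.8", "10.0.0.1", 22, 64, "S"),
]

if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_TRAFFIC)
    for p, rule in found:
        print(rule, "->", identify_target(p))
    print(profile_threat(found))
```

The stateful port-scan check is deliberately separate from the per-packet rules: a single packet to a closed port is a weak signal, while the same source sweeping several ports is the pattern that profile 235 is meant to capture, which is why the profile records sources and ports rather than individual packets.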

    [0066] Targeted system replication 234 may replicate the data processing system in data processing environment 200 that is the target of threat 224 to restore the functionality of the threatened data processing system in data processing environment 200. Data traffic 216 that has been verified not to contain any anomalies may be directed to the replicated data processing system in data processing environment 200.

    [0067] The illustration of Figure 2 is not meant to imply physical or architectural limitations to the manner in which different illustrative embodiments may be implemented. Other components in addition to, in place of, or both in addition to and in place of the ones illustrated may be used. Some components may be unnecessary in some illustrative embodiments. Also, the blocks are presented to illustrate some functional components. One or more of these blocks may be combined or divided into different blocks when implemented in different illustrative embodiments.

    [0068] For example, without limitation, data processing environment 200 may be implemented, in whole or in part, in a cloud computing environment. In this case, one or more of host data processing system 202 and number of guest data processing systems 204 may be implemented using data processing resources that are provided as a service by a provider of data processing resources.

    [0069] Turning now to Figure 3, a block diagram of a data processing environment that has been reconfigured in response to a threat to a host data processing system is depicted in accordance with an illustrative embodiment. In this example, data processing environment 300 is an example of data processing environment 200 in Figure 2 after information security management system 226 in Figure 2 has identified and responded to threat 224 directed to host data processing system 202 in data processing environment 200. In this example, therefore, threatened host data processing system 302 corresponds to host data processing system 202 in Figure 2.

    [0070] In response to identifying a threat to threatened host data processing system 302, threatened host data processing system 302 is isolated and new host data processing system 303 is started. New host data processing system 303 replicates the functionality of threatened host data processing system 302. New host data processing system 303 may include new host server 304 and new host network 306. Number of guest data processing systems 308 may be moved from threatened host data processing system 302 to new host data processing system 303. In this example, number of guest data processing systems 308 corresponds to number of guest data processing systems 204 in Figure 2. Verified good traffic 310 may be directed to number of guest data processing systems 308 from data traffic 216 by new host server 304 via new host network 306. Verified good traffic 310 may include a portion of data traffic 216 that has been verified to contain no anomalies.

    [0071] Data traffic 216 may continue to be directed to threatened host data processing system 302. Threatened host data processing system 302 is now isolated. Threatened host data processing system 302 and data traffic 216 directed thereto may be monitored under controlled conditions. Data traffic 216 directed to threatened host data processing system 302 may be analyzed to identify, for example, a profile of the threat to threatened host data processing system 302.

    [0072] Turning now to Figure 4, a block diagram of a data processing environment that has been reconfigured in response to a threat to a guest data processing system is depicted in accordance with an illustrative embodiment. In this example, data processing environment 400 is an example of data processing environment 200 in Figure 2 after information security management system 226 in Figure 2 has identified and responded to threat 224 to data processing environment 200. In particular, data processing environment 400 is an example of data processing environment 200 of Figure 2 after information security management system 226 in Figure 2 has identified threat 224 directed to guest system 210 in Figure 2. In this example, therefore, threatened guest data processing system 402 corresponds to guest system 210 in Figure 2. In response to identifying a threat to threatened guest data processing system 402, threatened guest data processing system 402 is isolated. Isolation host data processing system 404 may be started. Isolation host data processing system 404 may be an isolated host data processing system configured to host threatened guest data processing system 402. Threatened guest data processing system 402 may be moved from host data processing system 202 to isolation host data processing system 404.

    [0073] Data traffic 216 may be directed to threatened guest data processing system 402 via isolation host data processing system 404. Threatened guest data processing system 402 and data traffic 216 directed thereto may be monitored and profiled.

    [0074] Replicated guest data processing system 406 may be started and associated with host data processing system 202. Replicated guest data processing system 406 replicates and replaces the functionality of threatened guest data processing system 402 as one of number of guest data processing systems 408 associated with host data processing system 202. Verified good traffic 410 from data traffic 216 may be directed to replicated guest data processing system 406 by host server 206 via host network 208.

    [0075] Turning now to Figure 5, a flowchart of a general process for information security management is depicted in accordance with an illustrative embodiment. This process may be implemented, for example, by information security management system 226 in data processing environment 200 in Figure 2.

    [0076] The process begins by determining whether an anomaly is detected in data traffic directed to a data processing environment (operation 502). An anomaly detected in the data traffic may indicate a threat to the data processing environment. If an anomaly is not detected in the data traffic, operation 502 may be repeated until an anomaly is detected in the data traffic.

    [0077] If an anomaly is detected in the data traffic, the target of the threat may be identified (operation 504). For example, operation 504 may include identifying whether the threat is directed at the host data processing system or a guest data processing system in the data processing environment.

    [0078] After the target of the threat is identified, the target of the threat may be isolated (operation 506). Network traffic may continue to be directed to the isolated system that is the target of the threat. The target system and traffic directed thereto may be monitored and analyzed (operation 508), with the process terminating thereafter.

    [0079] At the same time that operations 506 and 508 are performed, the targeted system may be replicated (operation 510). For example, the replicated system may be a new host data processing system or a replicated guest data processing system. A portion of the data traffic that is verified not to include anomalies then may be directed to the replicated system (operation 512) with the process terminating thereafter.

    [0080] Turning now to Figure 6, a more detailed flowchart of a process for information security management is depicted in accordance with an illustrative embodiment. This process may be implemented, for example, by information security management system 226 in data processing environment 200 in Figure 2.

    [0081] The process begins by determining whether an anomaly is detected in data traffic directed to a data processing environment (operation 602). An anomaly detected in the data traffic may indicate a threat to the data processing environment. If an anomaly is not detected in the data traffic, operation 602 may be repeated until an anomaly is detected in the data traffic. If an anomaly is detected in the data traffic, the target of the threat may be identified (operation 604).

    [0082] If the threat is identified at operation 604 as being directed against a host data processing system in the data processing environment, a new host data processing system may be started (operation 608). Guest data processing systems associated with the threatened host data processing system may be moved to the new host data processing system (operation 610). Data traffic verified not to include anomalies may be directed to the new host data processing system (operation 612). Data traffic may continue to be directed to the original threatened host data processing system. The original threatened host data processing system may be monitored under controlled conditions to identify a profile of the threat (operation 614), with the process terminating thereafter.

    [0083] Returning to operation 604, if it is determined that the threat is directed against a guest data processing system, the guest data processing system that is the target of the threat may be isolated (operation 618). An isolation host data processing system may be started (operation 620). The threatened guest data processing system may be moved to the isolation host data processing system and data traffic directed to the threatened guest data processing system via the isolation host (operation 622). The moved guest data processing system and network traffic directed thereto may be monitored to identify a profile of the threat (operation 624), with the process terminating thereafter.

    [0084] At the same time as operations 618, 620, 622, and 624 are performed, in response to a determination that the threat is directed against a guest data processing system, the guest data processing system that is the target of the threat may be replicated in the host data processing system (operation 626). Portions of the data traffic verified not to include anomalies may be directed to the replicated guest data processing system (operation 628), with the process terminating thereafter.
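The two branches of Figure 6 (and the reconfigurations of Figures 3 and 4 they produce) are easiest to follow as a simulation in which routing decisions are made explicit. The following Python is an added illustration written for this page, not the patent's own code: it reduces anomaly detection to a single assumed port rule, since the point here is isolation, replication and traffic steering, and all system names and addresses are constructed.

```python
"""In-memory simulation of the Figure 6 response: isolate the threatened
system, replicate it, steer verified-good traffic to the replica and keep
feeding all traffic to the isolated original for monitoring.  Added
illustration, not the patent's own code; names, addresses and the one-rule
detector are assumed."""
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_PORTS = {22, 80, 443}   # assumed rule set for the inline detector


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class System:
    name: str
    kind: str                       # "host" or "guest"
    address: str                    # address to which data traffic 216 is sent
    hosted_by: Optional[str] = None # name of the host a guest runs on
    isolated: bool = False
    received: list = field(default_factory=list)


class Environment:
    """Tracks systems, a routing table (address -> system now serving it)
    and the isolated systems that still receive every packet for analysis."""

    def __init__(self):
        self.systems = {}
        self.routes = {}
        self.isolated = {}

    def add(self, system):
        self.systems[system.name] = system
        self.routes[system.address] = system.name   # newest serves the address
        return system

    def is_anomalous(self, pkt):
        """Operation 602 reduced to one assumed rule: port not allowed."""
        return pkt.dport not in ALLOWED_PORTS

    def respond(self, target):
        """Operations 608-614 (host) or 618-628 (guest)."""
        target.isolated = True
        self.isolated[target.address] = target.name
        if target.kind == "host":
            # 608-610: new host takes over the address and the guests
            new_host = self.add(System(f"replacement-for-{target.name}",
                                       "host", target.address))
            for g in self.systems.values():
                if g.kind == "guest" and g.hosted_by == target.name:
                    g.hosted_by = new_host.name
            return new_host
        # 618-622: threatened guest moves to a fresh, isolated host
        original_host = target.hosted_by
        iso_host = System(f"isolation-host-for-{target.name}", "host",
                          address="(none)", isolated=True)
        self.systems[iso_host.name] = iso_host
        target.hosted_by = iso_host.name
        # 626: replica on the original host takes over the guest's address
        return self.add(System(f"replica-of-{target.name}", "guest",
                               target.address, hosted_by=original_host))

    def process(self, pkt):
        """Route one packet and return the names of systems it reached.
        The first anomaly for an address triggers respond(); afterwards an
        isolated system still gets everything (614/624) while only verified
        good traffic reaches whichever system now serves the address (612/628)."""
        if pkt.dst not in self.routes:
            return []                                   # unknown address: dropped
        anomalous = self.is_anomalous(pkt)
        if anomalous and pkt.dst not in self.isolated:
            self.respond(self.systems[self.routes[pkt.dst]])   # 604: target
        reached = []
        if pkt.dst in self.isolated:
            iso = self.systems[self.isolated[pkt.dst]]
            iso.received.append(pkt)
            reached.append(iso.name)
        if not anomalous:
            serving = self.systems[self.routes[pkt.dst]]
            serving.received.append(pkt)
            reached.append(serving.name)
        return reached


def build_environment():
    """Constructed Figure 2 layout: host 202 with guests 210, 212 and 214."""
    env = Environment()
    env.add(System("host-202", "host", "10.0.0.1"))
    for name, addr in (("guest-210", "10.0.0.10"), ("guest-212", "10.0.0.11"),
                       ("guest-214", "10.0.0.12")):
        env.add(System(name, "guest", addr, hosted_by="host-202"))
    return env


def run_guest_scenario():
    """Figure 4: guest 210 is threatened; returns (environment, delivery log)."""
    env = build_environment()
    log = [env.process(p) for p in (
        Packet("198.51.100.7", "10.0.0.10", 443),   # good, before the threat
        Packet("203.0.113.9", "10.0.0.10", 3389),   # anomaly: triggers response
        Packet("198.51.100.7", "10.0.0.10", 443),   # good: original + replica
        Packet("203.0.113.9", "10.0.0.10", 23),     # anomaly: isolated original only
    )]
    return env, log


def run_host_scenario():
    """Figure 3: host 202 is threatened; returns (environment, delivery log)."""
    env = build_environment()
    log = [env.process(p) for p in (
        Packet("203.0.113.9", "10.0.0.1", 4444),    # anomaly at the host
        Packet("198.51.100.8", "10.0.0.1", 22),     # good: old host + new host
        Packet("198.51.100.7", "10.0.0.11", 80),    # guest traffic continues
    )]
    return env, log


if __name__ == "__main__":
    for scenario in (run_guest_scenario, run_host_scenario):
        env, log = scenario()
        print(scenario.__name__, log)
```

Two properties of the description are visible in the delivery log: the isolated original keeps receiving the anomalous packets for profiling, and after replication a verified-good packet reaches both the isolated original and the replica, so the threatened address never stops being served. In the host case the guests are rehosted by name only; their own addresses and routes are untouched, which is the reduced disruption the description is after.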

    [0085] Turning now to Figure 7, an illustration of a block diagram of a data processing system is depicted in accordance with an illustrative embodiment. In this example, data processing system 700 is an example of one implementation of a data processing system for implementing host data processing system 202, number of guest data processing systems 204, or information security management system 226 in Figure 2.

    [0086] In this illustrative example, data processing system 700 includes communications fabric 702. Communications fabric 702 provides communications between processor unit 704, memory 706, persistent storage 708, communications unit 710, input/output unit 712, and display 714. Memory 706, persistent storage 708, communications unit 710, input/output unit 712, and display 714 are examples of resources accessible by processor unit 704 via communications fabric 702.

    [0087] Processor unit 704 serves to run instructions for software that may be loaded into memory 706. Processor unit 704 may be a number of processors, a multi-processor core, or some other type of processor, depending on the particular implementation. Further, processor unit 704 may be implemented using a number of heterogeneous processor systems in which a main processor is present with secondary processors on a single chip. As another illustrative example, processor unit 704 may be a symmetric multi-processor system containing multiple processors of the same type.

    [0088] Memory 706 and persistent storage 708 are examples of storage devices 716. A storage device is any piece of hardware that is capable of storing information, such as, for example, without limitation, data, program code in functional form, and other suitable information either on a temporary basis or a permanent basis. Storage devices 716 also may be referred to as computer readable storage devices in these examples. Memory 706, in these examples, may be, for example, a random access memory or any other suitable volatile or non-volatile storage device. Persistent storage 708 may take various forms, depending on the particular implementation.

    [0089] For example, persistent storage 708 may contain one or more components or devices. For example, persistent storage 708 may be a hard drive, a flash memory, a rewritable optical disk, a rewritable magnetic tape, or some combination of the above. The media used by persistent storage 708 also may be removable. For example, a removable hard drive may be used for persistent storage 708.

    [0090] Communications unit 710, in these examples, provides for communications with other data processing systems or devices. In these examples, communications unit 710 is a network interface card. Communications unit 710 may provide communications through the use of either or both physical and wireless communications links.

    [0091] Input/output unit 712 allows for input and output of data with other devices that may be connected to data processing system 700. For example, input/output unit 712 may provide a connection for user input through a keyboard, a mouse, and/or some other suitable input device. Further, input/output unit 712 may send output to a printer. Display 714 provides a mechanism to display information to a user.

    [0092] Instructions for the operating system, applications, and/or programs may be located in storage devices 716, which are in communication with processor unit 704 through communications fabric 702. In these illustrative examples, the instructions are in a functional form on persistent storage 708. These instructions may be loaded into memory 706 for execution by processor unit 704. The processes of the different embodiments may be performed by processor unit 704 using computer-implemented instructions, which may be located in a memory, such as memory 706.

    [0093] These instructions are referred to as program instructions, program code, computer usable program code, or computer readable program code that may be read and executed by a processor in processor unit 704. The program code in the different embodiments may be embodied on different physical or computer readable storage media, such as memory 706 or persistent storage 708.

    [0094] Program code 718 is located in a functional form on computer readable media 720 that is selectively removable and may be loaded onto or transferred to data processing system 700 for execution by processor unit 704. Program code 718 and computer readable media 720 form computer program product 722 in these examples. In one example, computer readable media 720 may be computer readable storage media 724 or computer readable signal media 726.

    [0095] Computer readable storage media 724 may include, for example, an optical or magnetic disk that is inserted or placed into a drive or other device that is part of persistent storage 708 for transfer onto a storage device, such as a hard drive, that is part of persistent storage 708. Computer readable storage media 724 also may take the form of a persistent storage, such as a hard drive, a thumb drive, or a flash memory, that is connected to data processing system 700. In some instances, computer readable storage media 724 may not be removable from data processing system 700.

    [0096] In these examples, computer readable storage media 724 is a physical or tangible storage device used to store program code 718 rather than a medium that propagates or transmits program code 718. Computer readable storage media 724 is also referred to as a computer readable tangible storage device or a computer readable physical storage device. In other words, computer readable storage media 724 is a media that can be touched by a person.

    [0097] Alternatively, program code 718 may be transferred to data processing system 700 using computer readable signal media 726. Computer readable signal media 726 may be, for example, a propagated data signal containing program code 718. For example, computer readable signal media 726 may be an electromagnetic signal, an optical signal, and/or any other suitable type of signal. These signals may be transmitted over communications links, such as wireless communications links, optical fiber cable, coaxial cable, a wire, and/or any other suitable type of communications link. In other words, the communications link and/or the connection may be physical or wireless in the illustrative examples.

    [0098] In some illustrative embodiments, program code 718 may be downloaded over a network to persistent storage 708 from another device or data processing system through computer readable signal media 726 for use within data processing system 700. For instance, program code stored in a computer readable storage medium in a server data processing system may be downloaded over a network from the server to data processing system 700. The data processing system providing program code 718 may be a server computer, a client computer, or some other device capable of storing and transmitting program code 718. The different components illustrated for data processing system 700 are not meant to provide architectural limitations to the manner in which different embodiments may be implemented. The different illustrative embodiments may be implemented in a data processing system including components in addition to and/or in place of those illustrated for data processing system 700. Other components shown in Figure 7 can be varied from the illustrative examples shown. The different embodiments may be implemented using any hardware device or system capable of running program code. As one example, data processing system 700 may include organic components integrated with inorganic components and/or may be comprised entirely of organic components excluding a human being. For example, a storage device may be comprised of an organic semiconductor.

    [0099] In another illustrative example, processor unit 704 may take the form of a hardware unit that has circuits that are manufactured or configured for a particular use. This type of hardware may perform operations without needing program code to be loaded into a memory from a storage device to be configured to perform the operations.

    [0100] For example, when processor unit 704 takes the form of a hardware unit, processor unit 704 may be a circuit system, an application specific integrated circuit (ASIC), a programmable logic device, or some other suitable type of hardware configured to perform a number of operations. With a programmable logic device, the device is configured to perform the number of operations. The device may be reconfigured at a later time or may be permanently configured to perform the number of operations. Examples of programmable logic devices include, for example, a programmable logic array, a programmable array logic, a field programmable logic array, a field programmable gate array, and other suitable hardware devices. With this type of implementation, program code 718 may be omitted, because the processes for the different embodiments are implemented in a hardware unit.

    [0101] In still another illustrative example, processor unit 704 may be implemented using a combination of processors found in computers and hardware units. Processor unit 704 may have a number of hardware units and a number of processors that are configured to run program code 718. With this depicted example, some of the processes may be implemented in the number of hardware units, while other processes may be implemented in the number of processors.

    [0102] In another example, a bus system may be used to implement communications fabric 702 and may be comprised of one or more buses, such as a system bus or an input/output bus. Of course, the bus system may be implemented using any suitable type of architecture that provides for a transfer of data between different components or devices attached to the bus system.

    [0103] Additionally, communications unit 710 may include a number of devices that transmit data, receive data, or both transmit and receive data. Communications unit 710 may be, for example, a modem or a network adapter, two network adapters, or some combination thereof. Further, a memory may be, for example, memory 706, or a cache, such as that found in an interface and memory controller hub that may be present in communications fabric 702.

    [0104] The flowcharts and block diagrams described herein illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various illustrative embodiments. In this regard, each block in the flowcharts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function or functions. It should also be noted that, in some alternative implementations, the functions noted in a block may occur out of the order noted in the figures. For example, the functions of two blocks shown in succession may be executed substantially concurrently, or the functions of the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

    [0105] The description of the different illustrative embodiments has been presented for purposes of illustration and description and is not intended to be exhaustive or to limit the embodiments in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. Further, different illustrative embodiments may provide different benefits as compared to other illustrative embodiments. The embodiment or embodiments selected are chosen and described in order to best explain the principles of the embodiments, the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.


    Claims

    1. A method for information security management, comprising:

    identifying an anomaly (222) in data traffic (216) directed to a data processing environment (200, 300), wherein the anomaly (222) indicates a threat to the data processing environment (200, 300) and the data processing environment (200, 300) comprises a plurality of data processing systems (202, 204, 210, 212, 214, 302, 303, 308, 402, 404, 406, 408);

    identifying a threatened data processing system (302, 402), wherein the threatened data processing system (302, 402) is one of the plurality of data processing systems to which the threat is directed;

    isolating the threatened data processing system (302, 402);

    monitoring and analyzing the threatened data processing system (302, 402) after isolating the threatened data processing system; and

    replicating the threatened data processing system to form a replicated data processing system (303, 406);

    directing a portion of the data traffic (216) that is verified to have no anomalies to the replicated data processing system (303, 406); wherein

    the plurality of data processing systems comprises a host data processing system (202, 302, 303, 402, 404) and a plurality of guest data processing systems (204, 210, 212, 214, 308, 406, 408) associated with the host data processing system;

    the threatened data processing system (302, 402) is one of the plurality of guest data processing systems;

    the threatened data processing system (302, 402) is replicated to form a replicated guest data processing system associated with the host data processing system;

    the portion of the data traffic that is verified to have no anomalies is directed to the replicated guest data system;

    the threatened guest data processing system is moved to an isolation host data processing system (404);

    data traffic is directed to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system; and

    the threatened guest data processing system is monitored after moving the threatened guest data processing system to the isolation host data processing system.


     
    2. The method of claim 1, wherein the data traffic (216) directed to the threatened data processing system (302, 402) after isolating the threatened data processing system comprises the data traffic indicating the threat and further comprising:
    identifying a profile of the data traffic (216) indicating the threat.
     
    3. An apparatus comprising:
    an information security management system (226) implemented in a data processing environment (200, 300, 400), the data processing environment comprising a plurality of data processing systems (202, 302, 303, 402, 404, 204, 210, 212, 214, 308, 406, 408), wherein the information security management system is configured to:

    identify an anomaly (222) in data traffic (216) directed to the data processing environment, wherein the anomaly indicates a threat (224) to the data processing environment;

    identify a threatened data processing system (302, 402), wherein the threatened data processing system is one of the plurality of data processing systems to which the threat is directed;

    isolate the threatened data processing system;

    monitor and analyze the threatened data processing system after the threatened data processing system is isolated; and

    replicate the threatened data processing system to form a replicated data processing system (303, 406), wherein the information security management system (226) is further configured to direct a portion of the data traffic (216) that is verified to have no anomalies (222) to the replicated data processing system; wherein

    the plurality of data processing systems comprises a host data processing system and a plurality of guest data processing systems associated with the host data processing system;

    the threatened data processing system is one of the plurality of guest data processing systems; and

    the information security management system is further configured to:

    direct the portion of the data traffic that is verified to have no anomalies to the replicated guest data system;

    move the threatened guest data processing system to an isolation host data processing system (404);

    direct data traffic to the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system; and

    monitor the threatened guest data processing system after moving the threatened guest data processing system to the isolation host data processing system.


     
    4. The apparatus of claim 3, wherein:

    the data traffic (216) directed to the threatened data processing system (302, 402) after the threatened data processing system is isolated comprises the data traffic indicating the threat (224); and

    the information security management system (226) is further configured to identify a profile of the data traffic indicating the threat.
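The workflow of claims 1 and 2, as an added illustrative model that is not the patent's own implementation: an in-memory `ISMS` class with hypothetical names (`Guest`, `Packet`, `web-1`, `host-A`, `isolation-host`, and an oversized-payload rule standing in for the anomaly detector) detects the anomaly and the targeted guest, isolates it, replicates it on its host, routes verified-clean traffic to the replica, moves the threatened guest to an isolation host, keeps routing the threat traffic there under observation, and records a profile of that traffic.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src dst payload")  # dst = logical guest name addressed

@dataclass
class Guest:
    name: str
    host: str
    isolated: bool = False
    observed: list = field(default_factory=list)  # traffic seen while isolated

def is_anomalous(pkt):
    """Constructed detector (not the patent's): oversized or non-printable payloads."""
    return len(pkt.payload) > 1024 or not pkt.payload.isprintable()

class ISMS:
    """In-memory stand-in for the information security management system."""
    def __init__(self, guests, isolation_host="isolation-host"):
        self.guests = {g.name: g for g in guests}
        self.routes = {g.name: g.name for g in guests}  # logical dst -> actual guest
        self.isolation_host = isolation_host
        self.threat_profiles = {}

    def detect(self, traffic):
        """Claim 1, steps 1-2: name the guest the anomalous traffic is directed to."""
        hits = Counter(p.dst for p in traffic if is_anomalous(p))
        return hits.most_common(1)[0][0] if hits else None

    def respond(self, name, traffic):
        """Isolate, replicate on the same host, send clean traffic to the replica,
        move the guest to the isolation host and profile the threat (claims 1-2)."""
        guest = self.guests[name]
        guest.isolated = True
        replica = Guest(f"{name}-replica", guest.host)
        self.guests[replica.name] = replica
        self.routes[name] = replica.name  # verified-clean traffic now goes here
        guest.host = self.isolation_host
        suspect = [p for p in traffic if p.dst == name and is_anomalous(p)]
        guest.observed.extend(suspect)  # threat traffic still reaches the guest
        self.threat_profiles[name] = Counter(p.src for p in suspect)
        return replica.name

    def route(self, pkt):
        """Destination after the response: anomalous traffic keeps going to the
        isolated guest, where it is recorded; everything else goes to the replica."""
        guest = self.guests[pkt.dst]
        if guest.isolated and is_anomalous(pkt):
            guest.observed.append(pkt)
            return guest.name
        return self.routes[pkt.dst]

def run_scenario():
    """Constructed traffic: one oversized request aimed at guest web-1."""
    isms = ISMS([Guest("web-1", "host-A"), Guest("db-1", "host-A")])
    traffic = [Packet("10.0.0.5", "web-1", "GET /index"), Packet("10.0.0.5", "db-1", "SELECT 1"),
               Packet("10.0.0.9", "web-1", "A" * 2048)]  # the constructed anomaly
    threatened = isms.detect(traffic)
    replica = isms.respond(threatened, traffic) if threatened else None
    return isms, threatened, replica
```

After `run_scenario()`, later packets can be passed to `ISMS.route` to see that the replica keeps serving clean requests while the isolated guest only ever receives, and logs, the traffic carrying the anomaly.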


     






    Drawing