CrowdStrike

Cookpad Inc.

Used by 54 million people monthly
"CrowdStrike Falcon" supports the security of a popular recipe service operator

POINT
  • Realizes EDR and NGAV in a single agent
  • Detailed tracking of communication events and linkage with in-house systems enable reliable follow-up investigations
  • Supports monitoring of terminals outside the company, such as during business trips and remote work
Cookpad Inc.
Engineering Department Security Group
Mr. Kenichi Mito

Cookpad Inc.
Technical Department Security Group Group Leader
Mr. Tadanori Mizutani

NGAV products were introduced to eliminate overhead, but they produced a large number of false positives

Cookpad was established in 1997. It plans and operates the cooking recipe posting and search service "Cookpad" and develops a wide range of related businesses. To date, about 3 million recipes have been posted on the service, a total of 54 million people use it every month, and the number of paid premium members has exceeded 2 million. In 2014 the company began expanding overseas and has already launched services in regions such as Europe, America, Asia and the Middle East. It offers regional recipes in 26 languages across 71 countries (including Japan), and the number of monthly users has increased to 40 million.

The company's engineering department is responsible for operating and managing the infrastructure that supports its services. The security group designs and implements security systems and diagnoses vulnerabilities in those services, and it has faced many challenges along the way. Kenichi Mito of the Engineering Department's Security Group explains, "With so many users using the company's service, ensuring security is one of the most important issues for our service." Regarding endpoint security, he recalls, "We used to use signature-based anti-virus software, but the overhead gradually increased and it became a hindrance to our business. When searching on a local PC, we had to wait for several minutes, and work efficiency was greatly reduced. Therefore, in the summer of 2015, we switched to NGAV products that use machine learning."

While this switch eliminated the overhead problem, it introduced another: false positives. For example, a large number of alerts would be raised whenever a binary file that had never been seen before arrived, and enabling memory monitoring prevented the database program from starting. As a result, the product could not be operated unless its policy was set loosely. Masayoshi Mizutani, Group Manager of the Security Group of the Engineering Department, says of the situation at the time, "The biggest problem was the frequent occurrence of false positives in the development environment. Moreover, because the alerts contained so little information, we could not follow up on incidents and often had to close them midway."

In addition, at that time the company managed the product through its console as-is; there was no provision for linking products via API, collecting the various logs, or storing them long-term. Yet as threats have become more sophisticated in recent years, simply detecting and blocking events is no longer sufficient.
"Therefore, we felt we needed a mechanism to monitor activity on the terminal and track communication with the outside." (Mr. Mizutani)

CrowdStrike Falcon: reliably acquires data and works with existing systems

To solve these issues, Cookpad had been considering introducing EDR products since May 2018. In the course of that evaluation, Macnica introduced the company to CrowdStrike Holdings, Inc.'s NGAV (Falcon Prevent), EDR (Falcon Insight) and managed threat hunting service (Falcon OverWatch).
"Our requirements for this installation included being able to reliably obtain the data we needed, including from access outside the company, and being able to link with existing systems such as security monitoring equipment. With other products there were problems: they were difficult to handle on their own and needed to be used together with incident response tools, and it was difficult to set up a development environment smoothly. CrowdStrike Holdings, Inc.'s products had none of these problems." (Mr. Mito)

After conducting a PoC of CrowdStrike Holdings, Inc.'s products, the company enlisted engineers from each department and ran a test deployment in the actual development environment. CrowdStrike Falcon offers multiple functions in one agent. The company had been considering introducing only EDR (Falcon Insight) and the threat hunting service (Falcon OverWatch), but it was also able to confirm the functionality of NGAV (Falcon Prevent) during verification.
"Our company is based on Mac OS, which accounts for 80% of the total environment, but we were able to introduce it without any problems. In the beginning we only introduced EDR and the threat hunting service, and integrated them with our internal systems through API linkage. However, we were able to determine through the PoC that it would be possible to replace the existing NGAV product with Falcon Prevent, so we decided to adopt it at the same time. False positives have decreased dramatically, and it is good that the load on the client is small and it does not affect our work." (Mr. Mizutani)

Enables detailed understanding of communication events; supports access from outside the company, such as business trips and remote work

With the introduction of Falcon Insight, the company gained a deeper understanding of communication events, enabling deeper investigation. "For example, when a gateway detected communication to a suspicious destination, we had no choice but to ask the person in charge what they were doing. It has now become possible to understand what is happening, and to investigate and make decisions without interviewing the person in charge. In addition, through system linkage, logs can be transferred to and stored in our own environment for long-term monitoring, and we can track not only the route but also whether there was any access to or from the outside. It is great to be able to grasp the chronological order and check the movement of a process. The screen is also graphical, and the situation is clear at a glance." (Mr. Mito)

In addition, as the amount of information has increased, so have the options for response. It is now possible to clearly distinguish false positives from true positives. "In the past, we used to block communications that should not have been blocked. However, after installing CrowdStrike Falcon, we no longer receive inquiries from users about PC problems caused by security software." (Mr. Mizutani)

The company also appreciates the ability to handle access from outside the company, such as during business trips and remote work. "At our company we allow remote work at the discretion of each department, and since we can also follow up on terminals outside the company, we can approve their use with peace of mind." (Mr. Mizutani)

The company also places importance on linking EDR logs with its existing log management system, with which the EDR logs are now integrated. Having verified log transfer using these functions from the evaluation stage onward, it determined that the functions provided by CrowdStrike Falcon are substantial and effective.
"With a service that transfers logs via Syslog, there were problems with the operational load, such as logs being lost along the way. We link alert information generated by CrowdStrike Falcon, as well as normal events such as process activity and communication activity, with our own log management system." (Mr. Mizutani)

In addition, CrowdStrike Falcon includes a managed threat hunting service, Falcon OverWatch, which detects and investigates behaviors that indicate attacks 24/7. "It gives us a great sense of security, in that it reliably detects behaviors that are difficult for us to detect," said Mr. Mito.

Considering overseas deployment, process automation and SSO linkage

Now that Cookpad has completed the introduction of CrowdStrike Falcon in Japan, it is considering expanding it overseas as the next step. The company also aims to automate processing, such as classifying cases as false positives when certain conditions are met, and to promote single sign-on (SSO) linkage.
"This time, Macnica provided us with appropriate support on the contract side, even though the period from consideration to implementation was short. On the technical side, they responded in detail to our requests, which was very helpful. In the future we are considering establishing a unified management system both domestically and internationally, and we look forward to their continued support when it is introduced overseas." (Mr. Mito)

User Profile

Cookpad Inc.
Location: 4-20-3 Ebisu, Shibuya-ku, Tokyo
Introduction time: August 2018
URL: https://cookpad.com/
Under the mission of "making everyday cooking fun", the company develops its business centered on the planning and operation of the cooking recipe posting and search service "Cookpad". Currently the number of monthly users exceeds 54 million, and the company is actively expanding into overseas markets such as the UK, Spain and Indonesia. In 2009 it was listed on the Tokyo Stock Exchange Mothers, and in 2011 on the First Section of the Tokyo Stock Exchange.
