CrowdStrike

DeNA Co., Ltd.

The low false positive rate and ease of operation of Falcon Insight (EDR) greatly reduced the operational burden on the SOC, enabling rapid situational awareness and response.

POINT
  • Each threat is ranked, making it clear which targets should be prioritized
  • During an investigation, the flow of processes can be grasped quickly
  • Infected terminals can be easily repaired or quarantined remotely

DeNA Co., Ltd.
System Headquarters Security Department
Security Technology Group
Mr. Hidefumi Hoshimoto

DeNA Co., Ltd.
Planning Division, Corporate Planning Headquarters
IT Strategy Department System Development Group
Mr. Takaya Akasaka

DeNA Co., Ltd.
System Headquarters
Security Department
Mr. Takashi Matsumoto

DeNA Co., Ltd.
System Headquarters Security Department
Security Technology Group
Mr. Takayuki Yasunaga

Existing countermeasures are insufficient to counter the latest threats

In addition to Internet services such as games, shopping, auctions, SNS, and payments, DeNA is developing its business in a wide range of fields, including sports, automotive, and healthcare. In 2011, it entered the professional baseball field and nearly doubled the number of spectators at the Yokohama DeNA BayStars in seven years.

Until now, as a responsibility of a company with many users, the company had introduced security measures such as signature-based antivirus products, vulnerability management, WAF, asset management tools, and log storage. However, when the company commissioned an external organization to conduct a penetration test, the damage was allowed to spread to some extent. Mr. Takashi Matsumoto of the Security Department of the System Headquarters said, "We were proud to have taken all possible measures, but looking at the results, we decided that our antivirus products weren't enough to counter the increasingly sophisticated threats, so we thought we needed EDR as a measure to quickly detect and isolate hidden threats and protect our company."

In addition, from the perspective of enhancing the company's reputation, a policy was announced to proactively invest in security against information leaks and for the protection of personal information. Encouraged by this, the company decided to establish a SOC and introduce EDR, which had a high priority, as part of improving security.

Adopted based on low false positive rate and ease of operation

When introducing EDR, DeNA picked 5 products and compared them on product specifications and functions in a desktop comparison. At this stage, support for Windows, Mac, and Linux was essential, because Macs account for half of the terminals in the company.

The company narrowed down the candidates to two products, including CrowdStrike Holdings, Inc.'s "CrowdStrike Falcon Insight", and conducted verification over a month from June 2018. Mr. Takaya Akasaka of the System Development Group, IT Strategy Department, Planning Division, Corporate Planning Headquarters, said, "We focused on checking how many false positives occurred. Because of this, I was afraid that there would be a lot of unusual behavior, and that normal behavior would be judged suspicious and false positives would occur out of nowhere. In this regard, CrowdStrike Falcon had very few false positives even with our company's unique development tools, and I felt that the detection accuracy was high. There were a lot of things that caused trouble for the target users."

Another selection criterion was ease of operation, specifically the ability to understand the situation intuitively and to see what is happening as a whole.
"When I had an SOC operator actually use it, CrowdStrike Falcon Insight was well received for being able to intuitively grasp the overall situation and for being able to easily search for events across the board. It was not easy to see the connection of the incidents as a whole. Considering these points, we thought that CrowdStrike Falcon would suit the operations we were aiming for." (Mr. Matsumoto)

The company decided to adopt CrowdStrike Falcon in August 2018. From September to November, the installation work was carried out remotely using an asset management tool, and it was gradually expanded to 100, 200, and 400 units while confirming that there were no problems. "I was worried that the introduction would slow down the operation, but I had no such concerns at all." (Mr. Akasaka)

Significantly reduced SOC operation load; easy to grasp the situation

The first effect of DeNA's introduction of CrowdStrike Falcon is that the SOC operation load has been greatly reduced. Regarding this point, Mr. Hidefumi Hoshimoto of the Security Technology Group, Security Department, System Headquarters, said, "For example, operators start responding to security alerts, but from the alert information generated by anti-virus products, it is difficult to identify alerts that should be investigated in detail. The task of narrowing down was difficult. In this regard, Falcon ranks threats, for example as Critical / High / Medium, so it becomes clear which targets should be prioritized. We basically check Medium or higher. We are able to deal with Critical and High in real time."

Also, in the past, there was the problem of not knowing which process was running on a terminal or which process had generated a communication, but this has been solved as well.
“Until now, we had searched logs and conducted forensics with a certain degree of accuracy, but we could only understand fragmentary information, and it took a considerable amount of time to analyze. I was able to grasp the situation immediately.” (Mr. Matsumoto)

Another convenient feature that the company appreciates is the remote real-time response function. It is now possible to remotely repair infected devices, for example by deleting files, stopping processes, and using PowerShell.

In addition, at the time of this introduction the company also adopted the "Falcon Discover" option, which enables asset management. An asset management tool had been introduced as a separate product, but the operator did not have access rights, which made it difficult to link with the EDR. However, since "Falcon Discover" can check asset information on the same management console, it is now possible to immediately grasp the version of an application and to quickly respond to risks such as vulnerabilities.

Regarding Macnica's response to this installation, Mr. Akasaka said, "I am very satisfied with the fact that they understood our environment, understood our intentions, and responded quickly with support. I felt very reassured by the speed of response. We will continue to pay attention to the expansion of CrowdStrike's product functionality in the future, so please continue to support us."

User Profile

DeNA Co., Ltd.
Location: 2-21-1 Shibuya, Shibuya-ku, Tokyo
Introduction time: November 2018
URL: https://dena.com/jp/
Since its establishment in 1999, DeNA has provided various Internet services such as games, shopping, and auctions, mainly for mobile phones. Since 2012, with the mission of "Delight and Impact the World", it has taken on new fields other than the Internet, such as sports, automotive, and healthcare. It is also working on research, development and introduction of AI technology to each business.