Evasion of Threats by Signature Antivirus Products and Response to Huge Volume of Alerts are Challenges

BANDAI NAMCO business arc is a company that provides management headquarters functions and shared services for group companies in the BANDAI NAMCO Group, which operates globally in a variety of entertainment fields such as toys and games. The role of the company's information system department is wide-ranging, from planning and promoting IT strategies and governance to system development, operation, maintenance, and security measures for 22 domestic group companies (approximately 8,500 employees). .

The group had been using a signature antivirus (AV) product as an endpoint security measure for some time, but around 2014, it began to feel that its functionality was limited. “Amidst the rapid increase in unknown malware and fileless attacks, AV products were becoming unable to detect even subspecies of malware. could not catch up, and as a result, we were in a situation where we could not do anything about the alerts.” (Mr. Nakamura)

As one of Japan's leading entertainment companies, the leakage of confidential information, including personal information, is absolutely unacceptable. Therefore, the company solicited proposals from vendors to expand security measures for endpoints, but many of them had high hurdles for introduction and could not be expected to be cost-effective. It is said that it was dealt with by applying a security patch to the OS.

Functions can be expanded from a small start Level classification clarifies events that should be prioritized

However, cyber-attacks are becoming more sophisticated and malicious with each passing day. BANDAI NAMCO business arc, fearing that the group would be exposed to a crisis if things continued as they were, decided to implement drastic countermeasures, and began considering them at the beginning of 2018. Specifically, we picked up 6 endpoint countermeasures and compared them. We narrowed it down to 3 products, and from there we spent another 3 months evaluating them. Mr. Kazu Yoshimura of the IT Environment Strategy Team, IT Infrastructure Strategy Section, Information Systems Department said, "The requirement was to be able to deal effectively with unknown and known malware, ransomware, and fileless attacks. CrowdStrike is an AI/machine learning-based You can start small by purchasing only "Falcon Prevent (next-generation antivirus)", which has a function to detect and block malware, and a function to block malicious behavior from the correlation and relevance of each process, and if necessary, " It was possible to gradually expand functions such as "Falcon Insight (EDR)" and "Falcon Overwatch (threat hunting service)". However, the intrusion route can be traced from the process tree, and the behavior of each related process (information on external communication, file writing, etc.) can also be easily grasped.The same applies to other products with the EDR function. Although it is possible to check the information, the license price did not fit the budget because it was necessary to purchase a set of AV and EDR."
“In terms of operational changes, until now, we had to send samples detected by AV products to the vendor for analysis, otherwise we would not know what happened. With 100 alerts, it was difficult to know which alert to respond to first.In that regard, Falcon Prevent raises alerts in five levels, such as Critical, High, and Medium, so we can prioritize them. I appreciate the clarification of the alerts that need to be dealt with.” (Mr. Nakamura)

Evaluating these features, the company decided to adopt Falcon Prevent in June 2018.

There were no false positives or performance impacts after the introduction Visualization of threats gave us a great sense of security

In July 2018, BANDAI NAMCO business arc began implementing Falcon Prevent on a business unit basis. First of all, the company and related companies have started introducing it as a test, and it is expanding to the amusement facility system and the toy/hobby system. "Currently, we are in the process of introducing it to a game development company. Development sites use special tools and perform special operations, and developers are sensitive to changes in the system environment. So, I was worried that there would be a backlash, but there have been no false positives or performance deterioration, and we are proceeding smoothly.” (Mr. Nakamura)

Falcon Prevent was first introduced in detection mode coexisting with existing AV products, and then moved to block mode and removed the existing AV products when completed. During the coexistence period, there were cases where Falcon Prevent detected malware that existing AV products could not detect, and I feel that the introduction is very effective. After starting the operation of Falcon Prevent, so far there has been no Critical alerts, 1 or 2 High alerts per month, and about 10 Medium alerts.
“The most important effect is that threats are visualized, which gives us a great sense of security. I am now able to give a clear explanation, and I am considering submitting a report on a regular basis in the future.” (Mr. Nakamura)

In addition, because Falcon Prevent is a cloud service, it eliminates the need for servers for existing AV products that were previously operated on-premises, greatly reducing the cost and effort required for maintenance management.

Continue deployment to remaining clients and servers

BANDAI NAMCO business arc will continue to introduce FalconPrevent, and after dealing with the 10,000 affected clients, plans to deploy it on servers as well. Ooba Makio of the IT Environment Strategy Team, IT Infrastructure Strategy Section, Information Systems Department, said, "Macnica responded quickly and accurately to our inquiries regarding this implementation, and we are very grateful for their response. Also, by interacting with them at user meetings and learning about other companies' approaches to security, we are greatly inspired."

Finally, regarding the future, Mr. Nakamura said, ``Management has told us to take countermeasures based on the assumption that our group is constantly being targeted and infiltrated. The key will be how quickly we can respond to these issues.I hope Macnica will continue to provide suggestions and support from this aspect."

User Profile