Mpression Cyber Security Service™

Sumitomo Rubber Industries, Ltd.

Sumitomo Rubber's Incident Response Time Reduced by 130 Hours - Accelerating Damage Analysis and Response Policy Formulation at Overseas Bases -

The Sumitomo Rubber Industries Group has nearly 40,000 employees worldwide, centered on the tire, sports, and industrial products businesses. This time, we asked Mr. Shuhei Matsumoto, the manager of the Digital Planning Department, about his response to cyber incidents.

Sumitomo Rubber's incident response history dates back to 2014. In 2014, we launched our CSIRT (Computer Security Incident Response Team) after suffering a DDoS attack that had a large impact on our business. At the time of its establishment, its scope was the IT of domestic affiliates, but it has since expanded to cover the IT and OT areas of domestic and overseas affiliates. We are actively exchanging information with people outside the company, and our CSIRT activities are evolving, for example by collecting knowledge that will lead to strengthening our own security.

However, although we have become able to handle POC and incident handling in-house, there is one function where we feel our skills are lacking: incident situation analysis. From 2014 to the present, incidents have occurred in Japan and overseas, and it was important for the CSIRT to improve its analysis capabilities.

Mpression Cyber Security Service was effective during the incident

Since the establishment of the CSIRT in 2014, we have used external forensics companies to check the infection status of each terminal when an incident occurs. However, when an incident occurs at an overseas base, it may take time to identify the extent of infection due to cultural differences and communication problems. As a result, the problem was that forensics took a lot of time.

Therefore, at the end of 2018, we started using the Mpression Cyber Security Service™ threat hunting service provided by Macnica.

This service is a cloud-based security service in which Macnica's security analysts conduct comprehensive investigations and support, including detection, investigation, response, and prevention. Simply by running the investigation tool from TeamT5, which draws on Asian threat intelligence, on the PC or server being investigated, it provides monitoring services during normal times, investigation services when incidents occur, and reports on investigation results and countermeasures.

When an incident occurred at Sumitomo Rubber Industries last year, this threat hunting service was effective in confirming the infection status of employee PCs. By using this service, the incident response time has been dramatically reduced. In the past, it took a lot of time to extract and transmit data, but now the minimum amount of data necessary for analysis can be sent directly from the site to analysts, which has significantly reduced the time and effort involved.

In addition, since it is now possible to obtain highly accurate analysis results at a very early stage, it has become possible to easily confirm the extent of the impact, determine the possibility of spread to other terminals, and speed up the overall incident response.

Significantly reduced incident response time and enabled comprehensive investigations

With the introduction of Mpression, forensics that used to take nearly 157 hours has been reduced to just 27 hours. This means that it can be shortened by up to 130 hours.

Also, when an incident occurred, I was able to get a report in just three days, which made up for my lack of situational analysis skills.

In terms of cost, since it is an annual contract based on the number of IPs, the cost is a fixed amount, making it easier to budget compared to traditional forensics. In terms of usability, in addition to being used as a diagnostic tool during normal operations, when an incident occurs it can be used in both online and offline environments, which makes it suitable for control system (OT) clients and has enabled comprehensive investigations. I also feel that the ability to check detailed analysis results on the console and the extremely quick QA response from Macnica engineers are factors that make it easier to use.

We are currently working on strengthening endpoint security. With Macnica's support, we have been working on a remote recovery system since August that uses a combination of EDR and managed security services (MSS) so that people working from home do not have to come to the office to recover their PCs if they become infected.
