Mpression Cyber Security Service™ - Threat hunting service developed by ITOCHU Corp. CSIRT for overseas bases

POINT

  • Advanced targeted attacks designed to bypass existing security products are detected by proprietary sensors using AI technology, combined with analysis by analysts.
  • 20,000 terminals have been investigated, establishing a diagnostic life cycle from information collection through detection to response.
  • The safety of terminals at overseas bases that have no IT administrator is made visible.

Mr. Motohiko Sato

ITOCHU Corp. Corporation IT Planning Department Technology Management Office ITCCERT
Senior Cyber Security Analyst

At a system integrator, he handled security consulting, information security audits, information system audits, and incident response for government agencies and major private companies. He then joined ITCCERT, the CSIRT team of ITOCHU Corp. Corporation, where he plans, executes, and operates cybersecurity measures for the company and the group as a whole. He also serves as an associate professor in the Information Environment Division of Chiba University's Management Infrastructure (National University Corporation), where he operates C-csirt, the university's CSIRT team, builds its systems and mechanisms, and provides practical support, triage support, and information.

ITOCHU Corp. 's ITCCERT Focuses on Incident Prevention

In recent years, cyberattacks have become more sophisticated as cybercrime has been industrialized, and attacks targeting companies and organizations have become a major management risk.

In addition, financially motivated attacks such as ransomware and business email compromise are familiar threats to many companies.

Therefore, recently, there is a growing movement to establish a CSIRT (Computer Security Incident Response Team), which is an organization for dealing with computer security incidents.

ITOCHU Corp. Corporation (hereafter, ITOCHU Corp.) launched its CSIRT in 2012. The company's CSIRT is called ITCCERT; the "R" stands for three elements: readiness, response, and recovery. "ITCCERT is a virtual organization created within the IT Planning Department, which manages and operates the company-wide network. ITCCERT specializes in cyber security operations and focuses on incident prevention, response, analysis, and recurrence prevention. We also provide direct support to more than 300 ITOCHU group companies if they request it," says Motohiko Sato, Senior Cyber Security Analyst, IT Planning Department, ITOCHU Corp.

ITOCHU Corp. adopts an in-house company system, and each in-house company has its own information system division, but when a cyber security incident occurs, ITCCERT plays a central role in responding to it.

In addition, ITCCERT constantly monitors network communications and e-mails arriving from outside the company. By writing its own detection rules based on the knowledge accumulated in-house, it captures attack characteristics that existing security products cannot detect, and continuously creates rules that can detect similar attacks should they occur.

Information such as malware communication destinations and hashes obtained through its own intelligence activities is used to protect ITOCHU Corp. and prevent the company's security incidents from occurring. "ITCCERT focuses on incident prevention, and we work every day with the belief that it is important not to cause incidents," emphasizes Mr. Sato.

ITOCHU group 's Threat Hunting Service

On the other hand, ITOCHU group companies and their overseas bases use networks separate from that of the ITOCHU Corp. headquarters, so these defenses do not protect them directly.

For this reason, ITCCERT has developed a special cyber security program "I" series for group companies and overseas bases.

The content is wide-ranging, including URL filtering services, business email fraud countermeasure tools, risk assessments specializing in cyber security, and workshops that are immediately useful in actual work.

One of the menus, "I" Discovery, is an endpoint security service that inspects terminals for latent malware, and it has a track record of threat inspection on more than 20,000 terminals since the service started in October 2017. Its core technology is the hunting tool "ThreatSonar" developed by Team T5 in Taiwan.

Forensic technology that collects essential information for hunting

ThreatSonar quickly gathers information about a device's running processes, deleted files, memory contents, and other data necessary for computer forensics. Analyzing the collected information with its own engine makes it possible to precisely extract suspicious files. A proprietary AI-assisted behavioral model flags suspicious behavior, enabling a thorough investigation of activity that signature-based antivirus cannot detect. The collected information is then analyzed by ITCCERT staff with specialized knowledge, making it possible to find latent malware that existing antivirus software misses. In addition, ITCCERT and the information system departments of each group company jointly analyze the detection results, so the appropriate response can be determined at an early stage.

Discover threats that your existing endpoint security can't detect

Among the various endpoint security approaches available, Mr. Sato cites two reasons for choosing ThreatSonar: its underlying technology is not antivirus, and it is excellent software that can greatly raise the security level.

The ITOCHU group has more than 300 subsidiaries and employs approximately 100,000 people. Furthermore, as a trading company, it actively establishes joint ventures and capital and business alliances. The ITOCHU group therefore does not mandate any specific endpoint security product; the most suitable products are introduced based on each company's requirements. The only thing these companies have in common is that they use antivirus products. "Next-generation antivirus products are an extension of antivirus. Antivirus vendors have technical strengths and weaknesses, and it is difficult to eliminate everything exhaustively. ThreatSonar was very attractive as a security product that can detect threats that have slipped through, using its unique functions, while still making use of antivirus."

When "I" Discovery was first offered, more than 50 group companies raised their hands to use the service. More than half of the companies that applied ran one-shot scans, and some companies began to perform regular scans. The information system departments of companies that run "I" Discovery regularly are said to be satisfied that they can confirm their devices have not been compromised by unknown attacks that existing security products cannot detect, or by attacks that evade detection.

Ease of introduction is the decisive factor for deployment to group companies

"ThreatSonar doesn't require any installation; you just distribute and run a lightweight scanner. It doesn't require any knowledge or operational skills on the part of the user, and everything runs silently in the background.

In addition, since the amount of communication during operation is small, the burden on the network is small, and problems such as conflicts with the OS or applications and environmental dependence do not occur." (Mr. Sato)

Building a monitoring system even at overseas bases with limited resources

Running "I" Discovery has also uncovered banking malware that had been hiding in legitimate processes for many years. Mr. Sato finds it encouraging that the service detects not only active malware but also latent malware and risky software installed by users.

"I" Discovery is also used at overseas bases. Some overseas offices have no IT administrator, and in some cases there is only a single expatriate. In addition, the terminals used at overseas bases run a variety of Windows OS versions and languages. One of the advantages of ThreatSonar is that it can be deployed easily in such an environment without operational problems.

Finally, Mr. Sato said that ITCCERT is considering applying custom signatures to "I" Discovery in the future and will continue to strengthen the ITOCHU group's security.

Introducing Mpression Cyber Security Service™ Threat Hunting Service

  • Macnica offers a "Threat Hunting Service" in which our security analysts analyze ThreatSonar scan results and perform threat hunting on your behalf. In addition, by incorporating custom signatures created from the threat intelligence we have accumulated, we aim to improve the detection rate of targeted attacks aimed at Japan.

    The threat hunting service is available in two menus: "one-shot" use and "yearly" use.

User Profile

ITOCHU Corp. Corporation

URLs

https://www.itochu.co.jp

In 1858 (Ansei 5), Chubei Itoh, an Omi merchant, founded the company as a linen peddler. He then built the foundation of the business by running a kimono fabric dealership in Osaka. Today, as a major general trading company with approximately 130 bases in 65 countries including Japan, it is engaged in textiles, machinery, metals, energy, chemicals, food, housing, information, insurance, logistics, construction, and finance, handling import/export and trilateral trade as well as business investment in Japan and overseas.
