Macnica

Website Importance

In recent years, websites have come to serve not only as company homepages and product introductions, but also as core systems for B2C and B2B e-commerce and for the rapidly growing number of mobile sites.

At the same time, a new type of attack known as a list-type attack has become common. It uses sophisticated methods and "normal" accounts to steal personal information, points, and other assets from websites.

By their nature, websites aggregate information and accumulate important data, yet through API integration they are linked to websites outside the company, and their boundaries are becoming blurred.

In addition, attackers who hide behind the secrecy of the Internet are very likely to succeed, which makes websites easy targets.

The Importance of Website Security Monitoring

For in-house systems, by contrast, it is common for security devices to be monitored by MSSPs (Managed Security Service Providers). So is website monitoring needed as well? Some of the reasons why websites have not been monitored include:

  1. The mainstream approach was to focus on defense using security products such as WAF and IPS.
  2. There was no mechanism for monitoring website APIs and user behavior within applications in the first place, and none was needed because attacks such as list-type attacks did not exist.
  3. Depending on the company, internal systems are managed by the information systems department while websites are managed by a business department, so there was little awareness of security measures.

As websites grow in importance and the attacks targeting them grow more sophisticated, website security monitoring is becoming more important. It requires monitoring not only the security devices that protect the website, but also the APIs and applications on the web server.

Web security device monitoring
  • Monitoring using logs and alerts of website defense equipment (WAF/IPS)
+
Web-related server monitoring
  • Monitoring for threats that cannot be prevented by website defense devices

Website security monitoring service menu

We offer two menus, depending on the importance of the website.

Web security device monitoring is for websites that want minimal monitoring. Web-related server monitoring is for websites that require a high level of countermeasures, for example because they hold a large amount of personal information.

Web security device monitoring: Monitoring using website defense functions (WAF/IPS)

  • <Prerequisites>
    • WAF/IPS must be in blocking mode
    • If the WAF function includes list-type attack detection, it will also be monitored.
  • <Threats to be monitored and target logs>
    • Major attacks against applications: WAF block logs or IPS alert logs
    • Attacks on OS/middleware: IPS alert logs
  • <Report content>
    • Monitor and report on trends in attack content and attack sources.

Web-related server monitoring: Monitoring against threats that defense functions cannot prevent

  • <Selected threat classification and monitored log>
    • Attack monitoring after unauthorized login (unauthorized point transfer, etc.): Application log
      • Monitoring content: Define behavior that is not normal and monitor for illegal behavior
    • Internal fraud monitoring (privilege usage history): DB log (SQL)
      • Monitoring content: Aggregate privilege usage history once a day and report the next day
    • List-type attack monitoring: Select one of the logs listed below. The order in which they are listed increases the monitoring accuracy.
      1. App log (authentication): Monitor the number of authentication failures
         • Monitor for failures exceeding the threshold in one minute
      2. Access log (Apache, IIS, etc.): Monitor the number of accesses to a specific URL (login)
         • Monitor for failures exceeding the threshold in one hour
  • <Discussion items>
    • Whether to mask personal information contained in the logs before transfer will be discussed.
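
The two list-type attack checks described above (authentication failures per minute from the app log, login URL accesses per hour from the access log) can be sketched as follows. This is an added example, not code from Macnica's service; the app-log format, the `/login` path, the threshold values and all sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed app-log format: "<ISO-8601 time> auth result=<OK|FAIL> user=<id>"
AUTH_RE = re.compile(r"^(\S+) auth result=(OK|FAIL) user=\S+$")
# Apache common log format: host ident user [time] "METHOD path proto" status size
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')

def auth_failure_times(lines):
    """Timestamps of failed authentications in the application log."""
    hits = (AUTH_RE.match(line.strip()) for line in lines)
    return [datetime.fromisoformat(m.group(1)) for m in hits if m and m.group(2) == "FAIL"]

def login_access_times(lines, login_path="/login"):
    """Timestamps of requests to the login URL, query string ignored."""
    hits = (ACCESS_RE.match(line.strip()) for line in lines)
    return [datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            for m in hits if m and m.group(2).split("?", 1)[0] == login_path]

def windows_over_threshold(times, window_seconds, threshold):
    """Count events per fixed window; return {window_start: count} for counts above threshold."""
    counts = Counter()
    for t in times:
        epoch = int(t.timestamp())
        counts[epoch - epoch % window_seconds] += 1
    return {datetime.fromtimestamp(start, timezone.utc): n
            for start, n in sorted(counts.items()) if n > threshold}

# Constructed sample data: 12 failures inside one minute, then normal activity.
AUTH_LOG = [f"2024-05-01T10:00:{s:02d}+00:00 auth result=FAIL user=u{s}" for s in range(12)] + [
    "2024-05-01T10:01:05+00:00 auth result=FAIL user=alice",
    "2024-05-01T10:01:09+00:00 auth result=OK user=alice",
]
# Constructed sample data: 40 login requests inside one hour, then normal activity.
ACCESS_LOG = [f'203.0.113.{i % 5} - - [01/May/2024:10:{i:02d}:00 +0000] "POST /login HTTP/1.1" 200 512'
              for i in range(40)] + [
    '198.51.100.9 - - [01/May/2024:11:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/May/2024:11:03:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    # Thresholds are placeholders; tune them to the site's normal traffic.
    for name, alerts in (
        ("auth failures/min", windows_over_threshold(auth_failure_times(AUTH_LOG), 60, 10)),
        ("login hits/hour", windows_over_threshold(login_access_times(ACCESS_LOG), 3600, 30)),
    ):
        for start, n in alerts.items():
            print(f"ALERT {name}: {n} events in window starting {start.isoformat()}")
```

Counting across all sources rather than per IP address keeps the check effective when the login attempts are spread over many addresses, as in the constructed access log.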

Website security monitoring service: monitoring configuration image

Website security monitoring service: operation flow image

Inquiry/Document request

Contact: Macnica Security Service Co., Ltd.

Mon-Fri 8:45-17:30