Splunk


MITSUBISHI ELECTRIC INFORMATION SYSTEMS CORPORATION

MDIS works on countermeasures against targeted cyberattacks. Combining its own search formulas with Splunk significantly reduces log analysis time and improves work efficiency at the same time

Before
  • Unauthorized access investigation targets are distributed over multiple systems, making centralized management difficult
  • Increased log search time and human workload for analysis per incident
  • A mechanism to detect unauthorized access in advance was needed in addition to post-incident measures
After
  • Enables centralized management and multifaceted analysis of logs generated by multiple security devices
  • Log collection and search time reduced from one day to a few minutes, with a large reduction in workload
  • Sophisticated search formulas for use in advance detection of abnormal events

Collecting and analyzing large volumes of logs from multiple devices was a major issue

MITSUBISHI ELECTRIC INFORMATION SYSTEMS CORPORATION, Ltd. (MDIS) is a group of advanced IT professionals responsible for MITSUBISHI ELECTRIC Corporation's IT business strategy. To strengthen and promote MITSUBISHI ELECTRIC Corporation's information systems business, MDIS draws on the comprehensive strength of the Mitsubishi Electric group, develops business in close cooperation with its research laboratories and group companies, and provides consulting services to client companies. It supports the entire system life cycle: design, construction, operation, and maintenance.

The Production Technology Division, which is responsible for quality assurance and production system development at MDIS, has introduced firewalls, web filters, anti-virus software, network forensics systems, behavior detection devices, and so on in stages as conventional information security measures. Combining these functions, it prevents unauthorized access to the company through targeted cyberattacks, removes viruses and malware, and implements measures against information leaks, and it continues to do so today. However, when a malware intrusion on a company terminal was detected by behavior detection equipment or anti-virus software, the large volume of logs generated by the related equipment had to be collected manually by the person in charge of each device. Consolidating the logs was therefore difficult, and analyzing and investigating them took a great deal of time and effort.

For example, when unauthorized access is discovered, Internet communication logs such as proxy logs are analyzed, but the proxy alone generates several gigabytes of logs per day. In many cases, several persons in charge had to collect and search the logs of their respective devices, compare them, and analyze them together.

Analyzing a single incident took from several hours to a full day. Slow searches and a growing human workload were major issues.

In addition, since log analysis is a post-incident countermeasure, the need for a mechanism to detect signs of attacks in real time or in advance and raise alerts was also discussed.

Therefore, there was an urgent need to introduce a system that could centrally collect and integrate logs from multiple security systems with different purposes, and quickly search and analyze them.

Selected Splunk for its fast search technology for large volumes of varied logs, and for the flexibility and maintainability of its operation

MDIS continued its research from mid-2013, and several log analysis products came up as candidates. After a detailed comparison and verification of their functions, "Splunk Enterprise" (hereinafter referred to as Splunk), provided by Macnica, was judged to be the most suitable for MDIS.

Splunk has unique technology for quickly searching a wide variety of large-volume logs, and it was also judged advantageous for its ease of defining data formats, the high flexibility of its queries (processing requests), and its operational maintainability (ease of version upgrades and comprehensive online manuals). Furthermore, it allows a small start and the flexibility to expand the scope of use while assessing effectiveness, and Macnica's one-stop support service was judged to be useful for smooth operation after implementation, which was also a major factor in the selection.

MDIS officially decided to introduce Splunk in January 2014.

We started importing logs in March 2014, and developed search formulas for log analysis using Splunk commands from May to August. After repeated verification and simulation of the search formula on the Splunk server, we were able to confirm the required performance.

At the start of operation, MDIS focused on investigating communications suspected of being malware traffic, surveying communication trends to determine the presence or absence of suspicious communications (abnormally large requests, etc.), and investigating alerts raised by the behavior detection equipment. Logs from the security systems are searched on Splunk, and the policy is to gradually expand the scope of log collection while accumulating operational experience.

Combined use of Splunk and original search formulas improves efficiency and strengthens security

Since the introduction of Splunk, it has become possible to centrally manage and visualize logs generated by multiple distributed security devices, enabling multifaceted analysis of communication logs from terminals. The log search work that used to take several hours to a day prior to its introduction has been reduced to just a few minutes, making it possible to quickly investigate and analyze security incidents.

In the past, investigating the spread of an infection meant collecting all the logs manually and having the person in charge check them visually. Now the search formulas are applied to the logs collected by Splunk, and the check is complete as soon as the formula has run, so the investigation is effectively automatic, improving work efficiency and strengthening security at the same time.

By using search formulas, it is possible to go back and search for similar Internet communications in the past when an incident occurred, greatly reducing the burden of investigation work.
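The two checks the case study describes, the survey for abnormally large requests and the retrospective "who else talked to this destination" pivot used for spread-of-infection investigations, are easiest to see against a few concrete proxy log lines. The following is an added example written for this page in plain Python, not MDIS's search formulas or Splunk's code (MDIS's actual formulas are not disclosed); it mirrors what a Splunk search of the form "stats by destination, compute a baseline, filter outliers" would do, but runs without a Splunk server. The log format, host names and addresses are constructed for the example.

```python
"""Added example (not MDIS's or Splunk's code): proxy-log checks of the kind the
case study describes, in plain Python so they run offline.

1. large_request_outliers(): flag requests whose outbound byte count is far above
   the norm for the same destination (a "survey for abnormally large requests").
2. clients_contacting(): pivot on a flagged destination and list every client
   that has ever contacted it, earliest first (a spread-of-infection check).

The log lines are constructed for this example. Format (simplified Squid-style):
    <epoch> <client_ip> <method> <url> <status> <bytes_out>
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log; all hosts and addresses are hypothetical.
SAMPLE_LOG = """\
1409500001 10.1.1.10 GET http://www.example.com/index.html 200 512
1409500002 10.1.1.11 GET http://www.example.com/news.html 200 640
1409500003 10.1.1.12 GET http://www.example.com/about.html 200 480
1409500004 10.1.1.10 POST http://update.example.net/check 200 900
1409500005 10.1.1.13 POST http://update.example.net/check 200 950
1409500006 10.1.1.14 POST http://update.example.net/check 200 880
1409500007 10.1.1.15 POST http://update.example.net/check 200 910
1409500008 10.1.1.12 POST http://update.example.net/check 200 4800000
1409500009 10.1.1.12 GET http://cdn.example.org/lib.js 200 2048
1409500010 10.1.1.16 GET http://cdn.example.org/lib.js 200 2048
1409500011 10.1.1.17 GET http://cdn.example.org/lib.js 200 2048
"""


@dataclass(frozen=True)
class ProxyEvent:
    ts: int
    client: str
    method: str
    host: str
    status: int
    bytes_out: int


def parse_proxy_log(text: str) -> list[ProxyEvent]:
    """Parse the simplified access-log format above into ProxyEvent records."""
    events: list[ProxyEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, nbytes = line.split()
        host = urlsplit(url).hostname or url  # group by destination host, not full URL
        events.append(ProxyEvent(int(ts), client, method, host, int(status), int(nbytes)))
    return events


def large_request_outliers(events: list[ProxyEvent], z_threshold: float = 3.0,
                           min_peers: int = 4) -> list[tuple[ProxyEvent, float]]:
    """Flag requests whose bytes_out is far above the per-destination baseline.

    The baseline is median / MAD rather than mean / stdev: with only a handful of
    requests per destination, a single huge upload inflates the stdev so much that
    the upload itself no longer looks anomalous. Destinations with fewer than
    min_peers requests are skipped because they have no usable baseline.
    """
    by_host: dict[str, list[ProxyEvent]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    flagged: list[tuple[ProxyEvent, float]] = []
    for evs in by_host.values():
        if len(evs) < min_peers:
            continue
        sizes = [e.bytes_out for e in evs]
        median = statistics.median(sizes)
        mad = statistics.median(abs(s - median) for s in sizes) or 1.0
        for e in evs:
            robust_z = (e.bytes_out - median) / (1.4826 * mad)  # 1.4826 scales MAD to a stdev
            if robust_z > z_threshold:
                flagged.append((e, round(robust_z, 1)))
    return flagged


def clients_contacting(events: list[ProxyEvent], host: str) -> list[str]:
    """Retrospective pivot: every client that ever talked to `host`, earliest first."""
    first_seen: dict[str, int] = {}
    for e in events:
        if e.host == host and e.ts < first_seen.get(e.client, e.ts + 1):
            first_seen[e.client] = e.ts
    return sorted(first_seen, key=first_seen.__getitem__)


if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_LOG)
    for event, z in large_request_outliers(evs):
        print(f"outlier: {event.client} -> {event.host} {event.bytes_out} bytes (robust z={z})")
        print("clients that contacted", event.host, ":", clients_contacting(evs, event.host))
```

On the constructed sample, only the 4.8 MB POST from 10.1.1.12 to update.example.net is flagged; the same data scored with mean and standard deviation yields a z-score below 2 for that request, which is why the robust baseline matters when a destination has few requests. The pivot then returns the five clients that contacted that host in first-seen order, the list an analyst would use to decide which terminals to examine next.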

In addition, applying more advanced search formulas will make it possible to detect abnormal events in advance, so proactive detection of incidents is expected in the future. MDIS plans to further improve search accuracy by tuning parameters, to increase the range of searches while researching and developing new search formulas, and to build a stronger security infrastructure able to respond to the new threats that appear every day.

Furthermore, since Splunk can be used for purposes other than security, MDIS is also considering how to put it to effective use in big data analysis.

MDIS's Production Technology Division regards Macnica's prompt support and accurate advice as extremely helpful during the Splunk implementation and operation phases. To make further use of Splunk, it plans to build up skills and experience through the Splunk certified training and free hands-on seminars that, in Japan, are provided only by Macnica.

Much attention will be paid to how MDIS, as MITSUBISHI ELECTRIC Corporation's strategic IT company, expands the possibilities of its IT business and creates advanced solutions for society through these proactive efforts.

User Profile

MITSUBISHI ELECTRIC INFORMATION SYSTEMS CORPORATION
URL: http://www.mdis.co.jp/

By promoting business in close cooperation with MITSUBISHI ELECTRIC Corporation's research laboratories and group companies, MDIS plays the role of core company in the Mitsubishi Electric group's IT business. Its current main business fields are wide-ranging, including financial systems, social infrastructure, manufacturing, and distribution systems.
