Splunk

SKY Perfect JSAT Holdings Inc.

SKY Perfect JSAT confronts cyberattacks: using Splunk to streamline the analysis of huge volumes of logs and improve the quality of log analysis

Before
  • The rapid increase in cyberattacks calls for a mechanism to check for information leaks before they happen.
  • It takes several days to investigate a single event from logs, making it difficult to solve problems quickly.
  • Manual log collection and analysis can only be handled by knowledgeable personnel.
After
  • Log visualization and multifaceted analysis to proactively detect anomalous communications.
  • Quickly extract the necessary information and streamline analysis work such as matching logs.
  • Advanced analysis is possible even for non-experts, with analysis methods standardized by the tool.
SKY Perfect JSAT Holdings Inc.
OA Infrastructure Team, Information Systems Department, Corporate Strategy Headquarters
Assistant Manager Mr. Sugita

Cyberattacks surge and risks increase with the diversification and global expansion of services

SKY Perfect JSAT Holdings Inc. (hereafter, SKY Perfect JSAT) was established in April 2007 through the management integration of SKY Perfect Entertainment Corporation, which launched Japan's first digital broadcast "PerfecTV" in 1996, and JSAT Corporation, which pioneered Japan's private space communications business. The satellite communication company Space Communications Corporation, Ltd. then became a subsidiary, and the integrated company was born in June 2008. Today, as the only platform operator in Japan running multi-channel satellite broadcasting, the company operates SkyperfecTV, which is viewed by approximately 3.7 million customers. It continues to grow as Asia's largest satellite communications operator with sales.

In the pay multi-channel business, the company is actively advancing broadcasting technology such as 4K broadcasting, and has started developing the Japanese content channel "WAKUWAKU JAPAN" for overseas audiences. In the space and satellite business, it provides communication infrastructure for disaster recovery (DR) and business continuity planning (BCP) to local governments and companies, and supplies satellite lines for Asia, Oceania, the Middle East, and Russia. It is pursuing global business development and expansion into new business areas.

Alongside this diversification of services and the growing share of overseas business, what troubled the company was the increase in security risks such as information leakage caused by the rapid rise in cyberattacks, including targeted attacks. “In recent years, attack methods have become more diversified and sophisticated, and there is a limit to how far defensive measures can be built up. We thought it would be important to build a system that would detect them with high accuracy and prevent damage from happening,” says Mr. Sugita, Assistant Manager of the OA Infrastructure Team, Information Systems Department, Corporate Strategy Headquarters, SKY Perfect JSAT.

The company had introduced various security products, collected the logs generated by the related servers and network equipment, and done the steady work of comparing them by hand. However, the volume of logs to be collected was enormous and their types complex, and log management became such a heavy burden that the company had no choice but to ask for the cooperation of the systems engineers (SEs) of its outsourced system integrator (SIer). “It was not uncommon for it to take several days to investigate a single event because we were comparing logs of several gigabytes or more. It took a long time, and I felt that there was a big problem in finding a quick solution.” (Mr. Sugita)

Choosing Splunk for its flexibility over SIEMs with fixed log ingestion

SKY Perfect JSAT therefore decided to cut the time spent on log analysis as much as possible and adopt a log analysis tool that enables quick investigation. In February 2013, it began researching candidate products.

The selection criteria were not only the ability to collect all logs centrally, but also the ability to automate the matching of logs and efficiently identify the necessary information. In addition, assuming that the types of logs to be analyzed would increase in the future, the company compared multiple log analysis products with an eye to the flexibility to handle all kinds of logs.

What caught the company's attention was the machine data analysis platform "Splunk Enterprise" (hereinafter referred to as Splunk) provided by Macnica.

“Since various logs can be imported without defining the log format, the load at the time of introduction is light, and there is no need to decide analysis requirements in advance, so analysis can be done flexibly according to the situation. Operation is also intuitive, and the necessary information can be extracted instantly and expressed graphically, so I felt that the difficulty level was very low,” Mr. Sugita recalls of his first impression.

Unlike other products, Splunk does not require additional development or customization when the number of logs to be imported grows because a new product is introduced, or when analysis requirements arise beyond those decided at the time of introduction. Another big advantage was that it did not require a lot of man-hours. Mr. Sugita also noted its excellent real-time log search and graph aggregation functions, which enable even staff without specialized knowledge to produce advanced reports and analysis.

“Since log monitoring and operation were to be done in-house, it was an extremely important requirement that there was no need for additional development or training of specialists.”

Shortening the learning period of Splunk by utilizing the introduction support service

In June 2013, SKY Perfect JSAT carried out a performance evaluation and operational verification on actual logs using the free evaluation version of Splunk. As a result, the official introduction was decided in July.

Starting in August, the company entered the full-scale implementation phase, using Macnica's Splunk Implementation Support Service to shorten the construction period. Cutover was successfully completed in November 2013.

"Thanks to Macnica's implementation support service, which is certified by Splunk, we were able to shorten the learning curve to fully use Splunk, and were able to smoothly build the system for full-scale operation." (Mr. Sugita)

Since introducing Splunk, the company uses it in three specific ways. The first is detecting unauthorized communications by monitoring the logs of network devices. The second is understanding the communication status by collecting logs from network equipment. The third is confirming server status by analyzing multiple server logs.

Logs from the network equipment and servers installed at multiple locations are first accumulated on the log server at the head office, and then imported into Splunk for analysis as needed. As a result, the time-consuming log matching work has been reduced significantly.

Analyzing and correlating many logs to gain insight from a different perspective than before

Mr. Sugita describes the changes since the introduction of Splunk from three aspects. The first is dealing with known threats. Previously there was no mechanism to detect unauthorized communication, so anomalies might only be noticed after the damage was discovered. By monitoring network device logs with Splunk, it has become possible to proactively detect unauthorized communications.

The second is dealing with unknown threats. By analyzing the number of accesses and the traffic volume for each communication destination from the network equipment logs and graphing them, an abnormality such as a sudden increase in access count or traffic can be spotted and the source of that communication identified. This can therefore be used for early detection of cyberattacks.
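The approach just described, per-destination aggregation of access counts and bytes over time with the source hosts behind any sudden increase, is easy to express in Splunk itself (for example `... | timechart span=1h count by dst`). The following is an added example, not code from Macnica or SKY Perfect JSAT, that implements the same logic in plain Python over constructed network-device log lines: it buckets events into fixed windows, compares the latest window against the mean of the earlier windows for each destination, and also flags a destination that appears for the first time with a notable volume. The log line format, hosts and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format for this example (constructed, not a real device format):
# 2013-11-01T00:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=1500
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def _fmt(t, src, dst, dport, nbytes):
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} src={src} dst={dst} dport={dport} bytes={nbytes}"


def _make_lines():
    """Constructed sample: four quiet hours, then a fifth hour containing a spike."""
    lines = []
    base = datetime(2013, 11, 1, 0, 0, tzinfo=timezone.utc)
    for hour in range(5):
        t = base + timedelta(hours=hour)
        for i in range(2):   # steady background: 2 connections/hour to .10
            lines.append(_fmt(t + timedelta(minutes=10 * i), "10.0.0.5", "203.0.113.10", 443, 1500))
        for i in range(3):   # steady background: 3 connections/hour to .11
            lines.append(_fmt(t + timedelta(minutes=5 * i), "10.0.0.6", "203.0.113.11", 443, 900))
    t = base + timedelta(hours=4)
    for i in range(30):      # last hour: one host hammers .10 with large transfers
        lines.append(_fmt(t + timedelta(minutes=i), "10.0.0.7", "203.0.113.10", 443, 60000))
    for i in range(12):      # last hour: another host talks to a never-seen destination
        lines.append(_fmt(t + timedelta(minutes=2 * i), "10.0.0.8", "198.51.100.20", 8443, 2000))
    return lines


SAMPLE_LINES = _make_lines()


def parse(lines):
    """Parse log lines into events; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return events


def aggregate(events, window=timedelta(hours=1)):
    """Bucket events into fixed windows; per (window, dst) keep count, bytes and per-source counts."""
    buckets = defaultdict(lambda: defaultdict(
        lambda: {"count": 0, "bytes": 0, "sources": defaultdict(int)}))
    secs = window.total_seconds()
    for ev in events:
        slot = buckets[int(ev["ts"].timestamp() // secs)][ev["dst"]]
        slot["count"] += 1
        slot["bytes"] += ev["bytes"]
        slot["sources"][ev["src"]] += 1
    return buckets


def detect_spikes(lines, window=timedelta(hours=1), ratio=5.0, min_count=10):
    """Flag destinations whose latest-window count is >= ratio x their earlier mean,
    or that were never seen before, provided the count reaches min_count."""
    buckets = aggregate(parse(lines), window)
    if not buckets:
        return []
    windows = sorted(buckets)
    last, history = windows[-1], windows[:-1]
    findings = []
    for dst, slot in buckets[last].items():
        # baseline = mean count over earlier windows; windows without this dst count as zero
        prior = sum(buckets[w].get(dst, {"count": 0})["count"] for w in history)
        baseline = prior / len(history) if history else 0.0
        if slot["count"] >= min_count and (baseline == 0 or slot["count"] >= ratio * baseline):
            findings.append({
                "dst": dst, "count": slot["count"], "baseline": round(baseline, 2),
                "bytes": slot["bytes"],
                # sources ordered by how much each contributed, so the origin of the spike is first
                "sources": sorted(slot["sources"].items(), key=lambda kv: -kv[1]),
                "reason": "new destination" if baseline == 0 else "count spike",
            })
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for f in detect_spikes(SAMPLE_LINES):
        print(f"{f['dst']}: {f['reason']}, {f['count']} connections (baseline {f['baseline']}), "
              f"{f['bytes']} bytes, top source {f['sources'][0][0]}")
```

On the constructed sample this reports 203.0.113.10 as a count spike (32 connections against a baseline of 2 per hour, driven by 10.0.0.7) and 198.51.100.20 as a new destination; the steady 203.0.113.11 traffic is not flagged. The thresholds are deliberately parameters, because a fixed ratio that fits one site's background traffic will be noisy at another.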

The third is the centralization of logs. In previous investigations, the company checked the logs of multiple security products and servers one by one. With the logs centralized in Splunk, quick investigation has become possible through free, multifaceted analysis as the need arises.

“Since Splunk can visualize logs from various perspectives, for example, by analyzing the traffic volume of a specific location or logs for each application from a different perspective than before, there is a possibility that we can see things that we have not noticed before. I feel that the amount of logs I look at is relatively increasing because I can quickly extract the information I need.” (Mr. Sugita)

Splunk has also proven effective for IT infrastructure management. “When configuring a device or changing the network, it is possible that the person in charge made a mistake in the settings. It has also made it possible to immediately discover configuration errors,” says Mr. Sugita.

Going forward, SKY Perfect JSAT will enhance Splunk's dashboard and view functions to reduce the time required for log analysis, visualize communication status, and create an easy-to-use interface. The company plans to strengthen security by making further use of logs, for example by strengthening correlation analysis.

“With general log management products, it is difficult to produce results unless you narrow down in advance what kind of logs you want to collect and what kind of analysis you want to do, but Splunk takes in various types of logs without such processing. Its strength lies in being able to flexibly examine how they should be analyzed,” says Mr. Sugita, who expects that Splunk will lead to even more interesting discoveries in the future.

User Profile

SKY Perfect JSAT Holdings Inc.
URL: http://www.sptvjsat.com/

Launched Japan's first digital broadcast "PerfecTV" and operates SkyperfecTV. The world's 5th largest and Asia's largest satellite communication operator, mainly engaged in the "space and satellite business", which provides mobile services for ships and aircraft using communication satellites as well as marine broadband services.
