Splunk

TAISEI CORPORATION

Interview [July 2014] We interviewed Mr. Tatsuya Kitamura, the general manager of TAISEI CORPORATION's information planning department and leader of Taisei's CSIRT organization "Taisei-SIRT" (T-SIRT).

Mr. Tatsuya Kitamura

TAISEI CORPORATION
President's Office Information Planning Department Manager (in charge)
Taisei-SIRT Leader

1. Overcome the hurdles of setting up a CSIRT by creating a virtual organization like a fire brigade

Q: Although the public and private sectors are calling for the establishment of a CSIRT, I imagine that there must have been various difficulties in establishing it within the company. How did you work on creating systems and rules?

A: It is true that the hurdles to setting up a CSIRT office with investigative authority are high. The Company already had a track record of CSIRT-like initiatives, even if they were not organized, so the technical and practical issues were not that big a problem. On the other hand, there was a lot of discussion about what title the leader participating in the CSIRT room would hold and what kind of authority they would have. Therefore, T-SIRT is not a fixed organization like a “fire department” but a virtual organization like a “fire brigade”. In normal times, it was decided that the highest authority would be transferred to the president or CRO, and that in normal times T-SIRT would have the right to investigate by virtually transferring that authority. I made it clear that it would be active on that basis.

In addition, we initially considered CSIRT regulations to be limited to emergencies, but as we proceeded with the survey it was pointed out that efforts during normal times were also important, so we decided to add the establishment of systems and improvement activities during normal times to the regulations.

Q: How did you convince management of the need for a CSIRT and gain their understanding?

A: It took about a month and a half to explain the establishment of the CSIRT to the Board of Directors in order to incorporate it into the internal regulations. At that time, the Cabinet Secretariat's Information Security Policy Council was requesting the establishment of CSIRTs, and in general government procurement the contract conditions included a CSIRT and required that the involvement and responsibilities of top management be clarified. I explained what I was proposing, emphasized that we should not be left behind by the flow of such national measures, and gained their understanding.

2. Adopting Splunk for information security big data that performs integrated search and analysis of multiple logs

Q: In your presentation at Macnica Networks DAY 2014, you emphasized the roles of T-SIRT, such as disrupting the cyber kill chain (*), visualizing cyberattacks through log analysis, and clarifying which events can and cannot be detected in information security big data.

A: Firewalls, antivirus, IPS, and so on exist to cut off the cyber kill chain. ” and “zero-day attacks” make it very difficult to protect 100%. It is important to detect and discover anything that has got inside as soon as possible.

In addition to direct incident reports, T-SIRT has a help desk that receives 150 to 200 reports per day, and also discovers security incidents through alerts escalated from monitoring systems. Logs are the basis for this. However, since logs get buried if the timing is missed, it becomes necessary to analyze information security big data: integrating multiple log sources, searching at high speed, and tracking the footprints of attackers through time-series analysis and correlation analysis.

In the past it was said that the basic method was to dig up logs by searching for strings in files, so-called “grep”, but if a single grep takes several tens of minutes, it cannot keep up with the speed of the attacker. That was when I came across Splunk, a machine data analysis platform provided by Macnica.

* Cyber kill chain: each step of the U.S. military attack sequence “kill chain” (find → fix → track → target → engage → assess) is mapped onto the steps performed in a targeted cyber attack: “reconnaissance” → “weaponization” → “delivery” → “exploit” → “install” → “C2” → “intended execution”.
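The correlation and time-series analysis described above (integrating several log sources and following an attacker's footprints across kill-chain stages, which the interview returns to later when it mentions correlating 10 to 20 network and security log sources) can be shown in a small script. The following is an added example written for this page; it is not code from Taisei, Macnica or Splunk. The three log formats, the IP addresses, the hostnames and the year assumed for year-less syslog lines are all constructed for the example, and the stage-tagging rules are a deliberately simple stand-in for real detection content.

```python
"""Added example (not from Taisei, Macnica or Splunk): normalize three
differently formatted log sources into one time-ordered trail per internal
host, tag each event with the kill-chain stage it may evidence, and flag
hosts whose trail shows delivery -> install -> C2 within a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a web proxy log, a firewall
# syslog and an endpoint agent log, each in its own format.
PROXY_LOG = """\
2014-06-10 09:12:03 10.0.5.21 GET http://example.invalid/news.doc 200
2014-06-10 09:12:05 10.0.5.21 GET http://example.invalid/update.exe 200
2014-06-10 09:40:00 10.0.7.9 GET http://intranet.example/ 200
"""
FIREWALL_LOG = """\
Jun 10 09:15:42 fw01 ALLOW src=10.0.5.21 dst=203.0.113.7 dport=443
Jun 10 09:45:42 fw01 ALLOW src=10.0.5.21 dst=203.0.113.7 dport=443
Jun 10 10:00:01 fw01 ALLOW src=10.0.7.9 dst=198.51.100.3 dport=80
"""
ENDPOINT_LOG = """\
2014-06-10T09:12:09 host=10.0.5.21 event=file_created name=update.exe
2014-06-10T09:13:30 host=10.0.5.21 event=process_started name=update.exe
"""

SYSLOG_YEAR = 2014  # assumption: the syslog lines carry no year
FW_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ (\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_proxy(text):
    """Proxy log: 'date time client method url status' -> normalized events."""
    events = []
    for line in text.splitlines():
        date, time, host, method, url, _status = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "host": host, "source": "proxy", "detail": f"{method} {url}"})
    return events


def parse_firewall(text):
    """Firewall syslog: year-less timestamp plus key=value fields."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the whole run
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group(3), "source": "firewall",
                       "detail": f"{m.group(2)} to {m.group(4)}:{m.group(5)}"})
    return events


def parse_endpoint(text):
    """Endpoint agent log: ISO timestamp followed by key=value pairs."""
    events = []
    for line in text.splitlines():
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts_str), "host": fields["host"],
                       "source": "endpoint", "detail": f"{fields['event']} {fields['name']}"})
    return events


def stage_of(ev):
    """Map one normalized event to the kill-chain stage it may evidence (toy rules)."""
    if ev["source"] == "proxy" and ev["detail"].lower().endswith(".exe"):
        return "delivery"
    if ev["source"] == "endpoint" and ev["detail"].startswith("process_started"):
        return "install"
    if ev["source"] == "firewall":
        return "c2"
    return None


def timeline_by_host(*event_lists):
    """Merge every source into one time-sorted list of events per host."""
    by_host = defaultdict(list)
    for ev in sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    return dict(by_host)


def hosts_with_chain(by_host, window=timedelta(hours=1)):
    """Return hosts whose trail shows delivery, then install, then C2 within `window`."""
    wanted = ["delivery", "install", "c2"]
    flagged = []
    for host, events in by_host.items():
        idx, start = 0, None
        for ev in events:
            if idx > 0 and ev["ts"] - start > window:
                idx, start = 0, None  # chain went stale; start over from delivery
            if stage_of(ev) == wanted[idx]:
                if idx == 0:
                    start = ev["ts"]
                idx += 1
                if idx == len(wanted):
                    flagged.append(host)
                    break
    return flagged


if __name__ == "__main__":
    tl = timeline_by_host(parse_proxy(PROXY_LOG), parse_firewall(FIREWALL_LOG),
                          parse_endpoint(ENDPOINT_LOG))
    for host in hosts_with_chain(tl):
        print(f"host {host}: suspicious chain")
        for ev in tl[host]:
            print(f"  {ev['ts']:%H:%M:%S} [{ev['source']:8}] {ev['detail']}  {stage_of(ev) or ''}")
```

The point the interview makes is visible in the structure: a grep over any one of these files shows nothing alarming (an allowed HTTPS connection, a downloaded file, a started process), and only the merged, time-ordered trail per host reveals the sequence. Replacing the toy rules in stage_of with real detection content, and the inline strings with streamed log sources, is the work a platform such as the one described does at scale.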

3. Splunk's greatest strength is ultra-high-speed search and diverse analysis capabilities through drill-down

Q: Please tell us why you chose Splunk and what technical advantages were the deciding factors.

A: I had heard of Splunk for some time, but I had assumed it was just a type of log management product and had not paid much attention to it. However, when I visited Macnica's booth at the "Information Security Expo Spring" held in May 2013, I was given a detailed demo of Splunk's functions, and for the first time I learned that it was also an extremely useful log analysis tool.

Until then, the Company had not started log analysis; we had set up a log server, stored logs in one place, and performed only grep. However, when we compared Splunk with SIEM and log management products, we found that it could manage and visualize logs in various ways, search much faster than grep, and analyze along various evaluation axes by drilling down. When I discovered this, I was shocked at what I had been doing up until then (laughs).

In particular, the search function shows where attacks are coming from in a graph, and I noticed that this could be visualized in real time. With other companies' products, nothing is displayed until all results have been obtained, but Splunk displays the logs as the search captures them, so as soon as you find the target log you can move on to the next search, which is very efficient. In addition, since SOC (Security Control Center) operations such as server monitoring and log extraction are outsourced to an external partner company, I felt the benefit of being able to significantly reduce the work hours and personnel costs on the SOC side.

4. Utilizing "Splunk introduction support and construction service" to realize early operation start

Q: Please tell us about the schedule from the meeting at Information Security Expo Spring to the introduction and the current concrete operation method.

A: After experiencing the demo, I and other members immediately attended Macnica's hands-on seminar to learn more about Splunk's unique features and functions. I remember that it was at that hands-on seminar that I learned that Splunk could collect, search, and analyze data generated not only by security devices but also by various IT systems.

Then, around November 2013, we issued an RFP, received proposals from multiple vendors including Macnica, conducted a verification demo using actual log input, and based on the verification results officially decided to introduce Splunk in March 2014. Utilizing Macnica's "Splunk implementation support and construction service," full-scale operation began in June after a POC (proof of concept).

In addition to building the environment for Splunk operations, Macnica also customized and incorporated about eight of the Company's own monitoring items into the dashboard menu, and provided support to the Information Planning Department, Taisei Information Systems Co., Ltd. (TAIS), and the SOC outsourcers, so that everyone involved was familiar with Splunk.

We are currently doing correlation analysis of all logs from network and security devices. The number of these is about 10 to 20. We analyze events and indicators when they are discovered, and periodically when they are caught by our content filters.

5. To take advantage of Splunk, which can do anything

Q: It's only been a short time since the introduction, but please explain the effects of using Splunk.

A: I am once again surprised by the high versatility of being able to freely search the logs of not only security devices but all IT devices, and to drill down to track them. If you want to check the current situation on a qualitative screen or perform statistical analysis, SIEM is sufficient, but if you want to trace the cause of an event or incident in depth, a person in charge at a general company who is not an expert may not be able to use SIEM well. Considering that alerts come from each and every part of the cyber kill chain, I think Splunk is the best because we can see them all.

Q: After Splunk went into full operation, were there any cases discovered as a result of analysis triggered by some kind of alert?

A: Fortunately, there have been no incidents due to external cyberattacks, but we are trying to detect and correct any misuse within the company. However, keywords such as “gambling” and “games”, which are prohibited at ordinary companies, are also involved in the construction of public racetracks and amusement facilities, so the current situation is that we need to collect a wide variety of knowledge and information from around the world in order to know about them, and it is not possible to regulate them. Therefore, we are planning to make full use of Splunk, which has high flexibility.

However, in addition to security incident investigations, Splunk can easily be used for investigations into stable system operation and business utilization. (laughs)

Q: Please tell us about your future plans for Splunk operations.

A: We are starting to see opportunities to use Splunk for strategic analysis by inputting management information into it, and we are hoping that it will be able to be used in ways that are different from conventional methods.

6. Consider all security countermeasure activities as actions necessary to realize business

Q: What did Macnica contribute to through this Splunk implementation project?

A: The "Recommendations for Promoting Information Security Policy" announced by the Ministry of Internal Affairs and Communications on April 5, 2013, state that information security risks are always present and that it is necessary to establish a CSIRT to respond quickly to cyber attacks, but what was proposed to realize incident handling (emergency response) was a response system that assumes an accident will occur, called the "OODA (observe, assess, decide, act) loop." Since there was little knowledge about the OODA loop, we are gradually starting to put it together with advice from Macnica's Security Research Center.

Splunk is the key point for monitoring and event monitoring, visualization, and triage to judge the situation in the first stage of the OODA loop. I think it will be easier to explain how to deal with the cyber kill chain if it is there.

I hope that Macnica will continue to utilize its multi-vendor strengths to provide a wide range of information on the latest domestic and international technology.

Q: Lastly, the slogan "Information security as business enabler" that was mentioned at the end of the lecture reflects Mr. Kitamura's belief that information security contributes to business. I feel I can understand you, but please tell us what you entrusted to these words.

A: In April 2002, the Company distributed one-time password generators to all employees and, by implementing two-factor authentication in-house, started using electronic information as official documents within the company. This was only possible because security was ensured, and when considering what security measures are for, all of them should be actions necessary to realize business. Therefore, I would like all of you involved in information security to carry out your daily work with the pride that information security is what accelerates your business.

User Profile

TAISEI CORPORATION
URL: http://www.taisei.co.jp/

Mr. Tatsuya Kitamura, General Manager of the Information Planning Department, President's Office, TAISEI CORPORATION, has been involved in the CSIRT "T-SIRT", still one of the few at general companies in Japan, since its launch, and still serves as its leader. At "Macnica Networks DAY 2014", held on July 8, 2014, he gave a lecture as a corporate case study to a large audience. In this interview he talked about the inside story and episodes of setting up T-SIRT that were not mentioned in the lecture, and also about "Splunk", which greatly contributes to information security big data in T-SIRT, looking back on the history of its introduction.
