Splunk

Rakuten Securities, Inc.

Introduced Splunk to collect and analyze a wide variety of very large logs. Adopted the Gemini Appliance, a dedicated Splunk appliance, for the first time in Japan to build a security log analysis infrastructure quickly and reduce TCO.

Before
  • Log data from various servers and security devices was scattered
  • Even when a security incident occurred, it was difficult to investigate it quickly
  • A log consolidation and analysis environment was required to investigate unauthorized logins and unauthorized access
After
  • Collects over 10 types of logs, enabling monitoring and analysis on the dashboard
  • Built a system to prepare for security incidents by collecting, monitoring, and analyzing logs
  • Investigates and monitors unauthorized access and attacks on the dashboard
Mr. Kazuyuki Yoshida
Rakuten Securities, Inc.
Business Management Headquarters
Information Security Department

Mr. Tamaki Namba
Rakuten Securities, Inc., IT Division
System Risk Management Department
(Department name at time of introduction: Infrastructure Service Department)

An efficient log analysis infrastructure was needed for security investigations

Rakuten Securities, Inc. (head office: Setagaya-ku, Tokyo; President: Yuji Kusunoki; hereinafter referred to as "Rakuten Securities, Inc.") is a wholly-owned subsidiary of Rakuten Group, Inc. and was established in June 1999 as Japan's first securities company specializing in Internet trading. As of October 2016, assets under custody are about 3.5 trillion yen and the number of accounts exceeds 2 million, making it one of the major players in the industry.

The company operates two networks: a "commercial service network" for customer service and an intranet "internal system network" that supports back-end operations.

“These networks contain various servers and security devices, and in order to conduct prompt investigations in the event of a security incident, we needed centralized control of the several gigabytes of log data generated by each server per day,” says Kazuyuki Yoshida, Information Security Department, Business Management Headquarters, Rakuten Securities, Inc. He felt that an efficient foundation for log centralization and log analysis was necessary for conducting security fact-finding investigations, such as investigating unauthorized logins and unauthorized access from outside and monitoring unauthorized access to the Internet.

The Splunk-optimized Gemini Appliance significantly reduces the time and effort spent building infrastructure

To address this issue, the company turned to Splunk Enterprise (hereinafter referred to as Splunk), a machine data analysis platform with a reputation for security log analysis both inside and outside the industry. However, because the deadline from initial consideration to completion of implementation was short, it was difficult to procure a general-purpose server and general-purpose OS and perform setup work such as sizing. Therefore, Macnica, the company that provides Splunk, introduced the Gemini Appliance, a dedicated Splunk appliance that had not yet arrived in Japan at the time.

“Since the Gemini Appliance is a dedicated appliance optimized for Splunk, basic implementation can be completed with simple settings and racking work, so the time and effort spent building a server can be greatly reduced, and that time can be used for designing Splunk and considering how to use it. I felt that it was very rational because maintenance can be done from the Web GUI (management screen) even after installation,” says Mr. Yoshida, looking back on his impression at the time.

In addition, since management approval was required for the adoption, it helped that the Gemini Appliance, a Splunk-dedicated appliance, can be used to detect, investigate, and analyze incidents, monitor IT systems, and investigate the causes of failures. Besides making it easy to take advantage of Splunk's multifunctionality, it also has major advantages in ease of daily maintenance and reduced maintenance costs. Compared with a general-purpose server, there was no need for performance verification or tuning at the time of installation, and it was a great advantage that the workload of tasks such as patch management could be greatly reduced even after installation.

The adoption was officially approved in October 2015, half a year after consideration of Splunk and the Gemini Appliance began, and the construction work was carried out from the end of November to the end of December. Had it been built on a general-purpose server, setting up the OS and applications would have taken two to three weeks, but with the Gemini Appliance it was completed in just one day. Full-scale log monitoring began soon afterwards, and Rakuten Securities, Inc. became the first domestic user of the Gemini Appliance.

Deploying Splunk and the Gemini Appliance enables incident preparedness

Currently, Splunk and the Gemini Appliance collect over 10 types of logs from the various servers, security devices, databases, and applications on the commercial service network and the internal system network, and the information security department monitors and analyzes them on the dashboard.

“By introducing Splunk and the Gemini Appliance, it has become possible to collect, accumulate, monitor, and analyze a large volume of logs from various servers and security devices, which could not be done in the past. I believe that we were able to create a system that can handle this,” says Yoshida.

The dashboard is also used for different purposes on each network. On the commercial service network side, it is used for trend analysis of attacks and unauthorized access, reports to management on the status of attacks and unauthorized access, and drill-down analysis of detected attacks; on the internal system network side, it is used to confirm access to unauthorized IPs and domains, investigate targeted attacks, and investigate external access.

The Gemini Appliance is jointly managed by the information security department and the infrastructure staff. Normally, the information security department is the side that uses Splunk, and the infrastructure manager uses the Gemini Appliance web GUI to maintain and manage Splunk from the standpoint of a server administrator. Because the GUI can also be used by the information security department, even when a sudden setting change is required, the department can edit the configuration file directly without requesting the work from the infrastructure staff. Mr. Yoshida says that this is very helpful.

Mr. Tamaki Namba, who was in charge of infrastructure at the time of installation, is responsible for managing the operational status of the Gemini Appliance as needed using the Web GUI. “Because the Gemini Appliance is a dedicated appliance, we expect to be able to reduce infrastructure TCO (Total Cost of Ownership) by more than 1/3 over the next five years compared to general-purpose servers.” Since the Gemini Appliance runs a proprietary OS, it is less susceptible to vulnerabilities than general-purpose OSs, and as a result there are few cases where patches need to be applied.

“At our company, we had a rule to test the effect of a patch on the system in our environment, and it took a lot of effort and a running period of about two weeks to a month. The frequency of patching is also low, so the burden and time required for operation can be greatly reduced,” says Mr. Namba.

  • Uses the Gemini Appliance, a dedicated appliance, as the operational infrastructure for Splunk. More than 10 types of logs are collected and can be monitored and analyzed on the dashboard.

The combination of Splunk and Gemini Appliance is the best choice for the demands of the times

Rakuten Securities, Inc. currently analyzes the logs of target devices individually, but in the future the goal is to integrate them to understand the overall movement of users in a cross-sectional manner. For example, the company is considering using Splunk to implement operations that precisely grasp information that can visualize employee behavior. In addition, the Gemini Appliance has collected about 20 billion event logs in 6 months, mainly from web servers and firewalls, and the company is satisfied with performance that allows these to be searched and analyzed almost without stress. is expected to increase.

In addition, the compliance and IT departments are also being asked to expand the areas they monitor, and introducing Splunk and the Gemini Appliance makes it easy to expand these areas and improve efficiency. In the future, the company plans to explore ways to expand the scope of log collection to include all security devices.

Mr. Namba says, "In the future, the Gemini Appliance will dramatically reduce the man-hours required to build and operate infrastructure, and will bring the great advantage of being able to use it whenever you want."

Looking back on this project, Mr. Yoshida highly appreciates that Splunk and the Gemini Appliance have made a significant contribution to improving internal security. “I think the introduction has been extremely effective in terms of speed of introduction, ease of management, and high performance when searching logs. The combination of Splunk and the Gemini Appliance is the best choice for that request, and we have great expectations for its possibilities going forward.”

Rakuten Securities, Inc. is always ahead of the industry in taking on new challenges. Splunk and the Gemini Appliance will continue to support the company's growth and innovation through their combination of versatility and availability.

User Profile

Rakuten Securities, Inc.
URL

https://www.rakuten-sec.co.jp/

Founded in June 1999 as Rakuten's Internet securities company, it started service as Japan's first online securities company. With a rich product lineup and cutting-edge online trading, it provides services to a wide range of individual investors, from beginners to experienced investors, and the number of accounts reached 2 million as of February 2016. Its distinctive features include real-time distribution of stock prices through a proprietary trading tool, a point program shared with Rakuten Ichiba, various financial services in collaboration with RAKUTEN BANK LTD and Rakuten Card, and other unique business developments that maximize the strengths of the Rakuten Group.

Inquiry/Document request

Macnica Co., Ltd., Splunk contact

Mon-Fri 8:45-17:30