Splunk


Hitachi Systems, Ltd.

Adopted Splunk for in-house use of the SOC to strengthen security. Batch collection and search of logs from multiple AD servers enables quick checks for unauthorized access and a clear picture of the scope of failures.

POINT

  • Batch collection of AD logs, significant reduction of work load and visualization of unauthorized access
  • Enables batch search of problem terminals, greatly reducing the labor and time required for investigations
  • Visualize the login status to AD and quickly grasp the impact range of the failure
  • Simple histogram display accompanying search results contributes to high-quality log collection
Mr. Shinichi Iijima

Hitachi Systems, Ltd.
IT Headquarters
Global Platform Service Department
Network Security Group
Chief Engineer

Mr. Masato Ueda

Hitachi Systems, Ltd.
IT Headquarters
Global Platform Service Department
Network Security Group

Mr. Ms.Chin

Hitachi Systems, Ltd.
Network Security Service Division
Cyber Security Service Headquarters
Part 3 Group 1 Engineer

Ms. Kayoko Akishima

Hitachi Systems, Ltd.
Network Security Service Division
Cyber Security Service Headquarters
Part 3 Group 1

Introduce integrated SOC internally and utilize knowledge for cyber BCP other than natural disasters

In 1996, Hitachi Systems, Ltd. (Hitachi Systems) opened Japan's first security center. For more than 20 years since then, the company has provided a total of more than 10,000 advanced security services to Hitachi Group companies, major financial institutions, local governments, manufacturers, distributors, and others. Building on that know-how and experience, the SHIELD Integrated SOC (Security Operation Center) (hereinafter referred to as the Integrated SOC) was established in October 2017. It provides SOC functions as a managed service 24 hours a day, 365 days a year, supporting early detection, analysis, and rapid resolution of security incidents and business continuity on a global scale across IT, OT (control systems), and IoT environments.

At Hitachi Systems, the Integrated SOC is also used within the company to strengthen the security of the internal IT infrastructure. For this purpose, the company adopted the machine data analysis platform "Splunk Enterprise" (hereafter referred to as Splunk). "The trigger for strengthening internal IT security was the impact of the worm-type ransomware that raged in Japan in 2017. The company also decided to actively use the analysis capabilities of the security analysts in the Integrated SOC for internal purposes. By doing so, we decided to strengthen our BCP (Business Continuity Plan) against cyber-attacks, in addition to natural disasters," says Shinichi Iijima, Chief Engineer, Network Security Group, Global Infrastructure Service Department, IT Headquarters.

According to Mr. Iijima, log diversity was important to fully utilize the capabilities of the integrated SOC. It is necessary to collect and organize as many logs of systems scattered throughout the company as possible so that the correlation between logs can be analyzed easily. Although we collected network and security logs, we considered Active Directory (AD) event logs to be particularly important. However, Windows-based log collection was complicated, and log collection from multiple AD servers was a burden on the person in charge, and how to make it more efficient was a major issue.

Expected support for various kinds of machine data; the business department responsible for external sales also supported the introduction

Meanwhile, Hitachi Systems and Macnica signed a formal partnership agreement for Splunk products, and since April 2018, the company has been fully preparing its sales structure, which has brought Splunk into the spotlight within the company. Masato Ueda of the Network Security Group, Global Infrastructure Services Department, IT Headquarters, participated in the "Splunk Consultation" held for in-house use in May to learn more about Splunk's capabilities. "We were excited about the ease of use, as it can handle not only AD logs but all kinds of machine data, and does not require prior schema configuration or redefinition of analysis perspectives. In addition, when introducing Splunk, it was also reassuring to know that the Network Security Services Division, which is responsible for external sales, would support the introduction and use of Splunk," Ueda recalls.

Mr. Ms.Chin, Engineer of Group 1, Cyber Security Service Headquarters, Network Security Service Division, said, "Splunk has a high reputation in the Japanese market, and many of the company's customers have been using Splunk. Splunk is often used for security purposes, but recently there has been a gradual increase in the number of customers who want to use Splunk for purposes other than security, such as work style reforms."

The IT Headquarters verified the operation of Splunk in July 2018 and decided to officially introduce it. An introduction plan was then drawn up that initially focused on AD log collection, and actual operation started in August. Mr. Iijima credits the support of the Network Security Service Division for the fact that the system went into operation just three months after the consultation meeting. "The fact that we were able to get a speedy and accurate response regarding the specifications of the virtual server for running Splunk was also very helpful in implementing it in a short period of time."

Kayoko Akishima, Group 1, Department 3, Cyber Security Services Headquarters, Network Security Services Division, who was in charge of support, said, "As for the server specs, the implementation support toolkit provided by Macnica was helpful in investigating and solving the problem. Macnica's staff quickly provided support for the parts that we were unable to do, so we were able to quickly provide feedback to the IT Headquarters."

The importance of log collection became clear, and the daily use of Splunk was explored

The following three are the main effects of combining Splunk with the Integrated SOC. The first is improved efficiency of AD log collection. Hitachi Systems currently operates multiple AD servers; in the past, the person in charge collected logs from each server manually and passed them to the Integrated SOC, but now Splunk collects logs from all of the servers in one batch and hands them over automatically, which has greatly reduced the workload. Signs of unauthorized access, such as mass logins, can now be checked quickly.

The second is a faster response to inquiries from users. In the past, when a terminal had failed to update its password or an account had been locked out, it was necessary to check the AD servers one by one to investigate the cause, but now all of them can be searched at once using Splunk. As a result, the labor and time required for investigation is greatly reduced.

The third is visualization of the extent of impact in the event of a network failure. Even when an access failure occurs over a wide area, Splunk can quickly show the extent of the impact, because investigating the AD logs makes it possible to visualize which user groups are unable to log in. "Previously, when examining the extent of impact, operators manually picked up AD logs in batches and examined them, which took one to two hours to identify, but now, thanks to Splunk, the number of investigation paths has increased and the work time has been greatly reduced, making identification possible," says Mr. Iijima.

Mr. Ueda also points out the effectiveness of Splunk's search screen. "When examining user access logs with Splunk, the number of logs is displayed in a simple histogram along with the search results, so if there is a sudden rise, you can intuitively tell that something happened. It is important to collect a large number of high-quality logs in order to make full use of the insights of the Integrated SOC analysts, so I think Splunk's simple graph function is extremely effective."
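The three effects above (batch collection from several domain controllers, one search for locked-out accounts and failed logons, and a per-minute histogram whose sudden rise flags something worth a look) can be reproduced on a handful of events. The block below is an added illustration, not code from Hitachi Systems, Macnica or Splunk; the events, host names dc01/dc02 and user names are constructed, and the Event IDs are the standard Windows Security log IDs (4624 successful logon, 4625 failed logon, 4740 account locked out).

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of Windows Security events as they might arrive from two
# AD domain controllers (hypothetical hosts dc01 and dc02), already merged
# into one stream: (server, timestamp, event_id, account).
SAMPLE_EVENTS = [
    ("dc01", "2018-08-20T09:00:10", 4624, "alice"),
    ("dc02", "2018-08-20T09:01:05", 4624, "bob"),
    ("dc01", "2018-08-20T09:02:30", 4625, "carol"),
    ("dc02", "2018-08-20T09:03:12", 4624, "dave"),
    ("dc01", "2018-08-20T09:04:01", 4625, "carol"),
    ("dc01", "2018-08-20T09:04:02", 4625, "carol"),
    ("dc02", "2018-08-20T09:04:03", 4625, "erin"),
    ("dc02", "2018-08-20T09:04:04", 4625, "erin"),
    ("dc01", "2018-08-20T09:04:05", 4625, "frank"),
    ("dc02", "2018-08-20T09:04:06", 4740, "carol"),
    ("dc01", "2018-08-20T09:04:07", 4625, "carol"),
    ("dc01", "2018-08-20T09:05:20", 4624, "alice"),
]

def histogram(events):
    """Events per minute across all servers: the 'simple histogram' beside the results."""
    counts = Counter(ts[:16] for _srv, ts, _eid, _user in events)  # key = YYYY-MM-DDTHH:MM
    return dict(sorted(counts.items()))

def spike_buckets(events, factor=3):
    """Minutes whose count exceeds factor x the median minute: the 'sudden rise'."""
    hist = histogram(events)
    baseline = median(hist.values())
    return [minute for minute, n in hist.items() if n > factor * baseline]

def locked_out_accounts(events):
    """Accounts with a 4740 event, found in one pass regardless of which DC logged it."""
    return sorted({user for _srv, _ts, eid, user in events if eid == 4740})

def failed_logons_by_user(events):
    """Users that could not log in, with the DCs that saw the failures (impact view)."""
    seen = defaultdict(set)
    for srv, _ts, eid, user in events:
        if eid == 4625:
            seen[user].add(srv)
    return {user: sorted(servers) for user, servers in sorted(seen.items())}

if __name__ == "__main__":
    print("histogram:", histogram(SAMPLE_EVENTS))
    print("spikes:", spike_buckets(SAMPLE_EVENTS))
    print("locked out:", locked_out_accounts(SAMPLE_EVENTS))
    print("failed logons:", failed_logons_by_user(SAMPLE_EVENTS))
```

The spike threshold (three times the median minute) is an assumption chosen for the sample; in practice the baseline would come from a much longer window.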

The IT Headquarters is considering incorporating SQL server and ERP logs into Splunk in the future, and is planning to proceed with discussions with the department in charge.

Regarding the changes within the company after the introduction of Splunk, Mr. Ueda says, "By clarifying the importance of log collection, there is an awareness that it may be possible to use it more widely. I also want to explore daily use of Splunk."

Looking back on the project, Mr. Iijima says, "I am very satisfied that Splunk provides the appropriate functions for our goal of strengthening security using the Integrated SOC, and I rate it highly as a product. As an effective method for thoroughly examining the logs of our systems and internal infrastructure, I expect it will be used more and more in the future."

Splunk recognized by Hitachi Systems for covering the entire IT life cycle. More and more companies will realize this possibility in the future.

SHIELD Integrated SOC

The photo shows Hitachi Systems' SHIELD integrated SOC (Security Operation Center) opened in October 2017. In addition to the know-how that security analysts have cultivated over many years, we utilize security intelligence information from external organizations to achieve advanced analysis. We support early detection of security incidents in the customer environment, prompt resolution, and business continuity.

User Profile

Hitachi Systems, Ltd.
URLs

https://www.hitachi-systems.com/

Established in 1962. Starting with the construction of business systems for a wide range of scales and industries, we operate, monitor, and maintain systems using our service infrastructure, including data centers, network and security operation and monitoring centers, contact centers, and approximately 300 service locations nationwide. Leveraging our wealth of experience in IT services, which has led the industry since the dawn of IT in Japan, we provide one-stop services that cover the entire IT life cycle.
