Trellix

CRESCO Ltd.

Shifting security management from on-premises operations to SaaS use

The latest endpoint security and next-generation virus countermeasures achieve both "improved management and operation efficiency" and "up-to-date virus countermeasures"

POINT

  • Renewal of management console from on-premises to SaaS to reduce operational burden and reduce costs
  • Adopt next-generation antivirus for endpoint security to combat emerging threats
  • All terminals are managed by an agent, enabling status visualization and vulnerability elimination

CRESCO Ltd.
Digital Transformation Office
Head of the Office, Mr. Yoshitaka Hara

CRESCO Ltd.
Digital Transformation Office
Advanced General Specialist Mr. Shinnichi Kojima

Introduced new next-generation anti-virus measures to deal with non-malware attacks and zero-day attacks

CRESCO Ltd. (hereafter, Cresco), whose name means "to grow" in Latin, is an independent system integrator (SIer) with a history of over 30 years. With strengths in infrastructure construction and embedded software development, its four pillars are the business application business, the infrastructure business, the embedded business, and the service business.

About 90% of the approximately 900 projects that it receives each year are mainly repeat orders, and the company is highly trusted by major corporations for its careful handling of various confidential information and strict information management. Regarding information security in particular, the company has established an internal control committee and an information security committee, has established various policies and regulations, and is constantly renewing its information infrastructure and strengthening its management system.

As part of this, the company has been using McAfee products since 2000 and, after several transitions, had until recently been using McAfee ePolicy Orchestrator on-premises (hereafter, McAfee ePO), an on-premises management server, and McAfee VirusScan Enterprise (hereafter, VSE). From September 2019, these were renewed with the SaaS-based security management console McAfee MVISION ePO (hereafter, MVISION ePO) and VSE's successor, McAfee Endpoint Security (hereafter, ENS). In addition, McAfee Endpoint Security Adaptive Threat Protection (ENS ATP), a next-generation antivirus module that detects unknown threats that cannot be detected by the signature method, has also been introduced.

There were two main goals behind modernizing McAfee products. One is the shift from on-premises operations to cloud operations using SaaS. For McAfee ePO, installing, managing, and operating a server was a heavy burden. In addition, as an SIer, Cresco often brings PCs into customer environments, but because McAfee ePO communicates with the agent on the PC, there were concerns about the impact on the customer environment, and the agent could not be installed on some terminals. Therefore, even if malware was detected and an alert was raised, it could not be confirmed immediately, which was a major management issue.

Mr. Yoshitaka Hara, Director of Cresco's Digital Transformation Promotion Office, said, "MVISION ePO is a subscription license format, which is in line with the Company's policy of moving to the cloud. I thought it would be a big advantage to be able to grasp the situation at all times."

The other is the introduction of next-generation virus countermeasures. As cyberattack methods evolve day by day, it has become an urgent issue to prepare for new threats such as non-malware attacks and zero-day attacks. Shinnichi Kojima, Advanced General Specialist in Cresco's Digital Transformation Promotion Office, said, "We investigated various methods such as EDR (endpoint threat detection and response support) and endpoint security products from other companies, but we found that the additional cost depending on the number of terminals was a big obstacle. When considering MVISION this time, I paid a lot of attention to the fact that, in addition to strengthening with ENS the anti-virus measures that were supported by the old VSE, next-generation anti-virus measures that deal with non-malware attacks and zero-day attacks can be used."

Renewal to MVISION ePO was completed in a short time; remaining issue is ENS ATP tuning

In April 2019, the switch from the old products to the new began at the time of the update. Users in the VSE environment were migrated to the new ENS by overwriting the existing PCs with the agent software for MVISION ePO, and the migration was completed in a short time without any problems.

According to Mr. Kojima, "The Company originally had a McAfee Endpoint Threat Protection (ETP) license. Even after switching to an MVISION license, one year of ETP maintenance was free of charge during the transition period. Since there are a large number of users within the company and the scope of coverage is wide, including those who work outside the company, there is a time lag before the transition to ENS is made known through the portal. It gave me a lot of peace of mind."

However, setting thresholds for next-generation virus countermeasures remained an issue. Cresco has a variety of proprietary applications for development and management within the company, and all of them were falsely detected as "suspicious," resulting in a large number of alerts. "Originally, we should whitelist every time we create a new application, but there were so many that it was difficult to cover them all. Therefore, we got advice from Macnica and proceeded with tuning, grouping them by function and using known whitelists. We plan to continue to carefully search for the optimal value, such as whitelisting certain items." (Mr. Kojima)

Change from on-premises operation to SaaS use and promote the target of cloud first

In September 2019, MVISION ePO, ENS, and ENS ATP began full-scale operation. As a result, the following three changes were realized. The first is improved efficiency of operation and management. Mr. Hara said, "By changing from on-premises operation to using SaaS, we were able to significantly reduce the burden of server operation and management, and we were able to promote the 'cloud first' approach of migrating all infrastructure to the cloud. As a result, it contributes to cost reduction in no small way. It is also a big point that terminal management is now possible from the cloud, so it is very easy to operate."

  • In-house system image diagram

The second is updated anti-virus measures. In recent years, as the number of supply chain attacks on companies that, like Cresco, deal with major companies has increased, the use of ENS and ENS ATP has increased the sense of security by preparing against unknown viruses and responding to zero-day attacks. Mr. Kojima said, "Although we have relatively strong security measures with multi-layered defenses for Internet entrances and e-mails, the final bastion is still the endpoint. Although the system has been further strengthened, we believe that it is desirable for in-house security not to let the real thing go through even if there are 100 false positives, so we will continue to operate strictly."

And the third is visualization of all terminals. When VSE was in operation, there was a mixture of terminals with agents and terminals on which agents could not be installed, and they were managed manually, but with MVISION ePO all terminals can now be managed via agents. He believes that making it possible to see devices that were previously difficult to see is a big step toward eliminating vulnerabilities. Based on the premise that the number of employees and business partners will continue to increase in the future, Cresco is considering additional license agreements. In addition, assuming that there will be more opportunities for teleworking and working from home, the company plans to explore the possibility of using home PCs for business under the MVISION ePO license. Furthermore, although smartphones are currently used in business, the use of "MVISION Mobile Advanced", which realizes a safer usage environment, will also be considered.

Looking back on this project, Mr. Hara says, "By introducing MVISION ePO, ENS, and ENS ATP, we were able to simultaneously improve the efficiency of operational management by shifting to the cloud, take measures against unknown malware, and reduce total costs, which we highly value. The migration was a success thanks to the close support we received from Macnica. Tuning of the next-generation virus countermeasures remains an issue, and we look forward to continued accumulation of knowledge and support regarding McAfee products in the future."

User Profile

CRESCO Ltd.
Location: 〒108-6026 2-15-1 Konan, Minato-ku, Tokyo, Shinagawa Intercity Building A, 25th to 27th floors
Introduction time: September 2019
Introduced products: McAfee MVISION ePolicy Orchestrator, McAfee Endpoint Security, McAfee Endpoint Security Adaptive Threat Protection
URL: https://www.cresco.co.jp/
Established in 1988 through the merger of an IT infrastructure system construction company and a microcomputer system development company. Currently, as an independent system integrator that provides a wide range of IT services, the company covers a diverse range of technical fields, including application development technology, platform construction technology, and embedded technology, as well as the development of cutting-edge technology (AI, IoT, robotics, etc.). Major customers are wide-ranging, including banking, insurance, distribution, travel, transportation, recruitment, automobiles, home appliances, and medical equipment.

*Information at the time of interview.
