Trellix

Kita Ward, Tokyo

Selected FireEye to prevent information leaks caused by targeted cyberattacks. Achieved robust security measures in step with the increase in zero-day attacks.

Points

  • Threats that were previously invisible can now be identified
  • Easy to operate, because alerts are raised only for genuinely dangerous threats
  • Information leaks are blocked immediately by coordinating the initial response with the network monitoring service
Ms. Akiko Kikuchi
Citizen Information Officer, Citizen Information Division, Citizens Department, Kita Ward, Tokyo

Mr. Yoshikazu Sugita
Senior Staff, Citizen Information Division (Electronic Ward Office), Citizens Department, Kita Ward, Tokyo

Renewal of information system network to strengthen response to targeted cyberattacks

Located at the northern end of Tokyo's 23 wards and bordering Saitama Prefecture across the Arakawa River, Kita Ward is blessed with abundant water from the four rivers that flow through it, including the Sumida and Shakujii. It developed as a cultural city with a strong industrial base. Beginning with the construction of the Takinogawa Reverberatory Furnace at the end of the Edo Shogunate, and from the Meiji period through the mid-Showa period, the spinning, paper-manufacturing and food-manufacturing industries grew here, taking advantage of a location where water was readily available. Building on the history and cultural heritage that supported Japan's modern industrial development, the ward is still home to many creative small and medium-sized enterprises working on cutting-edge technology and next-generation products. That spirit of originality and ingenuity has much in common with the IT strategy of the Kita Ward Office, which administers the ward.

Ms. Akiko Kikuchi, Citizen Information Chief, Citizen Information Division, Citizens Department, Kita Ward, Tokyo, describes the background and challenges of the ward's IT as follows. "Kita Ward has a history of introducing IT relatively early compared with other local governments. With regard to information security, we took the lead in introducing biometric authentication at login and in preventing information leaks by controlling items taken outside the ward office. We have implemented strong security measures. Recently, targeted cyberattacks against local governments have increased rapidly, and how to prevent them has become a major issue. We therefore completely renewed the information system network within the government building, and decided to use this as an opportunity to further strengthen our response to targeted cyberattacks."

The Kita Ward Office runs two networks: a core system that manages and operates information such as resident records and taxes, together with the integrated administrative network (LGWAN), and an information network that connects to the Internet. In 2015 the ward carried out a major renewal of its information network. Mr. Yoshikazu Sugita, senior staff member of the Citizen Information Division (Electronic Ward Office), Kita Ward, Tokyo, said he was concerned about the increasingly sophisticated and diversified cyberattacks of recent years.

"With the threat of zero-day attacks increasing day by day, we had been considering countermeasures against targeted cyberattacks since the summer of 2014, out of concern about the information leaks that had been coming to light in the market for some time. The detection details of the anti-virus software we had introduced were unclear, and the heuristic scanning function in particular had a high rate of false positives. I decided to select a new security product with emphasis on these points."

Effectiveness of the "Box" (sandbox) device against unknown malware, as indicated by the Ministry of Internal Affairs and Communications

Initially, next-generation firewalls and IPS products were under consideration, but what attracted the most attention was the "Design and development of intermediate server software related to information collaboration platforms for local governments", issued by the Ministry of Internal Affairs and Communications in conjunction with the enforcement of the My Number system at the time. Its work-contract "system design document" (guideline) set out security measures for using a shared-environment network, and there the effectiveness of the "Box" (sandbox) device as a countermeasure against unknown malware was highlighted.

Mr. Sugita says, "Zero-day attacks have the problem that they cannot be detected by signatures. Box products can detect threats by executing suspicious behavior in a simulated environment. I thought that this would be possible."

Three criteria were used to select a Box product: 1) ease of operation, 2) visualization of threats, and 3) ease of initial response. Mr. Sugita says he wanted a product that would let both the resident vendor staff operating the system and Kita Ward's own system staff easily understand what had been detected. Two representative products were therefore shortlisted and evaluated in practice. One of these was the "FireEye NX series" (hereinafter "FireEye") provided by Macnica.

In October 2014, actual units of both products were ordered for verification, and they were evaluated for two weeks under the same conditions and in the same network position, in a setup resembling the production environment. After evaluating the trial operation and the specifics of day-to-day operation, FireEye was ultimately selected.

"We detected several threats during the trial run. The other product raised over 1,000 alerts in two weeks, and we would have had to start by checking the contents of each. FireEye, on the other hand, raised only 10 alerts. Moreover, it dynamically analyzes how the malware behaves in its own virtual execution environment and narrows the alerts down to only those that truly pose a threat, which makes it easy to prioritize the response and reduces time-consuming handling. We thought it would also be effective against targeted cyberattacks," says Mr. Sugita.

On the management screen, summary and detailed information about the analysis results are displayed in chronological order, and the types of intrusion methods attempted are visualized in an organized way, making them easy for administrators to understand. "The PoV (Proof of Value) report was clear, and any questions I had during the verification process were explained step by step by Macnica's SE; the content was logical and I felt it could be trusted." (Mr. Sugita)

Monitoring communication traffic with FireEye to respond to web-based attacks that are difficult to defend against

FireEye was introduced in June 2015 and went into full-scale operation in July 2015. It protects a total of about 3,400 terminals used by Kita Ward Office staff and by school staff connected to the school affairs support system.

Specifically, FireEye constantly monitors web communication traffic. When a threat is detected, an alert is sent to the administrator, who quickly establishes what is happening on which device and contacts the user of that device. At the same time, to prevent similar infections and to stop callback communication from infected terminals to the C&C server, the network equipment blocks communication based on the destination information obtained from the logs. Terminals suspected of infection are immediately isolated from the network, investigated, and dealt with. The suspicious communication is also reproduced in the MVX (virtual execution engine), and while the event is analyzed in detail, the incident is confirmed and reported in detail on the FireEye management screen. By combining the log information of each device, the website that was the source of the detection can also be identified. Finally, the terminal's disk is replaced regardless of whether a malware infection is confirmed.
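The response loop just described (contact the user, block the callback destination, isolate the terminal, identify the source website) as an added example, not code from Kita Ward, Macnica or FireEye. The alert record format and all sample values are constructed for illustration and do not represent FireEye's real output.

```python
# Added example: turning confirmed alerts into the three response actions
# described in the case study. Alert format and values are hypothetical.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Alert:
    host: str         # terminal that triggered the alert
    user: str         # user logged on to that terminal
    source_url: str   # website the download came from
    callback: str     # C&C destination seen during dynamic analysis, "" if none
    verdict: str      # "malicious" or "benign" after dynamic analysis


# Constructed sample alerts (placeholder hosts, users and addresses)
SAMPLE_ALERTS = [
    Alert("pc-0412", "user01", "http://example.test/news/", "198.51.100.23:443", "malicious"),
    Alert("pc-0777", "user02", "http://example.test/news/", "198.51.100.23:443", "malicious"),
    Alert("pc-0901", "user03", "http://benign.example/", "", "benign"),
    Alert("pc-1203", "user04", "http://media.example/dl/", "203.0.113.9:8080", "malicious"),
]


def triage(alerts):
    """Derive the actions the workflow calls for from a batch of alerts.

    Only alerts confirmed malicious by dynamic analysis produce actions;
    benign verdicts are left alone so that the operator is not flooded.
    """
    confirmed = [a for a in alerts if a.verdict == "malicious"]
    # who to contact: one user per affected terminal
    contacts = {a.host: a.user for a in confirmed}
    # what to block at the network edge: callback destinations, deduplicated
    block = sorted({a.callback for a in confirmed if a.callback})
    # which terminals to isolate from the network
    isolate = sorted(contacts)
    # which websites were the source, so their administrators can be notified
    sites = {}
    for a in confirmed:
        sites.setdefault(urlsplit(a.source_url).netloc, set()).add(a.host)
    return {
        "contact": contacts,
        "block": block,
        "isolate": isolate,
        "sites": {site: sorted(hosts) for site, hosts in sites.items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```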

Since 2015, the Kita Ward Office has regularly conducted drills against targeted e-mail attacks. Since FireEye went live, however, it has detected about one or two attacks per month, all of them web-based.

According to Ms. Kikuchi, "Thanks to our training, our employees are highly vigilant against targeted e-mail attacks, but it is not easy to consciously prevent malware infection through web browsing. With the introduction of FireEye, it is now possible to prevent targeted cyberattacks via the web, which are difficult to defend against."

Mr. Sugita notes the effect of FireEye: "Since it is easy to understand which terminals are being attacked, when and from where, and which terminals are infected and communicating with the C&C server, we are satisfied that it has delivered the results we evaluated it for."

FireEye helps raise the security level of society as a whole

On the significance of introducing FireEye, Ms. Kikuchi says, "If malware is detected, we can alert the administrator of the website that has been tampered with. I think raising their security level will also lead to improving the security level of society as a whole."

From FY2017, the information system network will need to be connected to the core network and to the general administrative network (LGWAN) in order to perform the cooperation required for My Number operation. In addition, the Ministry of Internal Affairs and Communications has requested that the network within the agency be restructured in line with the "Local government information system resilience improvement model."

Looking back on this project, Ms. Kikuchi said, "From the evaluation stage of FireEye onward, Macnica gave accurate support for our questions and operational concerns, and I felt that they had deep knowledge." Mr. Sugita added, "We look forward to continued professional advice as the ward takes on new challenges to strengthen security."

In response to these expectations, Macnica will mobilize its knowledge to support Kita Ward's efforts at continuous improvement.

User Profile

Kita Ward, Tokyo

Location

〒114-8508
1-15-22 Ojihonmachi, Kita-ku, Tokyo

Date of introduction

June 2015

URL

http://www.city.kita.tokyo.jp/
Located in the northern part of Tokyo's 23 wards, Kita Ward is a special ward with a population of about 330,000 living in an area of 20.59 square kilometers, about 2.9 km east to west and about 9.3 km north to south. The four rivers of Arakawa, Sumida, Shakujii, and Shingashi flow through the ward; its waterfront has many parks that are popular spots for viewing cherry blossoms, and it has 11 stations, the most of the 23 wards. Since 1999, the ward administration has been run according to four key strategies built around the keywords "children," "energy," "flowers and greenery," and "safety and security."

*Information at the time of interview.

Inquiries / document requests

Macnica Trellix Co., Ltd.

  • TEL: 045-476-2010 (Mon-Fri 8:45-17:30)