283 Hitachi Review Vol. 63 (2014), No. 5

Featured Articles

Managed Security Services to Address Increasingly Sophisticated Cyber-attacks

Yoshitaka Narishima, Shinichi Kasai, Takayuki Sato, Masaki Mori, Akihiko Fujita

OVERVIEW: Companies and organizations have been facing increasingly severe security risks in recent years as cyber-attacks have grown more complicated and sophisticated. Also, as cloud services have spread, the connection of information appliances and control system devices to the Internet has added to the complexity of the information systems that must be protected. Managed security services are a group of integrated services that provide everything from consulting to operations and the application of security measures. These services include technical assistance in the handling of incidents by applying Hitachi’s knowledge, and security event monitoring services that apply know-how in both construction and operations, thereby enabling the provision of solutions that are tailored to the information systems that are being protected and contributing to the safety and security of the social infrastructure.

INTRODUCTION

Information technology (IT) is increasingly being utilized to achieve an advanced social infrastructure that provides greater user convenience. As the role of IT systems grows in this type of social infrastructure, ensuring safety and security is becoming more and more important.

Companies and organizations have been facing stark security risks in recent years as cyber-attacks have grown more complex and sophisticated. This includes more advanced targeted e-mail attacks and larger distributed denial of service (DDoS) attacks, among others. Cyber-attacks target specific organizations or individuals and relentlessly attempt to steal confidential or personal information and to cripple IT system services, and even to extort money.

The information systems that must be protected used to be set up within the organizations, but due to the spread of cloud services, they can now be located outside the organizations and on the Internet. With internal corporate information systems sometimes linked to cloud services as well, the boundaries between security regions are becoming less clear, and the administration of security increasingly complicated. Also, in addition to personal computers (PCs) and other such IT devices, information appliances, control system devices, and other devices are now being connected to the Internet. This makes a much larger number of system environments vulnerable to cyber-attacks, making the scale of the threats even greater.

Against the background of these threats, in addition to taking security measures based on defense in depth in order to protect information systems from cyber-attacks, the need is also growing for the immediate detection of incidents when an attack occurs, so that events can be handled rapidly to hold damage to a minimum. To this end, monitoring systems must be strengthened, with advanced log management systems that constantly monitor the complex IT systems, as well as an organization comprised of engineering staff with the technical skills required to take necessary measures quickly. Also, the need for security operations and security measures has been spreading as the operational burden placed on information system departments increases along with the security expertise required.

This article discusses managed security services, which are a set of comprehensive security measures designed to protect social infrastructures and information systems from more complicated and sophisticated cyber-attacks.


MANAGED SECURITY SERVICES

Offerings from Hitachi include managed security services that oppose cyber-attacks and other threats. These security solutions, everything from consulting to the application of security measures and operational services, provide total support for companies in the social infrastructure field and a variety of other industries and business categories, as well as for public agencies and local governments.

These services manage security during the operational phases of IT systems with expanded needs in outsourcing security measures and operations, and not only do they “protect IT,” they offer an integrated set of security services designed for the “protection via IT.” Managed security services comprise three categories: “managed security governance,” “managed channel security,” and “managed platform security,” which can propose and provide the right solution for the information system being protected, as well as the responsible office and department in the organization (see Fig. 1).

The features of each of these three service categories are described below.

Fig. 1—List of Menu Options for Managed Security Services. The systems defended by each category of managed security services are shown above. The table lists the service menu options available in each category.
• Managed security governance (protects business operations; defended targets: CISO/CIO, business divisions, information systems departments)
  Security consulting service: review of policies and BCPs; security policy formulation support; security risk analysis support; business continuity management formulation support
  Security diagnosis service: IT infrastructure vulnerability diagnosis; malware inspection
  Intelligence service: system vulnerability information provision; harmful rumor surveys regarding specific sites
  CSIRT technical support service: incident response support; CSIRT operation support within organizations; targeted attack mail training
  Feature overview: knowledge about how to protect business operations suited to the cyber age; situation assessment based on a wealth of intelligence; rapid and accurate incident handling
• Managed channel security (protects service channels; defended targets: customers reached through external cloud service channels such as the Web)
  Website protection service: protection against unauthorized access (Web application firewalls); website DDoS measures
  Website check service: Web system vulnerability diagnosis; tampering detection
  Feature overview: securement of customer service channel availability; sensor protection for service channels, networks, etc.
• Managed platform security (protects internal corporate systems, business systems, information systems, and control systems)
  E-mail security service: anti-virus, anti-spam; content filtering
  Web security service: URL filtering during Web browsing; anti-virus
  Security event monitoring service: integrated log management; log correlation analysis
  Virtual server protection service: virtual UTM operation support
  Feature overview: “Keep it out,” preventing the incursion of malware; “Don’t let it spread,” early detection and handling of incursions; “Don’t let it leave,” if an infection occurs, prevent information leakage; monitoring and support system for protecting information systems
BCP: business continuity plan CISO: Chief Information Security Officer CIO: Chief Information Officer IT: information technology CSIRT: cybersecurity incident readiness/response team DDoS: distributed denial of service URL: uniform resource locator UTM: unified threat management

Achieving Dynamic Security Management

In order to strengthen measures against vulnerabilities in managed security services, in addition to improvements based on the “PDCA cycle,” with planning that involves constructing cybersecurity incident readiness/response teams (CSIRT) within organizations and reviewing business continuity plans (BCPs) (plan), measures and operations (do), inspections and audits (check), and improvements and corrections (act), the “OODA loop” concept is also adopted in order to achieve decision making that is both rapid and rational, through a series of steps that includes monitoring (observe), situational analysis (orient), decision making (decide), and action (act). This method is used to strengthen dynamic security management in the operational stage, to establish policies based on the assumption that incidents will occur, and to implement stronger and more rapid security measures (see Fig. 2).

Fig. 2—Relationship between PDCA Cycle and OODA Loop. In addition to the continual improvements of the PDCA (plan, do, check, act) cycle, operations based on the OODA (observe, orient, decide, act) loop are adopted in order to strengthen security in the operational (do) phase.
• PDCA cycle: Plan (planning), Do (measures and operations), Check (inspections and audits), Act (improvements and corrections)
• OODA loop, strengthening security during the operational phase: Observe (monitoring), Orient (situational analysis), Decide (decision making), Act (action)

Applying the Incident-handling Know-how of a Team of Professionals

The Hitachi Incident Response Team (HIRT), which acts as a CSIRT with responsibility for cyber-attack measures, is a team of professionals within Hitachi with extensive know-how in handling incidents. HIRT cooperates with global partners to analyze and monitor intelligence on behalf of the customer’s internal CSIRT, while offering various services including a “CSIRT technical support service” that provides related information and necessary responses, as well as an extremely advanced security operation and management system that is active 24 hours a day and 365 days a year.

Flexible Support for Cloud Environments

Complex security measures and operations are provided for multiple system environments including on-premises environments, cloud environments, distributed cloud environments, and others. Also, by providing services such as “virtual server protection services” and “security event monitoring services” that enable detailed individual security measures that have been difficult under cloud environments in the past, flexible support for cloud environments is achieved.

CATEGORIES AND SERVICE MENUS

Service menu options that warrant attention are described below for each of the three categories of managed security services.

Managed Security Governance

Managed security governance, which protects business operations, is comprised of professional consultation services and other services based on the knowledge accumulated as part of Hitachi’s internal information system management, in addition to knowledge accumulated as part of activities supporting customer businesses (see Fig. 3).

Fig. 3—Managed Security Governance Menu Configuration. This diagram shows the service menus provided for managed security governance, and the relationship between the menus and the PDCA cycle and OODA loop.
• Strengthened measures to avoid vulnerabilities: construction of CSIRT within organization; review of BCP, etc.; implementation of periodic diagnosis
• Operations based on assumption that incidents will occur: early detection of signs and abnormalities; visualization of situation; judgments based on information
• Security consultation: security policy and BCP formulation support; ISMS/CSMS authentication acquisition support; support for construction of CSIRT/SOC within organizations
• Intelligence: vulnerability information, including independently acquired information; information regarding new and other threats; global threat reports
• Security diagnosis: vulnerability diagnosis; malware investigation; security monitoring
• CSIRT technical support: distribution of intelligence affecting customers; response to inquiries regarding intelligence; incident response support
ISMS: information security management system CSMS: cybersecurity management system SOC: security operation center

The process of continual improvement activities through the PDCA cycle in information security management is an effective way to ensure information security in social infrastructures and IT systems. Security consulting services support the formulation of an organization’s security policies and the analysis of security risks based on the ISO/IEC 27001 international standard for information security management. Organized and systematic security management is promoted by providing and working to establish these types of security management efforts for customers.

Mechanisms and systems that can rapidly handle incidents are necessary to deal with increasingly sophisticated cyber-attacks. By quickly acquiring valuable information such as newly discovered cyber-attack techniques and vulnerabilities, cyberterrorism information, and so on, it is possible to hold an advantage when it comes to implementing cyber-attack measures as well. Intelligence services exist that gather this type of threat information using a global intelligence network, in order to provide the information in a rapid and comprehensive manner. In addition to technical information, the intention behind each attack is also provided along with surrounding conditions, so that the scale of the threat can be determined with greater specificity. Information such
as zero day vulnerabilities newly discovered in known vulnerability information as well as vulnerability information used to predict future threats is also provided and added to the information content that corresponds to the organization’s system.

Finally, based on the gathered threat information and the log management system described below, the way incidents are actually handled is key, and the CSIRT inside the organization is responsible for fulfilling this role. The necessity of this type of system has increased in recent years, and a variety of different organizations including financial institutions have been constructing systems. A CSIRT technical support service provides operational support including incident handling and cyber-attack analysis for newly launched organizations. In the future, as cyber-attacks evolve even further, it is expected that still higher levels of security expertise will be required, and the need for these types of support services will increase.

Managed Channel Security

Managed channel security is a service that protects the customer’s services by defending public websites from threats in an external cloud.

This service has become indispensable for business, and due to the fact that the public websites that are used in actual business involving the provision of corporate information and various business deals are always exposed to the Internet, they are ideal targets for attackers. There have been many cases recently of vulnerabilities in websites being exploited to tamper with the sites. Although in the past these types of attacks mainly involved displaying a flag or some other image, recently websites have been tampered with in ways that are not visible, with viruses injected in many cases. Users accessing such a site are unknowingly infected with the virus, and personal information and other information is stolen as a result. Not only is the organization with a website that has been tampered with a victim, it can also conceivably be seen as the party perpetrating the harm to its Web users, and so the strengthening of security is an urgent issue. Website protection services continuously defend public websites with DDoS attack measure services to protect websites from attacks coming from large-scale, globally distributed platforms, as well as Web Application Firewall (WAF) services.

Managed Platform Security

Managed platform security is a service that defends the customer’s information and control systems from threats (see Fig. 4).

Based on the “defense in depth” concept, multiple layers of defenses include “internal measures” designed to prevent incursions by malware, “proliferation measures” designed to quickly detect any incursions and prevent them from proliferating, and “outbound measures” designed with goals that include preventing information from leaking in the case of an infection. Although outbound measures that do not allow information leaks are also important, internal measures must act as the first line of defense by reducing the incursion of targeted attack e-mail and other such threats inside the organization. The e-mail security service is a Software as a Service (SaaS) type service that provides multiple functions, including highly accurate anti-spam functions, as well as anti-virus functions that combine multiple commercial virus scanners with a proprietary artificial intelligence engine. Each advanced detection function enables the reduction of unwanted e-mail within the organization, thereby improving organizational work efficiency. It is also possible to take advantage of the SaaS features to reduce the time required to adopt security measures, cut costs, and decrease the burden of management.

The use of cloud solutions such as Hitachi Cloud Solutions is growing. Benefits to the adoption of cloud solutions include a reduction in both cost and development time. On the other hand, concerns in the area of security are acting as an obstacle to usage. With a managed security service, in addition to the security provided by each cloud platform, functions such as firewalls and intrusion protection systems (IPSs) are also provided as virtual server protection services, with detailed settings and log analysis that are the same as for an on-premises environment.

In these types of systems as well, where on-premises environments are mixed with cloud environments utilizing virtualization technology, it is necessary to monitor each type of device on a regular basis in order to quickly detect security abnormalities, and to tie this in to the handling of incidents. Security event monitoring services provide comprehensive monitoring of systems in hybrid environments that include cloud services, detecting incidents at an early stage while offering advanced and rapid incident handling support by a team of professionals, in collaboration with Hitachi’s Security Operation Center (SOC).

Fig. 4—Managed Platform Security Menu Configuration. This diagram shows the service menus provided for managed platform security, and the relationship between the menus and the PDCA cycle and OODA loop.
• Virtual server protection: firewalls, IPSs, and other individual security functions are added to virtual servers in the cloud.
• Security event monitoring: events are detected early through correlation analysis of logs from various types of devices in realtime.
• E-mail security: anti-virus, anti-spam; content monitor
• Web security: anti-virus; URL filtering
IPS: intrusion protection system

CASE STUDIES AND EFFECTS OF ADOPTION

Managed security services are provided as a set of services offering comprehensive security measures. Examples of adopted service menu options are described below.

E-mail security services are used by financial institutions as well as many other types of companies. A large number of customers have reported that the internal workload placed on their companies was decreased after the services were adopted, due to the high rate of detection. The support system, which is active 24 hours a day and 365 days a year, has been given high marks for providing customer service for incidents whenever they occur. Also, since the time required to adopt the services is short, there are even cases where the services are adopted as a measure while a targeted e-mail attack is already occurring.

Security event monitoring services used to be adopted with the goal of acquiring and storing logs in compliance with internal regulations and other such standards, but recently they have been adopted with increasing frequency in order to proactively detect cyber-attacks. It is possible to detect suspected incidents essentially in realtime by applying optimal detection rules based on past results using large amounts of collected logs. Also, by additionally using support services provided by expert engineers, not only is it possible to greatly reduce the time required to handle incidents after detection, the progression of damage can also be held in check. As a result, the effects of damage are either eliminated or minimized (see Fig. 5).

CONCLUSIONS

This article discussed managed security services, which are a set of comprehensive security measures designed to protect social infrastructures and information systems from increasingly complicated and sophisticated cyber-attacks.

Fig. 5—Security Event Monitoring Service Overview. These services can be provided for both on-premises and cloud environments. This diagram shows the relationship between defense, monitoring, and measure security operations available as outsourcing services.
• On-premises environment: (1) Defense by firewalls, IPS, etc. in front of various types of servers; (2) Monitoring; (3) Measures
• Cloud environment: (1) Defense by virtual server protection on the cloud platform; (2) Monitoring; (3) Measures
• Hitachi Security Operation Center: security event monitoring and CSIRT technical support
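The security event monitoring service described above and in Fig. 5 detects incidents by correlating logs from different device types, and managed platform security frames its defenses as three layers (keep it out, don’t let it spread, don’t let it leave). The following Python sketch is an added example of that correlation idea and is not Hitachi’s code or any part of the service: the log record format, the device names (mailgw, av, proxy), the executable-extension list, the 1 MB outbound threshold and the 30-minute window are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Toy correlation of logs from several device types against defense-in-depth layers."""
import re
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp source key=value ..." format,
# from a mail gateway, an endpoint anti-virus agent and a Web proxy. Not real data.
SAMPLE_LOGS = [
    "2014-05-01T09:00:05 mailgw host=pc-alice rcpt=alice@example.test attachment=invoice.exe verdict=delivered",
    "2014-05-01T09:03:40 av host=pc-alice event=malware_detected file=invoice.exe action=quarantine_failed",
    "2014-05-01T09:05:12 proxy host=pc-alice dst=203.0.113.77 bytes_out=5242880 verdict=allowed",
    "2014-05-01T10:15:00 av host=pc-bob event=malware_detected file=game.exe action=quarantined",
    "2014-05-01T11:00:00 proxy host=pc-carol dst=198.51.100.9 bytes_out=1024 verdict=allowed",
    "this line is not a log record",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*(?P<rest>.*)$")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs")   # assumed list of risky attachment types
LARGE_UPLOAD_BYTES = 1_000_000               # assumed outbound-volume threshold


def parse_line(line):
    """Parse one record into a dict with a datetime 'ts'; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    ev = {"ts": ts, "src": m.group("src")}
    for kv in m.group("rest").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            ev[key] = value
    return ev


def classify(ev):
    """Map one event to the defense-in-depth layer whose weakening it signals, or None.

    keep_it_out        - an executable attachment was delivered by the mail gateway
    dont_let_it_spread - endpoint AV saw malware but did not contain it
    dont_let_it_leave  - the proxy allowed a large outbound transfer
    """
    src = ev.get("src")
    if (src == "mailgw" and ev.get("verdict") == "delivered"
            and ev.get("attachment", "").lower().endswith(EXEC_EXT)):
        return "keep_it_out"
    if (src == "av" and ev.get("event") == "malware_detected"
            and ev.get("action") != "quarantined"):
        return "dont_let_it_spread"
    if src == "proxy" and ev.get("verdict") == "allowed":
        try:
            if int(ev.get("bytes_out", "0")) >= LARGE_UPLOAD_BYTES:
                return "dont_let_it_leave"
        except ValueError:
            pass
    return None


def correlate(lines, window_minutes=30, min_layers=2):
    """Group events per host; raise an incident when signals from at least
    min_layers distinct layers fall within the window after an anchor event."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in map(parse_line, lines) if e is not None and "host" in e]
    events.sort(key=lambda e: e["ts"])
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    incidents = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            layers = {}                      # layer -> time it was first seen
            for ev in evs[i:]:
                if ev["ts"] - anchor["ts"] > window:
                    break
                layer = classify(ev)
                if layer and layer not in layers:
                    layers[layer] = ev["ts"]
            if len(layers) >= min_layers:
                incidents.append({
                    "host": host,
                    "layers": list(layers),
                    "severity": "high" if len(layers) == 3 else "medium",
                    "first_seen": anchor["ts"].isoformat(),
                    "last_seen": max(layers.values()).isoformat(),
                })
                break                        # one incident per host in this toy
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

On the constructed input only pc-alice produces an incident: all three layers fire within five minutes, so it is rated high, while pc-bob (malware quarantined) and pc-carol (a small allowed upload) raise nothing. Narrowing the window to one minute suppresses the pc-alice incident as well, which illustrates why the tuning of rules against past results that the article mentions matters as much as the rules themselves.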


Hitachi is itself dealing with a wide range of security issues as a group of companies, from diversifying system environments to cyber-attacks that are growing more advanced. As part of this process, group members with specialized skills use their knowledge to select countermeasures, and the security measures that represent the best practices are implemented. Efforts to expand menu options for managed security services will continue through the utilization of know-how that has actually been applied and the latest technologies. These efforts are aimed at achieving social innovation, and are based on infrastructure technology that has been cultivated over many long years, advanced IT, and security measures. This is why in addition to corporate systems, Hitachi is strengthening security measures that can be applied to social infrastructure systems including control systems as well.

Hitachi will continue to work towards solutions on all sorts of issues in partnership with its customers, thereby contributing to the achievement of a safe and secure society.

ABOUT THE AUTHORS

Yoshitaka Narishima
Systems Department 1, Security Solution Operations, Services Creation Division, Information & Telecommunication Systems Company, Hitachi, Ltd. He is currently engaged in proposal and implementation of security services.

Shinichi Kasai
Systems Department 1, Security Solution Operations, Services Creation Division, Information & Telecommunication Systems Company, Hitachi, Ltd. He is currently engaged in proposal and implementation of security services.

Takayuki Sato
Systems Department 1, Security Solution Operations, Services Creation Division, Information & Telecommunication Systems Company, Hitachi, Ltd. He is currently engaged in development and proposal, and implementation of security services.

Masaki Mori
Secureplaza Business Promotion Department, Security Solution Operations, Services Creation Division, Information & Telecommunication Systems Company, Hitachi, Ltd. He is currently engaged in sales of security solutions, including security services.

Akihiko Fujita
Network Services Division, Cloud ICT Service Business Group, Hitachi Systems, Ltd. He is currently engaged in development and proposal, and implementation of security services.
