
283 Hitachi Review Vol. 63 (2014), No. 5
Featured Articles

Managed Security Services to Address Increasingly Sophisticated Cyber-attacks

Yoshitaka Narishima
Shinichi Kasai
Takayuki Sato
Masaki Mori
Akihiko Fujita

OVERVIEW: Companies and organizations have been facing increasingly severe security risks in recent years as cyber-attacks have grown more complicated and sophisticated. Also, as cloud services have spread, the connection of information appliances and control system devices to the Internet has added to the complexity of the information systems that must be protected. Managed security services are a group of integrated services that provide everything from consulting to operations and the application of security measures. These services include technical assistance in the handling of incidents by applying Hitachi's knowledge, and security event monitoring services that apply know-how in both construction and operations, thereby enabling the provision of solutions that are tailored to the information systems that are being protected and contributing to the safety and security of the social infrastructure.

INTRODUCTION

INFORMATION technology (IT) is increasingly being utilized to achieve an advanced social infrastructure that provides greater user convenience. As the role of IT systems grows in this type of social infrastructure, ensuring safety and security is becoming more and more important.

Companies and organizations have been facing stark security risks in recent years as cyber-attacks have grown more complex and sophisticated. This includes more advanced targeted e-mail attacks and larger distributed denial of service (DDoS) attacks, among others. Cyber-attacks target specific organizations or individuals and relentlessly attempt to steal confidential or personal information and to cripple IT system services, which can even lead to money being exacted.

The information systems that must be protected used to be set up within the organizations, but due to the spread of cloud services, they can now be located outside the organizations and on the Internet. With internal corporate information systems sometimes linked to cloud services as well, the boundaries between security regions are becoming less clear, and the administration of security increasingly complicated. Also, in addition to personal computers (PCs) and other such IT devices, information appliances, control system devices, and other devices are now being connected to the Internet. This makes a much larger number of system environments vulnerable to cyber-attacks, making the scale of the threats even greater.

Against the background of these threats, in addition to taking security measures based on defense in depth in order to protect information systems from cyber-attacks, the need is also growing for the immediate detection of incidents when an attack occurs, so that events can be handled rapidly to hold damage to a minimum. To this end, monitoring systems must be strengthened, with advanced log management systems that constantly monitor the complex IT systems, as well as an organization comprised of engineering staff with the technical skills required to take necessary measures quickly. Also, the need to outsource security operations and security measures has been spreading as the operational burdens placed on information system departments have been increasing along with the required security expertise.

This article discusses managed security services, which are a set of comprehensive security measures designed to protect social infrastructures and information systems from more complicated and sophisticated cyber-attacks.

MANAGED SECURITY SERVICES

Offerings from Hitachi include managed security services that oppose cyber-attacks and other threats. These security solutions, everything from consulting to the application of security measures and operational services, provide total support for companies in the social infrastructure field and a variety of other industries and business categories, as well as for public agencies and local governments.

These services manage security during the operational phases of IT systems with expanded needs in outsourcing security measures and operations, and not only do they "protect IT," they offer an integrated set of security services designed for the "protection via IT." Managed security services comprise three categories: "managed security governance," "managed channel security," and "managed platform security," which can propose and provide the right solution for the information system being protected, as well as the responsible office and department in the organization (see Fig. 1).

The features of each of these three service categories are described below.

[Fig. 1 diagram: models of defended targets (business divisions, external cloud services, customer service channels (Web), sensor networks, internal corporate systems such as business systems, information systems, and control systems, and information system departments), each mapped to one of the three service categories.]

Category: Managed security governance
  Security consulting service
    • Security policy formulation support
    • Security risk analysis support
    • Business continuity management formulation support
  Security diagnosis service
    • IT infrastructure vulnerability diagnosis
    • Malware inspection
  Intelligence service
    • System vulnerability information provision
    • Harmful rumor surveys regarding specific sites
  CSIRT technical support service
    • Incident response support
    • CSIRT operation support within organizations
    • Targeted attack mail training
  Feature overview
    • Review of policies and BCPs suited to the cyber age
    • Situation assessment based on a wealth of intelligence
    • Rapid and accurate incident handling

Category: Managed channel security
  Website protection service
    • Web application firewalls
    • Website DDoS measures
  Website check service
    • Web system vulnerability diagnosis
    • Tampering detection
  Feature overview
    • Securement of customer channel availability
    • Protection against unauthorized access

Category: Managed platform security
  E-mail security service
    • Antivirus, antispam
    • Content filtering
  Web security service
    • URL filtering during Web browsing
    • Antivirus
  Security event monitoring service
    • Integrated log management
    • Log correlation analysis
  Virtual server protection service
    • Virtual UTM operation support
  Feature overview
    • Keep it out: Preventing the incursion of malware
    • Don't let it spread: Early detection and handling of incursions
    • Don't let it leave: If an infection occurs, prevent information leakage.

BCP: business continuity plan, CISO: Chief Information Security Officer, CIO: Chief Information Officer, IT: information technology, CSIRT: cybersecurity incident readiness/response team, DDoS: distributed denial of service, URL: uniform resource locator, UTM: unified threat management

Fig. 1—List of Menu Options for Managed Security Services. The systems defended by each category of managed security services are shown above. The table lists the service menu options available in each category.

Achieving Dynamic Security Management

In order to strengthen measures against vulnerabilities in managed security services, in addition to improvements based on the "PDCA cycle," with planning that involves constructing cybersecurity incident readiness/response teams (CSIRT) within organizations and reviewing business continuity plans (BCPs) (plan), measures and operations (do), inspections and audits (check), and improvements and corrections (act), the "OODA loop" concept is also adopted in order to achieve decision making that is both rapid and rational, through a series of steps that includes monitoring (observe), situational analysis (orient), decision making (decide), and action (act). This method is used to strengthen dynamic security management in the operational stage, to establish information security policies based on the assumption that incidents will occur, and to implement stronger and more rapid security measures (see Fig. 2).

[Fig. 2 diagram: a PDCA cycle labeled "Strengthened measures to avoid vulnerabilities" (construction of CSIRT within organization; review of BCP, etc.; implementation of periodic diagnosis) linked to an OODA loop labeled "Operations based on assumption that incidents will occur" (early detection of signs and abnormalities; visualization of situation; judgments based on information), joined by "Strengthening of security during operational phase."]

Fig. 2—Relationship between PDCA Cycle and OODA Loop. In addition to the continual improvements of the PDCA (plan, do, check, act) cycle, operations based on the OODA (observe,

Applying the Incident-handling Know-how of a Team of Professionals

The Hitachi Incident Response Team (HIRT), which acts as a CSIRT with responsibility for cyber-attack

[Figure panels]

Security consultation
  • Security policy and BCP formulation support
  • ISMS/CSMS authentication acquisition support
  • Support for construction of CSIRT/SOC within organizations

Intelligence
  • Vulnerability information, including independently acquired information
  • Information regarding new malware and other threats
  • Global threat reports

Security diagnosis
  • Vulnerability diagnosis
  • Malware investigation

CSIRT technical support
  • Distribution of intelligence affecting customers