"From the Frontlines of Cyber Security": A Discussion among Security Experts
Cyber attacks, particularly Advanced Persistent Threats (APTs), have been occurring frequently in Japan. In many cases, these attacks have a serious effect on the organizations targeted. What kinds of issues are involved and what kinds of measures are being taken on the front lines of security? How do security experts fight against invisible enemies and adversaries? NEC gathered together some of its top domestic and foreign security experts who have a deep and unique understanding of cyber security to talk about the frontline issues they are facing. (Moderator: Jun Goto, Senior Expert, Cyber Security Strategy Division. Panelists: CSIRT supervisor; malware analysis manager; IR (Incident Response) manager; SOC (Security Operation Center) manager; forensics manager; web diagnosis manager; and secure development and operations manager. The discussion was conducted in October 2015.)
Theme 1. What are some of the current threats to security and what are the issues faced by the CSIRT?
More companies and organizations are establishing a Computer Security Incident Response Team (CSIRT) to handle problems that conventional IT departments cannot solve. Once a security incident occurs, top management and staff on the front lines must work together to take measures to handle media fallout and any legal ramifications. However, although many companies are establishing CSIRT units, in reality, members of these units also often have regular work responsibilities, which can cause problems with the functionality of the CSIRT. How are security threats changing and what kinds of issues are there with CSIRT?
Security threats are becoming more complex and sophisticated.
Goto: Targeted attacks on companies and government agencies are becoming more complex and sophisticated every year. What do the members of the roundtable think about these changes?
CSIRT supervisor: Since 2011, NEC too has been the target of intermittent attacks. Over the last year in particular, the number of attacks by unknown malware that is not caught by conventional virus definition databases has increased. For instance, it is very difficult to detect malware in password-protected zip files that are attached to e-mail. Even if we take countermeasures, the attackers will immediately change their attack patterns, so it is like chasing your tail.
Malware analysis manager: In June 2015, damage caused by the remotely operated virus "Emdivi" was a big story in Japan. The infamous information leak from a government organization was one of the incidents traced to this attack, but the number of industries targeted by this virus keeps growing, and today it has become a widespread problem in all types of companies of every size. A feature of Emdivi is that it can be remotely operated from the outside, so that once it is inside an organization's network, it will search the information on the computers within the organization and send the internal data of the targeted company to the external attack server. There are cases in which all data was stolen in hours, and other cases in which the virus resided within a system for over a year on multiple computers while conducting these illegal searches. NEC has been exchanging information with government-related external organizations and various security vendors, and we are working day and night to prevent damage to our customers.
CSIRT supervisor: When unknown malware is detected, for example a targeted e-mail attack, we not only depend on sandbox products; our security staff also try to determine the nature of the attack from past attack trends and know-how based on analysis of changing attack methods. The IT departments at regular companies simply do not have the human resources to defend against these types of attacks.
SOC manager: There are some customers who say, "Our company does not have the kind of information assets that will be targeted." This, however, is a big mistake. In the past few years, targeted attacks known as watering hole attacks have been on the increase. The websites of regular companies in Japan have been used as illegal stepping stones to gain access to the actual target companies, and even though these regular companies are also victims, they are sometimes treated as the perpetrators. In these cases, even if security measures were taken, unless those companies can prove that there were illicit activities of which they were unaware, they are likely to lose the trust of their customers and incur damage to their brand image. Because any company can become involved in a serious security incident, activities to protect your own company are very important, and are even one of your social responsibilities.
CSIRTs need to be operated properly.
Goto: CSIRT units monitor and improve internal environments when things are normal, and once an incident occurs, they play a central role in implementing countermeasures. However, many companies and organizations seem to have problems operating their CSIRTs.
CSIRT supervisor: It is a good trend for us that people are paying attention to CSIRTs, but in many regular companies, CSIRT staff are selected from various departments and asked to double as members of the CSIRT. There are even cases when a single individual is given all the responsibility. Even if an expert is designated, that person needs a human network within the organization that should be trained on a regular basis; otherwise things will not go smoothly if an incident occurs and the damage will spread.
SOC manager: SOC staff provide incident information to the CSIRT or IT department. The department that was contacted takes initial action to respond to the incident and coordinates with related departments. However, this is often the area that is not working. Specifically, we once had a case where a customer left decision-making completely up to us saying, "We will leave all security work up to you," with the result that even though our job was only monitoring the equipment, we were forced to do the subsequent investigative work. There have also been cases in which even though a CSIRT was established, the logs necessary for investigative analysis were not stored appropriately, so investigative analysis could not be conducted.
Goto: In other words, it's not just a matter of making a CSIRT and then forgetting about it.
SOC manager: That is correct. Security threats are evolving on a daily basis and attackers use one new attack method after another. Therefore, the people in CSIRTs must watch the attack trends and gain the expertise and know-how to handle sudden incidents.
It is vital to make frontline risks visible in companies and organizations, and for top management to understand the issues involved.
CSIRT supervisor: With respect to protecting internal business information from security threats, NEC is in the same boat as its customers. That is why NEC has been researching advanced security technology since the 1990s and developing and improving its internal organization. We also have a long history of operating a CSIRT, since we first established one in 2002. We have been building a database that will allow us to take immediate action by comprehensively collecting and storing new incident information, and information about threats and vulnerabilities. We also have an organization that will allow immediate use, if necessary, of the tens of thousands of pieces of information collected so far.
IR manager: It is important to get top management to better understand the risks involved in information security. It is said that the cost effectiveness of security measures is hard to see; however, by visualizing the impact on management when certain kinds of incidents occur, it will be easier for top management to make investment decisions. It is necessary for top management to recognize the minimum human resources required to prevent or minimize damage. In addition, if an incident should occur, top management should cooperate with the CSIRT to make important corporate activity decisions and to demonstrate leadership.
Goto: So, it is important that top management accurately understands current problems in the workplace.
Column: What are the roles of SOC and CSIRT?
Currently, the number of companies establishing or considering establishing a SOC or CSIRT is growing. At the same time, there are also many companies that have established these centers/teams but are not operating them effectively. SOC (Security Operation Center) is a generic term for an organization that monitors security appliance products and server logs to discover incidents, and it acts as a guard. CSIRT (Computer Security Incident Response Team) is a generic term for an organization that handles any discovered incidents, and it plays the role of an investigator that prevents damage from spreading.