Why we decided on RSA Security Analytics for network visibility

Yumiko Matsubara
Manager, Security Architecture Group
Cyber Security Consulting Department
Recruit Technologies Co., Ltd.

Bio

Yumiko Matsubara
• Planning, building and operating IT in Recruit Technologies' Internal IT Department
• From 2013, planning and building security solutions
• I like: golf, motorbikes and wine

Agenda

• Company Info
• Organization Structure for Security
• Turning Point Issue and Related Incident
• Facing Challenges
• POC
• Security Analytics Usage for Speed-up Decision
• Additional Benefits
• Facing Difficulty: Preparing for H/W Failure
• Voice from Engineer
• Summary and Wish List

Company Info

Name: Recruit Holdings Co., Ltd.
Founded: 1960
Public/Private: IPO 10/2014
Sales: JPY 1.299 tr.
EBITDA: JPY 191.4 bn.
Websites: 200
Mobile applications: 350

BUSINESS MODEL

Delivering Value to Clients and Users by Making Life Easier and More Fulfilling through Optimized Matching

Matching Platform: Consumers (USER) <-> Enterprise (CLIENT)
Clients compensate Recruit for linking them to customers.

BUSINESS MODEL

Information services that support choice

Life event area: Job Hunt, Marriage, Job Change, Home Purchase, Car Purchase, Child Birth, Education
Lifestyle area: Travel, IT/Trend, Lifestyle, Health & Beauty

Service areas: Jobs, Housing, Travel, Dining, Beauty / Fashion, Used Cars, Bridal/Maternity/Baby, Education, Coupon / Daily Deals, Online Shopping

About Recruit Technologies

Strategic IT Company

Functions: Infrastructure/Security, Project Management, UXD/SEO, Internet Marketing, Big Data Solutions, Technology R&D, Systems Development

Group structure under Recruit Holdings
Business/Service companies: Recruit Career, Recruit Sumai Company, Recruit Lifestyle, Recruit Jobs, Recruit Staffing, Recruit Marketing Partners, Staff Service Holdings
Function/Support companies: Recruit Technologies, Recruit Administration, Recruit Communications

Organization Structure for Security

Entire Security Org Structure

Recruit Holdings: Security Management Office, Board
Recruit Technologies: Business security / System security
  Security Architecture Group, Strategy Group, Consulting Group, SOC, IR, QM

Security Org Structure in Recruit Technologies

Strategy Group: Implementation of overall rules governing security
Consulting Group: Review of security measures for new Web development
Security Architecture Group: Testing and introduction of advanced security solutions, systems operation
SOC: Security Operation Center
IRG: Incident Response Group
QM: Quality Management
(SOC, IRG and QM: insourced from Recruit-CSIRT)

Turning Point Issue and Related Incident

Turning Point Issue

Facing Challenges

Our Implementation in the Past

○ Commercial environment threat detection: mainly IDS and WAF
  (Internet-facing services on a private cloud basis; diagram of attacks from the Internet hitting the IDS/WAF omitted)

○ Office environment threat detection: Sandbox
  In addition to the usual signature-type detection, a sandbox appliance is used.

Challenges on Commercial Environment

○ Commercial environment threat detection: IDS and WAF
・ Detected a huge number of password list attacks and other attacks that exploit vulnerabilities
・ Tons of application attack alerts (including false positives)
■ Needed to determine the severity level based on the response code
■ Needed to determine the impact after application log investigation
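The two triage steps above (grade an IDS/WAF alert by the response code the application returned, then confirm impact in the application log) can be scripted. The following is an added example in Python, not Recruit Technologies' tooling or anything shipped by RSA; the WAF alert tuples, the combined-format access log and the login log are constructed for illustration, and the two regular expressions are what you would adapt to a real export. It also flags the password-list (credential stuffing) pattern mentioned above: one source cycling through many distinct usernames with a high failure rate.

```python
"""Triage WAF/IDS alerts against the application's own logs.

Added example in Python, not code from Recruit Technologies or RSA. The
alerts, access-log lines and login-log lines are constructed for this
example; real WAF exports and logs differ, so adapt the two regexes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WAF alerts: (timestamp, source IP, method, path, signature).
WAF_ALERTS = [
    ("2015-10-01T10:00:01+0900", "203.0.113.5", "GET", "/item?id=1%27%20OR%201%3D1--", "sqli"),
    ("2015-10-01T10:00:05+0900", "203.0.113.5", "GET", "/item?id=2%20UNION%20SELECT", "sqli"),
    ("2015-10-01T10:00:09+0900", "198.51.100.7", "GET", "/search?q=%3Cscript%3E", "xss"),
]
# Constructed web server access log (combined log format).
ACCESS_LOG = """\
203.0.113.5 - - [01/Oct/2015:10:00:01 +0900] "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120
203.0.113.5 - - [01/Oct/2015:10:00:05 +0900] "GET /item?id=2%20UNION%20SELECT HTTP/1.1" 500 312
198.51.100.7 - - [01/Oct/2015:10:00:09 +0900] "GET /search?q=%3Cscript%3E HTTP/1.1" 403 0
""".splitlines()
# Constructed application login log: one line per authentication attempt.
LOGIN_LOG = """\
2015-10-01T10:05:00+0900 203.0.113.9 user=alice result=fail
2015-10-01T10:05:01+0900 203.0.113.9 user=bob result=fail
2015-10-01T10:05:01+0900 203.0.113.9 user=carol result=fail
2015-10-01T10:05:02+0900 203.0.113.9 user=dave result=fail
2015-10-01T10:05:02+0900 203.0.113.9 user=erin result=success
2015-10-01T10:07:10+0900 192.0.2.4 user=alice result=fail
2015-10-01T10:07:20+0900 192.0.2.4 user=alice result=success
""".splitlines()

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')
LOGIN_RE = re.compile(r'^\S+ (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$')


def parse_access_log(lines):
    """Parse combined-log-format lines; lines the regex does not match are skipped."""
    entries = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                            "ip": m["ip"], "method": m["method"],
                            "path": m["path"], "status": int(m["status"])})
    return entries


def severity_from_status(status):
    """Triage level from the response code of the attacking request:
    2xx the app served it (payload may have worked: check the application log),
    5xx the handler errored (typical of error-based SQLi),
    4xx it was rejected (403 by the WAF, 404, ...) so it most likely failed."""
    if 200 <= status < 300:
        return "high"
    if status >= 500:
        return "medium"
    return "low"


def triage(alerts, access_entries, window=timedelta(seconds=2)):
    """Join each alert to the access-log entry for the same request (same source IP,
    method and path, timestamps within `window`). Alerts with no matching log line
    are marked "unknown" so an analyst still looks at them."""
    results = []
    for ts, ip, method, path, sig in alerts:
        alert_ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
        match = next((e for e in access_entries
                      if (e["ip"], e["method"], e["path"]) == (ip, method, path)
                      and abs(e["ts"] - alert_ts) <= window), None)
        results.append({"ip": ip, "path": path, "signature": sig,
                        "status": match["status"] if match else None,
                        "severity": severity_from_status(match["status"]) if match else "unknown"})
    return results


def detect_password_list_attacks(lines, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs cycling through many distinct usernames with mostly failures,
    the shape of a password-list (credential stuffing) attack. The occasional
    success is the real finding, so those accounts are reported too."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["users"].add(m["user"])
        rec["attempts"] += 1
        if m["result"] == "fail":
            rec["fails"] += 1
        else:
            rec["hits"].append(m["user"])
    findings = []
    for ip, rec in per_ip.items():
        ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio >= min_fail_ratio:
            findings.append({"ip": ip, "distinct_users": len(rec["users"]),
                             "attempts": rec["attempts"], "fail_ratio": round(ratio, 2),
                             "compromised_accounts": rec["hits"]})
    return findings
```

The response-code grade is only a first cut: a 200 tells you the application answered the injected request, not what it answered with, which is why the slide still lists application-log investigation as a separate step. The "unknown" bucket matters in practice; an alert the access log cannot account for usually means a clock or path-normalisation mismatch, not a harmless request.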

Challenges on Office Environment

○ Office environment threat detection: Sandbox
・ Made C2 communication visible, with risks (including false positives)
■ Needed to check the malware detection log
■ Needed to test on Aguse and VirusTotal to identify malicious sites
■ Needed to analyze malware manually
■ Needed to do computer forensics in some cases

Needed to Accelerate Decision Speed

○ Commercial environment threat detection: IDS and WAF
○ Office environment threat detection: Sandbox

■ No way of checking the impact of the detected communication (data leak or not) or whether an attack was successful
■ Even if there was a way, investigations are time-consuming and expensive
■ To ascertain these impacts, we wanted to record all communications and use them in our investigations

→ Examination of network forensic products launched

POC

FY2014: POC Tests Run on Multiple Products

Products tested: RSA Security Analytics (SA) and Product B
Environments: commercial environment and office environment
4 POC tests run in total (two products in two environments)

SA selected for both environments for superior searchability, performance, and cost
Thanks for the good price, RSA!!

Security Analytics Usage for Speed-up Decision

Easy Deep Investigations

■ Traffic comes through a TAP
■ SOC can determine whether escalation is necessary
■ Monitoring engineers can deep-investigate as part of the monitoring process

■ IR: full packet capture investigation by analyst
  Sensor logs start only after the sensor has raised the alarm; SA traces back before that point, opening the way for full packet capture investigations of what happened before the alert

• Once an SQL injection has been detected by the sensor, a deep investigation is conducted using SA
• SA also detects server-side backdoors inside POST data.
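Both of the SA uses described above (tracing the alerting source back to before the sensor fired, and spotting web-shell traffic inside POST bodies) come down to the same query over captured sessions. Below is an added example in Python; it is not RSA Security Analytics code and not the procedure Recruit Technologies built. The session records are constructed stand-ins for the metadata and reassembled request bodies a full-packet-capture store would return, and the web-shell strings in them are constructed too.

```python
"""Trace back before an IDS alert in captured HTTP sessions and inspect POST
bodies for server-side backdoor (web shell) traffic.

Added example in Python; not RSA Security Analytics code and not Recruit
Technologies' procedure. The session records stand in for the metadata and
reassembled payloads a full-packet-capture store returns and are constructed
for this example, including the web-shell strings.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sessions, oldest first. The capture ring holds traffic from
# before the sensor fired, which is what makes the look-back possible.
# Bodies are form-encoded as they would be on the wire.
SESSIONS = [
    {"ts": "2015-10-01T09:58:40", "src": "203.0.113.5", "method": "GET",
     "path": "/item?id=1", "body": ""},
    {"ts": "2015-10-01T09:59:10", "src": "203.0.113.5", "method": "GET",
     "path": "/item?id=1%27%20OR%201%3D1--", "body": ""},
    {"ts": "2015-10-01T09:59:30", "src": "203.0.113.5", "method": "POST",
     "path": "/upload.php", "body": "file=%3C%3Fphp+eval%28%24_POST%5B%27c%27%5D%29%3B+%3F%3E"},
    {"ts": "2015-10-01T10:00:01", "src": "203.0.113.5", "method": "GET",   # the request the IDS alerted on
     "path": "/item?id=2%20UNION%20SELECT%20user%2Cpass%20FROM%20users", "body": ""},
    {"ts": "2015-10-01T10:00:30", "src": "203.0.113.5", "method": "POST",
     "path": "/uploads/x.php", "body": "c=system%28%27id%27%29%3B"},
    {"ts": "2015-10-01T10:00:35", "src": "198.51.100.7", "method": "POST",
     "path": "/login", "body": "user=alice&pass=hunter2"},
    {"ts": "2015-10-01T10:01:00", "src": "203.0.113.5", "method": "POST",
     "path": "/uploads/x.php", "body": "cmd=cat+%2Fetc%2Fpasswd"},
]

# Indicators of a web shell being dropped or driven through a POST body.
BACKDOOR_INDICATORS = [
    ("php-tag", re.compile(r"<\?php", re.I)),
    ("code-exec", re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)),
    ("encoded-payload", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("shell-command", re.compile(r"(?:^|[&=])(?:id|whoami|uname|cat|ls|wget|curl)\b")),
]


def backdoor_indicators(body):
    """Names of the indicators present in a POST body after form-decoding (empty if clean)."""
    decoded = unquote_plus(body)
    return [name for name, rx in BACKDOOR_INDICATORS if rx.search(decoded)]


def lookback(sessions, alert_ts, src, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """The same source's sessions from `before` the alert until `after` it, oldest first."""
    t0 = datetime.fromisoformat(alert_ts)
    return sorted((s for s in sessions
                   if s["src"] == src
                   and t0 - before <= datetime.fromisoformat(s["ts"]) <= t0 + after),
                  key=lambda s: s["ts"])


def investigate(sessions, alert_ts, src):
    """What an analyst wants when the sensor fires: the source's timeline around the
    alert, when it was first seen, and every POST carrying backdoor traffic."""
    window = lookback(sessions, alert_ts, src)
    hits = []
    for s in window:
        if s["method"] == "POST":
            found = backdoor_indicators(s["body"])
            if found:
                hits.append({"ts": s["ts"], "path": s["path"], "indicators": found})
    return {
        "first_seen": window[0]["ts"] if window else None,
        "timeline": [(s["ts"], s["method"], s["path"]) for s in window],
        "backdoor_hits": hits,
    }
```

Run against the constructed sessions, the look-back shows that the source had already uploaded a PHP web shell thirty seconds before the UNION SELECT the sensor caught, and drove it afterwards; none of that is visible from the single alert. The indicator list is deliberately small and string-based; in a real deployment it is the parser/metadata layer of the capture system that does this matching, and the regexes are where false positives get tuned.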

API to Improve Searchability

■ Automatic acquisition of packet data using the API
■ Opens the way for more effective monitoring and incident analysis
■ Correlation analysis with other logs can be used to seek new threats
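One correlation this enables, and the one the office-environment challenges above ask for, is to take a C2 detection from the sandbox and answer "data leak or not" from the capture's session metadata. The following is an added example in Python; it is not RSA Security Analytics code and not the correlation Recruit Technologies built. The sandbox alert and the session metadata records (source, destination, host name, bytes each way) are constructed for this example; in a real deployment the metadata would be pulled through the capture system's API rather than embedded.

```python
"""Assess the impact of C2 communication flagged by the sandbox by correlating it
with session metadata from the network capture.

Added example in Python; not RSA Security Analytics code and not the
correlation Recruit Technologies built. The alert and the session metadata
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sandbox detection: one office host seen talking to a C2 server.
SANDBOX_ALERTS = [
    {"ts": "2015-10-01T11:00:00", "host": "10.1.1.23",
     "c2_domain": "update-check.example.net", "c2_ip": "192.0.2.55"},
]

# Constructed session metadata: src, dst, HTTP Host (or SNI), bytes each way.
SESSION_META = [
    {"ts": "2015-10-01T10:20:00", "src": "10.1.1.40", "dst": "192.0.2.55",
     "host": "update-check.example.net", "bytes_out": 700, "bytes_in": 1200},
    {"ts": "2015-10-01T10:25:00", "src": "10.1.1.40", "dst": "192.0.2.55",
     "host": "update-check.example.net", "bytes_out": 650, "bytes_in": 300},
    {"ts": "2015-10-01T10:58:00", "src": "10.1.1.23", "dst": "198.51.100.20",
     "host": "www.example.com", "bytes_out": 300, "bytes_in": 48000},
    {"ts": "2015-10-01T11:00:00", "src": "10.1.1.23", "dst": "192.0.2.55",
     "host": "update-check.example.net", "bytes_out": 900, "bytes_in": 1100},
    {"ts": "2015-10-01T11:05:00", "src": "10.1.1.23", "dst": "192.0.2.55",
     "host": "update-check.example.net", "bytes_out": 48_000_000, "bytes_in": 500},
]


def assess_c2_impact(alerts, sessions, exfil_threshold=10_000_000):
    """For every internal host that reached an alerted C2 endpoint (matched by
    destination IP or by host name, since C2 servers move between the two),
    summarise the contact and decide whether the outbound volume looks like data
    leaving rather than beaconing. Also records whether the host was already
    talking to the C2 before the sandbox alert: such hosts stay invisible to the
    sandbox alone and only the capture history reveals them.

    The report is keyed by internal host; with several alerts for the same host
    the last one wins, which is enough for this example."""
    report = {}
    for alert in alerts:
        alert_ts = datetime.fromisoformat(alert["ts"])
        related = [s for s in sessions
                   if s["dst"] == alert["c2_ip"] or s["host"] == alert["c2_domain"]]
        per_host = defaultdict(list)
        for s in related:
            per_host[s["src"]].append(s)
        for host, sess in per_host.items():
            sess.sort(key=lambda s: s["ts"])
            bytes_out = sum(s["bytes_out"] for s in sess)
            report[host] = {
                "c2": alert["c2_domain"],
                "sessions": len(sess),
                "bytes_out": bytes_out,
                "first_seen": sess[0]["ts"],
                "last_seen": sess[-1]["ts"],
                "seen_before_alert": datetime.fromisoformat(sess[0]["ts"]) < alert_ts,
                "verdict": "possible data leak" if bytes_out >= exfil_threshold else "beacon only",
            }
    return report
```

The byte threshold is a crude proxy for exfiltration and should be tuned per environment; the more useful output is the second host, which the sandbox never alerted on but which the capture shows beaconing to the same C2 forty minutes earlier.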

Additional Benefits

Compromised Sites Detection
• Recruit Technologies was thanked for discovering that other companies' sites had been compromised

Facing Difficulty: Preparing for H/W Failure

Lack of Replacement Procedure
• DAC (HD) double failure in FY2015
• Long recovery time, during which no capture was possible, causes major damage
• Failures are unavoidable
• The key issue is being prepared to deal with them

Built Recovery Process
• Worked with EMC and maintenance service company TechMatrix to strengthen the maintenance framework
• Both sides gained more SA knowledge
• Fortunately, there have been no similar failures since

Voice from Engineer

・ Documentation is posted on a public site with no user restrictions.
・ There is a Japanese version of the documentation.
・ Being able to display communications data on the analyzer GUI makes it very operator-friendly
  → Differs from FE-PX in this regard (FE-PX data must be downloaded and manually analyzed, so it is better suited to experts)
・ Metadata for the various types of field information can be easily overviewed (IP, PORT, URL, etc.)
・ Can be linked with other API functions

・ The portrait view is hard to work with, requiring a scroll-down each time
・ The parser is different and hard to customize. Make it easier to customize by, for example, using an SPL like Splunk's?
・ The pcap output file name is always InvestigationExtraction.pcap, so each file has to be renamed for operation. Link the time and filter content to the file name with an underscore to reduce the operating burden?
・ Lack of product maturity in the Customer Support team. We sometimes see immature responses from them. Improve with us!
・ Because Web GUI items cannot be copied and pasted, transferring settings, etc., requires writing them all out by hand, where it is easy to make mistakes.
・ There are many strange specs compared to other devices: SNMP polling during the snmpd start-up process results in the loss of the MIB, etc.
・ There is no detailed specification/setting documentation… Hope we could have it soon.

Summary and Wish List

Summary
• Network forensics reduces the time needed to investigate advanced threats.
• Once a procedure is established, SA is not only for highly skilled people; it is also useful for analysts.
• As an invaluable tool, we would like to see greater device reliability and maintenance skills
• Minor changes are also effective in boosting productivity

Wish List
• Cloud, Cloud, Cloud!
• Please release a Cloud version as soon as possible
• I ask RSA to collaborate with AWS more!

Thank you

Contact Information:
Email: [email protected]
Fb: https://www.facebook.com/yumiko.matsubara.58
Recruit Technologies