NEC's approach to the threat of cyber attack and points of security incident response

30th January 2017

NEC Corporation


Table of Contents

1. NEC’s Activity for Safer-City

2. NEC’s Cyber Security Solution

- Cyber Training / Cyber Range

- Security Operation Center Development

- Operation supporting of SOC

3. Collaboration with Global scope


1. NEC’s Activity for Safer-City


5 © NEC Corporation 2017 CICC2017 Cambodia

Profile

Leading Social Value Innovator

Provides telecommunications, IT and Enterprise business solutions

More than 100,000 employees worldwide

USD 25.2 billion net sales

217 consolidated subsidiaries

Headquarters: Tokyo, Japan

117 years of brand success

World's Top 100 Most Innovative Organizations

Fortune Global 500 company

Nobuhiro Endo (Chairman of the Board)

Takashi Niino (CEO, President)


NEC’s Widespread ICT Solutions for social infrastructures

NEC’s focus area: Cybersecurity, Cloud, Big data, SDN

NEC ICT supporting social infrastructure and systems

Social infrastructure sites: Seafloor, Airports, Ports, Factories, Rail, Roads, Banks, Companies, Broadcasting towers, Broadcasters, Important facilities, Hospital, Government, Communications, Retail stores, Energy, Dams/Water supply, Space, Fire departments, Distribution centers, Post offices

Systems: Seafloor optical cables, Seafloor seismographs, Air traffic control, Fingerprint recognition, Bank ATMs, Diverse business systems, Digital TV transmission, TV studios, Electronic records, Electronic government, Water management, Leak detection, POS, Harbor surveillance, Underwater surveillance, Production management, Factory management, Rail communications, Traffic management, Facility surveillance, Logistics, Firefighting systems, Communications systems, Smart energy, Satellite communications / Earth observation, Post sorting machines

Technologies:

• Next-generation network technologies

• High-performance, high-reliability core IT technologies

• Diverse sensor and human interface technologies

Responsible BU: Telecom carriers, Public, Enterprise, Smart Energy


NEC’s approach for Cyber Security Solution Development

▌NEC has launched a professional cyber security organization and started to strengthen its solutions based on recent changes in security needs.

▌NEC established the professional organization “Global Safety Division” in Singapore (April 2013).

Organization chart labels:

• NEC driving force: Cyber Security Strategy Division, National Security Solutions Division, Global Safety Division, NEC APAC, NEC’s other divisions, strategic partners, subsidiaries

• Strategy

• Achievements in monitoring of operations for central government agencies

• Solution Development, System Integration

• Global customers: Government, Military, Telecom, Police, Banking, Energy


Tokyo Cyber Security Factory Overview

▌NEC provides a security incident monitoring system, operation support and training services based on its security operation know-how.

Top level white hackers group. NEC acquired 100% shares from Itochu Corp. in 2013.

Infosec Corporation

Cyber Defense Institute

National Security Solutions Division

High level security operation company. NEC acquired 60% stake from Mitsubishi Corp. in 2014.

- Managed Security Service
- SOC System Integration
- Penetration Testing

- Cyber System Integration (Design & Implementation)

Many supply records regarding cyber security system to national security agencies over three decades.

- Penetration Testing
- Malware Analysis
- High level intelligence through rich experience of incident response


NEC’s Cyber Security Factory

▌NEC started the operation of “Cyber Security Factory” on June 2, 2014. The factory is operated by 50 specialists. In cooperation with security companies, top-level technical resources and knowledge are assembled in Cyber Security Factory.

Functions: Cyber Training, Cyber Intelligence, Human Asset Development, Technology Development, Cyber Security Operations


Tokyo Cyber Security Factory Overview

▌NEC established the NEC Security Operation Center in June 2014 to accumulate incident response and malware analysis expertise in cooperation with Japanese specialized security companies.

Cyber Security Factory: Cyber Security Operation, Cyber Range, Cyber Intelligence, Technology Development, Human Asset Development

• Active Cyber Defense Direction Center

• Security log monitoring

• Incident response instructions

• Base of cyber exercise and training

• Utilizing operation tools

• Emergency Response

• Digital forensics

• Products evaluation


Singapore Cyber Security Factory Overview

Professional Services

Managed Security Service

Security As A Service


2. NEC’s Cyber Security Solution


Trend of cyber attack

▌The mainstream has expanded from conventional “visible” attacks (DDoS attacks, etc.) to sophisticated attacks targeting the vulnerabilities of a specific system.

▌The damage that has been confirmed is part of the total. Sophisticated attacks make it impossible to recognize the real circumstances.

[Chart: attack types by year, 2010 to 2016: DoS/DDoS, SPAM E-Mail, Virus/Malware Infection, Website Defacement, Targeted Attack, Internal Information leakage, APT]

Issues to be addressed:

• Lack of systematic response

• Attacks are invisible

• Lack of information

• Shortage of personnel


Changing cyber attacks

▌Professional cyber crime groups have appeared

▌Cyber crimes are getting more atrocious, and cyber security is considered a social challenge

2000: Amateur period (individual crime for pleasure)

• Diffusion of worms and viruses (Nimda, Code Red)

2005-2015: Crimes getting organized and globalized

• Sophisticated methods (targeted attack, 0-day attack, etc.)

• Cyber terrorism (e.g. attack aimed at nuclear facility in Iraq)

• Black market for buying and selling vulnerability information and/or attack codes (hundreds of billions of yen business)

2020 Tokyo Olympic

• London Olympic official website has been attacked two hundred million times

• Government said Tokyo Olympic in 2020 might be attacked thousand times more than London Olympic

Damages: 160 million yen/information leaking (assumed damages in 2013, 72% increase over the previous year)

(Ref. NISC “Regarding enhancement of cyber security framework” Oct. 2014)

Era of cyber war


Recent incidents and used vulnerabilities in JPN

▌Attacks exploiting vulnerabilities have occurred; ignoring vulnerabilities causes an enterprise crisis

Periods: 2002~
Business type: Any
Outline of incidents: Since 2002, targeted cyber attacks have been recognized, and they attack all business types. In 2011, confidential information leaking occurred at a heavy industrial company M.
Used vulnerabilities: Vulnerabilities of Adobe Reader/Acrobat, and so on.
Impacts:
• Reported cyber incidents in 2013 are about 27,850 cases
• Since 2011, annual increase rate is 100%

Periods: 2011
Business type: Information
Outline of incidents: Illegal access to Internet delivery services. Customer information: 77,000,000 and credit card information: 10,000,000 are possibly leaked.
Used vulnerabilities: Non-disclosure (considered known server vulnerability)
Impacts:
• Reported globally
• 14 billion yen expenditure for backward incidence and customers

Periods: 2013~
Business type: Financial
Outline of incidents: Malicious code was buried on an online banking website to make users perform illegal money transfers.
Used vulnerabilities: Site side: Non-disclosure. User side: IE vulnerability
Impacts:
• Domestic illegal money transfer occurred in 2014
  - Cases: 1,876
  - Damage: about 3 billion yen

Periods: 2014
Business type: Financial
Outline of incidents: Illegal access to the members' Web site. About 900 members' information may have been viewed illegally.
Used vulnerabilities: OpenSSL
Impacts:
・Reported nationwide

Periods: Ref. (2014)
Business type: Government office
Outline of incidents: Found high risk vulnerabilities on Web site. Voluntarily stopped servicing.
Used vulnerabilities: Apache Struts
Impacts:
・Voluntarily stopped servicing until security measures are completed.


Our continuous support for Customer

1. Training: Skill development for operators and analysts

2. Security Operation Center: Support of development of SOC

3. Operation: Support of operation with our know-how

Development of operation team and support of the operation process

• Expansion of practical exercises scenario

• Training and exercise of free scenario (Cyber range)


NEC’s Cyber Security Training Service menu

[Course matrix; the labels below are what survives from the chart]

Areas: Security Basic, ICT Basic, Application Basic, Network Security Equipment Operation, Incident Response, Hacking, Hacking Technology, Internet Security Technology (Training), Cyber Exercises

Courses:

• Implementation and operation of Firewall

• Implementation and operation of DDoS Detector

• Implementation and operation of IDS

• OS/Network operation and management

• Network Protocol

• Software Programming/DB Access

• Secure Web Server Development

• Malware analysis

• Web Application/Network Hacking

• Security Assessment

• Mobile Device Hacking

• APT countermeasure

• Network/Computer Forensics

• Incident Response

• Incident Handling

Target roles marked on the courses: Operator Response, Analyst Response, Analyst Operator Response


Cyber exercise training program “CYDER”

▌NEC's cyber exercise is based on the public and private sectors collaboration practice and platform in Japan.

▌Response to the latest cyber attacks: providing scenario contents that follow the procedure of an actual response.

• Select from the several types of pre-order attack scenarios.

• Experience the appropriate response, in addition to understanding the latest attack methods.

▌Providing the original step-up program

• Based on the trainee's skill and the purpose of the exercise, select the menu of "Advanced course for analyst" and "Basic course for engineer".

• The results of evaluation checklists diagnose each trainee's skill.

▌Supporting the procedures needed for actual incident response.

• Trainees experience the most suitable response under the direct support of the tutor.


The activity of Cyber Security Response Training

▌NEC joined the Japanese Ministry of Internal Affairs and Communications’ project "CYber Defense Exercise with Recurrence (CYDER)", cooperating with government, industry and academia, to train security operators and analysts in Japan.

▌This Cyber Exercise provides government and industry IT administrators with Cyber Security Training.

Objectives: Personnel training of highly integrated Information System administrator

Period: From July, 2013 to June, 2016

Details:

• Teams of 2-4 people

• Experience Targeted Attacks under Simulated large networks

• 2 day training (Lectures on first day morning, the rest is exercise)

Practice Scene


The activity of Cyber Security Response Training

▌Providing the Thailand CERT officials with a cyber exercise program that is based on the actual response procedure.

Based on the exercise program case in Japan, a set combining a grasp of the latest developments with actual exercises

Objectives: Personnel training of middle skill assert analysts and operator and government system administrator. 2 teams of 4 people

Period: From 23 to 27 November, 2015

Practice Scene

Content (Draft)

Preparation of training environment

Team 1

• 1st day: Exercise 1: Orientation for Trainee and Practice against APT

• 2nd day: Exercise 2: Practice & Exercise Reviews

Team 2

• 1st day: Exercise 1: Orientation for Trainee and Practice against APT

• 2nd day: Exercise 2: Practice & Exercise Reviews


The activity of Cyber Security Response Training

▌ Provide a platform for participants to hone their skills and knowledge in a safe and controlled environment as part of continued education and awareness

▌ Simulate latest attack scenarios, techniques and threat vectors to keep the officers updated of the latest cyber-security trends

▌ Increase the level of awareness and competency of the participants in their broader effort to protect the IT systems against cyber-attacks via hands-on exercises

Singapore Government Tender awarded: January 2014

• Scope of Project:

  • Provision of CR

  • Provision of training syllabus and contents

  • Conduct of Instructor-led training sessions

  • 5 year comprehensive maintenance


NEC’s Cyber Security Solution Concept

▌Considering the evolution of cyber attacks:

• Realize a hierarchical mechanism of threat mitigation by prevention and protection.

• Realize incident management focusing on system monitoring and response.

Diagram labels:

• Threat mitigation mechanism

• System monitoring and response

• Observe, Orient, Decide, Action

• Cracker, Internet, Network, Security Management

• Critical infrastructure, Government / Enterprise

• Operation data (System Log)

• Cyber Security Factory, Senior Analyst

• Offer service・Consulting・Education


NEC’s Cyber Security Solutions

▌Overall cyber security support services are provided end-to-end, from installation through operation monitoring to emergency response, 24/7.

Comprehensive Cyber Security Support Services

Step 1: Installation Services

• Security consulting

• Vulnerability assessment

• Penetration testing

• Security system implementation

Step 2: Operation Monitoring

• Security log monitoring

• Network packet monitoring & analysis

• Web based malware detection

• Events unified helpdesk

Step 3: Periodic Inspection

• Security Operations Management

Step 4: Emergency Response

• Immediate on-site service against cyber incident

Step 5: Detailed Analysis / Incident Recovery

• PC forensic analysis

• Network forensic analysis

• Malware analysis

Step 6: Improvement Support

• Improvement support


Solution category for targeted attack protection

▌NEC provides four types of counter-measures against targeted attacks.

① Entry counter-measure: to prevent access to the internal system.

② Exit counter-measure: to protect against exploitation of internal data files.

③ Counter-measure against information leaks: to prevent browsing of information.

④ Status visualization: visualize the ongoing system operations to detect and remove the malware.

Components shown in the diagram:

• File Encryption

• Right Management

• Malware visualization agent

• Access enclosure

• Targeted attack analysis

• Data WareHouse appliance

• Targeted e-Mail attack detection sensor


Security Consultancy/Professional Services

Provide security audit services

Provide network and system vulnerability scanning

Provide web application vulnerability scanning

Provide gap analysis and reports

Provide penetration testing services

Recommend mitigation measures

Use Cases

Utilities, Singapore

• Tender awarded: November 2013

• Scope of project: security audit, network and application vulnerability scanning, gap analysis, reports

Welfare Group, Singapore

• Tender awarded: January 2014

• Scope of project: network and application vulnerability scanning, gap analysis, penetration testing, reports


Overview of NEC’s Security Operation Center Solution

▌NEC provides a high-level environment for analyzing threats, based on its system integration experience with Japanese government agencies.

• Constantly monitoring the network of each organization unit, the firewall and the internal network with security sensors.

• Constantly monitoring the state of the software and the patches applied on personal computers and servers.

• Minimizing damage through threat analysis of various security management and incident information.

Diagram labels:

• Agency A, Agency B, Agency n; Department a, Department b, Department n

• FW/IDS, Malware/Virus Detection, Security Asset Management, Log Management Server

• Internet, Wide area Network/VPN, Alert/Logs

• Security Operation Center: Network Gateway, Security Log Collecting Server, Threat Analysis Server, Operator (Event Management), Analyst, Collecting Concerned Info.


Enforcement of Intelligence

▌Collect “Regional Intelligence” by collaborating with SNS and domestic intelligence vendors and other partners

Diagram labels:

• Customer NW: Firewall, Endpoint, IDS/IPS, Internet, VPN

• Cyber Security Factory (NEC SOC): Analysts, Collect・Analysis server, Collect / Analysis, Deep Analysis, Know-how / Proactive Intelligence

• Cyber Intelligence, Global Intelligence, Regional Intelligence

• Intelligence items: Web reputation, File reputation, IP reputation, vulnerability info, Malware information, Criminal information, etc.

• Domestic Partners

• NEC Internal knowledge: NEC-CSIRT, NEC Group company

• Collaboration with Uni & Gov: JC3, Telecom-ISAC Japan, JPCERT/CC, etc.

SNS Monitoring and Analysis

Monitor SNS and analyze rapidly increasing keywords with NEC's original engine in order to recognize attack trends as early as possible


Cyber Intelligence support service

▌Intelligence contributes to SOC operation enhancement in order to detect cyber threats.

• NEC can provide both its private intelligence (obtained through SOC operations in Japan) and third party intelligence (worldwide collective knowledge).

• In addition, a process to collect regional intelligence will be essential.

Diagram labels:

• Sensor Devices: IPS/IDS, Firewall, Other Sensors

• Logs

• SIEM (Correlation)

• SOC Intelligence: Vendor Intelligence (Vendor Signatures), Custom Signatures, Blacklist, Analytic Rules

• NEC Group (Private) Intelligence

• Third Party (Public) Intelligence

• Regional Intelligence: To be prepared and maintained


Planning and implementing measures (Planning remediation and supporting implementation)

▌Working with security intelligence and offering remediation for PCs and servers with vulnerabilities

▌Providing remediation when a patch cannot be applied immediately, and supporting the introduction and implementation of feasible security management

Security intelligence:

• Vulnerability information: JPCert, Microsoft, Adobe, Redhat, Open source, etc.

• NEC know-how: investigation method of vulnerability, script to investigate, etc.

Customer’s environment: Manager server, Agents (PC001, Server001, Server002), vulnerable device, security administrator

1. Downloading the latest intelligence information

2. Security administrator checks the offered remediation based on risk analysis and orders its implementation

<Examples of remediation>

• Applying patches forcibly (including rebooting servers)

• Communication limitation (quarantine, port limitation)

• Changing Operating System policies (e.g. changing firewall settings, etc.)

• Uninstalling middleware


Risk analysis (On demand investigation in emergencies)

▌NEC rapidly collects visible vulnerability information and delivers it to customers

• Automatically investigating the presence of vulnerabilities based on the delivered vulnerability information

• Security administrators rapidly know the machines in which vulnerabilities remain.

Security intelligence:

• Vulnerability information: JPCert, Microsoft, Adobe, Redhat, Open source, etc.

• NEC know-how: investigation method of vulnerability, script to investigate, etc.

Customer’s environment: Manager server, Agents (Client PC, Windows Server, Linux Server*1)

1. Downloading the latest intelligence information.

2. Delivering the investigation method, including intelligence, to Agents. Investigating the presence of vulnerabilities on demand.

3. Counting vulnerabilities with the manager server. Visualizing the risk situation.

*1: Linux is scheduled to be supported from a minor version upgrade in FY2015.

Investigation in details: vulnerable application, vulnerable settings, vulnerable DDL

Tools of asset management or vulnerability audit can not identify


3. Collaboration with Global scope


Strengthen the Cyber Intelligence Collaboration

JC3: Academic, Police, Industrial (security related), Industrial (end-user)

Control System Security Center (CSSC)

Participation in a public/private project led by the Japan Ministry of Economy, Trade and Industry. Activity to secure critical infrastructure and control systems. (November 2013)

Japan Cybercrime Control Center (JC3)

Japanese version of the US-led National Cyber-Forensics & Training Alliance (NC-FTA). Public/private sectors and academia join forces to neutralize cyber threats and crimes.

NEC Executive VP is the JC3 Representative Director. NEC leads this effort. (Established/Joined November, 2014)

Collaboration with Cyber Attack information service companies

Collaboration with the Cyber Attack Information Service company “Norse” in order to reinforce proactive cyber security focusing on information and speed. (December 2014)


Partnership and Collaboration with INTERPOL

▌INTERPOL and NEC signed partnership agreement to enhance Global Cyber Security.

The INTERPOL Digital Crime Centre is the driving force of the IGCI. Its activities cover a wide range of areas essential to the assistance of national authorities: cybercrime investigation support, research and development in the area of digital crime, and digital security.

NEC has delivered a digital forensic platform and various other technical resources to help INTERPOL establish the new center.


INTERPOL Project Overview

NEC provision to support Interpol with technical and human resources at Interpol Global Complex for Innovation (IGCI) in Singapore

Interpol Global Complex for Innovation (IGCI)

1. Capacity Building and Training

・Web Application Hacking

・Network Hacking

・Basic Incident Handling

2. Digital Forensic Lab

3. Cyber Fusion Centre

・Collection of information

・Real-time network monitoring

・Information Sharing
