Yumiko Matsubara presented on why Recruit Technologies chose RSA Security Analytics for network visibility. They were facing challenges with slow investigation speeds and a lack of network context in their previous security tools. A proof of concept found RSA SA provided superior searchability, performance, and cost over other products. RSA SA has since helped accelerate incident response and investigations. While generally satisfied, Recruit Technologies hopes to see improvements in reliability, customization options, and the release of a cloud version of RSA SA.
Why we decided on RSA Security Analytics for network visibility
1. Why we decided on RSA Security Analytics for network visibility
Yumiko Matsubara
Manager, Security Architecture Group
Cyber Security Consulting Department
Recruit Technologies Co., Ltd.
2. Bio
Yumiko Matsubara
• Planning, building and operating IT in Recruit Technologies' Internal IT Department
• As of 2013, planning and building security solutions
I like: Golf, motorbikes and wine
3. Agenda
• Company Info
• Organization Structure for Security
• Turning Point Issue and Related Incident
• Facing Challenges
• POC
• Security Analytics Usage for Speeding Up Decisions
• Additional Benefits
• Facing Difficulty: Preparing for H/W Failure
• Voice from Engineer
• Summary and Wish List
6.
Sales: JPY 1.299 tr.
EBITDA: JPY 191.4 bn.
Websites: 200
Mobile applications: 350
7. BUSINESS MODEL
Delivering Value to Clients and Users by Making Life Easier and More Fulfilling through Optimized Matching
Matching platform: Consumers (USER) and Enterprise (CLIENT)
Clients compensate Recruit for linking them to customers.
8. BUSINESS MODEL
Life event area: Job Hunt, Marriage, Job Change, Home Purchase, Car Purchase, Child Birth, Education
Lifestyle area: Travel, IT/Trend, Lifestyle, Health & Beauty
Information services that support choice
11. Strategic IT Company
Functions: Infrastructure/Security, Project Management, UXD/SEO, Internet Marketing, Big Data Solutions, Technology R&D, Systems Development
Recruit Holdings group
- Business/Service: Recruit Career, Recruit Sumai Company, Recruit Lifestyle, Recruit Jobs, Recruit Staffing, Recruit Marketing Partners, Staff Service Holdings
- Function/Support: Recruit Technologies, Recruit Administration, Recruit Communications
14. Security Org Structure in Recruit Technologies
Groups: Strategy Group, Consulting Group, Security Architecture Group
- Testing and introduction of advanced security solutions, systems operation
- Implementation of overall rules governing security
- Review of security measures for new web development
SOC: Security Operation Center
IRG: Incident Response
QM: Quality Management
(Insourced from Recruit-CSIRT)
18. Our Implementation in the Past
• Commercial environment threat detection: mainly IDS and WAF, on a private cloud basis
(Diagram: attacks arriving from the Internet)
19. Our Implementation in the Past
• Office environment threat detection: Sandbox
In addition to the usual signature-type detection, a sandbox appliance is used.
(Diagram: traffic to and from the Internet)
20. Challenges on Commercial Environment
Commercial environment threat detection: IDS and WAF
• Detected a huge number of password list attacks and other attacks that exploit vulnerabilities
• Tons of application attack alerts (including false positives)
- Needed to determine the severity level based on the response code
- Needed to determine the impact after application log investigation
21. Challenges on Office Environment
Office environment threat detection: Sandbox
• Made C2 communication visible, with risks (including false positives)
- Needed to check the malware detection log
- Needed to test on Aguse and VirusTotal to identify malicious sites
- Needed to analyze malware manually
- Needed to do computer forensics in some cases
22. Needed to Accelerate Decision Speed
• Commercial environment threat detection: IDS and WAF
• Office environment threat detection: Sandbox
- No way of checking the impact of the detected communication (data leak or not) or whether an attack was successful
- Even if there was a way, investigations are time-consuming and expensive
- To ascertain these impacts, we wanted to record all communications and use them in our investigations
Examination of network forensic products launched
24. FY2014: POC Tests Run on Multiple Products
Environments: Commercial environment, Office environment
Products: RSA/SA, Product B
4 POC tests run on two products in two environments
SA selected for both environments for superior searchability, performance, and cost
Thanks for the good price, RSA!!
26. Easy Deep Investigations
• Traffic comes through a TAP
• SOC can determine whether escalation is necessary
• Monitoring Engineer can deep-investigate as part of the monitoring process
27. Easy Deep Investigations
• IR: Full packet capture investigation by analyst
The sensor log starts only after the sensor has raised the alarm.
SA traces back before that point, opening the way for full packet capture investigations.
28. Easy Deep Investigations
• Once an SQL injection has been detected by the sensor, a deep investigation is conducted using SA
• SA also detects server-side backdoors inside POST data.
29. API to Improve Searchability
• Automatic acquisition of packet data using the API
• Opens the way for more effective monitoring and incident analysis
• Correlation analysis with other logs can be used to seek new threats
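As an added illustration of the triage described on slides 20, 27 and 29 (this is not code from the presentation or from RSA; the record fields and the sample alerts and sessions are constructed assumptions), the Python below joins a sensor alarm with session metadata pulled from a full-packet-capture store, traces back to what the same client did before the alarm, and ranks the alarm by the server's response code:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Field names are assumptions, not the product's schema: a Session is one HTTP
# session reconstructed from the capture store; an Alert is one sensor alarm.
Session = namedtuple("Session", "ts src_ip dst_ip url status")  # status = HTTP response code
Alert = namedtuple("Alert", "ts src_ip dst_ip rule")

# Constructed sample data, not real traffic: the sensor fires on the third
# session, but the capture store also holds what that client did beforehand.
SESSIONS = [
    Session(datetime(2015, 6, 1, 9, 59, 50), "203.0.113.7", "198.51.100.10", "/login", 200),
    Session(datetime(2015, 6, 1, 9, 59, 55), "203.0.113.7", "198.51.100.10", "/item?id=1'--", 500),
    Session(datetime(2015, 6, 1, 10, 0, 0), "203.0.113.7", "198.51.100.10", "/item?id=1' OR 1=1", 200),
    Session(datetime(2015, 6, 1, 10, 0, 1), "203.0.113.9", "198.51.100.10", "/", 403),
]
ALERTS = [
    Alert(datetime(2015, 6, 1, 10, 0, 0), "203.0.113.7", "198.51.100.10", "SQL injection"),
    Alert(datetime(2015, 6, 1, 10, 0, 1), "203.0.113.9", "198.51.100.10", "Scanner"),
    Alert(datetime(2015, 6, 1, 12, 0, 0), "203.0.113.7", "198.51.100.10", "SQL injection"),
]

def trace_back(alert, sessions, lookback=timedelta(minutes=5)):
    """Sessions between the same client and server in the window ending at the alarm,
    i.e. what the sensor log alone cannot show because it starts at the alarm."""
    return [s for s in sessions
            if s.src_ip == alert.src_ip and s.dst_ip == alert.dst_ip
            and alert.ts - lookback <= s.ts <= alert.ts]

def severity(alert, sessions):
    """Rank by the response to the request the sensor fired on: 2xx = served
    (confirm impact in the application log), 5xx = reached the application
    but errored, anything else = rejected at the edge. Returns (level, window)."""
    window = trace_back(alert, sessions)
    if not window:
        return "no-capture", []  # capture gap, e.g. during a storage failure
    fired = [s for s in window if s.ts == alert.ts] or window
    classes = {s.status // 100 for s in fired}
    level = "high" if 2 in classes else "medium" if 5 in classes else "low"
    return level, window

if __name__ == "__main__":
    for a in ALERTS:
        level, window = severity(a, SESSIONS)
        print(a.rule, a.src_ip, level, [s.url for s in window])
```

The third constructed alert shows the failure mode from slide 33: when the capture store has no sessions for the window, the alert is flagged "no-capture" rather than silently ranked low.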
33. Lack of Replacement Procedure
• DAC (HD) double failure in FY2015
• Long recovery time, during which no capture was possible, causes major damage
• Failures are unavoidable
• The key issue is being prepared to deal with them
34. Built Recovering Process
• Worked with EMC and maintenance service company TechMatrix to strengthen the maintenance frame
• Both sides gained more SA knowledge
• Fortunately, there have been no similar failures since
36.
• Documentation is posted on a public site with no user restrictions.
• There is a Japanese version of the documentation.
• Being able to display communications data on the analyzer GUI makes it very operator-friendly
- Differs from FE-PX in this regard (FE-PX output must be downloaded and manually analyzed, so it is better suited to experts)
• Metadata for the various types of field information can be easily overviewed (IP, PORT, URL, etc.)
• Can be linked with other API functions
37.
• The portrait view is hard to work with, requiring a scroll-down each time
• The parser is different and hard to customize. Make it easier to customize by, for example, using an SPL like Splunk?
• The pcap output file name is always InvestigationExtraction.pcap, so each file has to be renamed for operation. Link the time and filter content to the file name with an underscore to reduce the operating burden?
38.
• Lack of product maturity in the Customer Support team. We sometimes see immature responses from them. Improve with us!
• Because Web GUI items cannot be copied and pasted, transferring settings, etc., requires writing them all out by hand, where it is easy to make mistakes.
• There are many strange specs compared to other devices. SNMP polling during the snmpd start-up process results in the loss of the MIB, etc.
• There is no detailed specification/setting documentation... Hope we could have it soon.
40. Summary
• Network forensics reduces the time to investigate advanced threats.
• Once a procedure is established, SA is not only for highly skilled people.
• It is also useful for analysts
• As an invaluable tool, we would like to see greater device reliability and maintenance skills
• Minor changes are also effective in boosting productivity
41. Wish List
• Cloud, Cloud, Cloud!
• Please release a Cloud version as soon as possible
• I ask RSA to collaborate w/ AWS more!