
Insights from Japan: The Role of Naoshi Matsushita in NRI Secure's Management of Global Cybersecurity Threats

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The presentation "CSN24: Managing Global CyberSecurity Threats: Insights from Japan" by Naoshi Matsushita of NRI Secure Technologies, Ltd., discussed cybersecurity trends and challenges in Japan, particularly focusing on managed security services and the ArcSight solution for managing cyber threats. Key findings included network layer threats like Conficker and SQL Slammer, SMTP spam reduction due to botnet takedowns, and web application vulnerabilities through IDS/IPS and WAF devices. The presentation also highlighted geographical-specific challenges such as attacks targeting critical infrastructure via SCADA manipulations and the effectiveness of NRI's ArcSight solution in managing over 80 million events daily across various customer networks.

Details:

The presentation titled "CSN24: Managing Global CyberSecurity Threats: Insights from Japan" was delivered by Naoshi Matsushita of NRI Secure Technologies, Ltd., in September 2011. Its primary focus was cybersecurity trends and challenges within Japan, along with an introduction to the company's ArcSight solution for managing global cyber threats.

**Introduction:**

  • **About NRI SecureTechnologies**: The company provides managed security services (MSS), such as firewall management, intrusion prevention system (IPS), antivirus (AV), and incident monitoring and response; security assessment services for platforms, web applications, and websites; and other security consulting solutions. They operate both on the Internet and within private networks (intranet).

  • **ArcSight Solution**: NRI Secure Technologies utilizes ArcSight Enterprise Security Manager (ESM) to manage approximately 80 million events daily across various customer networks including sensitive areas like online stock trading sites, online banking websites, corporate web sites, and e-commerce platforms. The solution includes an ArcSight Connector, Log Servers, and security devices such as firewalls, IDS, IPS, and WAF.

  • **ArcSight Dashboard**: This tool is used for incident analysis and response by visually picking up only important events from the vast amount of data received. Examples include traffic logs from/to blacklisted IP addresses and alerts related to web application vulnerabilities detected by IDS/IPS and WAF devices.

**Cyber Security Trends in Japan:**

  • The presentation highlighted specific trends and the challenges Japanese organizations face due to their geographical location and the increasing sophistication of cyber threats.

  • Japan has been facing a rise in attacks targeting critical infrastructure sectors such as utilities and transportation systems through manipulated SCADA (Supervisory Control And Data Acquisition) devices. These attacks pose significant risks including potential physical damage and safety hazards.

**Summary:** The presentation concluded with a Q&A session addressing various cybersecurity concerns and demonstrating the effectiveness of NRI Secure Technologies' ArcSight solution in managing global cyber threats, particularly in Japan, where organizations must grapple with both region-specific challenges and broader international threats.

This research focused on understanding cyber threats and vulnerabilities in Japanese organizations, examining various aspects including managed security services, security assessment services, and corporate system status. The study covered a period from April 1st, 2010 to March 31st, 2011 and identified several key threats originating from the internet:

  • **Network Layer Threats**: Worms like Conficker (active on tcp/udp 137, tcp 445) and SQL Slammer (on tcp 1433, tcp 1434) were still active. Additionally, RDP attacks on tcp 3389 could occur if WTS servers are mistakenly opened.

  • **SMTP Threats**: The study noted a decrease in spam emails due to botnet takedowns and the ineffectiveness of spam email businesses.

  • **Web Application Threats**: Most attacks were exploiting vulnerabilities in web applications, as indicated by IDS findings (95% of attacks were related to such vulnerabilities).
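
The triage described by the dashboard bullet and the network-layer bullet above, as an added example (not NRI's or ArcSight's own code): it flags events whose destination port is on this page's watch list or whose address is blacklisted. It assumes events arrive in ArcSight's CEF text format, which the page does not state; the log lines, vendor names and blacklist are constructed.

```python
import ipaddress
import re

# Ports this page lists for each network-layer threat (taken as stated in the summary).
WATCHED_PORTS = {
    ("tcp", 137): "Conficker", ("udp", 137): "Conficker", ("tcp", 445): "Conficker",
    ("tcp", 1433): "SQL Slammer", ("tcp", 1434): "SQL Slammer",
    ("tcp", 3389): "RDP",
}
# Constructed blacklist using a documentation range; not real indicators.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CEF events; the vendor and product names are placeholders.
SAMPLE_EVENTS = [
    "CEF:0|ExampleFW|fw|1.0|100|accept|3|src=198.51.100.7 dst=10.0.0.5 dpt=445 proto=TCP",
    "CEF:0|ExampleFW|fw|1.0|100|accept|3|src=10.0.0.8 dst=203.0.113.9 dpt=80 proto=TCP msg=GET /a?x\\=1",
    "CEF:0|ExampleFW|fw|1.0|100|accept|3|src=203.0.113.44 dst=10.0.0.6 dpt=3389 proto=TCP",
    "CEF:0|ExampleFW|fw|1.0|100|accept|3|src=10.0.0.9 dst=192.0.2.10 dpt=443 proto=TCP",
]
# A value runs until the next " key=" or end of line, so values may contain spaces.
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF record into header fields (name, severity) plus extension pairs."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = {"name": parts[5], "severity": parts[6]}
    event.update({k: v.replace("\\=", "=") for k, v in _EXT.findall(parts[7])})
    return event

def triage(line):
    """Return the reasons an event deserves a dashboard slot (empty list = drop)."""
    ev = parse_cef(line)
    dpt = ev.get("dpt", "")
    threat = WATCHED_PORTS.get((ev.get("proto", "").lower(), int(dpt) if dpt.isdigit() else -1))
    reasons = [f"port:{threat}"] if threat else []
    for field in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(ev.get(field, ""))
        except ValueError:
            continue  # missing or malformed address cannot match the blacklist
        if any(addr in net for net in BLACKLIST):
            reasons.append(f"blacklist:{field}")
    return reasons

def dashboard(lines):
    """Keep only flagged events, keyed by their position in the input."""
    return {i: r for i, line in enumerate(lines) if (r := triage(line))}
```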

These threats necessitate various security measures, including managed security services with features like e-mail gateways (anti-virus and anti-spam), proxy servers (URL-filtering and anti-virus), firewalls, and web application firewalls. The research highlights the ongoing importance of platform assessment for identifying vulnerable software versions susceptible to remote command execution and SQL injection.

The presentation also discusses cybersecurity trends in Japan as observed through corporate system status, specifically focusing on web applications. Key findings include:

1. **Web Application Firewall (WAF) and Intrusion Detection Systems (IDS):** WAF detected 39% of attacks aimed at illegal access to parameters, often attempting SQL injection. IDS picked up these attacks targeting specific websites.
2. **Decreasing Risk Levels:** Over five years, the risk levels for websites showed a downward trend, with fewer instances of SQL injection (SQLI) and cross-site scripting (XSS) flaws being detected.
3. **Blind SQL Injection (BSQLI):** A significant portion of SQLI flaws in FY2010 were blind SQL injection attacks. This type of attack remains a concern, as its percentage has not significantly changed over the years.
4. **Malware and Intranet Threats:** There was an increase in malware detections on March 30-31, primarily due to the "LizaMoon" attack, which used SQL injection to spread malicious scripts across multiple websites. The attacks resulted in a high failure rate (85% failed attempts), indicating robust security measures were in place by that time.
5. **Protection Cycle:** The presentation describes a cycle of protection involving log analysis, identification of new trends and threats, deployment of new security devices to counter these threats, and continued monitoring to maintain security.

These findings highlight the evolving nature of web application vulnerabilities and the effectiveness of defense mechanisms against such threats in Japanese corporate environments.

The presentation also stresses the importance of incident monitoring and response, emphasizing that it is crucial to focus on only the most important events for analysis and visualization. This is particularly pertinent given the rise in malware detections through proxy servers and the spread of a new type of malware infecting numerous web sites. To combat this, an advanced web crawling and malware detection solution was deployed as a new security device. The goal is not only to detect these malware incidents but also to visualize them effectively.

Additionally, the document touches on several key findings about cybersecurity trends in Japan:

1. Servers are susceptible to internal attacks and continue to rely heavily on firewalls for protection.
2. Web applications still face SQL injection (SQLI) vulnerabilities that can be mitigated using web application firewalls (WAF).
3. A new type of malware has been identified, which not only infects websites but also spreads to users.

These insights underscore the ongoing challenges in cybersecurity and the proactive measures needed to address them effectively.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
