Visualizing an Internal System Environment that Was a Black Box

Secrets of Building an Environment that Can Detect Leakage of Sensitive Information

In recent years, information leakage countermeasures have become increasingly important. However, in many cases the logs needed for analysis are insufficient or are not analyzed properly, so that signs of leakage are missed. This article introduces an example in which NTT DATA supported countermeasures to detect the leakage of sensitive information from a customer environment. To address advanced cyber-attacks as well as internal misconduct, NTT DATA introduced SIEM/UEBA (Security Information and Event Management and User/Entity Behavior Analytics) and supported the construction of an environment capable of detecting information leakage and the removal of sensitive information, providing a comprehensive response from requirement definition to operation.

1. Increasing Importance of Information Leakage Countermeasures

In recent years, there have been frequent leaks of confidential information caused by advanced cyber-attacks and by employees removing confidential information, making information leakage countermeasures increasingly important. Detecting information leakage requires not only implementing advanced security measures but also collecting and analyzing the logs required for detection. However, in many cases the logs are insufficient or are not analyzed properly, so that information leakage goes undetected even though signs were present.
This article introduces an example of NTT DATA using its expertise to develop countermeasures for detecting the leakage of confidential information from customer environments and protecting these environments from advanced cyber-attacks. NTT DATA supports the construction of an environment capable of detecting information leakage and the removal of confidential information by providing a comprehensive response from requirement definition to operation.

2. Employee behavior that was a black box

A customer asked us to support security measures, including information leakage countermeasures. The customer's environment lacked unified security measures. Although AD (Active Directory) and IT asset management products had been introduced at some sites, accounts and terminals were not controlled at most sites, where management relied mainly on manually maintained ledgers. As a result, employee behavior was opaque, and internal improprieties were not adequately monitored or addressed.
Additionally, while antivirus software was installed at each site, EDR (Endpoint Detection and Response) had not been implemented, leaving the environment vulnerable to advanced external threats (*1). Therefore, it was necessary to first consider what measures should be implemented to support comprehensive security measures.

3. Understanding the current situation and prioritizing measures

Understanding the current situation

When implementing customer security measures, NTT DATA first identified the configuration of the customer's systems. Since the systems are built according to each client's specifications, we identified where customer information is stored and the access routes in each system, managing the overall configuration.
Additionally, when understanding the system overview, we focused not only on areas needing strengthened security measures but also on users' normal operations. This approach was taken to avoid placing too much emphasis on security measures, which could significantly impact business operations. By understanding how business is usually conducted, we considered security measures that would not burden users while maintaining a certain level of security quality.

Planning Prioritized Measures

After understanding the current situation, we developed measures based on the identified areas that needed to be strengthened.

The basic concept is as follows:

  • Consolidate and limit the information outlets, and then take measures against possible risks.
  • Strengthen access authentication for privileged accounts that can access personal information and manage work history.
  • Detect inappropriate behavior of employees that may leak confidential information.

Specific measures included the following:

  • Restricting the use of USB memory devices by IT asset management products
  • Controlling connected PCs by strengthening terminal authentication
  • Centralized control of external attacks and inappropriate internal access using proxies and firewalls
  • Access control through appropriate authorization and access authentication through AD management and privilege management
  • Log collection and detection of inappropriate behavior through SIEM/UEBA (*2)
(*2) SIEM (Security Information and Event Management): technology and tools for collecting, analyzing, and reporting logs generated on the network. UEBA (User and Entity Behavior Analytics): technology and tools for analyzing the behavior of users and entities (devices, systems, etc.).

A wide range of measures were planned, including the establishment of AD, support for the introduction of IT asset management products, selection of EDR products, introduction of SIEM/UEBA, and redesign and reconstruction of a secure closed network environment.
The highest priority was given to the introduction of IT asset management products for restricting the use of USB memory devices and to the establishment of AD for account management. Additionally, the introduction of SIEM/UEBA was prioritized for centralized log monitoring to prevent unauthorized outflows by insiders.
SIEM/UEBA uses AI to learn the normal status of each user from various logs (unsupervised learning). Based on this learning, SIEM/UEBA can detect and track internal improprieties and targeted attacks by scoring actions that deviate from the normal status (Figure 1). For customers with thousands of terminals and various working and operating patterns, setting, adjusting, and monitoring a baseline requires significant effort. However, AI can significantly reduce this burden.

Figure 1: Functional overview of the SIEM/UEBA solution introduced

4. Strengthening the security of existing systems through a wide range of measures

As a countermeasure, we took the following multifaceted measures:

  • Terminal control using the functions of IT asset management products
  • Account and terminal control using the functions of AD
  • Anti-malware measures for terminals and server groups using the functions of EDR products
  • External communication control using the functions of NW security products
  • Privileged account management using a privileged ID management solution
  • Reconstruction of the base network environment to deny NW connections and logins to unmanaged terminals and users
  • Monitoring employee behavior, including improper conduct, and detecting suspicious behavior at an early stage by introducing SIEM/UEBA

These measures were introduced not into a new system but into an existing system that was running 24 hours a day, 365 days a year. This made implementing the countermeasures difficult, but we completed them successfully by utilizing NTT DATA's expertise in the installation and operation of security products.

5. Collecting all kinds of logs to detect suspicious behavior leading to internal impropriety

Various security products were installed in the customer's system, enabling USB usage control and account management. Additionally, the SIEM/UEBA products introduced learn each employee's normal behavior, set a baseline from it, and raise alerts when behavior deviates from that baseline.
While installing the latest security products is important, the most crucial aspect is collecting the logs output by these products and analyzing them from multiple perspectives to detect signs of an attack. Centralized collection and analysis of logs by a single security monitoring platform not only enables detection but also accelerates investigation and response in the event of an actual attack.
In the customer's environment, the introduction of SIEM/UEBA, alongside the latest security products, has created a security monitoring platform capable of detecting and responding to internal improprieties by employees and external attacks.
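The per-user baseline learning and deviation scoring described in Sections 3 and 5 can be illustrated with a small model. The following is an added example, not code from NTT DATA or from the SIEM/UEBA product introduced; the daily activity records, the score weights and the alert threshold are constructed assumptions, and real products learn far more features than file-access volume and login hour.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records for the learning window: (user, day, files_accessed, login_hour)
BASELINE_LOGS = [
    ("alice", d, n, h) for d, (n, h) in enumerate([(40, 9), (45, 9), (38, 10), (42, 8), (44, 9)])
] + [
    ("bob", d, n, h) for d, (n, h) in enumerate([(12, 8), (15, 9), (10, 8), (14, 9), (13, 8)])
]

# Constructed records for the day being monitored
NEW_DAY = [
    ("alice", 5, 41, 9),    # within her usual volume and hours
    ("bob", 5, 310, 2),     # ~20x his usual volume, logged in at 02:00
    ("carol", 5, 20, 9),    # entity never seen during learning
]

def learn_baseline(records):
    """Unsupervised step: per-user mean/std of daily file accesses and usual login hours."""
    by_user = defaultdict(list)
    for user, _day, files, hour in records:
        by_user[user].append((files, hour))
    baseline = {}
    for user, obs in by_user.items():
        counts = [f for f, _ in obs]
        hours = [h for _, h in obs]
        baseline[user] = {
            "mean": mean(counts),
            "std": pstdev(counts) or 1.0,   # constant users would otherwise divide by zero
            "hour_lo": min(hours),
            "hour_hi": max(hours),
        }
    return baseline

def score(record, baseline):
    """Score 0..100: excess volume (z-score) plus a fixed penalty for off-hours login."""
    user, _day, files, hour = record
    b = baseline.get(user)
    if b is None:
        return 100.0   # nothing learned for this entity: escalate for analyst review
    z = (files - b["mean"]) / b["std"]
    volume = max(0.0, z) * 10.0                      # only excess volume raises the score
    off_hours = 0.0 if b["hour_lo"] - 1 <= hour <= b["hour_hi"] + 1 else 30.0
    return round(min(100.0, volume + off_hours), 1)

def detect(records, baseline, threshold=50.0):
    """Return (user, score) for records whose deviation score reaches the alert threshold."""
    return [(r[0], score(r, baseline)) for r in records if score(r, baseline) >= threshold]

if __name__ == "__main__":
    print(detect(NEW_DAY, learn_baseline(BASELINE_LOGS)))
```

The learning window here is five days; in practice the baseline must be refreshed as working patterns change, and unknown entities are surfaced rather than silently scored as normal.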

6. Conclusion

In cybersecurity, while the introduction of security products is important, it is equally crucial to consolidate and analyze the logs output by these products into SIEM/UEBA for appropriate operation and monitoring. In this case, we succeeded in visualizing employee behavior, which had previously been a black box, by introducing security products and collecting and analyzing logs.

Satoshi Aoki

NTT DATA Japan Corporation

After joining NTT DATA, he spent several years in charge of the development and operation and maintenance of large-scale client and server systems for a government agency. Utilizing his experience in system development, he is currently engaged in the introduction and proposal of SIEM for customers.

Masayuki Matsubara

NTT DATA Japan Corporation

Since joining NTT DATA, he has specialized in security and has been involved in the operation and improvement of SOC/CSIRT and support for the introduction of forensic operations. He is currently in charge of the introduction of SIEM/UEBA.

Yasuyuki Hirose

NTT DATA Japan Corporation

After gaining experience in the design and operation of in-house systems for domestic distributors, he moved into cyber security operations. Since joining NTT DATA, he has been engaged in supporting SOC operations for a customer in the manufacturing industry. He is always hoping to make more motorcycle friends.
