With the advancement of corporate digital transformation such as the spread of IoT devices and blend of IT and OT (Operational Technology), the importance of security measures including response to cyber attacks is increasing. Innovation can accelerate only when sufficient security measures are taken and things and data flow are protected in the connected world. This report introduces Fujitsu's security strategy on tackling this difficult issue.
[Fujitsu Insight 2017 Security Keynote Speech Report]
Cyber Attacks Increasing in Number and Sophistication
There is no need to stress again that the environment surrounding security is full of challenges, with cyber attacks increasing and becoming more sophisticated. 40 percent of companies experienced serious damage due to cyber attacks and the average amount of damage including opportunity loss is said to have reached 230 million yen per incident. Additionally, the sophistication of attack methods is unpredictable, with ransomware, zero-day attacks and large-scale DDoS attacks exploiting vulnerable IoT devices. As digitization progresses, connecting everything, the risk from cyber attacks will increase further.
While the need for cyber security increases, securing security personnel is also an urgent task. Japan's Ministry of Economy, Trade and Industry (METI) calculates that the shortage of security personnel will reach approximately 200,000 by 2020. Meanwhile, companies have an average of 6 to 7 security devices installed, and are not able to operate them sufficiently. Therefore, 10 to 15 percent of the alerts that the sensors issue may be missed. While the global average time it takes for a threat to be detected after entering an organization is 99 days, the attacker can seize administrative access rights in three days. Closing this gap is an urgent task.
What is Required of Security Vendors
Due to such circumstances, security vendors are required to tackle various challenges such as reducing the time between intrusion of a threat to detection/recovery, responding to excessive alerts, and developing and utilizing security personnel. Additionally, contributing to total security risk management for the continuation of the customer's business by expanding the scope of security measures to areas of IoT/OT and data protection is also an important role for security vendors.
However, Fujitsu believes security is not only about protecting against threats. Security technology is vital element in supporting the business continuation of customers, and eventually for advancing the value creation cycle using ICT.
Therefore, by incorporating security in customers' businesses, we hope to support them in "achieving something that was previously not possible" and "realizing an unprecedented user experience." In other words, Fujitsu's vision is to realize a "co-creation society" by providing an environment in which customers can focus on innovative activities that lead to resolving social issues and creating the future without having to be aware of cyber attacks, the negative aspect of cyberspace.
Two Directions for Protecting Customers
Fujitsu offers a broad security solution ranging from drafting policies to implementing and operating measures, under the SafetyValue brand. We want to develop this and propose recommended patterns for each security measure angle in the form of a SafetyValue solution set, incorporating products from other companies, to respond to the concerns of customers who "do not know what to choose."
Additionally, to offer total protection for customers, we will focus our efforts in two directions--increasing our partners and expanding the scope of protection.
In terms of increasing our partners, we will spread among Fujitsu Group's system engineers the concept of Security by Design, which incorporates security upstream, such as defining the requirements and designing the system. We will also prepare templates for constructing systems that enable high quality and highly secure integration in a shorter time. At the same time, we have begun integrating security features into cloud services and network services, as well as providing security services to a wider range of customers with our partner companies.
Previously we offered solutions around protecting the IT infrastructure. In terms of expanding the scope, we would like to expand into additional areas of IoT/OT and protection of sensitive data.
In the areas of IoT/OT, our aim is to realize the concept Trustworthiness called for by the Industrial Internet Consortium. From upstream processes such as making assessments and formulating policy, we will provide solutions for design/implementation including device authentication and white list, as well as regular penetration tests in the operational/maintenance phase throughout the life cycle. We will apply managed security services that support daily operations in the areas of IoT/OT. We will also secure resiliency, which enables prompt recovery in the case of an emergency, as well as privacy of sensitive data.
To protect data further, there are many things to be done in terms of IT to comply with laws and regulations such as Europe's GDPR and industry standards. We will provide support to respond to requests such as improving the system/governance including appointing a Data Protection Officer (DPO), sorting out personal data, conducting privacy influence surveys and timely reporting when accidents occur.
The point of security Fujitsu offers is that assessment, design/construction, and operation are offered all in one place. Assessment results are tied to product selection and system integration, infrastructure configuration is reviewed as needed to boost the system security. We will offer security measures throughout the life cycle including monitoring of the improved system using managed security service, responding to incidents and regular assessment of the level of security measures.
Global Management with Support for IoT/OT Areas in View
There are no borders in cyberspace. Therefore, Fujitsu is globally developing solutions for security issues as well as the Global Managed Security Service (GMSS), which supports the operation of such solutions, to provide total support for our customers' security measures. We have already built Security Operation Centers (SOCs) and support sites around the world, providing services to approximately 1,400+ customers. We monitor roughly 6,400 network sensors, with end points amounting to 193,000.
We can also offer services not only through centrally monitoring from a single location, the sensors installed around the world at customer sites, but also in various forms that meet customer conditions and needs. Examples include, monitoring/supporting the nearest customer sites from our SOCs in Japan, U.S. or Europe, and having Fujitsu's technology installed in customer's own SOCs established/operated by themselves and providing technical support only.
We will extend this further to include EDR (Endpoint Detection and Response) and UEBA (User Entity Behavior Analytics), and collect events and logs from sensors installed in the customer's environment and analyze/visualize them using technology such as AI, and advance the GMSS using external intelligence information as well. In doing so, we plan to expand the managed area to IoT/OT and data protection. We will also deepen our collaboration and support with customer's CSIRT.
Contribute Through Development of New Technology and Practical Human Resources Development to Make Up for Security Workforce Shortages
As a manufacturer, Fujitsu is involved in R&D in various fields and is focused on R&D and leveraging advanced technology in the field of security. Such technologies are incorporated in our products and services to deliver to customers after their effects and operability have been examined by actually testing in our internal environment.
Practicing Unique Technology In-house and Putting to Use
One example is the Malicious Intrusion Process Scan, which discovers unknown attacks by comparing the network traffic with the behavior characteristics of the attacker. We have actually installed it in an environment with tens of thousands of devices with a certain level of security measures applied, and discovered over 300 unknown attacks in one month. Additionally, Advanced Analysis technology detects behaviors that are difficult to spot with general security sensors such as promotion to privilege ID, by analyzing the Active Directory and proxy server logs. By utilizing unique technology such as high-speed forensic technology, which analyzes the communication flowing between end points on the intranet and significantly reduces the time spent on intrusion investigation, we are offering services with higher added value.
Going forward, we will advance the application of AI technology and improve the accuracy of decisions on whether detected events are proper operations by the administrator, or fraudulent operations by attackers. Such efforts will enable engineers without advanced analytical skills to make appropriate decisions, which will contribute to resolving the social issue of security personnel shortages.
Fujitsu's Security Personnel Exceeding 2,700
Along with developing technologies, we are also focusing on developing human resources. Fujitsu launched its Security Master Certification System three years ago and has already developed/certified over 2,700 Masters in the Fujitsu Group. We plan to increase this to 10,000 by the end of FY2019, so that each SI project has a Master involved. This will allow us to provide a more secure system to our customers. We also provide a cyber-range that we developed in-house to customers to help them develop security personnel within their organization.
Security measures are a management issue that should be considered an investment rather than a cost, and managers should take the initiative to lead the efforts. It is an important issue that can result in not being able to enter the market if laws, regulations and industry standards are not met. Fujitsu not only bolsters customers' business continuity, but also contributes to the creating innovation by offering services that meet various customer needs and challenges.
- Junichi Iijima
Head of Cyber Security Business Strategy Unit