Japanese firm showcases malware detection 'nerve-center'

Operated round the clock by a group of senior security researchers, Little Earth Corporation touts its ability to provide up-to-date proactive detection of viruses, keeping clients such as Japan's defense ministry safe.
Written by Tyler Thia, Contributor

TOKYO--When it comes to tackling security threats, Japan's numerous government agencies and financial organizations are in good hands due to the resources of IT security services provider, Little Earth Corporation (LAC), says company spokesperson Masahiko Iimura.

While relatively unknown outside of the country, the Japanese company was first set up in 1986 to provide local network security solutions--something which "no one thought could make money", Iimura quipped.

Today, the company has grown into a 352-man team comprising 224 systems engineers and 56 researchers who work in three different arms of security research, namely the Japan Security Operation Center (JSOC), Risk Research Institute of Cyber Space (RRIS) and Cyber Emergency Center (CEC).

More than 60 researchers sit in JSOC's office located in central Tokyo, where senior analysts and analysts take turns to monitor looming security threats from all over the world, he said. The company's clients include the Japanese defense ministry and Bank of Tokyo-Mitsubishi UFJ.

Analysts on shift duty are assigned to five groups, each looking after specific duties such as analyzing the approximately 300 million logs that come in through LAC's intrusion detection systems (IDS) and clients' firewalls, as well as logs processed by a correlation analysis system where clients will be notified if threats are detected.

The company has developed its own threat detection system but also leverages Symantec's tools to carry out the second step in its workflow, which is the correlation analysis of the logs.

According to Iimura, JSOC researchers found that the all-round multi-vendor support of which Symantec's products are capable is effective in sieving out threats. "Even if the threat is captured by other security vendors, Symantec tools have the capability to process the information," he added.

Since 2000, JSOC has also implemented its own signature-based threat detection system, he added.

After collecting information on the latest threat attacks, researchers work on designing signatures for each IDS and IPS (intrusion protection system), followed by a round of internal verification of the signatures. Once approved, these signatures are applied to monitoring devices which will run in IDS mode, followed by another round of verification, he explained.

In his presentation, Iimura highlighted that there is currently a huge volume of stolen credit card and personal information flowing through the "black market", and LAC's focus is to block any Trojans and malware before they have the ability to infect clients' systems.

Powering the "command center"
Besides positioning the security analysts in a "command center" setting, the nerve center of JSOC also has huge screens showing constant updates on the detection of malware, powered by a HoneyWhales system. This system randomly shows viruses detected by 960 sensors placed worldwide, with a revolving Google map that pinpoints the location of each threat detection. It also ranks the frequency of detection by different security vendors, ranging from 33.5 percent to 15 percent.

When asked to provide further statistics, Iimura explained that the results collated over 24 hours do not represent the number of malware detected by each vendor. Instead, it is an indication of the detection of "new" malware that has yet to surface, he said, adding that even a 33.5 percent figure indicates the strength of the security tool.

Interestingly, the research laboratory also had screens broadcasting NHK and BBC News.

Iimura said: "From our experience, it seems that whenever some major event is happening, there tends to be opposing cybercriminals and some will make use of these opportunities to design viruses and launch cyber attacks." With news channels running in the center, the LAC team will be able to proactively look out for such criminal intent in the security channels, he added.

However, he was unable to provide examples of such events.

Iimura was quick to point out that while the JSOC is a threat-detection facility, it is the CEC that carries out the response work when needed. For example, when clients suffer attacks and data breaches, the CEC team will move in to investigate.

He explained that while the center operates 24 by 7, if emergency threats are discovered overnight and the client fails to react, then data loss and other consequences may be inevitable.

Tyler Thia of ZDNet Asia reported from the JSOC as part of Symantec's media briefing in Tokyo, Japan.


