We introduce three measures for extending P. The first is maintaining the health of systems. For IT, regular updates and timely patching are applied to the OS and software. For OT, periodic maintenance is performed; in addition, system health is maintained by visualizing risk and through continuous monitoring. The second is reinforcing preventive capabilities and defensive measures. This includes using defense in depth at the border between IT and OT, introducing systems for protecting OT legacy devices, and providing systems with redundancy. The third is using threat intelligence to predict risk. Detecting discussions and actions by attackers and implementing countermeasures before being attacked are important elements of proactive response.
There are two main means of decreasing M. The first is real-time incident detection. It is important to detect irregularities and to analyze the correlation between initial attacks and the continuous attacks that often follow them. This can be achieved effectively by deploying Intrusion Detection Systems (IDS), establishing Security Operation Centers (SOCs) that continuously monitor IT and OT, using Security Information and Event Management (SIEM) tools to analyze correlations between incidents and event log contents, and implementing Security Orchestration, Automation and Response (SOAR) solutions for visualizing incidents and automating response. The second is localizing and minimizing impact through zoning: systems are segmented, or zoned, in units of networks and functions, and the states within zones and at the connection points, or conduits, between zones are monitored to detect any abnormalities.
* Zoning is introduced in detail in the fourth article of Vol. 25.
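The following is an added example, not code from the article or from Toshiba, showing the kind of correlation a SIEM performs between an initial attack on the IT side and the continuation attack that crosses a conduit into an OT zone, together with a simple conduit-policy check. The log format, the zone names ("IT", "CONDUIT", "OT"), the host names, the 600-second window and the allowed-source list are all assumptions constructed for the example.

```python
"""Toy SIEM-style correlation over constructed IT/OT log lines.

Assumed (not from the article): log lines of the form
"<epoch> <zone> <host> <event> key=value ...", two zones joined by one
conduit, and a fixed correlation window of 600 seconds.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample logs: a credential-guessing burst on an IT workstation
# that succeeds, then a new flow from that workstation through the conduit
# and a write to a PLC. The last line is a legitimate write from the HMI.
SAMPLE_LOGS = """\
1000 IT ws-017 auth_fail user=alice src=203.0.113.7
1005 IT ws-017 auth_fail user=alice src=203.0.113.7
1010 IT ws-017 auth_ok user=alice src=203.0.113.7
1300 CONDUIT fw-01 new_flow src=ws-017 dst=plc-03 proto=modbus
1320 OT plc-03 write_coil src=ws-017 addr=40001
5000 OT plc-07 write_coil src=hmi-01 addr=40002
"""

WINDOW = 600                          # seconds to watch for a continuation attack
ALLOWED_CONDUIT_SOURCES = {"hmi-01"}  # assumed allow-list for the IT->OT conduit


@dataclass
class Event:
    ts: int
    zone: str
    host: str
    kind: str
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, zone, host, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(int(ts), zone, host, kind, fields)


def parse_logs(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def conduit_violations(events: List[Event]) -> List[Event]:
    """Conduit monitoring: any flow whose source is not on the allow-list."""
    return [e for e in events
            if e.zone == "CONDUIT"
            and e.fields.get("src") not in ALLOWED_CONDUIT_SOURCES]


def initial_attacks(events: List[Event], fail_threshold: int = 2) -> List[Event]:
    """An 'initial attack' here: >= fail_threshold auth failures followed by
    a success from the same source on the same IT host."""
    fails: Dict[tuple, int] = {}
    found = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.zone != "IT":
            continue
        key = (e.host, e.fields.get("src"))
        if e.kind == "auth_fail":
            fails[key] = fails.get(key, 0) + 1
        elif e.kind == "auth_ok":
            if fails.get(key, 0) >= fail_threshold:
                found.append(e)
            fails[key] = 0
    return found


def correlate(events: List[Event], window: int = WINDOW) -> List[dict]:
    """Link each initial attack to later conduit crossings and OT events
    originating from the compromised host within the window."""
    incidents = []
    for attack in initial_attacks(events):
        follow = [e for e in events
                  if attack.ts < e.ts <= attack.ts + window
                  and e.zone in ("CONDUIT", "OT")
                  and e.fields.get("src") == attack.host]
        if follow:
            incidents.append({"initial": attack, "continuation": follow})
    return incidents


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for inc in correlate(evs):
        print("initial:", inc["initial"].host, "-> continuation:",
              [(e.zone, e.host, e.kind) for e in inc["continuation"]])
    print("conduit violations:", [(e.ts, e.fields["src"]) for e in conduit_violations(evs)])
```

The conduit check and the correlation are deliberately separate: the allow-list fires on a single event at the zone boundary, while the correlation needs the IT-side context to tie the OT write back to its origin, which is the relationship the text describes between initial and continuation attacks.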
Lastly, to shorten R, it is important to make incident response more efficient by using a playbook approach and automation. Using logs and preparing a forensic team are also important. The knowledge and experience of individuals are codified (turned into playbooks) and used in SOAR to respond to incidents. Some parts of this response are automated, improving overall incident handling efficiency. For attacks resembling those in past logs, correlation analysis between response logs and incidents enables an immediate response. For novel attacks, on the other hand, it is essential to prepare a system that can carry out detailed (forensic) investigations so that systems can be restored rapidly. Of course, to achieve this, incident response knowledge must be continuously accrued.
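As an added example (not the article's or Toshiba's code), the sketch below shows how codified playbooks, partial automation, and matching against past response logs fit together in a SOAR-style runner. The playbook names and steps, the indicator vocabulary, the Jaccard-similarity match and the 0.5 threshold are all assumptions made for the example; the automated actions are stand-ins that only record what they would do.

```python
"""Toy SOAR-style playbook runner.

Assumed (not from the article): playbooks are ordered lists of
(step, automated) pairs; past response logs are (indicator set, playbook)
pairs matched by Jaccard similarity; a match below 0.5 is treated as a
novel attack and handed to forensic investigation.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Codified analyst knowledge: which steps to take, and which can run unattended.
PLAYBOOKS: Dict[str, List[Tuple[str, bool]]] = {
    "it_credential_compromise": [
        ("disable_account", True),
        ("isolate_host", True),
        ("collect_triage_image", True),
        ("notify_csirt", True),
        ("analyst_review", False),        # manual step
    ],
    "ot_unauthorized_write": [
        ("block_conduit_flow", True),
        ("snapshot_plc_config", True),
        ("notify_psirt", True),
        ("site_engineer_verify", False),  # manual step: never auto-change OT
    ],
}


def _stub_action(name: str) -> Callable[[dict], str]:
    """Stand-in for a SOAR connector; returns a record of the action taken."""
    def action(incident: dict) -> str:
        return f"{name}:{incident['host']}"
    return action


ACTIONS = {step: _stub_action(step)
           for pb in PLAYBOOKS.values() for step, _ in pb}

# Constructed past response logs: indicators seen -> playbook that resolved it.
PAST_RESPONSES: List[Tuple[Set[str], str]] = [
    ({"auth_fail_burst", "auth_ok", "external_src"}, "it_credential_compromise"),
    ({"conduit_new_flow", "modbus_write", "unknown_src"}, "ot_unauthorized_write"),
]


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match_playbook(indicators: Set[str],
                   threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Correlate a new incident's indicators with past response logs."""
    best_set, best_name = max(PAST_RESPONSES,
                              key=lambda r: jaccard(indicators, r[0]))
    score = jaccard(indicators, best_set)
    return (best_name, score) if score >= threshold else (None, score)


def run_playbook(name: str, incident: dict) -> Tuple[List[str], List[str]]:
    """Execute automated steps; return (actions done, manual steps pending)."""
    done, pending = [], []
    for step, automated in PLAYBOOKS[name]:
        if automated:
            done.append(ACTIONS[step](incident))
        else:
            pending.append(step)
    return done, pending


def respond(incident: dict) -> dict:
    name, score = match_playbook(set(incident["indicators"]))
    if name is None:
        # Novel attack: no codified response; route to the forensic team.
        return {"playbook": None, "score": score,
                "done": [], "pending": ["forensic_investigation"]}
    done, pending = run_playbook(name, incident)
    return {"playbook": name, "score": score, "done": done, "pending": pending}


if __name__ == "__main__":
    print(respond({"host": "ws-017",
                   "indicators": ["auth_fail_burst", "auth_ok", "external_src"]}))
    print(respond({"host": "plc-03",
                   "indicators": ["modbus_write", "conduit_new_flow"]}))
    print(respond({"host": "srv-02", "indicators": ["dns_tunnel"]}))
```

Two design points worth noting: every OT playbook keeps a manual verification step, so automation speeds up containment without letting the runner alter plant state unattended, and a below-threshold match does not pick the nearest playbook but explicitly routes to forensics, which is the distinction the text draws between known and novel attacks.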
At Toshiba, the SOC, CSIRT (Computer Security Incident Response Team), and PSIRT (Product Security Incident Response Team) work together to operate the Prepare, Mitigate, and Response & Recovery life cycle on an ongoing basis. Through this, we are increasing the maturity of our cyber resilience. To automate and improve the efficiency of this life cycle, we collect threat intelligence and asset logs in SOAR and have used them to create a cyber resilience operation platform.