"Zero Major Accident" track record and ongoing security measure enhancement

Toshiba Digital Solutions' company-wide information security measures date back 13 years. In 2005, the entire company acquired ISO27001 certification, an international information security management system (ISMS) standard.

In our ISMS basic policy, we have declared our dedication to satisfying our social responsibility by building a security management system that sustains continuous, uninterrupted business operation by thoroughly managing customer confidential information and the personal information of customers and employees.

Based on this policy, we have rigorously defined and are implementing requirements for ensuring the security of the information assets the organization is responsible for protecting. These include the management of off-premise removal of computers and recording media such as USB flash drives, thorough practice of operation rules such as accidental email transmission prevention measures, and awareness-raising through the issuing of warning information. Through our ISMS and the use of PDCA cycles, we have been working company-wide for years to protect information assets, and have achieved the tremendous accomplishment of having zero major accidents (Fig. 1).

However, new threats, such as targeted attacks, are constantly arising, and security measures must be continuously reviewed, revised, and reinforced. The concept of "defense in depth," which applies security measures not only to entry points to internal networks, but also their interiors and their exit points, has been of tremendous assistance in realizing effective security countermeasures against these new threats. We are confident that we have been able to maintain our track record of zero major accidents by applying the PDCA cycle to our security measures, which are based on defense in depth, to periodically review security threats and check for insufficiencies in our countermeasures, and continuously enhance our security measures, guided by the philosophy that "security threats are constantly changing and growing."

Our primary business activity is software development, so, needless to say, we have strictly managed our development areas, including outsourcing contractors. We have been also a forerunner in reducing security risks in our development deliverables ? our products and services. We have been at the forefront in establishing product security, a precursor to the Product Security Incident Response Team (PSIRT) functions that were created when Toshiba's Cyber-Security Center was launched.

Advanced cyber-security measures and operation efficiency improvements

The Cyber-Security Center directs the Group-wide cyber-security measures that have become vital for Toshiba, and we work with the Center to implement advanced initiatives.

Cyber-attacks could happen at any time, so we perform monitor internal network end-points such as servers and computers 24 hours a day, 356 days a year. We have created a system that prevents security incidents from occurring by constantly monitoring a wide range of security risks. These include monitoring and analyzing firewall control logs and server and storage usage logs, as well as identifying unauthorized transmissions and unauthorized use of storage media such as USB flash drives in specific projects based on computer usage logs and other information.

In addition to preventing attacks by ransomware* and unknown malware by monitoring information devices and storage media, and detecting unauthorized access, we also coordinate with the Cyber-Security Center's PSIRT to build an environment that makes it possible to maintain quality levels when shipping products and to rapidly share information regarding vulnerabilities around the world within the company.

* Ransomware: This new form of malware has become widespread in recent years. It locks up infected computers or encrypts files, making them unusable, and then demands a ransom to return them to their former state.

Needless to say, going overboard with efforts to achieve rock-solid security can impede the productivity of employees, ultimately negatively impacting the level of service provided to customers. To avoid this, We have been introducing thin-client environment companywide, which manages computing resources such as software and data centrally on the server side, and allows only basic function of the client devices operated by the employees. We have created a workplace which offers security against cyber-attacks while maintaining productivity. Our over 3,500 employees work securely and efficiently, anytime, anywhere.

Internal Practice Case 1: Using the power of AI to detect unknown threats in advance

In order to develop solutions that support customer business continuity and the creation of corporate value, our information security measures are first called on to be implemented within the company. As with Toshiba itself, our role is to create precedents for the application of measures throughout the Toshiba Group, and we implement and practice a wide range of initiatives.

We take the initiative in leveraging new technologies, ascertaining their functions and usability. We use our resulting knowledge and expertise to combine products and services to meet the needs of customers. We believe that this makes it possible for customers to feel secure introducing highly reliable security measures whose effectiveness has been proven. Through our internal implementation and practice activities, we have created numerous security products, services, and solutions that are protecting and supporting the business activities of customers.

Even now, we are internally implementing the latest security solutions to counter increasingly advanced cyber-attacks. Let us introduce two measures we are actively working on.

The first is the use of "Cylance," next-generation anti-malware software that uses AI technology to improve protection against unknown threats. Cylance's most notable feature is its ability to detect the threat of unknown malware which has never before been identified by analyzing its similarity to past threats, and to block that malware on end-point devices before it is executed. We deployed Cylance, which has drawn significant attention, in our internal environment in June 2016. It is now protecting over 15,000 devices. We are currently verifying its high level of detection capabilities and investigating effective operation methods in order to acquire the know-how needed to deploy it in government organizations that handle confidential information. For example, it functioned effectively against the "WannaCry" ransomware that became rampant in 2017, and as a result we suffered zero infections.
These overwhelming detection capabilities have tremendous promise for use in countermeasures against unknown malware. However, merely deploying a tool is not enough to elicit the desired level of performance; we believe the following are also important.

Tools must be tuned both before and after being put into operation. Cylance determines the level of similarity between potential threats and past threats, so, for example, remote desktop software, commonly used in companies, will be blocked. This is because it behaves in the same way as malware designed to be controlled remotely. Cylance may detect and block software such as this, whose use is permitted by companies. This is called false-positive, and a key point in ensuring that systems operate smoothly is minimizing this false-positive in advance.

It is also important to have structure set up to quickly analyze, once system operation has begun, whether software detected as potential malware is actually malware, or whether it is a false positive. For example, when a programming tool is used for the first time, it could be recognized and blocked as malware due to its similarity to past malware. Failing to address this could have a negative impact on programming work. In other words, day-to-day security monitoring operations require capability of quick analysis of whether detected and blocked software is an actual threat or a false-positive. In our regular security monitoring operation, we use a unique threat database containing the expertise collected by our security monitoring teams in their day-to-day operations to make these analysis within minutes.

Internal Practice Case 2: Linking human risks and IT risks through integrated log management

The second case of our internal practice is the use of "Splunk," an evolution of the 24 hour a day, 365 day a year security monitoring (end-point monitoring) we have implemented through the years. Splunk performs real-time collection and storage of a wide range of data, such as logs and packet data from servers, applications, and network devices, and the results of command execution. It flexibly handles the complex searches and analyses required for IT management, and recently security functions have also been added to it. While we use Splunk to handle false-positive by Cylance, we also use it to constantly accrue data on human activity, such as room access to work areas, file access, wireless LAN use, the writing of data to various media, email sending, and the use of multifunction printers. We have begun linking this data with a threat database used to manage threat information and performing correlation analysis on their contents, identifying relationships between human risks and IT risks. If believe that if we discover logical correlations, we can identify risks that follow specific behavior or actions, which was not previously apparent, and can use this knowledge to implement countermeasures against both outside and inside threats before they occur. We are currently iteratively implementing measures while applying the PDCA cycle to our efforts, to determine how to effectively generate logical formulas that apply to human risks and IT risks (Fig. 2).

Through these efforts, we are steadily building up experience and operation know-how that we can provide to customers in the future.

Regardless of the industry, members of information system departments struggle with how to respond to and prevent increasingly advanced cyber-attacks. As Toshiba Digital Solutions’ information security department, this is true for us as well. To continue to protect our management and business, Toshiba Digital Solutions will work as one with all Group companies to implement advanced security measures. We will provide customers facing these same challenges with the wealth of knowledge we have gained from our steady efforts and urgent measures aimed at solving information security problems. Through this, we will protect our customers' business and management, and the safety and security of society itself.