Aiming to realize a collaborative defense platform across multiple organizations to combat more frequent and sophisticated cyberattacks
June 17, 2022
Hitachi, Ltd. has developed technology in partnership with Keio University and Chubu Electric Power Co., Inc. (hereinafter “Chubu Electric Power”) to maintain confidentiality while promptly sharing response measure data with experts across multiple organizations during cyberattacks. This technology can further the effectiveness and efficiency of incident response through collaboration with multiple organizations and minimize the damage caused by a cyberattack.
An organization under a cyberattack uses this technology to create an incident ticket (hereinafter “ticket”) describing the progress of their response and notify other organizations participating in the collaborative defense. Conventional approaches generally provide a notification describing the response measures after the response to a cyberattack has already taken place. However, due to the time it takes to anonymize confidential information when creating this ticket, it has limited the effectiveness of a collaborative defense. Hitachi, Keio University, and Chubu Electric Power developed this new technology as a system (dynamic access control function) to process the ticket data describing the response measures based on the trustworthiness of confidential information management of each participating organization and the expected benefit of sharing various information for the organization under attack. Organizations can use this technology to share tickets with other organizations that have success in addressing similar cyberattacks and gain effective feedback in order to smoothly tackle their own cyberattack.
On March 15, 2021, Hitachi announced a new technology to enhance cyberattack detection accuracy via cooperation with other organizations. In the future, the hope is to further the social implementation of a collaborative defense platform that integrates technologies to share information about incident response, which will contribute to a safe and secure digital society.
Hitachi, Keio University, and Chubu Electric Power joined forces in April 2017 to research and develop a Decentralized Security Operation concept.
Fig. 1. Technology to share incident response information
As cyberattacks become more frequent and sophisticated in recent years, organizations struggle to respond effectively when under an attack using only their own staff and knowledge. However, other organizations are tackling or have tackled the same cyberattacks in the past as well. Therefore, all these organizations would benefit from a collaborative defense platform that could rapidly share response measures when under an attack in order to gain outside knowledge and experienced feedback.
Hitachi and Keio University began a collaborative research project for IT security management and personal information protection against cyberattacks in February 2016. With a long history in the security operations for information technology and operational technology systems, Chubu Electric Power joined this project in April 2017 to advance research and development toward greater incident response in the demonstration field.
Hitachi alongside Keio University and Chubu Electric Power developed this technology as a way to automatically set the scope for disclosing sensitive and confidential information for each participating organization based on the trustworthiness of their confidential information management as well as the expected benefits of sharing various information with other participating organizations via tickets describing response measures against cyberattacks.
・Trial testing that shared tickets outlining response measures between three organizations when under an actual cyberattack have verified a quick incident response rate. This success was achieved by completing the process to automatically anonymize and share ticket data between organizations in roughly 180 seconds according to the trustworthiness of confidential information management at each organization and the expected benefits of sharing various information for the organization under attack.
・Cybersecurity is becoming an important management challenge to enhancing the resiliency of corporate activities as all modern industries progress with rapid digital transformations. Hitachi plans to further the social implementation of a collaborative defense platform integrating the technology to detect cyberattacks it announced on March 15, 2021 and this technology developed to share an incident response to cyberattacks, which will contribute to the realization of a safe and secure digital society.
Some of the results of this research were announced at the 84th National Convention of Information Processing Society of Japan held from March 3 to March 5, 2022.
As shown in Figure 1, this access control function quantifies the trustworthiness in the handling of sensitive and confidential information at other organizations and the benefits that can be expected from sharing information to use as the value to determine the level to anonymize data. In other words, this function shares a non-anonymized ticket with organization that have a high trustworthiness and benefit value but a ticket anonymizing IP address, system configuration data, and other sensitive and confidential information with organizations that have a low trustworthiness and benefit value. Anonymizing and abstracting sensitive and confidential information according to the level determined to process the data realizes both a safe and efficient means to share incident response data. The trustworthiness above is also determined based on the skill of the security administrator and security systems of the organization to disclose information. Moreover, the expected value of benefit is determined based on the function to calculate the benefits of sharing tickets below.
The expected benefit value uses a model to provide a high potential of receiving valuable feedback from an organization which has dealt with the same cyberattack. This function compares identifiers of the cyberattack included in the ticket and the identifiers of the cyberattack at participating organizations, such as IP addresses of the cyberattack source, malicious domain names, and suspicious email content, to provide a higher expected benefit value when there are more common traits of the cyberattack. The process comparing the identifiers of cyberattacks is done confidentially and not disclosed as is in tickets to other organizations. This feature uses secure computing technology to identify the common traits of identifiers between each organization with the data in an encrypted state. The expected benefit value is specifically obtained by calculating the percentage of identifiers in the ticket that are the same as those recorded in the security network log of the organization receiving the ticket.
For more information, use the enquiry form below to contact the Research & Development Group, Hitachi, Ltd. Please make sure to include the title of the article.
