PARTNER CONTENT

Cyber Initiative Tokyo 2022

IBM Japan

Presentation Title: Adversaries are after Critical Infrastructures − Selection and Concentration are the keys to protect your company as a whole

Attackers Target the Weakest Link, So Build an Optimal Security System Through “Selection” and “Concentration”

Noriko Yamashita

Partner, IBM Security, Consulting & System Integration Software, IBM Japan

“Critical infrastructure and the manufacturing industry are favorite targets of cyberattackers.” These were the opening words of the presentation by Noriko Yamashita of IBM Japan (IBM). A 2022 report compiled by IBM Security X-Force, IBM’s security services provider, notes that critical infrastructure and manufacturing ranked among the top 10 targets of cyberattacks in 2021, accounting for close to 70% of all attacks. “The idea that finance and insurance are the only targets no longer holds true,” Yamashita said.

Targeted critical infrastructure and manufacturing sectors: The weakest points in an organization are targeted

Given this reality, Yamashita explained, “In the security world, there are no goals; there are only effective concepts.”

Continuing, Yamashita said, “Attackers target the weakest link in the security chain. Typically, these are overseas offices, newly acquired affiliated companies, business units that operate on a network, supply chains, and business partners. They use the weakest link as a foothold to get to a bigger objective.”

So, how should attacks on the weakest link be handled? Yamashita advised that a three-step approach is effective: (1) visualization, (2) governance, and (3) selection and concentration.

The first step is to visualize and identify your company’s weakest link. Next is “governance,” which means that the organization needs to adopt a unified approach to management and action, rather than leaving things to each location or department. It is difficult, however, to ensure a high level of security in every department, from head office to branch offices. In some cases, there is also a risk of over-investment. So, the key requirements for security measures are “selection and concentration.”

“Selection and concentration” to avoid useless investments: Raising the overall level of security

The importance of assets that need to be protected will vary from one department to another. Each department should therefore appropriately “select” the measures it needs to implement. At the same time, the organization (as a whole) should “concentrate” its resources by promoting the minimum necessary level of overall security. This approach enables companies to increase the overall security level of the organization, by avoiding excessive investment and selectively spending more time and effort where the needs are greatest.

Looking back at past incidents, it is not uncommon to find that problems have occurred precisely because different locations or departments introduced their own countermeasures as and when needed under a decentralized approach to security.

Consider, for example, Company A, a manufacturer with 50,000 employees and overseas offices in over 20 countries, which adopted a decentralized approach to security governance. The company consulted with IBM after an incident at one of its overseas sites. Yamashita recounted what the company reported to IBM. “When we tried to investigate what happened from head office, we couldn’t even get in touch with the overseas site, because they were too busy responding to the security incident. Even as the story was being reported in the media, we were unable to collect the information we wanted.”

The company decided it needed to create a unified company-wide system. “So, it deployed a common asset management system for the entire world,” recalled Yamashita. Furthermore, the company deployed EDR products to be operated and managed by head office. While the new system enabled head office to monitor the security situation across the company, it also allowed each location the autonomy to implement its own security.

Yamashita described another case, that of Company B, operating in a regulated industry, with approximately 50,000 employees. “It too had a decentralized governance system, with each location focused on complying with local regulations. Unsurprisingly, when a security incident occurred at an overseas site, the details did not make it to head office.”

In this case, IBM recommended a decentralized security system that could be operated autonomously in each country. Due to the wide range of countries and regions in which this company does business, IBM decided that a system that was centrally managed from head office would not necessarily offer much benefit. “We aimed to create a system that could enable each country to determine what security measures it needed,” commented Yamashita.

Even with the usual countermeasures and systems in place, it is very difficult to respond to a real-world cyberattack. “Which is why IBM’s security consulting services can be a big help,” stressed Yamashita. “The most important thing for us is to put in place a system that really empowers customers to strengthen their security. If the ecosystem needs a certain function, we will happily use non-IBM products to provide it. Together with the client, we will study a security solution with a good balance of ‘selection’ and ‘concentration’.”
