Cyber Security Information Bureau (ESET / Canon MJ): security information for secure digital utilization, delivered by Canon MJ
What is UTM? Can it be a countermeasure against increasingly severe cyber attacks?
UTM as a comprehensive cyber attack countermeasure
UTM (Unified Threat Management) is a category of security product that, as the name suggests, bundles several protective functions into one product. A typical UTM combines anti-malware, intrusion prevention, VPN and similar functions and manages all of them from a single console.
UTMs are installed at gateways in corporate and organizational networks so that they can monitor communications in and out of the network. Since it is a single product, it has the advantage of reducing management costs and labor compared to installing security products individually.
UTM has attracted attention because cyber attacks keep becoming more sophisticated and more damaging. A conventional firewall, which only filters packets by address and port, can see only part of what passes through the gateway, so a product that inspects traffic more broadly has become more valuable. In addition, many small and medium-sized enterprises have limited budgets and staff, and a single product that raises their overall security level is highly valued by them.
Key features included in UTM
Typical UTM products include the following features:
1) Firewall
Each packet that arrives at the gateway is checked against a rule set using its source address, destination address, protocol and port numbers, and connections that no rule permits are blocked. Rules are evaluated in order, so a broad rule placed above a narrower one silently makes the narrower rule ineffective.
2) Anti-virus measures
It inspects files carried over the network and detects those that match the signatures of known malware; detected files are blocked or removed. Because this is signature based, it does not catch malware that is not yet known, and it cannot inspect content inside encrypted (TLS) connections unless the UTM is also configured to intercept and decrypt that traffic.
3) Anti-spam mail
Detects incoming emails that are suspected to be junk mail or phishing and warns the recipient or quarantines the message.
4) IDS / IPS
An IDS (Intrusion Detection System) alerts on attack traffic, while an IPS (Intrusion Prevention System) sits inline and also blocks it. Examples are exploit attempts against exposed services and floods of requests such as DoS/DDoS attacks. Some engines match known attack signatures and others look for anomalous behaviour, which lets them respond to attacks that a firewall's address and port rules alone cannot stop. Note that a volumetric DDoS attack large enough to saturate the internet link cannot be fully mitigated at the gateway, because the line is already full by the time the UTM sees the traffic.
5) Web filtering
Restricts web browsing according to pre-registered rules or category lists, so that users in the company cannot reach known malicious or inappropriate sites.
6) VPN
Some UTMs have a VPN (Virtual Private Network) function, and even when accessed from outside the company, they protect communications so that they can connect to the network as securely as inside the company.
UTMs come in two forms, the "appliance type" and the "cloud type". With the appliance type, a device that integrates the security functions is installed at the gateway; if there are several sites to protect, a device is installed at each site. With the cloud type, the UTM functions are used without installing equipment on site, and because the provider maintains and updates the platform, the management effort is reduced.
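To make the firewall function in the list above concrete, here is an added example that is not from the original article or any UTM vendor: a minimal stateless packet filter with first-match semantics and default deny, plus a check for rules that are shadowed by a broader rule above them. The addresses, the rule set and the packets are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal stateless packet filter of the kind a UTM's firewall
# component applies at the gateway. Rules are evaluated top to bottom, the first
# match decides, and a packet that matches no rule is denied (default deny).
# The rule sets and addresses below are hypothetical.

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: str                         # source network, CIDR notation
    dst: str                         # destination network, CIDR notation
    dports: Optional[range] = None   # destination ports, None means any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's protocol, addresses and destination port fit the rule."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dports is None or pkt.dport in rule.dports

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule), or ("deny", None) if no rule matched."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, i
    return "deny", None

def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not ipaddress.ip_network(a.src).supernet_of(ipaddress.ip_network(b.src)):
        return False
    if not ipaddress.ip_network(a.dst).supernet_of(ipaddress.ip_network(b.dst)):
        return False
    if a.dports is None:
        return True
    if b.dports is None:
        return False
    return b.dports.start >= a.dports.start and b.dports.stop <= a.dports.stop

def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule fully covers them."""
    out = []
    for j, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:j]):
            out.append(j)
    return out

# Hypothetical policy: the public web server in the DMZ (203.0.113.10) accepts HTTPS
# from anywhere, the office LAN (192.168.10.0/24) may initiate outbound connections,
# and everything else is dropped by the implicit default deny.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", range(443, 444)),
    Rule("allow", "any", "192.168.10.0/24", "0.0.0.0/0"),
]

# The same intent written in the wrong order: the broad allow on top makes the
# SSH deny below unreachable, so SSH to the web server is allowed after all.
RULES_MISORDERED = [
    Rule("allow", "any", "0.0.0.0/0", "203.0.113.10/32"),
    Rule("deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", range(22, 23)),
]

if __name__ == "__main__":
    ssh_from_internet = Packet("tcp", "198.51.100.7", "203.0.113.10", 22)
    print(evaluate(RULES, ssh_from_internet))              # ('deny', None)
    print(evaluate(RULES_MISORDERED, ssh_from_internet))   # ('allow', 0)
    print(shadowed_rules(RULES_MISORDERED))                # [1]
```

A real gateway firewall is stateful: it records the LAN's outbound connections so that reply packets are admitted without a separate inbound rule. This example is stateless, so adding that behaviour would require a connection table keyed on the 5-tuple. The shadowing check is worth running after every rule change, because the misordered set above passes a casual review yet allows exactly what the deny rule was meant to stop.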
The idea of zero trust that arose from the rise of digital utilization
UTM has been attracting attention as a solution that makes "defense in depth" easy to realize. Defense in depth is the practice of layering several independent security measures so that damage is minimized when one of them fails. It starts from the premise that sophisticated cyber attacks cannot be completely prevented by any single control, so the goal is to detect them and respond at the right time.
Defense in depth combines entrance measures, which stop attacks coming in from outside, with exit measures, which limit information leakage once an intrusion has occurred. As entrance measures, UTM mainly provides functions such as anti-virus and anti-spam. As an exit measure, it monitors outbound traffic for unauthorized communication by malware, such as connections to command-and-control servers, which reduces the risk of information leakage.
Because complete prevention is difficult, the emphasis has shifted toward detection and response, and in recent years the concept of "zero trust" has drawn attention. Zero trust treats no communication as trustworthy by default, including traffic inside the corporate network, and instead verifies and monitors every access continuously. To protect diversified communication routes and information assets, all communications inside and outside the company must be monitored.
Zero trust is needed because cyber attacks have become more sophisticated and IT environments more complex as digital technology spreads. For example, as cloud services are used more widely, business information is increasingly stored and shared in storage both inside and outside the company. In addition, the COVID-19 pandemic caused telework to spread rapidly, and in many cases devices outside the office now connect to internal systems.
Because of these major changes, protecting the corporate network with a perimeter firewall alone, as in the past, is no longer sufficient. Security measures must be updated continuously as the IT environment changes.
Realizing security premised on zero trust requires comprehensive measures from the defense-in-depth viewpoint described above. So-called next-generation solutions such as EDR (Endpoint Detection and Response) and NGEPP (Next Generation Endpoint Protection Platform) have appeared to meet these needs, and an increasing number of companies are adopting them in line with the trend toward zero trust.
Options for maximizing the benefits of UTM
Introducing a UTM delivers a certain effect from its various functions, but if the operating structure around it is inadequate, that effect is limited. A UTM monitors communication; when it detects an incident, someone has to respond promptly.
For example, to detect a targeted attack you must monitor the UTM logs and pick out the signs of it, such as a burst of blocked connection attempts from one external source or an internal host contacting the same external server at regular intervals. In other words, introducing a UTM also requires security personnel who take charge of log monitoring and incident analysis.
Similarly, damage is hard to prevent unless the reports the UTM produces are analyzed in time. If nobody can make full use of the functions included in the UTM, the investment is wasted, so securing people who can operate it is essential to maximizing its benefits.
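As an added example of the log monitoring described above (it is not part of the original article and does not use any real product's log format), the following Python code runs two detections over constructed gateway log lines: a burst of denied connections from one source, which is what the IDS/IPS function described earlier also looks for, and an internal host contacting one external destination at near-constant intervals, the outbound beaconing that an exit measure is meant to catch. The log lines, field names and thresholds are all assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Added example: two detections over UTM gateway logs. The key=value line format
# below is constructed for this example; real products have their own field names,
# so adapt parse_line() before running this on real data.
LOG_LINES = """\
2024-05-01T09:00:00Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=22
2024-05-01T09:00:01Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=23
2024-05-01T09:00:02Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=445
2024-05-01T09:00:03Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=3389
2024-05-01T09:00:04Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=8080
2024-05-01T09:00:05Z action=deny proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=8443
2024-05-01T09:00:10Z action=allow proto=tcp src=192.168.10.23 dst=198.51.100.200 dport=443
2024-05-01T09:01:30Z action=allow proto=udp src=192.168.10.23 dst=8.8.8.8 dport=53
2024-05-01T09:05:11Z action=allow proto=tcp src=192.168.10.23 dst=198.51.100.200 dport=443
2024-05-01T09:07:45Z action=deny proto=tcp src=203.0.113.77 dst=203.0.113.10 dport=22
2024-05-01T09:10:09Z action=allow proto=tcp src=192.168.10.23 dst=198.51.100.200 dport=443
2024-05-01T09:12:02Z action=allow proto=udp src=192.168.10.23 dst=8.8.8.8 dport=53
2024-05-01T09:15:12Z action=allow proto=tcp src=192.168.10.23 dst=198.51.100.200 dport=443
2024-05-01T09:20:08Z action=allow proto=tcp src=192.168.10.23 dst=198.51.100.200 dport=443
2024-05-01T09:21:50Z action=allow proto=udp src=192.168.10.23 dst=8.8.8.8 dport=53
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = ts
    return fields

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def burst_sources(records, window_s=10, threshold=5):
    """Sources with at least `threshold` denied connections inside any `window_s`-second span.
    Returns {src: max denies seen in one window}. Catches port scans, brute force
    and request floods as the IDS/IPS section describes."""
    times = defaultdict(list)
    for r in records:
        if r.get("action") == "deny":
            times[r["src"]].append(r["ts"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):                      # sliding window over sorted times
            while (ts[end] - ts[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

def beacon_candidates(records, min_events=4, max_jitter=0.1):
    """Allowed flows from one source to one destination/port at near-constant intervals.
    Returns {(src, dst, dport): median interval in seconds}. Regular check-ins to a
    single external host are the typical footprint of malware command-and-control."""
    times = defaultdict(list)
    for r in records:
        if r.get("action") == "allow":
            times[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    out = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps)
        if med > 0 and max(abs(g - med) for g in gaps) / med <= max_jitter:
            out[key] = round(med)
    return out

if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print(burst_sources(recs))        # {'198.51.100.7': 6}
    print(beacon_candidates(recs))    # {('192.168.10.23', '198.51.100.200', '443'): 300}
```

The thresholds are deliberately low so the constructed sample triggers both detectors; on real logs they should be derived from a baseline of normal traffic, and a beacon check needs enough history (hours, not minutes) because legitimate software such as update clients also polls on a schedule. Neither detection replaces the UTM's own IDS signatures; they are the kind of post-hoc log analysis the article says someone must be responsible for.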
However, Japan has a chronic shortage of security personnel, and for small and medium-sized enterprises in particular it is unrealistic to hire and train full-time security staff. Companies that cannot secure such staff have the option of outsourcing operations. In services called managed UTM or SOC (Security Operation Center), the provider monitors and analyzes the UTM's alerts and logs and notifies the person in charge as necessary. Many of these services also cover monitoring-policy configuration and software updates, which further reduces the operational load.
UTM, a comprehensive security product that covers both entrance and exit measures, appears to offer companies considerable benefits, and functions such as its VPN are an obvious advantage for small and medium-sized enterprises that have introduced telework. However, as noted above, a fully featured UTM becomes a wasted asset if it is not operated properly. Companies should put security measures in place while keeping the cost of operation and management under control, with outsourced operation as one of the options.