[RakutenTechConf2013] [E-4] FUSION Forensics - A Critical Information Handling Method on Public...

FUSION Forensics - A Critical Information Handling Method on Public Clouds - Isao Okazaki, FUSION Communications Corporation, October 26 2013

description

Rakuten Technology Conference 2013 "FUSION Forensics - A Critical Information Handling Method on Public Clouds -" Isao Okazaki, FUSION Communications Corporation

Transcript of [RakutenTechConf2013] [E-4] FUSION Forensics - A Critical Information Handling Method on Public...

Page 1: [RakutenTechConf2013] [E-4] FUSION Forensics - A Critical Information Handling Method on Public Clouds -

FUSION Forensics - A Critical Information Handling Method on Public Clouds -

Isao Okazaki, FUSION Communications Corporation, October 26 2013

Page 2

Agenda

1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion

Page 3

Agenda

Summary of this part: I would like to talk about our company overview and our services.

Page 4

What is FUSION? – Corporate Overview

Name: FUSION COMMUNICATIONS Corporation
Established: March 13 2000
President: Takahito Aiki
Business in brief: Telecommunications carrier
Major shareholders: Rakuten Inc. (54.78%), Marubeni Corporation (38.00%)

Our company, FUSION Communications Corporation (FUSION), was established in 2000 as a telecommunications carrier. FUSION is now a subsidiary of Rakuten and Marubeni.

Page 5

What is FUSION? – Service Line-ups

Phone Service

FUSION has provided Phone Service since 2001.

Page 6

What is FUSION? – Service Line-ups

Telephony Service

We have broadened our B2B Telephony Service.

Page 7

What is FUSION? – Service Line-ups

Telephony Service, ISP Service, Mobile Service

We have expanded our service categories to ISP and Mobile.

Page 8

What is FUSION? – Service Line-ups

Telephony Service, ISP Service, Mobile Service, Cloud Service

Cloud Service is the newest category of FUSION.

Page 9

What is FUSION? – Cloud Service (IaaS)

We first launched our public cloud service, “FUSION Cloud” (IaaS), in 2012, with FUSION's carrier-grade service quality.

IaaS (Apr. 2012)

Page 10

What is FUSION? – Broadening Cloud Service

Since October 2012 we have launched new cloud services, PaaS and SaaS: original and unique services.

- IaaS (Apr. 2012)
- PaaS for RMS (Oct. 2012)
- SaaS for File Sharing (Feb. 2013)
- SaaS for Log Audit (May 2013)

Page 11

Agenda

Summary of this part: I have talked about our company overview and our services. We are one of the Rakuten group companies, and we have launched unique cloud services like FUSION Forensics.

Page 12

Agenda

Summary of this part: I would like to talk about Digital Forensics and to show you how to handle critical information on “systems” using Digital Forensics.

Page 13

What are Digital Forensics? – Forensics

Forensic science is generally defined as the application of science to the law (*).

(*) NIST SP800-86 (http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf)

For example, in a criminal investigation it is considered as the following process:

Collect Marks (smell, fingerprint) → Examine Data → Analyze Information → Report Evidence

Forensic science can find or deduce who committed the crime. That is why it contributes to deterring crime.

Page 14

What are Digital Forensics? – Digital Forensics

The process of Digital Forensics is the same as in a criminal investigation. Generally, Digital Forensics is considered the application of science to the following process (*).

(*) FUSION made this figure with reference to NIST SP800-86 (http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf).

Collect Media → Examine Data → Analyze Information → Report Evidence

Digital Forensics can find or deduce who operated on the information. That is why it contributes to suppressing security incidents, including information leakage.

Page 15

What are Digital Forensics? – Handling Critical Information (1)

What happens if we don't have a system for digital forensics and a security incident occurs?

In these cases, a lot of problems occur in the process of digital forensics (Security Incident → Collection, Examination, Analysis, Reporting):

- There isn't enough information to report.
- Are there any logs? Where are the logs?
- Which log should I look at? Is the log correct?
- How do I analyze the logs? It takes a long time.

Page 16

What are Digital Forensics? – Handling Critical Information (2)

Therefore, we need a system for digital forensics to suppress security incidents and to handle critical information on systems.

If we don't have a system for digital forensics, a security incident takes a great deal of effort and time to resolve. Furthermore, the company would lose its customers' trust.

Security Incident → System for Digital Forensics

Page 17

What are Digital Forensics? – Handling Critical Information (3)

Actually, IPA (Information-technology Promotion Agency, Japan) announced that, on the technical side, introducing digital forensics is an effective countermeasure against attacks from inside the company (*).

(*) http://www.ipa.go.jp/security/fy23/reports/insider/documents/insider_report.pdf

Information Security Measures against security incidents from outside and from inside the company:

- Conventional information security: confidentiality, integrity, availability
- Technical side: introducing Digital Forensics
- Operation side: setting appropriate access authority

IPA announced that the technical-side and operation-side measures are effective against attacks from inside the company.

Page 18

What are Digital Forensics? – Handling Critical Information (4)

Generally, there are three collecting methods in Digital Forensics:

① Jump Server
② Log Server
③ Network Traffic Capturing

(Figure: Operators → Network → Servers, with logs collected at the ① Jump Server, at the ② Log Server, or by ③ Network Traffic Capturing.)

We adopted the Jump Server ① because it can directly record all the commands and their responses during operations.

Page 19

Agenda

Summary of this part: I have talked about Digital Forensics and shown you how to handle critical information on “systems” using Digital Forensics.

Page 20

Agenda

Summary of this part: I would like to talk about FUSION Forensics and show you how to handle critical information on “public clouds” using FUSION Forensics.

Page 21

What are FUSION Forensics? – Backgrounds (1)

On-premises Enterprise Systems → Public Cloud

Advantages in:
- Cost Effectiveness
- System Elasticity
- BCP measures
- more…

The trend from on-premises enterprise systems to public cloud has been growing sharply over the past few years.

Page 22

What are FUSION Forensics? – Backgrounds (2)

On-premises Enterprise Systems → Public Cloud (advantages: Cost Effectiveness, System Elasticity, BCP measures, more…)

Demand for handling critical information exists on both sides.

The demand for handling critical information on public clouds has been increasing, just as it has on on-premises enterprise systems.

Page 23

What are FUSION Forensics? – Backgrounds (3)

On-premises Enterprise Systems → Public Cloud (advantages: Cost Effectiveness, System Elasticity, BCP measures, more…)

Demand for handling critical information exists on both sides.

I will explain FUSION Forensics and show you how to handle critical information on “public clouds” using FUSION Forensics.

Page 24

What are FUSION Forensics? – Introduction (1)

FUSION Forensics provides the environment to handle critical information:

- Operation Log Capturing
- Archiving original logs
- Searching Logs on Management Console
- Reporting Audit Evidence Automatically

(The figure maps these onto the four phases: Collection, Examination, Analysis, Reporting.)

FUSION developed and commercialized one solution for digital forensics.

Page 25

What are FUSION Forensics? – Introduction (2)

(Figure: Operators → ① Jump Server → Servers, with the Log captured at the jump server.)

FUSION Forensics adopted the Jump Server ① as its collecting method because it can directly record all the commands and their responses during operations.

All the operation logs of the operators are captured in the jump server.

Page 26

What are FUSION Forensics? – System Image (1)

(System image: Operators, using client software such as TeraTerm/PuTTY with a key for the user, perform operations (SSH, etc.) through the Jump Servers (log capturing), which hold a key for the server and connect over private lines, the Internet, VPC, etc. to on-premises enterprise systems (VMs, physical servers), public clouds and FUSION Cloud. Original logs are stored on the Archive Servers; the Collecting Servers feed the Management Console / Web Servers, where Administrators and Auditors perform admin and audit tasks, log reference and registration.)

Supporting various systems.

Page 27

What are FUSION Forensics? – System Image (2)

(Same system image as on page 26, highlighting the key for the user on the operator side and the key for the server on the jump-server side.)

Supporting SSL and key pairs on both sides, users and servers, for secure access to public clouds.

Page 28

What are FUSION Forensics? – System Image (3)

(Same system image as on page 26, highlighting the operators' client software, TeraTerm/PuTTY.)

Supporting various client software such as TeraTerm, PuTTY and more, so operators don't need to install specific software.

Page 29

What are FUSION Forensics? – System Image (4)

(Same system image as on page 26, highlighting the Management Console / Web Servers used by Administrators and Auditors.)

Supporting a management console, so administrators or auditors can manage and audit operators.

Page 30

What are FUSION Forensics? – Features (1)

- Capturing Protocol: SSH, Telnet, FTP, SCP, SFTP, RDP (coming in Nov.)
- Client Software: Tera Term, PuTTY, OpenSSH, WinSCP, FileZilla, SFTP
- Connecting to: public clouds, on-premises systems, network equipment
- SSH Authentication Method: 2 step, menu

(Figure: Collection (Media) → Examination (Data) → Analysis (Information) → Reporting (Evidence), with Collection highlighted for these features.)

Page 31

What are FUSION Forensics? – Features (2)

- User/Server Maintenance: User Maintenance, Server Maintenance, User/Server Access Control, Log Volume
- Dashboard: Access Summary, Announcement
- Log Type: Command Line, Command Response
- Log Search: Time Interval, User Name, Server Name, User/Server IP Address, Protocol, Commands, Searching Option
- Log Reporting for Audit: Periodical Reporting of the specific format
- Log Download: Generating CSV formatted Log, Log Compression with Password

(Figure: Collection (Media) → Examination (Data) → Analysis (Information) → Reporting (Evidence), with Examination, Analysis and Reporting highlighted for these features.)
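As an added example, not FUSION's code and not how their product is implemented, the following Python models the jump-server capture described on pages 18 and 25 together with the Log Search, Log Download (CSV) and original-log archiving features listed above. The record fields, the constructed sample entries and the SHA-256 archive digest used to answer the page-15 question "Is the log correct?" are assumptions of this example.

```python
import csv
import hashlib
import io
from dataclasses import dataclass, asdict, fields
from datetime import datetime


@dataclass(frozen=True)
class OpLog:
    """One command/response pair as a jump server captures it (assumed fields)."""
    time: datetime
    user: str
    user_ip: str
    server: str
    server_ip: str
    protocol: str
    command: str
    response: str


# Constructed sample capture: every name, address and command here is made up.
SAMPLE_LOGS = [
    OpLog(datetime(2013, 10, 26, 9, 0, 5), "alice", "10.0.0.11", "web01",
          "192.0.2.10", "SSH", "ls /var/www", "index.html"),
    OpLog(datetime(2013, 10, 26, 9, 1, 12), "alice", "10.0.0.11", "web01",
          "192.0.2.10", "SSH", "cat /etc/shadow", "Permission denied"),
    OpLog(datetime(2013, 10, 26, 10, 30, 0), "bob", "10.0.0.12", "db01",
          "192.0.2.20", "SFTP", "get customers.csv", "OK 48213 bytes"),
    OpLog(datetime(2013, 10, 27, 8, 15, 40), "vendor1", "198.51.100.7",
          "web01", "192.0.2.10", "SCP", "put patch.tgz", "OK"),
]


def search(logs, *, start=None, end=None, user=None, server=None, user_ip=None,
           server_ip=None, protocol=None, command_contains=None):
    """Apply the console's search fields; a field left as None matches any value."""
    exact = {"user": user, "server": server, "user_ip": user_ip,
             "server_ip": server_ip, "protocol": protocol}
    hits = []
    for r in logs:
        if (start and r.time < start) or (end and r.time > end):
            continue  # outside the requested time interval
        if any(v is not None and getattr(r, k) != v for k, v in exact.items()):
            continue
        if command_contains is not None and command_contains not in r.command:
            continue
        hits.append(r)
    return hits


def to_csv(logs):
    """Render records as CSV text, in capture order, for the log download."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(OpLog)])
    writer.writeheader()
    for r in logs:
        writer.writerow({**asdict(r), "time": r.time.isoformat()})
    return buf.getvalue()


def archive_digest(logs):
    """SHA-256 of the original records' CSV, stored with the archive so a later download can be checked against it."""
    return hashlib.sha256(to_csv(logs).encode("utf-8")).hexdigest()
```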

Page 32

What are FUSION Forensics? – Use Cases (1)

From Internal to Internal connection

Internal operators access their internal on-premises systems through FUSION Forensics.

(Figure: ① Operators access on-premises systems holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log.)

Page 33

What are FUSION Forensics? – Use Cases (2)

From Internal to External connection

Internal operators access their external servers on public clouds through FUSION Forensics.

(Figure: ① Operators access servers on public clouds holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log.)

Page 34

What are FUSION Forensics? – Use Cases (3)

From External to Internal connection

External vendor engineers access customers' internal on-premises servers through FUSION Forensics.

(Figure: ① Vendor engineers access on-premises systems holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log.)

Page 35

What are FUSION Forensics? – Use Cases (4)

From External to External connection

External vendor engineers access customers' external servers on public clouds through FUSION Forensics.

(Figure: ① Vendor engineers access servers on public clouds holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log.)

Page 36

Agenda

Summary of this part: I have talked about FUSION Forensics and shown you how to handle critical information on “public clouds” using FUSION Forensics.

Page 37

Agenda

Page 38

FUSION Forensics Demo – SSH with Key Pair

First, operators access their external servers on FUSION Cloud through FUSION Forensics using an SSH client and key pair. After that, administrators search and check the log through the management console.

(Figure, Internal → External: ① Operators access (SSH and key pair) servers holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log. Start Demo.)

Page 39

FUSION Forensics Demo – RDP

Second, operators access their external servers on FUSION Cloud through FUSION Forensics using RDP. After that, administrators search and check the log through the management console.

(Figure, Internal → External: ① Operators access (RDP) servers holding critical information through FUSION Forensics; ② Auditors/Administrators manage and audit operators using the Log. Start Demo.)

Page 40

Agenda

Summary of this part: I talked about the FUSION Forensics demo using SSH and RDP.

Page 41

Agenda

Page 42

Conclusion

In this presentation, we introduced FUSION Forensics and showed you how to handle critical information on public clouds using FUSION Forensics.

Collection (Media) → Examination (Data) → Analysis (Information) → Reporting (Evidence)

Page 43

Thank you for listening!

Page 44

For more information:

Booth: RT1 13F Cafeteria
Web Site: www.fusioncom.co.jp/forensics/
E-mail: [email protected]

Please visit and contact us!