Japan’s Cybersecurity Guidelines for Business Leadership – Changing the Japanese Business Mindset and Potentially Raising the Global Bar

In May 2015, 1.25 million pieces of personal information were stolen by cyber thieves from the Japan Pension Service (JPS). The news of the event reverberated throughout Japan similar to the headlines created after the Office of Personnel Management hacking a month later in the United States. The JPS event, on top of a recent series of information leaks, was shocking enough to raise cybersecurity awareness among corporate executives in Japan and shape Japan’s cybersecurity posture.

Seven months later, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released an impactful document: Cybersecurity Guidelines for Business Leadership Version 1.0 (the document itself is in Japanese; an English press release is also available). The 36-page document is aimed squarely at business executives, written in plain Japanese and eschewing technical terminology. The two organizations were alarmed by PwC statistics showing that only 27 percent of Japanese companies have business executives proactively instituting cybersecurity measures, compared to 59 percent globally.

Since their release, the guidelines have struck a chord with the business community, with executives in Japan becoming increasingly keen to learn which cybersecurity measures their companies should take. Seminars about the guidelines have proliferated around Tokyo and other major cities, attracting audiences from management and the executive level—quite different from the typically technical audiences that, until now, have attended most cybersecurity events. And some key Japanese players have reacted with major initiatives. Keidanren, the Japanese Business Federation (akin to the U.S. Chamber of Commerce), responded immediately in January 2016 in its second set of cybersecurity recommendations to the government, noting that industry is committed to reforming business leadership awareness and ensuring that cybersecurity is an important pillar of business risk management.

Keidanren blazed a trail. This April, Fujitsu Ltd., the Japanese multinational IT and services company, published a company-wide cybersecurity policy based on the guidelines: Fujitsu Group Information Security Policy, which applies to the company’s operations globally. We expect other major Japanese companies will follow suit with similar efforts, as Japanese companies culturally prefer to act in a uniform manner.

For the non-Japanese reading audience, what does the document say? The Japanese government gets to the point in the Cybersecurity Guidelines introduction: cybersecurity is an integral part of business operations and a priority for leadership, thus businesses must make decisions on their IT and cybersecurity investments to ensure business continuity and protect the company’s intellectual property and other assets. The document then provides three principles about which business executives should be aware, and 10 action items they should require their CISO and security teams to complete.

The three principles are that executive leadership should:

  • Take the leadership to invest in cybersecurity, based on the level of risk they deem acceptable to their business operations;
  • Enact cybersecurity measures for their own company, and promote measures in affiliated companies and business partners to mitigate potential information breaches; and
  • Communicate their cybersecurity measures to stakeholders, take accountability, and build confidence.

The 10 action items elucidate more specific measures to take and demand teamwork among executives, technical professionals, and non-technical people. Leadership should instruct CISOs to:

  1. Craft a cybersecurity policy;
  2. Establish an appropriate team and clarify the division of responsibilities;
  3. Identify assets to protect, and potential risks to those assets, and craft a mitigation plan;
  4. Implement the Plan-Do-Check-Act (PDCA) cycle;
  5. Have subsidiaries and business partners also do a PDCA;
  6. Ensure an appropriate budget and human resource allocation;
  7. Categorize assets as those the company should protect on its own, versus those outsourced contractors should protect, given capacity and efficiency;
  8. Actively participate in and contribute to cyber threat information sharing frameworks;
  9. Establish an emergency response system and conduct cyber exercises; and
  10. Identify in advance whom to notify about potential incidents.

Although not legally binding, the Cybersecurity Guidelines have presented a baseline expectation from the Japanese government to industry. And, in Japan, government expectations carry significant weight, as do the actions of one’s contemporaries. Couple these cultural norms with a growing realization among Japanese companies (similar to their global peers) of the need to improve cybersecurity, and there is a strong foundation for change.

The timing of the release of the METI/IPA Cybersecurity Guidelines also was essential to the rapid comprehension among Japanese companies of their value. After the JPS case, Japan’s revised Personal Information Protection Act came into effect in September 2015, requiring all companies to take security measures to protect and prevent breaches of personal information. Finally, in January 2016 “My Number,” a new personal identification system for Social Security and taxation information, was launched.

This all was on top of new legal risks following the 2014 “Benesse Corporation” case, in which a leading Japanese correspondence education services provider and publisher paid ¥20 billion (approximately $187 million) in a class-action customer lawsuit after a systems engineer working for its subsidiary sold 35 million pieces of customer information to name-list brokers. The case ran afoul of the Japanese Companies Act, which requires C-level people, such as Chief Information Officers and Chief Financial Officers, to ensure internal controls, including information security.

The guidelines have been a potent force over the last five months in encouraging Japanese companies to release or prepare new cybersecurity policies, many of which will impact both Japanese and non-Japanese business partners. Given the potential global influence, it would be beneficial for the METI/IPA Cybersecurity Guidelines to be translated into English. This also will enable a global audience to better understand the direction in which Japan’s cybersecurity is heading, share best practices and potentially comment on the guidelines, and maximize the chances that government efforts are aligned internationally.

We have seen this approach of sending messages globally bear fruit very recently. When the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC), a governmental organization responsible for cybersecurity strategy, policy-crafting and international coordination, published Japan’s National Cybersecurity Strategy in 2015, it released Japanese and English versions at around the same time. This was a trial for the Japanese government, which traditionally has taken several months to release English translations of documents, if at all. This important move reflected Japan’s strong determination to make a globally impactful strategy rather than potentially limiting its influence to just within Japan.

No single country, sector or company can improve cybersecurity on its own. Teamwork and communication are essential. The METI/IPA Cybersecurity Guidelines are a very welcome addition to the mix. Many global companies including Palo Alto Networks have been strong advocates of government efforts to promote sound cybersecurity policies that enable entities to assess and manage their cyber risks, and that are based on public-private partnerships. Japan is the third largest economy in the world, and its efforts to improve cybersecurity are globally impactful. Japan’s new Cybersecurity Guidelines deserve a global audience.

This is the first in a series of blogs to be co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, the G7 Summit hosted by Japan in late May 2016, Japan’s role in global cybersecurity capacity-building, cyberthreat information-sharing and prospects for Japan, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.

[Palo Alto Networks Research Center]

Networking in an Increasingly Stable Environment

The economy continues to improve, at least from an audit and IT audit perspective. Between 2011 and now, the job market strengthened significantly. Five years ago, within 48 hours of posting a job through search sites, I would have 5-15 viable candidates. Usually I never had to post on job search sites; someone in my professional network would ping me with interest. Now, I will post on searches and barely get a handful of candidates after a month. The economy has improved; maybe not to early 2000 numbers, but the market is doing very well.

The good job market can lull people into a networking slumber. When the recession hit 7+ years ago, I heard many candidates say, “I never thought I would be in this situation; I wish I had kept up with my network.” Every job market is cyclical, and you do not know when you might need to tap into your network, regardless of your field.

Networking Activities

Professional Associations:  Stay involved in all professional associations relevant to your career. It may be difficult to attend every meeting, but choose a few that pique your interest, put them on your calendar and commit to paying your membership. Additionally, take advantage of volunteer opportunities.

Key Contacts:  Schedule at least two business lunches/coffees per week, to keep in touch with the contacts most relevant to your success. Connect with that group at least twice a year.

Recruiters:  Do not ignore calls from executive recruiters. Good recruiters want to establish a relationship with you, regardless if you are looking or not. Pick a handful of recruiters you trust and stay abreast of the job market.

LinkedIn:  This is easily discounted when you are comfortable in your job. Staying active on LinkedIn expands your network and keeps you connected with professional contacts. Do this twice a day—put it on your calendar for 10 minutes first thing in the morning and 10 minutes after lunch.

  • LinkedIn Optimization
    LinkedIn is Facebook for professionals. If you are not on LinkedIn, your relevancy is minimized to everyone but your current role. Every professional must have a LinkedIn profile, know how to use it and understand how to optimize its effectiveness. Here are a few LinkedIn tips:
  • What Is LinkedIn for?
    LinkedIn enables users to connect and share content with other professionals, including colleagues, potential employers and business partners. However, many users make LinkedIn personal, including birth announcements, surgery updates, marriage announcements, etc. Keep LinkedIn business-related and professional, which can be a fine line. Remember, the more professional you keep it, the less unprofessional you can look.
  • Professional Email Address
    Many people use a personal address as their main contact email, which is acceptable. However, people do not realize how unprofessional their email address may be. Unprofessional email addresses I’ve seen on LinkedIn include transam2002, joshistheman and rocketsfan2661. As a recruiter, this is something I always look at. If someone cannot determine if their email address is unprofessional, I tend to scrutinize their profile in much more detail.
  • Customize Your Profile URL
    When my kids were born, I bought their namesake web sites and created their personal emails. At the time I thought it was a good idea, but as the kids have gotten old enough to use email, this has become a wonderful idea. The kids really like having a simple email address. The same is true for your LinkedIn URL. If you don’t have a profile, go claim it. If you do, make sure your URL is personalized and clean, like this: https://www.linkedin.com/in/dannymgoldberg.

LinkedIn is a wonderful social networking tool, even for introverts. Go claim your profile and start with the above steps.

All of these networking activities can expand your network and help you stay in touch with your industry. Remember:  you don’t want to ever have to say “I wish I would have….”

Danny Goldberg, CISA, CGEIT, CRISC, is founder of GoldSRD, a provider of high-quality, interactive internal audit training. Goldberg will present a free webinar titled, Becoming the Boss: 10 Key Steps for Advancing to Executive Management, 11AM (CDT), Thursday, 19 May. Sign up here.

Danny Goldberg, CISA, CGEIT, CRISC, founder, GoldSRD

[ISACA Now Blog]

A Word on Endpoint Security (For Those In the Know)

Endpoint security is an essential element of any organization’s strategy for detecting and preventing damaging attacks. There has been a lot of discussion in the infosec world about how to use endpoint security tools to provide the best possible protection. At Palo Alto Networks, advanced endpoint protection is a core component of our strategy to provide a true next-generation security platform.

Traps, our endpoint security product, is a cornerstone of the automated breach prevention capabilities in our platform. Most endpoint security products are designed to detect and stop malware based on signatures or other known variables, but Traps instead focuses on preventing malicious programs from executing by detecting and preventing the exploitation techniques leveraged by the attacker.

This means that Traps can block known and unknown (or “never before seen”) exploits. Tens of millions of individual exploits exist in the wild, but there are only two dozen or so known exploitation techniques. New exploitation techniques can take months, if not years, of focused academic effort to develop. By focusing on these core techniques, Traps identifies the attacker’s path for exploitation, even when the exploit itself is not known. Combining Traps with our industry-leading Next-Generation Firewall and WildFire’s unparalleled threat intelligence, we provide the most advanced, fully automated exploit and malware prevention capability available today.

Endpoint security technologies can appear similar, and recently there has been confusion around Traps functionality when compared with other exploit prevention software such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Both appear to share the same end goal of preventing exploits, but Traps’ prevention capabilities are far superior. Not only is the exploit prevention more effective, but it also applies to any application, whereas EMET addresses only a finite list of applications. We should also keep in mind that not every attack uses an exploit. Traps prevents both exploits and malware, known and unknown.

If you would like to see a side-by-side comparison of Traps and EMET in action, we’ve put together a short video highlighting our ability to detect and stop exploitation techniques where EMET falls short. Watch below:

For further reading, check out Advanced Endpoint Protection for Dummies, an ebook written specifically to educate newcomers on the core differences between legacy and next-generation endpoint protection. The book clears up common misunderstandings surrounding prevention of malware and exploit techniques.

You can also find additional information on Traps, as well as see a live demo, on our Traps resource page.

[Palo Alto Networks Research Center]

Winning Together in the Commercial Market

At Ignite 2016, Joshua Hoffman, Vice President of Worldwide Inside Sales, and I sat down and recorded a video explaining one of our top global priorities: our commercial market strategy. It is abundantly clear to both Joshua and me that in order to win in the commercial segment we must work together with you, our partners, which is why we wanted to share the video with you.

Before you watch the video, allow us to provide you with a little bit of context. We define the commercial market segment as customers that spend less than $100,000 annually in the markets in which we compete. To put this opportunity into perspective, we believe this commercial market segment has more than 200,000 addressable customers worldwide. We have implemented this strategy in the United States, United Kingdom, Germany, Japan, Australia, New Zealand, and India, and the early results are phenomenal, as we are seeing better margins and higher services adoption. This is a massive opportunity for next-generation security innovators who can deliver solutions that address our mutual customers’ business needs.

This video highlights several of the key investments we have made in our Worldwide Inside Sales team to introduce you, our partners, to these mutual commercial customers so they can experience our combined value.


This is the first of many future commercial market segment communications, as it is our plan to continue to invest heavily in the commercial market in FY17. I encourage you to visit the campaigns portion of the Partner Portal on a regular basis, as we will soon launch a new marketing campaigns page.

If you aren’t already, please make sure you are working with our Territory Sales Representatives, as alignment between partner and sales will be instrumental to our mutual success in the commercial market.

Good Selling,
Ron Myers and Joshua Hoffman

[Palo Alto Networks Research Center]

Providing Trust and Assurance Through Cloud Certification and Attestation: A Complimentary CSA STAR Program Webinar by Schellman

In the last 24 months, the Cloud Security Alliance (CSA) has made great strides in enhancing their CSA Security, Trust and Assurance Registry (STAR) Program. In brief, the STAR Program is a publicly available registry designed to recognize assurance requirements and maturity levels of cloud service providers (CSPs). Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative Questionnaire (CAIQ) and making the responses publicly available on the CSA Registry. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses. It was relevant information but not independently validated. This created a path for the STAR Certification and STAR Attestation Programs.

Join Schellman during a complimentary webinar titled “CSA STAR Program: Attestation and Certification”. The webinar will be held on May 13th from 12:00pm EST to 1:00pm EST and will provide one (1) hour of CPE. Debbie Zaller, Schellman Principal, and Ryan Mackie, Practice Leader, STAR Program, will provide an in-depth discussion on the opportunities to undergo third-party assessments, through the CSA STAR Programs, to validate maturity level or control activities.

“Organizations, specifically cloud service providers, are continuously working to provide confidence to their customers regarding the security and operating effectiveness of their controls supporting the cloud, and the STAR Certification and STAR Attestation options provided by the CSA allow for these organizations to further establish confidence in the market,” said Ryan Mackie. “This webinar is a practical introduction to the STAR Level 2 offerings, outlining their benefits, requirements, and process, and how these types of third-party validation can clearly complement a cloud provider’s governance and risk management system.”

This informative webinar will provide:

  • An overview and journey of the CSA STAR Programs
  • A definition of the CCM framework
  • An overview of the Certification and Attestation purpose and scope
  • The process and preparations
  • A discussion of the common challenges and benefits

For more information and to register for the webinar, click here. The event will also be recorded and available for on-demand viewing. Click for more information.

ABOUT THE SPEAKERS
Debbie Zaller leads Schellman’s CSA STAR Attestation and SOC 2 services practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie has performed over 150 SOC 2 assessments and also holds a Certificate of Cloud Security Knowledge (CCSK).

Ryan Mackie leads Schellman’s CSA STAR Certification and ISO 27001 certification services practice, where he is an integral part of the methodology creation and the planning and execution of assessments. Ryan has performed over 100 ISO 27001 assessments and is a certified ISO 27001 Lead Auditor trainer.

Avani Desai, Executive Vice President, Schellman

[Cloud Security Alliance Blog]