Independent Security Evaluators: Holding Applications to a Higher Standard

Baltimore-based Independent Security Evaluators (ISE) has a unique perspective among security firms: the aggressive defense strategies needed to thwart attacks today must be centered around advanced scientific approaches.

In the media and entertainment space, ISE’s team of analysts and developers take scientific approaches to tackle clients’ overall security postures, protect their digital assets, secure infrastructures, and work with development teams before anything is deployed.  They provide elite-caliber security assessments of applications, networks, and the digital supply chain.

Ted Harrington, Executive Partner with ISE, spoke with the Media & Entertainment Services Alliance (MESA) about the threats facing the M&E industry today, how ISE goes about confronting them, why vendors are proving especially problematic in the security space, and what’s next for the firm.

MESA: 2016 wasn’t exactly the kindest year to companies’ security. What do the media and entertainment companies need to be especially mindful of in cyber security? What are you seeing?

Harrington: I think that it’s important for media and entertainment companies to understand how modern adversaries operate, because the modern attack paradigm from an attacker’s perspective works very well in media and entertainment.

Modern adversaries like to pursue stepping stone attacks.  In this model, attackers don’t go directly at the ultimate victim; they first target a trusted partner, victimize that trusted partner, and then use tHarrington Headshothat partner’s trust or access in order to pivot the attack in the ultimate pursuit of the end victim. This is especially relevant for media and entertainment, considering the highly integrated manner in which content is produced across a wide range of trusted third parties.  Hundreds of different companies using myriad applications touch most films, and all those elements need to access assets. Production sets are scattered across multiple – often very remote – locations all over the globe, and each of those locations often need to have custom, single-use network infrastructure set up for a short period of time that utilize a highly diverse subcontracted workforce in order to actually produce.

All of these factors combine to create a highly diverse attack surface, and there’s no single entity who can control all of that. This creates a very difficult defense paradigm, as well as a very appealing landscape for an attacker. Furthermore, consider that all the different major attacker types all would be interested in stealing content assets, all for different reasons.   And that makes for a very, very complex defense scenario, which is ultimately what drew us to this industry. . And, so that’s why we are here, as opposed to the other places.

MESA: To your point about stepping stone attacks against the digital supply chain, where attackers are not necessarily going directly at the studio per se, but rather at the vendors along the way: how does ISE address that situation? How do you tackle that problem? It seems a bit unwieldy.

Harrington: Fundamentally, we approach this problem the same way as the attackers do.  We adopt an adversarial perspective and think about the ways in which a system would be attacked, and why an attacker would be motivated to invest effort in that pursuit.  We essentially go through an exercise of complex problem solving where we identify weaknesses, and then develop remediations from there.

The most effective way to do this is through manual white box security assessment, which is the approach for which we advocate strongly.  In this methodology, we collaborate with our customers to consider things like the unique characteristics of this particular system; the workflows of how the system is used; how the system interacts with other workflows; who the users are; how those users are provisioned; and what types of assets the system provides access to.  Then we determine how the system can be exploited.

MESA: I like the terminology ISE uses to describe itself: virtual information security officer.  That’s how ISE likes to define itself for this space. Could you expand on that a little bit?  What does that mean for the companies that employ your services?  What can they expect right at the start when you guys come in?

Harrington: Well to clarify, there’s two primary services that we provide in media and entertainment. There are others that are sort of subsets or extensions of these two, but for sake of simplicity, there are two primary ones.

One is the manual white box security assessment that I alluded to before. The other is this idea of the vISO system. And a lot of times, they are actually interwoven. So what’s happening in the assessment is we’re adopting that adversarial perspective. We’re helping customers understand how an attacker would compromise the system, and how to remediate vulnerabilities.

In vISO, basically what we’re doing is we’re enhancing the existing security programs for a company. Or, if they don’t have a security program, we are functioning as it in an external capacity.  What we do with this offering is connect the dots between the strategic mission of the security program and the tactical execution of the security mission.

So vISO is essentially a fractional use model. Consider something like Uber: you get access to this nice car when you need it, but then you don’t have pay all the costs associated with owning the car when you don’t need it. It’s similar with vISO, where companies have a really hard time of finding the level of security talent that are attracted to a security research company like ours. When they do find them, they have a hard time of attracting them. And, if they are successful in hiring that type of person, they have a really hard time keeping them. If they are successful at keeping them, then they have this really expensive technical resource that they might not need for full-time capacity.

For instance, most companies don’t need a cryptographic expert on staff at all the time, but occasionally they do. We have those people. So the idea is vISO enables you to have access to the cryptographer when you need him without needing to pay his full-time salary for when you don’t.

MESA: How do you evaluate employee risks?

Harrington: Most organizations today are cognizant that the insider threat is a very real and very formidable type of adversary.  However, most organizations today do not actually understand the nature of what the insider threat is. They think of it as one type of adversary, when in fact, the insider’s threat is actually a collection of four different types of adversaries.

Each have different motivations, and you defend against them in different ways.  It is not effective to simply have a uniform insider defense strategy.

For instance, to defend against the accidental insider, you do things to make it harder for that person to do dumb things. As an example, you require encryption on laptops, so when that person loses their laptop, whoever finds it has meaningless data. Basically, what you do against that type of attacker is prevention.

What you do against the opportunist is deterrence. There is extensive use in this industry of things like watermarking and fingerprinting — basically things that enhance the forensic ability to find out who was the source of the leak — and that makes the opportunist think twice. If they think, ‘Oh, my name is going to be splashed all over this thing that I steal and post online. I’m going to get fired for that. Maybe I won’t do this.’ So deterrence is how you fight that type of adversary.

And with the most dangerous insider adversary types— the disgruntled insider and the determined, malicious insider — you fight them through mitigation, where you assume a breach has or will happen, and the approach is to minimize damage. You implement approaches such as defense in depth in order to minimize the likelihood of widespread compromise.

MESA: Lastly, you guys have been at this for a while, but I assume there is more work to do.  What’s next for you guys? What’s down the line? What would you guys like to be doing that you aren’t doing yet?

Harrington: One of the things that seem to be coming next in this industry is more training. Many of our customers are saying to us that they’re seeing meaningful improvement in the security posture of their product, and now they want to figure out how to leverage those gains to help their people better implement secure design principles through the development process.