GRIMM: A Tailored Approach to M&E Security and Risk Assessments


Piracy and other cybercrimes continue to present major challenges for the media and entertainment (M&E) industry.

For the past six years, GRIMM has been offering security engineering and consulting services to government and commercial clients, including companies in the M&E and automotive sectors. GRIMM also develops and teaches advanced custom courseware and training programs in software and embedded system security.

The Media & Entertainment Services Alliance (MESA) recently discussed GRIMM’s strategies with Bryson Bort, founder of the Washington, D.C.-based company.

“At GRIMM, we believe the best way to thoroughly assess and remediate risk is to get to know a client: their business and culture along with the technical,” he told MESA. “In reality, the largest surface area vulnerable to cyberattack is the people working in a company. Without this focus, a vendor simply won’t get the necessary feel for each organization’s unique culture, internal norms and behaviors to prioritize support and provide tailored recommendations that speak to that business,” he said.

There’s also the need to assess the business itself, he said, explaining: “A security vendor can’t simply start hacking client systems; to do the job correctly, they need to first assess the practical constraints and business rules for each client’s situation because the violation of those is what matters. While other vendors offer technical prowess, it’s just not the same as truly understanding and supporting the business to this depth.”

That level of partnership that GRIMM forges with clients is “what sets us apart” from rivals, he said.

R&D and Experience

GRIMM offers security engineering and consulting services that are “backed by research and development in delivering what we refer to as the art of the possible in cybersecurity,” he said.

The company’s team is made up of leaders who have “deep cyber expertise in application security, software testing, embedded systems and industrial controls, consulting and training,” he noted, adding: 
“Within each of those domains, we offer penetration (pen) testing, red team emulation, customized data protections and development, and data identification and recovery. Our work is supported by a unique tool, called TRIKE, which enables us to codify business rules and assets. That’s really the definition of what’s interesting in a vulnerability assessment: to put things in the context of the business and its rule sets, so security can be strengthened in a practical, business-supportive way.”

With its many clients, GRIMM has worked with several relevant technologies, including content delivery management/networks, data storage, streaming, networking technologies, mobile applications and encryption.

“We can help M&E companies protect data and prevent piracy of intellectual property,” Bort said, pointing out GRIMM “recently worked with a major automotive manufacturer to up-level their security program and posture.”

The automotive sector faces “an interesting challenge in that the complexity and volume of systems included in a new vehicle requires the work of multiple internal teams and external suppliers, which often happens in silos,” he said, adding: “Given some internal constraints with our client, we needed to independently research information to perform our work. In that process, we discovered that six-and-a-half gigabytes of the company’s firmware available on a Russian server. Another example was a client in the management consulting sector. Concerned with improving the rigor of their internal security, we were brought in to help them harden their enterprise. Within the first two hours of starting work, we found 14,000 instances of client data spillage on the dark web. Both of these examples of tracking down lost data are applicable to the interests of M&E companies, such as, for instance, film producers.”

Content Protection Approach

Another need is encryption to protect and control content, and GRIMM offers “deep expertise in this area, having performed numerous encryption implementations and reviews for enterprise, mobile and embedded systems,” he said, noting the company provided security services for Cardano Ada cryptocurrency.

GRIMM began as a small start-up working on high-end government security projects.

Since then, it has “grown a substantial commercial practice serving a diverse range of industries,” Bort said, adding: “Because reliable, repeatable process is essential to our work, we recognized the need for a trustworthy tool to facilitate it. We use the TRIKE system that provides the key foundation of understanding a business. We’ve also built numerous penetration testing tools and release open source projects for the community. Because red teaming is so important to our clients’ success, we developed CROSSBOW in cooperation with a Fortune 50 company, an automated cybersecurity platform that enables organizations to quickly and easily validate their defenses. This technology was so powerful, with such promise, we spun it out into SCYTHE, where CROSSBOW is commercially available.”

The ability to control the movement of content — whether that is rapid streaming, preventing ransomware or theft, or managing access globally — is crucial in the media business today, he also said, explaining: “The sheer scale and speed are exponentially higher, as are the stakes, than even five years ago. High-profile exploits like those against Netflix and HBO reinforce the importance of managing risk in the content supply chain.”

Supply Chain Concerns

The supply chain provides a “significant challenge that M&E companies are still grappling with today,” he went on to say, adding: “Content developers depend on and have to entrust numerous third parties with their content, all the way to and through its distribution. Content distribution has changed dramatically in the age of 24/7 streaming to highly-targeted audiences. And, while massive amounts of content exist, the legacy of disparate computer systems housing it across the supply chain means most M&E companies don’t have a single, trusted view of it. That’s not only inefficient for the business, it increases vulnerability. Today’s digital format is unfortunately more susceptible to leakage; and the expanded volume of content produced increases the costs of associated risks exponentially. Thus, there’s a growing need for security among content distributors and others in the ecosystem.”

GRIMM helps address that challenge via third-party vendor security assessments across the supply chain, and by integrating technical protections for content such as source attribution and data tracking and retrieval, he said.

The company “helps pinpoint threat areas, assess and develop vendor management ecosystems and refine data resiliency programs, including access management,” he noted, adding GRIMM “saves on time, effort and loss by managing risks to data throughout its lifecycle.”

Top M&E Concerns

Data protection and piracy are “clearly leading concerns for M&E companies” today and will likely continue to be concerns in the future as well, he told MESA. “No one wants to be the next big breach headline,” he noted, adding: “There is still a long way to go in solving these problems since the size, speed and scope of threats continually evolves. While in the past it was common for specific companies or individuals to be directly targeted, we are now in a threat environment where this is risk of accidental ‘collateral’ damage. The open dissemination of powerful nation state-level computer exploits greatly contributes to today’s threat environment. Attacker access to this unprecedented knowledge led to blockbuster cyberattacks like WannaCry and NotPetya, which caused billions of dollars in collateral damage.”

Bort went on to predict: “More nation-state and military-grade capabilities and exploits will be exposed and released, especially as the cost of cybercrime continues to drop and the skills can be easily hired on the dark web. The rapid spread, scale and breadth of these attacks heralds a future where this is the new norm.” As examples, he noted that the big threat news in 2016-2017 was ransomware, but now it’s crypto-jacking.

“Because of the high value of crypto currencies, more attackers are stealing your computer cycles to silently mine cryptocurrency,” he said, concluding: “Such attacks extend from computers to mobile to smart Internet-of-Things (IoT) devices – they go everywhere and apply to everyone. This paradigm shift should be a wake-up call for M&E organizations, and prompt different thinking about risk. The first step is recognizing that today we are all in this together. Basic security practices are not enough. Our mission is to work with clients to deeply assess and understand their business realities, then help strengthen their security environment to the hardened level appropriate for today’s threats.”