NAB 2019: Convergent Risks Stresses Importance of Central Incident Response Systems

LAS VEGAS – Media and entertainment organizations could save themselves a lot of headaches if they start using security incident response software within a secure central portal that would enable them to capture, collate, analyze and convert volumes of information and data into actionable intelligence and evidence, according to Convergent Risks.

Such a system can help an organization to respond to, communicate and recover more effectively when managing security incidents in real time, Mathew Gilliat-Smith, an advisor for the company, said April 7 during the Cybersecurity & Content Protection Summit session called “Reducing the Fog of Cyber Warfare” at NAB 2019. 

Convergent Risks did an anecdotal, informal survey of studios and vendors about the systems they were using for incident response, he said at the start of the session. “The consensus was that most people are using manual methods of getting data in and how they’re handling it,” he said.

Looking outside the media and entertainment sector, however, “it does seem that quite a lot of organizations are using more of a central management system,” he pointed out.

When studying the types of incidents that organizations face, “unsurprisingly, email phishing is kind of one of the most common” types of attack, he pointed out. Other common incidents, he highlighted, include: “Attrition attacks” on IP addresses and servers; “the freelancer getting overexcited” and leaking plot and other pre-release details of a movie or TV show; loss or theft, such as “potentially a laptop being stolen, [which] happens all the time”; improper usage, such as an ex-employee continuing to access a system after leaving a company; and Web/malware infections.

All these things “can be pretty stressful” for an organization and “the whole point about incident response is trying to log and draw patterns and try and prevent these things from happening,” he said.

Using a manual incident response system has limitations that include the sheer volume of info that must be dealt with including emails, Excel and Word files and screen shots, which are complex to assemble and include different versioning of data, he noted. Other limitations include blocked emails through filtering, the fact that they’re generally reliant on only one or two individuals for the information and IT ticketing systems that raise issues with internal confidentiality, he said.

There’s also often a scramble to assimilate, analyze, communicate and act, and key parts tend to be overlooked, he noted.

Central incident response management platforms with central servers tend to be much more effective because they give you a “full chain of custody” over all your data and “everything is encrypted and hashed,” which leaves an organization “much better equipped to handle a security incident,” he explained. Because “you’re less reliant on a few individuals,” you get “faster response times” also, he said.

And a “real important point” about central incident response management systems is that because you end up with fewer incidents by using them, they provide “cost savings,” he told attendees, adding: “You might need less people to manage a system like this.”

Another advantage to having a central incident response management platform is you gain the “ability to feed data from other systems, where you might get some additional intelligence that would be helpful,” Janice Pearson, VP of global content protection at Convergent Risks, told attendees.

One more major issue “that’s important to think about when you’re thinking about incident response is … control of the evidence,” she said, adding: “If you lose control of the evidence and you’re relying on email,” if there is a leak of content and you have multiple vendors working on it, trying to figure out who was responsible for that leak can be complicated.

“You’re getting data from many different sources and so it’s really important to keep all of that organized, and also to be able to use an internal intelligence to be able to start to notice patterns because you’re having to work very quickly,” she said.

If there is somebody within your organization who you suspect is guilty of doing something improper with your data, she warned: “You have to be very careful in how you handle that data and who has access to that because if you don’t handle that data in a way that you’re only keeping the people who need to know” informed about the investigation, “you open yourself up to legal risk.” Concluding, she stressed that if you don’t maintain complete custody of the evidence, “you have no legal recourse in court.”

Co-produced by the NAB Show and the Content Delivery & Security Association (CDSA), the Content Protection & Cybersecurity Summit was presented by SafeStream by SHIFT, Akamai, IBM Security, Microsoft Azure, Convergent Risks, the Digital Watermarking Alliance, the Trusted Partner Network, and produced by the Media & Entertainment Services Alliance (MESA) and the Content Delivery & Security Association (CDSA), in cooperation with the NAB Show.