CDSA

CPS 2021: Code42 Exec Examines Insider Risk Best Practices for M&E Companies

Amid rising insider risk in 2021, media and entertainment organizations have struggled to keep ahead of data exfiltration events using existing security controls and strategies that often fell short, according to Minneapolis cybersecurity software company Code42.

Sixty-three percent of employees are now “using unsanctioned or unauthorized applications every week, if not every day, to get their jobs done,” Vijay Ramanathan, the company’s SVP of product innovation, said Dec. 16 at the Content Protection Summit (CPS) event, during the Ransomware & Risk breakout session “Stop the Leaks, Not the Collaboration: Insider Risk Best Practices for M&E.”

“This is just going to continue,” he warned. “This is not going to stop because that’s how people are working now to get their jobs done. And security and IT teams are driving more and more blind in their day-to-day jobs.”

He pointed to data showing that 55% of security teams are blind to users moving files to untrusted domains. At the same time, the applications employees are using differ by generation.

“One way for us to think about this is actually to look at it from the perspective of a traditional value chain and ask ourselves the question: Where are all the insider risks?” Ramanathan said.

He pointed to the M&E production value chain and told attendees: “What we do today when we think about that value chain is actually something very simple in my opinion. And what we do is, first and foremost, we use paper-based legal coverage.” In other words, vendors, employees and others sign documents in which they promise not to do “something bad” because, if they do, they will face legal consequences. “That’s good. It’s good to have that coverage,” he said.

Meanwhile, “for other types of content or stages of production, we rely a lot on encryption,” digital rights management (DRM) and watermarking, he noted.

Those are all “very important [and] very valuable to make sure that data stays protected at those stages at that time,” he said.

A third strategy that many organizations use is just blocking a user and stopping them from doing something potentially costly, such as using a personal cloud system or moving data to removable media, he pointed out.

Then, after employing those strategies, “we think we’ve done as good as we can” to protect the data, he said.

However, “that isn’t sufficient because fundamentally that’s not a holistic approach to this problem,” he explained.

And there is much more of such exfiltration activity going on across the enterprise now than a few years ago.

“That’s because we have incomplete visibility,” according to Ramanathan. “We choose to focus only on the things that we think truly matter, and we’re blind to so many things. And, because we’re blind, we have insufficient controls and we don’t know what’s happening. So, when something bad does happen, we’re completely surprised by it.”

Because organizations tend to have incomplete visibility and controls are not sufficient across the entire value chain, “we start encouraging shadow or mirror IT, where people then try to subvert the blocks and the hurdles to try to get their job done because that’s what they’re going to get measured on,” he said.

As a result, “in an indirect way, we’re actually impeding collaboration” and “that’s a really bad thing,” he noted.

“So, what can we do about all this?”

“The Three T’s”

For Ramanathan, the answer is to turn to insider risk management, which he said uses a “three T’s approach” made up of transparency, training and technology.

“Transparency is all about culture,” he explained. “It’s how you develop a security-aware culture across your whole company, in your security team, amongst your stakeholders, in legal and compliance and HR.”

Training, meanwhile, is a “foundational element” that requires training your employees, stakeholders and your security team on how to manage risks, be aware of them and avoid them, he told attendees and those viewing virtually online.

“We need to have data-driven and tailored training specific to insider risks that employees or stakeholders might encounter, and this has to be something that can be done proactively, situationally and responsibly,” he said.

What works best, he has found, is sticking to three “core principles: Presume positive intent, focus on teaching not preaching,” and look at it holistically by educating proactively, situationally and responsively, he explained.

Therefore, he went on to stress: “When something goes wrong or when a user does something wrong… don’t assume that they did it on purpose. Don’t assume that they’re idiots. Don’t assume that they had any kind of negative intent. Always [approach] the situation with empathy” and try to help figure out what happened together.

However, “if there are clear signals that it was malicious, of course, you have to deal with it separately,” he told viewers.

Ramanathan has seen many insider events happen because the user was just trying to get his or her job done and didn’t realize it would cause a security issue, he noted.

“Teach, don’t preach,” he said. It’s hard to imagine people don’t know something we know but the reality is that “we have to help our employees because, today, there’s an information overload and they’re having trouble,” he said, adding: “Our employees, our stakeholders are just burdened with information and retaining that information, if they’re only trained on something once or twice a year,” is difficult and “they’re not going to remember that.”

Organizations must guide employees to do the right thing: Proactively, situationally and responsively, he said.

Proactive lessons include going beyond annual compliance-focused training and should be done in smaller modules that are contextual and relevant to employees’ job roles, he explained.

Situational lessons can be taught when there is a job/role change, such as when an employee gives two weeks’ notice of leaving a company, so you remind them of rules including what they can and can’t take with them, he said. Access to a company’s network is a crucial issue that must be taken into account.

Responsive lessons tend to be ones that are “just in time” and may be focused on common mistakes, are user-friendly and contextual, “bite-sized” and job/role-specific, according to Ramanathan.

Last, technology enables the “holistic management of insider risk across the whole value chain,” he told attendees. The tech “augments or helps you beyond the training and the transparency,” he noted.

The “pillars” of a technology strategy should include: the trust sphere, which identifies where untrusted data exposure exists; risk indicators, which help security define what risk matters and prioritize risk for security analysts; and a right-sized response, which he said enables right-sized response controls.

Focus on risky situations first and figure out if software can help you do that, he suggested. One risky situation is an employee who is departing the company, he said, pointing to data indicating 22% of employees still have activity on the company network after they leave it.

Also, focus on monitoring activity, not security, and focus on all activity, not the user, he suggested.

Other factors include the vectors (endpoints and the cloud), destinations (trusted vs. untrusted places data is being moved to), and behaviors including risk indicators and context, such as unusual work hours and file type mismatch, which could be the sign of an attempt to cover something up, he explained.

A good insider risk management strategy includes five key steps, he went on to say: identify where the data is at risk, define what data risk matters, prioritize when a risk requires a human, remediate using a right-sized response, and improve the organization’s risk posture.
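The technology pillars above (a trust sphere of sanctioned destinations, risk indicators such as a departing user, unusual hours and file-type mismatch, and a right-sized response) can be sketched as a small triage routine over file-movement events. This is an added illustration, not Code42’s product logic or the speaker’s code; the trusted domains, departing-user list, file signatures and sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy inputs (assumptions, not from the talk or any product): the "trust sphere" of sanctioned destinations and users who have given notice.
TRUSTED_DOMAINS = {"corp.example.com", "studio-cloud.example.com"}
DEPARTING_USERS = {"jdoe"}
# Leading bytes of a few common formats, used to spot extension/content mismatch.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}

@dataclass
class FileEvent:
    user: str
    destination: str   # domain or device the file was moved to
    filename: str
    head: bytes        # first bytes of the file's content
    when: datetime

def content_type(head: bytes):
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def risk_indicators(ev: FileEvent) -> list:
    """Risk indicators present on one file-movement event (activity and context, not just the user)."""
    hits = []
    if ev.destination not in TRUSTED_DOMAINS:
        hits.append("untrusted_destination")
    if ev.user in DEPARTING_USERS:
        hits.append("departing_user")
    if ev.when.hour < 6 or ev.when.hour >= 22:
        hits.append("unusual_hours")
    kind = content_type(ev.head)
    if kind is not None and kind != ev.filename.rsplit(".", 1)[-1].lower():
        hits.append("file_type_mismatch")
    return hits

def right_sized_response(hits: list) -> str:
    """Map indicators to a response tier: nothing, log only, a training nudge, or analyst investigation."""
    if "untrusted_destination" not in hits:
        return "none" if not hits else "log"
    if "departing_user" in hits or "file_type_mismatch" in hits:
        return "investigate"
    return "train"

# Constructed sample events: a routine transfer and a late-night one by a departing user.
SAMPLE_EVENTS = [
    FileEvent("amy", "studio-cloud.example.com", "dailies_ep3.png", b"\x89PNG\r\n", datetime(2021, 12, 16, 10, 5)),
    FileEvent("jdoe", "personal-drive.example.net", "notes.pdf", b"PK\x03\x04", datetime(2021, 12, 16, 23, 40)),
]
```

The second sample event carries a zip archive renamed to .pdf, so it collects all four indicators and lands in the investigation tier, while the first is routine and needs no response.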

Summing Up

In conclusion, he summed up the session’s main points, starting with: “Insider risk management is a lot more than just managing” and preventing piracy. “Focus on the risk. Think about the whole value chain, not just on specific pockets of it so that you can manage risk holistically. And the way to do that is [through] the three T’s.”

Also, he said: “Develop a transparent culture…. Train [employees] to make sure they understand what risk exists, how they can do a better job of preventing it themselves so that security and IT aren’t just playing traffic cop.”

Then, he said: “Use technology… that will help you support that training and transparency culture, and look at risk as a whole. And, when using that technology, strive for visibility across all activity. Why? So that you can then quickly derive what’s trusted and untrusted using risk indicators that give you contextual information to decide and prioritize which risks need investigation.”

And then, “finally, develop right-sized response strategies so that you know which ones need to be handled which way,” such as what needs training, investigation, etc. It can all be done through software, including the use of automation, he added.


The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.