CDSA

APCPS 2022: Richey May Takes an MDR Approach to the Moving Target of Security

The future is mobile, and most companies do not own many of the smartphones and other devices their employees use to access corporate data, which creates its own set of challenges, according to Sean Kalinich, senior security architect at Richey May.

Several approaches can address this, including managed detection and response (MDR), he said April 23 at the Anti-Piracy and Content Protection Summit in Las Vegas, during the session “A Moving Target: Richey May’s MDR Approach.”

“Security is a moving target. But not necessarily from the direction that you might think,” he told viewers. “Everyone knows that the threat landscape changes, but what a lot of people miss is that the services side of this also changes. As everyone’s looking for the next new, big thing, and looking at the new big companies or small companies that are coming out, the names may stay the same for the services, but the definitions of services tend to change over time.”

It is crucial for companies to “understand what those changes look like and how they impact your ability to ensure that your environments are safe,” he said.

What’s important to figure out right off the bat is: “Are you looking to be secure or are you looking to be compliant? [Because] the two aren’t necessarily the same,” he pointed out. “If you are looking to be compliant, it doesn’t mean that you’re secure.”

Conversely, “if you’re looking to be secure, you tend to roll in that compliance automatically into it,” he noted. “And then, of course, we get into the services that you need in order to meet compliance or to ensure the security that your security controls are actually in place and that they’re actually working.”

As an example, “when you’re looking at getting a pen test, are you actually getting a pen test?” he asked, referring to penetration tests. “Just because it’s actually called that doesn’t necessarily mean that you’re getting in reality a full pen test. There are a lot of companies, a lot of services out there that will tell you you’re getting” a penetration test “but, in reality, what you’re getting is a vulnerability assessment [and] there might not be any follow-on activity,” he explained.

Along with that, there is typically “no attempt to check and see if any of the controls around a web application or even the perimeter of your environment, such as a cloud service … work to keep an attacker out,” he said, adding: “They’re just looking to see if there’s a port open, if there’s a vulnerability that they can see, and then they may check to determine if the vulnerability is a true or a false positive. But, that in itself, doesn’t necessarily give you what you need to know to make the changes to your environment, to prevent attackers.”

Therefore, “when you’re looking at those pen tests and you’re looking at the scope of it and that detail of what’s being done, ensure that it’s looking at it from” the position of how “an attacker would look at your environment and not just making sure that you can check a checkbox on a compliance sheet or some sort of assessment form,” he added.

He stressed “that’s going to be critical as we move forward,” noting, “attackers aren’t always looking to check the front door; sometimes they’re looking to see if they can follow somebody in through the front door who has keys.”

It is also important to “make sure that your pen test” doesn’t consist of “just walking up, jiggling the front door, and then walking away,” he said. “They need to see if they can open the door and how far can they get into the building. Of course, if you have service providers such as an MSP or an MSSP, you want to make sure that you understand what they’re actually providing.”

He warned viewers: “In many cases, a managed service provider or a managed security service provider, they have a limited responsibility to you. Are they only there to report to you that something happened? Do they extend that further and assist you in remediating an issue? Do they extend it further in determining if a detection is a false positive, a true positive, and provide you guidance for the next steps? What do they look at? Are they only looking at your cloud? Are they only looking at your endpoints? Are they also rolling in mobile devices like tablets and phones?”

Meanwhile, the “security vendor environment has changed in order to meet the evolving landscape” in the sector, he noted. “If you look at what’s happening, there are new companies coming out every single day. They say that they’re offering the exact same thing that everybody else is. But you look at their price. You have to wonder how are they keeping up with that price point? And what is the true cost of goods and services?”

Therefore, it’s “always important to do an assessment of the people you’re willing to trust with the security of your environment, who you’re willing to trust into your environment,” he said.

Another piece of advice: “Make sure you align those services with your goals. If all you’re looking for is to be compliant and to make sure you check those … boxes so you can move on, there are a ton of vendors out there who are capable of doing that.”

But he added: “If instead, you’re looking to make sure that your environment is secure, then you’re going to want to make sure that you’re aligning with vendors and aligning your goals with that particular facet of security.” His final warning: “It’s not always the cheapest” option.

Luckily, “there is a happy middle ground in all of it, making sure you get good service [and] making sure you’re not paying an arm and a leg,” he explained, adding: “If you have the right controls and the right security functions, processes, procedures, and policies in place, you tend to be in the center of the bubble that way when compliance shrinks, as we’ve watched it do over many years, and we see additional compliance functions or additional reporting requirements. You’re inside of that bubble and the closer you are to the center of the bubble with your security efforts the more likely you are to be inside compliance.”

A significant benefit of that is that your organization is then “not going to be hit with any kind of extraneous fines,” he said.

Additionally, “no one wants to have an incident and then suddenly discover that your cybersecurity insurance isn’t going to cover it because you didn’t have” one particular thing in place to achieve compliance, he noted.

He urged organizations to “go out and get the real pen tests [and] make sure that they’re going to do more than jiggle the door; make sure if they can get the door open or if the door is loose, they’re going to try and pry it open and take that next step inside.”

Even if that means that “something goes down for a little bit while they’re trying to get in” during that penetration test, it’s “still better to have that happen now during a test than actually have that happen during an actual breach,” he pointed out, adding: “I can tell you from experience, when you’re in the middle of something such as a ransomware incident or even an attempted breach where they take out your firewall and bring down systems … recovering from it in the event of a pen test, where they identify that potential is a much different game and it’s a much different landscape as far as how you recover from that [vs.] the loss of reputation, the loss of revenue and so on” that could come as the result of an actual breach.

He also advised organizations to ask companies performing tests to show them what their sample reports look like “so you can see exactly what they’re providing to other customers and you can understand how that fits the context of your business.”

Last, he said: “Just take the time to ensure that your goals [for] security are aligned – not only with the tools in your tool belt, inside your organization, but with the vendors that you allow access to your organization or who test those security controls.”

The 2022 Anti-Piracy and Content Protection Summit was presented by Richey May Technology Solutions, with sponsorship by Convergent Risks, NAGRA, Verimatrix, BuyDRM, EZDRM and Vision Media. The summit was produced by MESA in association with the Content Delivery and Security Association (CDSA); Piracy Monitor was the media partner for the show.

To learn more about CDSA visit: https://CDSAonline.org

To find out more about upcoming MESA events or to get involved as a sponsor please contact Evie Silvers at [email protected].