CDSA

NAB 2022: CDSA Explores How M&E Companies are Securing Digital Workflows

The media and entertainment (M&E) industry shifted almost entirely to native digital workflows during the early days of the global COVID-19 pandemic. Those digital workflows carry interdependencies between devices, networks and users that could not have been predicted, let alone relied upon, more than a year ago.

On April 24, during the panel session “The Platform Approach to Securing a Remote Workforce” at the Intelligent Content Theatre during the NAB Show in Las Vegas, representatives from the Content Delivery & Security Association (CDSA) discussed how the current M&E ecosystem helps propel the industry into new workflows that leverage technologies including machine learning.

Noting that there are “a lot of sub-sectors across media and entertainment,” Richard Atkinson, CDSA president, said: “Of course, our roots really started in the film and TV space but we also have deep participation from [the] software side, game side, other folks and the broadcast side. So we’re really working laterally across all of M&E.”

The group’s focus is on business and technology, he said, explaining that, “across M&E,” it focuses on “secure creation, distribution and consumption [of] all forms of content, because depending on what part of M&E you are, you think about what content is differently.”

All of it is through the lens of “effective risk management,” he said. “Don’t think [just] security. Think how do we manage risk as a business? And that involves aspects of security and other things,” including “continuity, brand, financial risk, production risk [and] a number of other” risks, he explained.

Assessing and Quantifying Risks

Up next, Ben Schofield, CDSA technical director, focused on CDSA’s approach to assessment and quantification of those multiple types of risks.

“I don’t know how many people here read security controls [but], once you start reading through these standards, you realize there’s a lot of duplication,” Schofield pointed out.

“The problem is, after a couple of years of reading them, you start to understand, you start speaking the same language. And so what we’re trying to do here,” within the M&E sector, is “make sure that we have a common set of controls that’s the condensed set and absolutely right for the industry and they are a democratizer,” Schofield noted, adding: “They’re open so that people across all different roles in the M&E supply chain can understand them.”

Security controls tend to be filled with “very deep technical jargon, and it’s very difficult to compare these controls,” he said, explaining: “You get gaps, you get overlaps. When you look at the people writing these controls, they tend to be subject matter experts. And they come from a certain perspective. But, when they read other control sets, they really do that in a very subjective way.”

So what CDSA has tried to do over the past couple of years is get a panel of experts together to look at those controls and decide which are the “appropriate ones” for the M&E sector, he noted.

When it comes to risk valuation, an “operations person will want to have a risk around how much diesel there is in the standby generator and then there’s cyber risk, which is what we’re looking at as well,” he said. But what’s important is “how you make sure that every business function takes that responsibility for managing that risk,” he noted.

Noting there are different types of audits, he said: “We want to make sure we don’t duplicate. If you look at the number of people in the supply chain, [there are about] 7,000 people” and, when you factor in the costs of that audit, “there isn’t the money there in media and entertainment for everyone to be audited all the time.”

There are three core sets of controls to focus on, he said, pointing to the Cloud Security Alliance, which is “really about shared responsibility of how you manage cloud platforms;” the Center for Internet Security, “which is about configuration;” and the Open Web Application Security Project (OWASP), an open source group that is “very much about the software development lifecycle.”

When he looks at configuration, he explained, it’s “the same as whether I’m configuring my laptop, a server in a data center or a virtual server in the cloud.”

“We think by selecting the Cloud Security Alliance, Center for Internet Security and OWASP, we bracketed all the different roles and functions we need for the modern supply chain,” he added.

The studios, however, “obviously will always do something different,” he noted.

“What’s good is that, because everyone is declaring their mapping, we can automate this mapping,” he said, explaining: “[You can now] turn these narrative controls into a machine-readable language. So you can then exchange [them] through” application programming interfaces (APIs). “You can make sure these things line up.”

Currently, he noted, “I’m working on some projects with OWASP where they’re taking those controls and using them for compliance as code.”

What’s the next stage? “[It’s] how you make this practical. So for a couple of major studios, what I’ve done is taken their printed ‘bible’” and its documentation and “break it into a filtered set and link that back to the controls,” he said. That “means you start to get a real-time, up-to-date set of controls,” he noted.

Studios can then make changes and everybody on a set will know about those changes and sign off on them, then apply the changes, he added.

“We now have got a common stack,” he said, noting “everyone’s using this tech stack” that includes the “full participation of AWS, Azure, Alibaba, IBM, Google Cloud.”

One goal is to keep best practices and that “doesn’t involve buying into a big enterprise tool,” he said, explaining: “It will work with those big enterprise tools … but it means a small software development shop can very rapidly keep up to speed without having a security expert [also].”

He went on to say: “What we’re really trying to move towards is … a situation where everyone in the production is conscious of the risk … and what the impact of some incident would be.”

ME-ISAC’s Role

“An ISAC is an intelligence fusion center that focuses on the media and entertainment industry,” explained Chris Taylor, director of the Media and Entertainment Information Sharing and Analysis Center (ME-ISAC), which operates within CDSA, and director of information security at Santa Monica, California, media company Skydance.

“The concept of an ISAC has been around for a couple of decades, started by a presidential directive,” he said, adding: “The government wanted a way to get threat information about people who were trying to harm our country out to industry so the companies could protect themselves. The government can’t go around and talk to thousands of companies. So they wanted a sector representative from each of the critical infrastructure sectors. The media and entertainment ISAC is that representative to the U.S. government for the media and entertainment industry. But we’re much bigger and broader.”

Because “we are a global international organization, we don’t work just with the U.S. government, even though the concept was born by them,” Taylor noted. “We also have that same level of partnership with the Canadian, the British, [the] Australian, and a couple of other governments,” he said.

Taylor explained: “The way we work is to pull in data from all over the internet: from security vendors that are providing us paid feeds, from our own membership, and feeds that are brought in from the U.S. government. [We] bring all of that data into one central database, de-duplicate it, and then share that data back out to all of our membership. And the data that we’re sharing out is related to all of the different risks and vulnerabilities that are important and curated down to what is related to the media and entertainment industry.”

The first step in the risk management process, he said, is making sure the inputs to that formula are easy to understand and signal what the threats are, so that an organization can align with that threat and “design the appropriate control that aligns to that risk.” He added: “The risks that are facing a broadcaster are different than what is facing a film studio or an advertising company. So the framework is going to be a broad encyclopedia of all of it. You need to cherry-pick out the pieces that are pertinent to you…. You want to, in order to get the most return on investment, … cherry-pick out where am I actually getting attacked so that I know that this control is going to have an actual return on investment, and the way you know which control is going to give you the most return is to understand the threats that are attacking you.”

That, he said, represents the “core of why the ISAC exists”: to share that threat data with everybody “so that you have a way to properly understand the threat landscape and the risks and the vulnerabilities that are out there and then design your controls with some knowledge and with some understanding of what the actual direction you’re trying to go is instead of just designing them in a vacuum in the dark.”

ME-ISAC representatives “bring all of that data from all these different data sources back together and provide it to you in the form of alerts and machine-readable feeds that can plug right into your tools, so that when one of your members gets attacked by a ransomware attack or a pirate trying to steal content from you, or whatever the attack is, you can share that data back up into the ISAC,” he explained.

Then, he said, “it gets merged into the rest of our stream and now everybody else knows this is a known bad IP address, or this is a known bad email address that’s sending phishing and you can adjust your block filters at your tools so you can proactively block attacks before you become the next victim and the attacker has shifted over to target you.”

He added: “This is a way to enable you to build a proactive defense instead of a reactive defense…. I’m only the gardener, so what plants are growing in this garden is completely up to all of you.”
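The pipeline Taylor describes (ingest paid vendor feeds, member submissions and government feeds; de-duplicate them into one database; push the result back out as machine-readable indicators that members feed into their block filters) is sketched below as an added example. It is not ME-ISAC code and makes no claim about ME-ISAC's actual formats: the CSV and JSON feed layouts, the field names, the confidence scores, every indicator and log line, and the NEVER_BLOCK list of internal ranges are all constructed here for illustration. The points it demonstrates are the ones that bite in practice: the same indicator arrives from several sources in different shapes (defanged, mixed case, padded with whitespace) and must be canonicalised before de-duplication, provenance should be kept rather than discarded when duplicates merge, and a feed that leaks an internal address must not end up blocking your own network.

```python
"""Merge, de-duplicate and apply threat-intelligence indicator feeds.

Added example, not ME-ISAC code. Feed formats, field names, indicators
and log lines below are constructed for illustration only.
"""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed vendor feed (CSV). Values arrive defanged ("[.]", "hxxp://").
VENDOR_CSV = """type,value,first_seen,confidence
ipv4,203.0.113[.]45,2022-04-01,80
email,invoice@phish-example[.]test,2022-04-02,70
ipv4,10.0.0.7,2022-04-02,50
domain,hxxp://payload.example.test/,2022-04-03,60
"""

# Constructed member submissions (JSON) after their own incidents.
MEMBER_JSON = json.dumps([
    {"type": "ipv4", "value": " 203.0.113.45 ", "first_seen": "2022-03-28", "confidence": 90},
    {"type": "email", "value": "INVOICE@phish-example.test", "first_seen": "2022-04-05", "confidence": 85},
    {"type": "ipv4", "value": "198.51.100.9", "first_seen": "2022-04-06", "confidence": 75},
])

# Assumed local policy: ranges that must never reach a block filter, whatever a
# feed says (RFC 1918, loopback, link-local, multicast). An explicit list is used
# because ipaddress.is_global also rejects the documentation ranges used above.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass
class Indicator:
    ioc_type: str
    value: str
    first_seen: str
    confidence: int
    sources: set = field(default_factory=set)


def refang(value):
    """Undo common defanging so the same indicator from different feeds compares equal."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^(hxxps?|https?)://", "", value, flags=re.IGNORECASE)
    return value.rstrip("/")


def normalize(ioc_type, raw):
    """Return a canonical value, or None if the indicator must not be blocked on."""
    value = refang(raw)
    if ioc_type == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if any(addr in net for net in NEVER_BLOCK):
            return None
        return str(addr)
    if ioc_type in ("email", "domain"):
        return value.lower()
    return None  # unknown indicator type: refuse rather than guess


def parse_vendor_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["type"], row["value"], row["first_seen"], int(row["confidence"]), {source})


def parse_member_json(text, source):
    for row in json.loads(text):
        yield Indicator(row["type"], row["value"], row["first_seen"], int(row["confidence"]), {source})


def merge_feeds(*feeds):
    """De-duplicate on (type, canonical value); keep earliest sighting, highest confidence, all sources."""
    merged = {}
    for feed in feeds:
        for ioc in feed:
            value = normalize(ioc.ioc_type, ioc.value)
            if value is None:
                continue
            key = (ioc.ioc_type, value)
            if key in merged:
                seen = merged[key]
                seen.first_seen = min(seen.first_seen, ioc.first_seen)
                seen.confidence = max(seen.confidence, ioc.confidence)
                seen.sources |= ioc.sources
            else:
                merged[key] = Indicator(ioc.ioc_type, value, ioc.first_seen, ioc.confidence, set(ioc.sources))
    return merged


def to_blocklist(merged, min_confidence=70):
    """Machine-readable output a mail gateway or firewall can ingest; low-confidence entries are held back."""
    return {t: sorted(v.value for (k, _), v in merged.items() if k == t and v.confidence >= min_confidence)
            for t in ("ipv4", "email", "domain")}


# Constructed key=value log lines from a mail gateway and a web proxy.
LOG_LINES = [
    "2022-04-07T09:12:01Z mail from=invoice@phish-example.test to=ap@studio.test action=deliver",
    "2022-04-07T09:13:44Z proxy src=10.0.0.7 dst=203.0.113.45 method=GET host=payload.example.test",
    "2022-04-07T09:14:02Z proxy src=10.0.0.8 dst=192.0.2.10 method=GET host=cdn.example.test",
]


def match_logs(blocklist, lines):
    """Return (line, matched indicators) for every log line touching a blocklisted value."""
    blocked = set(blocklist["ipv4"]) | set(blocklist["email"]) | set(blocklist["domain"])
    hits = []
    for line in lines:
        values = {tok.split("=", 1)[1].lower() for tok in line.split() if "=" in tok}
        matched = sorted(values & blocked)
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    merged = merge_feeds(parse_vendor_csv(VENDOR_CSV, "vendor"), parse_member_json(MEMBER_JSON, "member"))
    print(json.dumps(to_blocklist(merged), indent=2))
    for line, matched in match_logs(to_blocklist(merged), LOG_LINES):
        print("BLOCK", matched, "<-", line)
```

Run as a script, the merge collapses the vendor's defanged `203.0.113[.]45` and the member's padded `" 203.0.113.45 "` into one record that carries both sources, the earliest first_seen and the higher confidence; the internal `10.0.0.7` from the vendor feed is discarded; and the 60-confidence domain stays out of the blocklist, so the proxy line is flagged on the destination IP alone. Whatever confidence threshold and never-block ranges a member chooses are local policy decisions, which is exactly the "what plants are growing in this garden is up to you" division of labour Taylor describes.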