Author: Aaron Wells

4 Takeaways from the 2023 Gartner® Market Guide for CNAPP

In an ongoing effort to help security organizations gain greater visibility into risk, we're pleased to offer this complimentary Gartner research, and share our 4 Takeaways from the 2023 Gartner® Market Guide for CNAPP. This critical research can help security leaders take an in-depth look into cloud-native application protection platforms (CNAPPs), and evaluate potential solutions that best fit their specific environments.

Takeaway #1: Attack surfaces are increasing

There's nothing minor about misconfigurations. If a cloud resource or service is misconfigured, attackers will target and exploit it. It may not even be a misconfiguration in your cloud network, but one found in a supply chain partner that puts everyone's infrastructure at risk. Application programming interfaces (APIs) are at risk as well, and are being increasingly targeted by threat actors because they're such a critical component of the build process. The report states:

“CNAPP offerings bring together multiple disparate security and protection capabilities into a single platform that most importantly is able to identify, prioritize, enable collaboration and help remediate excessive risk across the extremely complex logical boundary of a modern cloud-native application."

Takeaway #2: Developer scope is expanding

As organizations increasingly look to shift left, developers are being asked to take on a more active role in ensuring their applications and the supporting cloud infrastructure are secure and compliant. We feel the report reiterates this point, stating:

“Shifting risk visibility left requires a deep understanding of the development pipeline and artifacts and extending vulnerability scanning earlier into the development pipeline as these artifacts are being created."

However, the report also states that developers are increasingly responsible for operational tasks, such as addressing vulnerabilities, deploying infrastructure as code, and deploying and tearing down implementations in production, thus requiring tools that address this expanded scope

Extra tooling is needed to address these concerns, with the very real possibility that tooling will be fragmented if it's coming from different vendors and addressing different parts of the application development process. As far as recommendations, the report states:

“Reduce complexity and improve the developer experience by choosing integrated CNAPP offerings that provide complete life cycle visibility and protection of cloud-native applications across development and staging and into runtime operation."

Takeaway #3: Context around risk is needed

Developers simply do not want the process to be slowed. Security is important, but if developers are constantly tripped up in their workflows, it's almost inevitable that adoption of security practices and tooling will become a struggle. Therefore, it's critical to prioritize security tasks and provide the context needed to remediate the issue as quickly as possible.

That can, however, be easier said than done when collecting disparate information and trying to gain as much visibility as possible into an environment. Let's look at a few ways to understand context in security data:

  • Set VM processes to detect more than just vulnerabilities in the cloud. It's also key to be able to see misconfigurations and issues with IAM permissions as well as understand resource/service configurations, permissions and privileges, which applications are running and what data is stored inside. These processes help to contextualize and action on the highest-priority risks.
  • Identify if a vulnerable instance is publicly accessible and the nature of its business application — this will help you determine the scope of the vulnerability.
  • Simply saying developers need to find and fix vulnerabilities in production or pre-production by shifting security left is generally an oversimplification. It's critical to communicate with developers about why a vulnerability is being prioritized and specific actions they can take to remediate.

Takeaway #4: Depth of functionality is critical

Gartner states that “multiple providers market CNAPP capabilities — some starting with runtime expertise and some starting with development expertise. Few offer the required breadth and depth of functionality with integration between all components across development and operations." Each customer's situation will be specific; therefore, there will be no one-size-fits-all solution. Ideally, though, a provider should be able to offer runtime risk visibility, cloud risk visibility, and development artifact risk visibility.

As customer feedback helps to refine the offerings of CNAPP providers, Gartner shares that one of the reasons for moving towards consolidation to a CNAPP offering is to eliminate redundant capabilities. Moving forward, there is a strong customer preference to consolidate vendors.

To secure and protect

That's the name of the game: to secure and protect cloud-native applications across the development and production lifecycle. Unknown risks can appear anywhere in the process, but it's possible to mitigate many of these vulnerabilities and blockers. Learn how CNAPP offerings deliver an integrated set of capabilities spanning runtime visibility and control, CSPM capabilities, software composition analysis (SCA) capabilities and container scanning. Download and read the full Market Guide now.

Gartner, “Market Guide for Cloud-Native Application Protection Platforms" Neil MacDonald, Charlie Winckless, Dale Koeppen. 14 March 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

CIEM is Required for Cloud Security and IAM Providers to Compete: Gartner® Report

In an ongoing effort to help security organizations stay competitive, we’re pleased to offer this complimentary Gartner® report, Emerging Tech: CIEM Is Required for Cloud Security and IAM Providers to Compete. The research in the report demonstrates the need for Cloud Infrastructure Entitlement Management (CIEM) product leaders to adopt trends that can help deliver value across Cloud Security and Identity and Access Management (IAM) enterprises.

CIEM product leaders looking to remain competitive in Cloud Security and IAM practices should consider prioritizing specific capabilities in their planning in order to address new and emerging threats and, as Gartner says:                            

  • Gain a further competitive edge in the CIEM market by investing in more-advanced guided remediation capabilities, such as automated downsizing of over-privileged accounts.
  • Appeal to a larger audience beyond cloud security teams by positioning CIEM as part of broader enterprise security controls.

Businesses not currently prioritizing CIEM capabilities, however, can’t simply “do a 180” and expect to be successful. Managing entitlements in the current sophisticated age of attacks and digital espionage can feel impossible. It is imperative for security organizations to adopt updated access practices though, not only to remain competitive but to remain secure.

Least Privileged Access (LPA) approaches lacking in effectiveness can find support in CIEM tools that provide advanced enforcement and remediation of ineffective LPA methods. Gartner says:

“The anomaly-detection capabilities leveraged by CIEM tools can be extended to analyze the misconfigurations and vulnerabilities in the IAM stack. With overprivileged account discovery, and some guided remediation, CIEM tools can help organizations move toward a security posture where identities have at least privileges.”

Broadening the portfolio

Within cloud security, identity-verification practices are more critical than ever. Companies developing and leveraging SaaS applications must constantly grapple with varying business priorities, thus identity permissions across these applications can become inconsistent. This can leave applications — and the business — open to vulnerabilities and other challenges.

When it comes to dynamic multi- and hybrid-cloud environments, it can become prohibitively difficult to monitor identity administration and governance. Challenges can include:

  • Prevention of misuse from privileged accounts
  • Poor visibility for performing compliance and oversight
  • Added complexity from short-term cloud entitlements
  • Inconsistency across multiple cloud infrastructures
  • Accounts with excessive access permissions

Multi-cloud IAM requires a more refined approach, and CIEM tools can capably address the challenges above, which is why they must be adopted as part of a suite of broader enterprise security controls.

Accelerating cloud adoption

Technology and service providers fulfilling IAM services are in critical need of capabilities that can address specific cloud use cases. Gartner says:

“It is a natural extension to assist existing customers in their digital transformation and cloud adoption journey. These solutions are able to bridge both on-premises identity implementations and cloud to support hybrid use cases. This will also translate existing IAM policies and apply relevant elements for the cloud while adding additional use cases unique to the cloud environment.”

In fact, a key finding from the report is that “visibility of entitlements and rightsizing of permissions are quickly becoming ‘table stakes’ features in the CIEM market.”

Mature CIEM vendors can typically be expected to also offer additional capabilities like cloud security posture management (CSPM). InsightCloudSec from Rapid7 is a CIEM solution that also offers CSPM capabilities to effectively manage the perpetual shift, adoption, and innovation of cloud infrastructure. Businesses and security organizations can more effectively compete when they offer strong solutions that support and aid existing CIEM capabilities.

Download the report

Rapid7 is pleased to continually offer leading research to help you gain clarity into ways you can stand out in this ultra-competitive landscape. Read the entire complimentary Gartner report now to better understand just how in-demand CIEM capabilities are becoming and how product leaders can tailor strategies to Cloud Security and IAM enterprises.

Gartner, “Emerging Tech: CIEM Is Required for Cloud Security and IAM Providers to Compete”

Swati Rakheja, Mark Wah. 13 July 2022.

Gartner is registered trademark and servicemark of Gartner, Inc and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response: Gartner® Report

In an ongoing effort to help security organizations gain greater visibility into risk, we’re pleased to offer this complimentary Gartner® report, 3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response. This insightful research can help a security organization realize what its exposure to risk could be at a given time.

Have you measured risk recently?

This is a critical question, but there may be an even more important one: How would you go about implementing a security program to mitigate risk? A tech stack opens itself to all kinds of ongoing vulnerabilities as it expands in more directions, so hopefully its also innovating and driving profits on behalf of the business.

Therefore, a security operations center (SOC) must constantly contort itself to keep that growing attack surface secure via a threat detection, investigation, and response program. According to Gartner, a SOC should:

  • Break through silos and open dialogue by establishing a quorum of business leaders to openly discuss cybersecurity and its requirements.
  • Reduce unnecessary delays in investigation by ensuring threat detection use cases are fully enriched with internal business context at the point which alerts are generated.
  • Enable incident responders to make effective prioritization and response decisions by centrally recording asset-based and business-level risk information.

A binding factor for risk

Technology: It’s the solution to and cause of business risk and the many issues that follow. Relying on the internet means operations and deployments move faster while the attack surface is simultaneously expanding. As the speed of business increases, so does the “noise” security analysts must sift through to get to the real issue. Gartner says:

“Business-dependent technologies are a focal point for criminals moving into cyberspace, as anonymity is now a commodity, making the dash for profits an exceedingly easy gain. Therefore, SecOps must consider and understand business risk and the impact cyber elements have on these risks. However, the question remains: How do these inundated security technologists reduce the noise and achieve their objectives in an environment where time is a limiting factor?”

Faster risk-based prioritization

If time is indeed a limiting factor, then faster risk-based prioritization is a key step on the road to faster incident response, especially as organizations across all industries are migrating to the cloud at an unprecedented pace to support innovation, scale, and digital transformation. Uniting cloud risk and threat detection has been at the forefront of Rapid7’s effort to prioritize and respond to an incident faster.

Integrating multiple threat feeds and sources of telemetry while correlating that intelligence back to assets in your environment provides the visibility needed to target higher-risk areas. It also lends business context, depending on where those higher risk levels are, empowering security practitioners to quickly prioritize and mitigate risk. Gartner posits that, “risk is the sum of your assets, active threats, resident vulnerabilities, and potential organizational impact.”

In the report, Gartner highlights and dives deep into three key areas for enabling risk-based threat detection, investigation, and response:

  • Use risk-based prioritization for faster incident response: Once the incident responders receive the escalation from the SOC (L3s), they’re typically charged with establishing or validating infection boundaries, identifying the root cause of the infection and offering containment and remediation actions.
  • Enrich risk information into threat detection processes: Cyber risk varies in its measurement; to be effective, organizations must define at least four core areas to measure and collect data: sums of assets, resident vulnerabilities, active threats and organizational impact.
  • Break through silos and open the dialogue: To help executives make the most informed decisions, security risk management (SRM) leaders should cultivate relationships with key stakeholders and report effective risk-based metrics, promoting a business-integrated security capability.

For much more context on each of these areas, read the report linked below. Incident response teams need all the help they can get when attempting to work nearly round-the-clock, always-on, multiple incidents at a time.

A perpetual effort

This is also the fun of the job; attackers constantly evolve, which forces security practitioners to innovate, evolve, and outpace bad actors. When it comes to threat detection, investigation, and response, it is essential to pump up visibility and stay several steps ahead of attackers by unifying and transforming multiple telemetry sources.

We’re pleased to continually offer leading research to help you gain clarity into that risk and supercharge security efforts. Read the complimentary Gartner report to better understand how risk applies to your critical assets and how to mitigate the impact of a potential threat.

Gartner, “3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response” Jonathan Nunez, Andrew Davies, Pete Shoard, Al Price. 16 November 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Download the report

Tap. Eat. Repeat. Regret?

Trading Convenience for Credentials

Using food or grocery delivery apps is great. It really is. Sure, there’s a fee, but when you can’t bring yourself to leave the house, it’s a nice treat to get what you want delivered. As a result, adoption of food apps has been incredibly fast and they are now a ubiquitous part of everyday culture. However, the tradeoff for that convenience is risk. In the past few years, cybercriminals have turned their gaze upon food and grocery delivery apps.

According to McKinsey, food delivery has a global market worth of over $150 billion, more than tripling since 2017. That equates to a lot of people entering usernames, passwords, and credit card numbers into these apps. That’s a lot of growth at an extremely rapid pace, and presents the age-old challenge of security trying to keep pace with that growth. Oftentimes it’s not a successful venture; specifically, credential stuffing (no relation to Thanksgiving stuffing or simply stuffing one’s face) is one of the major attacks of choice for bad actors attempting to break into user accounts or deploy other nefarious attacks inside of these apps.

Sounding the alarm

The FBI, among its many other cybercrime worries, recently raised the alert on credential stuffing attacks on customer app accounts across many industries. The usual-suspect industries—like healthcare and media—are there, but now the report includes “restaurant groups and food-delivery,” as well. This is notable due to that sector’s rapid adoption of apps, their growth in popularity among global consumers, and the previously mentioned challenges of security keeping pace with development instead of slowing it down.

The FBI report notes that, “In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.” Combine that with things like tutorial videos on hacker forums that make credential stuffing attacks relatively easy to learn, and it’s a (to continue with the food-centric puns) recipe for disaster.

Some background on credential stuffing

This OWASP cheat sheet describes credential stuffing as a situation when attackers test username/password pairs to gain access to one website or application after obtaining those credentials from the breach of another site or app. The pairs are often part of large lists of credentials sold on attacker forums and/or the dark web. Credential stuffing is typically part of a larger account takeover (ATO), targeting individual user accounts, of which there are so, so many on today’s popular delivery apps.  

To get a bit deeper into it, the FBI report goes on to detail how bad actors often opt for the proxy-less route when conducting credential stuffing attacks. This method actually requires less time and money to successfully execute, all without the use of proxies. And even when leveraging a proxy, many existing security protocols don’t regularly flag them. Add to that the recent rise in the use of bots when scaling credential stuffing attacks and the recipe for disaster becomes a dessert as well (the puns continue).  

All of these aspects contributing to the current state of vulnerability and security on grocery and food-delivery apps are worrying enough, but also creating concern is the fact that mobile apps (the primary method of interaction for food delivery services) typically permit a higher rate of login attempts for faster customer verification. In fairness, that can contribute to a better customer experience, but clearly leaves these types of services more vulnerable to attacks.

Cloud services like AWS and Google Cloud can help their clients fend off credential stuffing attacks with defenses like multifactor authentication (MFA) or a defense-in-depth approach that combines several layers of protection to prevent credential stuffing attacks. Enterprise customers can also take cloud security into their own hands—on behalf of their own customers actually using these apps—when it comes to operations in the cloud. Solutions like InsightCloudSec by Rapid7 help to further govern identity and access management (IAM) by implementing least-privilege access (LPA) for cloud workloads, services, and data.

Solutions to breed customer confidence

In addition to safeguards like MFA and LPA, the FBI report details a number of policies that food or grocery-delivery apps can leverage to make it harder for credential thieves to gain access to the app’s user-account base, such as:

  • Downloading publicly available credential lists and testing them against customer accounts to identify problems and gauge their severity.  
  • Leveraging fingerprinting to detect unusual activity, like attempts by a single address to log into several different accounts.
  • Identifying and monitoring for default user-agent strings leveraged by credential-stuffing attack tools.

Detection and response (D&R) solutions like InsightIDR from Rapid7 can also leverage the use of deception technology to lure attackers attempting to use stolen credentials. By deploying fake honey credentials onto your endpoints to deceive attackers, InsightIDR can automatically raise an alert if those credentials are used anywhere else on the network.

At the end of the day, a good meal is essential. It’s also essential to protect your organization against credential stuffing attacks. Our report, Good Passwords for Bad Bots, offers practical, actionable advice on how to reduce the risk of credential-related attacks to your organization.

Download Good Passwords for Bad Bots today.

Measuring against the right criteria

Gartner® Report: Questions to Ask When Selecting an MDR Provider

The “right” criteria is whatever works to further your security organization’s specific needs in detection and response (D&R). There’s only so much budget to go around—and successfully obtaining a significant year-over-year increase can be rare. The last thing anyone wants to be known for is depleting that budget on a service provider that doesn’t deliver.

At Rapid7, we’ve spoken extensively about how a security operations center (SOC) can evaluate its current D&R proficiency to determine if it would be beneficial to extend those capabilities with a managed detection and response (MDR) provider. In an ongoing effort to help security organizations thoughtfully consider potential providers, we’re pleased to offer this complimentary Gartner® report, Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?

This asset acts as a time-saving report for quick answers when vetting several potential providers. Key questions to ask yourself and your service providers include:

  • Yourself: Are we looking for providers that can improve our incident response capabilities?
  • Yourself: Do we have use cases specific to our environment that the MDR provider must accommodate?
  • Yourself: What functionality do we need from the provider’s portal?
  • Provider: How good are you at detecting threats that have bypassed existing, preventative controls?
  • Provider: How do you secure, and how long do you retain, the data you collect from customers?
  • Provider: What response types are provided as a component of the MDR service, and what is the limit of those response activities?

Before expecting any quick answers though, it’s crucial to consider…

Your criteria framework

Your organization might conduct a new audit of desired outcomes and team capabilities and discover it actually can handle the vast majority of D&R tasks. That’s why it’s crucial to go through that process of discovery of what you really need and determine if you can responsibly avoid spending money. Gartner says:

“Many buyers struggle to formulate effective RFPs that can solicit relevant information from providers to help in the initial evaluation and down-select process. Therefore, it is critical that buyers construct the must have, should have, could have and won’t have (MoSCoW) framework. Using these criteria will ensure they are able to effectively make selection choices based on genuine business needs.”

Also, what is the platform from which you are launching your evaluation process? Will this be the first engagement of an MDR service provider or are you changing providers for one reason or another? If the latter is true, then you’ll most likely have loads of existing data to inform your buying experience this time around. It’s also critical to get a strong sense of what the implementation process will look like after a service agreement has been signed. Gartner says:

“Selecting an MDR service provider to obtain modern SOC services can be a challenging process that requires the appropriate planning and evaluation processes before, during and after an agreement. Gartner clients face several unique challenges when evaluating and implementing MDR services.”

An urgent need

The need for additional or enhanced threat monitoring creeps ever upward, thus the need for regular re-evaluation of your D&R capabilities. Rather than ramping up the evaluation and MDR engagement process at a faster pace each time out, taking the time to think through and document desired outcomes with key stakeholders will ultimately save your security organization headaches…and money. Gartner says:

“The process for scoping use cases and requirements, and assessing MDR service offerings, often includes a negotiation and evaluation exercise where a “best match” and “ideal partner” is identified. Prior to starting any outsourcing initiative, requirements need to be documented and ratified (and continuously updated post onboarding), or else the old adage of “garbage in, garbage out” is likely to be realized.”

Take the time

It can be a rigorous evaluation process when determining your organization’s capacity for effective D&R. If your team is stretched too thin, a managed services provider could help. For a deeper dive into the MDR evaluation process, check out the complimentary Gartner report.

Gartner, “Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?” John Collins, Andrew Davies, Craig Lawson, 10 November 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

How Crown Media protects its crown jewel

Hallmark Channel: Securing the Season

It’s that time of year again…chestnuts roasting on an open-fire, kids making wish-lists, and company holiday parties where you can showcase your most outlandish ugly sweater. It’s also the time of year we all get a little bit less cynical and take in a cheesy holiday movie or two. Enter Crown Media Family Networks and its holiday hitmaker, Hallmark Channel.

Hallmark Channel—and its streaming counterparts like Hallmark Movies Now—are unique in the entertainment world. The company provides year-round programming and has many fans the world over, but the end-of-the-year holiday season is when its content really pops off. Holiday-season die-hards show up for cheesily-wistful-yet-earnest films that have become a cottage industry and an annual jingle-bell juggernaut.

In 2021, Hallmark Channel finished as the number one network among “women 18 and above”, which led to $147.8 million in revenue generated from holiday programming alone. It’s safe to assume the company doesn’t want intellectual property (IP) theft cutting into those kinds of returns.

Cloud-based content delivery

Here’s a scary-sounding sentence for those wary of vulnerabilities: Hallmark Channel’s entire content library is managed in the cloud. Cloud has obvious advantages for any organization, like quick-scaling and not having to build on-prem systems from the ground up. However, it can also increase risk to intellectual property:

  • High-risk resources open to the public internet: If a particular cloud instance becomes accessible by anyone on the internet, revenue-generating IP may be compromised.
  • Increased complexity: IP can be spread across multiple clouds in multiple locations. This makes identity management critical—who has access? Why do they need access? Where are they located?
  • Delayed remediation: So the risk has been identified. But, how old is the data on which the remediation workflow is based? 6 hours? 12 hours? More? This significantly detracts from the efficiency of the remediation.

Action!

Holidays are a particularly busy time for threat actors. So, how do media companies like Hallmark Channel (or any organization) protect their intellectual property?  

  • Create a cybersecurity IP legal and strategic framework: According to the American Bar Association, film and TV studios should avoid single-event approaches to IP theft and create a framework that prioritizes strategic management of risk in the long term. Treating the risk of IP theft as systemic will yield benefits like faster mean time to detect (MTTD) and mean time to respond (MTTR).  
  • Address supply chain issues: Creating big-budget Hollywood content can involve hundreds of vendors and partnerships. Obviously, not everything can be taken in-house. Therefore it’s critical that a company like Hallmark Channel creates a process whereby each outside vendor’s IT and security is thoroughly vetted prior to engagement of services.
  • Implement a disaster recovery solution: Modern cloud playout to streaming services must continue uninterrupted, so media organizations must build redundancy into their content delivery systems. A disaster recovery solution that protects data, enables rapid restore, and offers failover capability is critical.
  • Keep clouds confidential: When the people that need to approve a cut of an in-progress TV show or film are scattered all over the world, a digital copy is uploaded onto what is essentially a public-facing cloud so they can access it, just like digital collaboration in any number of other industries. For holiday event films driving ratings and subscriber numbers however, that sort of collaboration can leave highly valuable content open to vulnerabilities and theft. Solutions like InsightCloudSec by Rapid7 can help to lock down identity and access management (IAM) protocols, as well as manage risk with real-time context across infrastructure, orchestration, workload, and data tiers.  

Making film and TV projects is a painstaking, long, and laborious process. All of the hard work by hundreds of people that goes into each project can be devalued by attackers in the blink of an eye. So to all cybersecurity professionals who are also major fans of holiday films and TV shows, let’s take up the call: Protect the IP!

You can read the previous entry in this blog series here.

Securing intellectual property in the age of consolidation

Spoiler Alert: Your Favorite Content Might Not Be Secure

Rapid7, of course, is not in the entertainment industry. However, we have worked with some clients out there in that golden land of dreams and enchantment—also known as Hollywood. Case in point: the company formerly known as Discovery, Inc. A few years back, Rapid7 helped the entertainment conglomerate transform itself into a cloud-first company. Discovery’s IT team leveraged InsightCloudSec to facilitate the company’s strategic shift.

In the time since, the company has undergone some, shall we say, changes. Now known as Warner Bros. Discovery following a merger of the two legacy media companies, there’s a new CEO at the helm who is likely feeling pressure to offset the billions of dollars in debt the company currently holds.

From an intellectual property (IP) security standpoint, there are a number of factors that could put the company in a potentially vulnerable position, as we’ve seen with other entertainment giants. In this blog, the first of a two part series, we’ll look at the macro issue of the entertainment business shifting to a streaming-first focus, and the increasingly loud alerts of cybersecurity professionals to the fact that content and IP must be better secured—especially prior to its release.

The big content-distribution shift

Direct-to-consumer services and maximum choice are at the center of the content-distribution shift of the past decade. Netflix kicked off their streaming project with little fanfare back in the early 2010s, but quickly became the gold standard for popular, on-demand content from Hollywood’s biggest studios. And nothing accelerates a seismic shift in any industry like competition. Like dominoes falling, Paramount, Universal, Disney, Warner Bros., and Apple launched their own proprietary streaming services—all in the past few years. Try to picture the digital earthquake that resulted as cloud operations at all of those companies scaled up with blazing speed, challenging their security teams to keep pace.

A few years back, Netflix was one of the first to experience an IP theft of the type we now see in the current age of streaming-service proliferation. A vendor vulnerability exploited by an attacker became a supply-chain issue that saw an entire unreleased season of the popular Netflix series Orange is the New Black dumped online before it could premiere. This was especially disconcerting due to the nature of Netflix’s binge model dictating that all episodes of a series are completely finished prior to release—in the can, as they say in Hollywood. This meant all episodes were stolen as opposed to one or two.  

That breach occurred just as the other previously mentioned streaming services were being prepped but prior to market entry, perhaps suggesting that cybersecurity naiveté on Netflix’s part could have been to blame. It seemed they simply weren’t ready for this next stage in digital theft that attackers were about to unleash upon the world.

Since then, companies have begun to realize the education and actions they must undertake—not to mention the talent they must hire—to secure not just finished TV shows and movies, but all forms of valuable IP that exist under a production company or studio’s purview: scripts, unfinished edits of completed footage, the musical score of a piece of content, and much more.

Warner Bros. Discovery IP security

We, of course, have no inside knowledge of Warner Bros. Discovery’s actual current security posture. However, from an outside perspective, there are a few factors that could potentially increase its IP security risk:  

  1. The skip-hop of Warner Bros. from one conglomerate to another: The legacy Hollywood studio was formerly owned by AT&T and then departed that relationship to merge with Discovery, Inc. As cybersecurity professionals know, a time of mergers and acquisitions (M&A) can be quite joyous for attackers and put the cloud security of organizations at severe risk. Without taking the proper steps to keep environments secure during that time of change, companies leave themselves open to massive financial, regulatory, and reputational risk.
  2. The race to make their streaming service competitive in an extremely crowded market: Warner Bros. Discovery’s streaming service is stuffed with a legacy Hollywood studio’s back catalog, original series, and all sorts of additional content. In the race to be competitive by getting as much of that content as possible up on the service, are they leaving the door more open to attackers? Everyone knows that as soon as a film goes live on any sort of digital service, it’s almost immediately pirated and disseminated globally, cutting into the profits of streaming services.
  3. The axing of high-profile projects in favor of tax write-offs: In some cases, content was complete—or nearly so—when the decision was made to cancel the release. In the high-profile case of Batgirl, the filmmakers made public their attempt to save a copy of the film from its digital storage before they were locked out and the project forever shelved.

As we can see from that last point, the moves the company is making are decisive and have little mercy for talent or content. As a recent mega-merged conglomerate, the new company has its work cut out for it in several areas. Combining the content catalogs of the two previously separate companies is most certainly the largest and most critical challenge facing the current business. Protecting those decades worth of valuable IP from attackers should be just as much of a priority as the creation of the next Batman or Harry Potter film.

Making film and TV projects is a painstaking, long, and laborious process. All of the hard work by hundreds of people that goes into each project can be devalued by attackers in the blink of an eye. Plus, there’s nothing bad actors love more than a high-profile Hollywood hack. So, to all cybersecurity professionals who are also major film and TV fans, let’s take up the call to Hollywood studios: Protect the IP!

Next week, in the second part of this blog series, we’ll look at cloud-based content delivery systems for Hallmark Channel’s holiday programming as well as actionable steps studios (and other organizations) can take to protect their valuable IP.

Setting your own standard

Cloud Audit: Compliance + Automation

Today’s regulatory environment is incredibly fractured and extensive. Depending on the industry—and the part of the world your business and/or security organization resides in—you may be subject to several regulatory compliance standards. Adding to the complexity, there is overlap among many of the standards, and they all require considerable resources to implement properly.

This can be a difficult endeavor, to say the least. That’s why many companies have dedicated compliance personnel to (as much as possible) push workloads and resources to adherence to cloud security standards. It’s important to build a plan to keep up with changing regulations and determine what exactly they mean for your environment.

From there, you can specify how to incorporate those changes and automate cloud posture management processes so you can act fast in the wake of an incident or breach. Deploying a cloud security posture management (CSPM) can ease the administrative burden associated with staying in compliance.

Complex compliance frameworks

There’s no reason to think your organization needs to go about all this compliance confusion on its own, even with skilled in-house personnel. There are regulations you’ll need to adhere to explicitly, but oftentimes regulatory bodies don’t offer a solution to track and enforce adherence to standards. It can be difficult to build that compliance framework from scratch.

That’s why it’s important to engage a CSPM tool that can be used to build in checks/compliance standards that align to one or more regulations—as noted above, it's often a combination of many. It's also likely you’ll want to supplement with additional checks not covered in the regulatory frameworks. A capable solution like InsightCloudSec can help you accomplish that.

For example, The European Union's General Data Protection Regulation (GDPR) requires organizations to incorporate data protection by design, including default security features. To this point, InsightCloudSec can help to enforce security rules throughout the CI/CD build process to prevent misconfigurations from ever happening and govern IaC security.

A pre-configured solution can erase the complexity of setting up your own compliance framework and alert system, and help you keep up with the speed of this type of regulatory pace. The key is knowing if the solution you’re getting is up to date with the current standard in the location in which it’s required.

When choosing a solution, look for one that delivers out-of-the-box policies that hold cloud security to high standards, so your controls are tight and contain failsafes. For example, a standard like the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps you create and fortify those checks so that your customers or users have confidence that you’re putting cloud security at the forefront. The InsightCloudSec CSA CCM compliance pack provides:  

  • Detailed guidance of security concepts across 13 domains—all of which follow Cloud Security Alliance best practices.
  • Alignment with many other security standards like PCI DSS, NIST, and NERC CIP.
  • Dozens of out-of-the-box policies that map back to specific directives within CSA CCM, all of which are available to use right away so you can remediate violations in real time.

A few questions to keep in mind when considering a solution that aligns to the above criteria:

  • Does the solution allow you to export and/or easily report on compliance data?
  • Does the solution offer the ability to customize frameworks or build custom policies?
  • Does the solution allow you to exempt certain resources from compliance requirements to minimize false positives?

Automating enforcement

Real-time visibility is the key to automating with confidence, which is a critical factor in staying compliant. Given the complexity of today’s hybrid and multi-cloud environments, keeping up with the sheer number of risk signals is nearly impossible without automation. Automation can help you safeguard customer data and avoid risk by catching misconfigurations before they go live and continuously auditing your environment.

As aptly noted in Rapid7’s Trust in the Cloud report, automation must be tuned to internal risk factors like trustworthiness of developers and engineers in day-to-day maintenance, trust in automation to set guardrails in your environments, and your organization’s ability to consistently and securely configure cloud environments. Continuous monitoring, enforcement, reporting—and, oh yeah, flexibility—are keys to success in  the automated-compliance game.

Automated cloud compliance with InsightCloudSec

It can be very easy for things to fall between the cracks when your team is attempting to both innovate and manually catch and investigate each alert. Implementing automation with a solution like InsightCloudSec, which offers more than 30 pre-built compliance packs available out-of-the-box, allows your teams to establish standards and policies around cloud access and resource configuration. By establishing a common definition of “good” and automating enforcement with your organizational standards, InsightCloudSec frees your teams to focus on eliminating risk in your cloud environments.

Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. In this guide, you’ll learn more about tactics to help you make your case for more cloud security at your company. Plus, you’ll get a handy checklist to use when looking into a potential solution.

You can also read the previous entry in this blog series here.

A bigger piece of the meal

Can Cloud Security Be Easier Than Complex?

For those in the United States and certain parts of the world, it’s time for end-of-year holidays. That means lots and lots of big meals to celebrate these special occasions. Each dish created becomes part of that larger meal.  

Another important event that occurs around this time each year is budget planning for next year. Cloud security is one dish in the larger meal of the company’s entire budget, and you can bet that meal will be eaten quickly. Fighting for scraps of budget at the end of the meal won’t do. It’s important to identify exactly what you need so that you can get organized and get funding that will best secure cloud operations.  

The patchwork of tools that make up an effective cloud security solution shouldn’t be too complex or become siloed. In fact, if it can come from one provider offering a suite of out-of-the box solutions that operate from one platform, that would make things even simpler. And in the process of searching out that package of solutions – ideally from that single, trusted provider – and customizing it to your needs, you’ve gone through a similar process of preparing the dish that gets added to the larger meal.    

Impossible to secure?

In the new Rapid7 eBook 13 Tips for Overcoming the Cybersecurity Talent Shortage, we detail how Gartner® says the unique nature of cloud-native applications makes them impossible to secure without a complex set of overlapping tools spanning development and production. Admittedly, this sounds pretty dire. However, there are solutions – like InsightCloudSec from Rapid7 – that incorporate multiple capabilities into one, unified platform in order to remove the previously mentioned complexity. Let’s take a look at some of those different parts that can make up your ideal solution:

  • Cloud Security Posture Management (CSPM): Detects and reports on issues ranging from cloud misconfigurations to security settings.
  • Cloud Infrastructure Entitlement Management (CIEM): Provides identity and access controls to reduce excessive permissions and streamline LPA controls across dynamic cloud environments.
  • Cloud Workload Protection Platform (CWPP): Protects the unique capabilities or workloads running in a cloud instance.  
  • Cloud-Native Application Protection Platform (CNAPP): Provides instrumental data context across CSPM and CWPP archetypes to better protect workloads.

The ultimate goal would be to secure the entire lifecycle of your cloud-native applications, regularly scanning code throughout development and runtime. This ultimately enables a holistic security process that uncovers and remediates issues quickly and can be automated according to your burgeoning best practices.

What does easier cloud security look like?

Those best practices that will surface over time will tell you exactly what easier cloud security looks like for your organization. Customizing practices specific to your operations is technically the hard part, with the easier part to follow. Once automation protocols have been implemented, those protective and reactive controls help you innovate at the speed enabled by cloud environments. But even in the hard part of cloud setup, there are vendors providing platforms for unified solutions to make it easier out of the box.

InsightCloudSec from Rapid7

InsightCloudSec helps teams secure even the most complex cloud environments by surfacing and applying context to risk signals to understand and prioritize them based on potential impact. The solution significantly reduces mean time to respond (MTTR) by utilizing real-time detections and native automation to detect and remediate misconfigurations, vulnerabilities, policy violations, and overly-permissive roles.

  • Get agentless, real-time visibility into every resource and service running across your cloud environment.
  • Simplify cloud risk assessment with rich contextual insight into every layer of your environment.
  • Enforce organizational standards without human intervention with native, no-code automation.

More efficient cloud security solutions create happier teams. And that helps you to gain savings in multiple areas like time, money, and satisfaction.

More resources

Whatever your ultimate cloud operational needs are or whatever your multi-cloud environment looks like, you can now learn more about tactics to help you make your case for more – or any – cloud security at your company. Plus, get a handy checklist to use when looking into a potential solution. Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. You can also read the previous entry in this blog series here.

Stretching what you’re given

Better Cloud Security Shouldn’t Require Bigger Budgets

How can you do more when you’re constantly being given the same or less? When security budgets don’t match the pace of the cloud operations they’re tasked with securing, the only thing to do is become an expert in the stretch. It’s hard, and you might currently be under increasing stress to pull it all off.

While total overall budgets will indeed decrease, Gartner recently forecast that spending on cybersecurity and risk management would increase by 11.3% in 2023, driven in large part by a shift to cloud platforms. And what was a big factor in the increase in cloud adoption? You guessed it: the switch to remote or hybrid work models during the height of pandemic mitigation measures. These days you might have more to back up your argument for an increase in funding.

In the 2020 scramble to keep people safe by urging them to both stay home and stay employed, workforces quickly became virtual, more distributed, and incredibly reliant on cloud platforms to enable connectivity to each other. Businesses that might have dipped their toes in pre-pandemic are now taking the full cloud plunge post-pandemic.

The promise of the cloud is an interesting point to discuss. It can be cheaper to scale into the cloud, but depending on how it’s done and in what industry, it might actually require a bigger piece of the budget. But it can still be empowering and flexible. In other words, budgets will most likely keep increasing for cloud adoption. With all that said, if you’re still having trouble acquiring more budget for security, what should you do?

Finding the right fit

We’re not talking about a doomsday scenario where you’ll never see another increase in your budget. Cybersecurity and cloud security are top-of-mind topics for companies and nations around the world. However, solutions have evolved to address security organizations’ budgetary concerns. And there are reputable providers who have created offerings that can do more without asking more of your budget. This more-with-less scenario has the potential to satisfy across the board by helping you to:

  • Focus on use cases – What kind of cloud security do you need? Needlessly spending money on solutions you don’t need is tantamount to criminal behavior in the current global economic crisis. Make sure you know exactly what you need to protect, how far your perimeters extend, and the general types of available security (CSPM, CWPP, etc.). InsightCloudSec from Rapid7 is a unified platform that incorporates multiple use cases and types of cloud security.  
  • Extrapolate potential costs and prove security’s worth – Once you know what you need and the type(s) of solutions that can address it, it’s a good idea to partner with whomever controls your security budgets. Because it’s less about the costs or subscription fees you see today and more about extrapolating cost savings as cloud environments, data transfer, storage, and other aspects of that adoption grow. Then you’ll know how much or little you’ll need to engage in budget-stretching heroics.
  • Pinpoint under-one-umbrella solutions – Do you want to deal with one vendor or multiple? In the latter scenario, keep in mind the multiple support teams you’ll juggle as well as the different platforms on which those solutions will operate. There is no one-size-fits-all solution, but there are vendors that can provide a suite of broad-range capabilities so you have one point of contact and can better operationalize your cloud security.

About that whole “proving security’s worth” thing…

In this day and age, you really shouldn’t have to prove your organization’s worth. But you most likely feel that way every time you have to fight for a bigger piece of the budgetary pie. Sure, you can engage in stretching heroics, but should you have to engage in those heroics day in and day out, for years on end? Hopefully not now, when ransomware is still all the rage and nation-state-sponsored attacks are becoming more legitimate business in many parts of the world.  

Timing is everything, however, and now – at the end of the year – would be the time to pull off some of those heroics and make your case for more budget. This will enable your exploration into a solution that can do more for less. InsightCloudSec from Rapid7 is a cloud risk and compliance management platform that enables organizations to securely accelerate cloud adoption with continuous security and compliance throughout the entire software development lifecycle (SDLC).

It provides a comprehensive solution to manage and mitigate risk across even the most complex cloud environments. The platform detects risk signals in real-time and in complete context, allowing your teams to focus on the issues that present the most risk to your business based on potential impact and likelihood of exploitation.

And speaking of making things easier

Whatever your ultimate cloud security needs are, you can now learn more about tactics to help you make your case for more – or any – cloud security at your company. Plus, get a handy checklist to use when looking into a potential solution. Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. You can also read the previous entry in this blog series here.