Category: InsightCloudSec

The Center for Information Security (CIS) recently unveiled the latest version of their Azure Foundations Benchmark—Version 2.0.0. This is the first major release since the benchmark was originally released more than 4 years ago, which could lead you to believe that this update would come with a bunch of significant changes. However, this release actually brings fewer impactful changes than the minor releases that preceded it.

Instead of sweeping changes, the update includes a number of reconciled and renumbered sections along with some refreshed language and branding.

Rapid7 is actively reviewing the new recommendations and evaluating the need and potential of them being made into insights within InsightCloudSec.

So the changes were minor, but what were they?

Of the 10 sections that make up the benchmark, four sections were expanded with new recommendations:

• Section 1 (Identity and Access Management)
• This was also the only section that had a recommendation removed.
• Section 4 (Database Services)
• Section 5 (Logging and Monitoring)
• Section 7 (Virtual Machines)

Five sections had no changes:

• Section 3 (Storage Accounts)
• Section 6 (Networking)
• Section 8 (Key Vault)
• Section 9 (AppService)
• Section 10 (Miscellaneous)

Section 2 (Microsoft Defender) did not have any additions or subtractions, but did have some alterations related to numbering and categorization.

Section 1 (Identity and Access Management)

This section covers a wide range of recommendations centered around identity and access policies. For 2.0.0, there was one addition:

Recommendation: 1.3 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'

Why it Matters: It is best practice to only allow an administrator to create new tenants. This prevents users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.

As noted above, this was also the only section from which a recommendation was removed entirely:

Removed Recommendation: 1.5 - Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled (this recommendation has been replaced in v2.0.0)

Why it Was Removed: This recommendation was likely removed, as it is somewhat redundant to what is now recommendation 1.1.4 (Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is enabled). Essentially, the updated recommendation asserts you should not allow users to bypass MFA for any device.

Section 4 (Database Services)

This section focuses on securing database services within Azure environments—such as Azure SQL or Cosmos DB. CIS added a recommendation to this section, specifically for Cosmos DB, that guides users to leverage Active Directory and Azure RBAC whenever possible.

Recommendation: 4.5.3 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.

Why it Matters: Cosmos DB, Azure’s native NoSQL database service, can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and Azure RBAC is better integrated with the rest of Azure.

Section 5 (Logging and Monitoring)

The two new recommendations within this section are targeted toward ensuring you’ve properly configured your environment for log management, including collecting the necessary logs (flow logs, audit logs, activity logs, etc.) and also ensuring that the storage location for those logs is secure.

Recommendation: 5.3.1 - Ensure Application Insights are Configured

Why it Matters: Application Insights within Azure act as an application performance monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data, which provide organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.

Recommendation: 5.5 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored

Why it Matters: Basic or Free SKUs in Azure, while cost effective, have significant limitations in terms of what can be monitored and what support can be realized from the team at Microsoft. Typically, these SKU’s do not have service SLAs, and Microsoft generally refuses to provide support for them. Because of this, Basic/Free SKUs are not recommended for production workloads. While upgrading to the Standard tier may be a bit more expensive, you’ll receive more support from Microsoft, as well as the ability to generate and consume more detailed information via native monitoring services such as Azure Monitor.

Section 7 (Virtual Machines)

Section 7 is focused on securing virtual machines within your Azure environment. Recommendations in this section include ensuring that your VMs are utilizing managed disks and that OS and Data disks are encrypted with Customer Managed Keys (CMK), just to name a few. There was one new recommendation in this section.

Recommendation: 7.1 - Ensure an Azure Bastion Host Exists

Why it Matters: The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to them. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser. This is aimed at preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines.

Using InsightCloudSec to Implement and Enforce CIS Azure Foundations Benchmark 2.0.0

InsightCloudSec continuously assesses your entire cloud environment—whether single cloud or hosted across multiple platforms—for compliance with organizational standards. It detects noncompliant resources and unapproved changes within minutes. The platform continuously monitors your environment to ensure you’ve properly implemented the necessary controls as recommended by CIS for securing your cloud workloads running in Azure environments.

InsightCloudSec can instantly detect whenever an account or resource drifts from compliance. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for the CIS Azure Foundations Benchmark 2.0.0. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices.

As you can see in the screenshot below, InsightCloudSec has a host of checks and insights that directly align to recommendations within the CIS Azure Foundations Benchmark 2.0.0.

When you dive deeper into a given insight, you’re provided with detail into how many resources are in violation with a given check and a relative risk score to outline just how risky a given violation is.

Below is an example from CIS Azure Foundations Benchmark 2.0.0, specifically a set of resources that are in violation of the check ‘Storage Account Older than 90 Days Without Access Keys Rotated’. You’re provided with an overview of the insight, including why it’s important to implement and the risks associated with not doing so.

That platform doesn’t just stop there, however. You’re also provided with the necessary remediation steps as advised by CIS themselves, and if you so choose, the recommended automations that can be created using native bots within InsightCloudSec for folks that would prefer to completely remove the human effort involved in enforcing compliance with this policy.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!

Over the last 10 to 15 years, organizations have been migrating to the cloud to take advantage of the speed and scale it enables. During that time, we’ve all had to learn that new cloud infrastructure means new security challenges, and that many legacy tools and processes are unable to keep up with the new pace of innovation.

The greater scale, complexity, and rate of change associated with modern cloud environments means security teams need more control to effectively manage organizational risk. Traditional vulnerability management (VM) tools are not designed to keep pace with highly dynamic cloud environments, creating coverage gaps that increase risk and erode confidence.

In the report “Forecast Analysis: Cloud Infrastructure and Platform Services, Worldwide” Gartner® estimates that “By 2025, more than 90% of enterprise cloud infrastructure and platform environments will be based on a CIPS [cloud infrastructure and platform services] offering from one of the top four public cloud hyperscale providers, up from 75% to 80% in 2021.”

In the face of all this rapid change, how do you keep up?

Rapid7’s Cloud Risk Complete Is Here

The future of risk management is seamless coverage across your entire environment. That’s why our new offer, Cloud Risk Complete, is the most comprehensive solution to detect and manage risk across cloud environments, endpoints, on-premises infrastructure, and web applications.

With Cloud Risk Complete, you can:

• Gain unlimited risk coverage with a unified solution purpose-built for hybrid environments, providing continuous visibility into your on-prem infrastructure, cloud, and apps, all in a single subscription.
• Make context-driven decisions by intelligently prioritizing risk based on context from every layer of your attack surface, driven by a real risk score that ties risk to business impact.
• Enable practitioner-first collaboration with native, no-code automation to help teams work more efficiently and executive-level dashboards that provide visibility into your risk posture.

What makes this solution different is that we started with the outcome and worked backwards to bring to life a solution that meets the needs of your security program.

• While most solutions offer daily scans of your cloud environment, we deliver real-time visibility into everything running across your environment. So, you’re never working with stale data or running blind.
• While most solutions only provide insight into a small portion of your environment, we provide a unified view of risk across your entire estate, including your apps, both in the cloud and on-prem.
• While most solutions show you a risk signal and leave the analysis and remediation process up to you, we provide step-by-step guidance on how to remediate the issue, and can even take immediate action with automated workflows that remove manual effort and accelerate response times.

Risk Is Pervasive. Your Cloud Security Should Be Too

Cloud Risk Complete stands apart from the pack with best-in-class cloud vulnerability assessment and management, cloud security posture management, cloud detection and response, and automation—in a single subscription.

Unlimited ecosystem automation enables your team to collaborate more effectively, improve the efficiency of your risk management program, and save time. With all of this, you can eliminate multiple contracts and vendors that are stretching budgets and enjoy a higher return on investment.

Get comprehensive cloud risk coverage across your business—without compromise. Discover Cloud Risk Complete today.

As IT infrastructure has become more and more sophisticated, so too have the techniques and tactics used by bad actors to gain access to your environment and sensitive information. That’s why it's essential to implement robust security measures to protect your organization. One way to do this is to utilize the MITRE ATT&CK framework, which provides a comprehensive guide to understanding and defending against cyber threats.

Who is MITRE and what is the MITRE ATT&CK Framework?

MITRE is a non-profit organization supporting various U.S. government agencies across a variety of fields, but primarily focusing on defense and cybersecurity. The MITRE ATT&CK® Framework is a free knowledge base of adversarial tactics and techniques based on real-world observations.

It is a tremendous resource for any security practitioner, and can be used as a foundational resource for developing specific threat models and methodologies in both the public and private sectors. The framework is curated by the folks at MITRE, but anyone is able to contribute information or findings for review, as they look to crowdsource as much intelligence as humanly possible to better serve the broader community.

The ATT&CK Framework is intended to provide insights into the goals of hackers as well as the techniques and tactics they are likely to use. These insights provide organizations and the security teams that protect them with a detailed roadmap to plan, detect, and mitigate risk and detect threats. Once an organization has identified potential attack vectors, it can implement the appropriate mitigations.

Wait, but what are Mitigations?

Under each technique outlined within the ATT&CK Framework is a section on relevant mitigations. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed. It is a large and comprehensive list, so MITRE has broken these mitigations into two primary groups: “Enterprise,” focusing on mitigations that prevent hackers from breaching a corporate network, and “Mobile,” which—as you might have guessed—is dedicated to protecting against attacks targeting mobile devices.

While these mitigations can not guarantee that you won’t be breached, they serve as a great baseline for teams looking to do whatever they can to avoid an attacker gaining access to their sensitive data.

Example mitigations and what they entail

As noted above, MITRE provides a wide range of mitigations. For the purpose of this post, let’s look at a few example mitigations to give a sense of what they entail.

Before we dive in, a quick note: It’s very important to select and implement mitigations based on your organization's specific threat landscape and unique aspects of your environment. You’ll want to prioritize the mitigations that address the most significant risks to business operations and data first to effectively mitigate risk and the likelihood of a breach.

Mitigation: Data Backup (ID: M1053)

Backing up data from end-user systems and servers is critical to ensure you’re not at risk of attack types that center around deletion or defacement of sensitive organizational and customer data, such as Data Destruction (T1485) and Disk Wipe (T1561). The only recourse to these types of attacks is to have a solid disaster recovery plan. Security teams should regularly back up data and store backups in a secure location that is separate from the rest of the corporate network to avoid them being compromised. This way, you’ll have the ability to quickly recover lost data and restore your systems to a steady state should a bad actor delete your data or hold it as ransom.

Mitigation: Account Use Policies (ID: M1036)

This mitigation is geared toward preventing unwanted or malicious access to your network via attack types such as brute force (T1110) and multi-factor authentication request generation (T1621). By establishing policies such as limiting the number of attempts a user has to properly enter their credentials and passwords before being locked out of their account, you can thwart bad actors that are simply repeatedly guessing your passwords until they gain access. This control needs to be configured in such a way that effectively prevents these types of attacks, but without being so strict that legitimate users within your organization are denied access to systems or data they need to perform their jobs.

Mitigation: Encrypt Sensitive Information (ID: M1041)

As you can probably guess from the name, this mitigation focuses on implementing strong data encryption hygiene. Given that the end goal of many breaches is to gain access to sensitive information, it will come as no surprise that this mitigation plays a critical role in protecting against a wide range of attack techniques, including adversary-in-the-middle (T1557), improper access of data within misconfigured cloud storage buckets (T1530), and network sniffing (T1040), just to name a few. Properly encrypting data—both at rest and in transit—is a critical step in fortifying against these types of attacks.

There are several MITRE tactics and techniques, such as those highlighted above, where the only mitigation for an attack is to ensure your organization’s security policies and controls are configured properly. While it can be a daunting task to ensure you maintain compliance with all policies and controls across your entire environment, InsightCloudSec offers out-of-the-box insights that are mapped directly to each mitigation.

Leveraging InsightCloudSec to implement and track performance against MITRE ATT&CK Mitigations

With this new pack, InsightCloudSec you can easily audit and assess your entire environment against the recommended mitigations provided by MITRE, and ensure you are taking every step possible to stop bad actors from gaining unauthorized access to your network and accessing sensitive information.

InsightCloudSec continuously assesses your entire cloud environment — whether single cloud or hosted across multiple platforms — for compliance with organizational standards. It detects noncompliant resources and unapproved changes within minutes. The platform continuously monitors your environment to ensure you’ve properly implemented the necessary controls as recommended by MITRE for thwarting attackers, regardless of which technique or sub-technique they utilize.

InsightCloudSec can instantly detect whenever an account or resource drifts from compliance. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for MITRE Mitigations. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!

As IT infrastructure has become more and more sophisticated, so too have the techniques and tactics used by bad actors to gain access to your environment and sensitive information. That’s why it's essential to implement robust security measures to protect your organization. One way to do this is to utilize the MITRE ATT&CK framework, which provides a comprehensive guide to understanding and defending against cyber threats.

Who is MITRE and what is the MITRE ATT&CK Framework?

MITRE is a non-profit organization supporting various U.S. government agencies across a variety of fields, but primarily focusing on defense and cybersecurity. The MITRE ATT&CK® Framework is a free knowledge base of adversarial tactics and techniques based on real-world observations.

It is a tremendous resource for any security practitioner, and can be used as a foundational resource for developing specific threat models and methodologies in both the public and private sectors. The framework is curated by the folks at MITRE, but anyone is able to contribute information or findings for review, as they look to crowdsource as much intelligence as humanly possible to better serve the broader community.

The ATT&CK Framework is intended to provide insights into the goals of hackers as well as the techniques and tactics they are likely to use. These insights provide organizations and the security teams that protect them with a detailed roadmap to plan, detect, and mitigate risk and detect threats. Once an organization has identified potential attack vectors, it can implement the appropriate mitigations.

Wait, but what are Mitigations?

Under each technique outlined within the ATT&CK Framework is a section on relevant mitigations. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed. It is a large and comprehensive list, so MITRE has broken these mitigations into two primary groups: “Enterprise,” focusing on mitigations that prevent hackers from breaching a corporate network, and “Mobile,” which—as you might have guessed—is dedicated to protecting against attacks targeting mobile devices.

While these mitigations can not guarantee that you won’t be breached, they serve as a great baseline for teams looking to do whatever they can to avoid an attacker gaining access to their sensitive data.

Example mitigations and what they entail

As noted above, MITRE provides a wide range of mitigations. For the purpose of this post, let’s look at a few example mitigations to give a sense of what they entail.

Before we dive in, a quick note: It’s very important to select and implement mitigations based on your organization's specific threat landscape and unique aspects of your environment. You’ll want to prioritize the mitigations that address the most significant risks to business operations and data first to effectively mitigate risk and the likelihood of a breach.

Mitigation: Data Backup (ID: M1053)

Backing up data from end-user systems and servers is critical to ensure you’re not at risk of attack types that center around deletion or defacement of sensitive organizational and customer data, such as Data Destruction (T1485) and Disk Wipe (T1561). The only recourse to these types of attacks is to have a solid disaster recovery plan. Security teams should regularly back up data and store backups in a secure location that is separate from the rest of the corporate network to avoid them being compromised. This way, you’ll have the ability to quickly recover lost data and restore your systems to a steady state should a bad actor delete your data or hold it as ransom.

Mitigation: Account Use Policies (ID: M1036)

This mitigation is geared toward preventing unwanted or malicious access to your network via attack types such as brute force (T1110) and multi-factor authentication request generation (T1621). By establishing policies such as limiting the number of attempts a user has to properly enter their credentials and passwords before being locked out of their account, you can thwart bad actors that are simply repeatedly guessing your passwords until they gain access. This control needs to be configured in such a way that effectively prevents these types of attacks, but without being so strict that legitimate users within your organization are denied access to systems or data they need to perform their jobs.

Mitigation: Encrypt Sensitive Information (ID: M1041)

As you can probably guess from the name, this mitigation focuses on implementing strong data encryption hygiene. Given that the end goal of many breaches is to gain access to sensitive information, it will come as no surprise that this mitigation plays a critical role in protecting against a wide range of attack techniques, including adversary-in-the-middle (T1557), improper access of data within misconfigured cloud storage buckets (T1530), and network sniffing (T1040), just to name a few. Properly encrypting data—both at rest and in transit—is a critical step in fortifying against these types of attacks.

There are several MITRE tactics and techniques, such as those highlighted above, where the only mitigation for an attack is to ensure your organization’s security policies and controls are configured properly. While it can be a daunting task to ensure you maintain compliance with all policies and controls across your entire environment, InsightCloudSec offers out-of-the-box insights that are mapped directly to each mitigation.

Leveraging InsightCloudSec to implement and track performance against MITRE ATT&CK Mitigations

With this new pack, InsightCloudSec you can easily audit and assess your entire environment against the recommended mitigations provided by MITRE, and ensure you are taking every step possible to stop bad actors from gaining unauthorized access to your network and accessing sensitive information.

InsightCloudSec continuously assesses your entire cloud environment — whether single cloud or hosted across multiple platforms — for compliance with organizational standards. It detects noncompliant resources and unapproved changes within minutes. The platform continuously monitors your environment to ensure you’ve properly implemented the necessary controls as recommended by MITRE for thwarting attackers, regardless of which technique or sub-technique they utilize.

InsightCloudSec can instantly detect whenever an account or resource drifts from compliance. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for MITRE Mitigations. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!

Implementing the proper security policies and controls to keep cloud environments, and the applications and sensitive data they host secure, is a daunting task for anyone. It’s even more of a challenge for folks that are just getting started on their journey to the cloud, and for teams that lack hands-on experience securing dynamic, highly-ephemeral cloud environments.

To reduce the learning curve for teams ramping up their cloud security programs, cloud providers have curated sets of security controls, including recommended resource configurations and access policies to provide some clarity. While these frameworks may not be the be-all-end-all—because let’s face it, there is no silver bullet when it comes to securing these environments—they are a really great place to start as you define and implement the standards that are right for your business. In a recent post, we covered some highlights within the AWS Foundational Security Best Practices, so be sure to check that out in case you missed it.

Today, we’re going to dive into the new Azure Security Benchmark V3, and identify some of the controls that we view as particularly impactful. Let's dig in.

How does Azure Security Benchmark V3 differ from AWS Foundational Security Best Practices?

Before we get started with some specifics from the Azure Security Benchmark, it’s probably worthwhile to highlight some key similarities and differences between the Microsoft and AWS benchmarks.

The AWS Foundational Security Best Practices are, as one might intuitively expect, focused solely on AWS environments. These best practices provide prescriptive guidance around how a given resource or service should be configured to mitigate the risks of security incidents. Because the recommendations are so prescriptive and targeted, users are able to leverage AWS Config—a native service provided by AWS to assess resource configurations—to ensure the recommended configuration is utilized.

Much like the AWS Foundational Security Best Practices, the Azure Security Benchmark is a set of guidelines and recommendations provided by Microsoft to help organizations establish a baseline for what “good” looks like in terms of effective cloud security controls and configurations. However, where AWS’s guidelines are laser-focused on AWS environments, Microsoft has taken a cloud-agnostic approach, with higher-level security principles that can be applied regardless of which platform you select to run your mission-critical workloads. This approach makes quite a bit of sense given AWS and Microsoft’s respective go-to-market strategies and target customer bases. It also means implementation of these recommendations requires a slightly different approach.

As noted above, the guidance in the Azure Security Benchmark isn’t tied to Azure specifically, it’s more broad in nature and speaks to general approaches and themes. For example,it recommends that you use encryption and proper key management hygiene, as opposed to specifying a granular resource or service configuration. That’s not to say that Microsoft hasn’t provided any Azure-specific guidance, as many of the guidelines are accompanied by step-by-step instructions as to how you can implement them in your Azure environment. As AWS has provided checks within AWS Config, Azure has similarly provided checks within Defender for Cloud that help ensure your environment is configured in accordance with the benchmark recommendations.

Five recommendations from the Azure Security Benchmark V3 we find particularly impactful

Now that we’ve compared the benchmarks, let’s take a look at some of the recommendations provided within the Azure Security Benchmark V3 that we find particularly impactful for hardening your cloud security posture.

NS-2: Secure cloud services with network controls

This recommendation focuses on securing cloud services by establishing a private access point for the resources. Additionally, you should be sure to disable or restrict access from public networks (when possible) to avoid unwanted access from folks outside of your organization.

DP-3, 4 & 5: Data Protection and Encryption At Rest and In Transit

These recommendations are focused on ensuring proper implementation of data security controls, most notably via encryption for all sensitive data, whether in transit or at rest. Data should be encrypted at rest by default, and teams should use the option for customer-managed keys whenever required.

DP-8: Ensure Security of Key and Certificate Repository

Another Data Protection control, this recommendation is centered on proper hardening of the key vault service. Teams should ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Key vault service hardening can be accomplished through a variety of controls, including identity and access, network security, logging and monitoring, and backup.

PA-1: Separate and Limit Highly Privileged/Administrative Users

Teams should ensure all business-critical accounts are identified and should apply limits to the number of privileged or administrative accounts in your cloud's control plane, management plane, and data/workload plane. Additionally, you should restrict privileged accounts in other management, identity, and security systems that have administrative access to your assets, such as tools with agents installed on business-critical systems that could be weaponized.

LT-1: Enable Threat Detection Capabilities for Azure Resources

This one is fairly self-explanatory, but focuses on ensuring you are monitoring your cloud environment for potential threats. Whether or not you’re using native services provided by your cloud provider of choice—such as Azure Defender for Cloud or Azure Sentinel—you should leverage a cloud detection and response tool that can monitor resource inventory, configurations, and user activity in real time to identify anomalous activity across your environment.

Implement and enforce Azure Security Benchmark V3 with InsightCloudSec

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on service provider best practices like those provided by Microsoft, a common industry framework, or a custom pack tailored to specific business needs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for the Azure Security Benchmark V3.

InsightCloudSec continuously assesses your entire cloud environment—whether that’s a single Azure environment or across multiple platforms—for compliance with best practice recommendations, and detects noncompliant resources within minutes after they are created or an unapproved change is made. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration or permissions—without any human intervention.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!

How Crown Media protects its crown jewel

It’s that time of year again…chestnuts roasting on an open-fire, kids making wish-lists, and company holiday parties where you can showcase your most outlandish ugly sweater. It’s also the time of year we all get a little bit less cynical and take in a cheesy holiday movie or two. Enter Crown Media Family Networks and its holiday hitmaker, Hallmark Channel.

Hallmark Channel—and its streaming counterparts like Hallmark Movies Now—are unique in the entertainment world. The company provides year-round programming and has many fans the world over, but the end-of-the-year holiday season is when its content really pops off. Holiday-season die-hards show up for cheesily-wistful-yet-earnest films that have become a cottage industry and an annual jingle-bell juggernaut.

In 2021, Hallmark Channel finished as the number one network among “women 18 and above”, which led to $147.8 million in revenue generated from holiday programming alone. It’s safe to assume the company doesn’t want intellectual property (IP) theft cutting into those kinds of returns.

Cloud-based content delivery

Here’s a scary-sounding sentence for those wary of vulnerabilities: Hallmark Channel’s entire content library is managed in the cloud. Cloud has obvious advantages for any organization, like quick-scaling and not having to build on-prem systems from the ground up. However, it can also increase risk to intellectual property:

• High-risk resources open to the public internet: If a particular cloud instance becomes accessible by anyone on the internet, revenue-generating IP may be compromised.
• Increased complexity: IP can be spread across multiple clouds in multiple locations. This makes identity management critical—who has access? Why do they need access? Where are they located?
• Delayed remediation: So the risk has been identified. But, how old is the data on which the remediation workflow is based? 6 hours? 12 hours? More? This significantly detracts from the efficiency of the remediation.

Action!

Holidays are a particularly busy time for threat actors. So, how do media companies like Hallmark Channel (or any organization) protect their intellectual property?  

• Create a cybersecurity IP legal and strategic framework: According to the American Bar Association, film and TV studios should avoid single-event approaches to IP theft and create a framework that prioritizes strategic management of risk in the long term. Treating the risk of IP theft as systemic will yield benefits like faster mean time to detect (MTTD) and mean time to respond (MTTR).  
• Address supply chain issues: Creating big-budget Hollywood content can involve hundreds of vendors and partnerships. Obviously, not everything can be taken in-house. Therefore it’s critical that a company like Hallmark Channel creates a process whereby each outside vendor’s IT and security is thoroughly vetted prior to engagement of services.
• Implement a disaster recovery solution: Modern cloud playout to streaming services must continue uninterrupted, so media organizations must build redundancy into their content delivery systems. A disaster recovery solution that protects data, enables rapid restore, and offers failover capability is critical.
• Keep clouds confidential: When the people that need to approve a cut of an in-progress TV show or film are scattered all over the world, a digital copy is uploaded onto what is essentially a public-facing cloud so they can access it, just like digital collaboration in any number of other industries. For holiday event films driving ratings and subscriber numbers however, that sort of collaboration can leave highly valuable content open to vulnerabilities and theft. Solutions like InsightCloudSec by Rapid7 can help to lock down identity and access management (IAM) protocols, as well as manage risk with real-time context across infrastructure, orchestration, workload, and data tiers.  

Making film and TV projects is a painstaking, long, and laborious process. All of the hard work by hundreds of people that goes into each project can be devalued by attackers in the blink of an eye. So to all cybersecurity professionals who are also major fans of holiday films and TV shows, let’s take up the call: Protect the IP!

You can read the previous entry in this blog series here.