Using Hollywood to improve your security program
by Dwayne Melancon - CTO at Tripwire - Tuesday, 29 July 2014.
In the 2001 movie, “Ocean’s Eleven,” Danny Ocean (George Clooney) and his crew are able to rob a casino, right under the owner’s nose. A number of attacks are involved:
  • In various parts of the movie, criminals pose as consultants, employees, and other experts to gain access to the inner workings of the casino. This is analogous to credential theft or a compromise of your trusted insiders.
  • The surveillance system is compromised to make the casino operators believe everything is normal. Ocean’s crew tamper with the video feed so the casino ends up watching fake camera footage instead of what’s really happening. This is the equivalent of cyber criminals tampering with logs and other traces to cover their tracks.
  • There are also several instances in which the casino owner and law enforcement personnel are fed bogus information that sends them on wild good chases with the goal of luring them away from the location where the real crime was occurring. We’ve seen DDOS attacks, cyber vandalism, and other tactics in the infosec world used in a similar way to distract organizations from the real attack (often fraud, or data exfiltration in some other area of the business).
In these examples, we can implement safeguards such as multifactor authentication, strong identity and access management, oversight and “big picture” continuous monitoring. These approaches reduce the risk that we will miss criminal acts because we’re distracted by a theatrical event designed to grab our attention, tie up our resources and lure us away from the real crime.

Think Like Hollywood

These examples provide mental models that can help us think about information security in a different way. If your data security strategy were featured in a Hollywood blockbuster, how would you be fooled? Where are the weak spots that criminals could take advantage to get at your company’s ‘crown jewels?’

Thinking like Hollywood is a fun and useful way to find weaknesses in your security posture. I think you’ll find that most of the opportunities for improvement center around weak or sloppy handoffs; the lack of a clear picture of what “normal” looks like; the inability to notice small changes in your environment; the tendency to trust without verifying; and a bias to focus on the biggest, latest, and loudest incident you encounter.

In Hollywood heist movies, the bad guys often win. In real life, you have the power to make sure they don’t – imaging you’re in a Hollywood movie can help, and it’s a lot more fun than a pen test.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th