Insider Security Threats Are No Game

A lot of cyber-security discussions make the whole issue seem like some exotic game. There are good guys (white hats), bad guys (black hats), funky-named bots and viruses and all sorts of new defense and attack weapons. The reality, however, is that there’s nothing entertaining about cyber-security for games developers.

This isn’t a new problem. Back in 2003, the Half-Life 2 source code was stolen after five years and hundreds of thousands of dollars had been invested into the development of the game. More recently in 2013, the IP Commission Report put the cost of intellectual property (IP) theft in excess of $300 billion in the United States alone.

In the Half-Life 2 example, the theft appears to have taken place through hacking a staff member’s Outlook email. Although external threats are still an issue whether coming from hactivists, competitors or national governments, insider threats are on the rise.

The Danger Within

Insider threat can appear in a number of forms:

In every one of these cases (and many others), the person stealing the assets (knowingly or otherwise) had perfectly legitimate access to source code and assets. Locking down access may help avoid some forms of leakage, but it’s more likely to slow the production pipeline, which could be an even bigger hit on the studio’s success.

Multilayered Protections Are Only the Start

The basics of security can’t be avoided. The starting point has to be good network protections to prevent external attacks. Fortunately, there are many hardware and software tools available to help with the perimeter defense.

When dealing with internal threats, the first step is to ensure that robust identity and access management tools are in place. Increasingly, helpful tools include multifactor authentication and encryption for data in transit (e.g., between the coder’s or artist’s desktop and code repository) and at rest (in the repository itself).

However, as described earlier, the issue that’s starting to cause the most concern is the threat from people who have completely legitimate access to internal systems. That’s why many companies trying to protect their assets are switching their focus from perimeter defense to rapid detection and reaction. In 2015, companies must assume they will get hacked. The question is, what happens next?

Detect and React

One of the problems to address in protecting all the valuable assets (or IP) in a game is the diversity. Games aren’t just source code; they include a wide variety of digital assets, including models, textures, video, audio and third-party libraries. Having such a mix of content also often means that different teams use various stores (or “repositories”), either because the tools used by some teams aren’t usable by all (e.g., coders may love Git but it can’t hold large binary files) or because some teams prefer the simple integrations or workflows they need (e.g., integration with Maya or Photoshop).

If there are many, diverse repositories, the chance of preventing or detecting suspicious behavior becomes almost impossible. Each of those tools will have differing levels of identity validation, file protections and, critically, audit logs.

For anyone considering how to implement detection systems, the most important first step is to understand what repositories are in place and reduce the number as much as possible. Ideally, standardize on a tool all contributors can use that provides robust user and file protections and reliable, detailed audit logs.

Once such a system is in place, the challenge becomes identifying when suspicious behaviour occurs. Traditional log analyzers can look for specific trigger events in a log (e.g., “100 files have been copied from a project”), but it’s impossible to spot whether the triggers are being fired correctly or not. Some of these repositories could be handling thousands or millions of transactions per day, so manual monitoring of log alerts is not feasible. There will be so many false alarms (“false positives”) that the noise will hide the real threats.

A new generation of tools is becoming available to automate log monitoring. By watching patterns of behavior over a period of time, these tools can learn what “normal behavior” looks like and can then warn when abnormal activity is triggered. The industry buzzwords are “user behavioral analytics.” Indeed, the best tools will look for multiple such events to build up a risk profile, thus further reducing the false positives.

Once risky behavior has been spotted, reaction becomes critical. The first step might be to perform a more detailed investigation to understand better what may be happening. Alternatively, you may want to lock down all access and then use a forensic approach to identify what has occurred.

There are two elements in establishing the impact of a theft – the amount or value of the assets stolen and how long they have been exposed. Those factors are useful when planning your reaction, but they’re also useful to assign a value to implementing the detection tools and processes. A reduction in the detection time by so many days, weeks or months could mean the tools pay for themselves very quickly.

Are You Prepared?

You may not be able to prevent all attacks, internal or external, but now is the time to audit your protection mechanisms, automate detection and have tools and processes in place to deal with any threats as quickly as possible. Then you can focus on building the greatest game ever.