Jimmy Sanders Of Netflix Talks Security Trends And Threats

In the wake of attacks on content producers like Sony and HBO, companies are increasingly aware of their cyber vulnerability. International Business Times spoke to Jimmy Sanders, the head of information security at Netflix DVD, about the challenges faced by his company and others like it.

Sanders has been involved in computer technology for nearly a decade. Prior to his role at Netflix, he was the Security Architect for Samsung Research of America. Sanders also holds an advisory board role at several nonprofit organizations and committee positions for security conferences and is the president of the San Francisco Bay Area chapter of the Information Systems Security Association. (He noted that his responses are his opinions and not necessarily Netflix official security policy.)

IBT: Given the string of attacks against content producers earlier this year, has the threat landscape changed for content companies like Netflix in recent years and how does that affect the organization's approach to security?

Sanders: The threat landscape has not changed, the visibility of the landscape has changed. The added visibility has caused more attackers to take notice of an area of attack that they may not have considered. Content producers have always understood that their content is their prized jewels. There have been security concerns on the release of content from music and movie producers before the digital age. The Internet has simply accelerated the ability to disseminate the content and associated threats. As security professionals, our jobs are to understand our business's most valuable assets and protect them with the various means available to us.

When working with third-parties, how can organizations work to ensure their partners and clients also engage in the best security practices?

First, companies need to agree on what exactly best security practices represent. There are various standards and audit requirements that formally outline security practices, including ISO 27001, SSAE16, COBIT and PCI-DSS. Once the companies understand through common language the expectations of good security, an audit of the third-parties is necessary. The strictness of the audit and the coverage of the audit should be in correlation to the importance of the third-party to the business.

In terms of clients, companies need to understand exactly what constitutes their client base and what is the appropriate level of trust. Once you understand your client base, you can build security models to layer your security to work with your clients to give them the best experience while also mitigating the most risk. An example of various options could be the use of captchas, multifactor authentication, or client security awareness training.

What current or growing trend in cyber threats should organizations be aware of and preparing for?

A growing trend that organizations should be aware of is the use of government-created tools obtained by attackers. Examples of this trend would be WannaCry, Stuxnet, as well as other state sponsored attacks. Most companies and staff of security companies do not have the budget or the sophistication to match trained government employees. A good approach to mitigate against sophisticated attacks is to layer your protection. In addition a company should ensure their security investment is geared towards a company's most valuable assets.

What tend to be the most difficult vulnerabilities for organizations to defend against and how can they improve their defenses?

There are two types of vulnerabilities that tend to be the most difficult to defend against. The first vulnerability concern the various technical and social engineering attacks. I am referring to the growing trend of whaling, spear phishing, and social media profiling. A whaling attack is where the target of the attack is a high-profile executive, star or other high-ranking person. These attacks are hard to stop because regardless of the tools that you may put in place, an attacker can trick the user to circumvent the user’s own protection. In terms of improving defenses, there are various User Behavior Analytic (UBA) tools that can help detect when an identified entity is deviating from their normal behavior.

The second type of vulnerability that is hard to defend against is the internal lateral movement of a threat. There are many tools that are designed to protect a company's’ perimeter as well as protect attacks from penetrating a system. However, many companies lack the tools to accurately identify intra-network attacks and the lateral movement of attacks. Luckily, there are many tools and companies now that identify internal attacks as well as track threats as they flow along the cyber kill chain cycle.