Security Improvements – Part 1
EDR, MDR, and XDR: Strengthening Detection and Response in Media & Entertainment
Back in August 2023, the MPA published a new version of its best practices for TPN certification. In addition to the ongoing requirements that allow studios to operate securely, the MPA has added and tightened several key security practices that will need to be addressed.
In this two-part article I will go over three of these best practices: what they are, why they matter, and how to implement them. This first piece introduces each practice and explains what it entails. The next article will look at how each one works in practice, what it means for your business, where to start, and how to implement it correctly.
The first best practice we'll discuss, which has always been on the list, is Pen Testing (Penetration Testing). I often encounter studios that don't see the value of a pen test or aren't sure how to go about one. Simply put, an external pen test is an authorized attempt to find, and where possible exploit, weaknesses in your internet-facing security posture; it goes beyond an automated scan. In practice that means probing your firewall - the device that controls traffic between your network and the internet - for misconfigurations and known vulnerabilities. Many studios do not allow any inbound services such as VPN or remote access, so the test may be relatively straightforward since no external services are permitted. It is still essential to confirm that the firewall behaves as configured and does not let external threats reach your internal networks.
There are several types of pen test, but most studios will only need the standard external network test. Even within that, the scope is typically based on the number of public IP addresses your ISP assigned to you (counting only the ones you actually use) and whether you run any internal services that are reachable from the outside.
Pen testing can reveal unexpected issues. Outdated firewall firmware, for instance, can carry serious vulnerabilities that expose your environment to external threats. A pen test also shows whether the internal services you expose to the outside are vulnerable and need attention.
The second best practice TPN lists in its latest release is Vulnerability Scanning. While pen testing primarily addresses the external perimeter, vulnerability scanning is run on internal networks to find known vulnerabilities on every internal device before they can be used to harm the company.
Once a scan has run, the tool generates a report that lists the issues found. Different tools scan in different ways, but the results are broadly consistent, with differences that mostly come down to which vulnerability database each tool draws on. The point is to use the report to identify and resolve the issues. Vulnerability scanning should be done regularly and automated as much as possible.
The scanner will discover every device on the network it scans; at times it will even uncover old devices or equipment you weren't aware of. However, the tool is only as effective as your response to its findings. Identifying problems is not enough; you also have to fix them. To be honest, these tools will report many vulnerabilities, and some will not apply to your environment or will carry very low risk, so not every finding needs immediate action. Still, it is crucial to have expert eyes on these reports so that nothing critical is missed, and to record why a finding was deprioritized so the same question is not re-opened every cycle.
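The triage step described above - bucketing findings by severity, recording accepted risks so they are not re-raised, and flagging hosts nobody knew about - is the part most studios do by hand. The script below is an added example written for this article, not Zalcore's code and not the export format of any particular scanner. The record layout, the inventory, the accepted-risk list and every finding are constructed; finding IDs such as F-001 are placeholders, not CVEs.

```python
"""Triage a vulnerability scan report against an asset inventory.

Added example for this article, not Zalcore's code and not the output
format of any particular scanner. The record layout, the inventory, the
accepted-risk list and every finding below are constructed for
illustration; finding IDs such as F-001 are placeholders, not CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    finding_id: str          # placeholder ID, not a real CVE
    cvss: float              # CVSS v3 base score as reported by the scanner
    exploit_available: bool = False


# Constructed asset inventory: IP -> role. Anything the scanner finds
# that is not listed here is a device nobody knew about.
INVENTORY = {
    "10.0.1.10": "render-node",
    "10.0.1.20": "artist-workstation",
    "10.0.1.30": "nas",
}

# Findings already reviewed and accepted, keyed by (host, finding_id),
# with the reason recorded so the next report does not re-raise them.
ACCEPTED = {
    ("10.0.1.30", "F-004"): "affected module disabled on this NAS; re-check after next firmware",
}

# Constructed sample findings, as a scanner might report them.
FINDINGS = [
    Finding("10.0.1.10", "ssh/22", "F-001", 9.8, exploit_available=True),
    Finding("10.0.1.20", "smb/445", "F-002", 7.5),
    Finding("10.0.1.20", "http/8080", "F-003", 3.1),
    Finding("10.0.1.30", "http/80", "F-004", 8.1),
    Finding("10.0.1.99", "telnet/23", "F-005", 6.5),   # host missing from INVENTORY
]

BANDS = ("low", "medium", "high", "critical")   # CVSS v3 severity bands


def priority(f: Finding) -> str:
    """Map a finding to a remediation band. A publicly available exploit
    moves it up one band, because likelihood matters as much as impact."""
    if f.cvss >= 9.0:
        band = 3
    elif f.cvss >= 7.0:
        band = 2
    elif f.cvss >= 4.0:
        band = 1
    else:
        band = 0
    if f.exploit_available:
        band = min(band + 1, len(BANDS) - 1)
    return BANDS[band]


def triage(findings, inventory, accepted):
    """Sort findings into remediation bands, separate accepted risks,
    and flag hosts that are not in the inventory."""
    report = {band: [] for band in BANDS}
    report["accepted"] = []
    report["unknown_hosts"] = set()
    for f in findings:
        if f.host not in inventory:
            report["unknown_hosts"].add(f.host)
        reason = accepted.get((f.host, f.finding_id))
        if reason is not None:
            report["accepted"].append((f, reason))
            continue
        report[priority(f)].append(f)
    for band in BANDS:
        report[band].sort(key=lambda x: x.cvss, reverse=True)
    return report


if __name__ == "__main__":
    result = triage(FINDINGS, INVENTORY, ACCEPTED)
    for band in reversed(BANDS):
        for f in result[band]:
            print(f"{band:8} {f.host:12} {f.service:10} {f.finding_id} cvss={f.cvss}")
    for f, reason in result["accepted"]:
        print(f"accepted {f.host:12} {f.finding_id}: {reason}")
    for host in sorted(result["unknown_hosts"]):
        print(f"UNKNOWN HOST {host}: not in inventory, identify its owner")
```

Two design points matter here. The accepted-risk list carries a reason and is keyed per host, so a finding that is genuinely not applicable on one device is still raised on every other device where it appears. And the unknown-host check runs before anything else, because a device that is not in the inventory has no owner to fix it, which is usually the more urgent problem than its CVSS score.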
The last area to discuss is logging. Although logging has always been part of the best practices, the latest MPA release calls for much higher standards. Logging matters more than ever with the rise in cyber attacks and the increase in remote work. Many tools can handle logging, but it is important to understand the distinction between them.
I like to divide logging into two categories: endpoints, and other systems running less common operating systems. Endpoints include any computers or mobile devices in your environment (macOS, Windows, Linux, iOS, Android, etc.), while the uncommon systems include switches, firewalls, storage devices, and certain servers. The idea of logging seems simple but can be very complex. On endpoints it means installing agents that forward specific events to a destination (usually a cloud-based service, though local aggregation is also an option). The other systems forward their own log formats, typically over syslog, to the same or a different location. Shipping the logs is only a small part of the process, perhaps 10%. The real complexity lies in the rules the logging platform applies to the incoming events in order to raise alerts on potential security issues.
Traditionally, reviewing those logs was a manual process. The new TPN best practices recommend using a SIEM (Security Information & Event Management) tool to capture and analyze them. A SIEM collects events from all of these sources and applies correlation rules to detect patterns across them, so alerts can be generated automatically. Beyond the SIEM itself, there are several detection and response options:
- Endpoint Detection & Response (EDR) - EDR focuses on endpoints (computers and mobile devices). An agent installed on each device detects irregular activity and responds to it. The response can be customized and ranges from sending an email notification to isolating the device from the network. Each EDR product has its own method of detection and response.
- Managed Detection & Response (MDR) - MDR is a service rather than a product. The events an EDR (or XDR) platform detects are sent to the provider, where a team of security professionals monitors, analyzes, and responds to them. The main advantage is that every event is continuously watched and handled, without you having to staff that function yourself.
- Extended Detection & Response (XDR) - XDR goes a step further: it monitors endpoints but also the other entities in your environment (firewalls, identity systems, email and cloud services, for example) and correlates events from these multiple sources. Seeing the same activity from several angles lets security teams detect risks with greater precision and reduce false positives.
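The "rules" that the logging section calls the hard part, and the cross-source correlation that the XDR bullet credits with fewer false positives, are easier to see in code than in prose. The script below is an added example written for this article; it is not the rule syntax or code of any SIEM, EDR or XDR product. The line format (ISO-8601 timestamp followed by key=value pairs), the host-to-IP inventory and every log line are constructed. It stacks three rules: a burst of failed logins on an endpoint, a success shortly after that burst, and then an outbound connection from the same host seen by the firewall, each one raising the severity.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example for this article, not the rule syntax or code of any SIEM,
EDR or XDR product. The line format (ISO-8601 timestamp followed by
key=value pairs), the host-to-IP inventory and every log line below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory used to join firewall events (which carry IPs)
# to endpoint events (which carry hostnames).
HOST_IPS = {"ws-12": "10.0.1.12", "ws-07": "10.0.1.7"}

# Constructed sample: five failed logins on ws-12 from the same source,
# a success shortly after, then an outbound connection from ws-12 seen by
# the firewall. bob's single typo on ws-07 is the benign control case.
LOG_LINES = """\
2024-03-01T10:00:01Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=failure
2024-03-01T10:00:04Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=failure
2024-03-01T10:00:07Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=failure
2024-03-01T10:00:10Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=failure
2024-03-01T10:00:12Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=failure
2024-03-01T10:00:40Z source=endpoint host=ws-12 src=10.0.1.50 user=alice event=login result=success
2024-03-01T10:02:00Z source=firewall host=fw-1 src=10.0.1.12 dst=203.0.113.7 event=conn action=allow
2024-03-01T10:30:00Z source=endpoint host=ws-07 src=10.0.1.60 user=bob event=login result=failure
2024-03-01T10:31:00Z source=endpoint host=ws-07 src=10.0.1.60 user=bob event=login result=success
""".splitlines()

FAIL_THRESHOLD = 5                      # failures that count as a burst...
FAIL_WINDOW = timedelta(seconds=60)     # ...within this window
SUCCESS_WINDOW = timedelta(minutes=10)  # success this soon after a burst is suspicious
EGRESS_WINDOW = timedelta(minutes=5)    # outbound connection this soon after is worse


def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect(records, host_ips):
    """Run three stacked rules and return (severity, rule, detail) alerts.
    Rules 2 and 3 only fire if the previous one fired for the same host,
    which is what keeps a lone failed login from paging anyone."""
    alerts = []
    failures = defaultdict(list)   # (host, src) -> recent failure times
    bursts = {}                    # (host, src) -> time the burst was flagged
    suspicious = {}                # host -> time of success-after-burst
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["source"] == "endpoint" and r["event"] == "login":
            key = (r["host"], r["src"])
            if r["result"] == "failure":
                recent = [t for t in failures[key] if r["ts"] - t <= FAIL_WINDOW]
                recent.append(r["ts"])
                failures[key] = recent
                if len(recent) >= FAIL_THRESHOLD and key not in bursts:
                    bursts[key] = r["ts"]
                    alerts.append(("medium", "login burst",
                                   f"{len(recent)} failures for {r['user']} on {r['host']} from {r['src']}"))
            elif (r["result"] == "success" and key in bursts
                  and r["ts"] - bursts[key] <= SUCCESS_WINDOW):
                suspicious[r["host"]] = r["ts"]
                alerts.append(("high", "success after burst",
                               f"{r['user']} logged in to {r['host']} from {r['src']} after burst"))
        elif r["source"] == "firewall" and r["event"] == "conn":
            for host, t in suspicious.items():
                if host_ips.get(host) == r["src"] and r["ts"] - t <= EGRESS_WINDOW:
                    alerts.append(("critical", "egress after suspected compromise",
                                   f"{host} ({r['src']}) connected out to {r['dst']}"))
    return alerts


def run():
    """Parse the constructed lines and return the alerts they produce."""
    return detect([parse(line) for line in LOG_LINES], HOST_IPS)


if __name__ == "__main__":
    for severity, rule, detail in run():
        print(f"[{severity.upper()}] {rule}: {detail}")
```

The control case is the point: bob's one mistyped password produces no alert at all, while alice's sequence escalates from medium to critical as the endpoint and firewall sources are joined through the inventory. A rule that only looked at the endpoint log would stop at "high"; a rule that only looked at the firewall would see an ordinary allowed connection. The windows and threshold are constants to be tuned per environment, and in a real deployment the join between hostnames and IPs comes from DHCP or the asset inventory rather than a hard-coded map.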
In the next article I will go into more detail on the best practices discussed here, their impact on your business, and how to get started. Check out Zalcore's solution page to find out more about EDR options, Vulnerability Scanning and more.