There are cushier jobs than leading Sony Entertainment Network’s burgeoning security shop, but Brett Wahlin was never one to shy from a challenge. So when the entertainment giant looked to revamp its security in the wake of the devastating hacking attacks against its PlayStation Network last year, the former McAfee Chief Security Officer answered the call.
By the end of 2011, Sony had been attacked more than 20 times by ‘hacktivists’ angry at its attempts to prevent modification to its PlayStation 3 console. The attacks ranged from petty denial of service attacks, to defacements and ultimately took Sony’s PlayStation Network online gaming platform offline for almost a month.
Wahlin joined Sony as its first CSO, when only four security staff remained at the company in October last year. The revamped security department is a smaller version of Microsoft’s Trustworthy Computing Group, following its tenets of security, privacy, reliability and business integrity. The new department, Wahlin says, is the “connective tissue” that ties Sony’s electronics and computer divisions together and is the company’s biggest investment in information security.
Sony wanted to expand beyond stock-standard information security, and enhance and automate processes, implement better software code audits and run regular internal penetration tests.
In October, Sony created a security operations centre (SOC) run by HP and Arcsight. Its staff report to Wahlin and analyse feeds from all corners of SonyEntertainment Network, including information security and CCTV feeds. The centre’s goal is to automate security prevention capabilities so staff may work on enhanced detection and response.
If the SOC and the fledgling security department are successful in building a resilient and adaptable security posture, it will be expanded to the various independent departments that make up the Sony brand.
Wahlin is a specialist in the field of social engineering, having served as a counter-intelligence officer in the US Military for eight years during the Cold War. SC Magazine Australia has previously reported on Wahlin’s work on complex social engineering defensive measures for McAfee, based on his counter-intelligence background. Under Wahlin’s leadership, McAfee also re-engineered and de-perimetrised its internal network.
To Wahlin, defending against the ‘Anonymous’ hacktivist collective means thinking like a modern-day social engineer. “The types of attacks we see are by groups with social agendas. The methods they use aren’t the same as the state-sponsored guys.”
Wahlin knows the state-sponsored attacker well. He fought them in the army, and at McAfee. That enemy prefers to target supply-chain organisations, governments and the corporations they deal with.
But Anonymous is different, and aims to damage targets, not profit from them. “At Sony, we are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different.” This new strategy will stand on the shoulders of the tried and tested model Wahlin built at McAfee.
Locking down
Like many large organisations, Sony is not a single beast but a network of thousands of minds in hundreds of countries. To a social engineer, each staffer is a potential target with different levels of vulnerability and privilege. Sony’s customers – millions of PlayStation gamers – also are counted as victims and vectors of attack.
Wahlin is drafting an ambitious strategy to combat the threat. The strategy combines social engineering psychology with data analytics and user education, using Wahlin’s counter-intelligence, FBI-inspired human behaviour profiling methods and advanced fraud detection systems.
“We are looking to see if there are there key elements within a person’s interaction with their environment. That could be interaction with badging systems, with telephones – when and who do they call– and with systems like browser habits and applications used,” he says. “All these things allow us to set up a pattern for users, so when something different happens we can respond.”
Wahlin plans to have these complex information streams pour into Sony’s SOC. There, the process of separating normal from the abnormal would be automated. The centre would know, for example, what applications staff typically use, the web sites they normally visit and so on.
“If we detect unusual activity, it may be that someone’s been owned by a Trojan that we don’t know about, and we can stop data flying out the door.” Similar monitoring systems could detect social engineering attacks made against staff by monitoring Sony’s IP phone network and building a profile of who users call, when, for how long and what actions they take during the call.
Wahlin is also melding the social engineering craft with Sony Entertainment Network’s fraud team which monitors the PlayStation Network for suspicious transactions. Here, Wahlin is considering how counter intelligence strategies could help analyse user buying habits – including purchases of music, movies and games – to increase the effectiveness of the anti-fraud team.
“You start to see a lot of similarities to the social engineering tradecraft in the Cold War... they have a discrete set of characteristics and targets and if we can begin to adapt some of the pattern recognition to a digital-based [environment]... we may be able to detect fraud more effectively.”
Wahlin is particularly interested in coupling available fraud detection systems with social engineering prevention methods to reduce false positives that result in legitimate transactions on the PlayStation Network being blocked. The security team is now building a profile on what makes a typical gamer to generate data that Wahlin hopes will position Sony to detect fraud and fight social engineering attacks by phone, email and physical intrusion.
Education
“Why do people keep clicking on [bad] links, why do they give out information that they shouldn’t over the phone, and what are the barriers to change this?” Those questions underpin Sony Entertainment Network’s education strategy, dubbed Security Transformation. It strives to examine why users are resistant to change and provide a method to make security a habit.
The Security Transformation program rides on the coattails of Sony’s workplace safety education strategy which pushed home the personal benefit of safe practice – put simply, be safe if you don’t want to go to hospital.
For the program, Wahlin is researching how to tie good security practice to the values of staff. But this becomes complex in an organisation the size of Sony. “Your typical education program of emails, mouse pads and posters – no one pays attention to that,” he says.
“Everyone has their own hot buttons, different genders, age groups, ethnic backgrounds, and even job types – they all have a different innate senses of satisfaction that you have to meet in order for staff to see security as valuable. “Then we need to get them to repeat it until it’s [a] habit.”
This article first appeared in SC Magazine's March print edition.
