Sony's new Chief Security Officer has offered some insight into how the company's defenses against hackers have changed since the infamous PlayStation Network Incident of aught-eleven.
Say what you will about the sorry state of Sony's cyberdefenses prior to the attack that brought down the PlayStation Network last year, but there's no denying that the company is at least trying to appear to take the matter of network security very seriously now. The company hired Brett Wahlin, formerly of McAfee, as its new Chief Security Officer, and he's moved quickly to overhaul the division from a mere four staffers in October of last year to a comprehensive security operation that includes a "security operations center" run by HP and ArcSight that reports directly to him.
"The types of ['hacktivist'] attacks we see are by groups with social agendas. The methods they use aren't the same as the state-sponsored guys," Wahlin, who also served eight years in the U.S. military as a counter-intelligence officer, told SC Magazine. "We are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different."
A big part of the plan relies on the ongoing analysis of behaviors, which will include "FBI-inspired behavior profiling methods" and other systems and technologies to detect when an individual's activities move suddenly beyond the norm. "If we detect unusual activity, it may be that someone's been owned by a Trojan that we don't know about, and we can stop data flying out the door," Wahlin explained. He's also employing similar strategies for detecting more straightforward incidents of fraud on the PlayStation Network.
"You start to see a lot of similarities to the social engineering tradecraft in the Cold War," he continued. "They have a discrete set of characteristics and targets and if we can begin to adapt some of the pattern recognition to a digital-based [environment]... we may be able to detect fraud more effectively."
Last but not least is simple education, in the form of figuring out why people do stupid things and how to make them stop. It sounds simple enough - don't click unknown links, don't tell people things you know you're not supposed to - but it's actually a far greater challenge than just telling people to smarten up.
"Your typical education program of emails, mouse pads and posters - no one pays attention to that," Wahlin said. "Everyone has their own hot buttons, different genders, age groups, ethnic backgrounds, and even job types - they all have different innate senses of satisfaction that you have to meet in order for staff to see security as valuable. Then we need to get them to repeat it until it's habit."