Perforce's Mark Warren discusses the security threats - both internal and external - that games studios face
Games studios have enough to worry about without also having to wonder whether their game assets are being stolen. Given that the code, the art, the animations, audio and video are the lifeblood of any game being developed, it makes sense to protect these crown jewels.
This isn’t idle scaremongering talk. The IP Commission Report puts the cost of IP theft (of all kinds) in excess of $300 billion. Financial losses from cyber-theft could cause as many as 150,000 Europeans to lose their jobs, according to a Cybercrime report by Intel Security/McAfee in 2014. While not specific to the games industry, there have been some high-profile cases in the past couple of years of companies having massive data leaks and breaches, often with far-reaching consequences.
While a bank having its customers’ financial data exposed or a hospital endangering patient privacy is bad enough, software just helps to drive these organisations; it is not their core product. For a games studio, finding out that its code has not only been stolen but is being replicated in Asia, is free for anyone to download from the Internet, or has even been leaked as an entire pre-launch game could close that business down very quickly.
So, readers may be wondering, am I pointing the finger at rogue employees? Potentially, though it is also possible – and increasingly so – that external hackers have found ways to impersonate a legitimate employee’s ID to infiltrate a company. Once inside, they can behave like any normal employee, with access to confidential information, and it could be a long time before they are caught (if ever).
Here’s an alarming real-life example that puts some concrete context around that theoretical threat. A well-known manufacturer had spent over one million US dollars over 12 months trying to confirm the source of software IP theft. Not until it applied some advanced behavioural analytics technology to the log data (held in Perforce) from 20,000 global developers from 30 days’ worth of activity – totalling over nine billion events – did it get to the root of the problem. As a result, the source of the thefts was uncovered in less than two weeks: the two suspected rogue engineers were confirmed, and another 11 previously unknown thieves were discovered.
Developer threats are hard to find
This example highlights the situation experienced by many organisations – not just in the games industry – namely that even when they invest in lots of security solutions, such as anti-virus, firewalls, privilege management, vulnerability management, end-point protection devices – security is still a massive challenge.
The problem for the cybersecurity industry has been that development assets are typically held in different ‘repositories’ (usually on several different computer servers or even in a shared public cloud service), making them hard for traditional software security tools to track and protect. Traditional security tools are typically not designed to protect source code, and it’s not unusual for a company to receive in excess of 100,000 alerts a day from such tools. That volume can quickly become overwhelming, and it makes it hard to work out which alerts represent a real threat.
Behavioural analytics applies algorithms that look at what individual users, within the network, may be doing and then calculates the likely risk of threat. These help companies to understand the context of an attack and accurately rate the risk priority.
The key is detection of anomalous IP access behaviour and to identify the users, machines and projects involved. Using advanced algorithms, these tools observe, measure and even predict outcomes from human decision-making processes, based on each person’s unique decision-making patterns and risk-tolerance levels.
Modern threat detection identifies not only that a pattern of behaviour has deviated from its norm, but also whether that behaviour is likely to be risky. For instance, someone accessing a single important source code project more often than they have historically accessed it is interesting, but not as interesting (or potentially as risky) as someone accessing 10 important source code files that they have never accessed before.
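The distinction drawn above can be made concrete with a small scoring sketch. This is an added illustration, not Perforce's or any vendor's algorithm: the user names, asset paths, sensitivity values and weights are all constructed assumptions, chosen only to show first-time access to important assets outranking a rise in access to a familiar one.

```python
from collections import Counter, defaultdict

# Constructed sample data; users and asset paths are hypothetical.
IMPORTANT = {f"engine/core_{i}.cpp" for i in range(10)} | {"game/netcode"}

def make_events():
    """Return (baseline, recent) lists of (user, asset) access events."""
    baseline, recent = [], []
    # alice: one important project, accessed 4x more often than before
    baseline += [("alice", "game/netcode")] * 5
    recent += [("alice", "game/netcode")] * 20
    # bob: only UI art historically; now 10 important files, never seen before
    baseline += [("bob", "art/ui")] * 30
    recent += [("bob", f"engine/core_{i}.cpp") for i in range(10)]
    # carol: behaviour unchanged
    baseline += [("carol", "art/ui")] * 10
    recent += [("carol", "art/ui")] * 10
    return baseline, recent

def per_user_counts(events):
    counts = defaultdict(Counter)
    for user, asset in events:
        counts[user][asset] += 1
    return counts

def score_users(baseline, recent, important, novelty_weight=10.0, freq_weight=1.0):
    """Return {user: (score, reasons)}. Weights are illustrative assumptions."""
    base, now = per_user_counts(baseline), per_user_counts(recent)
    results = {}
    for user, assets in now.items():
        score, reasons = 0.0, []
        for asset, n in assets.items():
            sensitivity = 1.0 if asset in important else 0.1
            seen = base[user][asset]
            if seen == 0:
                # Never accessed in the baseline window: novelty dominates.
                score += novelty_weight * sensitivity
                reasons.append(f"first access: {asset}")
            elif n > seen:
                # Known asset, accessed more than usual: scale by the increase.
                ratio = n / seen
                score += freq_weight * sensitivity * (ratio - 1)
                reasons.append(f"{asset} x{ratio:.1f} vs baseline")
        results[user] = (round(score, 2), reasons)
    return results

if __name__ == "__main__":
    for user, (score, why) in sorted(score_users(*make_events(), IMPORTANT).items(),
                                     key=lambda kv: -kv[1][0]):
        print(user, score, why[:2])
```

Keeping the reasons alongside the score is what lets an analyst see why a user was ranked highly, rather than receiving one more unexplained alert.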
What’s also important to understand is the type of threat perpetrator and also the different ways in which they can instigate an attack.
To catch a thief
Headline grabbers include the internal hacktivists, organised criminal groups and state-sponsored espionage. While these are very real threats, particularly for some global organisations, for most games studios one of the biggest sources of risk is careless employees.
Many workers are guilty of moving data to an insecure location in order to make their working processes easier and, in doing so, exposing that information to potential threat. A Cisco study entitled ‘Data Leakage Worldwide: the high cost of insider threats’ found that 44 percent of employees share work devices with others, 46 percent of remote workers admitted to transferring work files to home computers and 18 percent admitted to sharing passwords.
People leaving an organisation, or being paid by an external hacker or criminal group, are another issue altogether. In September 2014, the FBI put out an alert that it was seeing a significant increase in attacks of this category.
Types of attack
Attack types also vary. The ‘impulsive attack’ is typical of leaving employees and insider hacktivists, usually occurring in hours or just a few days. The ‘below-the-radar slow attack’ may go on for years and is typically found in government or corporate espionage. The ‘outside or targeted attack’ – often called an advanced persistent attack (APT) – can be very sophisticated and, again, usually takes place over time. Less common are malware-based outside attacks, which are hard to defend against because they are constantly changing.
Then we also have the rise of combined orchestrated inside/outside attacks: the insider (perhaps an unhappy employee who accepts payment in order to breach corporate confidentiality) introduces the malware and then relinquishes control to an anonymous command-and-control (C&C) mechanism. With the malware present and obfuscated, the C&C server quietly and continuously extracts data out of the organisation.
Let’s hope that for most people reading this article, the risks around software security and IP theft will never come to light. However, given how vital software development is to any games studio, surely it makes sense to be as well armed as possible? While realistically it may not be possible to stop threats completely, being able to stop them in their tracks has to be a step forward.
Mark Warren is European marketing director of Perforce Software, with additional responsibility for solutions marketing. Worldwide, the version management and code collaboration portfolio from Perforce Software is used by thousands of customers, including Salesforce.com, NVIDIA, Samsung, and EA Games. Mark has over two decades' experience in the software industry with roles as a provider and consumer of advanced development tools.