This weekend, 113 million people will all be doing the same thing at the same time: watching the Super Bowl. No matter who you’re rooting for (Clumio’s HQ is a minute away from the Levi’s Stadium, so no points for guessing where our allegiances lie), you’ve got to be impressed with that audience size. In today’s highly personalized, on-demand media environment, it’s hard to find anything that 113 million people would agree on watching, let alone all at the same time.
With this massive audience (and money involved), unfortunately, there are people who see it as an opportunity to disrupt, to sow chaos, and potentially profit.
There is no shortage of reasons someone may want to target an event, but to better understand what the defense should be, let’s take a look at the motivations that drive threat groups.
Profit: Events like the Super Bowl are high-stakes for the organizers. An exceptional amount of money changes hands, from event tickets and concessions to broadcasting rights, advertising, halftime entertainment, and the list goes on. The NFL broadcast and streaming rights deal alone is worth 9 billion dollars. Those high stakes make it a prime target for ransomware attacks. The more the organizers stand to lose from a disruption, the more likely they are to pay up.
Attention: If a bad actor wants to shine a light on an issue or cause, they’re looking for the most attention from the biggest possible audience. Hacktivists, terror groups, and smaller nation states seeking attention – air time, notability, and a desire to have their message reach likely every person in the US – make this a prime target.
Chaos: Sometimes with cyberattackers, the point is simply the desire to cause havoc or gain notoriety for successfully attacking a high-value, high-security target.
This is more than an unfounded worry. The NFL and its teams have been hacked before.
This year’s Super Bowl feels familiar, and that’s because San Francisco and Kansas City also faced off in 2020. Around a week before the big game, both teams and the NFL had their social media accounts hacked. Apparently the purpose of these hacks was to illustrate security shortcomings, and there was no major fallout.
In 2022, the 49ers were hit by a ransomware attack, with the BlackByte group claiming responsibility. Supposedly financial data was stolen, and data was encrypted.
In general, threats to sports organizations are on the rise. The UK’s National Cyber Security Centre’s report on The Cyber Threat to Sports Organisations states that at least 70% of UK sports organizations surveyed had experienced a cyber incident or breach, with more than 30% stating they’d experienced 5 or more incidents in the previous 12 months.
With almost all Super Bowl technology being connected – from lighting controls and physical body scanners, to the technology to create screen overlays – cyber attacks have the potential to disrupt viewing, event security, and potentially even the facilities.
These services increasingly rely on cloud computing to operate efficiently. For regular season play, streaming through Amazon Prime is a great example. AWS has a brief writeup on the technologies the Prime business unit uses to enable massive-scale, real-time streaming. On top of that, the NFL is a case study customer for AWS. AWS is used for everything from scheduling to machine learning capabilities for stats.
This is just a small sample of what is supporting the NFL, but when we look at the Super Bowl specifically there are hundreds of vendors supporting everything from streaming to event security. Companies such as ARMED Inc and Marinus Analytics use AWS Rekognition computer vision to identify threats. While it’s not clear which vendors directly support the Super Bowl, the NFL is likely using a vendor that does physical threat detection via computer vision.
This highlights the pervasive cloud connectivity of our digital ecosystems and represents a small part of what the NFL, DHS, and others must consider as part of the attack surface when planning for these events.
Teams across both the public and private sector spend months planning and preparing for these events. It takes coordination, communication, and practice. (See this press announcement from last year on the DHS organizations that support the Super Bowl.)
And while an entire book’s worth of preparation goes into these types of events, there are a few more concise lessons that we can take away and apply to our day-to-day jobs in IT and Security, especially when it comes to our cloud attack surface.
Preparation for big events starts a year or more ahead of time. Preparation can mean many things, but ultimately the takeaway is about due diligence. Know what needs to be secured, the interlock of all components, operational tempo, and who needs to be involved. As the saying goes, “prior planning prevents poor performance.”
From a practical standpoint, this maps back to the CIS controls framework, one of the standard ways we assess both traditional and cloud infrastructure for its resilience to cyber attacks. The top two controls are inventory-related; you need to know what you have before you can even begin to protect it.
Another lesson we can learn from Super Bowl preparation comes from the intelligence community. Intelligence is used not only to inform what to be on the watch for, but also to design defenses that thwart attacks to begin with. Defending against attacks in this way has become known as threat-informed defense. Whether preparing for a big event or just ensuring operational resiliency, knowing how attackers operate and what they are able to carry out against your infrastructure provides a strong foundation for planning.
In the cloud we can use tools like the MITRE ATT&CK® Matrix to build our own threat-informed defense models. Whether you are at the beginning of your cloud journey or have a mature practice, taking time to perform threat modeling allows you to manage risk effectively.
One of the most overlooked tools we have to make ourselves better at anything is role playing, or what we in security and technology call “tabletop exercises.” This is the tool we use to find out how our team will perform in an incident response.
Overlooking nothing, the NFL partners with CISA on Super Bowl security and resiliency, and together they complete a yearly tabletop exercise. This is a great example of practicing to manage risk. They test not only technical systems, but human systems as well.
When it comes to cloud resiliency, we do dry runs, we perform DR tests, and we load test. All of these technical evaluations are meant to ensure the technology is configured correctly, performs correctly, and works as expected.
But what we see happen over and over is that the biggest gaps are in process execution.
If you boiled this blog down to one lesson it would be this: Practice for both IT and Security incidents. Know how the team performs, and adapt processes and technology to meet your needs. Having technology that allows people to execute repeatedly with success can make all the difference in an incident.
Expect to fail, and expect your fallback plan to fail. Live by the mantra that one is none and two is one. If you plan for failure you know the exact actions to take when a failure occurs so you can mitigate impact.
For large events like the Super Bowl, highly distributed systems with near-real-time capabilities are required, but you also need separate security domains to manage the worst case (like ransomware in the enterprise).
In extreme cases, typically reserved for only the most intense security, systems will not only have separate security domains, they won’t share any commonality. No shared supply chain even. For events with real-time information flows to millions of people, this usually isn’t a practical option, but it helps as a thought exercise if you are planning an event, or just want to think about your daily operations.
Being able to identify every point of failure and determine which risks are worth mitigating is what makes good security and IT resilience practitioners stand out.
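As an added example (not code from the original post), the sketch below turns the "one is none and two is one" and separate-security-domain lessons into a check over an asset inventory. The asset names, account names, and the rule that fewer than two backups is a finding are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Copy:
    """One copy of a dataset; every value used below is constructed sample data."""
    account: str      # account / security domain that controls this copy
    region: str
    immutable: bool   # True if the copy cannot be altered or deleted before expiry

@dataclass
class Asset:
    name: str
    primary: Copy
    backups: list = field(default_factory=list)

def resilience_gaps(asset):
    """Return the findings for one inventoried asset (empty list = no gaps)."""
    gaps = []
    if len(asset.backups) == 0:
        gaps.append("no backup: the primary is the only copy")
    elif len(asset.backups) == 1:
        gaps.append("single backup: no fallback if the restore fails")
    # A backup only helps against a compromised account if another account owns it.
    isolated = [b for b in asset.backups if b.account != asset.primary.account]
    if asset.backups and not isolated:
        gaps.append("every backup shares the primary's security domain")
    if isolated and not any(b.immutable for b in isolated):
        gaps.append("no isolated backup is immutable")
    if asset.backups and all(b.region == asset.primary.region for b in asset.backups):
        gaps.append("all copies sit in one region")
    return gaps

def audit(inventory):
    """Map asset name -> findings, keeping only assets that have gaps."""
    return {a.name: g for a in inventory if (g := resilience_gaps(a))}

# Constructed inventory: hypothetical asset and account names.
INVENTORY = [
    Asset("ticketing-db", Copy("prod", "us-west-2", False),
          [Copy("prod", "us-west-2", False)]),
    Asset("stream-config", Copy("prod", "us-west-2", False),
          [Copy("vault", "us-east-1", True), Copy("prod", "us-west-2", False)]),
    Asset("scanner-logs", Copy("prod", "us-west-2", False)),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(name, "->", "; ".join(gaps))
```

The findings make a useful input to a tabletop exercise: each one is a concrete failure scenario the team can walk through.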
If you want to take the exercise even further, read NASA’s various publications and papers on designing systems to handle failure. Their publication on fault-tolerant cloud architecture is a great place to start.
For help kicking off a tabletop exercise, start with this article from TechTarget. If you’re like Parchment and your tabletop exercise uncovers data resiliency needs, Clumio can help ensure your cloud data’s recoverability with air-gapped, immutable backups, and fast, flexible restores. Request a personalized demo to see it for yourself.