Overview
The Motion Picture Association (MPA) has developed Content Security Best Practices for the Media and Entertainment industry to establish a benchmark for minimum security preparedness. A direct link to the MPA Content Security Best Practices can be found here.
When properly configured, ThreatLocker can assist organizations in meeting this benchmark. We have done our best to outline the best practices that ThreatLocker supports. Where a best practice is not listed, ThreatLocker doesn’t currently support it.
Disclaimer: We make no guarantee on the end user's behalf. If ThreatLocker policies are not configured correctly, they will not support the listed best practices.
Best Practices
Domain: Organizational Security
Policies and Procedures
- Data and Assets:
- Establish and regularly review a policy and process for the classification, protection, and handling of Data & Assets throughout its lifecycle, according to local laws, regulations, and agreements.
ThreatLocker can assist with the protection of data. ThreatLocker Storage Control allows you to create policies to protect you from data theft. Ringfencing™ can be configured to limit what the application used to open your data can do, preventing permitted applications from being exploited or weaponized.
Risk Management
- Risk Management
- Establish a formal, documented security Risk Management program, to include the following:
- Address workflows, assets, and operations
- Apply principles of Confidentiality, Integrity, and Availability (CIA)
- Review regularly and upon key changes
- Conduct a risk assessment annually
- Document decisions on risk management, to include monitoring and reporting remediation status with relevant stakeholders
ThreatLocker can assist with conducting a risk assessment. The ThreatLocker Health Report offers valuable insights into ongoing activities within the environment and is supplemented by actionable recommendations to enhance security measures and strategies.
Personnel Security
- On-boarding/Off-boarding
- Establish and regularly review a process for the On-boarding/Off-boarding of all relevant full- and part-time employees, consultants, contractors, interns, freelancers, and temporary workers, by performing the following:
- For On-boarding:
- Communicate and require sign-off from all company personnel for all current policies, procedures, and/or client requirements
- Provision physical/digital access
- Complete required training
- Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for on-boarding
- Retain all signed agreements
- For Off-boarding:
- Transfer ownership of data & access
- De-provision physical/digital access
- Return all company assets/equipment (e.g., keys, fobs, badges, devices, etc.)
- Confidentiality Agreements, Non-Disclosure Agreements (NDAs), etc., specifically applied for off-boarding
- Retain all signed agreements
ThreatLocker can assist with provisioning and de-provisioning digital access. ThreatLocker Storage Control can be configured to allow or restrict access to specified file paths, folders, network shares, or external storage devices. ThreatLocker Application Allowlisting can be configured to only permit applications that are necessary to the user’s role to be accessed. ThreatLocker Elevation Control can be configured to enable users to run specific applications as a local administrator without giving users local admin rights.
Incident Response
- Incident Response
- Establish and regularly review a formal Incident Response process, which covers both IT and content incidents/events, to include the following:
- Detection
- Notification/Escalation
- Response
- Evidence/Forensics
- Analysis
- Remediation
- Reporting and Metrics
- A corrective action process, to include root cause, lessons learned, preventative measures taken, etc.
ThreatLocker can assist during an incident response. ThreatLocker can be configured to block malicious scripts launched during the incident. The Unified Audit provides additional visibility into the incident.
Domain: Operational Security
Policies & Procedures
- Work From Home/Remote Workers
- Establish and regularly review a policy and process for Work From Home (WFH)/Remote Workers, in accordance with local laws, regulations, and agreements, and apply the following Best Practices:
- Authentication & Authorization
- Background Screening
- Business Continuity Plan
- Endpoint Protection
- Identity Access Management
- On-boarding/Off-boarding
- Remote Access
- Risk Management
- Training & Awareness
- Wireless Networks
ThreatLocker can assist with enforcing a policy or process for remote workers. ThreatLocker Protect, which includes Allowlisting, Ringfencing™, and Network Control, is the core protection suite for endpoint protection. Allowlisting and Ringfencing™ can be configured to work together to only allow permitted applications to run in the environment and to ensure these permitted applications do not interact with or call out to other applications or powerful tools, such as PowerShell. Network Control regulates traffic, keeping ports closed and opening on-demand for authorized connections.
- Remote Sites & Locations
- Establish and regularly review a policy and process to secure Remote Sites & Locations, and apply the following Best Practices:
- Disaster Recovery
- Entry/Exit Points
- Remote Access
ThreatLocker can assist with enforcing and reviewing the process to secure remote access. ThreatLocker Network Control is an endpoint and server firewall that allows for total control of inbound traffic to your protected devices. Once Network Control is enabled, the Unified Audit will log all network traffic.
Domain: Physical Security
Monitoring
- Data Centers, Co-locations & Cloud Providers
- For an owned and operated Data Center and/or Co-location, or when utilizing a Cloud Provider, proof can be provided via policy, procedure, or audit report documents, that includes the following Best Practices:
- Alarm System
- Application Hardening Guidelines
- Authentication & Authorization
- Camera System
- Change Control
- Contracts & Service Level Agreements
- Encryption
- Endpoint Protection
- Entry/Exit Points
- Environmental Controls
- Identity Access Management
- Incident Response
- Network Topology Diagram
- Patching
- Penetration Testing
- Risk Management
- Shared Security Responsibility Model
- Systems Configuration
- Vulnerability Management
- Web & Cloud Portals
ThreatLocker can assist by providing supporting documentation for audit report documents. For any of the ThreatLocker policies configured within the environment, the Unified Audit will log the corresponding activity.
Domain: Technical Security
Information Systems
- Data I/O Workflows & Systems
- Establish, document, and regularly review a workflow and process for Data I/O Workflows and Systems, to include the following:
- Use dedicated data I/O systems to move content between external networks (Internet) and internal networks (data I/O network, production)
- Scan all content for viruses and malware prior to ingest onto the network
- Segmented data I/O network and workflows
- Segregation of duties between data I/O staff and other staff (e.g., production, development, etc.)
- Implement separate isolated networks for data I/O and production
- Content movement must be initiated from the more secure layer (e.g., push/pull content at the data I/O zone to/from Internet; push/pull content at the production network to/from the data I/O zone)
- Implement strict (IP and port) layer 2/3 Access Control Lists (ACLs) to allow outbound network requests from the more trusted inner layer, and deny all inbound requests from the less trusted outer layers
- Hardware-encrypted hard drives using at least Advanced Encryption Standard (AES) 256-bit encryption can also be used to transfer data between production networks and data I/O systems (e.g., ‘air gapped network’)
- Delete content after it has been on the data I/O system for more than 24 hours
ThreatLocker can support the established workflows. The ThreatLocker Testing Environment can be used to scan new software for viruses and malware before adding it to the environment. ThreatLocker Network Control is an endpoint and server firewall that allows for total control of inbound traffic to your protected devices. Network Control allows for dynamic ACLs, which can automatically open ports based on a computer's or group of computers' location at a point in time.
- Endpoint Protection
- Establish and regularly review a process for Endpoint Protection, to include the following:
- Endpoint protection and anti-virus/anti-malware software with a centralized management console
- Updating anti-virus/anti-malware definitions regularly and performing regular scans on systems
- Apply to the following:
- Workstations (e.g., desktop, laptop, etc.)
- Servers
- SAN/NAS
- Virtual Machines
ThreatLocker can assist with enforcing endpoint protection. ThreatLocker Protect, which includes Allowlisting, Ringfencing™, and Network Control, is the core protection suite for endpoint protection. Allowlisting and Ringfencing™ can be configured to work together to only allow permitted applications to run in the environment and to ensure these permitted applications do not interact with or call out to other applications or powerful tools, such as PowerShell. Network Control regulates traffic, keeping ports closed and opening on-demand for authorized connections.
- Security Information & Event Management
- Implement Security Information & Event Management (SIEM) and regularly review system logs, to include the following:
- Centralized real-time logging of firewalls, authentication servers, network operating systems, content transfer systems, virtual machines/servers, storage services, databases, container-based application services, API gateway connections, key generation/management, etc.
- Retain logs for a period of one year, in accordance with local laws, regulations, and agreements
- Access to logging infrastructure should be restricted to authorized personnel only
- A synchronized time service protocol (e.g., Network Time Protocol (NTP)) to ensure all systems have a correct and consistent time
- Protect logs from unauthorized deletion or modification by applying appropriate access rights on log files
- Configure logging systems to send automatic notifications when security events are detected
- Assign personnel to review logs and respond to alerts
- Incorporate into Business Continuity Plan & Incident Response procedures
ThreatLocker can assist by providing supporting documentation of logs. The Unified Audit will log activity that corresponds with configured policies. These logs cannot be edited.
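Two of the logging requirements above, protecting logs from unauthorized modification or deletion and sending automatic notifications when a security event is detected, can be illustrated in code. The following is an added example and is not ThreatLocker code or Unified Audit output: the event records, the host and user names, and the field names are all constructed. It hash-chains each event to the one before it so that an edited, deleted or reordered record is detected on verification, and it runs a simple alert rule over the same events that fires when a user on a host accumulates the five invalid logons named in the Authentication & Authorization best practice within a fifteen-minute window.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (illustrative only; not real Unified Audit output).
# Timestamps are UTC, as an NTP-synchronised log source would emit them.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
    {"ts": "2024-05-01T09:00:30Z", "host": "srv-01", "user": "bob", "event": "logon_failed"},
    {"ts": "2024-05-01T09:01:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
    {"ts": "2024-05-01T09:01:10Z", "host": "srv-01", "user": "bob", "event": "logon_success"},
    {"ts": "2024-05-01T09:02:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
    {"ts": "2024-05-01T09:03:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
    {"ts": "2024-05-01T09:04:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
    {"ts": "2024-05-01T09:05:00Z", "host": "ws-01", "user": "alice", "event": "logon_failed"},
]

GENESIS = hashlib.sha256(b"genesis").hexdigest()  # fixed anchor for the first record


def _parse_ts(ts):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _digest(prev_hash, body):
    """Hash of the previous record's hash plus a canonical encoding of this event."""
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def chain_events(events):
    """Wrap each event in a record that commits to the hash of the record before it."""
    chained, prev = [], GENESIS
    for body in events:
        digest = _digest(prev, body)
        chained.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Return -1 if the chain is intact, otherwise the index of the first record that no longer fits.

    An in-place edit changes a record's hash; a deletion or reordering breaks the
    'prev' link of the record that follows it, so both are caught."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        if rec["prev"] != prev or _digest(prev, rec["body"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def tamper(chained, index, field, value):
    """Return a copy of the chain with one event field edited (simulates an unauthorised edit)."""
    copy = [dict(r, body=dict(r["body"])) for r in chained]
    copy[index]["body"][field] = value
    return copy


def failed_logon_alerts(events, threshold=5, window_minutes=15):
    """Alert once per (host, user) when failed logons within the window reach the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        if ev["event"] != "logon_failed":
            continue
        key = (ev["host"], ev["user"])
        now = _parse_ts(ev["ts"])
        q = recent[key]
        q.append(now)
        while q and now - q[0] > window:  # drop failures outside the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    chain = chain_events(SAMPLE_EVENTS)
    print("intact chain verifies at:", verify_chain(chain))
    print("edited record detected at:", verify_chain(tamper(chain, 2, "user", "mallory")))
    print("deleted record detected at:", verify_chain(chain[:1] + chain[2:]))
    print("alerts:", failed_logon_alerts(SAMPLE_EVENTS))
```

The chain only proves that records have not changed since they were hashed; the hashes themselves still need to live somewhere the log writer cannot rewrite (a separate append-only store, or periodic anchoring of the latest hash off-box), which is the same access-rights point the best practice makes.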
- Authentication & Authorization
- Establish and regularly review a policy to enforce Authentication & Authorization for all relevant full- and part-time employees, consultants, contractors, interns, freelancers, temporary workers, administrative accounts, and service accounts, to include the following:
- Unique username
- Use the Principle of Least Privilege (PoLP)
- For passwords and passphrases:
- Minimum password or passphrase length of at least 12 characters
- Minimum of 3 of the following parameters: upper case, lower case, numeric, or special characters
- Maximum password or passphrase age of 1 year (not applicable to service accounts)
- Minimum password or passphrase age of 1 day (not applicable to service accounts)
- Maximum of 5 invalid logon attempts
- User accounts locked after invalid logon attempts must be manually unlocked by a system administrator
- Can't reuse last 5 passwords or passphrases (not applicable to service accounts)
- Changing of password or passphrase upon detection of suspicious activity or incident
- For Multi-Factor Authentication (MFA), apply to the following:
- Any Internet facing systems, including webmail and web portal
- Source code repository
ThreatLocker can assist with enforcing an Authentication & Authorization policy. ThreatLocker Application Allowlisting and Storage Control can be configured to only allow a user to access specified applications and file paths, utilizing the Principle of Least Privilege. ThreatLocker Configuration Manager enables IT admins to set standardized Windows configurations, such as automatic lock policies, maximum password age, and minimum password length.
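The password and lockout parameters listed above are concrete enough to be checked mechanically. The following is an added example, not ThreatLocker code and not how Configuration Manager applies these settings: it encodes the listed thresholds (12 characters, 3 of 4 character classes, 1-year maximum and 1-day minimum age, no reuse of the last 5, lockout after 5 invalid attempts with administrator-only unlock) and evaluates a proposed password and an account state against them, including the service-account exemptions the best practice calls out. The `POLICY` dictionary, the function names and the SHA-256 history fingerprint are assumptions made for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# Parameters as listed in the MPA Authentication & Authorization best practice.
POLICY = {
    "min_length": 12,         # at least 12 characters
    "min_classes": 3,         # 3 of: upper, lower, numeric, special
    "max_age_days": 365,      # maximum age of 1 year (not service accounts)
    "min_age_days": 1,        # minimum age of 1 day (not service accounts)
    "history": 5,             # cannot reuse the last 5 (not service accounts)
    "max_failed_logons": 5,   # locked after 5 invalid attempts; manual unlock only
}

_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, pattern in _CLASSES.items() if pattern.search(password)}


def password_fingerprint(password):
    """Fingerprint used for the reuse check.

    SHA-256 keeps this example short; stored credentials should use a salted,
    slow KDF (bcrypt, scrypt or Argon2) rather than a plain hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(candidate, history, last_changed, today,
                       service_account=False, policy=POLICY):
    """Return the list of rules a proposed password violates (empty list means compliant).

    history: fingerprints of previous passwords, oldest first.
    last_changed: date of the last change, or None for a first-time password."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("min_length")
    if len(character_classes(candidate)) < policy["min_classes"]:
        violations.append("min_classes")
    if not service_account:  # age and reuse rules do not apply to service accounts
        if password_fingerprint(candidate) in history[-policy["history"]:]:
            violations.append("history")
        if last_changed is not None and today - last_changed < timedelta(days=policy["min_age_days"]):
            violations.append("min_age")
    return violations


def password_expired(last_changed, today, service_account=False, policy=POLICY):
    """True when the password is older than the maximum age (never for service accounts)."""
    if service_account:
        return False
    return today - last_changed > timedelta(days=policy["max_age_days"])


def logon_attempt_state(failed_attempts, policy=POLICY):
    """'locked' once the maximum number of invalid attempts is reached."""
    return "locked" if failed_attempts >= policy["max_failed_logons"] else "active"


def unlock(state, actor_is_admin):
    """A lockout is cleared only by a system administrator; nothing else changes the state."""
    if state == "locked" and actor_is_admin:
        return "active"
    return state


if __name__ == "__main__":
    today = date(2024, 5, 1)
    previous = [password_fingerprint("Correct-Horse-2023")]
    print(check_new_password("Sh0rt!", [], None, today))
    print(check_new_password("Correct-Horse-2023", previous, today - timedelta(days=30), today))
    print(check_new_password("Correct-Horse-2024", previous, today, today))
    print(password_expired(today - timedelta(days=400), today))
    print(logon_attempt_state(5), unlock("locked", actor_is_admin=True))
```

The minimum-age rule is the one most often forgotten: without it a user can cycle through six changes in a minute to get back to a favourite password, which defeats the history check entirely.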
- Cloud Misconfigurations
- Establish and regularly review a process for the detection and correction of Cloud Misconfigurations, to include the following:
- Proactive alerts
- Appropriate role(s) for reviewing and correcting misconfigurations
- A configuration and management tool
- Investigate and have a remediation plan for misconfigurations
ThreatLocker can assist with the detection and correction of Cloud Misconfigurations. ThreatLocker Configuration Manager provides a centralized, policy-driven portal where IT admins can set configuration policies per individual endpoint, computer group, organization, or across multiple organizations. ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and automatically respond to potential indicators of compromise or weakness in the environment.
- Security by Design & Privacy by Design
- Establish and regularly review a process to develop systems and applications based upon principles of Security by Design (SbD) and Privacy by Design (PbD), to include the following:
- Data protection and privacy requirements are included by default at the design stage and throughout the product development lifecycle
- According to local laws, regulations, and agreements
ThreatLocker can assist with data protection. ThreatLocker Application Allowlisting only allows the software you need, blocking ransomware, viruses, and other unwanted software from running. ThreatLocker Storage Control will enable you to protect your data from unauthorized access or theft by setting granular policies over your storage devices.
Network Security
- Network Configuration
- Place externally accessible servers (e.g., web servers, remote access servers, VPN gateways, remote access brokers, application servers, etc.) within a DMZ, VLAN, or a public subnet DMZ within a Virtual Private Cloud (VPC) and not on an internal network, to include the following:
- Isolate virtual or physical servers in the DMZ to provide only one type of service per server (e.g., web server)
- Implement network controls to restrict access to the internal network from the DMZ, or access from public subnets to private subnets within a VPC (e.g., ACLs, security groups, etc.)
- Maintain an inventory for the external IP addresses and components that are exposed to the Internet
ThreatLocker allows organizations to implement network controls. ThreatLocker Network Control allows granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs.
- Firewall Access Control List
- Establish and regularly review a policy and process to separate external network(s)/WAN(s) from the internal network(s) by using stateful inspection firewall(s), to include the following:
- Review Firewall Access Control Lists (ACLs) regularly
- Rules to generate logs for all traffic and for all configuration changes, and logs are inspected regularly
- Deploy a Web Application Firewall (WAF) in front of Internet facing web applications and APIs
- Apply the following configurations:
- Deny all WAN traffic to any internal network other than to explicit hosts that reside on the DMZ
- WAN network to prohibit direct network access to the internal content/production network
- Deny all incoming and outgoing network requests by default
- Enable only explicitly defined incoming requests by specific protocol and destination
- Enable only explicitly defined outgoing requests by specific protocol and source
- For externally accessible hosts, only allow incoming requests to needed ports
- Restrict unencrypted communication protocols (e.g., Telnet, FTP, etc.), and replace with encrypted versions
ThreatLocker can assist with applying and enforcing network configurations. ThreatLocker Network Control is an endpoint and server firewall that enables you to have total control over network traffic. Network Control allows granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs. Once Network Control is enabled, the Unified Audit will log all network traffic.
- Intrusion Detection & Prevention Systems
- Establish a policy and process to implement a network-based Intrusion Detection/Prevention System (IDS/IPS) to protect the network, to include the following:
- Configure the system to alert and block suspicious network activity
- Implement basic border gateway services (e.g., gateway anti-virus, URL filtering, etc.)
- Update attack signature definitions/policies regularly
- Log all activity and configuration changes
ThreatLocker can assist with implementing a network intrusion detection system. ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules, including Network Control, to identify and automatically respond to potential indicators of compromise or weakness in the environment. ThreatLocker Ops can be configured to alert and block suspicious network activity. The Unified Audit will log the corresponding activity.
- Internet Access
- Establish and regularly review a policy and process for Internet Access in production networks and all systems that process or store digital content, to include the following:
- Prohibit directly accessing unauthorized Internet sites, resources, or services
- Prohibit direct email access
- Implement firewall rules to deny all outbound traffic by default, including to the Internet and other internal networks
ThreatLocker can assist with enforcing an internet access policy. ThreatLocker Configuration Manager allows IT admins to block access to specified webmail providers. ThreatLocker Network Control is an endpoint and server firewall that allows for total control of inbound traffic to your protected devices. Ringfencing™ can be configured to limit what the application used to open your data can do or access, preventing permitted applications from being exploited or weaponized.
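The Firewall Access Control List best practice (deny all by default, explicit inbound allows by protocol and destination, explicit outbound allows by protocol and source, WAN reaches only DMZ hosts, no cleartext protocols) and the Internet Access best practice (deny all outbound by default) describe the same rule-matching logic, and the data I/O rule about allowing requests only from the more trusted inner layer is a special case of it. The following is an added example, not ThreatLocker Network Control code and not its rule format: a small stateless ACL evaluator over three constructed zones (`wan`, `dmz`, `internal`) whose only allows are explicit, which logs every decision, and whose review function flags the two rule mistakes the best practice warns about. It does not model stateful inspection or dynamic ACLs; the `Rule` and `Firewall` names, the zone names and the rule set are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Trust ordering of the constructed zones: a higher number is a more trusted layer.
TRUST = {"wan": 0, "dmz": 1, "internal": 2}

# Cleartext protocols the best practice says to restrict (illustrative subset).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                # "tcp" or "udp"
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"
    comment: str = ""

    def matches(self, pkt):
        return (self.src_zone == pkt["src_zone"] and self.dst_zone == pkt["dst_zone"]
                and self.proto == pkt["proto"]
                and (self.dst_port is None or self.dst_port == pkt["dst_port"]))


# Constructed rule set: every allow is explicit; anything else falls to the default deny.
RULES = [
    Rule("wan", "dmz", "tcp", 443, "allow", "public HTTPS to the DMZ web host only"),
    Rule("internal", "dmz", "tcp", 443, "allow", "inner layer publishes to the DMZ over HTTPS"),
    Rule("internal", "wan", "tcp", 443, "allow", "explicit outbound HTTPS from the inner layer"),
    Rule("internal", "wan", "udp", 123, "allow", "NTP so log timestamps stay synchronised"),
]


@dataclass
class Firewall:
    rules: list
    log: list = field(default_factory=list)

    def evaluate(self, pkt):
        """First matching rule wins; with no match the answer is deny. Every decision is logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                decision = (rule.action, rule.comment)
                break
        else:
            decision = ("deny", "default deny")
        self.log.append({**pkt, "action": decision[0], "reason": decision[1]})
        return decision[0]


def review_rules(rules):
    """ACL review: flag allows for cleartext protocols, and allows that let a less trusted
    layer initiate into a layer more trusted than the DMZ (WAN or DMZ into internal)."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.dst_port in CLEARTEXT_PORTS:
            findings.append("cleartext %s allowed: %r" % (CLEARTEXT_PORTS[rule.dst_port], rule))
        if TRUST[rule.src_zone] < TRUST[rule.dst_zone] and rule.dst_zone != "dmz":
            findings.append("less trusted layer may initiate inbound: %r" % (rule,))
    return findings


if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in [
        {"src_zone": "wan", "dst_zone": "dmz", "proto": "tcp", "dst_port": 443},
        {"src_zone": "wan", "dst_zone": "dmz", "proto": "tcp", "dst_port": 22},
        {"src_zone": "wan", "dst_zone": "internal", "proto": "tcp", "dst_port": 443},
        {"src_zone": "dmz", "dst_zone": "internal", "proto": "tcp", "dst_port": 445},
        {"src_zone": "internal", "dst_zone": "wan", "proto": "udp", "dst_port": 123},
        {"src_zone": "internal", "dst_zone": "dmz", "proto": "tcp", "dst_port": 23},
    ]:
        print(fw.evaluate(pkt), pkt)
    print(review_rules(RULES + [Rule("internal", "dmz", "tcp", 23, "allow", "legacy telnet")]))
```

Because the evaluator has no state table, return traffic for an allowed outbound connection would itself be denied here; a stateful inspection firewall, which the best practice requires, tracks the established connection and admits the reply without a separate inbound allow. Keeping the log of every decision, including default denies, is what makes the periodic ACL review above possible.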