THE STATE OF MEDIA SECURITY | Akamai · different types of security breaches, with SQL injections,...
Transcript of THE STATE OF MEDIA SECURITY | Akamai · different types of security breaches, with SQL injections,...
THE STATE OF MEDIA SECURITYHOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES
The State of Media Security
2
TABLE OF CONTENTS
3 Introduction
4 SurveyFindings
4 RecentBreachesSpanaBroadSpectrum
4 SiteDowntimeandEnterpriseApplicationSecurityAretheGreatestConcerns
5 PremiumContentisKeytoaSuccessfulVideoStrategy,ButItMustbeProtected
6 MediaCompaniesLagBehindOtherIndustriesinUsingCloudSolutions
toDefendAgainstDDoSAttacks
7 DefendingAgainstWebApplicationAttackswithCloudandOn-PremiseFirewalls
7 DealingWithAutomatedorBotTraffic:33%AreStillManuallyInvestigating
8 MediaOrganizationsAreNotCompletelyConfidentinTheirCurrentSecurityMeasures
9 Conclusion
The State of Media Security
3
For media companies, the over-the-top (OTT) content opportunity is larger
than ever and is projected to continue its rapid growth in the coming years as
more viewers are “cutting the cord” and consuming their TV over the Internet.
These organizations have the opportunity to not only replace traditional TV, but to
provide a better-than-TV experience through personalization and other online-based
innovations. In order to take advantage of this tremendous opportunity, broadcasters
and OTT providers need to deliver flawless, uninterrupted viewing experiences to
each and every one of their viewers. A key part of delivering that viewer experience
will be securing it; not only the content itself, but perhaps more importantly, your
applications, sites, and data, as the amount of cyber-attacks continues to grow.
A survey of almost 200 media technology influencers and decision-makers by
BizTechInsights on behalf of Akamai Technologies reveals the most common types
of attacks organizations are facing, the measures they are taking to protect against
them, their biggest security concerns, and more.
INTRODUCTION
The State of Media Security
4
SURVEY FINDINGS
Recent Breaches Span a Broad SpectrumSecuritybreachesthatgobeyondstealingpremiumcontent
arearealandpresentdangerformediaorganizations.Attacks
arewidespreadandofdifferenttypes.Thefourmostfrequent
breachesinthesurveywereSQLinjections(23%),DNSattacks
(21%),contentpirating(20%),andDDoS(17%).Thesefindings
showthatorganizationsmustbepreparedforalargevariety
ofattacks.
23% 21%
17%
11%
6%
2%0%
8%
15%
23%
30%
Figure 1: Which security breach has your organization recently experienced?
SQL injection DNS attack
Pirated content
DDoS attack Account hacks
Website defacement
XXS attack (cross-site scripting)
20%
Site Downtime and Enterprise Application Security Are the Greatest ConcernsIt’snosecrettomedialeadersthatthreatsaremultiplyingacrossallvectorsandgrowinginsize.Reflecting
theprevalenceofsecuritybreachesintheprecedingchart,26%ofrespondentsindicatedthatslowsite
performanceordowntimeduetoDNSattacksaretheirnumberoneconcern,whileanother17%chose
DDoSmitigationandsite/applicationprotection.Thesefindingsarenotsurprisingasviewerscannot
consumeyourcontentifitisnotavailable.Thesecondhighestareaofconcernwasprotectingpremium
videocontent(23%).Interestingly,enterpriseapplicationswasthethirdmostcommonconcern.Nextin
thesurveywasmanagingthebusinessimpactofbots(15%).
Breaches that go beyond stealing premium content are
a real and present danger.
The State of Media Security
5
26%
Figure 2: What are your biggest concerns when itcomes to securing your online video business?
0%
8%
15%
23%
30%
23%
20%
15%
13%
4%
DNS attacks Protecting premium
video content
Enterprise/internal
application security
Managing the business and IT impact of
bots
DDoSmitigation
Website and application protection
Premium Content is Key to a Successful Video Strategy, But it Must be ProtectedForbusinessestoprofitablyprovidepremiumvideocontent,theyshouldemployanongoingprocessto
protectitagainstunauthorizedusageanddistribution.Inthisendeavor,organizationsfacechallengesin
implementingtechnologiestoassertcontroloveraccessandusage.Encryption(34%)rankedasthetop
challenge,whilepreventinglinksharing(25%)anddigitalrightsmanagement(24%)weresecondandthird,
respectively.
34%
Figure 3: When it comes to protecting your premium content,what are your organization’s biggest challenges?
0%
10%
20%
30%
40%
25%24%
13%
2% 2%
Encryption Preventing link sharing
Digital rights management
Securing communications
with end viewers
(TLS security)
Managing geographic
rights restrictions
Watermarking
The State of Media Security
6
Media Companies Lag Behind Other Industries in Using Cloud Solutions to Defend Against DDoS Attacks Organizationsarepursuingseveraltechnologystrategiesinorder
toprotectagainstDDoSattacks--ahighpriorityaspreviously
noted.Thedefensivemeasuremostfrequentlycitedwasthe
useofanetworkfirewallinthedatacenter(31%).Theuseof
adedicated“scrubber”DDoSmitigationsolution(26%)was
aclosesecondwhileutilizinganintrusionpreventionsystem
inthedatacenter(17%)wasthethirdmostpopularmeasure.
Surprisingly,only14%ofrespondentsindicatedtheyareusing
cloud-basedCDNDDoSmitigation,amethodthathasbeen
morewidelyadoptedinotherindustries.
0%
10%
20%
30%
40%
12%14%
26%
17%
31%
Figure 4: Describe your organization’s strategy aroundprotecting your online video business from DDoS attacks.
Network firewallin the data
center
Dedicated "scrubber" DDoS
mitigation
Intrusion prevention
system in the data center
Cloud-based CDN DDoS mitigation
DDoS mitigation
from my ISP
Only 14% are using cloud-based CDN DDoS
mitigation, which has been more widely adopted in
other industries.
The State of Media Security
7
Defending Against Web Application Attacks with Cloud and On-Premise FirewallsThemajorityofsurveyrespondentsindicatedtheyareusingacloud-basedwebapplicationfirewall
and36%ofrespondentsindicatedtheyuseon-premisemeasuresinadditiontocloud-basedprotections.
28%ofrespondentsindicatedthattheyonlyrelyonanon-premisewebapplicationfirewallwhile20%
saidthattheyonlyusecloud-basedwebapplicationfirewalls.
0%
9%
18%
27%
36%
16%
28%
20%
36%
Figure 5: Describe how your online video businessprotects against web application attacks.
Combination of on-premise and
cloud-based web application firewall
On-premise web
application firewall
Cloud-based web
application firewall
Regular application
security audits and testing
Dealing With Automated or Bot TrafficNon-humanagents,orbots,makeupalargepercentageoftoday’sInternettraffic.Someofthesebotsare
beneficialtoyourbusinesswhileotherscancauseseriousdamage.Somebotscanexploitstolencredentials
tocircumventsubscriptionswhileotherscouldscrapeyoursitestostealcontentandsensitivedata.Because
ofthis,organizationsneedtomanagebots,notcompletelyblockthem.Ofsurveyrespondents,22%areusing
apurpose-builtbotmanagementsolutionwhile33%aremanuallyinvestigatinglogstomanagebots.
The State of Media Security
8
Figure 6: How do you address automated or bot traffic today?
0%
13%
25%
38%
50%
1%
33%
22%
45%
Existing security solution, like a
WAF or firewall
Manually investigate logs and block individual IP
addresses
Purpose-built bot
management solution
We don't do anything to address our automated or bot traffic today
Media Organizations are Not Completely Confident in Their Current Security MeasuresOnly1%ofsurveyrespondentsindicatedtheyare“veryconfident”
intheircurrentsecuritymeasuresandoverhalfseemtobeonthe
fenceaboutwhetherornottheyarefullypreparedtoprotectagainst
today’sthreats.Another3%indicatedtheyarenotveryconfidentin
theircurrentsecuritymeasures.Ahealthydoseofskepticismand
alwaysstrivingtoimprovesecuritymeasuresarenecessaryascyber-
attacksbecomelargerandmorepublicized.Itseemsthateverymonth
anattackmakesglobalnews,causingseveredamagebothtobrands
andconsumers.
Only 1% are “very confident” in their current
security measures.
The State of Media Security
9
Figure 7: How confident are you that your organization's current securitymeasures provide sufficient protection against today's web threats
[Rate on a scale of 1-5; 1=not confident, 5=very confident]?
0%
15%
30%
45%
60%
1%
57%
39%
3%
2 3 4 5
CONCLUSION Asthenumberandvarietyofcyber-attacksincrease,mediaorganizationsneedtotakemeasurestoprotect
theirentireonlinebusiness,notjusttheirvideostreams.Surveyrespondentsrecentlyhavesufferedseven
differenttypesofsecuritybreaches,withSQLinjections,DNSattacks,contentpiratingandDDoSattacks
leadingtheway.
Mediacompaniesappeartobeawareofthesethreatsandaretakingstepstomitigatetheriskstheyface.
However,theyarenotyetconfidentthesolutionstheyhaveputinplacearesufficienttoaddresstherisks
totheirbusinesses--only1%ofsurveyrespondentsindicatedtheywere“veryconfident”intheircurrent
securitymeasures.Suchagapindicatesmediacompanieswillremainvulnerabletoattackersuntilthey
employstrongsecuritymeasuresacrosstheirentireonlineecosystem.
Formediacompanies,solvingthesecuritychallengemeansestablishingprocesses,communicationsand
programs,notmerelydeployingasingle-point-in-timesolution.Otherindustrieshaveaddressedsecurityby
establishingindustryforums,educationseminarsandcloselinkstogovernmentalsecurityagencies.Such
measuresenableindustryplayerstobewellinformedaboutthelatestsecuritychallengesandsolutions,
givingthemconfidenceintheparticularsecuritysolutiontheyhavechosentodeploy.Asimilarindustry
communityandcommunicationsystemisdevelopingamongmediacompaniesandlikewisewillhelpbring
awarenessandconfidence.n
The State of Media Security
10
About Akamai Astheworld’slargestandmosttrustedclouddeliveryplatform,Akamaimakesiteasierforitscustomers
toprovidethebestandmostsecuredigitalexperiencesonanydevice,anytime,anywhere.Akamai’s
massivelydistributedplatformisunparalleledinscalewithover200,000serversacross130countries,
givingcustomerssuperiorperformanceandthreatprotection.Akamai’sportfolioofwebandmobile
performance,cloudsecurity,enterpriseaccess,andvideodeliverysolutionsaresupportedbyexceptional
customerserviceand24/7monitoring.Tolearnwhythetopfinancialinstitutions,e-commerceleaders,
media&entertainmentproviders,andgovernmentorganizationstrustAkamai,pleasevisitwww.akamai.
com,blogs.akamai.com,or@AkamaionTwitter.
Copyright©2017AkamaiTechnologies,Inc.AllRightsReserved.Nopartofthispublicationmaybereproduced,transmitted,
transcribed,storedinaretrievalsystemortranslatedintoanylanguageinanyformbyanymeanswithoutthewrittenpermission
ofAkamaiTechnologies,Inc.Whileeveryprecautionhasbeentakeninthepreparationofthisdocument,AkamaiTechnologies,Inc.
assumesnoresponsibilityforerrors,omissions,orfordamagesresultingfromtheuseoftheinformationherein.Theinformationin
thesedocumentsissubjecttochangewithoutnotice.AkamaiandtheAkamaiwavelogoareregisteredtrademarksorservicemarks
intheUnitedStates(Reg.U.S.Pat.&Tm.Off).AkamaiIntelligentPlatformisatrademarkintheUnitedStates.Productsorcorporate
namesmaybetrademarksorregisteredtrademarksofothercompaniesandareusedonlyforexplanationandtotheowner’sbenefit,
withoutintenttoinfringe.Published12/17.AkamaiandtheAkamaiwavelogoareregisteredtrademarksorservicemarksintheUnited
States(Reg.U.S.Pat.&Tm.Off).