Bleacher Report boosts its security game plan with self-protecting applications. Enterprise Application Security Case Study April 2015



Similar documents
The Evolution of Enterprise Application Security. Why enterprises need runtime application self-protection

THE EVOLUTION OF ENTERPRISE APPLICATION SECURITY

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

Improving your Secure SDLC ( SSDLC ) with Prevoty. How adding real-time application security dramatically decreases vulnerabilities

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

5 reasons hackers love your application security strategy. February 2015

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Manage the unexpected

Lavastorm Analytics and Mobistar Reducing Mobistar s Fraud Risk Profile with Real-time Analytics and Collaboration

Vulnerability Management

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

10 Things Every Web Application Firewall Should Provide Share this ebook

Making the Internet Business-Ready

Doyourwebsitebot defensesaddressthe changingthreat landscape?

Beyond passwords: Protect the mobile enterprise with smarter security solutions

How Companies Can Improve Website & Web Application Security. Even with a Tight IT Budget

Enabling Database-as-a-Service (DBaaS) within Enterprises or Cloud Offerings

Harnessing the Power of Big Data for Real-Time IT: Sumo Logic Log Management and Analytics Service

How Web Application Security Can Prevent Malicious Attacks

Selecting the right cybercrime-prevention solution

The Advantages of Enterprise Historians vs. Relational Databases

McAfee Total Protection Reduce the Complexity of Managing Security

!!!!! BIG DATA IN A DAY!

Boosting enterprise security with integrated log management

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

I D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!

The Evolution of Application Monitoring

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Continuous Network Monitoring

Advantages of Managed Security Services

CoreMedia 6

IT Security & Compliance. On Time. On Budget. On Demand.

Interactive Application Security Testing (IAST)

Requirements When Considering a Next- Generation Firewall

Reaching Customers Across Multiple Channels

Network Security Redefined Vectra s cybersecurity thinking machine detects and anticipates attacks in real time

Five reasons SecureData should manage your web application security

DELIVERING EXCEPTIONAL CUSTOMER CARE

GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY

APPLICATION DELIVERY

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

A strategic approach to fraud

The Hillstone and Trend Micro Joint Solution

MANAGED SERVICES PROVIDER. Dynamic Solutions. Superior Results.

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

The Advantages of Plant-wide Historians vs. Relational Databases

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

I D C T E C H N O L O G Y S P O T L I G H T

Achieve Economic Synergies by Managing Your Human Capital In The Cloud

Adobe Experience Manager Apps

Securing Your Business s Bank Account

Intelligent, Scalable Web Security

Closing the Biggest Security Hole in Web Application Delivery

The Web AppSec How-to: The Defenders Toolbox

Symantec Messaging Gateway 10.5

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Do the impossible simply

End-to-End Application Security from the Cloud

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

The Value of Vulnerability Management*

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Guide to AWS. Brought to you by

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

CASE STUDY. Varian ARIA Offering oncologists better tools to help patients

Symantec Messaging Gateway powered by Brightmail

tibbr Now, the Information Finds You.

Solace s Solutions for Communications Services Providers

Best Practices in Digital Rights Management:

The Case For A Cloud Access Security Broker

Trend Micro. Advanced Security Built for the Cloud

Mobility in Claims Management

CylanceINFINITYENGINE: Applying Data Science to Advanced Threats

How To Compare The Two Cloud Computing Models

On-Premises DDoS Mitigation for the Enterprise

Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments

Moving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010

Developing a mobile-first strategy across your campus

Put a Firewall in Your JVM Securing Java Applications!

APIs The Next Hacker Target Or a Business and Security Opportunity?

Elastic Private Clouds

A Successful SharePoint Migration: Best Practices Before, During and After Your Migration

Fly. Wealth and Retirement IT Hosting

Managed Security Services for Data

The New PCI Requirement: Application Firewall vs. Code Review

Changing the Enterprise Security Landscape

WHITE PAPER Fighting Banking Fraud Without Driving Away Customers

The SIEM Evaluator s Guide

SECURING IDENTITIES IN CONSUMER PORTALS

The webinar will begin shortly

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Finding Security in the Cloud

DATAMEER WHITE PAPER. Beyond BI. Big Data Analytic Use Cases

Transcription:

Bleacher Report boosts its security game plan with self-protecting applications Enterprise Application Security Case Study April 2015

Bleacher Report s Challenges 1 2 3 Foster a safe, trusted community for secure information sharing, quality sports news delivery, and fan engagement Produce around-the-clock, breaking content that informs and entertains without any application performance, availability or functionality setbacks Reduce risk and impact of high attack volume and relieve burden of reactive application security strategies on in-house engineering resources The Solution Sports media leader Bleacher Report deployed Prevoty s Runtime Application Self- Protection (RASP) product to prevent application layer threats such as cross-site scripting (XSS) and SQL injections (SQLi) and fight high volumes of spam, profanity and other flagged content. Leveraging Prevoty helped Bleacher Report redouble its efforts on growing a successful digital publishing business and engineer product innovations without fear of data exfiltration, brand defacement, user identity theft and fraud. Bleacher Report joins the sports media major league Bleacher Report (B/R), a Turner Broadcasting System company, is a leading sports media publisher of real-time programming content covering hundreds of U.S. and international sports teams. Since launching in 2007, Bleacher Report quickly rose to become a topranking sports entertainment destination, nurturing and engaging an audience of over 80 million monthly unique visitors and over 1 billion monthly pageviews. 2

Sports media technology driven by data and community A fast-growing digital media innovator, Bleacher Report presents comprehensive sports commentary through a network of paid freelance contributors all accessing shared publishing software. In addition to maintaining a high-traffic web application, Bleacher Report brings real-time sports entertainment to a vast user base through multiple outlets and platforms -- from syndication partners such as USA Today, Los Angeles Times, Philly. com, and the San Francisco Chronicle, to native mobile applications for Android and ios. The company initially built its platform on Amazon Web Services (AWS) and the Ruby on Rails framework for their scalability and speed-to-market capabilities. For a while, the company successfully leveraged out-of-the-box security services already available on these platforms. Data informs all of Bleacher Report s engineering decisions, product development and content strategies. This approach has helped fulfill consumer demand and fuel serious growth. As the publication s readership and popularity grew, however, so did its backlog of flagged content and its trove of exploitable personal data. Content: friend or foe? Great content and a reliable news experience are the lifeblood of a company like Bleacher Report. In an industry where falling behind is unacceptable, the Bleacher Report team suddenly found itself tackling not just a few spikes of questionable content but hundreds of pages littered with spam and code injection attacks. Heavy onslaughts of excessive content, cross-site scripting (XSS) and SQL injections (SQLi) taint the browsing experience, threaten the security of its users, and ties up the company s technical resources in a neverending chase. At first, Bleacher Report tapped into its in-house talent to develop a homegrown anti-spam mitigation solution for high-volume, basic spam attacks. It handled usergenerated flags as well as the results from expression-matching algorithms. This solution worked effectively up to a certain point, but required significant upkeep. The company was constantly dedicating over a quarter of its technical team s time to manually analyze their administrative tool in order to identify new or unusual patterns, monitor and fix logged issues. 3

The business burden of security expertise Less sophisticated attacks will try a technique and with that information, it s easy to identify and eliminate future attempts. The more sophisticated attackers continue to find new ways to work around simple matching algorithms. - Chris Nguyen, Senior Director of Product Management The team set aggressive rules to overcompensate for the increase in sophisticated, unknown attacks, but this introduced a new problem: a constant stream of false positives. The added strain was not only detrimental to the user experience, but it also diverted resources away from critical business projects and into deciphering false alarms. It soon became clear that a spam detection system -- albeit successful in its original intent -- was not enough for a company with such a large market footprint. A reactive security strategy meant that pattern definitions would often go stale and sophisticated unknown (a.k.a. zero-day) attacks would fly right through their perimeter stopgaps. Bleacher Report needed a contextual, signatureless application security solution that would help its development team capitalize on its strongest business suit: producing superior applications -- not being security experts. Bleacher Report and Prevoty: a partnership for self-protecting apps Bleacher Report teamed up with Prevoty to make its applications smarter and more secure with Prevoty s runtime self-protection capability. Using Prevoty s pre-built API libraries, Bleacher Report seamlessly integrated proactive security directly into their applications. We wanted a true partnership and not just another vendor, said Chris Nguyen, Senior Director of Product Management, Bleacher Report. Prevoty s attention to detail, followup and consultative approach gave us a confidence and transparency that we rarely see. 4

With applications that could now self-protect against targeted attacks automatically upon deployment, Bleacher Report s team was able to redouble its core product development efforts and reaped many benefits: Performance Bleacher Report realized operational performance improvements as a result of using the Prevoty service. With its submillisecond speeds, the Prevoty engine had no impact whatsoever on Bleacher Report s performance. To the contrary, the team actually experienced workflow improvements. For instance, Bleacher Report suspected hardware issues were causing performance degradation, but after deploying Prevoty, they quickly realized that improvements in memory caching improvements would solve the problem. Threat Prevention Prevoty s contextual security engine analyzes and sanitizes content, queries and state changing activities. Any attempts at cross-site scripting (XSS) and SQL injection (SQL injection) are prevented in real-time, without relying on past definitions or signatures. By including Prevoty, secure coding best practices are followed and vulnerabilities aren t just identified -- they are mitigated instantaneously. Bleacher Report then used Prevoty s detailed console to interpret attack behavior and gain threat intelligence. Prevoty makes sense. It s far more cost-effective to use a tool that can grow with you as your user base continues to grow and as the attacks grow more sophisticated than to bring in full-time staff to take on the role. - Chris Nguyen, Senior Director of Product Management, Bleacher Report. Bleacher Report moved beyond detection and into active prevention. Security was automatic, requiring far less maintenance. Bottom Line Prevoty was a game changer for our development team -- elevating our internal discussions to build better, faster product and servicing our end users versus focusing on how to secure it. - John Degner, Lead Engineer, Bleacher Report 5

Partnering with Prevoty gave Bleacher Report the room to dive into its core competencies and focus on the tasks at large: implementing a secure software development life cycle (SSDLC) and defining -- on a holistic level -- the internal processes and workflows that would lead to smarter, attack-resistant applications that sports fans everywhere can trust. About Prevoty Prevoty was founded in 2013 with a vision to revolutionize application security: why not enable applications to protect themselves? Prevoty delivers breakthrough RASP (Runtime Application Self Protection), making it easy for security professionals and application developers to block top application layer attacks automatically, eliminate vulnerabilities, and secure both legacy and new software. In-app calls to Prevoty s contextual security engine validate inputs, queries and user tokens before they hit your application and database. To find out more about how Prevoty can protect your enterprise from next generation threats in your web application, contact us today: info.prevoty.com 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information