How ViacomCBS Digital delivers uninterrupted content streaming to millions of fans without compromising security: Lessons for enterprise CISOs

Each day, ViacomCBS Digital sees a growing surge in digital content demand-from MTV and Comedy Central to CBS Sports, rushing across its Paramount+ (formerly CBS All Access) streaming platform. Delivering digital content to millions of users on a daily basis doesn't happen on its own-it makes it to the screens of subscribers and fans across the globe thanks to the hard work of the many Paramount+ developers and engineers. Not surprisingly, many of them do not carry security in their titles. This poses a dilemma many security leaders of large organizations face: how to beat the hackers to the punch and keep their digital content infrastructure secure.

We had the privilege to learn from Johnathan Keith, Director of Information Security at ViacomCBS Digital, about meeting this growing, complex security challenge. Brian Johnson, Senior Vice President Cloud Security and co-founder of DivvyCloud, joined Johnathan in exploring the many hats security leaders have to wear to keep digital infrastructure and critical workloads highly available and secure. The session explored not just the technical aspects of applying an automated remediation approach, but also the important dynamics between individuals, roles, departments, and organizations in keeping coveted content, applications, and data safe from unintended security gaps, cyber threats, and attacks.

Hackers are beating enterprise security teams to the punch

The sobering reality is hackers have new advantages over burdened enterprise security teams. 'Hackers have now gained access to the same resources that companies have,' Brian said. 'They can now ramp up their attack efforts to match our ability to defend ourselves.' There's a lucrative prize for the hackers too-exfiltrated data that could be worth millions-so hackers' motivation keeps running high.

It doesn't help that for many enterprises, the cybersecurity skills shortage is getting worse. Research from ESG and ISSA shows that 70% of cybersecurity professionals claim their organization is impacted by the cybersecurity skills shortage. The consequences of this shortage? An increasing workload on the existing cybersecurity staff, long-standing open jobs, an increase in hiring and training junior personnel, and an inability to learn or utilize security technologies to their full potential, per CSO magazine coverage of the research findings.

Hackers face no such challenges. Their job is exploiting vulnerabilities in increasingly complex cloud environments with porous security measures.

What's more, the attack surface for hackers has become increasingly wide-not just the massive quantities of content being served up daily, but the supporting cloud assets that are far more difficult to keep track of than in years past. Brian calls it 'the signal to noise problem.'

While data and applications used to be housed on-premises on a couple of dozen servers, now it's spread over thousands of instances and containers in multiple cloud environments across the globe. Those who create them can't easily track them-a container can end up in a less secure VM that the creator no longer has access to. Yet hackers can find it and do damage.

Then there is the additional challenge that comes with using Infrastructure as Code /IaaS (for example, Terraform). Leading enterprises such as ViacomCBS use IaaS to weave together a lot of components quickly and deploy them in a variety of environments-some public, some private-around the world. As the complexity of digital infrastructure environments grows, so does the need for intelligent automation to enable continuous visibility, monitoring, and remediation. In such environments, manual processes no longer cut it.

It's not all doom and gloom: A unified cloud security framework for Dev, Sec, and Ops

Many cybersecurity leaders are starting to prioritize more preventative strategies, 'shifting left' by bringing security guardrails into the automation build pipeline and partnering more closely with the DevOps community. After all, the best security problems are the ones that don't manifest in live environments, and the best solution is to fix problems at the source.

It's become common of late to say that security issues need to be addressed by shifting left. In this model, instead of the security team having to solve the problems that arise in production, developers are equipped to prevent these issues from happening in the first place. What's needed is more than a shift. Developers, much like their ops and sec counterparts, need new tools for tackling security issues at the beginning of the dev cycle. And all these teams need a new framework to align around as they play their parts. Unified visibility across multi-cloud environments, such Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, is the starting point.

Automation and real-time remediation come next. One of the best ways to ensure an inclusive dialog, and that dev on the left and sec and ops on the right all have what they need, is to be united around an intelligent, automated remediation solution, such as DivvyCloud. Johnathan shares that given everything he and his teams need to address, DivvyCloud has been critical to keeping track of vulnerabilities and automatically remediating issues before it is too late.

To learn more about the challenges faced by ViacomCBS and how the co-founder of DivvyCloud suggests companies fight ongoing hacker threats, watch theon-demand webinar here.

For more information about protecting against vulnerabilities in similar environments, read our2020 Vulnerability Intelligence Report and howDivvyCloud helps protect against such threats.

To contact a representative about DivvyCloud, Rapid7's solution for cloud workload protection,click here.