Companies in a digital world are at an interesting crossroad in terms of security. On the one hand, there is an expectation that their systems and services will be available to consumers 100% of the time. On the other hand, companies now face a much bigger threat profile predicated on the fact that when they are not achieving 100% uptime, the downtime experienced is a direct cause of costly losses.
Consider the DDoS attack. In this style of attack (the instances of which are vastly increasing), the goal is not to gain entry to a network, but to cripple it and bring it down. Cybercriminals of today realize they do not have to steal anything to profit. They recognize, and exploit, the vast brand damage and expense that can be caused by a company simply by being offline. Recently, popular event organizing site Meetup.com experienced just this type of attack. After launching a massive DDoS attack to cripple their services, the attacker contacted Meetup offering to stop the attack for $300. Yes, this is an almost laughably marginal sum (though it may have been a probe to see if this company is susceptible to blackmail). Regardless of the demand, the implications are clear: Cybercriminals are changing the complexity and nature of their attacks to take advantage of the demand for 100% uptime.
Not all threats that have the same capacity to disrupt your system are malicious in intent. Take a look at another recent example – the 86th Academy Awards (the Oscars). As part of the program host Ellen DeGeneres wanted to break the record for “most re-tweeted selfie”. She took a picture of herself surrounded by a number of big name celebrities and posted it during the show. While she accomplished her goal, the volume of re-tweets also managed to crash Twitter for 20 minutes. Now, there are no reports as to the cost of the outage, and it seems there may be some users unaffected by the disruption, but this is a great example of benign intent with very real consequences for a business. Many companies have started to integrate interactive components to their goods, services, or content, and while this is a great strategy it is important that businesses properly prepare for the demand it may put on their IT systems.
Fortunately, there is lots of development and innovation in the world of security that can help companies architect for resilience. Here’s a great example that synthesizes both of the previous ideas: the Eurovision Song Contest is an internationally televised singing competition featuring countries from around the world that reaches over 170 million viewers. The competition encouraged viewers to participate online, but during the semifinal rounds they experienced crippling malicious DDoS attacks. Eurovision alone was not prepared to handle attacks of the size and nature they were faced with, so they engaged CloudFlare, a Content Delivery Networks vendor who was able to eliminate all service disruptions.
Knowing that the capabilities of your infrastructure will be tested, and will possibly fail, is an important step in developing resilience. That is why Netflix, Facebook, Etsy, and others have dedicated teams to test the strength of their systems. Gilt, a flash sales site, is another example. They use Akka to build a concurrent, distributed and fault-tolerant event-driven application that handles the daily burst in traffic when flash sales go live. The workload management tool Akka helps developers go beyond agile and leverage their cloud infrastructure investments to build more distributed and concurrent applications and services, adding resiliency to organizational while decreasing deployment timelines.
As businesses transform to truly digital businesses with the need to satisfy a demand for “always on” preparedness will be key. IT leaders need to re-evaluating their systems today to ensure they have the right tools, experts, and capabilities in place to ensure they are actively defending their infrastructure.