back caretBlog

Watch Out for These Creative Streaming Methods

Get ready for March Madness with a few of our best examples of detecting video streaming at work

March Madness (noun): an annual event taking place in March in which millions of office workers hog up corporate bandwidth by streaming college basketball games over company wifi. Also a major college basketball tournament.

All joking aside, March Madness has actually turned into a major headache for a lot of IT departments. The ubiquity of streaming services has made it possible for sports enthusiasts and bracket holders everywhere to watch, or at least half-listen, to first- and second-round tournament games from the comfort of their ergonomic office chairs.

Streaming—whether it's March basketball or casual background music—chews up bandwidth, slowing down access to actual work resources for every employee. Many companies now expressly prohibit it on the main network, forcing employees to use guest or mobile networks if they want to stream.

But as ExtraHop has seen in numerous customer environments over the years, streaming rules were apparently made to be broken, and seem to inspire a high degree of creativity when it comes to getting around the restrictions. With March Madness just around the corner, here are a few of the best examples of the lengths to which people will go to get their fix.

Serving Up YouTube on Company Wifi

IT and security teams treat different devices differently. Traffic coming from human IP space (e.g. desktops, laptops, etc.) usually goes through proxy inspection to make sure no one is doing anything questionable and to enforce certain controls on things like, you guessed it, streaming. Non-human IP (e.g. servers), on the other hand, tend to get a bit more latitude and traffic often isn't proxied for speed and efficiency reasons.

Recently an ExtraHop customer was looking at some server traffic and noticed something very strange: YouTube traffic coming from a server. Yes, a machine untouched by humans was streaming music videos. A lot of them. And, because the traffic was coming from a server, it was exempt from proxy inspection (and subsequent controls).

Using ExtraHop Reveal(x) to investigate this strange behavior, the security team found that a human user had effectively turned this server into a jump box. The employee would remote in, connect up a YouTube stream, and listen away.

Netflix and… Drive?

These days, most organizations with any type of truck fleet equip those trucks with some type of hotspot or tablet device. These make it easier to communicate with the driver en route, facilitate things like mileage tracking, and simplify the processing of credit card payments for services, among other things.

You can check out a case study on this here.

But as many organizations are learning, these devices, even hotspots, can be a double-edged sword. For the most part, data utilization on these devices should be very low. They're meant to be used for very specific activities related to the driver's job and should incur minimal use.

One organization with whom ExtraHop works was seeing a consistently high data rate coming from one particular laptop installed in a truck. The rate was sustained all day, every day, far exceeding that of other devices. So they took a look at the traffic in ExtraHop. Turns out the driver was streaming Netflix as he travelled around the city—all day, every day. Definitely not an approved use of company resources, not to mention a major safety hazard.

March Madness

Just in case you're thinking to yourself, "Ok, I get the music streaming thing and I gotta commend that truck driver on his creative binge-watching strategy, but how many people seriously stream basketball games at work?"

The answer is: a lot. A lot of people stream basketball games at work. This is an old screenshot from a few years ago, but it still gets the point across. What you see below is live tracking of how many people were streaming individual basketball games. Yes, ExtraHop can not only tell you that people are streaming, we can tell you what they are streaming, as it happens.

Parting Thoughts

Whenever I see one of these stories hit my inbox, I always have to chuckle and appreciate the lengths people will go to for entertainment. But it's important to remember that these unsanctioned uses of company resources can have far-reaching implications. Whether it's taking a driver's eyes off the road, potentially exposing a company server to malicious interference, or just slowing down company internet, streaming isn't a victimless policy violation.

So folks, if you have to stream that basketball game, use your mobile network or at least the guest wifi. And for pity's sake, leave the servers alone.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed