Time has a way of changing our perspective on things. New experiences and the evolution of everything around us can’t help but cause us to reconsider past ideas and outlooks. It is a truism of life that extends into many areas, including the way we look at IT.
The perspectives on how best to address cyber security threats have gone through their own evolution. Headlines suggest that for a threat like DDoS the challenge is simply having enough capacity to absorb volumetric attacks. We know from experience that it isn't that simple. An effective answer to DDoS has to account for three core characteristics of an attack: the number of vectors, the volume, and the duration. Escalation on any of the three presents its own challenge, and the best approach balances preparation with response.
We track each of these characteristics across a number of inputs in our annual Global Application & Network Security report. This year we surveyed over 300 information security practitioners, and the results around attack duration were especially interesting; I'll highlight a couple of them here.
First, we found a troubling gap between the percentage of attacks lasting over a day and respondents' stated ability to mitigate for a day or more. According to the survey, nearly half of attacks last a day or longer. Yet when asked about their ability to fight around-the-clock attacks effectively, over half (52%) indicated that they could not sustain a response beyond 24 hours. This disparity between what attacks demand and what teams can deliver highlights a broader issue: the difficulty of building and maintaining internal security operations teams that can reasonably be expected to keep up with a fast-moving threat landscape.
This challenge also plays right into another compelling take-away. In past years, we’ve seen a relatively small percentage of respondents say they operate in a state of constant attack. That number jumped threefold from 2013 to 2014, with now nearly 20% of respondents indicating they are under constant attack.
This shift is significant. Most security teams treat incident response and management as a pillar of their operation, built on the premise that an attack has a starting point, an end point, and then a series of processes to assess and remediate. The common phases of incident or emergency response (identification, containment, eradication, recovery, and policy adjustment) look very different when they run as a rolling, never-ending process.
And how exactly can we expect the teams asked to manage these incident response processes to do that work when they are often the very same people running triage on whatever the newest attack against the organization happens to be? Not surprisingly, many of the organizations reporting a state of constant attack are in the verticals with the longest history of cyber threats. But we now know for a fact that attacks target every imaginable industry. No one is immune, and it is reasonable to assume that the constant-attack reality will spread to other industries.
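To make the two survey findings above concrete, here is an added example (it is not code from the report or from Radware) that runs the same two questions over an attack log: what share of attacks last a day or longer, how many outlast the window a team can sustain round-the-clock mitigation, and whether the gaps between attacks are short enough that the organization is effectively under constant attack. The log format (`start|end|vector,vector`), the sample records, the vector names, and the thresholds used to define "constant attack" are all assumptions made for the example.

```python
"""Attack-duration analytics over a constructed attack log (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Attack:
    start: datetime
    end: datetime
    vectors: frozenset  # attack vectors seen in this incident

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def parse_log(lines):
    """Parse 'start|end|vector1,vector2' lines (a format assumed for this example)."""
    attacks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, end_s, vec_s = line.split("|")
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"end before start: {line}")
        attacks.append(Attack(start, end, frozenset(v.strip() for v in vec_s.split(","))))
    return attacks


def merge_intervals(attacks):
    """Merge overlapping attack intervals so concurrent attacks count as one busy period."""
    merged = []
    for a in sorted(attacks, key=lambda a: a.start):
        if merged and a.start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], a.end))
        else:
            merged.append((a.start, a.end))
    return merged


def longest_quiet_gap_hours(attacks, period_start, period_end) -> float:
    """Largest attack-free gap in the period, measured after merging overlaps."""
    gap, cursor = 0.0, period_start
    for s, e in merge_intervals(attacks):
        gap = max(gap, (s - cursor).total_seconds() / 3600)
        cursor = max(cursor, e)
    return max(gap, (period_end - cursor).total_seconds() / 3600)


def analyze(lines, response_window_hours=24.0, quiet_gap_hours=6.0):
    """Summarise a log the way the survey questions are framed.

    response_window_hours: how long the team can sustain round-the-clock mitigation.
    quiet_gap_hours: if no attack-free gap exceeds this, treat the org as under
    constant attack (an assumed operational definition, not the report's).
    """
    attacks = parse_log(lines)
    if not attacks:
        raise ValueError("no attacks in log")
    period_start = min(a.start for a in attacks)
    period_end = max(a.end for a in attacks)
    gap = longest_quiet_gap_hours(attacks, period_start, period_end)
    return {
        "attacks": len(attacks),
        "share_day_or_longer": sum(a.hours >= 24 for a in attacks) / len(attacks),
        "outlasting_response_window": sum(a.hours > response_window_hours for a in attacks),
        "max_concurrent_vectors": max(len(a.vectors) for a in attacks),
        "longest_quiet_gap_hours": gap,
        "constant_attack": gap <= quiet_gap_hours,
    }


# Constructed sample log; timestamps are ISO 8601, assumed UTC.
SAMPLE_LOG = """
# start|end|vectors
2014-03-01T00:00|2014-03-02T06:00|SYN flood
2014-03-02T04:00|2014-03-02T10:00|DNS amplification,HTTP GET flood
2014-03-02T12:00|2014-03-02T14:00|UDP flood
2014-03-03T02:00|2014-03-04T03:00|HTTP GET flood
""".splitlines()

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the sample log, half of the attacks last a day or longer and two of them outlast a 24-hour response window, which mirrors the survey's disparity. The constant-attack check depends entirely on the quiet-gap threshold you choose: with a 6-hour threshold the 12-hour lull between the second and third busy periods breaks the streak, with a 12-hour threshold it does not. Decide on that threshold with the business stakeholders before an incident, not during one.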
How You Can Manage
Without a doubt, dealing with a state of constant attack will represent an important progression for security teams. Here are some areas that these teams can focus initial efforts in order to manage an almost unmanageable volume and complexity of threats:
Understand the threat landscape
A team well versed in the variety of attacks (vectors, targets, tactics, and so on) can triage sensibly when some threat must initially go unaddressed, and can recognize when an attack is a harbinger of a more severe threat to come.
Prioritize assets, applications, and processes
Know well the network-dependent aspects of the business that cannot afford to have interrupted operations and have contingency plans to keep these operations afloat during attack.
Assume the attacks are coming
So few businesses haven't been targeted that the "head in the sand" phenomenon is quickly going away. This is good, because assuming you won't be attacked plays right into the hands of malicious actors. Advanced security teams assume the opposite (that they will be attacked) to force disciplined planning.
Coordinate with peers on the business side
Stakeholders within the business often have unrealistic expectations about balancing protection with network enablement. Work with them so they understand the realities of the threats, and agree on the absolutely essential elements of the business's network that must keep running during an attack.
Proactively seek help
Even if you’re not ready to pull the trigger on bringing in outside support to protect from certain threats, do the research in advance to have a sense of exactly where you’ll turn when the worst happens.