
Welcome To the Age of the Constant Attack

February 24, 2015 — by Ben Desjardins

Time has a way of changing our perspective on things. New experiences and the evolution of everything around us can’t help but cause us to reconsider past ideas and outlooks. It is a truism of life that extends into many areas, including the way we look at IT.

The prevailing view of how best to address cyber security threats has gone through its own evolution. Headlines suggest that for a threat like DDoS the challenge is simply having enough capacity to absorb volumetric attacks. We know from experience that it isn't that simple. Solving the DDoS problem means dealing with three core characteristics of an attack: the number of vectors, the volume of the attack and, finally, its duration. An escalation in any of the three presents its own challenges, and the best approach is one that balances preparation with response.

We monitor and explore each of these characteristics across a number of inputs that feed our annual Global Application & Network Security Report. This year we surveyed over 300 information security practitioners, and the results around attack duration were especially interesting; I'll highlight a couple of them here.

First, we found a troubling gap between the percentage of attacks lasting more than a day and respondents' stated ability to mitigate for a day or more. According to the survey, nearly half of attacks now last a day or longer. Yet when asked about their ability to fight an around-the-clock attack, over half (52%) said their capability would run out after 24 hours. This mismatch between requirements and capabilities points to a broader issue: the difficulty of building and maintaining an internal security operations team that can reasonably be expected to keep pace with a fast-moving threat landscape.

This challenge feeds directly into another compelling take-away. In past years a relatively small percentage of respondents said they operate in a state of constant attack. That number tripled from 2013 to 2014; nearly 20% of respondents now say they are under constant attack.

This shift is significant. Most security teams treat incident response and management as a pillar of their operation, built on the premise that an attack has a start, an end, and then a series of processes to assess and remediate. The familiar phases of incident or emergency response (identification, containment, eradication, recovery and policy adjustment) look very different when they become a rolling, never-ending process.

And how exactly can we expect the teams responsible for those incident response processes to do that work when they are often the very same people running triage on whatever attack has most recently targeted the organization? Not surprisingly, many of the organizations reporting a state of constant attack come from the verticals with the longest history of cyber threats. But we now know for a fact that attacks target every imaginable industry. No one is immune, and it is reasonable to assume that the constant-attack reality will spread to other industries.
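The survey numbers above only become actionable once a team measures the same three characteristics (vectors, volume, duration) on its own traffic and compares them with how long it can actually sustain mitigation. The script below is an added example, not part of the original post and not Radware's tooling or the report's methodology. It takes a constructed list of mitigation events, collapses waves that arrive back to back into one rolling incident (the "never-ending" case), reports duration, vector count and peak rate per incident, and flags those that outlast a 24-hour mitigation window. The event data, the one-hour merge gap and the 24-hour window are all assumptions chosen to illustrate the point.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of mitigation events (not survey data): one record per
# attack wave the on-call team handled, with the vectors seen and the peak rate.
SAMPLE_EVENTS = [
    # (start, end, vectors, peak_gbps)
    ("2015-02-01T08:00", "2015-02-01T09:30", ["syn-flood"], 4.0),
    ("2015-02-01T09:45", "2015-02-02T06:00", ["syn-flood", "dns-amp"], 22.0),
    ("2015-02-02T14:10", "2015-02-02T15:00", ["http-get-flood"], 0.8),
    ("2015-02-05T01:00", "2015-02-06T03:00", ["udp-frag", "ntp-amp", "http-post"], 38.0),
]


@dataclass
class Attack:
    start: datetime
    end: datetime
    vectors: list
    peak_gbps: float

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_events(rows):
    """Turn the raw tuples into Attack objects."""
    return [
        Attack(datetime.fromisoformat(s), datetime.fromisoformat(e), list(v), g)
        for s, e, v, g in rows
    ]


def merge_incidents(attacks, max_gap=timedelta(hours=1)):
    """Collapse waves separated by max_gap or less into one rolling incident.

    Vectors accumulate across merged waves and the peak rate is the maximum
    seen; this is what turns "a series of attacks" into "constant attack".
    The one-hour gap is an assumed threshold, not a value from the report.
    """
    merged = []
    for a in sorted(attacks, key=lambda x: x.start):
        if merged and a.start - merged[-1].end <= max_gap:
            prev = merged[-1]
            prev.end = max(prev.end, a.end)
            prev.vectors = sorted(set(prev.vectors) | set(a.vectors))
            prev.peak_gbps = max(prev.peak_gbps, a.peak_gbps)
        else:
            merged.append(Attack(a.start, a.end, sorted(set(a.vectors)), a.peak_gbps))
    return merged


def summarize(incidents, mitigation_window=timedelta(hours=24)):
    """Report the three characteristics per incident and flag any incident
    that outlasts the window the team says it can sustain (24h in the survey)."""
    return [
        {
            "start": inc.start.isoformat(timespec="minutes"),
            "duration_hours": round(inc.duration.total_seconds() / 3600, 2),
            "vectors": len(inc.vectors),
            "peak_gbps": inc.peak_gbps,
            "exceeds_window": inc.duration > mitigation_window,
        }
        for inc in incidents
    ]


def share_over_window(summary):
    """Fraction of incidents that outlast the mitigation window."""
    if not summary:
        return 0.0
    return sum(1 for s in summary if s["exceeds_window"]) / len(summary)


def time_under_attack(incidents):
    """Fraction of the observed period spent in an incident. Values close to
    1.0 are what "constant attack" looks like in the data."""
    if not incidents:
        return 0.0
    span = max(i.end for i in incidents) - min(i.start for i in incidents)
    busy = sum((i.duration for i in incidents), timedelta())
    return busy / span


if __name__ == "__main__":
    incidents = merge_incidents(parse_events(SAMPLE_EVENTS))
    rows = summarize(incidents)
    for r in rows:
        print(r)
    print(f"incidents longer than 24h: {share_over_window(rows):.0%}")
    print(f"time under attack: {time_under_attack(incidents):.0%}")
```

On the constructed data the first two waves merge into one 22-hour incident with two vectors, the short HTTP flood stands alone, and the multi-vector wave on February 5 runs 26 hours and is the one flagged as exceeding the window. Swapping the sample for your own mitigation or NetFlow-derived records is the only change needed to get the same view of your environment.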

How You Can Manage

Without a doubt, dealing with a state of constant attack will be an important progression for security teams. Here are some areas where teams can focus their initial efforts in order to manage an almost unmanageable volume and complexity of threats:

Understand the threat landscape

A team well versed in the variety of attacks (vectors, targets, tactics, etc.) will be able to triage in situations where some threat must initially go unaddressed, and will be better placed to recognize attacks that may be a harbinger of more severe threats to come.

Prioritize assets, applications, and processes

Know which network-dependent parts of the business cannot afford interrupted operations, and have contingency plans to keep those operations running during an attack.

Assume the attacks are coming

So few businesses have not been targeted that the "head in the sand" phenomenon is quickly going away. That is good, because assuming you won't be attacked plays right into the hands of malicious actors. Advanced security teams assume the opposite, that they will be attacked, and use that assumption to force disciplined planning.

Coordinate with peers on the business side

Stakeholders on the business side often have unrealistic expectations about balancing protection with network enablement. Work with them so they understand the realities of the threats, and agree on the absolutely essential elements of the business's network.

Proactively seek help

Even if you're not ready to pull the trigger on bringing in outside support against certain threats, do the research in advance so you know exactly where you'll turn when the worst happens.


Ben Desjardins

Ben Desjardins drives the development of vertical and use-case specific solutions for Radware’s Security Product Portfolio. In this role, Ben focuses extensively on the competitive landscape for anti-DDoS, WAF and anti-scraping technologies. Ben has extensive experience across a wide array of security technologies and disciplines, including DDoS, DNS, SSL, Threat/Vulnerability Management, IAM and PCI-DSS and he brings nearly two decades of marketing management experience to his work at Radware, including over 12 years focused on the information security and cyber threat arenas. Additionally, Ben has led global go-to-market efforts across many industries including retail, Ecommerce, financial services, public sector and healthcare/life sciences.

2 comments

  • Greg

    May 10, 2015 at 12:33 pm

    You capture it.
    Bravo Zulu.

    Wondering what your read is on the future of the web(s) with regard to privacy. At some point, is it necessary to have total visibility in order to safeguard natsec? I have no official opinion, but at times personally feel like learning to can food and make medicine. We need to find a way to turn this around before someone launches a cyber war, takes someone's grid down, and trips a panicked nuclear response… My own worst fear. Faced with millions of casualties or worse, what might we do to compel the adversary to back down, shut down? Or is it more likely the internet is also an equalizer allowing small organizations, countries to induce the same result?

    Reply

