Cloud Security, Security, Web Application Firewall

Using Application Analytics to Achieve Security at Scale

October 16, 2018 — by Eyal Arazi

Are you overwhelmed by the number of security events per day? If so, you are not alone.

Alert Fatigue is Leaving You Exposed

It is not uncommon for security administrators to receive tens of thousands of security alerts per day, leading to alert fatigue – and worse – security events going unattended.

Tellingly, a study conducted by the Cloud Security Alliance (CSA) found that over 40% of security professionals think alerts lack actionable intelligence that can help them resolve security events. More than 30% of security professionals ignore alerts altogether because so many of them are false positives. Similarly, a study by Fidelis Cybersecurity found that almost two-thirds of organizations review less than 25% of alerts every day and only 6% triage 75% or more of alerts per day that they receive.

As a result of this alert flood, many organizations leave the majority of their security alerts unchecked. This is a particular problem in the world of application security, as customer-facing applications frequently generate massive numbers of security events based on user activity. Although many of these events are benign, some are not, and it takes only one missed alert to open the door to a devastating security event such as a data breach.

Leaving these events unexamined leaves applications (and the data they store) exposed: security vulnerabilities, false positives, and sub-optimal security policies all go unnoticed.

Many Events, but Few Activities

The irony of this alert flood is that, when examined in detail, many alerts are in fact recurring events with discernible patterns. Examples of such recurring patterns are access to a specific resource, multiple scanning attempts from the same origin IP, or execution of a known attack vector.

Traditionally, web application firewall (WAF) systems log each individual event without taking the overall context of the alert into consideration. For example, a legitimate attempt by a large group of users to access a common resource (such as a specific file or page) and (clearly illegitimate) repeated scanning attempts from the same source IP address would both be logged the same way: each individual event is logged once and is not cross-linked to similar events.

How to Achieve Security at Scale

Achieving security at scale requires being able to separate the wheat from the chaff when it comes to security events. That is, distinguishing between the large volume of routine user actions that have little implication for application security, and the high-priority alerts that indicate malicious hacking attempts or otherwise suggest a problem with the security policy configuration (for example, a legitimate request being blocked).

In order to be able to make this separation, there are a number of questions that security administrators need to ask themselves:

  1. How frequently does this event occur? That is, does this behavior occur often, or is it a one-off event?
  2. What is the trend for this event? How does this type of behavior change over time? Does it occur at a constant rate, or is there a sudden massive spike?
  3. What is the relevant request header data? What are the relevant request methods, destination URL, resource types, and source/destination details?
  4. Is this type of activity indicative of a known attack? Is there a legitimate explanation for this event, or does it usually signify an attempted attack?

Each of these questions can go either way in explaining a security event. However, administrators would do well to have all of this information readily available, so they can reach an informed assessment based on the overall context.

Having such tools – and taking the overall context into consideration – gives security professionals a number of significant benefits:

  • Increased visibility of security events, to better understand application behavior and focus on high-priority alerts.
  • More intelligent decision making on which events should be blocked or allowed.
  • A more effective response in order to secure applications against attacks as much as possible, while also making sure that legitimate users are not impacted.

Radware’s Application Analytics

Radware developed Application Analytics – the latest feature in Radware’s Cloud WAF Service – to address these customer needs.

Radware’s Cloud WAF Application Analytics works through an analysis process based on machine-learning algorithms, which identify patterns and group similar application events into recurring user activities:

  1. Data mapping of the log data set, to identify all potential event types
  2. Cluster analysis using machine learning algorithms to identify similar events with common characteristics
  3. Activity grouping of recurring user activities with common identifiers
  4. Data enrichment with supplemental details to provide further context on each activity

Radware’s Cloud WAF Application Analytics takes large numbers of recurring log events and condenses them into a small number of recurring activities.
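As an added illustration of the four-step process above (this is not Radware’s code; the log line format, rule names and thresholds are constructed for the example), the following Python groups sample WAF events into a handful of activities: a single source tripping one rule across several resources is keyed by its IP (a scan), while many users hitting one resource are keyed by the templated path, and each activity is tagged with a frequency trend and an enrichment note:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample WAF log lines; the format and rule names are assumed for
# this illustration and are not Radware's own log format.
RAW_LOG = """\
2018-10-15T09:02:11 198.51.100.10 GET /reports/2018/summary.pdf rule=path-traversal
2018-10-15T10:15:40 198.51.100.11 GET /reports/2018/summary.pdf rule=path-traversal
2018-10-15T12:20:59 198.51.100.13 GET /reports/2018/summary.pdf rule=path-traversal
2018-10-15T10:31:00 203.0.113.7 GET /admin rule=scanner-signature
2018-10-15T10:31:01 203.0.113.7 GET /config.bak rule=scanner-signature
2018-10-15T10:31:02 203.0.113.7 GET /backup.zip rule=scanner-signature
2018-10-15T11:00:10 203.0.113.9 POST /search?q=1 rule=sql-injection
2018-10-15T11:00:12 203.0.113.9 POST /search?q=2 rule=sql-injection
2018-10-15T11:00:15 203.0.113.9 POST /search?q=3 rule=sql-injection
2018-10-15T11:40:00 192.0.2.5 GET /orders/17 rule=path-traversal
2018-10-15T11:41:00 192.0.2.6 GET /orders/42 rule=path-traversal
"""
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) rule=(\S+)$")
# Step 4 enrichment table (constructed): what each rule usually signifies.
RULE_INFO = {"sql-injection": "known attack vector", "scanner-signature": "known attack vector",
             "path-traversal": "often a false positive on legitimate file paths"}

def parse(raw):
    """Step 1: map each log line to a typed event; malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE.match, raw.strip().splitlines())):
        ts, ip, method, path, rule = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
                       "path": path.split("?", 1)[0], "rule": rule})
    return events

def template(path):
    """Collapse numeric path segments so /orders/17 and /orders/42 are one resource."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def trend(evs, window_hours):
    """Question 2: is the activity a one-off, steady over time, or a sudden spike?"""
    if len(evs) == 1:
        return "one-off"
    busiest = max(Counter(e["ts"].replace(minute=0, second=0) for e in evs).values())
    return "spike" if busiest >= 3 and busiest > 3 * len(evs) / window_hours else "steady"

def group_activities(events, scan_threshold=3):
    """Steps 2-4: cluster events into activities and enrich each with context."""
    hours = sorted(e["ts"].replace(minute=0, second=0) for e in events)
    window_hours = int((hours[-1] - hours[0]).total_seconds() // 3600) + 1
    # One source tripping one rule across many resources is a scan: key by source.
    # Otherwise many users hitting one resource: key by the (templated) resource.
    paths_per_source = defaultdict(set)
    for e in events:
        paths_per_source[(e["rule"], e["ip"])].add(template(e["path"]))
    groups = defaultdict(list)
    for e in events:
        if len(paths_per_source[(e["rule"], e["ip"])]) >= scan_threshold:
            groups[("source", e["rule"], e["ip"])].append(e)
        else:
            groups[("resource", e["rule"], e["method"], template(e["path"]))].append(e)
    return {key: {"events": len(evs), "sources": len({e["ip"] for e in evs}),
                  "trend": trend(evs, window_hours),
                  "note": RULE_INFO.get(key[1], "unclassified")}
            for key, evs in groups.items()}
```

On the constructed sample, 11 events collapse into four activities, and only the scan and the injection attempts carry a "spike" trend and a known-attack note.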

In several customer trials, this capability allowed Radware to reduce the number of Cloud WAF alerts from several thousand (or even tens of thousands) to a single-digit (or double-digit) number of activities. This allows administrators to focus on the alerts that matter.

For example, one customer reduced over 8,000 log events on one of their applications into 12 activities (seen above), whereas another customer reduced more than 3,500 security events into 13 activities.

The benefits for security administrators are easy to see: rather than drowning in massive amounts of log events with little (or no) context to explain them, administrators now have in Cloud WAF Application Analytics a tool that reduces log overload to a manageable number of activities to analyze.

Ultimately, there is no silver bullet when it comes to WAF and application security management: administrators will always need to balance being as secure as possible (and protecting private user data) against the need to be as accessible as possible to those same users. Cloud WAF Application Analytics is Radware’s attempt to disentangle this challenge.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Application Security, Cloud Security, DDoS Attacks, Security, WAF

Protecting Sensitive Data: The Death of an SMB

September 26, 2018 — by Mike O'Malley

True or False?

90% of small businesses lack any type of data protection for their company and customer information.

The answer?

Unfortunately true.

Because of this lack of care, 61% of data breach victims are small businesses, according to service provider Verizon’s 2018 Data Breach Investigations Report.

Although large corporations garner the most attention in mainstream headlines, small and mid-sized businesses (SMBs) are increasingly attractive to hackers because of the combination of valuable records and a lack of security protections. The high priority of sensitive data protection should not be limited to large companies but extended to organizations of all sizes.

While large corporations house large amounts of data, they are also capable of supporting their data centers with the necessary protections. The combination of lacking security resources while holding sensitive personal information is what makes smaller businesses the perfect targets for attackers. Hackers aren’t simply looking at how much information they can gather, but at the ease of access to that data – an area where SMBs are largely deficient.

The bad publicity and dark connotation that data breaches hold create a survive-or-die situation for SMBs, but there are ways SMBs can mitigate the threat despite limited resources – and they exist in the cloud.

The Struggle to Survive

Because of their smaller stature as companies, most SMBs struggle to manage cybersecurity protections and the mitigation of attacks – especially data breaches. In fact, financial services company UPS Capital found that 60% of smaller businesses go out of business within six months of a cyberattack. Unlike business giants, SMBs cannot afford the financial hit of a data breach.

Security and privacy of sensitive data is a hot topic in today’s society and is becoming more of an influence on customers’ purchase decisions. Customers are willing to pay more for security protections. Auditing giant KPMG reports that, for mobile service providers alone, consumers would not hesitate to switch carriers if one provided better security than the other, as long as pricing is competitive, or even for a moderate premium.

One Person Just Isn’t Enough

Many SMBs tend to prioritize their business over cybersecurity because of the false belief that attackers would go after large companies first. Research center Ponemon Institute reports that 51% of its survey respondents say their company believes it is too small to be targeted. Businesses that do invest in cybersecurity often focus narrowly on anti-virus solutions and neglect other types of attacks, such as DDoS, malware, and system exploits, that intrusion detection systems can protect against.

Auto dealerships, for example, are typically family-owned and operated businesses, valued at around $4 million USD, with an average of 15-20 employees overall. Because of this size, typically only one of those employees manages IT responsibilities. Dealerships attempt to satisfy their security needs with this one employee, who has relevant certifications and experience and is equipped with resources for day-to-day tasks, but not for managing high-level attacks and threats. Ponemon Institute’s research reports that 73% of its respondents believe they are unable to achieve fully effective IT security because of insufficient personnel.

A study conducted by news publication Automotive News found that 33% of consumers lack confidence in the protection of sensitive data at dealerships. The seriousness of cybersecurity protection, however, should correlate not with the number of employees but with the amount and value of the sensitive data collected. The common error dealerships make isn’t a lack of care in handling sensitive data, but underestimating their likelihood of being attacked.

Dealerships collect valuable consumer information, both personal and financial – ranging from driver’s license information to social security numbers, bank account information, and even past vehicle records. An insufficient budget for, and management of, IT security make auto dealerships a prime target. In fact, in 2016 software company MacKeeper revealed a massive data breach of 120+ U.S. dealership systems that had been exposed on Shodan – a search engine for connected but unsecured databases and devices. The breach originated from backing up individual data systems to the vendor’s common central systems without any cybersecurity protections in place.

The Answer is in the Clouds

Cybersecurity is often placed on the backburner of company priorities, perceived as an unnecessary expenditure because of a flawed perception and an underestimated likelihood of being attacked. However, the level of protection over personal data is highly valued among today’s consumers and is enough to be the deciding factor in which OS or mobile app/site people frequent, and likely which SMB they patronize.

Witnessing the growing trend of data breaches and the rapid advancements of cyberattacks, SMBs are taking note and beginning to increase spending. It is crucial for organizations to not only increase their security budget but to spend it effectively and efficiently. Research firm Cyren and Osterman Research found that 63% of SMBs are increasing their security spending, but still experience breaches.

Internal security systems may seem more secure to smaller business owners, but SMBs lack the security architecture and expertise necessary to safeguard the data being housed. Cloud solutions offer what these businesses need: a data storage system with better security protection services. Meanwhile, in the same Cyren and Osterman Research report, only 29% of IT managers are open to utilizing cloud services. By utilizing cloud-based security as a solution, small- and medium-sized businesses no longer have to depend on one-person IT departments, but can focus on the growth of their business. Cloud-based security solutions provide enterprise-grade protection alongside the flexibility and agility that smaller organizations typically lack compared to their large-scale brethren.

Managed security vendors offer a range of fully managed cloud security solutions against cyberattacks, from WAF to DDoS protection. They are capable of providing more accurate real-time protection and coverage. Although the security is provided by an outside firm, reports and audits can be provided for a deeper analysis of not only the attacks but also the company’s defenses. Outsourcing this type of security service to experts enables SMBs to keep achieving and prioritizing their business goals while protecting their work and customer data.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Cloud Security, DDoS, Security

Automated Attacks Are Here to Stay

October 18, 2016 — by Dennis Usle

It seems the future is upon us. Some of you may have heard about the attacks on security researcher and journalist Brian Krebs, as well as the attacks on the French hosting company OVH. These are the world’s largest DDoS attacks ever on record, at 620Gbps and 1+Tbps respectively. If you’ve read up on these attacks, you’ll also be familiar with the fact that automated bot armies are being leveraged by booter or stresser services. These services are offered by “entrepreneurs” for a nominal fee to their paying clientele. Booter services are not new to the realm of DDoS. What’s changed over the years is the scale and scope these automation engines are achieving. The services’ command-and-control networks have grown in the number of pwn’d bots and gained more advanced and effective attack tactics. The exponential population growth of insecure internet-connected devices has enabled this. The Internet of Things (IoT), i.e. IP-enabled cameras, printers, TVs, refrigerators, etc., has certainly contributed, in part because these devices were not developed with security in mind.

Cloud Security, Security

9 Ways to Ensure Cloud Security

September 22, 2016 — by Radware

Whether you’ve migrated some or all of your infrastructure to the cloud, or are still considering the move, you should be thinking about security. Too often, organizations assume a certain level of protection from a cloud service provider and don’t take steps to ensure applications and data are just as safe as those housed in the data center.

The sheer range of cloud technology has generated an array of new security challenges. From reconciling security policies across hybrid environments to keeping a wary eye on cloud co-tenants, there is no shortage of concerns. An increasingly complex attack landscape only complicates matters and requires security systems that are vigilant and able to adapt. Here are nine tips to consider before, during, and after a cloud migration to stay ahead of the curve when evaluating security solutions for your cloud service.

Cloud Security, Security

Shadow IT – Security and DR concerns?

September 6, 2016 — by Prakash Sinha

According to Gartner, on average 28 percent of IT spend today occurs outside the IT department. IT behind IT’s back, commonly called shadow IT, is primarily driven by easily available cloud services. Mobile growth and shifting work practices further enable shadow IT, together with employees’ desire to work from anywhere. Shadow IT typically consists of services and applications that an organization’s IT department has had no role in selecting or vetting, and IT may not even be aware that these services and applications are being used within the network.

Convenience and productivity are often the drivers for adopting shadow IT. Employees deploy solutions that are not approved by their IT departments, and many times the reasoning is that going through the traditional route for approvals is too complicated or time consuming.

Cloud Security, Security

Securing Online Assets: Four Steps to Protect Your Online Business

August 25, 2016 — by Radware

Businesses of all sizes, across all verticals, generate significant sales online, increasing their risk and exposure from outages and breaches. Unfortunately, malicious actors understand this and target online businesses with this in mind. By and large, their efforts are successful. According to Radware’s 2016 Global Network and Application Security Report, 62% of those attacked suffered downtime or degradation. According to this same report, organizations now see more tangible financial impact from cyber-attacks. Over two-thirds (69%) of organizations say attacks cause revenue, customer, partner, and productivity loss (up from 45% last year).

Attacks aren’t just about outages or breaches; performance degradation caused by attacks is a growing problem as well. According to recent studies, 40% of customers will now wait 3 seconds or less before moving on to a competitor site, meaning the impact of performance loss is extremely tangible for online businesses.

Attack Types & Vectors, Cloud Security, Security

Dry Lighting Cracks against the Cloud: The Rise of the Advanced Persistent DoS (APDoS)

August 8, 2016 — by Carl Herberger

So, let’s say you are up to no good and motivated to attack somebody or some organization.

After somewhat thoughtful considerations you decide you are going to launch a cyberattack to render your victim unavailable or to extort some sort of action or ransom.

However, you have a big problem to solve – how do you get around today’s most popular cloud security scrubbing businesses?

Cloud Security, DDoS, Security

Cloud-Based or Provider-Managed DDoS Mitigation: Which is Right for Your Organization?

July 12, 2016 — by Jordan Jacobs

Two facts are changing how companies think about DDoS mitigation: DDoS attacks are more frequent than ever and are increasingly easier to initiate from anywhere in the world.

Simply put, the days when firewalls and a large enough pipe to the internet were enough to protect your network have long since passed. Any organization or website is a potential target, and with high odds of a given attack overwhelming homegrown defense tactics, most companies are moving their mitigation tools offsite. The cost of downtime – upwards of $9,000 per hour for small businesses and $690,000 for large companies – is just too great to risk going it alone.

Cloud Security, Security

“POP” Goes the Vendor that Doesn’t Separate Scrubbing Centers from Always-On Platforms

June 1, 2016 — by Ben Desjardins

It seems hardly a week can pass without some cloud-based security service provider announcing the latest expansion of their cloud infrastructure. The cadence has turned into something of an arms-race mentality on the part of these providers, perhaps in response to a sense that this is what the market wants to see in a service provider. After all, X+1 Points of Presence (POPs) is better than X, right?

Well, the real answer is that most confounding of answers: it depends. In this case, the dependency is a question of what specific problem you’re trying to solve.

Cloud Security, Security

Static Cloud Security Is Obsolete; Long Live Continuously Adaptive Cloud Security!

May 17, 2016 — by Haim Zelikovsky

Successfully protecting against web-based attacks is like trying to win a game that keeps changing its rules all the time… only nobody tells you what the new rules are! Static cloud security services cannot help you win the web security game. Only cloud security services that continuously and automatically adapt to the rapidly evolving threat landscape and to the protected assets can assure you are well prepared for anything that will be thrown at you… even as the rules continuously change!