Distributed Denial of Service (DDoS) attacks are among the most widely used attack types targeting service providers and enterprise organizations. As a result, these organizations are increasingly challenged to handle the volume and diversity of attacks.
The 13th annual Worldwide Infrastructure Security Report (WISR), published by NETSCOUT Arbor, has revealed how the threats have proliferated at a time when persistent staffing challenges are stretching internal network and security teams. This latest WISR found that there were 7.5 million DDoS attacks overall, as well as a 30% increase in the number of enterprise organizations that experienced stealthy application layer attacks. Given this threat environment, awareness of DDoS attacks has increased, with 77% of respondents reporting that DDoS is part of either their business or IT risk assessments.
The WISR also uncovered that the number of organizations reporting revenue losses as an impact of DDoS attacks almost doubled in 2017, with 10% of enterprises estimating that a successful DDoS attack would cost in excess of $100 000. The scale and potential impact of the infrastructure security problem is therefore clear and well understood, but organizations face three core challenges in their efforts to fight back against hackers.
First, the sheer volume of attacks, as detailed above, is overwhelming security teams. Second is the dynamic nature of the threat landscape with the style of attacks constantly changing. In fact, a DDoS attack can involve multiple types of attack, quickly changing their targets to exploit weaknesses. Organizations must be agile in their defensive response.
Finally, there simply aren’t enough cybersecurity experts available for organizations to hire. A recent study by ESG research found that 51% of organizations report having a problematic shortage of cybersecurity skills in 2018. This is up from 45% in 2017. ESG found that 41% of cybersecurity professionals say the skills shortage has led to staff spending disproportionate amounts of time dealing with high-priority issues and incident response.
A situation in which the workload is increasing faster than the workforce is growing is evidently unsustainable, so new, automated approaches are required to offset the skills shortage. This is especially relevant because some DDoS attacks last for just 15 seconds, yet leave the network down and needing hours to recover.
It’s not effective to have a manual response to a 15-second burst attack, so automation is seen as a critical component of DDoS defense. The fact that automation provides an answer to some of these challenges means that the market has been flooded with vendors claiming to provide automated solutions, but these may not be suitable or capable of providing the automated threat protection that organizations need. It’s therefore important to carefully assess what a DDoS protection solution offers and what automation means in the marketplace.
NETSCOUT Arbor describes three key attributes of automated threat protection:
- The first attribute may seem obvious: the automation has to work and stop the attack.
- Automated mitigation on its own is not enough. What’s needed is intelligent automation that can distinguish between legitimate and attack traffic. Blunt mitigation is highly likely to cause significant business damage by blocking legitimate traffic. For example, if a retailer was running a coupon offer and an automated system decided to block the most popular traffic as part of its efforts to end the attack, the retailer's special offer would fail, causing substantial wasted expenditure plus reputational damage.
- The third attribute is reporting. The solution should explain what it is doing and allow operators to understand the decisions that are being made. It can’t be a black box; it must be able to be adapted to respond to changing situations and be able to report on them in detail.
At the moment, there is a gap between what’s marketed and what is the reality when it comes to threat protection automation. By asking the right questions about automation, you can distinguish between the hype, vaporware, and solutions that truly add value.
~Written by George Malim. George is a freelance journalist who covers the telecoms and internet markets.