DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT


An IANS custom report, September 2014. Commissioned by:

Contents
Introduction
About the Survey and Respondents
The Current State of DDoS
DDoS and Incident Response
Incident Detection and Response Today and Tomorrow
About Arbor Networks
About IANS

Introduction

Since 2010, the number and types of DDoS attacks perpetrated against enterprise networks have grown dramatically. The rise in hacktivism has led to numerous DDoS attacks, with groups like LulzSec and Anonymous repeatedly attacking government and commercial sites. One of the largest attacks in 2011 was against Sony's PlayStation Network, and was again attributed to Anonymous. The year 2012 saw a significant rise in attacks against financial organizations, with many of the world's leading financial service institutions and banks experiencing significant outages and slowdowns due to politically motivated DDoS attacks. Some of these reached sustained 100 Gbps speeds, which many in the security community believe foreshadowed the trends we are seeing now. Through 2013 and 2014, numerous attacks of more than 200 Gbps have been witnessed, and the total number of attacks seen in 2014 seems to be eclipsing years past.

The types of attacks are changing, too. While most attacks are still volume-based, primarily SYN floods and ICMP and UDP traffic, more and more application-level traffic is seen today, primarily HTTP and HTTPS and DNS queries, as well as NTP data.

Given the likelihood that organizations will be hit with DDoS attacks at some point, how are organizations preparing for them? What kinds of incident detection and response processes and technologies are organizations using to best handle DDoS attacks today? For those who experienced a DDoS attack, what were the costs? In this report, we'll review the state of DDoS readiness across the industry, and analyze where organizations identified costs associated with DDoS attacks. We'll also look at tools, tactics, and what's changing for those organizations seeking to better handle DDoS attacks against their networks.

About the Survey and Respondents

IANS conducted a survey of one hundred information security professionals in the industry. Of the respondents, 16% were CISOs, CTOs, and other executive roles, the majority (56%) were managers and directors, and the remaining 28% were technical practitioners. Almost half worked in large organizations of 10,000 or more employees, with fair representation of smaller organizations as well. The full breakdown of organization size is shown in Figure 1.

Figure 1: Organization Size
Categories: 1,000-4,999, 5,000-9,999, 10,000-19,999 and 20,000+ employees. Chart values as extracted (37%, 12%, 20%, 31%) cannot be reliably matched to the categories.

All respondents were based in the United States, with the most representation from Texas, California, Florida, Maryland, Ohio, New Jersey, and North Carolina. Many other states were represented as well, and the regional breakdown was highest for the South (43%), with almost equal representation for the West (19%), Midwest (20%), and Northeast (18%).

The Current State of DDoS

The first question we asked security professionals was a straightforward one: how many of them had experienced a DDoS attack in the past two years? Of the respondents, 22% indicated that they had experienced a DDoS attack during this time period, which amounts to just over 1 in every 5 organizations that responded. This corresponds to the growing rate of DDoS attacks seen in the wild, and is likely to keep growing rapidly, especially for certain industries like the financial sector.

Of the respondents who indicated they'd experienced a DDoS attack, two-thirds said that they had been able to reasonably assess the costs associated with the attack (14 out of 22 organizations). The other eight respondents could not accurately gauge the overall cost of the attack. For those who did determine the costs associated with a DDoS attack, a number of factors contributed to those costs. For most, the operational time needed to detect and respond to the attack made up at least a portion of the costs. Many also experienced system downtime due to crashes or adverse responses within the environment. Half of the organizations that experienced a DDoS attack measured the loss of customer traffic to business web sites, and several also experienced a loss of goodwill and a hit to their reputation. The full breakdown of responses is shown in Figure 2.

Figure 2: Means of Measuring DDoS Costs (DDoS costs stem from...)
Operational time spent responding to the DDoS: 73%
System downtime due to crashes or adverse responses: 68%
Loss of customer traffic to web sites: 50%
Loss of goodwill and reputation: 23%

Based on these results, most costs for DDoS attacks are directly related to operations in one or more ways: either the time that IT operations teams spend detecting and cleaning up the attacks, or the direct impact to systems and applications affected by them. For larger sites which are reliant on customer traffic to critical web sites, web application and analytics teams are likely measuring all impacts to traffic very frequently, and tying changes in traffic to revenue will be second nature. Loss of goodwill and reputation is much harder to measure, especially in the short term, and may also be harder to translate directly into true revenue costs.

DDoS and Incident Response

Regardless of whether organizations have experienced a DDoS attack or not, all organizations should have an incident response plan that covers DDoS. If one in every five organizations has seen a DDoS attack already, the likelihood that organizations will see DDoS attacks in the future is very high. However, only 56% of respondents stated that they currently have a DDoS-specific response plan in place. This seems to indicate that many are either not concerned with a potential DDoS attack, or do not think they are likely targets for DDoS. In some cases, security teams may also lack the resources to devote to planning and executing a DDoS incident response program. In fact, when asked who handles DDoS-specific incident response currently, the results were split between traditional security teams (64%), network engineering teams (54%) and incident response teams (54%). Survey respondents could choose more than one answer, which implies that most organizations share the responsibility for DDoS incident response across several teams. Not having a dedicated owner of DDoS response may also lead to less direct focus on DDoS overall. Currently, 39% of respondents perform custom training drills for their security teams for DDoS response. This is also a low number, especially in light of the increasing threat of DDoS to more and more organizations. However, most organizations are investing in some equipment and services that can help with DDoS attacks.

Given the cross-functional nature of DDoS detection and response between network engineering and security teams, it's not surprising that the top technology used for DDoS detection and defense is network load balancing equipment (57%). Almost half of respondents indicated that they are using some sort of dedicated on-premise DDoS detection and prevention tools. Almost a third of organizations are leveraging cloud-based DDoS detection and response services or application traffic shaping tools, as shown in Figure 3.

Figure 3: Current DDoS Detection and Response Tools
Network load balancing equipment: 57%
On-premise DDoS detection and protection systems: 49%
Cloud-based DDoS detection and protection services: 31%
Application traffic shaping tools: 30%

What do these results indicate? First, the mix of network load balancing and application traffic shaping equipment indicates network operations involvement in DDoS detection and response, with equipment typically maintained by the network operations and engineering teams. On-premise and cloud-based DDoS detection and protection tools are often jointly configured and maintained by security and network teams, which correlates with the response question discussed earlier: DDoS detection and response is a shared task.

How do organizations first detect DDoS attacks? In other words, what are the most prevalent initial indicators of a DDoS attack? Surprisingly, only 21% of respondents included volume of TCP SYN packets, which has traditionally been the most common volumetric DDoS attack. The highest volume of responses indicated that HTTP/HTTPS and DNS packet volume were leading indicators, followed by behavioral changes in traffic patterns. The full list of DDoS leading indicators is shown in Figure 4.

Figure 4: DDoS Initial Indicators
Volume of HTTP/HTTPS packets and volume of DNS packets: 31% and 30% (the extracted chart does not preserve which is which)
Traffic behavior pattern changes: 28%
Volume of TCP SYN packets: 21%
All of the above: 23%
Application server and process indicators, volume of NTP packets, and none of the above: 18%, 17% and 12%, in an order the extracted chart does not preserve

Application server and process indicators are also starting to factor into DDoS detection, which shows more attention at the host level and likely also indicates a higher level of attention and involvement from the operations teams responsible for system administration and monitoring. NTP DDoS attacks are becoming more common, too, but are still a small percentage of the DDoS landscape. Not surprisingly, almost a quarter of the respondents use all the different indicators listed, while a smaller group did not leverage any of them.

How long does it take most organizations to detect and respond to DDoS attacks? Many organizations stated that they could start to detect and react quickly, with responses ranging from less than one hour to 1-12 hours. A smaller number needed 12-24 hours, or even days, to properly detect and mitigate DDoS attacks. The full breakdown of responses is shown in Figure 5.

Figure 5: Average DDoS Response Time
Categories: less than one hour, 1-12 hours, 12-24 hours, 1-3 days, 3-7 days, more than 7 days. Chart values as extracted (43%, 30%, 11%, 7%, 6%, 3%) cannot be reliably matched to the categories.

Do most organizations know that they can respond this quickly, or is this an example of overconfidence? Many of the organizations that indicated very low detection and mitigation times for DDoS attacks may not have experienced the full brunt of a dedicated and focused attack yet.

Organizations that leverage service providers for help during DDoS attacks can transition incident response efforts to the service providers where possible (or at least enlist their aid during attacks). When this happens varies widely, however. The majority tend to enlist service providers quickly, as soon as attacks are detected. This may account for the previous responses about immediate detection and mitigation. The rest of the responses were evenly spread across reaching a certain cost threshold or various thresholds of network saturation, as shown in Figure 6.

Figure 6: DDoS Service Provider Response Transition Thresholds
Immediately, as soon as the attack is detected: 36%
When a certain cost threshold is reached: 14%
When network saturation reaches 50%: 13%
When network saturation reaches 25%: 12%
When network saturation reaches 75%: 11%

Several respondents also indicated that they worked in service provider organizations, or never transitioned to a service provider.

The kinds of DDoS containment tools and techniques security teams are leveraging are also critical to understand. Given the lack of maturity in developing a sound DDoS incident response strategy, it's not surprising to find that many are still relying heavily on firewalls, IDS/IPS, and network load balancing to contain DDoS attacks and eradicate unwanted traffic. Some are also using DNS redirection and application traffic shaping, as mentioned in the earlier question about tools currently in place. With the rise in application-centric DDoS, this is likely to grow over time. Only a small percentage of respondents (17%) are currently using "clean pipe" packet scrubbing services to contain and eradicate DDoS traffic, yet this is a growing market area at the moment. The full breakdown of eradication and containment techniques is shown in Figure 7.

Figure 7: DDoS Containment and Eradication Techniques
Traditional IDS/IPS/firewall blocking: 64%
Network load balancing: 53%
DNS redirection: 41%
Application traffic shaping: 27%
"Clean pipe" packet scrubbing services: 17%

After detection, how long does it take most organizations to start mitigating a DDoS attack? Ten percent of respondents said they don't mitigate, which implies they have outsourced services in place to handle this. Half the respondents indicated that they could start responding immediately or within 10-20 minutes. The rest took up to 30 minutes or longer, as shown in Figure 8.

Figure 8: DDoS Mitigation Time After Detection
We do not mitigate DDoS attacks: 10%
Automatically, 10-20 minutes, 20-30 minutes, and more than 30 minutes: 25%, 22%, 16% and 27%, in an order the extracted chart does not preserve
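The initial indicators of Figure 4 and the service-provider hand-off thresholds of Figure 6, worked as detection logic over a minute of flow summaries. This is an added example, not code from the report or from Arbor Networks; the record format, the traffic volumes, the 200 Mbps link, and the 3-sigma / 10,000-packet floor are assumptions chosen for illustration.

```python
# Added example (not from the IANS report): check one minute of constructed
# flow summaries against the Figure 4 indicator buckets, then apply the
# Figure 6 hand-off policy. All numbers below are constructed, not telemetry.
from statistics import mean, pstdev

# Constructed record format: (proto, dst_port, tcp_flags, packets, bytes) per minute.
def quiet_minute(scale):
    """One minute of normal traffic, scaled so the baseline has some spread."""
    return [
        ("tcp", 443, "SA", round(60_000 * scale), round(48_000_000 * scale)),  # HTTPS
        ("tcp", 443, "S", round(2_000 * scale), round(120_000 * scale)),       # new SYNs
        ("udp", 53, "", round(5_000 * scale), round(600_000 * scale)),         # DNS
        ("udp", 123, "", round(200 * scale), round(18_000 * scale)),           # NTP
    ]

BASELINE_MINUTES = [quiet_minute(s) for s in (0.9, 1.0, 1.1, 0.95, 1.05)]
ATTACK_MINUTE = [                      # constructed DNS/NTP reflection flood
    ("tcp", 443, "SA", 60_000, 48_000_000),
    ("tcp", 443, "S", 2_100, 126_000),
    ("udp", 53, "", 900_000, 1_100_000_000),
    ("udp", 123, "", 60_000, 28_000_000),
]
LINK_BPS = 200_000_000                 # assumed 200 Mbps upstream link

def classify(rec):
    """Map a record to one of the Figure 4 indicator buckets."""
    proto, port, flags, _, _ = rec
    if proto == "tcp" and flags == "S":
        return "tcp_syn"               # bare SYNs: the classic SYN-flood signal
    if proto == "tcp" and port in (80, 443):
        return "http"
    if proto == "udp" and port == 53:
        return "dns"
    if proto == "udp" and port == 123:
        return "ntp"
    return "other"

def bucket_packets(minute):
    counts = {}
    for rec in minute:
        counts[classify(rec)] = counts.get(classify(rec), 0) + rec[3]
    return counts

def flag_indicators(baseline_minutes, current_minute, k=3.0, floor=10_000):
    """Return {bucket: multiple of the baseline mean} for buckets whose packet
    volume is above an absolute floor AND more than k sigmas above the recent
    baseline (the 'traffic behavior pattern change' indicator)."""
    history = [bucket_packets(m) for m in baseline_minutes]
    flagged = {}
    for bucket, pkts in bucket_packets(current_minute).items():
        past = [h.get(bucket, 0) for h in history]
        mu, sigma = mean(past), pstdev(past)
        if pkts > max(floor, mu + k * sigma):
            flagged[bucket] = round(pkts / mu, 1) if mu else float("inf")
    return flagged

def saturation_pct(minute, link_bps=LINK_BPS):
    """Average utilisation of the link over the minute, in percent."""
    return 100.0 * sum(rec[4] for rec in minute) * 8 / 60 / link_bps

def should_escalate(policy, flagged, saturation):
    """Hand off to the mitigation provider per Figure 6: 'immediate', or once
    link saturation reaches the configured percentage (25, 50 or 75)."""
    if not flagged:
        return False
    return True if policy == "immediate" else saturation >= policy

if __name__ == "__main__":
    hits = flag_indicators(BASELINE_MINUTES, ATTACK_MINUTE)
    sat = saturation_pct(ATTACK_MINUTE)
    print(hits, round(sat, 1), should_escalate(50, hits, sat))
```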

We asked practitioners who had successfully responded to DDoS attacks to give some tips from the trenches. Several responded that properly trained staff and a defined incident response plan were key in detecting and eradicating the attacks, with one comment stating, "expect it to happen and be prepared." Others noted that you should "use all the tools you can afford to use" and "invest in competent security operations personnel and the tools for them to use." Some of the other tips included using cloud-based DDoS mitigation services and DNS redirection to respond successfully.

Incident Detection and Response Today and Tomorrow

Today, most organizations employ a wide variety of tools and services to detect threats against their networks and applications. Firewall logs are far and away the most prevalent detection method across organizations at 70%, followed by performance monitoring and management solutions (43%) and SIEM (41%). From there, we see fewer organizations making use of in-house scripting and tools, helpdesk tickets and calls, and other network-focused tools like SNMP and NetFlow analysis platforms, as well as Deep Packet Inspection (DPI) tools, as shown in Figure 9.

Figure 9: Current Network Threat Detection Tools
Firewall logs: 70%
Performance management / monitoring: 43%
Security Information and Event Management (SIEM): 41%
In-house developed scripts/tools: 34%
Customer call / helpdesk ticket: 30%
SNMP-based tools: 29%
NetFlow analyzers: 27%
Deep Packet Inspection (DPI) tools: 24%

With this wide variety of tools, organizations are likely able to detect many network threats. However, there's still a gap in skills and technology for detecting and responding to DDoS attacks. Only half of organizations have a definitive DDoS response plan in place, and responsibilities for handling DDoS seem spread out across several different teams, primarily network and security operations. Many organizations are still using traditional network tools to detect and mitigate denial-of-service, which may not be the ideal controls for the job. The use of application traffic-shaping tools and DDoS detection and prevention services is growing, too. Many organizations may experience DDoS attacks in the next several years; what will the impact be? Currently, most organizations affected by DDoS measured costs in operational time spent on response, as well as downtime. It will be interesting to see how these trends continue in the future.

About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS Active Threat Level Analysis System. Representing a unique collaborative effort with 250+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

About IANS

IANS is the leading provider of in-depth security insights and decision support delivered through research, community, and consulting. Fueled by interactions among IANS Faculty and information security practitioners, IANS experience-driven advice helps IT security, risk management, and compliance executives make better, faster technical and managerial decisions. IANS was founded in 2001 as the Institute for Applied Network Security. Inspired by the Harvard Business School experience of interactive discussions driving collective insights, IANS adapted that format to fit the needs of the information security community.