

Rewriting the Rules for DDoS Protection in 2015

  • 1. Re-Writing the Rules for DDoS Defense: On-Prem + Cloud Based Protection. Stephen Gates - Chief Security Evangelist. © 2014 Corero www.corero.com
  • 2. DDoS Attacks, 2013-2014
      [Chart: Total Attack Bandwidth (Gbps), y-axis 100 to 400, June 2013 to July 2014. Data shown represents the top ~2% of reported attacks. Annotated events include "Hong Kong voting sites" and "Major hosting sites".]
      • 20% of data center downtime is caused by a DDoS attack
      • 86 minutes is an average of data center downtime due to DDoS attacks
      • $8K per minute is the average cost of this downtime
      • $700K per incident is the average cost of a DDoS outage
      Source: Network Computing/Ponemon Institute
      Source: Digital Attack Map - DDoS attacks around the globe
  • 3. DDoS Digital Attack Map (http://www.digitalattackmap.com/)
      Volumetric, Application, TCP Connect, Fragmented
      According to a recent survey conducted by the SANS Institute: “The most damaging DDoS attacks mix volumetric attacks with targeted, application-specific attacks.”
  • 4. Are the attackers getting smarter?
      • Researchers are finding an uptick in the number of new techniques
      • Attackers defeating traditional protection (Firewall, ACL, Blackhole)
      • Attackers are developing new methods of bypassing defenses
  • 5. What tools are the attackers using?
      High Orbit ION Cannon, HULK, SlowHTTPtest, Hping3, NMAP, Metasploit, Slowloris, Low Orbit ION Cannon, KillApache.pl (diagram target: www.yoursite.com)
  • 6. Can your existing security layers handle the onslaught?
      Volumetric Attack Components:
      • Bandwidth Saturation
      • Connection Saturation
      • Spoofed Connections
      • Reflections/Amplifications
      • Fragments
      • Partial Saturation
  • 7. Concerns with partial saturation attacks
      • Beyond very small attacks exhausting or slowing a particular resource
      • Worse than traditional attacks targeted at disabling infrastructure
      • New attacks that are a diversion for some larger threat (data exfiltration, planting malware, etc.)
  • 8. Businesses need protection from the Internet
      With a first line of defense that:
      • PREVENTS network/service outages by blocking attacks in real time
      • EXTENDS the effective life of your existing security investments
      • PROVIDES insight into attacks and evolving threats
      • ASSURES customers can access online services
  • 9. Proper DDoS Protection. Three options: On-Premises, Cloud/Hosted, Hybrid
  • 10. Threat mitigation benefits
      On-premises and in-line:
      • Always-on, real-time protection
      • Complete, comprehensive security event visibility
      • Inspection, analysis, alerting and real-time mitigation
      • Protects against layer 3–7 attacks
      • Do-no-harm approach
  • 11. Operational benefits
      On-premises and in-line:
      • Improved response time and mitigation for the vast majority of attacks
      • Allows highly-trained staff to focus on more nefarious threats
      • Broad protection at all layers protects critical infrastructure and optimizes its performance
      • Service availability protects business integrity and increases productivity
  • 12. Cost benefits
      On-premises and in-line:
      • Fraction of the cost compared to scrubbing or out-of-band solutions
      • Protects downstream security investments
      • Allows skilled (and highly-paid) staff to focus on higher-layer threats, not mundane operational tasks
  • 13. Cloud/Hosted Scenario
      If scrubbing is an option that your business is committed to, consider the following:
      • Always on, or on demand
      • Cost implications
      • Total event traffic captured and analyzed
      • Manual/human intervention
      • Duration of large scale attacks
      • Application layer attacks
  • 14. What will it take to eliminate this problem?
      [Diagram labels: Good Users, Attackers, Attack Traffic, Good Traffic, Service Provider Defenses L3-L4, Attack Leakage, On-Premises Defenses L3-L7, Protected Critical Infrastructure.]
      [Panel: Cloud Service Pricing ($ to $$$$): Base Service, Always on, Redirection Method, Attack Type, Size of Attack.]
      [Panel: Attack Detection to Prevention Process: Attack Begins, Attack Detected, Rerouted to Scrubbing Center; Time to Reroute marked at 10, 20 and 30 mins.]
  • 15. Conclusions: There is no one-size-fits-all solution
      • Plan for day-to-day protection against baseline attacks
      • Consider solutions that you can turn around and monetize
      • Think about the cost of mitigation in a 24/7 attack environment: human and capital
      • Prepare for larger sustained attacks and massive spikes
      What is Your DDoS Protection Plan?
  • 16. Advanced DDoS/Cyber Threat Protection; Comprehensive Visibility; Next Generation Architecture
  • 17. Corero SmartWall® Network Threat Defense
      Advanced DDoS & cyber threat defense technology; built on next generation architecture; comprehensive attack visibility & network forensics
      SmartWall Threat Defense System (TDS):
      • Enterprises & Service/Hosting Providers
      • On-Premises or Cloud deployments
      • Protection in modular increments of 10 Gbps
      • In-line or scrubbing topologies
  • 18. Comprehensive Visibility
      Valuable raw data: Security Events, Threat Intelligence, System Health Data, Forensics Data, Network Statistics (powered by Corero First Line of Defense®)
      Actionable security analytics & visualization: Real-time Dashboards, Historical Reporting, Forensic Analysis, Behavioral Analysis
      Virtual SOC Portal; Powerful Analytics Engine
  • 19. Visibility – Attack Analytics & Reporting
  • 20. Corero SecureWatch® Analytics Portal
      • Corero Secure Operations Center: Corero SOC can remotely assist customers and partners
      • Corero Partner: Corero partners can view dashboards of customers they manage
      • Corero Customer: Corero customers can view dashboards of their own data
      [Diagram labels: Internet, Corero SecureWatch Analytics App, Dashboards 1 to 6, Site A, Site B.]
  • 21. First Line of Defense Applications
      • In the Cloud: Service providers, IT hosting and Cloud providers
      • On Premises: Enterprises – financial services, e-commerce providers, gaming, education
      [Diagram labels: Internet, SP, 1-10 Gbps, SLB/ADC, IPS/APT, WAF, Protected Critical Infrastructure and Services.]
  • 22. NEXT STEPS
      • Arrange for a proof of concept
      • Learn more at: www.corero.com
      • Join the Conversation: @Corero, @StephenJGates, @SecurityBistro
      • Corero Security Blog – The Security Bistro: www.securitybistro.com
  • 23. Thank You! For a copy of this presentation: info@corero.com

Editor's Notes

  • #2: Corero First Line of Defense introduction
  • #3: DDoS attacks have been increasing in frequency, capacity and overall effectiveness in recent months. This is just a sampling. You will notice a variety of spikes on this chart that indicate single attacks that neared or exceeded 300Gbps. 100Gbps attacks are no longer uncommon, and there are very few environments that can withstand that class of attack. 20% of datacenter downtime is attributed to DDoS attacks. Average downtime is 86 min, translating to an average of 86k in costs, with total outage damage averaging 700k. This is a sophisticated problem that requires a First Line of Defense.
  • #9: In an era where more bandwidth is required, and more bandwidth is being purchased, organizations are increasing their attack surface from a volumetric DDoS attack perspective. Corero provides a FLoD that prevents network and service outages by blocking attacks in real time. We do this unlike most competitive offerings, which provide strictly scrubbing center solutions. Our solution ensures that customers’ online services are maintained even while under attack. We block all attack traffic while allowing the good traffic to transit into your environment. We provide robust analytics/reporting to gain insight into the attacks and threats against your network. The FLoD extends the effective life of your security investments (your firewalls, IPSs, etc.) by protecting those security solutions from attacks, allowing them to operate as intended without forcing you into costly upgrades to support the expanded bandwidth requirements associated with the peak of attacks.
  • #17: The Corero FLoD employs a Next Generation architecture that delivers advanced DDoS and cyber threat protection, as well as comprehensive visibility into the attack landscape associated with your network. We will dig into each of these key areas in the following slides.
  • #18: Present the product line in context of the bandwidth requirements. Dave L to mark up. Evolutionary deployment for existing customers: existing DDS deployments can be scaled up without a forklift upgrade, with a SmartWall as an added component.
  • #19: From a visibility perspective, the Corero FLoD correlates security event info along with threat intelligence, like information about clients perpetrating an attack, their geo-location, the targeted victim server, and a host of other correlated event information provided by the Corero security analytics. We incorporate system health data on our appliances in your network as well as network statistics and forensics data about all of the flows moving within your environment. We present this in a virtual security operations center portal, which allows you to utilize our package analytics tool without having to invest in your own. This incorporates a powerful analytics engine that can determine real actionable security recommendations and even visualization in real time. Our dashboards show attacks as they occur and the top attacks against an environment over any period of time. We offer historical reporting, behavioral analysis, and full drill-down forensics capabilities to investigate any attack against your environment.
  • #21: All of this is packaged within the Corero SecureWatch analytics portal. For customers that don’t want to invest in their own SOC or don’t have the IT staff or expertise to build this type of tool, we provide a tool that allows you to optionally connect to the Corero SOC, where our security analysts can remotely assist our partners and customers. Our customers can have a view of their own data, while our partners that are servicing their customers can also have a view and provide managed services on behalf of their customers using the Corero environment. SecureWatch analytics is built on Splunk. So, for customers that are already invested in Splunk, we offer an application that seamlessly integrates with the Splunk environment and can be integrated into any analysis tools on that platform. All of our data is provided in syslog and can be optimized to work with any log management tool.
  • #22: There are a couple of applications for the FLoD highlighted here. The first is in the cloud. Our hosting and service provider customers utilize FLoD to protect against attacks on their internet peering points, shown in the top boxes connected to the cloud. Additionally, these customers can provide managed services to their customers, whether they be tenants in a multi-tenant environment or service provider subscribers, by aggregating our system at their edge. We also provide on-premises capabilities to enterprises and data center environments, where we support the ability to mitigate from 1GB to 10GB and even beyond. In all cases we can scale independently up to 40Gbps, 100GB and beyond. The right-hand description shows the FLoD providing DDoS protection in front of traditional security infrastructure, like firewalls, IDCs, WAF, IPSs, etc. By deploying the product there, we are protecting everything to the right of our devices from DDoS attacks. In many cases, if the enterprise owns the router, we can even deploy to the left of the router and protect it as well.
  • #23: Connect with your local sales personnel to discuss a POC. Why? Because if you take and deploy the Corero First Line of Defense in your environment, you will be amazed at the number of attacks that are already occurring in your environment, whether that be initial probes looking for vulnerable surfaces or significant attacks that are already occurring that you are not aware of. Our systems can be deployed in under an hour, up and running and providing benefit.