DEFEATING CYBER THREATS REQUIRES A WIDER NET
INTRODUCTION
The evidence on cyber threats is staggering:
▪ Malware is reaching new all-time highs – McAfee, a provider of endpoint security software, reported nearly eight million new pieces of malware in the third quarter of 2012 alone.[1] Malicious and high-risk mobile apps are also on the rise: Trend Micro, for example, had identified 145 thousand malicious Android apps as of September 2012.[2] Keeping malware at bay, already a “treading water” challenge, is intensifying.
▪ BYOD is a growing threat vector – With the escalating pervasiveness of
smartphones and tablets—Frost & Sullivan estimates smartphones shipped in 2012
will reach 558 million, and tablets will reach 93 million—more fuel is added daily to
the Bring Your Own Device (BYOD) movement. From a security perspective, the
implications of BYOD are more untrusted devices connecting into corporate
networks and connecting to enterprise public-facing Web sites; and, with that, more
devices are potential participants in malware propagation and botnet-based attacks.
The enemy is everywhere.
▪ Distributed Denial of Service (DDoS) attacks are approaching mainstream – In a 2012 survey of network operators conducted by Arbor Networks, over three-quarters of the operators experienced DDoS attacks targeting their customers.[3] In a
2012 Frost & Sullivan-conducted global survey of security professionals, cyber
terrorism and attacks by hacktivists were identified as top security concerns by 19
percent and 14 percent of the survey respondents, respectively. Malware infections
and application vulnerabilities were cited as top concerns by the greatest number of
survey respondents—27 percent each. The list of significant security concerns is
growing in length and diversity.
▪ Exposure footprint is expanding – The cloud is becoming another computing
“location” for a growing number of organizations. According to the same Frost &
Sullivan 2012 global survey of security professionals, slightly more than one-third of
the respondents cite cloud computing as a high priority for their organizations now,
and that percentage increases to 54 percent in two years. In other words, more than
half of the surveyed organizations expect to be using or in the process of moving a
portion of their operations to the cloud in two years.
[1] McAfee Threats Report: Third Quarter 2012, available for download at: http://www.mcafee.com/us/mcafee-labs.aspx.
[2] TrendLabs 3Q 2012 Security Roundup, available for download at: http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html#threat-reports.
[3] Worldwide Infrastructure Security Report, available for download at: http://www.arbornetworks.com/research/infrastructure-security-report.
What is of equal concern is that organizations cannot change how they conduct their
operations. Networks, whether they are private or public, are the circulatory systems of
business. Malicious and unwanted traffic clogs these electronic arteries and adds risk to maintaining stable operations, reaching profitability objectives, managing a business’s brand reputation, complying with regulations, and safeguarding sensitive data.
TRADITIONAL CYBER DEFENSE APPROACHES ARE INSUFFICIENT
To lessen these risks, organizations rely on an assortment of gateways and filters to
cleanse their network traffic. Although logical, this approach is dependent on the ability
to identify threatening traffic with effectiveness and time efficiency, and then update
security policies and malware and intrusion signatures with equal accuracy and speed.
Many factors, however, make this critical task difficult, such as: unending escalation in
traffic volume and originations, evolving network and computing infrastructures and
traffic patterns, and hacker sophistication to evade detection.
Despite all of these challenges, Stratecast’s perspective is that this identify-and-mitigate
approach is fundamentally sound but incomplete. Where the incompleteness lies is in the
restricted net of information and resulting analysis. Too often, organizations rely
extensively on the traffic that they can see on their individual networks, and the traffic
their individual carriers see. While essential, these views are not the entire universe, but
merely a sample and, as a sample, subject to interpretative error (i.e., insufficient data
points to reach conclusions with a maximum level of confidence and in an optimized
window of time).
What is needed is a net that is wider, with continuous data feeds from a community of
carriers. Not only does this extended reach add to the breadth of data available for
analysis (e.g., catching clues on threatening traffic on one carrier’s network before this
same type or origin of trending traffic invades other carrier and enterprise networks),
but also improves the integrity of mitigation policy changes and creation of new policies
as more confirming data points on threatening traffic are available.
Arbor’s ATLAS® (Active Threat Level Analysis System) reflects this carrier and enterprise
community attribute. Furthermore, ATLAS is not a theoretical concept but a set of
established services that have been supporting carriers and large, Internet-based
enterprises on an opt-in basis for six years. ATLAS’s existence and expanding carrier and
large enterprise participation is a testament to its value.
In this paper, Stratecast will provide an overview of ATLAS, and detail why carriers and
enterprises should participate in ATLAS; and, by association, why enterprises should take
note of the participating carriers in making their carrier selections.
ARBOR ATLAS FUNDAMENTALS
ATLAS is a globally operating threat analysis network. Launched in 2007, ATLAS transparently, and on an hourly basis, collects network traffic data from sensors hosted in carriers’ darknets, and data from carrier- and enterprise-deployed Arbor security and traffic-monitoring platforms. Between these two sources, Arbor is collecting data from all assigned IP addresses—service-active IP addresses from Arbor platforms and service-inactive IP addresses from darknet-hosted ATLAS sensors.
In terms of scale, there are more than 250 ATLAS-participating carriers and enterprises
supplying a peak stream of network traffic data of over 38 terabytes per second (Tbps).
Stripped of carrier and customer sensitive information, this data is fed into the Arbor
Security Engineering Response Team (ASERT) database and combined with third-party
threat information sources for assessment.
Operating 24x7, ASERT researchers transform this data stream into actionable intelligence on malware, phishing attempts, botnets (command & control and botnet zombies) and DDoS attacks. Notable for its depth, this data is bi-directional, representing traffic originating in carrier networks and their customers’ locations (where ATLAS platforms are deployed), as well as inter-carrier traffic. Alternatively stated, both the origins of threatening traffic (compromised hosts and locations) and its targets are included in the ASERT database. Furthermore, ASERT researchers examine traffic data over time and in simulated and real polymorphic forms, in order to identify highly sophisticated, composite, and personalized threats.
[Figure. Source: Arbor Networks]
From a historical perspective, ATLAS, underpinned by ASERT (a 12-year-old
organization), is the culmination of pioneering, industry-collaboration initiatives
sponsored by Arbor. The first launch, in 2004, was the Arbor Worldwide Infrastructure
Security Report. An original, this report was prepared by Arbor with direct participation
by its carrier customers and for its carrier customers to improve their network security
strategies and tactics. One year later, in 2005, Arbor launched its Fingerprint Sharing
Alliance (FSA). This alliance demonstrated the inter-carrier benefit of automated sharing
of Internet attack information; in essence, uplifting the information sharing value of the
Arbor Worldwide Infrastructure Security Report from once-a-year to continuous. For
alliance participants, FSA again leveraged the power of community. For example, rather
than establishing multiple pair-wise, carrier-to-carrier data sharing arrangements, or as a
supplement to these, the clearinghouse function of FSA delivers Arbor-certified attack
and anomaly traffic identifiers to each FSA subscriber, and does this without exposing
private carrier or enterprise information. FSA also delved into the next layer of pressing
needs for carrier and enterprise security professionals—that is, transforming threat
information into trusted and actionable threat intelligence. Or, stated alternatively,
assisting Arbor customers in being wise in threat information assessments and
confidently deliberate in acting on this information.
ASERT’s actionable threat intelligence exists in two Arbor automated services:
▪ Active Threat Feed (ATF) – The ATF is an activity-based threat detection
service for known and emerging threats. ASERT uses attack information from
ATLAS to create detailed profiles or “fingerprints” of security threats, including
attacks, unauthorized activity or malicious traffic patterns. Unlike traditional
defenses such as IPS/IDS or anti-virus, which use signatures to detect attacks, the
ATF fingerprints provide subscribers with a broad scope of security intelligence
and visibility into the events occurring on the network, including advanced
threats and botnet activity.
▪ ATLAS Intelligence Feed (AIF) – With DDoS attacks going mainstream,
carriers and enterprises are facing a legitimate business appropriation concern:
whether additional hardware investments and security personnel will be required
to address this looming threat. AIF delivers real-time DDoS and botnet
signatures to protect networks and Web infrastructure from DDoS attack
toolsets and their variants. In action, these feeds directly and automatically
populate DDoS and botnet identification and mitigation policies. With DDoS
attacks having the capability of going from a trickle to a debilitating wave in a
cyber moment, automatic policy updates based on the wide experience aperture of ATLAS community members and vetted by ASERT researchers are essential.
For ATLAS subscribers seeking additional threat intelligence, Arbor hosts a Web-based portal. Subscriber views can be dynamically customized at a highly granular level; e.g., for a specific Autonomous System Number (ASN), IP address, or country. For non-subscriber portal visitors, the ATLAS portal lists the top 20 threat sources from the latest 24-hour period.
ATLAS BENEFITS FOR CARRIERS AND ENTERPRISES
For security professionals, useful threat intelligence is paramount. But, as previously
stated, value lies in the range, integrity and timeliness of this intelligence. This is the first
benefit of ATLAS—a community-supported, vetted, real-time and actionable source of
threat intelligence.
In practice, this benefit has three correlated business and operational offshoots:
▪ More threats are proactively mitigated, resulting in a lower overall risk posture.
▪ Less remediation occurs. With fewer attacks being successful, remediation efforts
(e.g., purging endpoint devices of malware infections, bolstering Web
infrastructure to defend against DDoS attacks, and conducting data breach
notifications) will be fewer in number and smaller in scale.
▪ As ATLAS researchers monitor and assess traffic data from Arbor platforms and
darknet sensors, carrier and enterprise security analysts gain the benefits of this
threat analysis without incurring the work effort. Their knowledge levels are
enhanced.
Obviously, these outcomes contribute to heightened operational efficacy for security
organizations. However, efficacy improvements do not end there. Placing ATLAS’s threat
intelligence in the broader context of existing security technologies that rely on
signatures, such as IPS/IDS and anti-malware, security teams may determine that
examining and updating signature files does not always need to be conducted on an
“urgent” basis. Armed with the contextual attack data from ATLAS, security
professionals have the information necessary to prioritize signature deployment in other
network security products such as IDS/IPS and anti-malware applications.
Lessening “break away” crises leaves more uninterrupted time for security professionals
to concentrate on other important responsibilities and initiatives.
ADDED ATLAS BENEFITS FOR CARRIERS
Whereas the previously listed ATLAS benefits are focused on gains in operational
efficacy, improving risk posture, and de-stressing the work lives of security professionals,
there is also a de-stressing benefit to carriers’ network infrastructures. This benefit
comes into play in the routing of darknet IP addresses. By routing darknet IP addresses
to the carrier-hosted ATLAS sensors, rather than the carrier’s production routers, the
traffic load associated with the darknet is removed from these production routers. This
darknet “off-loading” benefit is most evident during periods of high volume attacks aimed
at darknet addresses. As the carrier’s production routers are not bombarded by this
influx of undesirable, yet useful, traffic (i.e., useful in the sense that this traffic provides
clues on emerging security threats), network administrators will not be pulled away from
their important responsibilities to concentrate on this traffic spike, and how to mitigate
the impact on their production networks.
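The two ATLAS mechanics described above, sensors that receive traffic sent to service-inactive (darknet) addresses, and routing those prefixes to a sensor rather than to production routers, can be illustrated with a small darknet-telescope classifier. The code below is an added example written for this page; it is not Arbor's or ATLAS's code. The darknet prefixes, the flow records and the scan threshold are all constructed for the illustration: anything arriving at an address that hosts no service is unsolicited by definition, so hits across many darknet addresses from one source indicate scanning, and TCP SYN-ACKs arriving at darknet addresses are backscatter, i.e. a victim elsewhere answering spoofed SYNs.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed darknet prefixes (documentation ranges, not real allocations):
# address space the carrier routes to a sensor instead of to production routers.
DARKNET_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, tcp_flags).
# tcp_flags is "S" (SYN), "SA" (SYN-ACK) or "" for non-TCP traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 445, "S"),   # same source probing
    ("192.0.2.10", "198.51.100.6", "tcp", 445, "S"),   # several darknet
    ("192.0.2.10", "198.51.100.7", "tcp", 445, "S"),   # addresses on one port
    ("192.0.2.10", "203.0.113.9", "tcp", 445, "S"),
    ("192.0.2.77", "198.51.100.20", "udp", 53, ""),    # two UDP probes only
    ("192.0.2.77", "198.51.100.21", "udp", 53, ""),
    ("192.0.2.200", "198.51.100.40", "tcp", 80, "SA"), # SYN-ACKs nobody asked for:
    ("192.0.2.200", "203.0.113.41", "tcp", 80, "SA"),  # backscatter from a flooded host
    ("192.0.2.10", "192.0.2.50", "tcp", 445, "S"),     # production traffic, not darknet
    ("192.0.2.77", "10.0.0.1", "udp", 53, ""),         # production traffic, not darknet
]


def is_darknet(addr, prefixes=DARKNET_PREFIXES):
    """True if addr falls inside one of the sensor-routed darknet prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def classify_flows(flows, prefixes=DARKNET_PREFIXES, scan_threshold=3):
    """Summarize only the traffic that lands in darknet space.

    Production flows are skipped, which mirrors the off-loading point: the
    sensor, not the production router, absorbs and analyses this traffic.
    scan_threshold (constructed) is the number of distinct darknet targets a
    source must touch before it is reported as a scanner.
    """
    targets_by_src = defaultdict(set)
    port_hits = Counter()
    backscatter = Counter()
    darknet_flows = 0
    for src, dst, proto, dport, flags in flows:
        if not is_darknet(dst, prefixes):
            continue
        darknet_flows += 1
        if proto == "tcp" and flags == "SA":
            # A SYN-ACK to an address that never sent a SYN means the "source"
            # is replying to spoofed SYNs: evidence of a SYN flood against it.
            backscatter[src] += 1
            continue
        targets_by_src[src].add(dst)
        port_hits[(proto, dport)] += 1
    scanners = {s: len(t) for s, t in targets_by_src.items() if len(t) >= scan_threshold}
    return {
        "darknet_flows": darknet_flows,
        "scanners": scanners,                      # src -> distinct darknet targets
        "backscatter_victims": dict(backscatter),  # src -> unsolicited SYN-ACK count
        "top_ports": port_hits.most_common(),      # (proto, port) -> probe count
    }


def report_lines(summary):
    """Render the summary as analyst-readable lines (returned, not printed)."""
    lines = [f"darknet flows: {summary['darknet_flows']}"]
    for src, n in sorted(summary["scanners"].items()):
        lines.append(f"scanner {src}: {n} distinct darknet targets")
    for src, n in sorted(summary["backscatter_victims"].items()):
        lines.append(f"probable flood victim {src}: {n} backscatter SYN-ACKs")
    for (proto, port), n in summary["top_ports"]:
        lines.append(f"probed {proto}/{port}: {n} hits")
    return lines


if __name__ == "__main__":
    for line in report_lines(classify_flows(SAMPLE_FLOWS)):
        print(line)
```

On the constructed input the classifier reports one scanner (four darknet targets on tcp/445), one probable SYN-flood victim seen only through backscatter, and the two production flows are never counted. A real sensor would consume sampled flow or packet data rather than a hand-written list, but the classification logic is the same.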
Another carrier benefit of ATLAS is in its market positioning. When given a choice,
network administrators rank service reliability among the top attributes in network
service selection. In a mid- 2012 survey of U.S. businesses, conducted by Frost & Sullivan,
service reliability was second only to security as the most cited network services
attribute. ATLAS directly contributes to both of these attributes by uplifting carriers’
ability to fortify the security and reliability of their production networks. Built on the
“worldwide traffic library and brain” of ASERT, ATLAS-participating carriers have a
tangible point of evidence to show their customers that they are not combating cyber
threats alone; they are taking advantage of an expansive community.
ENTERPRISES SHOULD TAKE NOTE
Enterprise security operators are responsible for protecting their networks from
confidential data breaches, unauthorized access (even from trusted users), maintaining
network integrity, and ensuring solid brand reputation—as well as helping the network
team keep stable service levels. Attackers are taking advantage of these professionals’
multiple responsibilities and launching multi-stage, blended attacks that are uniquely
designed for that organization’s infrastructure. While some enterprise security
professionals love getting into the weeds of attack information—understanding where it
came from, the triggers associated with attacks and so on—it is simply not practical for
most.
In addition to security, service reliability is vital to any business that runs critical
operations on the Internet or private networks that are not fully isolated from the
Internet. While the business implications of service disruptions and uneven service
performance will vary by circumstance, gauging those implications through experience is
a risky proposition. Given the choice, is it not preferable to select network services from
ATLAS-participating carriers?
Data from ATLAS provides these busy security professionals with not only accurate and
effective security via the AIF and ATF feeds that run in Arbor’s products; it also provides
valuable context and information on attacks that can be used for proactive security. This
security intelligence and forensic data can be used for updating security enforcement
policies across the network, as well as for mitigation of threats that were previously not
known. By updating these policies and proactively blocking threats, the security team can
keep the network uncluttered from attack traffic—maintaining reliable service for critical
business applications.
The Last Word
Michael Suby, VP of Research, Stratecast | Frost & Sullivan
Shortly after the dawn of the public Internet, carriers supporting the Internet’s
backbone, and commercial entities relying on the Internet to support their internal
operations and conduct public-facing businesses, have been in a constant and ever-
evolving battle against a myriad of threat types and actors. There is absolutely no
reason to expect this battle to end. Moreover, battlefield expansion is a certainty as
the volume and diversity of Internet-enabled devices grows and enterprises expand
their virtual points of presence into a variety of interconnected cloud and hosting
environments. In essence, the Internet’s relevancy and enterprise dependency are
rising. With that, the attraction of it to cyber criminals, protestors and disruptors—
from basement hobbyists to highly organized entities—will also increase.
For carriers, hosting and cloud services providers, and enterprises, a fundamental
question is how to leverage and protect the openness of the Internet and the
business opportunities the Internet presents. Our position is that a structured
worldwide, community-supported approach to threat analysis and response is
fundamentally essential. The diversity, morphing velocity and sophistication of emerging threats call for nothing less than a complete and real-time assessment of
all battleground fronts. ATLAS has the carrier and enterprise relationship scale,
expertise of ASERT and experience to support such an effort.
877.GoFrost • [email protected]
http://www.frost.com
ABOUT FROST & SULLIVAN
Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's
TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused
culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50
years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community
from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership
Services, visit http://www.frost.com.
ABOUT STRATECAST
Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription
research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only
attainable through years of real-world experience in an industry where customers are collaborators; today’s
partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your
Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.
Silicon Valley
331 E. Evelyn Ave., Suite 100
Mountain View, CA 94041
Tel 650.475.4500
Fax 650.475.1570
London
4, Grosvenor Gardens,
London SW1W 0DH, UK
Tel 44(0)20 7730 3438
Fax 44(0)20 7730 3343
San Antonio
7550 West Interstate 10, Suite 400
San Antonio, Texas 78229-5616
Tel 210.348.1000
Fax 210.348.1003
Auckland
Bangkok
Beijing
Bengaluru
Bogotá
Buenos Aires
Cape Town
Chennai
Colombo
Delhi / NCR
Dhaka
Dubai
Frankfurt
Hong Kong
Istanbul
Jakarta
Kolkata
Kuala Lumpur
London
Mexico City
Milan
Moscow
Mumbai
Manhattan
Oxford
Paris
Rockville Centre
San Antonio
São Paulo
Seoul
Shanghai
Silicon Valley
Singapore
Sophia Antipolis
Sydney
Taipei
Tel Aviv
Tokyo
Toronto
Warsaw
Washington, DC