Re-Writing the Rules for DDoS Defense On-Prem + Cloud Based Protection
Stephen Gates - Chief Security Evangelist
© 2014 Corero www.corero.com
DDoS Attacks, 2013-2014
[Chart: Total Attack Bandwidth (Gbps), June 2013 to July 2014; data shown represents the top ~2% of reported attacks. Labelled events: JUNE 21 2013; AUG 9 2013; DEC 4 2013; DEC 31 2013 and MAR 29 2014 (major hosting sites); MAR 17 2014; JUNE 23 2014 (Hong Kong voting sites).]
Source: Network Computing/Ponemon Institute
• 20% of data center downtime is caused by a DDoS attack
• 86 minutes is the average data center downtime due to DDoS attacks
• $8K per minute is the average cost of this downtime
• $700K per incident is the average cost of a DDoS outage
DDoS Digital Attack Map
Source: Digital Attack Map - DDoS attacks around the globe
http://www.digitalattackmap.com/
Volumetric
Application
TCP Connect
Fragmented
According to a recent survey conducted by the SANS Institute…
“The most damaging DDoS attacks mix volumetric attacks with targeted, application-specific attacks.”
Are the attackers getting smarter?
• Researchers are finding an uptick in the number of new techniques
• Attackers are defeating traditional protection (firewall, ACL, blackhole)
• Attackers are developing new methods of bypassing defenses
What tools are the attackers using?
[Diagram: attack tools pointed at www.yoursite.com]
• High Orbit ION Cannon
• Low Orbit ION Cannon
• HULK
• SlowHTTPtest
• Hping3
• NMAP
• Metasploit
• Slowloris
• KillApache.pl
Can your existing security layers handle the onslaught?
Volumetric Attack Components
Bandwidth Saturation
Connection Saturation
Spoofed Connections
Reflections/Amplifications
Fragments
Partial Saturation
Concerns with partial saturation attacks
• Beyond very small attacks exhausting or slowing a particular resource
• Worse than traditional attacks targeted at disabling infrastructure
• New attacks that are a diversion for some larger threat (data exfiltration, planting malware, etc.)
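As an added illustration (not from the Corero deck), a Python classifier that maps one second of inbound flow aggregates onto the volumetric attack components listed above, including the low-rate partial-saturation case the slide warns about. The link capacity, baselines, thresholds and sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed figures for a hypothetical 1 Gbps edge link and its normal load.
LINK_BPS = 1_000_000_000
BASELINE_BPS = 120_000_000        # typical busy-hour inbound rate
BASELINE_CONN_PER_S = 2_000       # typical new TCP connections per second
BASELINE_LATENCY_MS = 40.0        # typical application response time

@dataclass
class Second:
    """One second of inbound aggregates from a flow collector (constructed)."""
    bps: int                # inbound bits
    syns: int               # TCP SYNs seen
    handshakes: int         # TCP handshakes that completed
    half_open: int          # server connections left in SYN_RECV
    udp_reflector_bps: int  # UDP bits from reflector ports (DNS, NTP, chargen, SSDP)
    fragment_share: float   # fraction of packets that are IP fragments
    latency_ms: float       # application response time (resource health)

def classify(s: Second) -> list[str]:
    """Name the slide's attack components that this second exhibits."""
    found = []
    if s.bps >= 0.9 * LINK_BPS:
        found.append("bandwidth saturation")
    if s.half_open >= 10 * BASELINE_CONN_PER_S:
        found.append("connection saturation")
    # Spoofed sources never answer the SYN-ACK, so completed handshakes lag SYNs.
    if s.syns >= 5 * BASELINE_CONN_PER_S and s.handshakes < 0.1 * s.syns:
        found.append("spoofed connections")
    # Large volumes of replies from UDP services we never queried: reflection.
    if s.bps >= 2 * BASELINE_BPS and s.udp_reflector_bps >= 0.25 * s.bps:
        found.append("reflection/amplification")
    if s.fragment_share >= 0.3:
        found.append("fragments")
    # Partial saturation: far below link capacity, yet a resource is degrading.
    if (not found and s.bps >= 1.5 * BASELINE_BPS
            and s.latency_ms >= 3 * BASELINE_LATENCY_MS):
        found.append("partial saturation")
    return found or ["baseline"]

# Constructed samples: quiet, SYN flood, NTP reflection, low-rate partial saturation.
SAMPLES = {
    "quiet": Second(110_000_000, 1_800, 1_750, 300, 2_000_000, 0.01, 38.0),
    "syn_flood": Second(400_000_000, 250_000, 1_500, 60_000, 0, 0.02, 900.0),
    "ntp_reflection": Second(950_000_000, 2_000, 1_900, 400, 880_000_000, 0.45, 1_500.0),
    "partial": Second(200_000_000, 3_000, 2_900, 500, 5_000_000, 0.02, 400.0),
}

def report() -> dict[str, list[str]]:
    return {name: classify(s) for name, s in SAMPLES.items()}
```

The partial-saturation rule only fires when no volume threshold has tripped, which is exactly why such attacks slip past detection that watches bandwidth alone.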
Businesses need protection from the Internet
With a first line of defense that:
• PREVENTS network/service outages by blocking attacks in real time
• EXTENDS the effective life of your existing security investments
• PROVIDES insight into attacks and evolving threats
• ASSURES customers can access online services
Proper DDoS Protection: Three options
• On-Premises
• Hybrid
• Cloud/Hosted
Threat mitigation benefits
On-premises and in-line:
• Always-on, real-time protection
• Complete, comprehensive security event visibility
• Inspection, analysis, alerting and real-time mitigation
• Protects against layer 3–7 attacks
• Do-no-harm approach
Operational benefits
On-premises and in-line:
• Improved response time and mitigation for the vast majority of attacks
• Allows highly trained staff to focus on more nefarious threats
• Broad protection at all layers protects critical infrastructure and optimizes its performance
• Service availability protects business integrity and increases productivity
Cost benefits
On-premises and in-line:
• A fraction of the cost of scrubbing or out-of-band solutions
• Protects downstream security investments
• Allows skilled (and highly paid) staff to focus on higher-layer threats, not mundane operational tasks
Cloud/Hosted Scenario
If scrubbing is an option that your business is committed to, consider the following:
• Always-on or on-demand
• Cost implications
• Total event traffic captured and analyzed
• Manual/human intervention
• Duration of large-scale attacks
• Application-layer attacks
What will it take to eliminate this problem?
[Diagram: Attackers and Good Users send Attack Traffic and Good Traffic through Service Provider Defenses (L3-L4); Attack Leakage and Good Traffic continue to On-Premises Defenses (L3-L7); only Good Traffic reaches the Protected Critical Infrastructure.]
Cloud Service Pricing
[Chart: price tiers $, $$, $$$, $$$$ plotted against the service options Base Service, Always on, Redirection Method, Attack Type, Size of Attack.]
Attack Detection to Prevention Process
[Timeline: Attack Begins, Attack Detected, Rerouted to Scrubbing Center; Time to Reroute marked at 10, 20 and 30 minutes.]
Conclusions: There is no one-size-fits-all solution
• Plan for day-to-day protection against baseline attacks
• Consider solutions that you can turn around and monetize
• Think about the cost of mitigation in a 24/7 attack environment: human and capital
• Prepare for larger sustained attacks and massive spikes
What is Your DDoS Protection Plan?
Advanced DDoS/Cyber Threat Protection
Comprehensive Visibility
Next Generation Architecture
Corero SmartWall® Network Threat Defense
ADVANCED DDOS & CYBER THREAT DEFENSE TECHNOLOGY
BUILT ON NEXT GENERATION ARCHITECTURE
COMPREHENSIVE ATTACK VISIBILITY & NETWORK FORENSICS
SmartWall Threat Defense System (TDS)
Enterprises & Service/Hosting Providers
On-Premises or Cloud deployments
Protection in modular increments of 10 Gbps
In-line or scrubbing topologies
Comprehensive Visibility
VALUABLE RAW DATA: Security Events, Threat Intelligence, System Health Data, Forensics Data, Network Statistics
Powered by Corero First Line of Defense®
ACTIONABLE SECURITY ANALYTICS & VISUALIZATION: Real-time Dashboards, Historical Reporting, Forensic Analysis, Behavioral Analysis
Virtual SOC Portal
Powerful Analytics Engine
Visibility – Attack Analytics & Reporting
[Diagram: Corero SecureWatch® Analytics Portal connected over the Internet to the Corero SecureWatch Analytics App at Site A and Site B, with dashboards for the following roles:]
Corero Secure Operations Center: Corero SOC can remotely assist customers and partners
Corero Partner: Corero partners can view dashboards of customers they manage
Corero Customer: Corero customers can view dashboards of their own data
First Line of Defense Applications
[Diagram: Internet / SP edge, 1-10 Gbps, in front of Protected Critical Infrastructure and Services: SLB/ADC, IPS/APT, WAF.]
In the Cloud: Service providers, IT hosting and Cloud providers
On Premises: Enterprises – financial services, e-commerce providers, gaming, education
NEXT STEPS
Arrange for a proof of concept
Learn more at: www.corero.com
Join the conversation: @Corero, @StephenJGates, @SecurityBistro
Corero Security Blog – The Security Bistro: www.securitybistro.com
Thank You!
For a copy of this presentation: [email protected]