A Hybrid Approach: Rewriting the Rules for DDoS Defense

The dilemma for organizations when implementing an effective DDoS defense is whether to deploy on-premises DDoS protection or subscribe to a cloud-based provider. These decisions are not taken lightly, as the threat landscape is wide ranging and increasingly sophisticated.

Organizations outlining their DDoS defense strategy typically begin with out-of-band defenses and anti-DDoS scrubbing-lane approaches that re-route traffic once an attack has been identified. This is a good first step for DDoS prevention, but it is only the tip of the iceberg. Industry analysts recommend a two-pronged approach: in-line, real-time detection and attack mitigation as the primary means of DDoS defense, and cloud anti-DDoS for full-pipe saturation attacks.

Here’s why: partial saturation attacks are becoming more commonplace. These DDoS attacks are large (relatively speaking) but last only a short time, and they do not fully saturate the internet link. While they can be devastating to unprotected downstream border defenses, hosted customers or internet-facing services, the motive is most often financial gain or theft of sensitive data. Additionally, these partial saturation events are too short for the attack to be detected and traffic re-routed quickly enough for a cloud-based DDoS mitigation service to provide much, if any, benefit.

When assessing DDoS defense strategies, the solutions aren’t like-for-like comparisons. However, there is a suggested approach to protect against the entire spectrum: hybrid on-premise and cloud DDoS mitigation. Let’s look at each of the components.

Cloud Anti-DDoS Solution

DDoS protection provisioned as a service is most often an on-demand option for large-scale attacks. A massive volumetric attack occurs when more traffic is sent than the total bandwidth of the network link can carry, which no amount of on-premises hardware can effectively combat.

Human intervention is critical to an on-demand defense approach: once an attack is detected, an analyst must decide to enable the transition to the cloud. In a recent study, nearly 50% of respondents cited customer complaints as their initial means of DDoS notification. The time from detection to mitigation can range upwards of one hour with this approach. However, the majority of volumetric attacks last 30 minutes or less. By the time your on-demand defenses are engaged, the damage is done.
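To put numbers on the two paragraphs above (short partial-saturation bursts versus an hour-long detection-to-mitigation gap), here is an added example, not code from the original article or from Corero: a constructed one-second traffic series on an assumed 1 Gbps link with a ten-minute burst that reaches only 70% of the pipe, a simple in-line rate detector with a hold time to avoid single-second false positives, and the share of the attack window each response model actually mitigates. Link size, burst size and reaction delays are all assumptions chosen to match the figures the article gives.

```python
"""Added example, not from the original article: a constructed one-second
traffic series on a 1 Gbps link with a ten-minute burst that reaches only
70% of the pipe (a partial saturation attack), an in-line rate detector
that flags the burst within seconds, and the share of the attack window
that each response model actually mitigates.  All numbers are constructed
for the demo; link size, burst size and reaction delays are assumptions."""

LINK_BPS = 1_000_000_000          # assumed 1 Gbps internet link
ATTACK_WINDOW = (30, 630)         # burst from t=30 s to t=630 s (10 minutes)


def build_samples(seconds=900, baseline_bps=100_000_000,
                  attack=ATTACK_WINDOW, attack_bps=700_000_000):
    """Return bits per second observed in each one-second interval."""
    start, end = attack
    return [attack_bps if start <= t < end else baseline_bps
            for t in range(seconds)]


def peak_utilization(samples, link_bps=LINK_BPS):
    """Fraction of the link consumed at the busiest second (<1.0 = partial)."""
    return max(samples) / link_bps


def inline_detect(samples, link_bps=LINK_BPS, ratio=0.5, hold=3):
    """In-line detector: return the first second at which utilization has
    stayed at or above `ratio` of the link for `hold` consecutive seconds,
    or None if the threshold is never held.  The hold time is what keeps a
    single bursty second from triggering a false positive."""
    run = 0
    for t, bps in enumerate(samples):
        if bps >= ratio * link_bps:
            run += 1
            if run >= hold:
                return t
        else:
            run = 0
    return None


def mitigated_fraction(attack, detect_t, reaction_secs):
    """Share of the attack window during which mitigation was active, given
    the second of detection and the delay until mitigation takes effect."""
    start, end = attack
    if detect_t is None:
        return 0.0
    active_from = max(detect_t + reaction_secs, start)
    covered = max(0, end - active_from)
    return covered / (end - start)


if __name__ == "__main__":
    samples = build_samples()
    t = inline_detect(samples)
    print(f"peak utilization {peak_utilization(samples):.0%}, detected at t={t}s")
    # In-line device: mitigation engaged about 1 s after detection (assumed).
    print(f"in-line coverage:   {mitigated_fraction(ATTACK_WINDOW, t, 1):.1%}")
    # On-demand cloud swing: analyst decision plus re-route, about 1 hour.
    print(f"on-demand coverage: {mitigated_fraction(ATTACK_WINDOW, t, 3600):.1%}")
```

With these inputs the in-line path covers essentially the whole burst, while a one-hour swing to the cloud engages long after the burst has ended and covers none of it; shortening the hold time trades faster detection for more false positives, which is the tuning problem an in-line device has to get right.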

With out-of-band cloud anti-DDoS, visibility and analysis begin only after the traffic has been re-routed to the scrubbing service, allowing little, if any, insight into the attack and eliminating analysis capabilities on your side.

Some businesses that frequently experience these attacks subscribe to an always-on anti-DDoS cloud solution service. The costs associated with this are substantial. If frequent, massive volumetric DDoS attacks are the Achilles’ heel of your organization, it’s hard to put a price on uninterrupted service availability.

On-Premises Real-Time Defense

Purpose-built DDoS defense solutions are deployed between the internet and the enterprise network. A first-line-of-defense approach prevents outages by inspecting traffic at line rate and blocking attacks in real time while allowing approved traffic to flow. On-premises, real-time defense deployed at the network edge enables complete and sophisticated visibility into DDoS security events. Additionally, archived security event data enables forensic analysis of past threats and compliance reporting of security activity, a strong advantage against attackers when DDoS is used as a distraction.

Because it sits in-line, an on-premises device must enforce mitigation policies against attack traffic precisely: without false positives, at line-rate performance and with maximum security efficacy. On-premises technology is designed to handle volumetric network-based attacks, reflective and amplified spoofed attacks, as well as application-layer attacks.

A Possible Silver Bullet – The Hybrid Approach

In 2014 the SANS Institute reported: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”

On-demand cloud defense for pipe saturation attacks, coupled with always-on, on-premises defense, provides protection against the whole spectrum. Businesses that engage with an on-demand DDoS mitigation provider can quickly initiate that service, based on the visibility their on-premises device gives them, in the event of a massive volumetric attack. The main benefit of a hybrid approach is that the on-premises device heavily reduces the number of times an organization switches over to the cloud, lowering cost and providing comprehensive and consistent defense.

During the switchover, the on-premises solution continues to provide protection against any threats not mitigated by the cloud. Continuous monitoring shows when your organization can return to normal operation. Collaborative communication and information sharing between you and your provider gives comprehensive visibility and enhances the overall security performance of your network.

An always-on solution combined with on-demand cloud defense gives businesses a means of safeguarding against the vast scope of DDoS attacks aimed at their networks. With DDoS attacks now delivered in various sizes and with differing intentions, ensuring that the appropriate prevention best practices are applied correctly could well be what saves your organization from falling victim to a major breach of information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
About the Author

Dave Larson is CTO at Corero Network Security. He is responsible for directing the Corero technology strategy, bringing over 20 years’ experience in the network security, data communication and data center infrastructure industries. Most recently, he served as CTO for HP Networking and vice president of the HP Networking Advanced Technology Group. Prior to HP, Larson was vice president of Integrated Product Strategy for TippingPoint and has held senior roles with Tizor Systems, Sandburst Corporation and Xedia Corporation.

Top Ten Ways to Defend your Network against the Latest SSL Exploits

29 MAY 2014 | WHITE PAPER

Staying on top of the latest web exploits can be a challenge for Network Admins who are worried about simply keeping up with all the day-to-day management tasks required by a complex environment. This whitepaper details many of the most recent popular SSL-related exploits that your network is likely vulnerable to, along with simple steps you can immediately take to protect yourself.

Armed with the right tools and know-how, Network and Security Admins can take the right steps to lock down their networks against viable dangers. The reality is that brute-force attacks are not new, but they remain a viable danger to your network, even if you are securing it by more traditional means.

This article details many of the most prevalent SSL exploits that your network could be vulnerable to, ranging from not using HSTS (HTTP Strict Transport Security) to the more theoretical BEAST (Browser Exploit Against SSL/TLS) attacks. Most importantly, this paper offers some simple steps you can take to protect your network now. A few of the ten defense techniques you will learn are:

Disabling TLS Compression to defeat CRIME
Using HttpOnly Cookies to defeat Cross-Site Scripting
Supporting Secure Renegotiation to defeat Man-in-the-Middle attacks
And 7 other valuable techniques to strengthen your network’s security
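The first two items in that list can be checked mechanically. The following is an added example, not code from the white paper or its publisher: it audits a set of HTTP response headers for HSTS (with a max-age of at least a year, the commonly recommended floor, which is an assumption here rather than a figure from the paper) and for cookies missing the HttpOnly and Secure attributes, and it builds a client TLS context with compression disabled, the standard CRIME mitigation, using only the standard-library `ssl` module. The response headers are constructed for the demo.

```python
"""Added example, not from the white paper: audit an HTTP response for two
of the items above (HSTS present with a sane max-age, cookies flagged
HttpOnly and Secure) and build a client TLS context with compression
disabled, the standard CRIME mitigation.  The response headers are
constructed for the demo."""
import ssl

ONE_YEAR = 31_536_000   # assumed floor for max-age; shorter values weaken HSTS


def parse_cookie(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, flags


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1].strip())
            except ValueError:
                return 0
    return 0


def audit_headers(headers):
    """headers: list of (name, value) pairs as a server sent them.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header (HSTS not enabled)")
    elif hsts_max_age(hsts[0]) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, flags = parse_cookie(v)
        if "httponly" not in flags:
            findings.append(f"cookie {name!r} lacks HttpOnly (readable by injected script)")
        if "secure" not in flags:
            findings.append(f"cookie {name!r} lacks Secure (sent over plain HTTP)")
    return findings


def hardened_client_context():
    """TLS context with compression off (CRIME) and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def compression_disabled(ctx):
    """True when the context will never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


# Constructed sample responses: a weak one and its corrected form.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened findings:", audit_headers(HARDENED_HEADERS))
    print("compression disabled:", compression_disabled(hardened_client_context()))
```

Running the audit against the weak response reports the missing HSTS header and the `prefs` cookie's missing attributes; the corrected response reports nothing. Secure renegotiation is negotiated inside the TLS handshake and is not visible in HTTP headers, so it is not covered by this check.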

Chinese Hacking Charges a Wakeup Call for Both China & US Businesses

Indictments open the door for more aggressive US litigation of intellectual property theft by China — but with possible costs to US businesses.

Call it a calculated risk: The US Department of Justice conducted an unprecedented naming and shaming yesterday of five members of an infamous Chinese military unit known for spying on US companies for intellectual property and other valuable commercial intelligence.

A day after pictures of the men (two in military uniform) were plastered on the FBI’s Most Wanted posters, the fallout already has begun. No one expects China to extradite the defendants to the US, to fess up to stealing corporate secrets from US firms to assist its state-owned businesses, or to promise to curtail that activity. The hope is that the aggressive US strategy of taking very public legal action against China’s cyberespionage activity at the least will send a chill among China’s advanced persistent threat operatives.

As expected, China has strongly denied the charges, which cite specific incidents of cybertheft from major US corporations by the five defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of China’s People’s Liberation Army in Shanghai. Chinese officials confronted the US ambassador to China, Max Baucus, about the indictment and warned that it would have consequences. Today officials released data from the nation’s CERT that they say shows US botnet servers controlling 1.18 million host machines in China.

“This is the first salvo in a tit-for-tat that is going to go on. China is going to retaliate,” says Timothy Ryan, a managing director with Kroll Advisory Solutions’ cyber investigations practice and a former FBI official who headed its cybersquad.

That may mean an escalation of targeted hacking, experts say. But retaliatory hacking could backfire on China, which is now under criminal scrutiny by the US and could face further exposure and indictments of its hackers. Robert Anderson, executive assistant director of the FBI, said yesterday that criminal charges for such activity by China or other nations would be “the new normal,” and that the indictment opens the floodgates for other charges.

“The United States has chosen the old stick and carrot approach — rewards and punishments — when it comes to conducting cyber diplomacy with China. What we are seeing now with the announcement yesterday is the stick, a shot across the bow, and it should be taken seriously by the Chinese. In the past few weeks, the US was primarily using the carrot as an incentive,” says Franz-Stefan Gady, senior fellow with the EastWest Institute. “It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions.”

Though China quit the new China-US working group on cyber security yesterday in protest of the latest developments, Gady says China isn’t likely to make any moves to derail the recent military dialogue between US Secretary of Defense Chuck Hagel and General Chang Wanquan.

Also, Gady doesn’t expect the indictment controversy to hurt the US-China anti-spam collaboration effort, which the EastWest Institute helped establish in February 2011. “I do think that cooperation on the technical level will continue unhindered. The great thing, but also the downside, of tech-tech cooperation is that it is inherently apolitical and not subject to temporary political ill winds.”

It is highly unlikely that the five indicted members of Unit 61398 will ever be tried for these crimes, but they now have some significant travel restrictions. “If they have kids in school in other countries,” the members won’t necessarily be free to travel there, says Michael Quinn, associate managing director with Kroll’s Cyber Investigations Practice and a former FBI supervisory special agent in the Cyber Division. “If they want to see their kid graduate” from a US college, “they may not travel there now, because they’re going to get arrested.” They also could be taken into custody “if they are IDed outside the country somewhere friendly to the US.”

Quinn says the indictment handed down yesterday had been in the works for a long time. “What we saw yesterday was the outcome of a very long process.”

And experts say there are plenty more in the pipeline.

The indictment also may have some unintended consequences for the victim organizations named in the case, which include Alcoa, US Steel, and Westinghouse. “It could go from the criminal realm to the civil realm,” Ryan says. “Now that these very persistent breaches were made public, you’re going to have shareholders asking you: What did you do? When did you know it? How many times were you breached? Was this in the prospectus?”

Kristen Verderame, CEO of Pondera International, says the DOJ move should be a wakeup call for US companies doing business in China and with Chinese companies. “It will open the eyes of US companies to the dangers. If you are doing joint ventures, you need to have your cyber security [strategy] up front and be very careful” sharing information electronically, for example. “If you deal with China, you have to do so with your eyes open.”

That level of scrutiny could make it more difficult for China to steal intellectual property from its corporate US partners without the threat of exposure by US law enforcement, experts say. China culturally is loath to such public embarrassment, they say.

“The US is looking to get some sort of agreement from China… that moderates their behavior,” Ryan says. “I don’t think anyone would fault China for spying to protect its political and economic security… but you can’t have it both ways. You can’t be a capitalist nation but use a state-sponsored apparatus to create this uneven playing field. That’s no different than China subsidizing all exports so no one [from other countries] can compete in China.”

This new pressure on China to dial back its cyberspying for commercial profit is unlikely to yield major results anytime soon. “I wouldn’t think these allegations will stop the Chinese in stealing trade secrets, as I’m sure they will change their TTPs [tactics, techniques, and procedures] and will likely start looking for a mole or any internal leaks,” says John Pirc, CTO of NSS Labs and a former CIA agent.

By Kelly Jackson Higgins
Senior Editor at DarkReading.com.

Retail Breaches Bolster Interest In NIST Cyber Security Advice

Target data breach highlighted risks in corporate supply chains, and companies are looking to government guidelines for ways to shore up cyber defense, says White House.

Last year’s massive Target data breach, in which hackers infiltrated the retailer’s point-of-sale system by exploiting a vendor’s IT system, has prompted corporate executives to take a deeper look at the security posture of companies in their supply chains. It’s also brought greater attention to recommendations released in February by the Obama administration, outlining voluntary national cyber security practices, a White House aide said this week.

The recommendations are part of a cyber security framework developed by the National Institute of Standards and Technology, together with private industry. The framework was originally aimed at critical infrastructure owners in 16 industries, including banks, utilities, and communications. But the document has caught the attention of executives in many fields, because it provides, for the first time, a common template for assessing corporate security practices across entire industries.

“One of the areas that we’ve seen companies… start to use the [cyber security] framework is in vendor management,” as a tool for assessing cyber security risks in their supply chains, said Ari Schwartz, a cyber security advisor on the White House National Security Council.

Finding the weak security links in corporate supply chains has taken on greater urgency for top executives after investigators reported that hackers had gained access to Target’s network using credentials obtained from a heating, ventilation, and air-conditioning (HVAC) vendor. The attackers ultimately made off with as many as 40 million credit and debit card numbers and personal information on 70 million customers. The breach also resulted in the March resignation of Target CIO Beth Jacobs and the departure of Target CEO Gregg Steinhafel earlier this month.

“The key to the cyber security framework is it allows a baseline across different sectors,” said Schwartz. It allows banks, for instance, which have their own set of security practices, a way to better gauge the security practices of their suppliers and discuss that information with their boards of directors.

The framework has already fostered a new market for products that incorporate the cyber security standards outlined in the NIST framework, according to Schwartz.

PwC, for instance, offers a four-step process to implement the cyber security framework that emphasizes collaborative intelligence sharing, according to David Burg, PwC’s global cyber security leader, who pointed to a PwC survey, which found that 82% of companies with high-performing security practices collaborate with others to achieve those goals.

“We feel federal agencies can use these [practices] as well,” Schwartz said. He added that the administration’s “goal is to take the language of the cyber security framework and make it the language of FISMA and the continuous diagnostics and mitigation process,” referring to the federal law guiding agency security practices and to plans for protecting government IT systems.

The cyber security framework was a response to one of five primary areas of cyber security concerns at the White House, Schwartz said at a forum Tuesday at FOSE, a government technology tradeshow.

In addition to protecting the nation’s critical infrastructure, Schwartz said the administration is also concentrating on securing federal networks, developing clearer thresholds for responding to cyberthreats, and working with allies and non-allies on international rules of engagement in dealing with cyber attacks.

Officials are also looking at research and development initiatives to try to get “ahead of the threats,” and in particular, are looking for better identity management and credentialing systems. The user name and password system “is broken, and has been for many years,” he said.

Getting agencies to identify and fix common vulnerabilities, using continuous diagnostics and monitoring (CDM) techniques, is a chief priority for the administration and US deputy CIO Lisa Schlosser.

“Ninety percent of cyber attacks are using common vulnerabilities,” such as phishing and failing to keep patches up to date, and “96% of breaches can be avoided by employing basic controls and hygiene on networks,” she said at the forum.

The White House Office of Management and Budget, the National Security Council, and the Department of Homeland Security have begun a three-phase effort to adopt CDM practices, Schlosser said. Administration officials just completed a government-wide contracting vehicle to help agencies purchase diagnostics hardware and software. Phase 2 will focus on understanding “who’s on the network, where, and why,” and Phase 3 will attempt to provide “real-time visibility, to see what threats are affecting one agency” and use that information to guard against attacks on other agencies, said Schlosser.

############
Wyatt Kash is Editor of InformationWeek Government. He has been covering government IT and technology trends since 2004. He served as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post Co. and subsequently 1105 Media), where he directed editorial strategy and content operations. He also was part of a startup venture at AOL, where he helped launch AOL Government and led its content and social media operations. His editorial teams have earned numerous national journalism awards. He is the 2011 recipient of the G.D. Crain Award, bestowed annually on one individual nationally for outstanding career contributions to editorial excellence in American business media.

Trust me: Big data is a huge security risk

Fear the Hadoop! It’ll expose your company data to unwashed hacker hordes! Luckily, this new big data security product fixes everything

By Andrew C. Oliver | InfoWorld

When Hadoop started, it had a security problem. The spin from the various Hadoop vendors and proponents tended to be something like, “We see security as a front-end application issue.” This is what you say when you don’t have a good answer.

Since then, solutions like Apache Knox and Cloudera Manager have provided answers for authentication and authorization for basic database management functions. The underlying Hadoop Filesystem now incorporates Unix-like permissions.

This hasn’t completely quashed the issue, largely because of the way entrepreneurs think: If you can’t come up with a new idea, then plunk the S-word after the name of a new technology and you have a “BOLD IDEA FOR A NEW STARTUP!!!!” Rummage through the dustbin of recent history and you’ll find startups devoted to SOA security, AJAX security, open source security, and so on. Now we have big data security startups — and the money will roll right in! How do you launch a security startup? Scare people, of course.

The real security problem with Hadoop in particular and big data in general isn’t with everyday access rights — that took all of 10 minutes for the vendors and open source community to solve. The big problem is that when you aggregate a lot of data, you lose context. While I doubt many people are aggregating a lot of data without any context, aggregating any data means losing some context. A highly scalable architecture like Hadoop makes it feasible to store context, too, but checking all that context with each piece of data is an expensive proposition.

Here’s what you need to know about context: Though you learn all about authentication and authorization in any basic computer science course, the most important details are often skirted. Yes, you can get access to the database as a certain user, and yes, you can get access to the BankAccounts table, but which rows can you access? The more data you aggregate, the harder it becomes to preserve granular rights and permissions.

How do you keep all of those data ownership and data context rules in place without killing the performance that caused you to choose a big data solution in the first place? Well, there are emerging technology solutions, such as Accumulo, created by the big data community — including everyone’s favorite member, the NSA.
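To make the row-level point concrete, here is an added example of the idea Accumulo applies; it is my illustration, not the article's code and not Accumulo's implementation. Each row of a constructed BankAccounts table carries a visibility label, the label is evaluated against the caller's authorizations on every read, and an aggregate therefore only ever sums rows the caller is entitled to see. The expression evaluator is a simplified stand-in for Accumulo's (`&` is AND, `|` is OR, parentheses group, `&` binds tighter than `|`, an empty label is public); the account rows and authorization sets are constructed for the demo.

```python
"""Added example, not from the article or from Accumulo itself: keep the
context with each row as a visibility label (the approach Accumulo takes)
and evaluate it against the caller's authorizations on every read, so an
aggregate over a big table only ever includes rows the caller may see.
The expression parser is a simplified stand-in for Accumulo's: `&` is AND,
`|` is OR, parentheses group, `&` binds tighter than `|`, and an empty
label means public.  The account rows are constructed for the demo."""


def _tokenize(expr):
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c.isspace():
            i += 1
        elif c in "&|()":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < len(expr) and (expr[j].isalnum() or expr[j] in "_-"):
                j += 1
            if j == i:
                raise ValueError(f"bad character {c!r} in label {expr!r}")
            tokens.append(expr[i:j])
            i = j
    return tokens


def evaluate_visibility(label, auths):
    """True if the caller's authorization set satisfies the label."""
    if not label.strip():
        return True                     # no label: public row
    tokens = _tokenize(label)
    pos = 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = parse_and() or val    # parse first so syntax is always checked
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = parse_atom() and val
        return val

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of label {label!r}")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' in label {label!r}")
            pos += 1
            return val
        if tok in ("&", "|", ")"):
            raise ValueError(f"unexpected {tok!r} in label {label!r}")
        return tok in auths

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in label {label!r}")
    return result


# Constructed BankAccounts rows; "vis" is the per-row context that a flat
# aggregation would otherwise discard.
ACCOUNTS = [
    {"id": 1, "owner": "alice", "balance": 1200,  "vis": "retail"},
    {"id": 2, "owner": "bob",   "balance": 5400,  "vis": "retail&fraud"},
    {"id": 3, "owner": "carol", "balance": 99000, "vis": "private|audit"},
    {"id": 4, "owner": "dan",   "balance": 300,   "vis": ""},
]


def visible_rows(rows, auths):
    """Row-level filter: only rows whose label the caller satisfies."""
    return [r for r in rows if evaluate_visibility(r["vis"], auths)]


def total_balance(rows, auths):
    """Context-aware aggregate: the sum a given caller is allowed to see."""
    return sum(r["balance"] for r in visible_rows(rows, auths))


if __name__ == "__main__":
    print("naive sum over everything:", sum(r["balance"] for r in ACCOUNTS))
    for auths in ({"retail"}, {"retail", "fraud"}, {"audit"}):
        ids = [r["id"] for r in visible_rows(ACCOUNTS, auths)]
        print(f"{sorted(auths)}: rows {ids}, total {total_balance(ACCOUNTS, auths)}")
```

The naive sum over the whole table is the number a context-free aggregation hands to anyone who can read the table; the per-caller totals are what survive once the label travels with the row. The cost the article alludes to is visible here too: the label is parsed and evaluated for every row on every read, which is why systems that do this at scale compile the expressions once and cache the result per authorization set.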

Luckily, this has all been thought of before in research and in great detail. In fact, almost exactly one decade ago this was a hot topic. When you’re building your big data project that aggregates gobs of data from various places in the company and wondering about security, I suggest simply searching on “datawarehouse security.” Though 70 percent of the results will be vendor pitches or complaints about RBAC, you’ll find plenty of results that explain exactly how this was done before. Much of that previously published material describes neither technologies nor tools, but methodologies — and those more or less translate directly to big data.

Now, if you’ll excuse me, I have to work on my slide deck pitching a big data NoSQL cloud-based SaaS security solution, geared specially for Hadoop. VCs, call me!

This article, “Trust me: Big data is a huge security risk,” was originally published at InfoWorld.com.

Original article: http://www.infoworld.com/d/application-development/trust-me-big-data-huge-security-risk-236684