
The Network Perspective: achieving a natural asymmetry in cyber defense


In a recent conversation with a colleague responsible for national cyber defense, the question of how to get the best equipment and tools into the hands of his investigators and security personnel came up and led to a fascinating discussion.  Most of what we do in our industry is identify an ideal reference architecture and then look for the best-of-breed products (or services) to fill every slot.  This isn’t what we’d do with a war fighter in the old kinetic theatre, because the speed, performance and behavior of the whole person matter more than any point piece of equipment in isolation.  You wouldn’t start with a soldier and give them “the best” machine gun (at 40 lbs), helmet (at 5 lbs), boots (at 5 lbs), explosives (at 10 lbs), armor (at 40 lbs) and so on.  Weighing in at over 200 lbs of equipment, all-in, you would in fact have made them slower and less effective as a war fighter, and they would be more of a target than anything else!

And yet that’s what we do in security.  As another colleague of mine put it, “we are in a replacement industry,” by which he meant the best mouse trap will get adopted and deployed if it can prove its superiority in a particular situation.  The problem of actually reducing the likelihood of an incident and stopping adversaries has become so bad that security departments have a lot of trial gear sitting around that has quietly been converted to production, plus a stack of tools and techniques, yet the actual end user is far less effective than they could be if we instead built from the ground up and sought speed and leverage from each tool and practice.  Is all that kit really used, or even usable, if people spend 90+% of their time in Wireshark?

In the case of my theoretical war fighter, every addition of a new system, no matter how amazing it might be in a given mission scenario (like heavy support or demolition), needs to be balanced against making the person carrying it most effective.  And the same holds true for all things cyber.

Today, Arbor is announcing Arbor Networks Spectrum: a network-based platform that is designed from the ground up to make investigators and security personnel faster and more effective.  It is a force multiplier for getting ahead of the bad guys.  As a CISO, I get tired of hearing “breaches are inevitable” and “there are those that have been breached and those that don’t know it.”  I’ve said it before, and I’ll say it again: infrastructure breach is inevitable because the opponents have asymmetry to their advantage.  They can pick the time, place and tool that suits them best to get into the environment.  However, information breach is evitable.  It can be avoided because at that moment the defender enjoys the advantage of asymmetry, provided they can effectively find and respond to incidents before the clock runs out.  I am dedicated, and we are dedicated at Arbor, to making that true for all.  We believe that it’s our responsibility to enable security departments to win these fights.

Hollywood has done us a tremendous disservice by showing hackers as people (usually with an exotic accent) who sit at the keyboard while talking excitedly and then pound the enter key and say “done.”  That’s not what this is about.  It takes time to infiltrate, expand and own an environment.  It’s a cat-and-mouse game that can be won with the right tools applied in the right places and equipping the right people to take advantage of the asymmetry that defenders can and should enjoy.

Our modern world is all about context: facts are cheap and are actually overwhelming.  You see it in the news all the time: facts wash over us.  What we are starved for is context.  We don’t want to know the bare fact that a plane has had an accident, that a particular nation has cut diplomatic relations with another, or that a new technology is available.  We crave what these things mean and to whom.

The problem with SIEM systems is that the event is the atomic unit at the center of everything.  It’s largely an academic exercise with theoretical measures of criticality.  Each event is understood in isolation.  It’s ingested as rapidly as possible, and the long haul to tie it to other events is painful and grueling to reconstruct.  Context is elusive in a SIEM world, and asking a question of a SIEM system is non-trivial.  That makes finding attack campaigns hard.  Even with endpoint instrumentation, the notion of context stretches only as far as the particular hosts that happen to be instrumented.

This leads us to the network.

The network is the place to instrument for enterprise-wide context.  It is queryable and flexible, and it is available for security folk to ask questions without first having to wonder how to ask them.  In other words, done right, it lets investigators work at the speed of thought without hindrance.  At the end of the day, we have to put people in a position to enjoy asymmetry if we’re going to start beating attackers on our networks.

I’ll draw on another analogy to wrap up here: the Battle of Britain.  I realize this is an oversimplification of so complex a conflict, but a colleague of mine at Arbor (Jerry Skurla) made this parallel two weeks ago, and I think it’s a good one.  In the summer and autumn of 1940, a fierce battle raged over England for control of the skies.  The Brits brought three things to bear for effect.  First, they fully leveraged radar for unmatched visibility.  Operational and tactical linking of radar with air command was essential for picking and choosing fights.  Second, the new Spitfire was an amazing platform, able to put a stunning amount of metal on target in a short period of time thanks to eight forward-firing machine guns (which required a whole different wing design).  Finally, the pilots themselves were often young and relatively green.  This combination of radar, platform and pilot, together with a clear strategy of what to shoot at (the bombers, not the fighters protecting them), made the Battle of Britain a decisive victory against overwhelming odds and marked a turning point in Hitler’s war.  This was not a quick battle but a fight for survival and, as Churchill would later put it, “never in the field of human conflict was so much owed by so many to so few.”

I’d very much like to think that we are at a time when a combination of (1) the right global visibility and perspective (ATLAS and ASERT), (2) the right tools (Arbor Spectrum) and (3) the right people could have an effect in the long, drawn-out fights we see in enterprise networks.  It won’t come from burdening ourselves with a massive set of tools that are over-engineered and over-architected for all sorts of functions and features.  It will come from placing the security incident responders at the center and equipping them with what they need to be most effective and to take advantage of the natural asymmetry that can exist when you can finally home in on the real threats, validate and prove them, and enable faster enterprise response…and then keep getting faster, better and more accurate.
