Organizations in every industry are accelerating their digital transformation initiatives to remain competitive and relevant. But while they’re expanding their capabilities, increasingly complex IT infrastructures can open new doors for DDoS attacks to get past traditional protection.
That’s why it’s time to rethink DDoS protection.
Responsible for managing trillions in assets worldwide, a major Wall Street investment banking firm found itself increasingly targeted by coordinated, multi-stage attacks.
To gain the detailed, real-time insight and traffic control it needed to mitigate these attacks, the firm turned to NETSCOUT Arbor.
Read on to see how a major investment banking firm reassessed the risk to its business from next-generation DDoS attacks, and worked with NETSCOUT to ensure its mission-critical services – and its business – will stay protected.
Read the case study to discover:
- The cybersecurity challenges facing the global banking sector
- Why financial institutions must rethink DDoS protection
- How NETSCOUT Arbor mitigates threats
A major Wall Street investment banking organization manages trillions in assets and provides investment strategies, wealth management, trading and market-making services through offices in over 30 countries. The success of their business — of their customers achieving their goals — depends upon reliable, secure online infrastructure and services. A McKinsey study, “Strategic Choices for Banks in the Digital Age,” estimates that by 2018, 42 percent of revenue will come from online or mobile channels.
Like other financial institutions around the world, the company has increasingly been the target of coordinated, multi-stage attack campaigns. They also were aware of the Federal Financial Institutions Examination Council’s (FFIEC) statement in April of 2014 and the New York State Department of Financial Services 23 NYCRR 500 — Cybersecurity Requirements for Financial Services Companies calling attention to the threat posed by Distributed Denial of Service (DDoS) attacks. Forward-thinking networking, security and operations executives within the organization were looking for increased DDoS and attack campaign protection for their Internet-facing data centers. They realized they needed greater traffic insight and more rapid, flexible countermeasures than a cloud-based DDoS protection service provider solution alone could provide.
They needed more detailed, real-time insight and control of traffic to and from their data centers. The challenge was recognizing attack components quickly — such as the detection of traffic micro-bursts from data centers — and changing attack vectors. They needed in-line mitigation capabilities that could alert via their existing network management systems. Relying upon their cloud-based DDoS protection service providers to re-route and effectively scrub evolving attack vectors was acceptable for ‘simple’ volumetric attacks, but suboptimal against more sophisticated attacks that might include targeting the application layer. Relying solely on cloud-based protection simply did not give them the control and protection they required.
Given the growing complexity of their infrastructure, applications and sheer volume of network traffic, automation and ease-of-use were also critical decision-making factors. They did not want to add staff to identify threats; any solution needed to automate as much of the ‘analysis’ and countermeasures as possible. Naturally, the tool could not take weeks to learn and needed to be relatively easy to use.
IoT-Based DDoS Attacks Are Real
The wake-up call for DDoS attack protection came in October of 2016 when an IoT-based botnet named Mirai launched a DDoS attack against a DNS service provider named Dyn. The collateral damage associated with this attack was unprecedented, as many enterprises and common internet-based services such as social media, video and music were impacted. The Mirai attack was not only large but also complex, as it executed a dynamic combination of volumetric, TCP state-exhaustion and application-layer attack vectors. Mirai represents the modern-day DDoS attack.
Are you sure you’ll be prepared to stop a multi-vector DDoS attack that targets your organization?
The financial industry, particularly when it comes to choosing security solutions, relies heavily on shared experience, reputation and talking with peers. For example, this organization contributes to and has executives who participate in the FS-ISAC (Financial Services Information Sharing and Analysis Center).
This firm had several solutions in their lab for evaluation as a DDoS protection solution, including a next-generation firewall and an Intrusion Prevention System (IPS) that had recently added “DDoS protection” to its roster of features. When one of their peers in the industry suffered a DDoS attack, the security leadership team took a closer look at the capabilities of these devices.
Fearing that they too could be the target of a DDoS attack, the organization decided to also evaluate purpose-built on-premise DDoS solutions. Their goal was to evaluate and have a solution in place in three months. Checking with their network of security professionals, including employees within the company that had implemented and used on-premise DDoS protection solutions, Arbor Networks was identified and contacted about its APS, which was selected for immediate lab trial.
What they quickly discovered in the lab was eye-opening. Most perimeter security devices operate with a fixed configuration that needs to be set once and then largely forgotten until changing needs require the configuration be revised. For example, most firewalls act as a policy enforcement device, and the configuration is the manifestation of that policy. It’s similar to IPS where the configuration might be nothing more than instructing the device to block all known intrusions as matched by signature. Again, the device is installed, configured, and largely left unmonitored to perform its job.
DDoS attacks are fundamentally different; the point of a DDoS attack is to overwhelm the website with traffic that pretends to be legitimate. The attacker generates traffic that goes through much of the same motions as normal traffic would but ultimately results in no productive work and simply consumes resources. Maintaining the appearance of normal traffic allows the attack to bypass firewalls, as it meets the defined policy configuration, and typically does not make use of known exploits that would be detected by an IPS.
Unlike worms and automated scans, a DDoS attack generally represents a real human actively targeting the website or network under attack. And what makes DDoS attacks particularly difficult to mitigate is that there are many different ways an attacker can generate normal-looking traffic with the intent to overwhelm a website or network. So if an attacker is finding one particular method of DDoS attack doesn’t work very well, they might try a different tactic or invoke multiple forms of DDoS attacks simultaneously.
Often the best defense against a human attacker evolving their DDoS attack is a human defender pushing back, armed with the best defense tools. When defending against an active DDoS attack, the defender needs to quickly analyze the attributes of the attack, understand how the attack is evolving, and then adapt the configuration to best mitigate the current form of the attack. They might need to repeat this process regularly while the DDoS attack is ongoing. And since the website or network might be overwhelmed with DDoS attack traffic, legitimate users might be unable to access the website or simply find it off-line. Restoring availability is critical, and time is of the essence.
The perimeter security devices under evaluation offered poorly integrated monitoring or security analysis and buried the configuration in the depths of the user interface or even in an arcane text file. If the user needed to respond quickly to an ongoing attack they struggled with a user interface that was not designed for use during an urgent security incident. Understanding that a single defense configuration might eventually be bypassed, they found that APS is designed to empower the defender with an optimized operations interface structured into a DDoS defense lifecycle workflow. APS directs the user from attack detection via alerting, to attack analysis through detailed traffic and packet analyzers, to defense adaptation, and finally post-attack investigation, all through a single and contiguous workflow. Time is saved and availability more quickly restored because the user has immediate and efficient access to powerful tools and methods to analyze and mitigate any DDoS attack.
Arbor Networks APS
- Always On, In-Line Protection from network and application-layer DDoS attacks and advanced threats
- Mitigation Platforms and Capacities, ranging from 2U appliances (1 Gbps-40 Gbps) to virtual (sub 1 Gbps) and support for Amazon Web Services (AWS)
- One-Box SSL Inspection to protect against malicious attacks embedded into encrypted traffic with SSL Card
- Peace Time Value via detailed traffic analysis reports
- Intelligently Automated Communication via Cloud Signaling between APS and Arbor Cloud for comprehensive, layered DDoS protection
- ATLAS Intelligence Feed (AIF), continuously arms APS with global, actionable threat intelligence
- Managed APS (mAPS) for optimized DDoS protection
Based on their evaluation of APS’ performance inline, and Arbor Networks’ experience and reputation within the financial sector, the organization ordered additional APS solutions to protect their main US data centers. The process, from when the Arbor Networks team was originally contacted to when systems had been evaluated inline and a decision made, took less than three months. The company was convinced that APS could provide them with the required insight, analysis and real-time control needed to better protect their data center operations. They particularly liked the ‘force-multiplier’ effect Arbor APS had for their existing staff: the configurable threat alerts and automated countermeasures. The user interface was easy to use and integrated with their current network management system; it did not require additional staff or extensive training of existing staff.
In the end, they decided that purpose-built was a better solution than relying on a new feature within an existing solution. After all, the very availability of their network, services and applications was at stake. That is true risk management.
“We felt that DDoS protection based solely in the cloud was only partial protection. We wanted more control of our online traffic and connections to the Internet. But what really sold us was the depth and experience of the Arbor Networks team. The more peers we spoke to, Arbor just kept coming up again and again.” – Network Engineering Manager