The Value of Traffic Analytics for DDoS Attacks
Distinguishing distributed denial of service (DDoS) attacks from legitimate traffic, in real time, is not easy. Many organizations have only minimal visibility into these classes of security events, despite having made significant investments in analytics tools and expert security staff. In such situations, security analysts are typically left to react to the threats after the damage has been done, and must sift through reams of unintelligible log data to do so. There are now, however, solutions that do provide enterprises, MSSPs, hosting providers and service providers with the comprehensive, real-time analysis needed to accurately identify any traffic flows linked to DDoS attacks.
The Benefits of Real-time Attack Analysis
First, let’s discuss why it’s important to have DDoS attack analysis, both during and after an attack. During a DDoS attack it’s critical to have real-time security event data so that security operators can quickly validate that DDoS mitigation mechanisms are accurately blocking packets relating to the attack and that no harm is being done to legitimate traffic. Cybercriminals are becoming increasingly sophisticated in their DDoS attack strategies; for example, they now often use multi-vector attacks, which they typically automate to change those vectors on the fly. Furthermore, cybercriminals sometimes leverage the power of a botnet to launch pulse-wave, also known as burst, attacks that alternate between two or more targets. In these situations, real-time visibility into an attack is critical in helping a Security Operations Center (SOC) effectively counter it with appropriate custom mitigations. However, without also deploying automatic real-time protection, manual mitigations are unlikely to keep pace with the moving targets presented by multi-vector attacks.
The Importance of Post-Attack Analysis
Comprehensive visibility into an organization’s network activity is essential not only to quickly combat DDoS threats, but also to enable compliance reporting with archived event data that supports security audits and forensic analysis of past threats. Organizations can learn from past attacks to uncover hidden patterns and identify emerging vulnerabilities within the massive streams of security event data. Without this level of visibility, it is impossible to determine how effectively an attack was mitigated and whether any false positives caused collateral damage that could substantiate customer SLA claims.
Critical Analytical Features
Network-level metadata typically contains the leading indicators of unusual activity targeting a network. So, when considering a DDoS mitigation solution, look for one that provides real-time and historical dashboard views that summarize network and security activity, including traffic anomalies, link utilization, packets-per-second rate, number of active flows, and flow setup rates. Users should be able to view these dashboards at a site-by-site level, or in an aggregate view that provides a consolidated “single-pane” security picture.
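As an added illustration of the metrics named above (this is example code, not Corero's or SecureWatch's implementation), the following Python derives packets per second, active flows and flow setup rate per target from constructed flow records and flags windows that exceed a per-target baseline, so that a pulse-wave burst hopping between two hosts shows up on each; the hosts, address ranges and the 3x factor are assumed values.

```python
from collections import defaultdict
from statistics import median

def make_sample_flows():
    """Constructed sample (second, src, dst, packets): steady background traffic
    plus a burst alternating between 10.0.0.1 (s 3-4) and 10.0.0.2 (s 6-7)."""
    burst_target = {3: "10.0.0.1", 4: "10.0.0.1", 6: "10.0.0.2", 7: "10.0.0.2"}
    flows = []
    for sec in range(10):
        for i in range(20):  # long-lived legitimate flows, ~100 pkt/s each
            flows.append((sec, f"192.0.2.{i}", "10.0.0.1", 100))
            flows.append((sec, f"198.51.100.{i}", "10.0.0.2", 80))
        if sec in burst_target:  # 200 fresh sources per second, 40 pkt each
            for j in range(200):
                flows.append((sec, f"100.64.{sec}.{j}", burst_target[sec], 40))
    return flows

def per_second_metrics(flows):
    """Per (second, dst): packets/s, distinct active flows and flow setup rate.
    A flow is a (src, dst) pair; it counts as new in the first second seen."""
    first_seen, active = {}, defaultdict(set)
    metrics = defaultdict(lambda: {"pps": 0, "active_flows": 0, "new_flows": 0})
    for sec, src, dst, pkts in sorted(flows):  # time order matters for 'new'
        key = (sec, dst)
        metrics[key]["pps"] += pkts
        active[key].add((src, dst))
        if (src, dst) not in first_seen:
            first_seen[(src, dst)] = sec
            metrics[key]["new_flows"] += 1
    for key, m in metrics.items():
        m["active_flows"] = len(active[key])
    return dict(metrics)

def flag_anomalies(metrics, factor=3.0):
    """Flag windows whose pps or new-flow rate exceeds factor x that target's
    own median (per-target baselines show a burst on each victim it hops to).
    The first second is skipped: a cold flow table makes every flow look new."""
    by_dst = defaultdict(list)
    for (sec, dst), m in metrics.items():
        by_dst[dst].append(m)
    base = {d: {k: median(m[k] for m in ms) for k in ("pps", "new_flows")}
            for d, ms in by_dst.items()}
    warmup = min(sec for sec, _ in metrics)
    flagged = []
    for (sec, dst), m in sorted(metrics.items()):
        if sec != warmup and (m["pps"] > factor * base[dst]["pps"]
                              or m["new_flows"] > factor * max(base[dst]["new_flows"], 1)):
            flagged.append((sec, dst, m["pps"], m["new_flows"]))
    return flagged
```

On the constructed data the four burst seconds are flagged and nothing else, and the flagged tuples carry the per-second packet and new-flow counts an analyst would check against the mitigation's own drop counters.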
The chosen solution should also offer alerts and scheduled reports that give early warning signs of suspicious and malicious activity. It should also be easily accessible from any browser, for example through a portal, so that end users don’t have to install a specific desktop application to manage and review DDoS attack activity. Lastly, it’s extremely beneficial to have access to a DDoS Managed Security Service so you can benefit from DDoS experts and receive specialized support during any unusual attacks that may occur.
In today’s dynamic cyber threat landscape, granular DDoS attack analysis is one of the tools required to proactively protect any organization. For more information, read about Corero’s SecureWatch® Analytics.
For over a decade, Corero has been providing state-of-the-art, highly effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.