Corero

From Reactive to Proactive: The Customer-Driven Evolution of Our SOC

Our EVP of Operations and Customer Services João Melo looks back over the last decade at how our security operations center, managed services, and threat intelligence team came to be integrated, and at what that has meant for our customers.

DDoS is a unique type of security challenge: it requires always staying one step ahead of attack trends and of the attackers themselves.

In 2014, Corero customers requested an on-premises managed DDoS service that could unburden their internal staff from constant incident response work. As a result, the Corero Security Operations Center (SOC) rolled out the SecureWatch Managed Service to deliver an efficient and effective solution that leverages the industry’s best practices.

Since then, our SOC has steadily evolved from a reactive to a proactive focus with the goal of increasing automatic protection from DDoS attacks.

Here’s a look into the very clear phases through which that evolution occurred.

Phase 1: Playbook workflows

Phase 1 involved developing and continuously improving our playbook workflows.

Improving our workflows included making sure that our customers’ on-premises solutions were operating with the latest software, configured with the SOC-created best practices settings, and optimized for each customer’s specific environment.

The goal was to improve the response time and mitigation quality for attack vectors not automatically mitigated by the solution. Although we were mitigating attacks within the industry’s typical SLA, the SOC team quickly realized attacks were doing harm before the countermeasures were fully in place.

We needed to be quicker.

Phase 2: Workflow tools

In Phase 2, we developed workflow tools, including a DDoS attack response assistant that provided attack alerts with recommended countermeasures.

The introduction of recommended countermeasures reduced our SOC engineers’ attack analysis time by about 80%. The SOC engineer could review the recommendations and then decide whether, and which portion of, the countermeasures should be added to maximize attack response efficacy.

Although we radically improved response times and countermeasure effectiveness, the SOC team felt that we could still do better.

We needed to reduce the number of DDoS alerts requiring manual intervention.

Phase 3: Becoming proactive

In Phase 3 the SOC team, by necessity, transformed once again to focus on being proactive.

They developed and refined automatic responses to reduce the number of alerts requiring human intervention to block the DDoS attack.

Our SmartWall One solution is designed to block a high percentage of DDoS attacks without causing any collateral damage such as network latency, blocking legitimate traffic, and so on. It’s also designed to continuously collect network packet data, which creates a powerful foundation for analysis.

Using this additional capability, the SOC team was able to create real-time data analysis queries to identify attacks that are not automatically mitigated and build specific SmartWall One Flex-Rules that are automatically applied to our customers’ managed on-premises solutions to further protect against attacks. The result was an additional 2% of attacks being automatically blocked.
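The Phase 3 workflow described above, a query over collected packet data that finds attack traffic the inline mitigation let through and turns it into a candidate block rule, as an added example that is not part of the original post and not Corero’s own code. Everything in it is constructed for illustration: the packet records, the thresholds, the reflector port list, and the rule dict, which is a placeholder layout and not SmartWall Flex-Rule syntax.

```python
"""Residual-vector analysis over packet records (illustrative, constructed data).

Aggregates packets that the inline mitigation *passed*, finds groups that look
like a DDoS vector (high rate, many sources), and emits a candidate block rule.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds (kept for realism, not used by the query)
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    sport: int
    dport: int
    length: int
    action: str   # "pass" or "drop": what the inline mitigation did with it


# Assumed list of common UDP amplification services, used only to label rules.
REFLECTOR_PORTS = {53, 123, 161, 389, 1900, 11211}


def residual_vectors(packets, window_s, pps_threshold, min_sources):
    """Group passed packets along two candidate dimensions, source port and
    destination port, and return the (dst, proto, field, port) groups that exceed
    pps_threshold over window_s and come from at least min_sources distinct
    addresses.  Reflection floods show up as a hot *source* port (the reflector's
    service port) with random destination ports; direct floods as a hot
    *destination* port.  The source-count floor keeps one busy legitimate client
    from being mistaken for an attack vector."""
    count = defaultdict(int)
    sources = defaultdict(set)
    for p in packets:
        if p.action != "pass":
            continue  # already mitigated; we only care about what got through
        for field, port in (("sport", p.sport), ("dport", p.dport)):
            key = (p.dst, p.proto, field, port)
            count[key] += 1
            sources[key].add(p.src)
    found = []
    for key, n in count.items():
        pps = n / window_s
        if pps >= pps_threshold and len(sources[key]) >= min_sources:
            dst, proto, field, port = key
            found.append({"dst": dst, "proto": proto, "field": field, "port": port,
                          "pps": pps, "sources": len(sources[key])})
    return sorted(found, key=lambda v: -v["pps"])


def build_rule(vector):
    """Turn a residual vector into a block rule.  The dict layout is a placeholder
    invented for this example, not any vendor's rule syntax."""
    match = {"dst": vector["dst"], "proto": vector["proto"], vector["field"]: vector["port"]}
    is_reflection = (vector["proto"] == "udp" and vector["field"] == "sport"
                     and vector["port"] in REFLECTOR_PORTS)
    return {"match": match, "action": "drop",
            "reason": "reflection/amplification" if is_reflection else "direct flood",
            "evidence": {"pps": vector["pps"], "sources": vector["sources"]}}


def build_sample():
    """Constructed 10-second capture summary (not real customer data)."""
    pk = []
    # NTP reflection flood: 50 reflectors, fixed source port 123, varying dports; passed.
    for i in range(50):
        for j in range(8):
            pk.append(Packet(j + i / 50.0, f"198.51.100.{i + 1}", "203.0.113.10",
                             "udp", 123, 40000 + i, 468, "pass"))
    # SYN flood on port 80 that the inline mitigation already dropped.
    for i in range(30):
        for j in range(10):
            pk.append(Packet(float(j), f"192.0.2.{i + 1}", "203.0.113.10",
                             "tcp", 50000 + j, 80, 60, "drop"))
    # Legitimate HTTPS from 5 clients.
    for i in range(5):
        for j in range(20):
            pk.append(Packet(j * 0.5, f"192.0.2.{100 + i}", "203.0.113.10",
                             "tcp", 51000 + j, 443, 1200, "pass"))
    # One chatty DNS client: high rate, but a single source.
    for j in range(500):
        pk.append(Packet(j * 0.02, "192.0.2.200", "203.0.113.10", "udp", 53, 53, 90, "pass"))
    return pk


def analyze(packets, window_s=10.0, pps_threshold=30.0, min_sources=10):
    """Full pipeline: residual vectors -> candidate rules."""
    return [build_rule(v) for v in residual_vectors(packets, window_s, pps_threshold, min_sources)]


if __name__ == "__main__":
    for rule in analyze(build_sample()):
        print(rule)
```

On the constructed capture, the only rule produced matches UDP traffic with source port 123 toward 203.0.113.10: the dropped SYN flood is excluded because it was already mitigated, the HTTPS traffic stays under the rate threshold, and the single chatty DNS client is held back by the distinct-source floor. Lowering that floor to 1 makes the DNS client appear as a vector, which is why a many-sources check belongs in any rule that is going to be applied automatically.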

Phase 4: The Threat Intelligence Team

DDoS attacks have become increasingly complex with multiple changing vectors. To be better-prepared for unknown attacks, the SOC team realized there was a need to perform additional DDoS research to complement the customer-facing activity.

So, in Phase 4, we created our Threat Intelligence Team. The research and SOC teams work closely together, further improving mitigation efficacy for customers and providing improvement recommendations to our product engineering team for future software releases.

Phase 5: Real Results

The only constant in DDoS attacks is change. So, our SOC team constantly adapts to the changing attack vectors designed to evade modern DDoS protection solutions.

Our SmartWall One solution, coupled with the SOC’s automated capability, has achieved up to a 98% automated protection rate. To keep this high level of mitigation efficacy, our SOC continuously pushes the boundaries on how it tackles DDoS protection.

You can watch our recent BrightTALK webinar discussing the key findings of our 2023 DDoS Threat Intelligence Report and download the report from the webinar, as well.