DDoS Threat Drives Automation in Both Analysis and Response

The fact that even more organizations are taking longer to counter DDoS attacks today than was the case a year ago is troubling.


In an earlier post, we noted how distributed denial-of-service (DDoS) attacks have become an all-too-common experience for many companies, and how a hybrid defense combining on-site and cloud-based mitigation can help counter these ever-more-powerful assaults. In another post, we discussed the monetary and reputational damage that follows when you first learn of a DDoS attack from your customers.

Recent global research by Neustar provides some sobering insights into how organizations are coping with DDoS attacks. Three examples:

  • 45% of the organizations surveyed experienced five or more DDoS assaults.
  • 40% of organizations were notified of DDoS attacks by their CUSTOMERS.
  • Nearly half (48%) needed at least three hours to respond to these attacks once detected – and that is in ADDITION to the time it took to detect them in the first place.

The fact that even more organizations are taking longer to counter DDoS attacks today than was the case a year ago is troubling. In part, that trend suggests the growing sophistication and scope of these attacks is overwhelming companies’ incident response protocols. It’s also likely, however, that many organizations struggle to take advantage of all the attack analysis and response tools now available to them.

A fundamental element of any cyber defensive strategy is the ability to distinguish ordinary performance anomalies from potential security events. Doing so requires that you first understand your “security baseline” of normal operations and user activities, so that you can recognize a deviation when one occurs. That baseline has to reflect the legitimate cycles in your own traffic (time of day, day of week, scheduled batch jobs, marketing campaigns); a baseline learned from a single quiet hour will flag the next morning’s peak as an attack.

Even with a security baseline in place, the task of analyzing and responding to potential threats has quickly outpaced human capacities. Even small organizations often have computer and networking infrastructures that generate hundreds of thousands of events each hour. Large organizations’ IT and communications operations can easily generate millions of events per hour. At those volumes, any event that is not triaged automatically is, in practice, never reviewed at all.

Numbers such as these make it clear why security automation has become such a critical aspect of DDoS and other cyber defenses. Automated threat analytics systems, IP Intelligence services, and other technologies can process vast numbers of events in real time, looking for known threat signatures and patterns, as well as out-of-threshold operational anomalies.

While automating threat analytics and identification has become a broadly accepted goal (though not a universally adopted capability), automating the response to attacks is a more complex and controversial issue.

True, if an automated threat identification system determines with high confidence that a DDoS attack is underway, most organizations would be happy to have automated countermeasures mitigate it immediately. In some cases, however, there is enough uncertainty about an attack’s status (or even its existence) that security analysts must enter the decision-making loop; an automated countermeasure such as rate-limiting or blackholing that fires on a false positive drops legitimate traffic just as effectively as the attack would. In these instances, the alerting system must quickly summarize the circumstances behind an alert, for example by putting the critical figures (when the deviation started, how far above baseline it is, how long it has persisted) into an easy-to-absorb dashboard.
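The three ideas above (learn a baseline, flag out-of-threshold anomalies, and split the response into automatic mitigation versus analyst review) fit in a few dozen lines. The following is an added illustration, not code from the original article or from Neustar. It assumes a feed of per-second request counts for one service; the normal-traffic window, the attack stream, and the z-score thresholds are all constructed for the example.

```python
"""Baseline-driven DDoS anomaly detection with a two-tier response.

Added example for illustration; not code from the article or from Neustar.
Assumes a feed of (timestamp, requests-per-second) samples for one service.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable, List, Optional, Tuple

Sample = Tuple[int, int]  # (timestamp_seconds, requests_per_second)


@dataclass(frozen=True)
class Baseline:
    mean_rps: float
    stdev_rps: float


def learn_baseline(counts: Iterable[int]) -> Baseline:
    """Build the 'security baseline' from a window of known-normal traffic."""
    xs = list(counts)
    if len(xs) < 2:
        raise ValueError("need at least two samples to estimate a baseline")
    # Floor the spread at 1 rps so a perfectly flat window cannot divide by zero later.
    return Baseline(mean(xs), max(pstdev(xs), 1.0))


def zscore(b: Baseline, observed: int) -> float:
    """How many standard deviations the observation sits above (or below) normal."""
    return (observed - b.mean_rps) / b.stdev_rps


def evaluate_stream(b: Baseline, stream: Iterable[Sample], sustain: int = 3,
                    review_z: float = 3.0, mitigate_z: float = 8.0) -> List[Tuple[int, str]]:
    """Decide an action per sample: 'ok', 'review' (analyst), or 'mitigate' (automatic).

    A single sample far above baseline only earns 'review'. Automatic
    countermeasures fire once `sustain` consecutive samples clear the
    mitigate threshold, trading a few seconds of latency for far fewer
    false positives from one-off bursts (flash crowds, cache misses).
    """
    actions: List[Tuple[int, str]] = []
    streak = 0
    for ts, count in stream:
        z = zscore(b, count)
        if z >= mitigate_z:
            streak += 1
            actions.append((ts, "mitigate" if streak >= sustain else "review"))
        else:
            streak = 0
            actions.append((ts, "review" if z >= review_z else "ok"))
    return actions


def summarize_alert(b: Baseline, stream: List[Sample],
                    actions: List[Tuple[int, str]]) -> Optional[dict]:
    """Condense an alert into the few numbers an analyst needs at a glance."""
    flagged = [(ts, c) for (ts, c), (_, a) in zip(stream, actions) if a != "ok"]
    if not flagged:
        return None
    _, peak = max(flagged, key=lambda tc: tc[1])
    first_mitigate = next((ts for ts, a in actions if a == "mitigate"), None)
    return {
        "first_anomaly_ts": flagged[0][0],
        "first_mitigate_ts": first_mitigate,
        "peak_rps": peak,
        "peak_multiple_of_baseline": round(peak / b.mean_rps, 1),
        "samples_flagged": len(flagged),
    }


# Constructed sample data: twenty seconds of normal traffic (mean 100.5 rps,
# population stdev 4.5 rps) and an eight-second window in which a flood ramps up.
NORMAL_RPS = [98, 104, 101, 96, 110, 93, 102, 99, 105, 97,
              100, 103, 95, 108, 101, 99, 94, 106, 102, 97]
ATTACK_STREAM: List[Sample] = [(0, 99), (1, 104), (2, 118), (3, 240),
                               (4, 610), (5, 1180), (6, 1425), (7, 1390)]

if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_RPS)
    decisions = evaluate_stream(baseline, ATTACK_STREAM)
    for ts, action in decisions:
        print(f"t={ts:>2}s  {action}")
    print(summarize_alert(baseline, ATTACK_STREAM, decisions))
```

On the constructed stream the second-by-second decisions are ok, ok, review, review, review, mitigate, mitigate, mitigate: t=2 is only mildly above baseline (z just under 4) and goes to an analyst, t=3 and t=4 are unmistakably anomalous but have not yet persisted long enough, and automatic mitigation starts at t=5. The `sustain` parameter is the knob that encodes how much an organization trusts automation; lowering it to 1 is the fully automatic posture the article expects most organizations to move toward.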

We’ll inevitably see increasing automation in incident response, as organizations gain confidence in the ability of automated solutions to minimize false positives and to take appropriate action against real threats in line with each organization’s needs and policies. Given the severe consequences of responding to DDoS and other attacks too slowly, the existing reluctance to automate the response elements of the security lifecycle is likely to dissipate quite quickly.


Copyright © 2017 IDG Communications, Inc.