
Needed: A Quadrant for Attack Mitigation Systems & Services

For quite some time, there has been interest in the security industry in a quadrant that is specifically for attack mitigation systems and services. Gartner has provided a number of “magic-quadrant” reports on arenas such as firewalls, intrusion prevention systems, SIEM, MSSP and a few others. Additional analysts from firms such as Infonetics, Forrester, and IDC have published security reports, but none have covered the attack mitigation market.

What’s missing today is a well-defined set of selection criteria for attack mitigation solutions, mainly for the online business market. Over the past two to three years, online businesses have been under constant attack. This has caused some of these sites to go down despite being equipped with top-of-the-line firewalls, IPSs and other security applications recommended in analyst reports.

Firstly, we need to define Attack Mitigation clearly:

- It is not a firewall rule, an intrusion or SQL injection blocking rule or a data leakage preventive rule.

- It is a process that identifies behavior that misuses network bandwidth, the resources of network elements such as firewalls, IDS/IPS and load balancers, or server compute and application resources.

- Most of the attacks that attack mitigation systems should handle are “continuous” in nature (not a “single bullet” attack) and aim to exploit design weaknesses in each of the network elements that make up what is defined here as the “network weaknesses chain.”

- In general, the role of attack mitigation systems is to prevent DoS conditions and intelligence gathering.

- Threat categories such as network DDoS, application DDoS, application brute-force attacks, application pre-attack probes, business logic attacks, low-and-slow state attacks and similar threats are what attack mitigation systems should address.

The following figure shows statistics on the network weaknesses chain for these types of threats. The percentage bar shows which network element was the first to fall under these threats (e.g., in 24% of the attack cases, the firewall was the first to fall).

The figure speaks for itself:

Attack Mitigation - First to Fail

This brings us to the main selection criteria for attack mitigation services. Based on the market demands, the following are the main criteria that will ensure a high quality of attack mitigation:

Coverage – Accurate and effective protection against all vectors of attacks described above.

Time-to-mitigate – This includes the time to detect and the time to react effectively; a very important parameter, and one with which most of the market today is not satisfied.

“Hands” of Service – Today even large enterprises don’t have the expertise and human resources to handle large scale and prolonged attack campaigns. Small to large online businesses require a system that provides “hands-off” service for the entire spectrum of these threats.

Over the past 10 years we have witnessed different types of attack mitigation functions, systems and services in action. In the past three years the frequency and complexity of attacks has grown, and therefore defining an “Attack Mitigation Quadrant” has become a necessity.

The following conceptual quadrant both defines the types of attack mitigation solutions and allows attack mitigation systems and services to be positioned on one map that characterizes their strengths and weaknesses:

The Quadrant for Attack Mitigation Systems & Services

Coverage axis – Represents the level of attack coverage.

Time to mitigate axis – Represents the total time to detect and effectively start mitigating the multi-vector attack campaign. The further up the Y-axis a solution sits, the shorter its time to mitigate.

Four types of attack mitigation solutions exist in today’s market. In regard to quality of attack mitigation, each one has its own characteristics, which define its position on the attack mitigation quadrant seen above.

1st Quadrant – On-demand Cloud: This solution allows redirecting traffic through cloud security services (scrubbing centers) upon attack detection.

This solution has the following inherent characteristics:

Limited coverage - The cloud statistically monitors the customer’s network. That includes limited traffic utilization parameters (mainly L3-L4 traffic parameters) and server health monitoring. This results in an inability to detect application level attacks, encrypted attacks and low and slow types of attacks.

Long time to mitigate – Sampling in the detection monitoring process (e.g., the NetFlow sampling mechanism), together with the fact that each attack detection must be followed by actions such as traffic redirection and tuning of the cloud security policies, significantly delays the overall mitigation process.

2nd Quadrant – An always-on Customer Premise (CP) or Cloud solution: an always-on solution that analyzes the customer’s traffic all the time with an on-premise device or through cloud security services (using DNS redirection). These solutions are positioned in the 2nd quadrant for the following main reasons:

Limited Coverage

o Customer premise solutions cannot address pipe saturation (volumetric) attacks.

o Cloud always-on solutions lack the capability to analyze encrypted traffic and non-web traffic.

o Cloud always-on solutions are limited in applying security policies that are fully aware of each customer’s network topology and application configurations.

Fast time to mitigate – Given the right mitigation technologies, attacks that are detected by the customer premise device or cloud security service can be mitigated immediately.

3rd Quadrant – Always-on CP and On-demand Cloud solutions: customers that choose to buy both a customer premise attack mitigation product and on-demand cloud services. This solution is positioned in the 3rd quadrant for the following reasons:

High Coverage

Given that effective detection and mitigation technologies are in place:

o The customer premise solution can be well tuned to detect and mitigate all attacks except the volumetric pipe saturation attacks.

o On-demand cloud service mitigates the volumetric pipe saturation attacks.

Long time to mitigate – Because this solution type doesn’t include a cyber-security control plane that shares alerts, security policies and normal traffic baselines between the CP and the cloud security solutions, cloud mitigation actions are delayed.

4th and best Quadrant – Hybrid Attack Mitigation Service: This solution includes a CP attack mitigation device, an on-demand cloud attack mitigation solution and a cyber-security control plane that automatically shares security events, security policies and normal traffic patterns between the CP device and the cloud. The following figure describes this Hybrid Attack Mitigation Service (in the scenario of a pipe saturation attack).

Hybrid Attack Mitigation Service

This solution is positioned in the 4th quadrant for the following reasons:

High Coverage

Given that effective detection and mitigation technologies are in place:

o The customer premise solution detects and prevents all attacks except pipe saturation (volumetric) attacks.

o Security policies, network and application traffic baselines and alerts are automatically sent from the CP solution to the cloud solution and trigger it in case volumetric pipe saturation attacks are detected.

o High volume encrypted attacks can be mitigated in the cloud as well - the CP device decrypts the traffic, detects the attack sources and shares them with the cloud mitigation service.

o The overall automation provided through this solution allows a “hands-off” type of service.

Shortest time to mitigate – The shared security control-plane automatically triggers and tunes the security policies in the cloud solution. Thus, attacks that are redirected through the cloud are immediately mitigated.
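To make the difference between the 3rd and 4th quadrants concrete, here is a small simulation written for this page (it is not code from the article, from empow or from Radware). A customer-premise detector learns a traffic baseline, detects a volumetric attack against the pipe, and emits a control-plane policy (attack sources plus the normal baseline rate) for the cloud scrubbing service. In the hybrid run the cloud applies that policy automatically; in the on-demand-only run it has an alarm but no policy, and waits for an assumed manual redirect-and-tune delay. The traffic samples, IP addresses, pipe size and delay constants are all constructed for the example.

```python
"""Simulated CP-to-cloud control plane for pipe saturation attacks.
Added example; constants and traffic samples are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

PIPE_CAPACITY_MBPS = 1000.0      # constructed: size of the customer's pipe
REDIRECT_LATENCY_S = 60          # assumed: BGP/DNS diversion to the cloud
MANUAL_TUNING_DELAY_S = 900      # assumed: operator tunes cloud policy by hand

# Constructed per-second samples: (second, {source_ip: mbps}).
NORMAL = [(t, {"203.0.113.5": 40.0, "198.51.100.7": 35.0, "192.0.2.9": 30.0})
          for t in range(0, 10)]
ATTACK = [(t, {"203.0.113.5": 40.0, "198.51.100.7": 35.0, "192.0.2.9": 30.0,
               "192.0.2.200": 700.0, "192.0.2.201": 650.0})
          for t in range(10, 15)]
SAMPLES = NORMAL + ATTACK


@dataclass
class Policy:
    """What the CP device shares with the cloud over the control plane."""
    blocked_sources: list
    baseline_mbps: float
    emitted_at: int


class CpDevice:
    """On-premise device: always-on, sees every packet, learns the baseline."""

    def __init__(self, learn_seconds: int = 10, k: float = 3.0):
        self.learn_seconds = learn_seconds
        self.k = k
        self.history: list = []
        self.baseline: Optional[float] = None

    def threshold(self) -> float:
        # Alarm when traffic is anomalous (mean + k*stddev) AND threatens
        # the pipe; a small anomaly that cannot saturate the link is not a
        # volumetric attack, so never alarm below 80% of pipe capacity.
        return max(self.baseline + self.k * pstdev(self.history),
                   0.8 * PIPE_CAPACITY_MBPS)

    def observe(self, second: int, per_source: dict) -> Optional[Policy]:
        total = sum(per_source.values())
        if len(self.history) < self.learn_seconds:      # learning phase
            self.history.append(total)
            if len(self.history) == self.learn_seconds:
                self.baseline = mean(self.history)
            return None
        if total <= self.threshold():
            return None
        # Volumetric attack: a source is named as an attacker when it alone
        # sends more than the whole site's normal baseline.
        attackers = sorted(ip for ip, mbps in per_source.items()
                           if mbps > self.baseline)
        return Policy(attackers, self.baseline, second)


class CloudScrubber:
    """On-demand scrubbing center. Hybrid: applies the CP policy as received.
    On-demand only: has an alarm but needs an operator to tune the policy."""

    def __init__(self):
        self.blocked: set = set()
        self.rate_limit_mbps: Optional[float] = None

    def apply(self, policy: Policy, automatic: bool) -> int:
        """Install the policy and return the second mitigation is effective."""
        tuning = 0 if automatic else MANUAL_TUNING_DELAY_S
        self.blocked = set(policy.blocked_sources)
        self.rate_limit_mbps = policy.baseline_mbps
        return policy.emitted_at + REDIRECT_LATENCY_S + tuning

    def scrub(self, per_source: dict) -> float:
        """Mbps forwarded to the customer after blocking and rate-limiting."""
        clean = sum(m for ip, m in per_source.items() if ip not in self.blocked)
        return min(clean, self.rate_limit_mbps) if self.rate_limit_mbps else clean


def run(automatic: bool) -> Optional[dict]:
    """Replay the samples; return timing and the scrubbed rate, or None."""
    cp, cloud = CpDevice(), CloudScrubber()
    for second, per_source in SAMPLES:
        policy = cp.observe(second, per_source)
        if policy:
            effective_at = cloud.apply(policy, automatic)
            return {"detected_at": policy.emitted_at,
                    "time_to_mitigate_s": effective_at - ATTACK[0][0],
                    "forwarded_mbps": cloud.scrub(per_source),
                    "blocked": sorted(cloud.blocked)}
    return None


if __name__ == "__main__":
    print("hybrid (4th quadrant):   ", run(automatic=True))
    print("on-demand (3rd quadrant):", run(automatic=False))
```

Both runs detect the attack in the same second and end up forwarding the same clean 105 Mbps; the only difference is whether the cloud receives a ready-to-apply policy over the control plane or waits for a human to build one, which is exactly the time-to-mitigate gap the quadrant draws between the two solution types.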

The following figure summarizes the above analysis on the attack mitigation quadrant:

Attack Mitigation Vendor Quadrant

In conclusion, attack mitigation services that are positioned in the 4th quadrant can be considered the attack mitigation leaders for online businesses.

Avi Chesla is CEO and Founder of empow, a cyber security company that envisions a future where security experts have the freedom, and the technology, to create unique solutions to meet their organizations' security needs. Prior to empow, Avi was CTO and VP of Security Products at Radware, where he was responsible for defining and leading the company’s strategic technology roadmap and vision including the foundation and management of Radware’s Security Division, a provider of cyber attack mitigation solutions. Mr. Chesla has authored a number of articles for major publications on advanced network behavioral analysis, expert systems and information security and has earned numerous patents in these areas. His views on industry trends and best practices have been featured in articles, white papers, and on the conference speaking circuit.