Needed: A Quadrant for Attack Mitigation Systems & Services

For quite some time, there has been interest in the security industry in a quadrant specifically for attack mitigation systems and services. Gartner has published a number of “Magic Quadrant” reports on areas such as firewalls, intrusion prevention systems, SIEM, MSSP and a few others. Additional analysts from firms such as Infonetics, Forrester and IDC have published security reports, but none have covered the attack mitigation market.

What’s missing today is a well-defined set of selection criteria for attack mitigation solutions, mainly for the online business market. For the past two to three years, online businesses have been under constant attack. This has caused some of these sites to go down despite being equipped with top-of-the-line firewalls, IPSs and other security applications recommended in analyst reports.

First, we need to define attack mitigation clearly:

– It is not a firewall rule, an intrusion or SQL injection blocking rule, or a data leakage prevention rule.

– It is a process that identifies behavior that misuses network bandwidth, the resources of network elements such as firewalls, IDS/IPS and load balancers, server compute resources or application resources.

– Most of the attacks that attack mitigation systems should handle are “continuous” in nature (not a “single bullet” attack) and aim to exploit design weaknesses in each of the network elements, defined here as the “network weakness chain.”

– In general, the role of attack mitigation systems is to prevent DoS conditions and intelligence gathering.

– Threat categories such as network DDoS, application DDoS, application brute-force attacks, application pre-attack probes, business logic attacks, low-and-slow state attacks and similar threats are what attack mitigation systems should address.

The following figure shows statistics on the network weakness chain for these types of threats. The percentage bar shows which network element was the first to fall under these threats (e.g., in 24% of attack cases, the firewall was the first to fall).

The figure speaks for itself:

[Figure: Attack Mitigation - First to Fail]

This brings us to the main selection criteria for attack mitigation services. Based on market demands, the following are the main criteria that ensure a high quality of attack mitigation:

Coverage – Accurate and effective protection against all vectors of attacks described above.

Time-to-mitigate – This includes the time to detect and the time to react effectively; a very important parameter that most of the market today is not satisfied with.

“Hands-off” Service – Today even large enterprises don’t have the expertise and human resources to handle large-scale and prolonged attack campaigns. Small to large online businesses require a system that provides a “hands-off” service for the entire spectrum of these threats.

Over the past 10 years we have witnessed different types of attack mitigation functions, systems and services in action. In the past three years the frequency and complexity of attacks have grown, and therefore defining an “Attack Mitigation Quadrant” has become a necessity.

The following conceptual quadrant both defines the types of attack mitigation solutions and positions attack mitigation systems and services on one map that characterizes their strengths and weaknesses:

[Figure: The Quadrant for Attack Mitigation Systems & Services]

Coverage axis – Represents the level of attack coverage.

Time-to-mitigate axis – Represents the total time to detect and effectively start mitigating a multi-vector attack campaign. The higher up the Y-axis, the shorter the time to mitigate.

Four types of attack mitigation solutions exist in today’s market. With regard to the quality of attack mitigation, each has its own characteristics, which define its position on the attack mitigation quadrant shown above.

1st Quadrant – On-demand Cloud: This solution redirects traffic through cloud security services (scrubbing centers) upon attack detection.

This solution has the following inherent characteristics:

Limited coverage – The cloud statistically monitors the customer’s network, using limited traffic utilization parameters (mainly L3-L4 traffic parameters) and server health monitoring. This results in an inability to detect application-level attacks, encrypted attacks and low-and-slow types of attacks.

Long time to mitigate – Sampling in the detection monitoring process (e.g., the NetFlow sampling mechanism) delays detection, and each detection then requires further action, such as traffic redirection and tuning of cloud security policies. This significantly delays the overall mitigation process.

2nd Quadrant – Always-on Customer Premise (CP) or Cloud solution: an always-on solution that analyzes the customer’s traffic at all times with an on-premise device or through cloud security services (using DNS redirection). These solutions are positioned in the 2nd quadrant for the following main reasons:

Limited Coverage

o Customer premise solutions cannot address pipe saturation (volumetric) attacks.

o Cloud always-on solutions lack the capability to analyze encrypted traffic and non-web traffic.

o Cloud always-on solutions are limited in applying security policies that are fully aware of each customer’s network topology and application configurations.

Fast time to mitigate – Given the right mitigation technologies, attacks detected by the customer premise device or the cloud security service can be mitigated immediately.

3rd Quadrant – Always-on CP and On-demand Cloud solutions: customers that choose to buy both a customer premise attack mitigation product and on-demand cloud services. This combination is positioned in the 3rd quadrant for the following reasons:

High Coverage

Given that effective detection and mitigation technologies are in place:

o The customer premise solution can be well tuned to detect and mitigate all attacks except the volumetric pipe saturation attacks.

o On-demand cloud service mitigates the volumetric pipe saturation attacks.

Long time to mitigate – Because this solution type doesn’t include a cyber-security control plane that shares alerts, security policies and normal traffic baselines between the CP and cloud security solutions, cloud mitigation actions are delayed.

4th (and best) Quadrant – Hybrid Attack Mitigation Service: This solution includes a CP attack mitigation device, an on-demand cloud attack mitigation solution and a cyber-security control plane that automatically shares security events, security policies and normal traffic patterns between the CP device and the cloud. The following figure describes this Hybrid Attack Mitigation Service (in the scenario of a pipe saturation attack).

[Figure: Hybrid Attack Mitigation Service]

This solution is positioned in the 4th quadrant for the following reasons:

High Coverage

Given that effective detection and mitigation technologies are in place:

o The customer premise solution detects and prevents all attacks except pipe saturation (volumetric) attacks.

o Security policies, network and application traffic baselines and alerts are automatically sent from the CP solution to the cloud solution and trigger it when volumetric pipe saturation attacks are detected.

o High volume encrypted attacks can be mitigated in the cloud as well – the CP device decrypts the traffic, detects the attack sources and shares them with the cloud mitigation service.

o The overall automation provided by this solution allows a “hands-off” type of service.

Shortest time to mitigate – The shared security control plane automatically triggers and tunes the security policies in the cloud solution. Thus, attacks that are redirected through the cloud are mitigated immediately.
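As an added example (not part of the original column and not any vendor’s product), the following Python sketch models the control-plane exchange just described: a CP device learns a normal traffic baseline, handles sub-saturation anomalies itself, and on pipe saturation hands its baseline, attack source list and a pre-tuned policy to the cloud scrubber, so scrubbing starts without a re-learning or manual tuning step. The class and message field names, the 80% saturation threshold and the constructed traffic samples and addresses are all assumptions.

```python
import json
from statistics import mean, pstdev


class CpDevice:
    """Always-on CP device with full traffic visibility (constructed model, not a product)."""

    def __init__(self, customer_id, link_capacity_mbps, learning_samples_mbps):
        self.customer_id = customer_id
        self.link_capacity_mbps = link_capacity_mbps
        # Normal-traffic baseline (Mbps) learned from constructed sample points.
        self.baseline_mean = mean(learning_samples_mbps)
        self.baseline_dev = pstdev(learning_samples_mbps)

    def evaluate(self, observed_mbps, top_sources):
        # Returns None (normal), a local mitigation, or a control-plane message for the cloud.
        threshold = self.baseline_mean + 3 * self.baseline_dev
        if observed_mbps <= threshold:
            return None
        if observed_mbps < 0.8 * self.link_capacity_mbps:
            # Anomalous but the uplink is not saturating: the CP device handles it alone.
            return {"action": "mitigate_locally", "block_sources": sorted(top_sources)}
        # Pipe saturation: hand baseline, attack sources and a pre-tuned policy to the
        # cloud so scrubbing starts immediately (the shared security control plane).
        return {"action": "redirect_to_cloud", "customer_id": self.customer_id,
                "event": "pipe_saturation", "observed_mbps": observed_mbps,
                "baseline_mbps": round(self.baseline_mean, 1),
                "block_sources": sorted(top_sources),
                "policy": {"rate_limit_mbps": round(threshold, 1)}}


class CloudScrubber:
    """Cloud scrubbing center that accepts pre-tuned policies from CP devices."""

    def __init__(self):
        self.policies = {}

    def receive(self, message_json):
        msg = json.loads(message_json)
        if msg.get("action") != "redirect_to_cloud":
            return {"status": "ignored"}
        # No re-learning from sampled flows, no manual tuning: the CP policy applies as is.
        self.policies[msg["customer_id"]] = {**msg["policy"], "block_sources": msg["block_sources"]}
        return {"status": "scrubbing", "blocked": len(msg["block_sources"])}


def run_scenario(cp, cloud, observed_mbps, top_sources):
    # Drive one detection cycle and report which side mitigated.
    decision = cp.evaluate(observed_mbps, top_sources)
    if decision is None:
        return {"status": "normal"}
    if decision["action"] == "mitigate_locally":
        return {"status": "local", "blocked": len(decision["block_sources"])}
    return cloud.receive(json.dumps(decision))
```

The on-demand-only path of the 1st and 3rd quadrants corresponds to calling the scrubber with no CP message at all, which is where the detection sampling and policy tuning delays described above come from.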

The following figure summarizes the above analysis on the attack mitigation quadrant:

[Figure: Attack Mitigation Vendor Quadrant]

In conclusion, attack mitigation services positioned in the 4th quadrant can be considered the attack mitigation leaders for online businesses.
