A Firewall is a Water Balloon in a Hacker’s Gun Fight

Security professionals are under extreme pressure to stop a dizzying array of threats against their organizations. Said one Arbor client, “… I feel like I’m in a constant gun fight with an enemy that is surrounding me and completely stealth.”

The nature of security these days is often just trying to make the most educated guesses as quickly as possible. For example, when deciding what to use for DDoS protection, why not go with what already exists: the firewall? The vendor’s literature states that it stops DDoS attacks. “Check… On to the next problem.”

Unfortunately, this is where many organizations fail. A common misconception is that firewalls will stop DDoS attacks. The reality is that they may stop ‘some’ but not ‘all’ DDoS attacks; in fact, they can make matters worse.

Firewalls are required to track state, which makes them extremely vulnerable to certain types of DDoS attacks. Modern attackers know this all too well and commonly deploy TCP state exhaustion attacks designed to fill firewall state tables. When this happens, legitimate traffic flowing through the firewall is greatly slowed or, worse, stopped altogether, thus completing the DDoS attack for the attacker.
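The state-exhaustion mechanism described above, as a small capacity model for defenders sizing a stateful device. This is an added example, not code from the original post or from any firewall vendor; the table size, rates and timeouts are constructed values, and refusing new flows once the table is full is a modelling assumption.

```python
import heapq

# Constructed illustration values, not vendor figures.
CAPACITY = 10_000          # state-table slots
LEGIT_PER_S = 100          # legitimate new connections per second
LEGIT_HOLD_S = 10          # seconds a legitimate flow stays in the table
HALFOPEN_TIMEOUT_S = 30    # seconds an uncompleted handshake is kept


def simulate(capacity, legit_per_s, halfopen_per_s,
             legit_hold_s, halfopen_timeout_s, seconds):
    """Model a fixed-size connection table in one-second ticks.

    Returns (legit_admitted, legit_dropped, peak_entries).
    """
    table = []  # min-heap of expiry times, one per tracked connection
    admitted = dropped = peak = 0
    total = legit_per_s + halfopen_per_s
    for now in range(seconds):
        # Age out entries whose timer has run down.
        while table and table[0] <= now:
            heapq.heappop(table)
        # Spread legitimate arrivals evenly among the others (no RNG).
        for i in range(total):
            is_legit = ((i + 1) * legit_per_s) // total > (i * legit_per_s) // total
            if len(table) >= capacity:
                # Assumption: a full table means the new flow is refused.
                dropped += is_legit
                continue
            hold = legit_hold_s if is_legit else halfopen_timeout_s
            heapq.heappush(table, now + hold)
            admitted += is_legit
        peak = max(peak, len(table))
    return admitted, dropped, peak


if __name__ == "__main__":
    for label, rate in (("baseline", 0), ("state exhaustion", 2_000)):
        ok, lost, peak = simulate(CAPACITY, LEGIT_PER_S, rate,
                                  LEGIT_HOLD_S, HALFOPEN_TIMEOUT_S, 120)
        print(f"{label:17} admitted={ok:6} dropped={lost:6} peak={peak:6}")
```

Steady-state occupancy is arrival rate times hold time, so the legitimate load alone needs only 100 × 10 = 1,000 entries; the table fails because uncompleted handshakes hold their slots for the full timeout.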

In addition to a firewall, organizations need purpose-built, dedicated DDoS protection solutions that are constantly armed with up-to-date threat intelligence — otherwise known as Intelligent DDoS Mitigation Systems (IDMS). Today DDoS attacks are a dynamic combination of:

  • Large volumetric attacks;
  • TCP state exhaustion attacks; and
  • Stealthy, low and slow application-layer attacks.

Taking a layered approach provides the most comprehensive protection:

  • Volumetric attacks must be stopped in the cloud. In other words: using your ISP or MSSP.
  • TCP and application-layer attacks should be stopped with purpose-built, stateless, DDoS protection devices, on-premise, closer to where you can control and protect your most critical services.
  • Due to the dynamic multi-vector nature of modern day DDoS attacks, there must be an intelligent form of communication between the in-cloud and on-premise solutions.
  • Finally, solutions must be constantly updated with the latest and greatest threat intelligence.

You wouldn’t think about bringing a water balloon to a gun fight right? Or is this possibly just another common misconception? Check out the video below — you may be surprised.

Larry Ponemon: How Financial Service and Retail Organizations Tackle Advanced Threats

Just issued today, the Ponemon Institute unveiled key findings from two separate surveys, sponsored by Arbor Networks, that explore how retail organizations and financial services organizations are tackling advanced threats. We took a few moments with Larry Ponemon, President and Founder of the Ponemon Institute, to pick his brain on the key findings that surprised […]

How can advanced threats stay hidden for so long?

The global threat landscape has changed dramatically in just the past year. Network challenges such as distributed denial of service (DDoS) attacks used to be the main concern of Internet Service Providers. However, with the increased availability of botnets and low-cost, easy-to-use hacking tools, anyone can now launch an attack – and everyone is a […]

Advanced Threat Detection: Not so SIEMple

Enterprises have been on the receiving end of a lot of confusing and sometimes contradicting messages about security analytics. A year or so ago, the buzz term was “big data” and consequently every vendor announced a solution in the information management space, which only confused the market as to what was important and what was […]

Security’s People Problem

When you talk about security with industry professionals and experts, one subject will almost invariably arise. No, not APT, DDoS or Threat Intelligence. Ok, well, maybe. In this case, I’m referring to “the people problem.” You’ve probably heard it described in a number of different ways. Let’s take a look at some of the more common ones.

Neverquest: a global malware campaign takes root

Last week, the ASERT team published an in-depth analysis of a global malware campaign. Neverquest is a sophisticated global threat targeting the world’s financial institutions by going after their customers – you and me. Neverquest can detect consumer connections to hundreds of financial institutions in over 25 countries. When an infected customer connects to their bank or […]

Take every risk, drop every fear

“Take every risk, drop every fear” — this is potentially good advice for someone facing a mid-life crisis, but for network security professionals, it is a recipe for disaster.  Now more than ever, it is important for individuals, companies and institutions to understand what risk is, and isn’t. It’s not only understanding who is behind […]

Arbor Networks @RSA 2015

RSA is just weeks away and the Arbor Networks team is gearing up for a busy week in San Francisco. In our booth (#1541), we’ll be doing product demonstrations, live theater presentations, and threat hunting games with a 3D printer as a grand prize.

Is a Four Year Degree Necessary to fill all IT Jobs?

Technology specialists are in high demand due to the many jobs created as technology continues to transform industries. But the type of resumes and training those potential candidates are bringing to companies has evolved dramatically, as the Director of Arbor’s Security Engineering and Response Team (ASERT), Dan Holden, discusses in this video.