The Importance of Holistic Security Solutions Encompassing On-prem and Cloud Services in Today’s Complicated Attack Landscape
Preface
In my last Blog post (“Ensuring your DDoS solutions stays cost-effective despite the ever-evolving business environment”) we have established that the Cyber landscape is growing rapidly, with more services transitioning into digital and with that – more new and innovative digital services being created. This, in turn, increases the cyber-attack surface and creates considerable challenges for organizations to protect their business.
In the previous Blog post, I chose to focus on “staying cost-effective,” an important consideration by itself.
In this Blog post, I will focus on choosing a security solution that is holistic and comprehensive enough to keep your business always protected and against multitude of attacks, varying in volume and vectors. Let us dive into it…
The attack landscape: the attacker’s candy jar
Attacks can be grouped into several categories, and so do the tools that counter-measure the attacks and mitigate them. Focusing on network and application-level attacks, we can identify the following categories:
Volumetric attacks: focusing on the volume of traffic directed at the attacked entity. Those are typically L3/L4 (in the OSI model) attacks. These can further split into attacks targeting a specific server (IP/URL) or service or network wide attacks that are targeting a whole network prefix or part of it (e.g., a “/24”) and can result also in “carpet bombing” attacks.
Application (L7) attacks: these attacks are more focused on the application and its behavior, business-logic, structure, and code itself. They typically result in cross-site scripting (XSS), inventory scraping, identity theft, APIs attack, etc.
Network L7 DDoS attacks: those attacks are typically targeting the L7 network protocols used to communicate with the applications / services. Those protocols would typically be HTTP, HTTPS SSL, TLS, with the more sophisticated attacks targeting TLS specifically by obfuscating the attack inside of the TLS itself. With TLS being an encrypted protocol, this creates an even bigger challenge for attack detection and mitigation solutions to detect the attack and mitigate it. DNS attacks are also gaining more popularity with “DNS dictionary” and “DNS water torture” attacks” at the forefront.
One characteristic of L7 attacks *network or application) is that they do not necessarily result in large volume of traffic aimed at the attacked entity but rather the attacks are sophisticated and can result in lower volumes (sometimes referred to as “low and slow”).
There are additional attack types, but these are enough to show the numerous possibilities and vectors to attack an organization and its business. As I said – the attacker’s “candy jar.”
An important note to add is that if you are not well educated and familiar with the attack landscape, you would be amazed of how easy it is to become an attacker! Tools are readily available in various Internet sources and are quite cheap to purchase and to operate. This makes the life of an attacker quite easy and the life of a legitimate organization, trying to protect itself, quite challenging.
If you got this far – you are highly likely to understand the scope of attacks that your organization and business can experience, and that proper planning and strategy is required to ensure your organization is well covered and protected against the attacks that it might experience
Deploying & consuming a cyber-security solution – a sea of options
With the growth of digital transformation and cyber-attack possibilities, the options to deploy and/or consume cyber-security solutions also grew. Here are typical examples.
Consuming a cyber-security service from one’s service provider: organizations are typically consuming their Internet, as well as communication (landlines as well as cellular) from well-known service providers. In recent years, service providers have also added cyber-security services to their offering. For a typical organization, this means that instead of purchasing the equipment and deploying it on-premises, the organization can instead subscribe to a cyber-security service offered by the organization’s service provider. The service provider purchases the equipment, the peripherals and labor to maintain the service and equipment. The organization – simply pays to consume the service and be protected.
A combination – on-premises with cloud expansion: this option combines the deployment of on-premises equipment (owned by the organization itself) and the ability to expand to a cloud service, owned by a professional cyber-security cloud service provider. This approach is typically used when an organization wants to or needs to mitigate some of the attacks / attack volume on premise but also needs to ability to expand to cloud services in case the attack volume overcomes the on-premises capacity or if the attack becomes far more complicated for the on-premises equipment to handle. In this case, the organization can enjoy the benefits of both “worlds”.
Consuming a cyber-security service from a well-known cloud provider: this option is typically similar to the one above with an important difference that now the service is provided by a dedicated cyber-security cloud provider (such as Radware), which specializes in providing dedicated cyber-security protections and, as in the case of Radware, also develops and produces the actual cyber-security devices used to protect the organizations. Typically, dedicated cyber-security cloud providers provide the utmost professional services in the market.
On-Premises deployment: this means that the protected organization purchases all the necessary equipment and deploys it in its own organization’s datacenter or scrubbing-center. It also means that the organization is responsible for hiring skilled security personnel and accompanying peripherals such as routers, switches, landlines with appropriate throughput to absorb the attack volume.
There are pros and cons to each of the above approaches. Here are some of them:
Deploying on-premises only: enables the organization to completely control the exceptionally fine details of its attack protection policy and capabilities. If the organization has the proper skillset and labor – the organization can fine-tune its protection policies as well as keep up to speed as those change. There are also exceptionally large enterprises owning exceptionally large networks; these organizations will typically not want to pass through yet another network, as their network is large on its own. Lastly, some organizations cannot allow their data (traffic) to move out of the organization’s perimeters and on to the cloud. Thus – on-premises solutions are optimal in such cases. The cons of this approach are that the organization needs to hire experienced cyber-security personnel as well as to purchase the equipment itself (e.g., Capex).
Consuming cyber-security from a service-provider or a dedicated cloud provider: means that the organization does not have to spend Capex (no need to purchase equipment) and can go with Opex. In addition, the organization does not have to hire experienced cyber-security personnel, a task that is becoming ever more challenging over time. The Cons are that the organization needs to move its data to the cloud and rely on others to ensure it is always protected.
If you got this far – you understand that a holistic cyber-security solution requires coverage for the attack types that you may experience (volumetric L3/L4, L7 network, application, DNS…) combined with the proper deployment methodology suiting your organization the best (on-premises, cloud service or hybrid…)
As in life – there are no perfect solutions and it all boils down to one’s needs, preferences, restrictions, and constraints. But – it is up to you – the organization – to make the right choice for your business.
Choosing the appropriate cyber-security solution – considerations
As a rule of thumb, we at Radware recommend that your organization runs a thorough review of your your security needs, internal workforce capabilities, budget, and company policies (desires, constraints, and restrictions) so that you can decide on the most optimal, effective, and cost-efficient cyber-security solution for you.
Having said the above, here are a few guidelines to help you determine which solution is appropriate for you.
Do not underestimate application protection: Obviously, if your organization does not deploy applications at all then this is not necessary. However, most organizations in today’s business landscape do own and deploy applications, be it to serve their customers and / or to serve their own employes. If that is the case in your organization – you must also deploy application protection in the form of Web Application Firewalls (WAF), WAAP – Web and API protection, Bot Management protections, L7 network DDoS protections. As for deployment policy, Radware recommends deploying the network L7 DDoS protections on-premises while WAF, WAAP and Bot-management and advanced webDDoS solutions to be consumed as a service from Radware’s cloud. Application-level attacks are becoming extraordinarily complex and are employing artificial intelligence (AI) and machine learning (ML) engines and algorithms. As such, the mitigating solutions also use AI and ML. AI and ML typically require heavy computing resources, which could turn an on-premises solution to be quite expensive for an organization to own and deploy. By having those consumed by a professional cyber-security cloud owner, the organization benefits from a best-in-class solution, which is also cost-effective.
Reliant on APIs? Do not overlook this section: if you deploy services that offer APIs, either to your own employees or to your customers, it is super important that you deploy a WAAP (Web and API protection) solution. APIs are typically the biggest vulnerabilities of organizations. Even to date, developers are overlooking API “engineering excellence” and are not developing APIs with security in mind. This is reality. Overlooking this is a mistake. Radware recommends that you deploy / subscribe to a WAAP solution which will ensure your APIs are protected at all times!
Network volumetric protection is necessary: while the attack landscape is becoming increasingly sophisticated, with advanced application layer attacks, network volumetric attacks are going nowhere and are not reduced in usage nor volumes at all. Organizations must deploy or consume solutions to protect their networks at the perimeter / edge from being overwhelmed. If your organization seeks complete control over the network protection and has the resources – Radware recommends that you purchase and deploy a DDoS solution on-premises. If your budget is short of spending considerable Capex in advance and/or your in-house expertise is short, Radware offers its professional, best of breed, cloud DDoS solutions. You could also enjoy the “hybrid” strategy, where your organization will deploy a solution on-premises but also purchase “the right” to divert traffic to the Radware cloud in case attacks supersede your on-premises capacity to mitigate. This strategy lets one enjoy both worlds while keeping the overall cost of the solution effective.
Summary
The attack landscape is indeed extraordinarily complex and full of various attack vectors. The importance of a true comprehensive cyber-security solution is imperative. Network (volumetric) attacks go nowhere but application-targeting attacks, be it at the networking level (L7 protocols), or the targeting of the application itself, are becoming increasingly dominant. A comprehensive and inclusive cyber-security solution should protect your network and applications. It should be deployed and/or consumed (Cloud SaaS) in accordance with your organization’s policies, budget, and needs. Failing to attend to one piece of the cyber-security protection puzzle will leave you vulnerable and susceptible to attacks.
Radware is a leader in DDoS and application protection and has been developing on-premises and cloud-oriented solutions for over 25 years with hundreds and thousands of customers across the world.
For more information, we welcome you to log in to the Radware portal, where you can find information on Radware’s products and services. www.radware.com