DDoS mitigation is a set of techniques or tools for resisting or mitigating the impact of DDoS (distributed denial-of-service) attacks on networks connected to the Internet by protecting the target and relay networks. When thinking about mitigation techniques against these attacks, it is useful to group them into infrastructure layer (Layers 3 and 4) and application layer (Layers 6 and 7) attacks. Among the various types of DDoS attacks:
- Layer 3/4: User Datagram Protocol (UDP) reflection attacks
- Layer 7: DNS query flood; HTTP flood/cache-busting attacks
Best practices for DDoS mitigation:
- Minimize attack surface, e.g. using NACLs, Security Groups, FWs
- Scale to absorb attack: Auto Scaling groups, CDNs, static web content via S3
- Safeguard exposed resources: DNS, WAF
- Learn normal behavior: using ML
- Have a plan.
- Prevent loss of revenue
- Ensure customer satisfaction and sustain their trust and confidence in your brand
- Prevent identity theft
- Protect your web applications and APIs against infrastructure layer attacks like SYN floods and UDP floods;
- Protect against application layer attacks to minimize application downtime and latency;
- Automate near-real-time DDoS detection and response.
- DDoS attacks keep changing and becoming more sophisticated.
- Public cloud adoption continues to increase at a rapid pace.
- Larger and more sophisticated enterprises that are prone to more frequent attacks will continue to use specialty DDoS mitigation providers.
- Many CSPs offer (tiered) DDoS services that are sufficient for most companies.
Network Access Control
Network Access Control (NAC) technology enables organizations to build and implement policies that control access to enterprise resources for both user-oriented devices and Internet of Things (IoT) devices.
NAC policy can enforce a better security posture based on context. It can also help implement lateral (east-west) segmentation, becoming the foundation of Zero Trust Network Access, CARTA and microsegmentation.
- Network visibility
- Network Segmentation
- Bring Your Own Device (BYOD) security
- Guest access management
- OT/IoT discovery
This technology is now part of the Zero Trust concept and can seamlessly integrate with SIEM, IPS, NTA, enterprise firewalls (formerly NGFW), etc. NAC systems can use alerts generated by these products to react better to network status and context.
NAC is a very complex technology and even basic deployments can involve multiple appliances. Once NAC appliances are deployed, they require connections to the enterprise user directory and PKI, as well as to every network access device (switch, wireless LAN controller, etc.).
NAC essentially changes the way a network functions:
Before NAC, the network implicitly trusted all devices simply because they were connected inside the enterprise premises. After NAC, the network does not implicitly trust any device: a deny-all default policy applies to both users and devices.
Given that more clients are moving towards hybrid networks and seeking firewall capabilities in the cloud, Gartner as well as other analysts are starting to analyze the native cloud firewall capabilities of cloud providers alongside stand-alone firewall vendors. They are also consolidating Enterprise Firewall (ex NGFW) and Unified Threat Management under the same Quadrant, providing a unified Network Firewall view.
Enterprise firewalls (EFW), formerly known as Next Generation Firewalls or NGFW, are devices that go beyond port-based protocol inspection by providing deep packet inspection capabilities, identity awareness and intrusion prevention, using intelligence from outside the firewall, including cloud-based advanced threat detection (ATD) and threat intelligence (TI).
Enterprise firewalls should not be confused with stand-alone network IPS or SMB multifunction firewalls, also known as UTM.
- Secure public cloud: virtual firewalls can secure public cloud services from providers such as GCP, AWS and Azure, and some can provide visibility across multiple CSPs.
- Extend security to branches and/or software-defined environments (SDN/SD-WAN)
- Safeguard Private Cloud
- Distributed branch-office firewalls will switch to firewall as a service.
- New firewall deployments will have to consider cloud-native firewall policy support for IaaS as a mandatory selection criterion.
- Firewall end-user licensing is going to be part of larger security “platform” deals delivered through enterprise license agreements (ELAs).
- New firewall purchases in the enterprise segment will utilize SD-WAN features, with growing adoption of cloud-based services.
- Recently, leading Enterprise Firewall vendors have been including Network Traffic Analytics capabilities alongside IDPS capabilities.
- EFW can also play an important role in CASB architecture.
Secure Mail Gateway
A Secure Mail Gateway (SMG) works like a firewall for email: it protects businesses by blocking risky email content and preventing malicious emails from being delivered to the inbox.
A Secure Mail Gateway protects against spam, malware, virus attachments and other multi-vector attacks.
To secure cloud email, the SMG is connected as a proxy in front of the email provider’s cloud environment. If the content is safe, the message is forwarded to the email provider, where it is scanned again by the provider’s built-in security.
- Malware and virus scanning & protection – acts as a filter that blocks malicious emails and viruses before they can infect the business network;
- Spam filtering – core feature of an SMG that controls and blocks spam, using dedicated algorithms to detect risky patterns;
- Phishing protection – anti-fraud technologies identify and block phishing attacks, including mails that contain phishing links.
- Protecting business-critical assets;
- Demonstrating adherence to compliance requirements;
- Cost reductions and efficiency gains through a SaaS service model by default;
- Modular service design enables customization to meet business requirements for cost and scalability;
- Proactive security support;
- Success through state-of-the-art technologies
Secure Web Gateway
Web content and web traffic are exposed to a large number of different malicious attacks.
A Secure Web Gateway Service (SWG) is an advanced network security service that protects users from external threats while they access the Internet and use web-based applications.
An SWG – also called a proxy – acts as an intermediary: it receives requests on one side and sets up the connection to the other side from its own address. This prevents end users from communicating directly with the remote side (typically the Internet) and being directly exposed to attack.
By sending all web requests through a Secure Web Gateway system, an organization adds a level of security that can protect web information from possible exploits and the network systems from malware or denial-of-service attacks.
- Forward proxy solution: users’ web requests are forwarded to a proxy system that manages and controls web access centrally. This use case allows user authentication to eliminate non-work-related or undesired Internet browsing activities, and also allows content scanning to protect against malware or unwanted web content (malware, URL and keyword filtering).
- Reverse proxy solution: the reverse proxy is a security gateway fronting web applications, where all Internet users talk to the proxy rather than directly to the web-enabled application.
- Secure Web Gateway Service covers various security functionalities in one go;
- It can be deployed on a virtual appliance or in the cloud;
- Comprehensive content analytics and malware protection are enabled by default;
- Modular service design allows individual customization of the Secure Web Gateway solution to meet business requirements concerning scalability, security and costs much more precisely.
The fifth generation of cellular networking brings new cybersecurity threats. Both the network and the devices have to be considered when assessing security risk. Solutions like encryption and network monitoring are highly desirable and will have to be adapted to the high bandwidth and low latency this technology brings. Other solutions will have to evolve as well: AI-powered software installed on each endpoint, continuous patch updates and strong authentication will become mandatory, plus automated solutions to manage incident response faster.
The connected-vehicle domain, which relies on many different communication protocols, services and exchanged data (remote maintenance, tele-operated driving, etc.), is an example of the architectural, regulatory and security complexity that 5G implementations bring.
- Mandatory effectiveness of security controls and processes.
- Automated decisions that reduce time-consuming tasks.
- A single, or main, source of immersive analyst experience, able to abstract and aggregate answers from multiple data sources. Such a solution must keep up with the data speed and complexity that 5G brings to security operations, with strong ties to EDR & AV (endpoint) for the focused search of malware execution etc.
- Automated remediation of IoCs, proper control and governance over the automation, and the ability to automate or offload the communication channels.
- Telco & Media
- Public Sector & Defense
- More verticals to be impacted further
- Existing security technologies must evolve massively in order to cope with 5G security challenges.
- The high number of routing points, the high speed and the capacity make monitoring difficult, especially monitoring of real-time traffic. This is where AI and automation are highly needed.
- The general lack of security standards in IoT, plus the fact that many low-end IoT devices do not support security configuration, creates many weak points in the network.
Active Directory Security
Active Directory (AD) is a Microsoft Windows directory service (based on Kerberos and LDAP) that allows administrators to create, delete and manage users, applications, data, etc. on the network. The biggest threat to Active Directory is that someone unauthorized gains Domain Admin rights. The term used for a compromised AD is Assume Breach. Assume Breach means that we must assume that an attacker has already gained access to our network through a client. From there, the attacker has the same access to all our resources as a normal user.
- Back up the AD configuration regularly.
- Patch vulnerabilities regularly
- Automate processes
- Use real-time Windows alerting and auditing
- Implement multiple privilege tiers for AD roles and groups
- Change AD default settings
- Change passwords regularly
Business Email Compromise Mitigation
Email has migrated to the cloud at a large scale, requiring a shift in mindset to secure this communication channel. Business Email Compromise Mitigation includes the prediction, prevention, detection and response to email attacks. It includes gateways, email systems, user behavior and various supporting processes. Email attacks include malware, email spoofing, account hacking and email phishing.
- Secure emails with encryption;
- Protect email users from common attachment-based cyber threats;
- Protect users from cyber threats that use hyperlinks in email (phishing attacks).
- Identity theft protection
- Protect your brand and customer trust
- Revenue loss protection
- Organizations that have migrated to cloud email and those that are planning a migration are overwhelmingly choosing cloud-delivered email security products.
- The email security market has begun to adopt a continuous adaptive risk and trust assessment (CARTA) mindset in response to the dissolving perimeter.
DNS, or Domain Name System, was designed by IETF engineers back in the 80s to be a scalable distributed system and, like most early Internet protocols, without a security focus. Later, the expansion of the Internet into the commercial public sector changed the requirements for security measures to protect data integrity and authenticate users. DNS responses originally had no cryptographic signatures, leading to multiple attack possibilities like packet sniffing, DNS hijacking, DNS poisoning, man-in-the-middle, etc.
DNS Security Extensions, or DNSSEC, is a solution that adds authentication to DNS responses, providing authentication of the sender and message integrity. DNSCurve has been proposed as an alternative to DNSSEC.
DNSSEC protects the communication between DNS servers but not the communication between the client and its local recursive DNS server. This last segment is known as the “last mile”, and various other technologies can address it. Only DNS over HTTPS (DoH) and DNS over TLS (DoT) are discussed here.
- DNSSEC – prevents DNS cache poisoning;
- DNS over HTTPS (DoH) – increases user privacy and security by using HTTPS instead of plain UDP;
- DNS over TLS (DoT) – increases user privacy and security by encrypting both DNS queries and answers using TLS.
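As an added example (not code from the original page), a minimal stub-resolver helper in Python that requests DNSSEC validation by setting the EDNS0 DO bit on a query, frames the message with the 2-byte length prefix that DoT carries inside the TLS session, and checks the AD flag of a response; the two sample responses are constructed, not captured. The AD flag only states that the recursive resolver validated the answer, so it is trustworthy only when the last mile to that resolver is itself protected (DoT or DoH), which is the page's point above.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data: the recursive resolver validated with DNSSEC
EDNS_DO = 0x8000  # "DNSSEC OK" bit, carried in the OPT record's TTL field


def encode_name(name):
    """Encode a hostname into DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a DNS query (qtype 1 = A). With dnssec_ok, an EDNS0 OPT record with
    DO=1 is appended so a validating resolver includes RRSIGs and sets AD."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = DO bit, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg


def frame_for_dot(msg):
    """DoT (RFC 7858), like plain DNS over TCP, prefixes each message with its
    2-byte length; the TLS session then carries these frames."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(resp):
    """Extract the header fields a stub resolver needs to judge a response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "response": bool(flags & FLAG_QR),
            "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "ancount": ancount}


def is_validated_answer(resp, expected_id):
    """Accept only a NOERROR response that matches our transaction id and
    carries AD, i.e. the resolver reports it validated the data with DNSSEC."""
    h = parse_header(resp)
    return h["id"] == expected_id and h["response"] and h["rcode"] == 0 and h["ad"]


# Constructed sample response headers (no body): one from a validating resolver
# (flags QR|RD|RA|AD = 0x81A0) and one without validation (QR|RD|RA = 0x8180).
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
RESP_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print("query bytes:", len(q), "DoT frame bytes:", len(frame_for_dot(q)))
    print("validated:", is_validated_answer(RESP_VALIDATED, 0x1234))
    print("plain:", is_validated_answer(RESP_PLAIN, 0x1234))
```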
Network Security Policy Management
Network security policy management tools (NSPM) can help security and risk management leaders address multiple use cases by offering centralized visibility and control of security policies across hybrid networks, risk analysis, real-time compliance and application mapping.
NSPM tools go beyond user policy administration interfaces coming from firewall vendors and provide analytics and auditing, change management flow, rules testing and visualization often using a visual network map of devices and firewall access rules overlaid onto multiple network paths.
Network security policy management suites often contain adjacent functions such as application connectivity management, policy optimization and risk-oriented threat path analysis.
- Centralized management of multiple/multi brand firewall rules
- Visibility and management of network security policies across hybrid networks and/or multicloud environments
- Continuous audit and compliance of security rules.
- Change management and automation of network security operations
- Continuous network security analysis and vulnerability assessment
- Firewall rules management
- Centralized policy management and visibility
- Automated Change management
- Topology mapping and path analysis
- Application discovery and connectivity management
- NSPM tools are expensive to add to a smaller security organization’s solution portfolio.
- Because these tools interact with multivendor devices and environments, including firewalls, routers, switches, and private and public cloud, enterprises often face implementation and initial administration issues if the tools are not implemented correctly.
- Enterprises often fail to conduct a proper evaluation of these products before bringing them onboard, and eventually face integration issues with their existing network security devices and change management tools.
These tools are extending their support for visibility and control to hybrid environments, yet support for private and public cloud is extended to only a few limited providers with limited functions.
Secure Instant Communication
Securing instant communication technologies requires multiple security controls: multi-factor authentication, antivirus software, endpoint monitoring and data encryption are the mandatory ones, in addition to the secure coding and development measures that must be present during the development lifecycle of such technologies.
- Compliance with data protection frameworks (like GDPR or HIPAA) is one of the main drivers for Secure Instant Communication. Regulations put even higher demands on protecting personal and sensitive data, and an instant communication application must be secure by design.
- Remote working as a growing trend makes Secure Instant Communication even more necessary. As the number of remote workers grows, enforcing corporate BYOD policies becomes a bigger challenge.
- Compliance with corporate policies and data protection standards.
- Secure Instant Communication facilitates business interactions, as it enables sharing sensitive data in a secure way.
- MDM technologies contribute a lot to achieving such secure communication, especially for employees who use their own devices to work from anywhere while still relying on privacy and protection. By segregating users’ personal data from the company’s data, these software solutions improve overall security through encryption, remote device management and application control.
User behavior is one of the main challenges with secure instant communications, as users may not stick to company policies due to lack of awareness or negligence. Education of employees should be a priority in the overall solution implementation.
TLS decryption Platform
The Transport Layer Security (TLS) decryption platform is a technology designed to decrypt SSL/TLS traffic, pass the unencrypted traffic to additional security services for further processing, and finally re-encrypt the processed traffic towards its ultimate destination. It can work for both inbound and outbound traffic.
- Detection and analysis of encrypted malware communication channels
- Visibility into data exfiltration attempts via encrypted channels
- Malware distribution detection via encrypted channels
- Improved generic content filtering
- Deeper network and traffic analytics visibility
Cyber Physical System
A networked suite of devices, comprising both software and hardware, designed to sense, interact with and control the physical world with a high degree of autonomy in a safe and security-conscious manner.
- Smart grids in the Energy industry
- Personalized medicine in the Healthcare industry
- Smart weapons systems in the Military industry
- Connected and autonomous vehicles (CAVs) in the Automotive industry
- Smart building and cities in the Infrastructure industry
Significant economic value is derived by shifting manual processes towards machine and logic-controlled automation and control.
Certain use cases specifically require the absence of a human-in-the-loop and the offloading of a certain process entirely to a CPS in order to fend off any subjective course of action.
Manufacturing, utilities, telecommunications, transportation
While the IoT/OT landscape is merging and finds itself “in-transition”, IoT use cases are crossing the boundaries towards a more mature, security focused approach that underpins a CPS. The prevailing assumption is that by 2023 50% of IoT marketing will be focused on a security conscious CPS approach.
As market players begin to understand the dangers and the impact at scale of security weaknesses, an emerging and productive field is opening up to address those concerns in the form of CPS with intrinsic security.
Network flow Analyzer
Network Flow Analysis (NFA) is a solution that provides network traffic monitoring with a full overview of all devices connected to the various enterprise networks. It can help organizations optimize their network infrastructure for better application performance, align resources to support business results, and support data-driven decisions. NFA analyzes network traffic in real time to identify and detect anomalies and to continuously discover and classify every IP-connected device with access to the network. It brings devices into compliance and ensures that patches and appropriate software versions are installed and running on all managed and unmanaged devices.
The key use case of an NFA solution is providing network visibility and traffic monitoring with:
- Real-time asset inventory without introducing operational risk or impacting reliability.
- Automation of risk and compliance activities to both reduce overall compliance cost and increase efficiency and effectiveness.
- Agentless and passive discovery and profiling in sensitive OT network zones.
- Discovery of assets, feeding the Asset Management (CMDB) services with enriched asset information such that subsequent business actions.
- Detect unknown devices earlier in the kill chain and improve detection & response times.
- Identify unauthorized devices immediately and in an automated manner, independent of device type.
- Provide full visibility of all devices by classifying them into traditional IT, Operational Technology and industrial Internet of Things.
- Identify security gaps immediately and help to achieve endpoint device compliance.
Telecom Media & Technology, Public Sector & Defense, Financial Sector and Insurance, Manufacturing.
Network Traffic Analyzer
Network traffic analysis (NTA) is a detection technology that uses analytical techniques and machine learning to intercept, record and analyze network traffic communication patterns in order to identify performance problems, suspicious activities and threats on the enterprise network.
NTA can monitor and analyze, through network sensors, raw network traffic as well as flow records.
NTA solutions allow network administrators to collect data on the traffic that flows through a network and automatically raise alerts if they detect a security threat or an unusual pattern.
NTA products can serve as an organization’s single source of truth, identifying what is actually on the network.
- Detect threats you didn’t know about (entity tracking) – machine learning can detect things on a network that we cannot predict and define in advance (including users, devices, applications, etc.), adding value to the organization;
- Detection and response workflow: detects unusual patterns, identifies the root cause and reacts based on the result;
- Generates network activity reports for any time period.
- 100% visibility beyond the endpoint – improve security with complete visibility of the network across hybrid, multi-cloud and IoT infrastructure. It can detect and respond to threats and insiders before they do damage;
- Analyze network traffic;
- Offer advanced analytics in order to detect anomalous traffic.