Beyond the Firewall: Protection & Performance

New Technologies Demand New, Flexible Approaches to Web Security

The cyber black market has “evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.”1
The Rand Corporation

Contents
Threats to Web and network resources
Attack Concerns Escalate
Many Organizations Unprepared
Addressing the Challenge
Building a Cloud-based Defense Strategy
Defending the Enterprise’s Growing Web Reliance

Threats to Web and network resources

Attacks are increasingly sophisticated and costly. Potential sources of threats have dramatically increased as cyber crime has evolved into big business. The Ponemon Institute’s annual survey finds that in 2013 the average annualized cost of cyber crime was $11.6 million for the organizations it analyzed, up from $8.9 million the previous year.2

The threat environment is facilitated by burgeoning black markets where criminals and others can trade in ready-made attack tools, swap information on techniques and strategies, and monetize information they have collected, such as credit card account data and personally identifiable information.

Organizations face great risk from increasingly frequent and sophisticated attempts to render Web properties unavailable and steal intellectual property or personally identifiable information. Technology is becoming more sophisticated: bots are not only bigger, they’re smarter, and they are hiding their identities. In addition, attackers are adopting new tactics that take advantage of protocol vulnerabilities to amplify attacks utilizing fewer resources.

DDoS, Web application, and DNS infrastructure attacks represent some of the most critical threats to enterprises today. “Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders,” says the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).3

DDoS attacks consume resources, thus preventing or slowing authorized access to a system resource or dependent systems, including Web sites, Web-based applications, and databases. By marshaling often-hijacked computers and servers, perpetrators are able to direct an overwhelming volume of requests at a target system, crippling its ability to respond to legitimate requests. Perpetrators are continually escalating the volume of their assaults and can routinely direct tens of gigabytes of network traffic at a target.

More insidiously, attacks may combine methods such as a network layer DDoS attack with simultaneous Web application layer and data center attacks, hoping to distract security teams with a volumetric assault that camouflages intrusion through other system vulnerabilities. “Often times a DDoS attack will mask an application intrusion attack or an attempt to steal or manipulate data,” says Dan Shugrue, director of product marketing for security solutions with Akamai. According to Verizon’s annual Data Breach Investigations Report, in 61 percent of the Web attacks it investigated the perpetrators were able to discover vulnerabilities within seconds or minutes.4 In 72 percent of the attacks, data exfiltration began within days. In 52 percent of those attacks, the victims didn’t discover the attack for months, sometimes even years.

One reason attacks continue to increase in volume and sophistication is the knowledge sharing among attackers and the availability of tools to carry out such attacks. “Most of the attacks we are seeing now are executable even by people who don’t necessarily know how to code or know much about network infrastructure,” says Shugrue. Even novices can download an attack tool and type in a target URL to initiate an assault.

In an effort to determine how security executives perceive this new threat landscape, Akamai commissioned Gatepoint Research to survey senior IT security and operations decision makers on how they currently manage their organization’s security posture, how they plan to deal with these new realities, and what impediments they perceive to their ability to meet these new demands.

Attack Concerns Escalate

Gatepoint’s survey of more than 200 executives reveals that 67 percent of security executives expect an increase over the next three years in attacks that utilize a volumetric DDoS assault to bring down a firewall or distract security analysts, followed by an application layer attack to steal data. More than half say they are aware of other websites already experiencing this type of attack.

Survey question: What is your view of converged attacks that utilize a volumetric DDoS attack to bring down a firewall or distract security analysts, followed by an application layer attack to steal data?
  Expect this type of attack to increase: 67%
  Know of other websites that were targeted in this way: 53%
  Not aware of this type of attack: 10%
  Have been impacted by this type of assault: 7%
  Expect this type of attack to decline: 4%

Those executives are worried about the implications of the growing threat. Not only that, they understand the implications: 95 percent expect attacks at the network and application layer to cause system downtime and damage to the brand, 89 percent indicate that attacks divert resources from business needs, and 69 percent expect to lose data during Web attacks.

According to 75 percent of respondents, the most “pain” in the event of a successful attack is the disruptive impact on the organization’s ability to meet its business goals and strategic objectives, as well as the blocking of customer and partner access to Web sites. In addition to lost revenue, which 83 percent of those surveyed see as a key risk of attacks, the indirect costs may be staggering, ranging from actual costs (such as regulatory fines, litigation, and purchasing credit monitoring services for customers) to those that may be harder to measure though just as damaging, such as losing a customer and the indirect costs of brand damage.

Industry data shows that executive concern is more than justified. The number of DDoS attacks increased by 22 percent from 2012 to 2013, according to the Prolexic Q2 Quarterly DDoS Attack Report.5 Those attacks may mask SQL injection and cross-site scripting attempts to attack a Web application or forward logic to a database in an effort to compromise the information stored within. Even a “minor” SQL injection attack on a single unsanitized field in a Web report cost one financial organization more than $196,000,6 according to the NTT Innovation Institute.

Many Organizations Unprepared

A majority of survey respondents today utilize in-house-only resources for security monitoring and remediation. The most common strategies incorporate firewalls, network appliances and/or intrusion protection solutions. On-premises firewalls, on which 78 percent of respondents rely, may not hold up against volumetric DDoS attacks, as they are unable to scale to counter the threat of massive attack, while a distributed network architecture firewall service can scale automatically, on demand, offering the capability to defend against massive-scale attacks.

Survey question: Which security measures do you currently utilize?
  On-premise firewall: 78%
  DDoS scrubbers: 33%
  Cloud-based DDoS service: 27%
  Cloud-based web application firewall: 24%
  Other: 9%

Akamai’s Shugrue says many organizations invest in Web application firewalls, but fail to regularly update their firewall rules or may not have even gotten around to fully deploying this defense. In other cases, he adds, teams attempt to counter growing application layer attacks by increasing the number of rules their on-premise Web application firewall processes on incoming requests; but with the volume of traffic that businesses experience, applying too many rules can sap server processing power, so the defensive tactic may slow down Web sites.

Addressing the Challenge

To scale to meet today’s threats, homegrown defenses require additional capital and human resource expenditures to keep up with cyber criminals who are able to marshal the resources of rogue bots. One industry report found that 78 percent of organizations have just one or two staffers dedicated to Web application security.7 A third of respondents in the Gatepoint Research survey say that staffing resources are insufficient to be able to improve their security posture and eliminate risk, while 17 percent say senior management at their companies does not believe the risk justifies the costs of investing in new Web security solutions and services.

Organizations aren’t sitting still in the face of these threats, though. Enterprises are devoting ever more dollars to their defenses. Most of the survey respondents indicate their security budgets have been growing and will continue to grow, with 59 percent citing an increase in security budgets over the past three years and 63 percent predicting growth over the coming three years. Just 2 percent indicate security budgets have decreased over the past three years and 3 percent anticipate a decline in the years ahead.

Survey question: How has your web security budget changed over the past 3 years and how do you anticipate it will change over the next 3 years?
                 Grew   Declined   Stayed the same   Don’t know   N/A
  Past 3 years   59%    3%         25%               10%          2%
  Next 3 years   27%    2%         18%               14%          2%

It’s clear that decision makers are beginning to rethink how they should combat the growing threats. While a majority (56 percent) of those surveyed indicate they are reliant today solely on in-house resources to meet the needs of 24x7 security monitoring and remediation, only 11 percent indicate they plan to go it alone in the future. Some of those surveyed will rely entirely on outside services providers, while 74 percent will, or already are, using managed services to supplement in-house resources. Among those who have already made the shift, 27 percent are currently utilizing a cloud-based DDoS service and 24 percent are using cloud-based Web application firewalls.

Survey question: How do you currently or in the future expect to meet the needs of 24x7 security monitoring and remediation?
                                                                 Current   Future   Don’t know / N/A
  Supplement in-house defenses with managed services              36%       38%      21%
  Primarily utilize external services providers                   28%       26%      33%
  In-house only (developed by your organization’s resources
  without the aid of outside vendors)                             56%       11%      20%

Building a Cloud-based Defense Strategy

Cloud-based services provide organizations with a competitive edge over the bad guys. The cloud provides scale and consolidates threat intelligence that can offer protection from increasingly large and sophisticated DDoS attacks and Web attacks such as SQL injections.

Cloud-based solutions are able to identify and mitigate suspicious traffic without compromising performance or availability of the origin server. If the solution is running on a robust, global platform, it has the scale to handle spikes in malicious traffic that are increasingly commonplace. Cloud-based service providers have visibility into many different Web sites, often across many industry sectors, and are able to spot emerging patterns, alert their customers to new threats, and update their service platforms to combat the threats.

Furthermore, cloud-based solutions can deliver significantly enhanced protection without requiring investment in new IT security infrastructure, helping to contain costs. Rather than incurring large upfront CAPEX to implement a do-it-yourself defense, cloud enables organizations to convert their security investments to a lower monthly OPEX, while buying into a larger global infrastructure with resources they’d never be able to match internally.

Organizations with finite resources can’t easily adapt to ever-increasing volumes of DDoS traffic, for example, but a cloud services provider can provide on-demand scale to deal with vast spikes in malevolent traffic aimed at crippling servers. While a local DDoS appliance can typically handle no more than 1 gigabit per second and will not stop most DDoS attacks today, a service provider such as Akamai, which delivers daily Web traffic reaching more than 10 terabits per second, is able to absorb attacks measured in tens or even hundreds of Gbps with relative ease.

Unlike inflexible, on-premise devices, a cloud-based solution can absorb DDoS traffic targeted at the application layer, deflect all DDoS traffic targeted at the network layer, and authenticate valid traffic at the network edge. A cloud-based Web application firewall can help detect and deflect threats in HTTP and HTTPS traffic, issuing alerts or blocking attack traffic closer to its source. An additional layer of security protection may involve cloaking an enterprise’s origin from the public Internet, preventing direct-to-origin attacks without impeding the quick and reliable delivery of content.

Defending the Enterprise’s Growing Web Reliance

The Web is at the heart of business today: workers, customers, partners and other external stakeholders depend on availability. When Web sites slow or go offline, or worse yet, if customer data is stolen, a company risks business reputation, customer loyalty and lost revenue, in addition to the costs that will be required to get everything back up and running. Some organizations may have hundreds of Web sites and applications at risk at any time, creating a broad profile that attracts cyber criminals, terrorists, and mischief.

Service providers utilizing cloud-based solutions can provide the scalability, expertise and responsiveness that can mean the difference between business as usual and being crippled by unexpected assaults. With greater visibility into the global threat landscape, on-demand scale and an always-on posture, organizations can rely on a more proactive and resilient defense. For more information on combatting growing cyber threats, go to www.akamai.com/security.

Knowns and Unknowns

While most readers undoubtedly feel like they’ve been using the Web forever, from a security perspective there are new lessons to be learned every day. Early in 2014, it was learned that a DDoS assault was launched that exploited “a seemingly innocuous feature of WordPress, [the] content management system that currently runs approximately 20 percent of all websites,” observed Akamai’s Bill Brenner in a blog examining the issue.8 According to PC World, “The WordPress bug ticket related to the pingback DDoS issue was originally created in 2007 and reveals that WordPress’ developers tried to partially mitigate the problem with several patches over the years, last time in WordPress 3.6, which was released in August.” Nonetheless, an estimated 160,000 WordPress sites were exploited in March 2014 to direct a DDoS assault against an unnamed but popular WordPress site that was disabled for several hours.9

Larry Cashdollar, a member of Akamai’s CSIRT team, analyzed the vulnerability and noted in an advisory that, “Essentially this is an open proxy allowing any malicious user to use a WordPress site to direct layer seven attacks at a target. This can also be abused to target internal systems if the webserver is hosted on an internal network.”

One of the adverse impacts of the Web is that such vulnerabilities may in fact be known to a select few who view them as innocuous, until someone with malicious intent discovers how to leverage the vulnerability and unleash it on the vast number of unknowing innocents.
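As an added example (it is not code from this report, from Akamai, or from the WordPress project), the following Python script shows how a site's own HTTP access log can be screened for the pingback-reflection pattern described above, from both sides of the abuse: a target site sees many pingback-verification fetches arriving from distinct WordPress installations, and a WordPress site being used as the "open proxy" sees bursts of POSTs to its xmlrpc.php. The NCSA combined log format, the shape of the verifying-pingback user agent ("WordPress/<version>; <site URL>; verifying pingback from <ip>"), the alert thresholds and the sample log lines are all assumptions constructed for this example.

```python
"""Screen an access log for WordPress pingback-reflection traffic.

Added example, not part of the Gatepoint/Akamai report. The log format,
the user-agent shape and the thresholds are assumptions; the log lines are
constructed for the demonstration.
"""
import re
from collections import Counter

# NCSA combined log format (assumed): ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agent a WordPress site sends when it fetches the target to verify a
# pingback (assumed format). The trailing IP is the client that submitted the
# pingback to that site, which is what an incident responder wants to correlate.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<src>\S+)$'
)

# Constructed sample: four verification fetches from four different WordPress
# sites (two submitted through each of two client IPs), one ordinary browser
# request, and three POSTs to this host's own xmlrpc.php from one client.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2014:10:00:01 +0000] "GET /?x=1 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [11/Mar/2014:10:00:01 +0000] "GET /?x=2 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://blog-b.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [11/Mar/2014:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8801 "http://www.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"
203.0.113.12 - - [11/Mar/2014:10:00:02 +0000] "GET /?x=3 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.9"
203.0.113.13 - - [11/Mar/2014:10:00:03 +0000] "GET /?x=4 HTTP/1.0" 200 5120 "-" "WordPress/3.5.2; http://blog-d.example; verifying pingback from 198.51.100.9"
198.51.100.20 - - [11/Mar/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [11/Mar/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [11/Mar/2014:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """'target' = a WordPress site is fetching us to verify a pingback;
    'reflector' = a client is posting to our own xmlrpc.php; None otherwise."""
    if rec['method'] == 'GET' and PINGBACK_UA_RE.match(rec['ua']):
        return 'target'
    if rec['method'] == 'POST' and rec['path'].split('?', 1)[0].endswith('/xmlrpc.php'):
        return 'reflector'
    return None


def analyze(log_text, min_reflectors=3, min_xmlrpc_posts=3):
    """Summarise pingback-related traffic and raise findings over the thresholds."""
    reflector_sites = Counter()  # distinct WordPress sites fetching this host
    submitters = Counter()       # client IPs named in the verifying user agent
    xmlrpc_clients = Counter()   # clients posting to this host's xmlrpc.php
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == 'target':
            ua = PINGBACK_UA_RE.match(rec['ua'])
            reflector_sites[ua['site']] += 1
            submitters[ua['src']] += 1
        elif kind == 'reflector':
            xmlrpc_clients[rec['ip']] += 1

    findings = []
    if len(reflector_sites) >= min_reflectors:
        findings.append(
            f"pingback reflection against this host: {sum(reflector_sites.values())} "
            f"verification fetches from {len(reflector_sites)} WordPress sites; "
            f"submitting IPs: {', '.join(sorted(submitters))}")
    for ip, n in sorted(xmlrpc_clients.items()):
        if n >= min_xmlrpc_posts:
            findings.append(f"{ip} sent {n} POSTs to xmlrpc.php: this site may be used as a reflector")
    return {
        'reflector_sites': dict(reflector_sites),
        'submitters': dict(submitters),
        'xmlrpc_clients': dict(xmlrpc_clients),
        'findings': findings,
    }


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG)['findings']:
        print(finding)
```

Run as a script it prints two findings for the embedded sample: the host is receiving verification fetches from four WordPress sites submitted through two client addresses, and one client has posted repeatedly to xmlrpc.php. In production the thresholds would be set per time window rather than per file, and the submitting IPs pulled from the user agent are the addresses the reflecting sites saw, not the reflecting sites themselves. On the reflector side, the common mitigation is to remove the pingback.ping method from the XML-RPC interface (WordPress exposes the xmlrpc_methods filter for this) or to restrict xmlrpc.php entirely where it is not used.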

Sources
1. “Markets for Cybercrime Tools and Stolen Data,” Lillian Ablon, Martin C. Libicki, Andrea A. Golay, 2014. RAND Corporation. http://www.rand.org/pubs/research_reports/RR610.html
2. “2013 Cost of Cyber Crime Study: United States,” October 2013. Ponemon Institute.
3. “Cyber Threat Source Descriptions.” https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions
4. “2014 Data Breach Investigations Report,” Verizon.
5. “Prolexic Q2 Quarterly DDoS Attack Report,” www.prolexic.com/attackreports
6. “NTT Innovation Institute Announces the Availability of the 2014 Global Threat Intelligence Report,” March 27, 2014. NTT Group. http://www.ntti3.com/ntt-innovation-institute-announces-the-availability-of-the-2014-global-threat-intelligence-report/
7. “The State of Web Application Security: An IANS Custom Report,” August 2013. IANS. http://resources.idgenterprise.com/original/AST-0100099_IANS_WhiteHat_Custom_Report.pdf
8. “Anatomy of WordPress XML-RPC Pingback Attacks,” Bill Brenner, March 31, 2014. https://blogs.akamai.com/2014/03/anatomy-of-wordpress-xml-rpc-pingback-attacks.html
9. “Over 160,000 WordPress Sites Used as DDoS Zombies,” PC World, Lucian Constantin, March 11, 2014. http://www.pcworld.com/article/2106940/large-ddos-attack-brings-wordpress-pingback-abuse-back-into-spotlight.html

Copyright ©2014, Gatepoint Research. All rights reserved. The information contained in this report is the sole property of Gatepoint Research and may not be used, reproduced or redistributed in any form including, but not limited to, print and digital form without the express written consent of Gatepoint Research. www.gatepointresearch.com.