INSIDE:
• Complete Survey Results
• In-Depth Analysis
• Expert Commentary
Sponsored by
From the Editor
DDoS attacks may be out of the headlines, but they have hardly disappeared as a significant
business concern.
In this new 2015 DDoS Impact & Response Study of organizations in the U.S. and UK, we find:
»» 55% of respondents say they have experienced as many or more attacks as in the past year;
»» 60% say the attacks were equal or more powerful than previous attacks.
Some clear messages emerge in the survey results ahead, and I’m eager to share them with you.
Among those messages:
Now, it’s important to point out: This survey, although sponsored by Neustar, is distinct from Neustar’s own
annual DDoS Attacks & Protection Reports. This past April, in fact, Neustar released two such reports –
one for the U.S. and one for EMEA. You will find links to these studies at the end of this report.
Our DDoS Impact & Response Study is meant to complement Neustar’s DDoS Attacks & Protection
Reports, taking a deeper dive into trends specifically in financial services.
Please enjoy this snapshot of today’s DDoS activity and defenses in financial services, and pay close
attention to survey analysis provided at the end by Joseph Loveless of Neustar.
Do our findings match your experience with DDoS? Please share your feedback with me.
Best,
Tom Field
Vice President, Editorial
Information Security Media Group
tfield@ismgcorp.com
2 2015 DDoS Impact & Response Study © 2015 Information Security Media Group
Contents
Survey Results
»» DDoS Today
»» Detection and Response
»» DDoS Defense
»» 2016 DDoS Defense Agenda
Conclusions
Survey Analysis from Neustar’s Joseph Loveless
Resources
Sponsored by
Neustar is a trusted, neutral provider of real-time information and analytics with expertise in DNS management, DDoS mitigation, IP intel
and much more. We protect your online presence, safeguarding your websites, customer experience and reputation.
Learn more at www.neustar.biz.
Message From the Sponsor, Neustar
Neustar’s focus is on bringing powerful data insights to help drive high-value business decisions. As a respected
provider of DDoS mitigation services, we make continual investments, not only in our network capacity, but also in
our knowledge-base.
To that end, every year, Neustar conducts a survey about DDoS activity and defenses with organizations across
the world. This year, we conducted two surveys:
»» April 2015 Neustar DDoS Attacks & Protection Report: North America
https://www.neustar.biz/resources/whitepapers/ddos-attacks-protection-report-us-2015
Intrigued by the trends specifically from the financial services industry, we partnered with ISMG to sponsor a
DDoS report focused on that segment. The result is this 2015 DDoS Impact & Response Study, which is meant to
complement our two other reports.
At Neustar, our focus is on keeping companies online. That is why we invest in research year after year. We serve
over 14,000 customers worldwide, and our world-class facilities include a global Network Operations Center, two
secure data centers and points of presence in 112 cities across 37 countries. We provide real-time information and
analytics for almost 7 billion physical and virtual device addresses (including telephone numbers, IP addresses,
global domain names and U.S. business listings).
So, whether it’s managing traffic, defending against cyber threats, ensuring website performance, or all of the
above, Neustar has you covered.
DDoS Today
»» 56 percent of respondents saw as many or more attacks in the past year than in the
previous;
C - average 35
A - superior 12
D - below average 11
F - failing 2
As is common in surveys such as this one, broad self-assessment questions lead to
answers that reflect general corporate optimism. It’s only when the questions dig
deeper that they uncover the truth – which isn’t always as rosy as general opinion
In this case, the study finds that organizations generally feel good about their abilities
to successfully mitigate DDoS attacks. More than 50 percent of respondents rate
themselves above average or superior.
But pay attention to the remainder who rate themselves at average or lower. Later in this
report, subsequent findings will unveil greater insight into organizations’ pain points in
their fight against DDoS attacks.
Yes 35%
No 50
I don’t know 16
Although 50 percent say they have not
been attacked in the past year, note
that just as many either have evidence
they were attacked, or are not sure.
If your organization did experience DDoS in the past year, were
the attacks more or less frequent than in the previous year?
Of those organizations that know they experienced DDoS in the past year, more than half
saw attacks that were at least as frequent, if not more so, than in previous years. Only 14
percent say they experienced fewer attacks.
If your organization did experience DDoS in the past year, were
the attacks more or less powerful than in the previous year?
There was no measurable change in strength of DDoS attacks 41%
I don't know 32
We experienced more powerful DDoS attacks in the past year 19
We experienced less powerful DDoS attacks in the past year 13
And, again, reviewing responses from those who acknowledge attacks, 60 percent say
either that there was no measurable change in the strength of the attacks, or they were
more powerful than those experienced
In the past year, where have you seen your organization’s biggest
increases in DDoS defense and mitigation?
Staff 31
In short, the strong majority has increased investment in technology solutions. Later in this
report, the findings will get into the specific solutions.
But respondents also have hiked their investments in internal staff, as well as third-party
vendor relationships with organizations that specialize in DDoS mitigation.
Detection & Response
C - average 34
A - superior 14
D - below average 7
F - failing 1
But look at the 34 percent who give themselves a C. More than one-third of respondents
rate themselves average at best when it comes to detecting DDoS attacks.
In your opinion, where do the most damaging DDoS attacks
against your organization originate?
Cyber-vandals 26
Hacktivist groups 16
Nation-states 10
Competitors 5
Understanding where attacks are coming from is important to defining a defense plan. In
recent years, the world has seen strings of high-profile attacks attributed to nation-states
and hacktivist groups, and those trends persist.
Among the key threat-actors identified by the respondents are criminal gangs,
cyber-vandals, hacktivists, nation states and even competitors.
When it comes to detecting an attack
that can take down a site and impact
business, is “average” good enough?
In the event of DDoS, how long does it typically take your
organization to detect the attack?
Under 30 seconds 13
Returning to the topic of detection, how long does it typically take an organization to
realize it’s under attack?
According to survey respondents, more than half can spot these incidents in under
10 minutes.
How do you self-assess your organization’s ability to respond to
and mitigate DDoS attacks?
C - average 39
A - superior 13
D - below average 8
F - failing 2
When asked to self-assess, organizations are not quite as optimistic about their abilities
to respond to DDoS – despite feedback offered previously about general detection
and response.
Only 52 percent rate themselves at above average or superior, while 39 percent grade
themselves at just average.
Where are the deficiencies? The next section helps answer this question.
More than half the respondents say they are
mitigating these attacks in under an hour.
When considering detection and response,
it is important to know how many
individuals an organization dedicates
to mitigating a DDoS attack.
The simple answer for financial
services is: Not many.
How many people in your organization typically are involved with
DDoS mitigation and response?
2-5 53%
More than 10 16
6-10 15
1 11
The majority of respondent organizations have fewer than six individuals typically involved
with DDoS response and mitigation. Considering the potential impact of these attacks on
the business, this is a modest personnel investment, indeed.
DDoS Defense
In this section, the report reviews specific deployments. What the findings
generally reveal is:
»» 30 percent do not believe their tools, staff and skills are adequate to defend against
DDoS;
»» 50 percent say their biggest deficiencies are either technology & tools or staff
expertise.
DDoS defense?
There are many layers of DDoS defense – as many as there are types of attacks.
The most common current security tools: web application firewalls, traditional ISP-based
firewalls, switches and routers.
But the findings also reveal a mix of on-premise appliances and third-party services,
which supports the market move toward hybrid DDoS solutions.
Yes 47%
No 30
I don’t know 24
Fewer than half the survey respondents believe their current defenses and skills are
adequate to respond to the strength and frequency of today’s attacks.
What do you believe is your organization’s biggest advantage
when it comes to defending against today’s larger and more
sophisticated DDoS attacks?
Staff expertise 23
Technical skills 10
Organizations cite technology and tools as their biggest advantage over their adversaries.
Third-party support and staff expertise rank second and third.
But …
What do you believe is your organization’s biggest deficiency
when it comes to defending against today’s larger and more
sophisticated DDoS attacks?
Insufficient staff 25
Lack of skills 20
When asked to name their biggest deficiency, organizations also name their technology
tools, as well as their current staff.
2016 DDoS Defense Agenda
Key takeaways:
No change 54%
Decrease 1
Significant numbers of organizations expect sizeable increases in their DDoS defense
resources.
How will your organization in the coming year counter the growth,
proliferation and strength of DDoS attacks?
To counter the DDoS expansion and growth, organizations show strong desire to invest
more in specific tools, as well as in third-party relationships. Again, greater support for the
notion of a hybrid solution.
How will your organization calculate return on investment in these
new measures in the coming year?
Conclusions
Next, Neustar’s Joseph Loveless will offer his unique take on the survey results, what
they mean, how they correspond with other research Neustar has conducted, and most
importantly … how can security leaders apply these findings in their own organizations?
Analysis
“Attacks and the impact can not only be real, but they can prove to be a real detriment to customer retention.”
to consume IT attention, while actually different activity is going on, whether it be the insertion of malware, or an open breach to steal financial assets.
So when I look at the 60% of respondents that talk about the frequency and the [intensity] of the attacks, what’s really driving that is the payoff to the attackers, and the fact that there is a constant effort to not just simply disrupt website operations and infrastructure operations; they actually breach deep into
And it is very easy to be able to launch attacks. There are many tools, and there are even companies that will do it cheaply from $5 an hour to $200 an hour, where they’ll create attacks for you. There’s an industry that’s risen around creating DDoS attacks, and … it was no surprise to see that those that were attacked were experiencing this level of threat and this level of activity.
organizations are tied up much longer. In fact, some of the recent work that we had done last year showed that organizations that have customer service departments are hit with, basically, four to six times the length of the attack in terms of cleaning up customer complaints and so on, which makes a two-day attack a two-week problem. So when I look at the 40% in this particular study that talk about direct impact, it is very clear that the impact is real. The threats are unrelenting, and there’s just significant fallout from being put on the news, from having the organization disrupted, from having mobile applications not working. And customers within financial institutions can be quite unforgiving, right? If you lose trust in your organization, then it’s really a tough road to gain that trust back. When you think about the behavior of the customers – look, this is an online world. Now they can’t trust you to keep your website up? How can I possibly trust you to be able to guard and safeguard my personal private information, much less my financial assets and the sanctity and the security of all of the financial tools that keep my family and my business in good order? So attacks and the impact can not only be real, but
Staffing Needs
FIELD: It’s clear from the results that the number of staffers trained to handle DDoS attacks is relatively small, six or fewer, and there are questions among our respondents about the skill levels of their staffing. How much of a concern do you find appropriate staffing to be in the organizations that you frequently see?
“You’ve got to invest not simply in getting the
right skill sets in, but the investments in being
able to work with third-party providers.”
home-based cable modems. And those modems become, unknowingly to the homeowners, part of large botnets. And that was something we didn’t see a lot a couple of years ago. So when we talk about staffing, it’s really about being able to find folks that have contemporary skills and experience within the organization.
But there’s also the problem of being able to find that [person]. One of the things that we know is there are many, many, many open security positions. We are largely understaffed. We have a tremendous skills gap in terms of being able to cover all of the defensive needs of organizations. So when you look at staff, and you look at something like DDoS, it is tough to find the right type of staff.
When organizations are really seeking out those types of people, what we are seeing is much more of a move to third parties. And by moving into third parties, this alleviates that burden a bit on organizations. It’s allowed the contemporary current, highly skilled, highly expert talent to be on the third party to help your organization, while you have someone of competent skill to be able to effectively manage that third party. That is becoming a very successful combination within an organization.
Detection & Response
FIELD: Do you see organizations getting both faster and more effective when it comes to detecting and responding to attacks?
LOVELESS: We do, and it’s a good sign. A couple of years ago, we had run a massive study, and the typical timeframe of being able to detect an attack was about 4.9 hours. Then it was another five to actually start responding to it. That’s a 10-hour problem.
One of the things that remains consistent within financial organizations is we see about $100,000 an hour at stake [during a DDoS attack]. Well at that time, 10 hours times $100,000 is a million-dollar problem, right?
Today, in the study that we see here, organizations are detecting in less than an hour. And that means sharper skills; it means much stronger defenses; it means the incorporation of third-party defenders who are actually constantly looking and screening traffic; it means always-on configurations where traffic is constantly moving through mitigation to make sure that no DDoS is actually occurring.
That’s great news for businesses and our industry; it’s bad news for the attackers.
Traditional Defenses
FIELD: How do you read our respondents’ investment in what we might consider traditional solutions, and how can they leverage these investments going forward?
LOVELESS: Again, we’re really looking at the institutionalization of DDoS as one of the credible cyberthreats … these are tremendous, powerful threats that exist to these organizations, and the investments in traditional solutions is perfectly reasonable.
You want to make sure that you got strong endpoints and you’ve got the up-to-date hardware. You want to make sure that you’ve got strong firewalls and a good relationship with your ISP. But what you don’t want to do is just leave it there. And we do see still a lot of organizations that are leaving it there, meaning that they’ll rely on the ISP to basically blackhole traffic.
The problem is, to a lot of organizations, you just can’t do that. There’s so much bad traffic that’s being thrown out with the good traffic as well. And so blackholing, just from a hardware perspective, will only get you so far. That actually ends up hurting the business somewhat.
But nevertheless, you want to make sure that that investment is current and up-to-date relevant to the hardware aspect. But you’ve got to invest in the people that process this. You’ve got to invest not simply in getting the right skill sets in, but the investments in being able to work with third-party providers, and more importantly, be able to run and work the processes internally to make sure that you have a plan, to make sure that you are executing according to that plan when those attacks occur. Because in the midst of the attack, that’s the last place you want to actually come up with a plan.
Hybrid Solutions
FIELD: The message is clear that organizations aren’t investing in any one area; they’re investing in hybrid solutions. Your thoughts on this trend?
LOVELESS: It is important to be able to have your hardware working for you. But the attacks that we are seeing are much larger. We are seeing attacks now that, quite honestly, had not been comprehended just a few years ago. I mean, we’re seeing attacks in excess of 300 gigabits. And what is interesting about the size of the attacks … those end points and that hardware can absolutely be overwhelmed.
Why hybrid is getting actually some clear traction is that it’s the cloud’s failover. You’ve got to be able to have a place to go to move this traffic and scrub it. So to keep those endpoints running, to keep them from getting saturated and leaving you in a position to where you’re down, you get this cloud failover to where you’re able to actually route this traffic through the cloud, and then apply countermeasures to it and scrub it - not just move it.
It’s not about having enough network capacity – it’s about having enough scrubbing capacity to be able to move traffic through the cleansing mechanisms to be able to then run that clean traffic back to the organization, and do it quickly. And hybrid is what’s filling that gap, and that’s why you’re seeing it.
Put the Study to Work
FIELD: How would you encourage people to look at our survey results and, more importantly, put them to work for themselves?
LOVELESS: The first thing is to accept that you are going to be attacked. It’s very clear that organizations have done that. But it also means to move forward and have a plan. If we got hit now, what does that look like? Walk through the scenarios, do that scenario building. Make sure that you’re assessing the risk within your organization. Know what is potentially a significant problem and understand how you currently are mitigating those risks. And make sure that you’ve got a plan that evolves to be able to protect rightfully what’s important. And then, test. Just test, test, test. Run exercises internally, run simulated DDoS attacks.
And if you’re working with a third-party provider, first of all, evaluate them with care. Make sure you’re looking through the hype, and what they’re offering is going to fit and be flexible into the defensive plan that you have. No two defensive plans are the same. They’re like snowflakes; they are different. Taking a box of what you get off the shelf and shoehorning it into your organization is not necessarily going to be a pleasant experience. What you want to make sure is that you got the right options that are being applied to that strategy that your organization has put together. Then work together with that partner, and then execute. Run through exercises; make sure everyone’s comfortable. Have a communications plan with the executives so that you know who you’re informing in all the different business units, who you’re informing upstairs. And more importantly, [know] how your customer groups are communicating with your customers, your shareholders, your account holders, and make sure that you’re clear so that when these attacks happen, you’re executing, you’re mitigating, you’re getting that trouble out of the way quickly and you’re just keeping your business on course.
Resources
April 2015 Neustar DDoS Attacks & Protection Report: North America
https://www.neustar.biz/resources/whitepapers/ddos-attacks-protection-report-us-2015
About ISMG
Headquartered in Princeton, New Jersey, Information Security Media Group, Corp.
(ISMG) is a media company focusing on Information Technology Risk Management for
vertical industries. The company provides news, training, education and other related
content for risk management professionals in their respective industries.
Contact
(800) 944-0401
sales@ismgcorp.com