Would most enterprises really rather fend for themselves when it comes to security? One reputable survey seems to say so. Organizations are largely investing technology and staffing budgets earmarked for information security into related in-house skills and technology, according to a 2016 SANS Institute report on IT Security Spending Trends. That could and probably would be the topic of this article but for one little thing.
DDoS security stands out as the only exception in the aforementioned report, with companies spending outside their own ranks for detection and remediation. Most companies surveyed prefer cloud service-based DDoS protection when picking a provider.
A list of top DDoS protection cloud services, given in random order, can include F5 Silverline, Arbor Networks' Arbor Cloud, CloudFlare's advanced DDoS protection, VeriSign DDoS Protection Service, Imperva Incapsula, Akamai Kona Site Defender, Cisco Guard, and Level3 DDoS Mitigation. There are many more such services; this list includes the best, depending on whom you talk to.
Risk profiles, coverage, research methods, deployments
Here are four things to know when preparing to select a DDoS protection cloud service.
Tip No.1: Know Your Risk Profile. Determining what DDoS protection cloud service is best for your business starts with knowing the risk profile of your organization, since you will have to marry a suitable service to that profile. ISACA offers information about what to include in a risk profile. According to Tim Cullen, senior security consultant, CISSP, and chair at the Cybersecurity Simulation for the Technology Association of Georgia, here are the impact profile points you must know for your enterprise.
- How long can your site/service endure downtime in the event of a successful DDoS attack?
- What is the range of losses in revenue that would affect your company if an attack prevails?
- How would DDoS inflicted downtime contribute to loss of customer confidence or market share?
Tip No.2: Know the protections/coverage you need. Once you have established how heavily each of these pain points would weigh on your organization during and after an active attack, you need to establish what kinds of protections are necessary.
You might, for example, need to detect and protect yourself against zero-day attacks since many DDoS attacks flood requests for services using new OS or application vulnerabilities that the vendors have not yet patched, explains Cullen. "You need to know how quickly the provider can implement the solution to protect you and whether it secures you and your data if you are currently under attack," adds Cullen.
Tip No.3: Know providers' research methods. The methods the DDoS protection cloud service uses to gather data about attack vectors are also important to your selection. According to Cullen, you should confirm the following about the provider:
- Do they use their own metrics for isolating attack data?
- Or do they instead use a cloud service to report and disseminate attack alerts and to update virus/malware signatures?
- Do they have a global footprint for data collection?
- Do they proactively research and identify new attacks as they are first appearing in the wild?
The cost of some features, such as a proactive research approach, will be a factor in your selection.
Tip No.4: Deployment options. Be sure to ask whether the service can be deployed in different ways so that you can select the deployment approach that leaves you feeling confident and comfortable. Choices include always-on setups with everything going through the cloud, on-demand arrangements where you have to recognize an attack and then elect to divert traffic to the cloud manually, and on-demand setups where the system recognizes an attack and redirects traffic to the cloud service for you. For the on-demand options, ask how the diversion is performed (typically a DNS change or a BGP route announcement) and how long it takes to complete, because that is the window during which the attack reaches your own infrastructure.
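As an added example (not from the article, from Cullen, or from any vendor listed), the automatic-diversion option boils down to a detection loop with hysteresis. The Python script below parses constructed combined-format access-log lines, computes the per-second request rate and how concentrated the traffic is on a single source, and decides when to divert traffic to the scrubbing service and when to send it back to the origin. Thresholds, addresses and timestamps are assumed values; the divert/revert actions are placeholders where a real deployment would call the provider's DNS or BGP API.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Tunables (assumed values; derive yours from a baseline of your normal traffic).
DIVERT_RPS = 500        # requests/second that is abnormal for this site
DIVERT_SECONDS = 3      # condition must persist this long before we act (ignore short bursts)
REVERT_RPS = 100        # traffic must fall below this ...
REVERT_SECONDS = 30     # ... for this long before we send it back (hysteresis)
TOP_SOURCE_SHARE = 0.5  # a single source above this share is suspicious even at lower volume

# Combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line):
    """Return (second_bucket, client_ip) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(microsecond=0), m.group("ip")


def per_second_stats(lines):
    """Aggregate (second, total_requests, top_ip, top_ip_share), filling silent seconds with zeros."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sec, ip = parsed
            counts[sec][ip] += 1
    stats = []
    sec, end = min(counts), max(counts)
    while sec <= end:
        c = counts.get(sec)
        if c:
            total = sum(c.values())
            top_ip, top_n = c.most_common(1)[0]
            stats.append((sec, total, top_ip, top_n / total))
        else:
            stats.append((sec, 0, None, 0.0))   # a silent second counts as quiet
        sec += timedelta(seconds=1)
    return stats


def plan_diversions(stats):
    """State machine: ORIGIN -> DIVERTED after DIVERT_SECONDS hot seconds in a row,
    DIVERTED -> ORIGIN after REVERT_SECONDS quiet seconds in a row.
    Returns (time, action, reason) tuples; in production each action would call the
    scrubbing provider's API (hypothetical hook, not shown here)."""
    diverted = False
    hot = quiet = 0
    actions = []
    for sec, total, top_ip, share in stats:
        attack = total >= DIVERT_RPS or (share >= TOP_SOURCE_SHARE and total >= REVERT_RPS)
        if not diverted:
            hot = hot + 1 if attack else 0
            if hot >= DIVERT_SECONDS:
                actions.append((sec, "divert", f"rps={total} top={top_ip} share={share:.2f}"))
                diverted, hot, quiet = True, 0, 0
        else:
            quiet = quiet + 1 if not attack else 0
            if quiet >= REVERT_SECONDS:
                actions.append((sec, "revert", f"rps={total}"))
                diverted, quiet = False, 0
    return actions


def constructed_log():
    """Constructed sample: 10 s of normal traffic, a 5 s single-source flood, then 40 s of calm."""
    t0 = datetime(2016, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    lines = []

    def emit(sec, ip, n):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.extend([fmt.format(ip=ip, ts=ts)] * n)

    for s in range(0, 10):
        for i in range(5):
            emit(s, f"198.51.100.{i + 1}", 4)     # 20 rps spread over 5 clients
    for s in range(10, 15):
        emit(s, "203.0.113.7", 540)              # one source floods (90% of traffic)
        for i in range(5):
            emit(s, f"198.51.100.{i + 1}", 12)    # legitimate traffic is still present
    for s in range(15, 55):
        for i in range(5):
            emit(s, f"198.51.100.{i + 1}", 3)     # 15 rps, calm again
    return lines


if __name__ == "__main__":
    for when, action, reason in plan_diversions(per_second_stats(constructed_log())):
        print(f"{when.isoformat()} {action:6s} {reason}")
```

On the constructed log the monitor diverts three seconds into the flood and reverts only after thirty consecutive calm seconds, so a short lull inside the attack does not bounce traffic back to an unprotected origin. Tune the thresholds from a real baseline and keep both the divert and revert delays long enough to cover the time your DNS or BGP change takes to propagate.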
Service qualities to look for
Cullen offers eight qualities for ranking DDoS protection cloud services, based on how well each provider delivers critical service capabilities.
Quality No.1: Low latency. Test your applications on the service to see whether latency stays low while the service is inspecting your traffic. "Published scrubbing capacity numbers peg F5 at 2Tb/sec, Imperva at 1.5Tb/sec, and Arbor Networks at 1.1Tb/sec. These three are usually on my short list of vendors to talk to about speed," says Cullen. Note that scrubbing capacity measures how much attack traffic a provider can absorb, not the delay it adds to legitimate requests; measure that yourself, from the regions your users are in, before and after routing through the service.
Quality No.2: Security track record. Ask for letters of recommendation and lists of customers whom you can question. F5, Arbor Networks, and Imperva have been in this market a long time and have many letters of recommendation to demonstrate that they perform well in securing their customers, says Cullen.
Quality No.3: Remote ticketing service. Most services offer remote ticketing on your behalf. "We have had good results with vendors like F5 and Akamai for problem resolution and remote ticketing; they seem to own the problem till resolution," says Cullen.
Quality No.4: Strong UI/dashboards for self-management. Depending on your preference, almost any provider could come out on top here. "I like the Imperva and F5 dashboards. Arbor Networks gets an honorable mention; it was not as intuitive for us as the others," says Cullen.
Quality No.5: A forensics team. Such a team can help you understand the specific challenges and appropriate resolutions on a case-by-case basis. "F5 was a standout vendor for this option with a research team that watches the hacking community for attacks and trends," says Cullen.
Quality No.6: Logging. Complete data records of attacks culled from logs are critical to prosecuting the culprits behind breaches. This is another option that everyone has, and you may end up basing your selection on your own preference. Do ask how long attack logs are retained, whether you get the raw records or only summaries, and whether you can export them in a standard format, so the evidence remains usable if you later change providers.
Quality No.7. Licensing. Providers can offer licensing based on the protection options available, the amount of bandwidth you require or use, and whether you choose an onsite hardware/cloud subscription, says Cullen. Another form of licensing is access-based licensing, which applies to the means you use to access the cloud and can include all services. Akamai and F5 were the best for this last licensing option, according to Cullen.
Quality No.8. Minimal impact to the local environment. Some services route all traffic to the cloud first, some allow some traffic to go to the company site first, and some let all traffic go to the company site until the time of an attack. The last option has the least effect on the local environment, but it also means the attack reaches your site until the diversion takes effect, so weigh it against the detection and cutover time discussed under deployment options.