DEFEATING CYBER THREATS REQUIRES A WIDER NETINTRODUCTIONThe evidence on cyber threats is staggering:▪ Malware is reaching new all-time highs – McAfee, a provider of endpointsecurity software, reported there were nearly eight million new pieces of malware —just in the third quarter of 2012.1Additionally, malicious and high-risk mobile appsare also on the rise. Trend Micro, for example, has identified 145 thousand maliciousAndroid apps, as of September 2012.2Keeping malware at bay, already a “treadingwater” challenge, is intensifying.▪ BYOD is a growing threat vector – With the escalating pervasiveness ofsmartphones and tablets—Frost & Sullivan estimates smartphones shipped in 2012will reach 558 million, and tablets will reach 93 million—more fuel is added daily tothe Bring Your Own Device (BYOD) movement. From a security perspective, theimplications of BYOD are more untrusted devices connecting into corporatenetworks and connecting to enterprise public-facing Web sites; and, with that, moredevices are potential participants in malware propagation and botnet-based attacks.The enemy is everywhere.▪ Distributed Denial of Service (DDoS) attacks are approaching mainstreamIn a 2012 survey of network operators conducted by Arbor Networks, over three-quarters of the operators experienced DDoS attacks targeting their customers.3In a2012 Frost & Sullivan-conducted global survey of security professionals, cyberterrorism and attacks by hacktivists were identified as top security concerns by 19percent and 14 percent of the survey respondents, respectively. Malware infectionsand application vulnerabilities were cited as top concerns by the greatest number ofsurvey respondents—27 percent each. The list of significant security concerns isgrowing in length and diversity.▪ Exposure footprint is expanding – The cloud is becoming another computing“location” for a growing number of organizations. According to the same Frost &Sullivan 2012 global survey of security professionals, slightly more than one-third ofthe respondents cite cloud computing as a high priority for their organizations now,and that percentage increases to 54 percent in two years. In other words, more thanhalf of the surveyed organizations expect to be using or in the process of moving aportion of their operations to the cloud in two years.1McAfee Threats Report: Third Quarter 2012, available for download at: http://www.mcafee.com/us/mcafee-labs.aspx.2TrendLabs 3Q 2012 Security Roundup, available for download at: http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html#threat-reports.3Worldwide Infrastructure Security Report, available for download at:http://www.arbornetworks.com/research/infrastructure-security-report.
What is of equal concern is that organizations cannot change how they conduct theiroperations. Networks, whether they are private or public, are the circulatory systems ofbusiness. Malicious and unwanted traffic clog these electronic arteries and add risk tomaintaining stable operations, reaching profitability objectives, managing a business’sbrand reputation, complying with compliance regulations, and safeguarding sensitive data.TRADITIONAL CYBER DEFENSE APPROACHES ARE INSUFFICIENTTo lessen these risks, organizations rely on an assortment of gateways and filters tocleanse their network traffic. Although logical, this approach is dependent on the abilityto identify threatening traffic with effectiveness and time efficiency, and then updatesecurity policies and malware and intrusion signatures with equal accuracy and speed.Many factors, however, make this critical task difficult, such as: unending escalation intraffic volume and originations, evolving network and computing infrastructures andtraffic patterns, and hacker sophistication to evade detection.Despite all of these challenges, Stratecast’s perspective is that this identify-and-mitigateapproach is fundamentally sound but incomplete. Where the incompleteness lies is in therestricted net of information and resulting analysis. Too often, organizations relyextensively on the traffic that they can see on their individual networks, and the traffictheir individual carriers see. While essential, these views are not the entire universe, butmerely a sample and, as a sample, subject to interpretative error (i.e., insufficient datapoints to reach conclusions with a maximum level of confidence and in an optimizedwindow of time).What is needed is a net that is wider, with continuous data feeds from a community ofcarriers. Not only does this extended reach add to the breadth of data available foranalysis (e.g., catching clues on threatening traffic on one carrier’s network before thissame type or origin of trending traffic invades other carrier and enterprise networks),but also improves the integrity of mitigation policy changes and creation of new policiesas more confirming data points on threatening traffic are available.Arbor’s ATLAS®(Active Threat Level Analysis System) reflects this carrier and enterprisecommunity attribute. Furthermore, ATLAS is not a theoretical concept but a set ofestablished services that have been supporting carriers and large, Internet-basedenterprises on an opt-in basis for six years. ATLAS’s existence and expanding carrier andlarge enterprise participation is a testament to its value.In this paper, Stratecast will provide an overview of ATLAS, and detail why carriers andenterprises should participate in ATLAS; and, by association, why enterprises should takenote of the participating carriers in making their carrier selections.
ARBOR ATLAS FUNDAMENTALSATLAS is a global-operating threat analysis network. Launched in 2007, ATLAStransparently, and on an hourly basis, collects network traffic data from sensors hostedin carriers’ darknets, and data from carrier and enterprise-deployed Arbor security andtraffic-monitoring platforms. Between these two sources, Arbor is collecting data fromall assigned IP addresses—service-active IP addresses from Arbor platforms and service-inactive IP addresses from darknet-hosted ATLAS sensors.In terms of scale, there are more than 250 ATLAS-participating carriers and enterprisessupplying a peak stream of network traffic data of over 38 terabytes per second (Tbps).Stripped of carrier and customer sensitive information, this data is fed into the ArborSecurity Engineering Response Team (ASERT) database and combined with third-partythreat information sources for assessment.Operating 24x7, ASERT researchers transform this data stream into actionableintelligence on malware, phishing attempts, botnet (command & control and botnetzombies) and DDoS attacks. Notable of depth, this data is bi-directional, representingtraffic originating in carrier networks and their customers’ locations (where ATLASplatforms are deployed), as well as inter-carrier traffic. Alternatively stated, origins ofSource: Arbor Networks
threatening traffic (compromised hosts and locations) and targets are both included inthe ASERT database. Furthermore, ASERT researchers examine traffic data over time andin simulated and real polymorphic forms, in order to identify highly sophisticated,composite, and personalized threats.From a historical perspective, ATLAS, underpinned by ASERT (a 12-year oldorganization), is the culmination of pioneering, industry-collaboration initiativessponsored by Arbor. The first launch, in 2004, was the Arbor Worldwide InfrastructureSecurity Report. An original, this report was prepared by Arbor with direct participationby its carrier customers and for its carrier customers to improve their network securitystrategies and tactics. One year later, in 2005, Arbor launched its Fingerprint SharingAlliance (FSA). This alliance demonstrated the inter-carrier benefit of automated sharingof Internet attack information; in essence, uplifting the information sharing value of theArbor Worldwide Infrastructure Security Report from once-a-year to continuous. Foralliance participants, FSA again leveraged the power of community. For example, ratherthan establishing multiple pair-wise, carrier-to-carrier data sharing arrangements, or as asupplement to these, the clearinghouse function of FSA delivers Arbor-certified attackand anomaly traffic identifiers to each FSA subscriber, and does this without exposingprivate carrier or enterprise information. FSA also delved into the next layer of pressingneeds for carrier and enterprise security professionals—that is, transforming threatinformation into trusted and actionable threat intelligence. Or, stated alternatively,assisting Arbor customers in being wise in threat information assessments andconfidently deliberate in acting on this information.ASERT’s actionable threat intelligence exists in two Arbor automated services:▪ Active Threat Feed (ATF) – The ATF is an activity-based threat detectionservice for known and emerging threats. ASERT uses attack information fromATLAS to create detailed profiles or “fingerprints” of security threats, includingattacks, unauthorized activity or malicious traffic patterns. Unlike traditionaldefenses such as IPS/IDS or anti-virus, which use signatures to detect attacks, theATF fingerprints provide subscribers with a broad scope of security intelligenceand visibility into the events occurring on the network, including advancedthreats and botnet activity.▪ ATLAS Intelligence Feed (AIF) – With DDoS attacks going mainstream,carriers and enterprises are facing a legitimate business appropriation concern:whether additional hardware investments and security personnel will be requiredto address this looming threat. AIF delivers real-time DDoS and botnetsignatures to protect networks and Web infrastructure from DDoS attacktoolsets and their variants. In action, these feeds directly and automaticallypopulate DDoS and botnet identification and mitigation policies. With DDoSattacks having the capability of going from a trickle to a debilitating wave in acyber moment, automatic policy updates based on the wide experience apertureof ATLAS community members and vetted by ASERT researchers is essential.
For ATLAS subscribers seeking additional threat intelligence, Arbor hosts a Web-basedportal. Subscriber views can be dynamically customized at a highly granular level; e.g., fora specific Autonomous System Number (ASN), IP address, or country. For non-subscriber, portal visitors, the ATLAS portal lists the top 20 threat sources from thelatest 24-hour period.ATLAS BENEFITS FOR CARRIERS AND ENTERPRISESFor security professionals, useful threat intelligence is paramount. But, as previouslystated, value lies in the range, integrity and timeliness of this intelligence. This is the firstbenefit of ATLAS—a community-supported, vetted, real-time and actionable source ofthreat intelligence.In practice, this benefit has three correlated business and operational offshoots:▪ More threats are proactively mitigated, resulting in a lower overall risk posture.▪ Less remediation occurs. With fewer attacks being successful, remediation efforts(e.g., purging endpoint devices of malware infections, bolstering Webinfrastructure to defend against DDoS attacks, and conducting data breachnotifications) will be fewer in number and smaller in scale.▪ As ATLAS researchers monitor and assess traffic data from Arbor platforms anddarknet sensors, carrier and enterprise security analysts gain the benefits of thisthreat analysis without incurring the work effort. Their knowledge levels areenhanced.Obviously, these outcomes contribute to heightened operational efficacy for securityorganizations. However, efficacy improvements do not end there. Placing ATLAS’s threatintelligence in the broader context of existing security technologies that rely onsignatures, such as IPS/IDS and anti-malware, security teams may determine thatexamining and updating signature files does not always need to be conducted on an“urgent” basis. Armed with the contextual attack data from ATLAS, securityprofessionals have the information necessary to prioritize signature deployment in othernetwork security products such as IDS/IPS and anti-malware applications.Lessening “break away” crises leaves more uninterrupted time for security professionalsto concentrate on other important responsibilities and initiatives.ADDED ATLAS BENEFITS FOR CARRIERSWhereas the previously listed ATLAS benefits are focused on gains in operationalefficacy, improving risk posture, and de-stressing the work lives of security professionals,there is also a de-stressing benefit to carriers’ network infrastructures. This benefitcomes into play in the routing of darknet IP addresses. By routing darknet IP addresses
to the carrier-hosted ATLAS sensors, rather than the carrier’s production routers, thetraffic load associated with the darknet is removed from these production routers. Thisdarknet “off-loading” benefit is most evident during periods of high volume attacks aimedat darknet addresses. As the carrier’s production routers are not bombarded by thisinflux of undesirable, yet useful, traffic (i.e., useful in the sense that this traffic providesclues on emerging security threats), network administrators will not be pulled away fromtheir important responsibilities to concentrate on this traffic spike, and how to mitigatethe impact on their production networks.Another carrier benefit of ATLAS is in its market positioning. When given a choice,network administrators rank service reliability among the top attributes in networkservice selection. In a mid- 2012 survey of U.S. businesses, conducted by Frost & Sullivan,service reliability was second only to security as the most cited network servicesattribute. ATLAS directly contributes to both of these attributes by uplifting carriers’ability to fortify the security and reliability of their production networks. Built on the“worldwide traffic library and brain” of ASERT, ATLAS-participating carriers have atangible point of evidence to show their customers that they are not combating cyberthreats alone; they are taking advantage of an expansive community.ENTERPRISE SHOULD TAKE NOTEEnterprise security operators are responsible for protecting their networks fromconfidential data breaches, unauthorized access (even from trusted users), maintainingnetwork integrity, and ensuring solid brand reputation—as well as helping the networkteam keep stable service levels. Attackers are taking advantage of these professionals’multiple responsibilities and launching multi-stage, blended attacks that are uniquelydesigned for that organization’s infrastructure. While some enterprise securityprofessionals love getting into the weeds of attack information—understanding where itcame from, the triggers associated with attacks and so on—it is simply not practical formost.In addition to security, service reliability is vital to any business that runs criticaloperations on the Internet or private networks that are not fully isolated from theInternet. While the business implications of service disruptions and uneven serviceperformance will vary by circumstance, gauging those implications through experience isa risky proposition. Given the choice, is it not preferable to select network services fromATLAS-participating carriers?Data from ATLAS provides these busy security professionals with not only accurate andeffective security via the AIF and ATF feeds that run in Arbor’s products; it also providesvaluable context and information on attacks that can be used for proactive security. Thissecurity intelligence and forensic data can be used for updating security enforcementpolicies across the network, as well as for mitigation of threats that were previously notknown. By updating these policies and proactively blocking threats, the security team cankeep the network uncluttered from attack traffic—maintaining reliable service for criticalbusiness applications.
Michael SubyVP of ResearchStratecast | Frost & Sullivanmsuby@stratecast.comStratecastThe Last WordShortly after the dawn of the public Internet, carriers supporting the Internet’sbackbone, and commercial entities relying on the Internet to support their internaloperations and conduct public-facing businesses, have been in a constant and ever-evolving battle against a myriad of threat types and actors. There is absolutely noreason to expect this battle to end. Moreover, battlefield expansion is a certainty asthe volume and diversity of Internet-enabled devices grows and enterprises expandtheir virtual points of presence into a variety of interconnected cloud and hostingenvironments. In essence, the Internet’s relevancy and enterprise dependency arerising. With that, the attraction of it to cyber criminals, protestors and disruptors—from basement hobbyists to highly organized entities—will also increase.For carriers, hosting and cloud services providers, and enterprises, a fundamentalquestion is how to leverage and protect the openness of the Internet and thebusiness opportunities the Internet presents. Our position is that a structuredworldwide, community-supported approach to threat analysis and response isfundamentally essential. The diversity, morphing velocity and sophistication ofemerging threats calls for nothing less than a complete and real-time assessment ofall battleground fronts. ATLAS has the carrier and enterprise relationship scale,expertise of ASERT and experience to support such an effort.
877.GoFrost • firstname.lastname@example.org://www.frost.comABOUT FROST & SULLIVANFrost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The companysTEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth -focusedculture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50years of experience in partnering with Global 1000 companies, emerging businesses, and the investment communityfrom more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth PartnershipServices, visit http://www.frost.com.ABOUT STRATECASTStratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper -competitive Information and Communications Technology markets. Leveraging a mix of action -oriented subscriptionresearch and customized consulting engagements, Stratecast delivers knowledge and perspective that is onlyattainable through years of real-world experience in an industry where customers are collaborators; today’spartners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact yourStratecast Account Executive to engage our experience to assist you in attaining your growth objectives.Silicon Valley331 E. Evelyn Ave., Suite 100Mountain View, CA 94041Tel 650.475.4500Fax 650.475.1570London4, Grosvenor Gardens,London SWIW ODH,UKTel 44(0)20 7730 3438Fax 44(0)20 7730 3343San Antonio7550 West Interstate 10, Suite 400San Antonio, Texas 78229-5616Tel 210.348.1000Fax 210.348.1003AucklandBangkokBeijingBengaluruBogotáBuenos AiresCape TownChennaiColomboDelhi / NCRDhakaDubaiFrankfurtHong KongIstanbulJakartaKolkataKuala LumpurLondonMexico CityMilanMoscowMumbaiManhattanOxfordParisRockville CentreSan AntonioSão PauloSeoulShanghaiSilicon ValleySingaporeSophia AntipolisSydneyTaipeiTel AvivTokyoTorontoWarsawWashington, DC