When we think about cybersecurity, we most often think about compromised PII — Personally Identifiable Information. PII includes the social security numbers, account numbers, addresses and so on that allow bad actors to open unauthorized accounts in people’s names, to drain existing accounts, and to generally create adverse and hard-to-reverse impacts on the victims.
Generating fewer news headlines, but with an equally devastating economic impact, are the ongoing attacks on the infrastructure that underlies the overall functionality of the Internet. Everyone — and every IT organization — is at risk. Let’s look at a couple of recent attack methods and consider some good practices for preventing them.
Exhibit A: DDOS Attacks
You may remember the massive IT cyberattack against Dyn, one of the Internet’s premier DNS service providers. They were the victims of an overwhelming DDOS attack, resulting in some of the world’s best-known websites going offline. Twitter, Netflix, PayPal, Spotify and many others fell silent – first on the east coast of North America, and then throughout the entire North American continent and into Europe.
In all, the attack came in three waves, creating widespread disruption for more than 11 hours. The overall cost incurred by the affected parties ran into the hundreds of millions of dollars.
Now imagine that attack directed against your service delivery infrastructure. It’s completely plausible. Don’t be misled because you are forward-thinking enough to have robust security measures in place. This was a DDOS attack — Distributed Denial of Service — in which no infiltration of your computer and network assets is necessary. A DDOS simply requires a large number of other computers to be directed to deliver massive amounts of network traffic to your site. This drowns your servers, preventing any useful activity from occurring.
Now consider the other side of a DDOS, from your perspective. Your Internet-visible servers have been compromised and enlisted as traffic sources, but since they are not interfering with your own processes, that fact can easily go unnoticed. Even after the attack is underway, your users may only experience some sluggishness in the systems, because the systems are busy sending network traffic out. They may not even complain, just chalking it up to “the server is busy” — or the ubiquitous “it’s the network” — but the damage is done.
Exhibit B: Low and Slow Attacks
Much more insidious is the growing trend that has seen adversaries begin to move away from traditional cyber tactics to escape detection by network defenders. The Stuxnet attacks are a prime example of this.
The aim of some of these new types of attacks is not to steal information, but rather to create subtle inefficiencies that, when aggregated across a whole system, result in decreased system effectiveness. Such attacks are designed to evade detection for long durations, allowing them to cause as much harm as possible. As a result, they are sometimes referred to as “low and slow.”
It is unknown how effective operators are likely to be at detecting and correctly diagnosing the symptoms of low and slow IT cyberattacks. Recent research suggests that the symptoms of the attack may need to be extreme in order to gain operator recognition. This calls into question the utility of relying on operators for detection altogether.
Staying Ahead of IT Cyberattacks
All of this is troubling. While system performance issues are rampant in every industry, the impact of IT cyberattacks on business performance is measurable and potentially catastrophic. The problem is compounded by the difficulty of detection. The services that you deliver to your customers are inherently time-sensitive. Even when the degradation is immediately apparent, its sources may be difficult to track down.
Immediate losses are only part of the picture. There are also long-term implications due to service outages and overall performance degradation. Customer loyalty can be fickle — a single serious outage may be forgiven, but a repeat will have them looking for alternative solutions. And while the cloud is immensely popular, many IT organizations live with a bit of anxiety about having everything they depend on be out of their direct control.
How to tackle the problem?
Transforming your cyber efforts requires a comprehensive and well-thought-out strategy that not only focuses on security, but also leverages network operations information.
Organizations typically have a security operations function focused on protecting intellectual property and infrastructure assets from being compromised. The IT operations team, on the other hand, is focused on ensuring the performance and availability of the infrastructure and business services. Due to the fundamentally different nature of their activities, each team uses a different set of tools and mostly works independently of the other.
Leveraging IT Ops Tools
However, there are immense gains to be achieved if information from the IT Ops side can be leveraged to supplement the efforts of the security operations teams.
As it is, IT Ops teams pay very close attention to the infrastructure and are hypersensitive to changes in performance and throughput. The IT Operations Management (ITOM) platforms they use are optimized for service assurance. They perform full-stack monitoring as a basic activity.
Smart analytics, a critical component of full-stack monitoring, looks at data over time and creates dynamic baselines. From these baselines, thresholds can be derived not only from deviations from normal, but from the rate of change of those deviations, so that an issue is escalated on subtle abnormalities such as those that emerge at the onset of a DDOS attack.
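As an added illustration (not code from the original post or from any ITOM product), the following Python sketch scores a constructed per-minute traffic series against an exponentially weighted baseline and escalates when an already-abnormal deviation keeps growing; the smoothing factor, thresholds and spread floor are assumed tuning values.

```python
import math

# Constructed per-minute traffic counts (hypothetical, not real telemetry):
# ten minutes of steady load, then a ramp that a fixed threshold tuned for
# the daily peak would not catch for a while.
SAMPLE_SERIES = [1000, 1020, 990, 1010, 1005, 995, 1015, 1000, 1010, 990,
                 1030, 1045, 1070, 1110, 1170, 1260, 1380, 1540, 1740, 2000]


def dynamic_baseline_alerts(series, alpha=0.2, warmup=10,
                            z_warn=2.0, z_crit=5.0, dz_escalate=1.0):
    """Score each point against an exponentially weighted baseline.

    z  = deviation from the learned mean, in standard deviations
    dz = growth of that deviation since the previous point
    A point is 'critical' when z alone is extreme, or when an already
    abnormal deviation is still growing fast (rate-of-change escalation).
    """
    mean, var = float(series[0]), 0.0
    prev_z, alerts = 0.0, []
    for i, x in enumerate(series[1:], start=1):
        # Floor the spread at 0.5% of the mean so a flat baseline does not
        # turn every tiny wobble into a huge z-score (assumed tuning value).
        std = max(math.sqrt(var), 0.005 * mean)
        z = (x - mean) / std
        dz = z - prev_z
        if i >= warmup:  # no alerts while the baseline is still forming
            if z >= z_crit:
                alerts.append({"index": i, "level": "critical", "reason": "threshold", "z": round(z, 2)})
            elif z >= z_warn and prev_z >= z_warn and dz >= dz_escalate:
                alerts.append({"index": i, "level": "critical", "reason": "rate-of-change", "z": round(z, 2)})
            elif z >= z_warn:
                alerts.append({"index": i, "level": "warning", "reason": "deviation", "z": round(z, 2)})
        # Once warmed up, learn only from normal-looking points so an attack
        # in progress is not absorbed into the baseline. Trade-off: a genuine
        # step change in load then needs an operator to reset the baseline.
        if i < warmup or z < z_warn:
            diff = x - mean
            mean += alpha * diff
            var = (1 - alpha) * (var + alpha * diff * diff)
        prev_z = z
    return alerts


if __name__ == "__main__":
    for alert in dynamic_baseline_alerts(SAMPLE_SERIES):
        print(alert)
```

On the constructed series the first ramp minute raises a warning, the second is escalated to critical because the deviation is still growing, and the remaining minutes exceed the absolute threshold outright.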
Further, the root-cause analysis component of the ITOM platform can zero in on the components of the infrastructure that may be compromised by an ongoing attack.
If this information is piped through to the security ops teams, it can immensely help their efforts to understand the nature of ongoing threats, and enlighten their defensive efforts.
The emerging threats of today’s environment require a rethinking of the traditional paradigm to defend against cyber attacks. Bridging the gap between security and IT operations by leveraging smart analytics and causal information generated by ITOM platforms has the potential to complement and transform your cyber security efforts.
This is part two of a two-part post on cybersecurity.