Security as a Service

Joe Eskew, Vice President, NSFOCUS

Data is constantly under attack. Some malicious actors seek to profit from stolen credit card and other sensitive data, while others seek to discredit competitors via a security breach and make themselves look better in the process. Still others have an ideological agenda and want to shut down the networks of those they oppose.

These attacks come in all shapes and sizes, and they can cost an organization its reputation, money and even its existence. The British Chamber of Commerce, for instance, reports that 93 percent of businesses that suffer data loss for more than 10 days file for bankruptcy within a year. In fact, 50 percent of these businesses fold immediately.

Assaults on data are a serious threat to business. So are assaults on data centers. OVH, a large hosting provider in Europe, and CloudFlare, a content delivery network (CDN) and anti-DDoS services provider, both reported Network Time Protocol (NTP) amplification attacks exceeding 350 Gbps. Since the beginning of this year, hosting providers have begun to see an increase in NTP amplification and reflection DDoS attacks. 2014 may well go down in history as the “Year of the DDoS Attack.”

As the DDoS threat landscape evolves, new attack types are discovered. As an example, a leading Australian data center detected a new, large-scale NTP amplification attack called a Combination Distributed Reflective Denial of Service (CDRDoS). Before the attack took place, the data center had seen the writing on the cybersecurity wall and updated its services to provide a variety of data scrubbing options for its clients in order to detect and mitigate DDoS threats. The implementation of the DDoS mitigation system couldn’t have come at a better time.

For the data center, the goal of DDoS mitigation is to protect customer data while keeping the attack from interfering with its own business operations. That is exactly what the mitigation system did. The data center and all of its customers were able to stay online and conduct business as usual.

Expanding Your Security Horizons

As DDoS attacks increase in type, quantity and volume, many hosting providers are recognizing the wisdom of offering additional security options. This would, in essence, turn them into Security as a Service providers. The good news is that if implemented and managed properly, adding security as a service has the potential to generate new revenue streams for many hosting centers.

With the solutions available today, and in light of current threats, it makes sense for hosting or service provider companies, whether it be website hosting, cloud computing, network, etc., to provide anti-DDoS as a marketable service. Typically, when an attack occurs, the customer’s site is shut down – either by the hosting provider in an effort to protect its other customers, or by the attack itself. To prevent this kind of downtime, your customers will gladly pay extra for an anti-DDoS service.

Hosting providers need to consider what their options are for delivering such a service.

Here are three best practices to help you get started:

  1. One best practice is to place detection equipment at the edge routers and to deploy purpose-built scrubbing appliances to which attack traffic can then be easily routed. This is a cleaning center. Geographic diversification, size and available routing/bandwidth will determine whether you need more than one center. This solution is a good catch-all that works well against common DDoS attack types. The cost for this service will depend on your market.
  2. To provide more granular inspection of a specific customer’s traffic on-premises, offer end-customers anti-DDoS appliances or a web application firewall (WAF) appliance that can auto-communicate with your cleaning centers. Each appliance is specially tuned, based on a wide variety of factors, and can act as a “speed bump” for even large-scale attacks. The smaller on-premises appliance (in the 1-2 Gbps range) detects even the harder-to-uncover layer-7 attacks: because the appliance knows this smaller environment, it can detect anomalies faster than a broad-based detection engine. If the attack is larger than the cleaning capacity of the smaller device, it can automatically signal the provider’s cleaning center to take the traffic and scrub it. This ensures that attack traffic gets mitigated quickly and business continuity is maintained.
  3. A third best practice is to work with a security provider that offers a subscription service to assist you with customer onboarding, fine-tuning and threat mitigation, in addition to deploying the layered approach described above. With this approach, a security team provides proactive detection and prevention before the DDoS attack, response and mitigation during the DDoS attack and analysis and reporting after the DDoS attack. This will ease your administrative load while allowing you to offer aggressive SLAs for the service. Perhaps the most attractive aspect of this option is that you can pass the cost of this subscription on to the customer.
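
The hand-off in the second practice can be sketched as a small state machine. This is an added example, not code from the article or from any vendor: it reduces detection to a per-customer rate baseline, and the thresholds, the hold-down timer, the state names and the sample rates are all assumptions.

```python
from dataclasses import dataclass

LOCAL_CAPACITY_GBPS = 2.0  # assumed: top of the 1-2 Gbps appliance range in the text
ANOMALY_FACTOR = 3.0       # assumed: above 3x the learned baseline counts as attack
ALPHA = 0.2                # assumed EWMA weight for learning the customer's baseline
HOLD_DOWN = 3              # assumed: clean samples required before diversion ends

@dataclass
class Appliance:
    baseline: float        # learned normal rate for this one customer, in Gbps
    state: str = "NORMAL"  # NORMAL | LOCAL_SCRUB | DIVERTED
    calm: int = 0          # consecutive clean samples seen while diverted

    def observe(self, gbps: float) -> str:
        attack = gbps > ANOMALY_FACTOR * self.baseline
        if gbps > LOCAL_CAPACITY_GBPS:
            # Beyond what the appliance can clean: signal the cleaning center.
            self.state, self.calm = "DIVERTED", 0
        elif attack:
            # Within local capacity. Stay diverted if already diverted (no flapping).
            if self.state != "DIVERTED":
                self.state = "LOCAL_SCRUB"
            self.calm = 0
        else:
            # Learn only from clean samples so a flood cannot poison the baseline.
            self.baseline = (1 - ALPHA) * self.baseline + ALPHA * gbps
            if self.state == "DIVERTED":
                self.calm += 1
                if self.calm >= HOLD_DOWN:
                    self.state, self.calm = "NORMAL", 0
            else:
                self.state = "NORMAL"
        return self.state

def replay(samples, baseline):
    """Feed rate samples to a fresh appliance; return its states and the appliance."""
    appliance = Appliance(baseline=baseline)
    return [appliance.observe(s) for s in samples], appliance

# Constructed per-interval inbound rates (Gbps) for one customer, not real data.
SAMPLES_GBPS = [0.28, 0.31, 1.2, 1.6, 4.5, 9.0, 1.5, 0.3, 0.29, 0.3, 0.31]

if __name__ == "__main__":
    states, _ = replay(SAMPLES_GBPS, baseline=0.30)
    for rate, state in zip(SAMPLES_GBPS, states):
        print(f"{rate:5.2f} Gbps -> {state}")
```

The hold-down keeps traffic at the cleaning center until several clean intervals have passed, so an attack that pulses above and below the appliance's capacity does not cause repeated re-routing.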

Dangerous times require advanced security measures. Hosting providers are well positioned to offer greater security to their customers, who will thank them for the extra protection and the reduction in downtime. Providing Security as a Service creates a more comprehensive offering that attracts clients and builds your reputation. Furthermore, you will not only safeguard all customers and yourself from the impact of DDoS attacks, but you will increase your revenue by doing so. That’s a silver lining to a black cloud if ever there was one.

About the Author:

Joe Eskew, vice president of NSFOCUS, previously served as the VP of worldwide sales – virtualization at Oracle. He played key roles at technology leaders IBM, Xerox PARC, Andersen Consulting, Citrix and Network Associates (McAfee/Intel). He graduated from the University of Southern California.