Arbor Networks Company Overview Tomas Sundstrom Millmark Arbor Networks

Agenda
• Company Overview
• The Problem
• The Business Risks
• The Arbor Solution
Smart. Secure. Available.
Agenda: Company Overview
• About Arbor Networks
• Global Customer Base
• A Proud History Protecting Networks & Businesses
Who is Arbor Networks?
A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks
• 100%: Percentage of world’s Tier 1 service providers who are Arbor customers
• 105: Number of countries with Arbor products deployed
• 22.7 Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative right now – 25% of global Internet traffic!
• #1: Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments – 61% of total market [Infonetics Research Dec 2011]
• 11: Number of years Arbor has been delivering innovative security and network visibility technologies & products
• $16B: 2011 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
Agenda: The Problem
• DDoS is the #1 Security Threat
• What is a DDoS Attack
• Why DDoS is a Complex Threat
• Why Other Solutions Simply Fail to Stop DDoS Attacks
DDoS Attack? It Will Not Happen to Me…
The Ostrich Mentality
“When an ostrich is afraid, it buries its head in the ground, assuming if it can’t see danger, danger cannot see it.”
The attitude to DDoS has been similar in the past, but it has now become the #1 threat to availability & security because of:
#1. Broader Awareness (High-Profile DDoS Attacks: Anonymous & LulzSec)
#2. Greater Risk (Massive Internet Economy): $2T (3.4% of G12 GDP)*
#3. More Attacks (Increased Motivations)
*McKinsey & Co: Internet Matters Report May 2011
*2011 Worldwide Infrastructure Security Report from Arbor Networks
DDoS Attack? It Will Happen to You…
What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.
The Broad Impact of DDoS Attacks
Modern DDoS Attacks Are Complex & Diverse
[Diagram labels: Attack Traffic; Good Traffic; IPS; Load Balancer; DATA CENTER]
Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) service outages – many times a single attack can result in all three – and all with the same end result: critical services are no longer available!
Today’s Defenses Are Not Designed for DDoS
Existing perimeter security devices focus on integrity and confidentiality but not on availability
• Firewalls, including WAFs, help enforce confidentiality, meaning that information and functions can be accessed only by properly authorized parties
• Intrusion Prevention Systems (IPS) help enforce integrity, meaning that information can be added, altered, or removed only by authorized persons
All firewalls and IPS are stateful devices which are targeted by state-based DoS attacks from botnets!
[Diagram labels: Information Security Triangle; IPS; Load Balancer; DATA CENTER]
The Concept of State
The main reason this term is so elusive is that it can mean different things in
different situations. Basically, state is the condition of being of a given
communication session. The definition of this condition of being for a given host or
session can differ greatly, depending on the application with which the parties are
communicating and the protocols the parties are using for the exchange.
Devices that track state most often store the information as a table. This state table
holds entries that represent all the communication sessions of which the device is
aware. Every entry holds a laundry list of information that uniquely identifies the
communication session it represents. Such information might include source and
destination IP address information, flags, sequence and acknowledgment numbers,
and more. A state table entry is created when a connection is started out through the
stateful device. Then, when traffic returns, the device compares the packet’s
information to the state table information to determine whether it is part of a
currently logged communication session. If the packet is related to a current table
entry, it is allowed to pass. This is why the information held in the state table must be
as specific and detailed as possible to guarantee that attackers will not be able to
construct traffic that will be able to pass the state table test.
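The state table described above, as an added example that is not part of the original slides: a toy Python model showing return traffic matched against a stored entry, and why a finite table turns a stateful device into an availability limit once idle entries fill it. The class name, capacity, idle timeout and addresses are constructed assumptions, not values from any product.

```python
from dataclasses import dataclass, field

@dataclass
class StateTable:
    """Toy connection table of a stateful device (constructed model)."""
    capacity: int        # assumed maximum number of tracked sessions
    idle_timeout: float  # assumed seconds before an idle entry is removed
    entries: dict = field(default_factory=dict)  # session key -> last-seen time

    def _expire(self, now):
        stale = [k for k, seen in self.entries.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.entries[key]

    def new_session(self, now, src, sport, dst, dport):
        """A connection starts through the device: try to create an entry."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key not in self.entries and len(self.entries) >= self.capacity:
            return "refused: state table full"
        self.entries[key] = now
        return "allowed: entry created"

    def returning(self, now, src, sport, dst, dport):
        """Return traffic passes only if it mirrors a tracked session."""
        self._expire(now)
        key = (dst, dport, src, sport)  # reverse of the stored direction
        if key in self.entries:
            self.entries[key] = now
            return "allowed: matches entry"
        return "dropped: no matching state"

def demo():
    table = StateTable(capacity=3, idle_timeout=30.0)
    results = []
    # Constructed sample traffic using documentation address ranges.
    results.append(table.new_session(0, "192.0.2.10", 40000, "198.51.100.5", 443))
    results.append(table.returning(1, "198.51.100.5", 443, "192.0.2.10", 40000))
    # Same hosts, different port: not specific enough to match the entry.
    results.append(table.returning(1, "198.51.100.5", 443, "192.0.2.10", 40001))
    # Two sessions that never send another packet occupy the remaining slots.
    table.new_session(2, "203.0.113.1", 1111, "198.51.100.5", 443)
    table.new_session(2, "203.0.113.2", 2222, "198.51.100.5", 443)
    results.append(table.new_session(3, "192.0.2.20", 50000, "198.51.100.5", 443))
    # Once the idle timeout passes, stale entries expire and capacity returns.
    results.append(table.new_session(40, "192.0.2.20", 50000, "198.51.100.5", 443))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Table occupancy and the rate of "table full" refusals are the values to monitor on a real stateful device; the idle timeout determines how quickly capacity recovers.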
Agenda: The Business Risks
• The Impact of DDoS to a Business
• Why All Firms Must do a DDoS Risk Analysis & Mitigation Plan
• Select the Right Tools & processes for the Organization
Impact of DDoS Attacks on the Business
Bar Chart 9: Significance of revenue loss resulting from website downtime for one hour
• Very Significant: 43%
• Significant: 31%
• Somewhat Significant: 21%
• Not Significant: 5%
• None: 0%
Source: Ponemon Institute – 2010 State of Web Application Security
Botnets & DDoS attacks cost an average enterprise $6.3M* for a 24-hour outage!
* Source: McAfee – Into the Crossfire – January 2010
The impact of loss of service availability goes beyond financials:
• Operations: How many IT personnel will be tied up addressing the attack?
• Help Desk: How many more help desk calls will be received, and at what cost per call?
• Recovery: How much manual work will need to be done to re-enter transactions?
• Lost Worker Output: How much employee output will be lost?
• Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
• Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
• Brand & Reputation Damage: What is the cost to the company brand and reputation?
DDoS is Availability Risk Planning
DDoS is the #1 threat to the availability of services – but it is not part of the risk analysis
Availability Scorecard
• Site Selection
• Physical Security
• Fire Protection & Detection
• Electrical & Power
• Environment & Weather
• DDoS Attacks?
When measuring the risk to the availability or resiliency of services, where does the risk of DDoS attacks fall on the list?
How big do you think a DDoS is?
Ground Truth!
Bots and DDoS
“It is hard”
This Talk
• “Ground-truth” about security is hard…
– True in enterprise
– But especially so in carrier / national infrastructure
• Most infrastructure attacks go unreported
– Less than 5 percent of surveyed ISPs reported one
• Significant anecdotal reports / surveys
– including Arbor, Cisco, etc.
• But no validation
– e.g. do providers really know the size of botnets?
Network Infrastructure Security Report: http://www.arbornetworks.com/report
All Firms Must Have DDoS Risk Mitigation Plan
All enterprises must take control of their DDoS risk mitigation strategy – don’t be an ostrich!
A simple cost-benefit analysis reveals the benefits of a proactive strategy – can any enterprise simply afford to not control their response to a DDoS attack?
[Diagram labels: Costs; Benefits]
The Right DDoS Tools for the Organization
• Modern DDoS attacks are complex, and only a complete DDoS solution can stop them by protecting all services
– Critical services – HTTP, SSL, DNS, Mail, VoIP
– Key protocols – TCP/IP, UDP, ICMP
– Bandwidth – from upstream providers
• Any solution that does not address the complex nature of DDoS or protects only HTTP/S will fail in the real world.
• Choose the right tools for the enterprise based on threats:
1. Volumetric & Flood DDoS
• DDoS protection services from ISPs
• Ability to communicate seamlessly with ISPs
2. State-Exhausting DDoS
• DDoS protection at the perimeter
• Full control of the DDoS response
3. Application-Layer DDoS
• DDoS protection in the network
• Quickly stop service-degrading attacks
Agenda: The Arbor Solution
• Overview of Products & Services
• Peakflow SP & TMS
• Pravail APS & NSI
• ATLAS, ASERT, & Arbor’s Key Technologies
Arbor Products & Services
[Diagram labels: Products; Services; Enterprises; Service Providers; NSI; APS; SP; TMS; Visibility; Protection; Security; Response; Support; Research]
Right Tools and Processes for the Job!
Pravail Products
Visibility: Pravail NSI
Models: X-CONT-1, X-COL-8K32/16K, X-COL-AIC, X-VIRTUAL
The Pravail Network Security Intelligence (NSI) solution (formerly known as Peakflow X) collects and analyzes Flow and raw packet data; performs behavioral anomaly detection; and provides application-level and pervasive security intelligence across the enterprise network.
Protection: Pravail APS
Models: APS-2104, APS-2105, APS-2107, APS-2108
The Pravail Availability Protection System (APS) provides out-of-box protection for attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; supports a dynamic threat from ATLAS to stop botnets; supports inline deployment models; and ability to send cloud signals upstream.
The ATLAS Initiative
The ATLAS initiative is the world’s most comprehensive Internet monitoring & security intelligence system
Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal
ATLAS intelligence is seamlessly integrated into Arbor’s products and services, including real-time services, global threat intelligence, and insight into key Internet trends.
ASERT, Arbor’s Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address the significant Internet research questions.
ATLAS – Research & Collaboration
Annual Worldwide
Infrastructure Security Report
Finger Print Sharing Alliance
Six Phases of Infrastructure “Availability”
PREPARATION
• Prep the network
• Create tools
• Test tools
• Prep procedures
• Train team
• Practice
IDENTIFICATION
• How do you know about the attack?
• What tools can you use?
• What’s your process for communication?
CLASSIFICATION
• What kind of attack is it?
TRACEBACK
• Where is the attack coming from?
• Where and how is it affecting the network?
REACTION
• What options do you have to remedy?
• Which option is the best under the circumstances?
POST MORTEM
• What was done?
• Can anything be done to prevent it?
• How can it be less painful in the future?
The Cloud Signaling Coalition
Unite the enterprise & service providers via Arbor’s Cloud Signaling Coalition
1. Service Operating Normally
2. Attack Begins & Blocked by Pravail
3. Attack Grows Exceeding Bandwidth
4. Cloud Signal Launched
5. Customer Fully Protected!
[Diagram labels: Subscriber Network; Internet Service Provider; Arbor Peakflow SP / TMS-based DDoS Service; Firewall / IPS / WAF; Arbor Pravail APS; Data Center Network; Public Facing Servers; Cloud Signaling Status]
Arbor’s Threat Ecosystem
The Arbor ecosystem between service providers & enterprise DCs offers unique insight into emerging and active threats
[Diagram labels: Service Providers; Enterprise Data Centers]
Enterprise data center services are now fully available!
Thank You