Arbor Networks Company Overview Tomas Sundstrom Millmark Arbor Networks

Download Report

Transcript Arbor Networks Company Overview Tomas Sundstrom Millmark Arbor Networks

Arbor Networks Company Overview
Tomas Sundstrom Millmark
Arbor Networks
Agenda
The Problem
Company Overview
Smart.
Secure.
Available.
The Arbor Solution
2
The Business Risks
Agenda
The Problem
Company Overview
• About Arbor Networks
• Global Customer Base
• A Proud History Protecting
Networks & Businesses
Smart.
Secure.
Available.
The Arbor Solution
3
The Business Risks
Who is Arbor Networks?
A Trusted & Proven Vendor Securing the World’s Largest
and Most Demanding Networks
Percentage of world’s Tier 1 service providers who are Arbor customers
100%
105
22.7 Tbps
4
Number of countries with Arbor products deployed
Amount of global traffic monitored by the ATLAS security intelligence
initiative right now – 25% of global Internet traffic!
#1
Arbor market position in Carrier, Enterprise and Mobile DDoS equipment
market segments – 61% of total market [Infonetics Research Dec 2011]
11
Number of years Arbor has been delivering innovative security and
network visibility technologies & products
$16B
2011 GAAP revenues [USD] of Danaher – Arbor’s parent company
providing deep financial backing
Agenda
The Problem
Company Overview
• DDoS is the #1 Security Threat
• What is a DDoS Attack
• Why DDoS is a Complex Threat
• Why Other Solutions Simply Fail to
Stop DDoS Attacks
Smart.
Secure.
Available.
The Arbor Solution
5
The Business Risks
DDoS Attack? It Will Not Happen to Me…
“When an ostrich is afraid, it buries its head in the ground,
assuming if it can’t see danger, danger cannot see it.”
The Ostrich Mentality
The attitude to DDoS has been similar in the past, but it has now
become the #1 threat to availability & security because of:
$2T
(3.4% of G12 GDP)*
#1. Broader Awareness
#2. Greater Risk
#3. More Attacks
(High-Profile DDoS Attacks:
Anonymous & LulzSec)
(Massive Internet Economy)
(Increased Motivations)
*McKinsey & Co: Internet Matters Report May 2011)
*2011 Worldwide Infrastructure Security
Report from Arbor Networks
DDoS Attack? It Will Happen to You…
7
What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack,
compromised hosts or bots coming from distributed sources
overwhelm the target with illegitimate traffic so that the servers
8
can not respond to legitimate clients.
The Broad Impact of DDoS Attacks
Modern DDoS Attacks Are Complex & Diverse
IPS
Load Balancer
DATA
CENTER
Attack Traffic
Good Traffic
Today’s DDoS attacks can cause (1) saturation upstream, (2)
state exhaustion, or (3) service outages – many times a single
attack can result in all three – and all with the same end result:
9
critical services are no longer available!
Today’s Defenses Are Not Designed for DDoS
Existing perimeter security devices focus on integrity
and confidentiality but not on availability
Firewalls including WAFs help enforce confidentiality or that information
and functions can be accessed only by properly authorized parties
Intrusion Prevention Systems (IPS) help enforce integrity or that
information can be added, altered, or removed only by authorized persons
Information
Security Triangle
IPS
All firewalls and IPS
are stateful devices
which are targeted
by state-based DoS
attacks from
botnets!
10
DATA CENTER
IPS
Load
Balancer
The Concept of State
The main reason this term is so elusive is that it can mean different things in
different situations. Basically, state is the condition of being of a given
communication session. The definition of this condition of being for a given host or
session can differ greatly, depending on the application with which the parties are
communicating and the protocols the parties are using for the exchange.
Devices that track state most often store the information as a table. This state table
holds entries that represent all the communication sessions of which the device is
aware. Every entry holds a laundry list of information that uniquely identifies the
communication session it represents. Such information might include source and
destination IP address information, flags, sequence and acknowledgment numbers,
and more. A state table entry is created when a connection is started out through the
stateful device. Then, when traffic returns, the device compares the packet’s
information to the state table information to determine whether it is part of a
currently logged communication session. If the packet is related to a current table
entry, it is allowed to pass.This is why the information held in the state table must be
as specific and detailed as possible to guarantee that attackers will not be able to
construct traffic that will be able to pass the state table test.
Page 11 - Company Confidential
Agenda
The Problem
Company Overview
Smart.
Secure.
Available.
The Arbor Solution
The Business Risks
• The Impact of DDoS to a Business
• Why All Firms Must do a DDoS Risk
Analysis & Mitigation Plan
• Select the Right Tools & processes
for the Organization
12
Impact of DDoS Attacks on the Business
Bar Chart 9: Significance of revenue loss resulting from
website downtime for one hour
50%
40%
43%
31%
30%
21%
20%
5%
10%
0%
0%
Very Significant
Significant
Somewhat
Significant
Not Significant
None
Botnets & DDoS
attacks cost an
average enterprise
$6.3M* for a 24hour outage!
* Source: McAfee – Into the Crossfire – January 2010
Source: Ponemon Institute – 2010 State of Web Application Security
The impact of loss of service availability goes beyond financials:
Operations
How many IT
personnel will
be tied up
addressing
the attack?
Help Desk
How many
more help
desk calls will
be received,
and at what
cost per call?
Recovery
How much
manual work
will need to
be done to
re-enter
transactions?
Lost
Worker
Output
How much
employee
output will be
lost?
Penalties
Lost
Business
Brand &
Reputation
Damage
How much
will have to
be paid in
service level
agreement
(SLA) credits
or other
penalties?
How much
will the ability
to attract new
customers be
affected?
What is the
full value of
that lost
customers?
What is the
cost to the
company
brand and
reputation?
DDoS is Availability Risk Planning
DDoS is the #1 threat to the availability of
services – but it is not part of the risk analysis
Availability Scorecard
Site Selection
Physical Security
Fire Protection & Detection
Electrical & Power
Environment & Weather
DDoS Attacks?
14
When measuring the risk
to the availability or
resiliency of services,
where does the risk of
DDoS attacks fall on the
list?
How big do you think a DDoS is?
Ground Truth!
Bots and DDoS
“It is hard”
This Talk
• “Ground-truth” about security is hard…
– True in enterprise
– But especially so in carrier / national
infrastructure
• Most infrastructure attacks go unreported
– Less than 5 percent surveyed ISPs reported one
Network Infrastructure Security Report
http://www.arbornetworks.com/report
• Significant anecdotal reports / surveys
– including Arbor, Cisco, etc.
• But no validation
– e.g. do providers really know the size of botnets?
All Firms Must Have DDoS Risk Mitigation Plan
All enterprises must take control of their DDoS
risk mitigation strategy – don’t be an ostrich!
A simple cost-benefit
analysis reveals the
benefits of a proactive
strategy – can any
enterprise simply afford to
not control their response
to a DDoS attack?
19
Costs
Benefits
The Right DDoS Tools for the Organization
• Modern DDoS attacks are complex, and only a complete
DDoS solution can stop them by protecting all services
–
–
–
Critical services – HTTP, SSL, DNS, Mail, VoIP
Key protocols – TCP/IP, UDP, ICMP
Bandwidth – from upstream providers
• Any solution that does not address the complex nature of
DDoS or protects only HTTP/S will fail in the real world.
• Choose the right tools for the enterprise based on threats:
1. Volumetric & Flood
DDoS
• DDoS protection
services from ISPs
• Ability to communicate
seamlessly with ISPs
2. State-Exhausting
DDoS
• DDoS protection at
the perimeter
• Full control of the
DDoS response
3. Application-Layer
DDoS
• DDoS protection in
the network
• Quickly stop servicedegrading attacks
Agenda
The Problem
Company Overview
Smart.
Secure.
Available.
The Arbor Solution
• Overview of Products & Services
• Peakflow SP & TMS
• Pravail APS & NSI
• ATLAS, ASERT, & Arbor’s Key
Technologies
21
The Business Risks
Arbor Products & Services
Enterprises
NSI
Visibility
Protection
APS
Security
Response
TMS
SP
Support
Research
Service Providers
Products
22
Services
Right Tools and Processes for the Job!
Pravail Products
Visibility
Pravail NSI
Protection
Pravail APS
Models: X-CONT-1, X-COL-8K32/16K,
X-COL-AIC, X-VIRTUAL
Models: APS-2104, APS-2105, APS2107, APS-2108
The Pravail Network Security
Intelligence (NSI) solution (formally
known as Peakflow X) collects and
analyzes Flow and raw packet data;
performs behavioral anomaly
detection; and provides applicationlevel and pervasive security
intelligence across the enterprise
network.
The Pravail Availability Protection
System (APS) provides out-of-box
protection for attacks while being
immune to state-exhausting attacks;
blocks complex application-layer
DDoS; supports a dynamic threat from
ATLAS to stop botnets; supports inline
deployment models; and ability to
send cloud signals upstream.
26
The ATLAS Initiative
The ATLAS initiative is the world’s most
comprehensive Internet monitoring &
security intelligence system
Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint
Sharing, Global Threat Analysis Portal
ATLAS intelligence is seamlessly
integrated into Arbor’s products and
service including real-time services, global
threat intelligence, and insight into key
Internet trends.
ASERT, Arbor’s Security Engineering and
Research Team, also leverages ATLAS to
provide expert commentary on security
trends and to address the significant
Internet research questions.
27
Active Threat
Feed (ATF)
ATLAS – Research & Collaboration
Annual Worldwide
Infrastructure Security Report
Finger Print Sharing Alliance
Six Phases of Infrastructure “Availibillity”
PREPARATION
POST MORTEM
What was done?
Can anything be done to prevent
it?
How can it be less painful in the
future?
Prep the network
Create tools
Test tools
Prep procedures
Train team
Practice
Infrastructure Security Report
IDENTIFICATION
How do you know about the
attack?
What tools can you use?
What’s your process for
communication?
REACTION
What options do you have to
remedy?
Which option is the best under
the circumstances?
CLASSIFICATION
TRACEBACK
Where is the attack coming from?
Where and how is it affecting the
network?
What kind of attack is it?
The Cloud Signaling Coalition
Unite the enterprise
& service providers
via Arbor’s Cloud
Signaling Coalition
Subscriber Network
Subscriber Network
Internet Service Provider
Arbor Peakflow
SP / TMS-based
DDoS Service
30
Firewall / IPS / WAF
2. Attack Begins &
Blocked by Pravail
3. Attack Grows
Exceeding Bandwidth
4. Cloud Signal
Launched
5. Customer Fully
Protected!
Cloud Signaling Status
Public Facing Servers
Data Center Network
Arbor Pravail
APS
1. Service Operating
Normally
Arbor’s Threat Ecosystem
The Arbor ecosystem between service providers & enterprises
DCs offers unique insight into emerging and active threats
Service Providers
Enterprise Data Centers
Enterprise data center services are now fully available!
31
Thank You