DDoS protection requires investigative and preventative controls

In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventative and investigative controls. As the name suggests, preventative controls are designed to reduce the chance that a given threat will negatively impact a given environment.

Of course, preventative controls don’t always work as expected, and some threats always manage to slip past them. To supplement this protection, investigative (detective) controls are also used. Investigative controls are designed to identify security issues soon after they occur, so they can be addressed before undue damage is done.

The joint use of preventative and investigative controls is routine practice in many areas of the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.

This is by no means an exhaustive list – there are myriad areas within the security space where this practice is applied. You can imagine my surprise, then, to see that one area is noticeably missing the powerful combination of preventative and investigative controls: DDoS protection.

Why DDoS is still a problem

DDoS attacks are a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of companies lose at least $120,000 due to DDoS attacks, while 15% of companies lose at least $1 million. Even with the best DDoS protections in place, MazeBolt says, businesses still suffer from 30% to 75% exposure of their online services to DDoS attacks. This means that DDoS is a serious problem for the industry, and one that is not receiving the preventative controls it needs.

Maybe this will surprise you if you think about it for a moment. When it comes to DDoS, organizations primarily focus on detection and mitigation. They purchase DDoS mitigation solutions for when an attack occurs, but they don’t worry about protecting the organization from attacks in the first place. As a profession, we don’t seem to focus much on DDoS preventative controls, even though the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest Guidelines for Mitigating DDoS Attacks.

It may seem strange, but there are historical reasons for this, such as the difficulty of testing for DDoS vulnerabilities and susceptibility non-destructively.

5 Steps to Complete DDoS Protection

So, once an organization decides to take a more comprehensive approach to DDoS attacks, what are some steps it should follow to ensure it is adequately protected? I’ve offered some thoughts here.

1. Check for vulnerabilities. Organizations should ensure they check for DDoS vulnerabilities and susceptibility at layers 3, 4 and 7 of the OSI model. This is easier said than done, of course. This requires being non-destructive in identifying vulnerabilities. Demolishing infrastructure in the name of DDoS security would not be a good thing.

2. Stay uninterrupted. No one needs DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime and customer satisfaction. There is a better way – new non-destructive and non-intrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risks.

3. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are overlooked is to know your environment well. This is true regardless of how complex the environment is and even if that environment involves hybrid and multicloud environments. Understanding your environment is the best way to ensure there are no blind spots. This, in turn, makes the process of identifying and remediating vulnerabilities much more thorough and effective.

4. Establish and follow a process. Organizations should have a process for documenting vulnerabilities and prioritizing them for resolution. This ensures that things don’t go unnoticed and reduces the risk of oversight and human error. Even with the best process, organizations will still need determination and commitment to remediate identified vulnerabilities. DDoS security is a marathon, not a sprint.

5. Repeat the security steps. DDoS security, like many areas in the security field, is not a one-time endeavor. Organizations must continuously test for any new or persistent vulnerabilities within the infrastructure. They must ensure that they are constantly aware of environmental changes so that they can maintain the required level of understanding and knowledge of the environment. Organizations will also need to adhere to and continually follow their process to ensure vulnerabilities are resolved in a timely manner. Simply put, DDoS security is an endeavor that requires continuous attention.

It’s time for DDoS preventative controls

Like many areas in security, DDoS security leverages both preventative and investigative controls, or at least it should. For a variety of reasons, our historical approach to DDoS attacks has focused primarily on attack detection and mitigation. We, as an industry, have long been waiting to leverage preventative controls in the area of DDoS security.
