Defeating Cyber Threats


DEFEATING CYBER THREATS REQUIRES A WIDER NET

INTRODUCTION

The evidence on cyber threats is staggering:

▪ Malware is reaching new all-time highs – McAfee, a provider of endpoint security software, reported there were nearly eight million new pieces of malware just in the third quarter of 2012.[1] Additionally, malicious and high-risk mobile apps are also on the rise. Trend Micro, for example, has identified 145 thousand malicious Android apps, as of September 2012.[2] Keeping malware at bay, already a “treading water” challenge, is intensifying.

▪ BYOD is a growing threat vector – With the escalating pervasiveness of smartphones and tablets—Frost & Sullivan estimates smartphones shipped in 2012 will reach 558 million, and tablets will reach 93 million—more fuel is added daily to the Bring Your Own Device (BYOD) movement. From a security perspective, the implications of BYOD are more untrusted devices connecting into corporate networks and connecting to enterprise public-facing Web sites; and, with that, more devices are potential participants in malware propagation and botnet-based attacks. The enemy is everywhere.

▪ Distributed Denial of Service (DDoS) attacks are approaching mainstream – In a 2012 survey of network operators conducted by Arbor Networks, over three-quarters of the operators experienced DDoS attacks targeting their customers.[3] In a 2012 Frost & Sullivan-conducted global survey of security professionals, cyber terrorism and attacks by hacktivists were identified as top security concerns by 19 percent and 14 percent of the survey respondents, respectively. Malware infections and application vulnerabilities were cited as top concerns by the greatest number of survey respondents—27 percent each. The list of significant security concerns is growing in length and diversity.

▪ Exposure footprint is expanding – The cloud is becoming another computing “location” for a growing number of organizations. According to the same Frost & Sullivan 2012 global survey of security professionals, slightly more than one-third of the respondents cite cloud computing as a high priority for their organizations now, and that percentage increases to 54 percent in two years. In other words, more than half of the surveyed organizations expect to be using or in the process of moving a portion of their operations to the cloud in two years.

[1] McAfee Threats Report: Third Quarter 2012, available for download at: http://www.mcafee.com/us/mcafee-labs.aspx.

[2] TrendLabs 3Q 2012 Security Roundup, available for download at: http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html#threat-reports.

[3] Worldwide Infrastructure Security Report, available for download at: http://www.arbornetworks.com/research/infrastructure-security-report.

What is of equal concern is that organizations cannot change how they conduct their operations. Networks, whether they are private or public, are the circulatory systems of business. Malicious and unwanted traffic clogs these electronic arteries and adds risk to maintaining stable operations, reaching profitability objectives, managing a business’s brand reputation, complying with regulations, and safeguarding sensitive data.

TRADITIONAL CYBER DEFENSE APPROACHES ARE INSUFFICIENT

To lessen these risks, organizations rely on an assortment of gateways and filters to cleanse their network traffic. Although logical, this approach is dependent on the ability to identify threatening traffic with effectiveness and time efficiency, and then update security policies and malware and intrusion signatures with equal accuracy and speed. Many factors, however, make this critical task difficult, such as: unending escalation in traffic volume and originations, evolving network and computing infrastructures and traffic patterns, and hacker sophistication to evade detection.

Despite all of these challenges, Stratecast’s perspective is that this identify-and-mitigate approach is fundamentally sound but incomplete. Where the incompleteness lies is in the restricted net of information and resulting analysis. Too often, organizations rely extensively on the traffic that they can see on their individual networks, and the traffic their individual carriers see. While essential, these views are not the entire universe, but merely a sample and, as a sample, subject to interpretative error (i.e., insufficient data points to reach conclusions with a maximum level of confidence and in an optimized window of time).

What is needed is a net that is wider, with continuous data feeds from a community of carriers. Not only does this extended reach add to the breadth of data available for analysis (e.g., catching clues on threatening traffic on one carrier’s network before this same type or origin of trending traffic invades other carrier and enterprise networks), but it also improves the integrity of mitigation policy changes and the creation of new policies, as more confirming data points on threatening traffic are available.

Arbor’s ATLAS® (Active Threat Level Analysis System) reflects this carrier and enterprise community attribute. Furthermore, ATLAS is not a theoretical concept but a set of established services that have been supporting carriers and large, Internet-based enterprises on an opt-in basis for six years. ATLAS’s existence and expanding carrier and large enterprise participation is a testament to its value.

In this paper, Stratecast will provide an overview of ATLAS, and detail why carriers and enterprises should participate in ATLAS; and, by association, why enterprises should take note of the participating carriers in making their carrier selections.

ARBOR ATLAS FUNDAMENTALS

ATLAS is a global-operating threat analysis network. Launched in 2007, ATLAS transparently, and on an hourly basis, collects network traffic data from sensors hosted in carriers’ darknets, and data from carrier and enterprise-deployed Arbor security and traffic-monitoring platforms. Between these two sources, Arbor is collecting data from all assigned IP addresses—service-active IP addresses from Arbor platforms and service-inactive IP addresses from darknet-hosted ATLAS sensors.

In terms of scale, there are more than 250 ATLAS-participating carriers and enterprises supplying a peak stream of network traffic data of over 38 terabytes per second (Tbps). Stripped of carrier and customer sensitive information, this data is fed into the Arbor Security Engineering Response Team (ASERT) database and combined with third-party threat information sources for assessment.

Operating 24x7, ASERT researchers transform this data stream into actionable intelligence on malware, phishing attempts, botnets (command & control and botnet zombies) and DDoS attacks. Notable for its depth, this data is bi-directional, representing traffic originating in carrier networks and their customers’ locations (where ATLAS platforms are deployed), as well as inter-carrier traffic. Alternatively stated, origins of threatening traffic (compromised hosts and locations) and targets are both included in the ASERT database. Furthermore, ASERT researchers examine traffic data over time and in simulated and real polymorphic forms, in order to identify highly sophisticated, composite, and personalized threats.

[Figure omitted. Source: Arbor Networks]

From a historical perspective, ATLAS, underpinned by ASERT (a 12-year-old organization), is the culmination of pioneering, industry-collaboration initiatives sponsored by Arbor. The first launch, in 2004, was the Arbor Worldwide Infrastructure Security Report. An original, this report was prepared by Arbor with direct participation by its carrier customers and for its carrier customers to improve their network security strategies and tactics. One year later, in 2005, Arbor launched its Fingerprint Sharing Alliance (FSA). This alliance demonstrated the inter-carrier benefit of automated sharing of Internet attack information; in essence, uplifting the information sharing value of the Arbor Worldwide Infrastructure Security Report from once-a-year to continuous. For alliance participants, FSA again leveraged the power of community. For example, rather than establishing multiple pair-wise, carrier-to-carrier data sharing arrangements, or as a supplement to these, the clearinghouse function of FSA delivers Arbor-certified attack and anomaly traffic identifiers to each FSA subscriber, and does this without exposing private carrier or enterprise information. FSA also delved into the next layer of pressing needs for carrier and enterprise security professionals—that is, transforming threat information into trusted and actionable threat intelligence. Or, stated alternatively, assisting Arbor customers in being wise in threat information assessments and confidently deliberate in acting on this information.

ASERT’s actionable threat intelligence exists in two Arbor automated services:

▪ Active Threat Feed (ATF) – The ATF is an activity-based threat detection service for known and emerging threats. ASERT uses attack information from ATLAS to create detailed profiles or “fingerprints” of security threats, including attacks, unauthorized activity or malicious traffic patterns. Unlike traditional defenses such as IPS/IDS or anti-virus, which use signatures to detect attacks, the ATF fingerprints provide subscribers with a broad scope of security intelligence and visibility into the events occurring on the network, including advanced threats and botnet activity.

▪ ATLAS Intelligence Feed (AIF) – With DDoS attacks going mainstream, carriers and enterprises are facing a legitimate business appropriation concern: whether additional hardware investments and security personnel will be required to address this looming threat. AIF delivers real-time DDoS and botnet signatures to protect networks and Web infrastructure from DDoS attack toolsets and their variants. In action, these feeds directly and automatically populate DDoS and botnet identification and mitigation policies. With DDoS attacks having the capability of going from a trickle to a debilitating wave in a cyber moment, automatic policy updates based on the wide experience aperture of ATLAS community members and vetted by ASERT researchers are essential.

For ATLAS subscribers seeking additional threat intelligence, Arbor hosts a Web-based portal. Subscriber views can be dynamically customized at a highly granular level; e.g., for a specific Autonomous System Number (ASN), IP address, or country. For non-subscriber portal visitors, the ATLAS portal lists the top 20 threat sources from the latest 24-hour period.

ATLAS BENEFITS FOR CARRIERS AND ENTERPRISES

For security professionals, useful threat intelligence is paramount. But, as previously stated, value lies in the range, integrity and timeliness of this intelligence. This is the first benefit of ATLAS—a community-supported, vetted, real-time and actionable source of threat intelligence.

In practice, this benefit has three correlated business and operational offshoots:

▪ More threats are proactively mitigated, resulting in a lower overall risk posture.

▪ Less remediation occurs. With fewer attacks being successful, remediation efforts (e.g., purging endpoint devices of malware infections, bolstering Web infrastructure to defend against DDoS attacks, and conducting data breach notifications) will be fewer in number and smaller in scale.

▪ As ATLAS researchers monitor and assess traffic data from Arbor platforms and darknet sensors, carrier and enterprise security analysts gain the benefits of this threat analysis without incurring the work effort. Their knowledge levels are enhanced.

Obviously, these outcomes contribute to heightened operational efficacy for security organizations. However, efficacy improvements do not end there. Placing ATLAS’s threat intelligence in the broader context of existing security technologies that rely on signatures, such as IPS/IDS and anti-malware, security teams may determine that examining and updating signature files does not always need to be conducted on an “urgent” basis. Armed with the contextual attack data from ATLAS, security professionals have the information necessary to prioritize signature deployment in other network security products such as IDS/IPS and anti-malware applications. Lessening “break away” crises leaves more uninterrupted time for security professionals to concentrate on other important responsibilities and initiatives.

ADDED ATLAS BENEFITS FOR CARRIERS

Whereas the previously listed ATLAS benefits are focused on gains in operational efficacy, improving risk posture, and de-stressing the work lives of security professionals, there is also a de-stressing benefit to carriers’ network infrastructures. This benefit comes into play in the routing of darknet IP addresses. By routing darknet IP addresses to the carrier-hosted ATLAS sensors, rather than the carrier’s production routers, the traffic load associated with the darknet is removed from these production routers. This darknet “off-loading” benefit is most evident during periods of high-volume attacks aimed at darknet addresses. As the carrier’s production routers are not bombarded by this influx of undesirable, yet useful, traffic (i.e., useful in the sense that this traffic provides clues on emerging security threats), network administrators will not be pulled away from their important responsibilities to concentrate on this traffic spike, and how to mitigate the impact on their production networks.

Another carrier benefit of ATLAS is in its market positioning. When given a choice, network administrators rank service reliability among the top attributes in network service selection. In a mid-2012 survey of U.S. businesses, conducted by Frost & Sullivan, service reliability was second only to security as the most cited network services attribute. ATLAS directly contributes to both of these attributes by uplifting carriers’ ability to fortify the security and reliability of their production networks. Built on the “worldwide traffic library and brain” of ASERT, ATLAS-participating carriers have a tangible point of evidence to show their customers that they are not combating cyber threats alone; they are taking advantage of an expansive community.

ENTERPRISES SHOULD TAKE NOTE

Enterprise security operators are responsible for protecting their networks from confidential data breaches and unauthorized access (even from trusted users), maintaining network integrity, and ensuring solid brand reputation—as well as helping the network team keep stable service levels. Attackers are taking advantage of these professionals’ multiple responsibilities and launching multi-stage, blended attacks that are uniquely designed for that organization’s infrastructure. While some enterprise security professionals love getting into the weeds of attack information—understanding where it came from, the triggers associated with attacks and so on—it is simply not practical for most.

In addition to security, service reliability is vital to any business that runs critical operations on the Internet or on private networks that are not fully isolated from the Internet. While the business implications of service disruptions and uneven service performance will vary by circumstance, gauging those implications through experience is a risky proposition. Given the choice, is it not preferable to select network services from ATLAS-participating carriers?

Data from ATLAS provides these busy security professionals with not only accurate and effective security via the AIF and ATF feeds that run in Arbor’s products; it also provides valuable context and information on attacks that can be used for proactive security. This security intelligence and forensic data can be used for updating security enforcement policies across the network, as well as for mitigation of threats that were previously not known. By updating these policies and proactively blocking threats, the security team can keep the network uncluttered from attack traffic—maintaining reliable service for critical business applications.

Michael Suby, VP of Research, Stratecast | Frost & Sullivan, [email protected]

The Last Word

Since shortly after the dawn of the public Internet, carriers supporting the Internet’s backbone, and commercial entities relying on the Internet to support their internal operations and conduct public-facing businesses, have been in a constant and ever-evolving battle against a myriad of threat types and actors. There is absolutely no reason to expect this battle to end. Moreover, battlefield expansion is a certainty as the volume and diversity of Internet-enabled devices grows and enterprises expand their virtual points of presence into a variety of interconnected cloud and hosting environments. In essence, the Internet’s relevancy and enterprise dependency are rising. With that, the attraction of it to cyber criminals, protestors and disruptors—from basement hobbyists to highly organized entities—will also increase.

For carriers, hosting and cloud services providers, and enterprises, a fundamental question is how to leverage and protect the openness of the Internet and the business opportunities the Internet presents. Our position is that a structured worldwide, community-supported approach to threat analysis and response is fundamentally essential. The diversity, morphing velocity and sophistication of emerging threats call for nothing less than a complete and real-time assessment of all battleground fronts. ATLAS has the carrier and enterprise relationship scale, expertise of ASERT and experience to support such an effort.


ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.

ABOUT STRATECAST

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.
