Mitigating Sophisticated Security Threats at the WAN Edge

According to the 2018 Cost of a Data Breach Study: Global Overview from IBM Security and the Ponemon Institute, along with several other industry surveys, it takes the typical enterprise over 200 days to discover a security breach, whether an undisclosed web vulnerability or a spear-phishing campaign for email credentials.

The study calculated that the global average cost of a data breach is $3.86 million, up 6.4% from the previous year. The average cost for each lost or stolen record containing sensitive and confidential information also rose, to $148 per record, a 4.8% increase from 2017.

Although overall DDoS (distributed denial-of-service) attack volume is somewhat declining, the size of individual attacks is more foreboding: in 2018 Arbor Networks mitigated the largest DDoS attack ever seen, a 1.7 terabits-per-second reflection/amplification attack, and GitHub suffered an attack of more than 500 million packets per second (Mpps), believed to be the largest packets-per-second (PPS) attack on record, or 1.35 terabits per second. A DDoS attack is an attempt to disrupt network services and deny network access by flooding a target with unwanted traffic from multiple sources. DoS (denial-of-service) profiles allow control over several types of traffic floods, such as SYN floods and UDP and ICMP floods.

However, as enterprises increasingly move applications to the cloud and extend access to mobile devices, many experts say that hacktivists and organized crime will correspondingly launch more web-borne and mobile-app attacks. These attack vectors include everything from exploiting backdoors in rogue app stores, to the fragmentation of Android OS versions, to SMS Trojan malware.

Gartner believes that by 2021, 27% of corporate data traffic will bypass perimeter security (an increase from 10% today) and flow directly from mobile and portable devices to the cloud. Web application vulnerabilities continue to threaten business continuity: according to Imperva, the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). Imperva says that more than half of web application vulnerabilities (54%) have a public exploit available to attackers. In addition, more than a third (38%) of web application vulnerabilities have no available solution, such as a software upgrade, a workaround, or a patch.

Clearly, the contemporary enterprise has to constantly evaluate its cyber threat posture to ensure that its defenses progress from a reactive mode to a more predictive posture that results in a self-healing architecture. One of the key elements in achieving this is an SD-WAN fabric with real-time monitoring and analytics that capture end-user behavior metrics and detect anomalies using AI and ML algorithms.

While most SD-WAN solutions provide the highest standards of on-premises traffic encryption, the other element to scrutinize is encryption key management: the ability to generate, distribute, store, rotate, and revoke or destroy cryptographic keys, partial key strings, and ciphertext as needed to protect the privacy of the associated data.

Additionally, Versa SD-WAN enables specific measures to mitigate DDoS damage, such as creating a profile that sets rules for the maximum number of concurrent sessions, with independent limits on aggregate traffic and on individual source-destination pairs. This protection method involves implementing an extensive DoS template at the outset, which protects the network from high-volume DoS attacks and acts as the first security barrier against them.

Users can define the profile as a group of common settings so that the same settings apply across various zones. The settings are deployed in the zone where network traffic enters the firewall; the zone protection profile covers that zone and all interfaces defined within it.

For endpoint protection, users can configure Versa's DoS policies to match on interface, zone, IP address, or user information as match rules for preventing DoS attacks. These zone protection profiles broadly provide defenses at the zone where packets enter the firewall.
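To make the profile semantics concrete, here is an added Python model (not Versa's code or configuration; the page does not show Versa's actual syntax) that enforces the two limits described above, an aggregate cap on concurrent sessions and an independent cap per source/destination pair, for a profile bound to the zone where traffic enters. Thresholds, zone names and addresses are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class DosProfile:
    """Aggregate and per source/destination-pair session caps (constructed values)."""
    max_aggregate: int
    max_per_pair: int
    active: dict = field(default_factory=lambda: defaultdict(int))  # sessions per pair
    total: int = 0  # concurrent sessions across the whole zone

    def open_session(self, src: str, dst: str) -> bool:
        """Admit a new session unless either limit is already reached."""
        pair = (src, dst)
        if self.total >= self.max_aggregate or self.active[pair] >= self.max_per_pair:
            return False
        self.active[pair] += 1
        self.total += 1
        return True

    def close_session(self, src: str, dst: str) -> None:
        """Release a session so its slot no longer counts against either limit."""
        pair = (src, dst)
        if self.active[pair] > 0:
            self.active[pair] -= 1
            self.total -= 1

def replay(zone_profiles: dict, events: list) -> tuple:
    """Apply (zone, action, src, dst) events; the profile bound to the ingress zone
    decides. Returns (allowed, dropped); a zone with no profile admits everything."""
    allowed = dropped = 0
    for zone, action, src, dst in events:
        profile = zone_profiles.get(zone)
        if action == "close":
            if profile is not None:
                profile.close_session(src, dst)
        elif profile is None or profile.open_session(src, dst):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped

# Constructed traffic: one host hammering one server, eight other hosts, a close and a retry, then a flow from an unprofiled zone.
SAMPLE_EVENTS = (
    [("untrust", "open", "198.51.100.7", "203.0.113.10")] * 6
    + [("untrust", "open", f"198.51.100.{i}", "203.0.113.10") for i in range(20, 28)]
    + [("untrust", "close", "198.51.100.7", "203.0.113.10"),
       ("untrust", "open", "198.51.100.7", "203.0.113.10"),
       ("trust", "open", "10.0.0.5", "203.0.113.10")]
)
```

With a profile of 10 aggregate and 4 per-pair sessions on the untrust zone, the per-pair cap stops the single noisy host after four sessions while the aggregate cap then stops the spread of other hosts, and a closed session frees a slot for the retry.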