Remember the term “fence”? Not the barrier between houses, but a criminal whose main income comes from buying and selling stolen goods. Traditionally we’ve thought of the bad actors trying to breach our security defenses as a person or group that could use our data directly for some type of gain. However, in modern times a black market for that data exists which motivates a much larger pool of bad actors. Or, in other words, ecommerce fences. Your data can be stolen by someone who couldn’t care less about the contents, and then sold to someone who has little technical know-how but does have nefarious plans (such as identity theft).
This has created a major motivation for attackers who actually perform the attacks. They have grown in ranks, organized into groups, and frequently invest resources to make more money. According to the Verizon Data Breach Report, 93% of web application attacks were associated to organized crime. These financially motivated attackers have made it hard for regular businesses to keep up with the pace of quickly changing attacks and necessary security defenses.
Besides data theft, attacks that deny availability to applications and data (i.e., DDoS, ransomware) are becoming more commonplace. Cheap for-hire DDoS and rent-a-botnet services are readily available for anyone to use. (Try googling “DDoS for hire.”) Anyone with access to a computer can point a DDoS-for-hire push button tool anywhere they want for just a few bucks. The sophistication is low and the accessibility is high, meaning the frequency of these attacks is primed to increase.
So how do you defend against the high volume of unique attack types aimed at the full spectrum of your threat surface? Based on your risk assessment, ensure you have tools to align with technical controls and double—maybe triple—your staff head count.
Hopefully that didn’t make you spit your coffee all over the screen, but I’m actually serious. Now, show of hands on who can sell the idea to their boss of tripling operating expenses? It’s probably a safe assumption that no hands went up. The next assumption is that you’re okay with missing alerts from your tools because of alert fatigue, or because it’s a weekend or holiday. Okay, if neither are really acceptable solutions, then what’s the answer?
Outsource it. Security leaders (if your company has one) often times have a hard time letting go of certain aspects of their security program, but in many cases, it’s to their benefit.
In the past outsourcing meant lackluster security, but times have changed. Although your due diligence is still required to evaluate cloud security providers, it is now a commonly shared belief that most providers have security as a core competency, in practice, and in the services provided.
Managed security services or security-as-a-service vendors understand that having well-audited security systems are crucial to keeping customer data and availability secure and in turn, selling services. Because 3rd party security is a big focus of most organizations, managed security vendors are audited by all of their customers to some extent and go through independent assessments themselves such as PCI or SOC2. Additionally, you typically get the sum total of all customers’ security requirements. If a customer has diverse compliance requirements, then all customers benefit from the security controls even if they aren’t required. For example, if a vendor implements new controls to satisfy PCI, you as a customer would benefit from additional security even if PCI is not applicable to you.
Compliance aside, a managed-service approach provides a fully staffed Security Operations Center (SOC) with 24x7 coverage (holidays included) with specialized security expertise in the service the vendor provides, unlike security engineers at individual companies which are stretched to work within many different threat areas, oftentimes making them a master of none. Additionally, justification for an increase in headcount at a managed security vendor is typically much easier since they provide security service to create revenue. This is not always as easy for security departments inside companies where security is not a core competency, nor an engine for profit.
Because security is their business, managed security vendors understand the threat landscape, and predicting future trends is a standard business practice in order to stay competitive in the marketplace. Besides attack trends, they stay in tune to new legislation and industry mandates coming down the pike to ensure you stay compliant. This is rarely a focus at non-security companies. Additionally, vendors typically have relationships with law enforcement agencies because of the value that both entities have in data collection. This high-level trend information from law enforcement agencies can enhance the identification of new attack types.
And if you’ve ever felt that you’re preaching to empty pews trying to embed security awareness into the company culture, managed security vendors are your dream. Security is ingrained in many parts of their company culture because of brand reputation risk associated with a potential breach.
As a means to realizing the advantages described above, F5 offers its cloud-based security services platform, Silverline, that provides DDoS protection and web application firewall capabilities. This subscription-based service has the 24x7 certified experts on hand to augment your security tools and team, which helps you drive down operational expenses. For more information, visit: https://f5.com/products/deployment-methods/silverline