InfoRiskToday.com

Mitigating DDoS Risks

Traffic Analysis, Cloud Services Can Help Mitigate Risks

By Jeffrey Roman, November 5, 2012.

Download the transcript of this interview in PDF format (sponsored by Corero Network Security)

The recent wave of distributed denial of service attacks against U.S. financial institutions proves organizations aren't doing enough to prepare for online attacks, says Jason Malo of CEB TowerGroup.

Malo, a financial-services research director at the Boston-based consultancy and web security expert formerly with VeriSign, has been studying DDoS attacks for some time. He says the recent wave of large-scale attacks affecting leading institutions has exposed website weaknesses few organizations have adequately addressed.

Malo says DDoS-attack preparation and prevention come down to risk assessment and scale.

"As the breadth of the attacks starts to ramp up, you've got to be able to not only understand the traffic coming in and out of your network, but also what that traffic looks like," Malo says in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "That's one thing that has really marked the evolution."

Companies, Malo says, can then scale their abilities to handle traffic based on normal patterns. "With [DDoS attacks], it's a significant amount of extra traffic, and the numbers don't tend to work out if you're looking at scaling to that significant level."

There are solutions out there to deal with these types of attacks, he adds. "Banks don't have to put in huge investments of capital to be able to put mitigation in place."

Further, a cloud approach could assist with deflecting a large, volume-based attack, Malo says. "If someone is hitting you with a significant amount of data, there's benefit in meeting volume-per-volume," he says. "If there's a way to augment that through a public cloud infrastructure, where you don't need to crack open packets and get into any kind of deep inspection, there's absolutely benefit there."

During this interview, Malo discusses:

  • Cloud-based services and other outsourced solutions that address DDoS;
  • How banks and credit unions should use big data to improve analytics and anomalous activity detection; and
  • Why banking institutions need to implement more than intrusion detection and prevention systems to thwart DDoS-related outages.

Malo, who works in CEB TowerGroup's retail banking and cards practice, has more than 16 years of online service development, management and marketing experience. Malo is focused on market evaluation and product strategy for mobile banking, emerging threats, regulation and customer attitudes surrounding security and fraud across banking and card channels. Before joining CEB TowerGroup, Malo spent five years with VeriSign, where he managed development roadmaps and go-to-market strategies for cloud-based products that address threats to personal information, network infrastructure and commerce. Earlier, at Bank of America, Malo led projects that addressed enterprise and consumer authentication, consumer privacy and security, online banking, information security, and platform consolidation.

DDoS Attacks

TRACY KITTEN: Can you give us some background about what a DDoS attack actually is?

JASON MALO: It's an attack that's meant to deny resources to someone, and, most traditionally, this has been looked at in a consumer environment, where a website is hit with a denial-of-service attack which renders it unavailable to its normal clientele.

A DDoS attack - while categorized as a massive overwhelming of critical resources - is not just blunt instruments. They're not just flooding Internet pipes and pounding on Web servers until they fall down. There's actually a wide range of different attack types at every place in the delivery of those services. You can have attacks that are going after and trying to flood your Internet pipes. You can have attacks that go after the amount of processing power that any one of your Web-application servers may have. Or you can have things that look to exhaust the number of sessions that your application can have in place. It can put a taxing amount of traffic on the amount of images and content it's able to deliver back out, for instance.
