What is the right DDoS protection cloud service for your organization?

How long can your site/service endure downtime in the event of a successful DDoS attack?

Would most enterprises really rather fend for themselves when it comes to security? One reputable survey seems to say so. Organizations are largely investing technology and staffing budgets earmarked for information security into related in-house skills and technology, according to a 2016 SANS Institute report on IT Security Spending Trends. That could and probably would be the topic of this article but for one little thing.

DDoS security stands out as the only exception in the aforementioned report, with companies spending outside their own ranks for detection and remediation. Most companies surveyed prefer cloud service-based DDoS protection when picking a provider.

A list of top DDoS protection cloud services given in random order can include F5 Silverline, Arbor Networks’ Arbor Cloud, CloudFlare’s advanced DDoS protection, VeriSign DDoS Protection Service, Imperva Incapsula, Akamai Kona Site Defender, Cisco Guard, and Level3 DDoS Mitigation. There are many more such services; this list includes the best, depending on who you talk to.

Risk profiles, coverage, research methods, deployments

Here are four tips to know when preparing to select a DDoS protection cloud service.

Tip No.1: Know Your Risk Profile. Determining what DDoS protection cloud service is best for your business starts with knowing the risk profile of your organization, since you will have to marry a suitable service to that profile. ISACA offers information about what to include in a risk profile. According to Tim Cullen, senior security consultant, CISSP, and chair at the Cybersecurity Simulation for the Technology Association of Georgia, here are the impact profile points you must know for your enterprise.

  • How long can your site/service endure downtime in the event of a successful DDoS attack?
  • What is the range of losses in revenue that would affect your company if an attack prevails?
  • How would DDoS-inflicted downtime contribute to loss of customer confidence or market share?

Tip No.2: Know the protections/coverage you need. Once you have established what the weight of these pain points would be on your organization in and after an active attack, you need to establish what kinds of protections are necessary.

You might, for example, need to detect and protect yourself against zero-day attacks since many DDoS attacks flood requests for services using new OS or application vulnerabilities that the vendors have not yet patched, explains Cullen. “You need to know how quickly the provider can implement the solution to protect you and whether it secures you and your data if you are currently under attack,” adds Cullen.

Tip No.3: Know providers’ research methods. The methods the DDoS protection cloud service uses to gather data about attack vectors are also important to your selection. According to Cullen, you should ask the provider the following questions:

  • Do they use their own metrics for isolating attack data?
  • Do they instead use a cloud service to report and disseminate attack alerts and to update virus/malware signatures?
  • Do they have a global footprint for data collection?
  • Do they proactively research and identify new attacks as they are first appearing in the wild?

The cost of some features, such as a proactive security (proactive research) approach, will be a factor in your selection.

Tip No.4: Deployment options. Be sure to ask whether the service can be deployed in different ways so that you can select the deployment approach that leaves you feeling confident and comfortable. Choices include setups with everything going through the cloud, arrangements where you have to recognize an attack and then elect to divert traffic to the cloud manually, and setups where the system recognizes an attack and redirects traffic to the cloud service for you.

Service qualities to look for

Cullen offers eight tips for ranking DDoS protection cloud services based on the quality of critical service capabilities.

Quality No.1: Low latency. Test your applications on the service to see whether it offers low latency while it is running scans. “Published scrubbing capacity numbers peg F5 at 2Tb/sec, Imperva at 1.5Tb/sec, and Arbor Networks at 1.1Tb/sec. These three are usually on my short list of vendors to talk to about speed,” says Cullen.

Quality No.2: Security track record. Ask for letters of recommendation and lists of customers whom you can question. F5, Arbor Networks, and Imperva have been in this market a long time and have many letters of recommendation to demonstrate that they perform well in securing their customers, says Cullen.

Quality No.3: Remote ticketing service. Most services offer remote ticketing on your behalf. “We have had good results with vendors like F5 and Akamai for problem resolution and remote ticketing; they seem to own the problem till resolution,” says Cullen.

Quality No.4: Strong UI/dashboards for self-management. Depending on your preference, almost any provider could come out on top here. “I like the Imperva and F5 dashboards. Arbor Networks gets an honorable mention; it was not as intuitive for us as the others,” says Cullen.

Quality No.5: A forensics team. Such a team can help you understand the specific challenges and appropriate resolutions on a case-by-case basis. “F5 was a standout vendor for this option with a research team that watches the hacking community for attacks and trends,” says Cullen.

Quality No.6: Logging. Complete data records of attacks culled from logs are critical to prosecuting the culprits behind breaches. This is another option that everyone has, and you may end up basing your selection on your own preference.

Quality No.7: Licensing. Providers can offer licensing based on the protection options available, the amount of bandwidth you require or use, and whether you choose an onsite hardware/cloud subscription, says Cullen. Another form of licensing is access-based licensing, which applies to the means you use to access the cloud and can include all services. Akamai and F5 were the best for this last licensing option, according to Cullen.

Quality No.8: Minimal impact to the local environment. Some services route all traffic to the cloud first, some allow some traffic to go to the company site first, and some let all traffic go to the company site until the time of an attack. The last option has the least effect on the local environment.

Stories by David Geer