ESG Blog: SOAPA Video with Arbor Networks (Part 1)
Author: Jon Oltsik


Next up on the SOAPA video series is Arabella Hallawell, Sr. Director of Product Marketing at Arbor Networks. I first met Arbor Networks back in 2003 when it was a leading provider of network behavior anomaly detection (NBAD) tools and the company has been a steady player in network security ever since. Today, Arbor Networks is a leading provider of products and services for DDoS protection, network security analytics, threat intelligence, etc. 

In part 1 of this SOAPA video, Arabella and I discuss:

  1. The current state of DDoS attacks. With SOAPA, we tend to think about low-and-slow targeted attacks that can be difficult to detect and remediate, but the SOAPA vision should also include all types of incursions – even volumetric attacks designed to disrupt business operations. Arabella provides a sobering look at the current state of DDoS attacks and it ain't pretty. In 2016, the Mirai botnet used IoT devices to create a tsunami of Internet traffic that took down the website of security researcher Brian Krebs and DNS services at Dyn. Arbor is currently tracking a similar botnet called 'Reaper' that may eventually be used as a similar weapon. Arabella also points out that stealthy application-layer DDoS attacks are on the rise. I find that many organizations don't understand the subtleties of DDoS attacks and remain vulnerable. Arbor Networks understands this risk as well as anyone.

  2. DDoS protection within SOAPA. In the past, DDoS protection was usually owned by network operations, but this is starting to change. Arabella tells me that some organizations are starting to consolidate anti-DDoS efforts with the security operations team, which is then tasked with preventing, detecting, and responding to all types of attacks. This makes sense to me, especially since DDoS is often used as part of a more comprehensive cyber-attack campaign.

  3. Network security analytics use cases. I remind Arabella that it wasn’t too long ago when some security pros confused network security analytics with SIEM. More recently, enterprise organizations figured things out and tend to use both types of tools and often integrate the two into SOAPA. Arabella talks about the differences between network security analytics and SIEM and explains how Arbor customers take advantage of “wire data” for real-time analytics and retrospective investigations. 

My observations of the market certainly parallel Arabella’s. Organizations use SIEM to anchor security operations processes while network security analytics are critical for investigations. The two technologies complement each other, providing part of the rationale for integration and SOAPA.

Look for more words of wisdom from Arabella and Arbor in Part 2 of our SOAPA video soon.

Video Transcript

Jon: Welcome back to our continuing SOAPA video series. I'm here today with Arabella Hallawell, Senior Director of Product Marketing for Arbor Networks. Welcome.

Arabella: Thanks, Jon, for having me.

Jon: Great to have you here. So we tend to think of SOAPA in relation to advanced persistent threats, targeted threats, cybercrime, that kind of stuff. But I'd be remiss if I didn't ask you, as one of the leading DDoS providers, to give us an update on what's going on in the world of DDoS these days.

Arabella: Yeah, sure, Jon. Thanks for asking. So we've really seen that DDoS has changed. We call it "the stakes have changed." And many organizations, unfortunately, haven't been updated with the changing risk profile of DDoS attacks. But basically, DDoS attacks are becoming much bigger. We've seen huge attacks. Many of you are probably familiar with attacks like Dyn which took down, basically, the internet on the East Coast in the U.S. for several hours.

But basically, we've seen much larger attacks, much more frequent attacks, and as we'll probably talk about during this conversation, many more complex types of DDoS attacks, not just these big volume, tsunami waves, but also more stealth-like application-like attacks which many organizations just aren't prepared to defend against.

Jon: Yeah, and one thing with SOAPA is, as I said, it's security operations, it's looking at anomalies on the network. Are companies starting to merge those two areas so I've got my security operations that are looking at day-to-day activity, but I've also got my DDoS prevention people?

Arabella: Yeah, that's a really great question. If we were having this conversation about five years ago, for many large enterprises, DDoS mitigation prevention was often the domain of the network operations group or those running key online applications or services. As organizations have actually started to look at risk much more closely, they are moving DDoS prevention and strategy over into the security operations group, although still, it can be a little bit of a nexus where the network team may have some responsibility and the security team for others. And that's where really good risk management, as well as planning, is absolutely key to make sure that, you know, there's no finger-pointing and one person thinking they were responsible when, you know, the other person was.

Jon: Yeah, so there's a strategy overlap. There's some process overlap. I mean, if your systems are down, they're down, whether it's a targeted attack or a DDoS attack. So it makes sense that there would be overlap there.

Arabella: Absolutely.

Jon: Now, I remember when I started working with Arbor years ago, people would get confused with what you guys do with network security analytics and SIEM. Are you still seeing that kind of confusion or do people really understand that there's SIEM for log management and for correlation of events, and then there is network security analytics which is a different purpose?

Arabella: Yeah, I mean, just overall, in terms of the Arbor Solution Portfolio, we have a set of solutions that really sort of focus, I would say, on looking external, so helping organizations protect against external types of attacks including DDoS. And then we have a newer set of solutions, including Spectrum, that really help organizations look inward, at their internal network traffic from a threat analytics perspective.

And so to your point, network threat analytics is very different from SIEM. Although some security operations teams use their SIEMs for investigations, for threat analytics, when it actually comes to looking at your internal network traffic for anomalies, very, very quickly, trying to understand "what's happened, what's wrong" investigation, we see network threat analytics being, in many ways, complementary, built for a very different set of purposes as well as having both different visibility, but also a different set of data.

Our solutions are built on what we would call wire data, which is, you know, metadata, and you know, down to the packet which is different from most SIEM solutions, which are built upon log data. And it's really the wire data that helps you not just see what happened now, but go back into the past and put together the whole puzzle of "Is this some type of anomaly that I need to be worried about? What happened? Who did it? Why? And do I now need to call my legal counsel or a forensics team to come in and see what they can recover and do?"

Jon: So it's really for that threat detection, forensics, retrospective analysis.

Arabella: And investigation, absolutely.

Jon: It's sort of like a Swiss Army knife. You can do all of those things. And I talked to one of your customers who was doing all of those things and got some acceleration in those activities. Is that accurate?

Arabella: Yeah, and I think as we get into the SOAPA discussion, you know, for most organizations, even if they're a well-resourced team, they simply don't have enough staff, enough expertise, to deal with the number of investigations they basically have to deal with. And so we see Spectrum really being a force multiplier, helping organizations automate some of the work of particularly the tier 2 analyst or even the incident responder so they can be much more effective at what they need to do.

Jon: Well, you're hitting the nail on the head with SOAPA in terms of integration and automation and orchestration. Can you stick around for part 2 of our video?

Arabella: Yeah, absolutely.

Jon: Okay. Well, look on our website for more under our SOAPA landing page.
