Myth Vs. Fact: What You Need to Know About DDoS Cloud Security
Cloud security is not a new concept for the digital space. Nor is cloud security posture management, which scans, monitors, and remediates configuration issues in the public cloud. These concepts have been around since the early days of cloud computing, attempting to secure cloud computing infrastructure and services.
One essential component of securing your cloud is DDoS testing, which is becoming more critical for organizations as recent reports show global enterprises suffering some of the largest DDoS attacks in history. According to experts, DDoS attacks will reach beyond 15M by end of 2022. This illustrates that the DDoS protection of these enterprises failed to block the attacks and demonstrates that organizations lack the tools necessary to effectively combat DDoS threats. DDoS testing must be continuous, have zero impact on business operations, and ultimately give security teams clarity into their true attack surface so they are prepared to defend against these attacks.
Enterprises need to ask themselves if their cloud protection also offers DDoS security. And if the answer is yes, does it offer it at the highest level?
We’ve found in our interaction with customers that they have several misconceptions about DDoS cloud security. In this post, we’ll separate myths from facts.
Myth #1: Enterprises can rely on DDoS mitigation providers to identify existing vulnerabilities and a strategy to efficiently remediate them.
Fact: You have zero visibility into your organization’s true DDoS readiness.
Whether in the cloud or on-premises, traditional DDoS mitigation systems rely on static protection rather than discovering exposures, leaving mitigation teams scrambling in the event of a successful attack. Red team testing, typically done twice a year, delivers only partial results, leaves misconfigurations in place, and compromises your company’s uptime while it runs.
Myth #2: Our DDoS cloud protection offers full DDoS protection.
Fact: Even if your DDoS cloud protection is managed by DDoS experts, you still need to test it in action.
Many of our customers have a false sense of security when it comes to cloud protection.
It’s not hard to understand why. After all, one of the major advantages of using a cloud provider is that your data is stored on state-of-the-art hardware and backed up across multiple data centers. This ensures that you don’t lose data in the event your primary data center is damaged or destroyed.
When customers move to the cloud, they also mistakenly believe that the cloud service bundle or basic DDoS protection offered will fully protect them against DDoS attacks. What enterprises often forget is that the cloud provider’s core competency is storage, not DDoS protection.
Our experience has shown us time and time again that even though these DDoS cloud protection services are managed by tech teams, they are not fine-tuning mitigations for each customer.
Here are a few common scenarios we’ve seen:
- Cloud services don’t fine-tune their protection to defend against ever-evolving DDoS threats. Instead, they usually rely on a template of settings that leave enterprises vulnerable to DDoS threats.
- Cloud services often lack the manpower to constantly fine-tune the settings for effective protection per customer, and face technology limitations. Many avoid fine-tuning their DDoS protection so they won’t inadvertently cause false positives, for instance.
- While basic protection tiers are more affordable and sometimes offered by default by the cloud service, they most probably exclude many protections, such as botnet protection or OSI layer 7 protections. Customers need to remember to read the fine print.
Myth #3: Cloud providers have powerful scrubbing centers that offer enough DDoS protection.
Fact: Relying on one security control, or even a combination of controls (e.g., WAF, CDN, or scrubbing center), is not enough to identify and eliminate DDoS vulnerabilities.
Yes, it’s true that the big 3 cloud providers typically have their own powerful scrubbing centers they can offer to their customers as part of their cloud services.
There are also outside scrubbing center services. However, many scrubbing centers (whether in the cloud or from an outside service) often only include protections against Layer 3 and 4 attacks. This might be sufficient for more common yet simple volumetric DDoS attacks, but not enough against sophisticated attacks on OSI Layer 7, such as HTTPS flood types. These attacks are harder to identify because they require the ability to distinguish between human and bot traffic. When these attacks are not blocked and reach servers, they result in costly downtime.
Myth #4: The most advanced level of DDoS cloud protection offers full protection.
Fact: Even the best current DDoS protection can be successfully bypassed.
Major global enterprises such as Bandwidth and Blizzard pay for the highest levels of DDoS protection, yet they suffer repeated DDoS attacks. That only emphasizes the importance of testing your DDoS cloud protection, even if it’s the highest level of service possible.
Here are the most common reasons why DDoS attacks successfully bypass our customers’ mitigation systems:
- Networks change, and new services and infrastructure are added; the DDoS configuration needs to change as well
- DDoS vulnerabilities are constantly evolving, and new ones need to be continuously identified and eliminated before they become threats
- The massive increase in the number of IoT devices gives DDoS attackers seemingly infinite pathways to launch multi-vector, higher-rate attacks
In addition, most DDoS testing doesn’t give enterprises full visibility into their attack surface. They need a new standard that delivers full attack surface coverage, regardless of these network changes and the evolution of DDoS vulnerabilities.
Full DDoS Cloud Protection Requires Continuous DDoS Testing That is Truly Always-On
The only way to identify DDoS vulnerabilities is to continuously test for them. Yet most enterprises run DDoS testing during 3-hour maintenance windows, only once or twice a year. Since these tests require downtime, enterprises minimize the frequency of their DDoS testing. RADAR™ testing, on the other hand, continuously tests for DDoS vulnerabilities, eliminating those that successfully bypass mitigation systems, with zero operational downtime. Once DDoS exposures are identified, prioritized remediation recommendations are provided to accelerate patching.