Protecting the Data Center from Sophisticated Attacks by Matt McKinley

The data center - a bastion of computing power, availability and bandwidth. We have come to rely on the services offered by data centers to make our sites and offerings available to the world with 99.9% uptime. Whether the data center is outsourced or private, its mission is still the same. Often, the data center also houses the servers and systems that are most critical to business operations, and as such, these machines can be attractive targets. That fact has been clearly demonstrated by a recent wave of attacks that seek to use the resources of the data center to launch denial-of-service attacks.

How horrible. Hackers are using the bandwidth and availability that you pay for as a weapon. Even more horrendous is the idea that the attackers would use your private data center to attack others. In the case I am referencing, found here, the malware du jour was the ridiculous-sounding “Itsoknoproblembro.” While it sounds ridiculous, its effects were profound, sending vast amounts of traffic at the target in order to knock them offline. Aside from the compromised machines, the aim of the attack did not appear to be theft, but rather to disrupt the function of a list of U.S. banks.

Complicating matters was that the data sent toward these banks was encrypted, making it appear legitimate. And because the traffic was coming from IP addresses associated with a data center, reputation feeds would not have flagged it. The attack’s hallmark was vast amounts of data leaving the data center and being received by the target. So, are we doomed? Can this be detected even though it was encrypted and coming from legitimate IP addresses? Fortunately, yes it can.

Securing the network on which you physically reside can be accomplished because you own it. In the case of the data center, that may or may not be true. An offsite data center already has firewalls, IPS and perhaps one or two other countermeasures. But “Itsoknoproblembro” accounted for that by using encryption over port 443 (the same port used in secure banking), so the payload itself reveals nothing to inspection. The only recourse left then is to have an understanding of the normal behavior of the network and look not at the contents of the traffic, but at how much of it there is. If a normal server load is x and the data observed is x times 50, then, regardless of the source or type, you have a problem.
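The detection logic described above, as an added example (not Lancope's code and not part of the original post): it aggregates outbound bytes per host into 5-minute buckets, builds a per-host baseline from the median of earlier buckets, and raises an alert when a bucket exceeds the baseline by the post's 50x ratio. The flow-record layout, the bucket size, the median baseline and the sample traffic are all assumptions constructed for this example. Because only byte counts are compared, TLS on port 443 and a "reputable" source address make no difference to the verdict, which is the point the post makes.

```python
"""Volumetric egress anomaly detection over constructed flow records (added example)."""
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed sample flow records: (minute, source host, dst port, bytes out).

    web01 serves steady HTTPS traffic, db01 replicates steadily with one
    legitimate 3x backup burst, and web01 is then abused for a 300x outbound
    flood on 443 in the final five minutes. Payloads are never examined.
    """
    flows = []
    for minute in range(60):
        flows.append((minute, "web01", 443, 200_000 + (minute % 5) * 1_000))
        db_bytes = 50_000 * (3 if 30 <= minute < 35 else 1)
        flows.append((minute, "db01", 5432, db_bytes))
    for minute in range(55, 60):
        flows.append((minute, "web01", 443, 60_000_000))  # compromised host flooding out
    return flows


def egress_per_bucket(flows, interval_minutes=5):
    """Sum outbound bytes per (host, time bucket); returns {host: {bucket: bytes}}."""
    totals = defaultdict(int)
    for minute, host, _port, nbytes in flows:
        totals[(host, minute // interval_minutes)] += nbytes
    per_host = defaultdict(dict)
    for (host, bucket), total in totals.items():
        per_host[host][bucket] = total
    return per_host


def detect_volume_anomalies(flows, interval_minutes=5, ratio_threshold=50.0,
                            min_history=4, window=12):
    """Flag buckets whose outbound volume is ratio_threshold times the host's baseline.

    The baseline is the median of up to `window` earlier buckets, which tolerates
    the occasional reasonable spike. An alerted bucket is not folded back into the
    baseline, so a sustained flood cannot quietly raise its own "normal".
    """
    alerts = []
    for host, buckets in egress_per_bucket(flows, interval_minutes).items():
        history = []
        for bucket in sorted(buckets):
            total = buckets[bucket]
            if len(history) >= min_history:
                base = median(history)
                if base > 0 and total / base >= ratio_threshold:
                    alerts.append({
                        "host": host,
                        "bucket": bucket,
                        "start_minute": bucket * interval_minutes,
                        "bytes_out": total,
                        "baseline": base,
                        "ratio": total / base,
                    })
                    continue  # keep the anomaly out of the baseline
            history.append(total)
            history = history[-window:]
    return alerts


if __name__ == "__main__":
    for alert in detect_volume_anomalies(build_sample_flows()):
        print(f"{alert['host']}: minute {alert['start_minute']} sent "
              f"{alert['bytes_out']:,} bytes, {alert['ratio']:.0f}x baseline "
              f"of {alert['baseline']:,.0f}")
```

Run as-is, the only alert is web01's final bucket at roughly 298x its baseline; db01's 3x backup burst stays below the 50x threshold. Lowering `ratio_threshold` trades a lower floor for false positives from exactly that kind of legitimate spike, which is why a baseline that accounts for reasonable variation matters.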

Lancope’s StealthWatch System, deployed on the local network, at a private data center or at an outsourced data center, can profile the normal behavior of the network, even accounting for reasonable spikes. StealthWatch can be flexibly deployed in physical and virtual environments, enabling you to see and be alerted when a big change in traffic happens – regardless of the source.

As conventional security solutions have become less effective in the face of today’s advanced attackers, obtaining visibility into the network interior and monitoring for anomalous traffic and behaviors have become increasingly critical for protecting enterprise assets. Just think of how good you’ll feel when you thwart an attack with such a ridiculous name! Click here for more information on detecting network anomalies with StealthWatch.