No matter how much prevention you have, serious security incidents will inevitably occur. Read the next article in our security series that covers how to understand cyberattacks as quickly as possible so that your organization can respond swiftly.
This is part 2 of 3 in a blog series about how to fortify your security posture with Kentik. Also see part 1.
Kentik is crucial in strengthening the security posture for our customers before, during, and after a cyberattack. We do this by using deeply enriched network data from across your entire data center, cloud, and container footprint to prevent, detect, and respond to cyber threats.
- Prevent: Kentik reduces the likelihood of a full-blown attack before it happens
- Detect: Kentik helps you mitigate attacks faster when they do occur
- Respond: Kentik uses real-time network data to kick off mitigation efforts and, when the dust settles, obtain a deep understanding of what happened so you can prevent future attacks.
In Part 1 of this series, we looked at how Kentik reduces the likelihood of a full-blown attack before it happens. By going beyond the basics of tracking network IP, port, and protocol, Kentik’s deep multidimensional enrichment of network data, integrated threat feeds, and anomaly detection enable customers to detect threats faster, before attackers can pivot deeper into the network.
But no matter how much prevention you put in place, serious security incidents will inevitably occur. It is essential to understand what is happening as quickly as possible so that you can respond. That is the topic of today’s post.
The 1-10-60 rule
Timing is everything in cyberattacks. It is increasingly impossible to defend IT resources against a determined attacker; however, the blast radius and severity of the attack can be significantly reduced if detected sooner.
CrowdStrike popularized this idea with the 1-10-60 rule. The rule states that an organization should aim to detect an attack in one minute, investigate its source in 10 minutes, and remediate the root cause in 60 minutes. Our last post showed that the average time to detect and contain a breach is 277 days. Clearly, much work still needs to be done, but Kentik can help.
Kentik provides real-time visibility into network traffic, allowing security teams to monitor ongoing attacks. This visibility is essential to identify the attack source, understand the attack vectors, and take immediate action to mitigate the attack. It applies at every stage of the investigation: the one-minute detection, the 10-minute investigation, and the 60-minute remediation.
For example, Kentik allows security teams to see all their networks in one fell swoop and understand traffic and telemetry across clouds, data centers, edge, SaaS, WAN, and SD-WAN.
Incident response teams can query, filter, drill in, and add context to find the answers they need, even across mountains of data. And they are supported in their jobs with Kentik’s intuitive dashboards and reports to see patterns quickly. These reports can easily be shared with colleagues even if they are not Kentik users, which is extremely useful for network and security team collaboration.
“In a DDoS attack you want to look at traffic volumes, but with Kentik we also can look at source IPs, AS numbers, and other metrics to see if it’s a distributed attack. This is so easy to do in Kentik.”– Jurriën Rasing, Group Product Manager for Platform Engineering
When seconds count, it is crucial to correlate seemingly unrelated events to find the root cause of the cyberattack faster.
For instance, if your security team has identified that an attack is taking place, it would be extremely useful to know that the traffic is originating from an embargoed country. Kentik can tell you that and more.
This is where Kentik’s real-time enrichment comes in. The additional context provided by enrichment enables security and network teams to identify root causes much faster because they have a complete picture of traffic in and out of their networks, not just the basics of IP, port, and protocol.
Kentik attaches various types of metadata to flows to provide insight into them. For instance, a flow can be tagged with the geolocation of its IP addresses, the specific service being communicated with, the names of the autonomous systems (AS) involved, or metadata from cloud providers.
Kentik allows its customers to enhance their data based on their own sources, ensuring the most relevant context is available. The sources for enhancing data can range from any logs or event data to telemetry at the endpoint or application level.
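The enrichment step described above, as an added example that is not Kentik's code: raw flow records carrying only IP, port, and protocol are joined against a prefix table (origin AS, AS name, country) and a port-to-service map, and flows whose source country is on a watch list are flagged. The prefix table, AS names, country codes, and the watch list are all constructed for illustration (RFC 5737 documentation prefixes, private ASNs, placeholder country codes); in practice these come from BGP tables, a geolocation feed, and the organization's own policy.

```python
"""Enrich raw flow records with constructed metadata (origin AS, AS name,
country, service) and flag flows from watched source countries.

Added example, not Kentik code. Every table below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed prefix metadata (assumption: RFC 5737 test ranges, private ASNs,
# placeholder two-letter country codes). Note the overlapping /25 and /24.
PREFIX_METADATA = {
    "192.0.2.0/24": {"asn": 64500, "as_name": "EXAMPLE-NET-A", "country": "ZZ"},
    "198.51.100.0/24": {"asn": 64501, "as_name": "EXAMPLE-NET-B", "country": "XX"},
    "203.0.113.0/25": {"asn": 64502, "as_name": "EXAMPLE-NET-C", "country": "YY"},
    "203.0.113.0/24": {"asn": 64503, "as_name": "EXAMPLE-NET-D", "country": "ZZ"},
}

# Constructed port-to-service map (well-known ports only).
SERVICES = {22: "ssh", 53: "dns", 443: "https", 3389: "rdp"}

# Constructed watch list of country codes (placeholder value).
WATCHED_COUNTRIES = {"XX"}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    enrichment: dict = field(default_factory=dict)


# Sort most-specific first so the first containing network wins.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), m) for p, m in PREFIX_METADATA.items()),
    key=lambda n: n[0].prefixlen,
    reverse=True,
)


def lookup_prefix(ip: str) -> dict:
    """Longest-prefix match; returns UNKNOWN metadata for unlisted addresses."""
    addr = ipaddress.ip_address(ip)
    for net, meta in _NETWORKS:
        if addr.version == net.version and addr in net:
            return dict(meta, prefix=str(net))
    return {"asn": None, "as_name": "UNKNOWN", "country": None, "prefix": None}


def enrich(flow: Flow) -> Flow:
    """Attach AS, country, and service context to a flow in place."""
    src = lookup_prefix(flow.src_ip)
    dst = lookup_prefix(flow.dst_ip)
    flow.enrichment = {
        "src_asn": src["asn"],
        "src_as_name": src["as_name"],
        "src_country": src["country"],
        "dst_asn": dst["asn"],
        "dst_country": dst["country"],
        "service": SERVICES.get(flow.dst_port, f"{flow.proto}/{flow.dst_port}"),
        "src_watched": src["country"] in WATCHED_COUNTRIES,
    }
    return flow


def flag_watched_sources(flows):
    """Return only the flows whose source country is on the watch list."""
    return [f for f in map(enrich, flows) if f.enrichment["src_watched"]]


# Constructed sample flows: one from the watched country, one inter-AS SSH
# session, and one from an address not covered by the prefix table.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 443, "tcp", 52000),
    Flow("192.0.2.55", "203.0.113.200", 22, "tcp", 1800),
    Flow("10.9.8.7", "192.0.2.1", 53, "udp", 120),
]

if __name__ == "__main__":
    for f in map(enrich, SAMPLE_FLOWS):
        print(f.src_ip, "->", f.dst_ip, f.enrichment)
```

The longest-prefix match matters for the overlapping 203.0.113.0/25 and /24 entries: an analyst who sees the wrong AS name for a more-specific allocation will chase the wrong owner. An unknown address is reported as UNKNOWN rather than dropped, so gaps in the metadata are visible in the output.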
SIEM integrations and more
As great as the Kentik real-time dashboards are, and they are pretty great, your organization most likely has other tooling in place to monitor security incidents. With Kentik, you don’t have to choose between multi-dimensional network data that is rich in context or your integrated security incident response toolkit. You can send real-time enriched network data to your SIEM tool via the Kentik Firehose to give your security teams complete visibility into an attack as it happens.
Kentik also provides other integrations that come in handy during a security incident. For example, we support modern workflows like Chatops, on-call systems such as PagerDuty, and even configurable webhooks so that you can integrate Kentik with any downstream system that needs to know when an attack or vulnerability has been detected.
Advanced DDoS detection algorithms
Kentik’s DDoS protection streamlines network protection against attacks by offering customizable preset alert policies and automatic mitigation triggers. Kentik uses machine learning-based traffic profiling to eliminate false positives and negatives and to reduce response time. Users can visualize attack characteristics and their impact on the network, and trigger automatic mitigation actions.
Some popular configuration options include:
- Enable attack profiles: DDoS Defense offers preset alert policies for different attack profiles. You can enable specific attack profiles relevant to your network and adjust the threshold settings to tailor the detection parameters based on your network’s characteristics. This allows you to customize the detection and response to different types of DDoS attacks.
- Exclude interfaces: You can choose to exclude specific interfaces from being monitored for DDoS attack traffic. This allows you to focus on monitoring only your network’s most vulnerable or critical interfaces.
- Exclude IP addresses: You have the option to globally exclude specific IP addresses from being considered in the baseline for normal traffic patterns. This helps ensure that particular IP addresses, such as trusted sources or known outliers, do not affect the accuracy of DDoS attack detection.
Once an attack has been identified, automatically trigger your own mitigation strategy via RTBH/Flowspec or integrate with threat mitigation providers like Cloudflare, Radware, and A10. Again, our webhooks can integrate with any downstream system for complete automation.
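The three configuration knobs above (attack profiles with thresholds, excluded interfaces, and IPs excluded from the baseline) and the downstream mitigation hook, as an added example that is not Kentik's algorithm: a simple baseline detector that learns mean and standard deviation of matching packets per second per interface from historical windows, compares the current window against a per-profile threshold, and emits a webhook-style payload for any alert. Profile names, thresholds, interface names, the outlier host, the flow samples, and the payload schema are all constructed for illustration.

```python
"""Baseline-driven volumetric DDoS detection with attack profiles, excluded
interfaces and baseline-excluded IPs. Added example, not Kentik code;
all values are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed attack profiles: traffic signature, sigma multiplier above the
# baseline, and an absolute floor so a quiet link cannot alert on noise.
ATTACK_PROFILES = {
    "dns_amplification": {"proto": "udp", "src_port": 53, "sigma": 3.0, "min_pps": 5000},
    "ntp_amplification": {"proto": "udp", "src_port": 123, "sigma": 3.0, "min_pps": 5000},
}
EXCLUDED_INTERFACES = {"mgmt0"}          # never monitored
EXCLUDED_BASELINE_IPS = {"192.0.2.99"}   # known outlier (e.g. a load-test host)


def profile_matches(profile, rec):
    return rec["proto"] == profile["proto"] and rec["src_port"] == profile["src_port"]


def per_window_pps(records, profile, ignore_ips=()):
    """Sum matching packets/s per (interface, window), skipping excluded
    interfaces and, optionally, excluded source IPs."""
    buckets = defaultdict(int)
    for r in records:
        if r["iface"] in EXCLUDED_INTERFACES or r["src_ip"] in ignore_ips:
            continue
        if profile_matches(profile, r):
            buckets[(r["iface"], r["window"])] += r["pps"]
    return buckets


def build_baseline(history, profile):
    """Per-interface (mean, stddev) of matching pps over historical windows.
    Excluded IPs are left out so a known outlier cannot inflate the baseline."""
    series = defaultdict(list)
    for (iface, _), v in per_window_pps(history, profile, EXCLUDED_BASELINE_IPS).items():
        series[iface].append(v)
    return {iface: (mean(v), pstdev(v)) for iface, v in series.items()}


def detect(current, history):
    """Return alerts as (profile, iface, window, observed_pps, threshold)."""
    alerts = []
    for name, profile in ATTACK_PROFILES.items():
        baseline = build_baseline(history, profile)
        # Excluded IPs only affect the baseline; current traffic is counted whole.
        for (iface, window), pps in per_window_pps(current, profile).items():
            mu, sd = baseline.get(iface, (0.0, 0.0))
            threshold = max(profile["min_pps"], mu + profile["sigma"] * sd)
            if pps > threshold:
                alerts.append((name, iface, window, pps, threshold))
    return alerts


def mitigation_payload(alert):
    """Constructed webhook payload handed to a downstream mitigation system
    (the schema is an assumption, not any vendor's API)."""
    name, iface, window, pps, threshold = alert
    return {"event": "ddos_detected", "profile": name, "interface": iface,
            "window": window, "observed_pps": pps, "threshold_pps": threshold}


# Constructed history: ten quiet windows of DNS-response traffic on eth0, plus
# one huge burst from the excluded load-test host that must not skew the baseline.
HISTORY = [
    {"iface": "eth0", "window": w, "proto": "udp", "src_port": 53,
     "src_ip": "198.51.100.1", "pps": 800 + 20 * (w % 3)}
    for w in range(10)
] + [{"iface": "eth0", "window": 4, "proto": "udp", "src_port": 53,
      "src_ip": "192.0.2.99", "pps": 50000}]

# Constructed current window: a DNS flood on eth0, noise on the excluded
# management interface, and a small amount of NTP traffic.
CURRENT = [
    {"iface": "eth0", "window": 10, "proto": "udp", "src_port": 53, "src_ip": "203.0.113.5", "pps": 12000},
    {"iface": "eth0", "window": 10, "proto": "udp", "src_port": 53, "src_ip": "203.0.113.6", "pps": 9000},
    {"iface": "mgmt0", "window": 10, "proto": "udp", "src_port": 53, "src_ip": "203.0.113.7", "pps": 90000},
    {"iface": "eth0", "window": 10, "proto": "udp", "src_port": 123, "src_ip": "203.0.113.8", "pps": 300},
]

if __name__ == "__main__":
    for a in detect(CURRENT, HISTORY):
        print(mitigation_payload(a))
```

With the load-test host excluded, the eth0 DNS baseline is a mean of 818 pps with a small spread, so the 21,000 pps flood trips the 5,000 pps floor immediately; had the 50,000 pps burst been left in the baseline, the same flood would have fallen below the inflated threshold and gone unreported, which is exactly the accuracy problem the exclusion option exists to prevent. The 90,000 pps on mgmt0 produces no alert because that interface is excluded from monitoring entirely.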
Kentik customer Square Enix’s use of Kentik’s DDoS detection services illustrates this point. According to Square Enix, “As a gaming company, we see a lot of DDoS attacks, and when we see them, we use Kentik to analyze where they’re coming from and alert our security team so they can deploy countermeasures.”
Before Kentik, the customer explained, “All we had was an on-prem DDoS monitor that would send an alert about unusual changes in traffic volume, but we didn’t have any information about what type of traffic it was. We could only react to alerts and start hunting across a wide range of potential sources of an attack. With Kentik, we can pinpoint the source of suspicious traffic virtually in real time.”
Kentik also can help identify a false alarm, he adds. “In the past, we might have seen unexpected spikes in traffic from developers that set off the on-prem DDoS alarm. Now with Kentik, we can see exactly what that traffic is and where it’s coming from to determine if it’s normal traffic and something threatening.”
Sophisticated BGP analysis
As we wrote in our recent post, A Brief History of the Internet’s Biggest BGP Incidents, BGP routing incidents can be problematic for various reasons. In some cases, they simply disrupt the flow of legitimate internet traffic, while in others, they can result in the misdirection of communications, posing a security risk from interception or manipulation. Routing incidents occur with some regularity and can vary significantly in operational impact.
Kentik’s BGP monitoring solution helps mitigate BGP attacks faster by actively monitoring BGP for routing issues, including hijack detection and RPKI problems. Kentik provides the following capabilities:
- Event tracking: Analyze route announcements and withdrawals over time to identify unusual activities.
- BGP hijack detection: Detect and receive instant alerts about hijacking incidents for quick response.
- Route leak detection: Identify and alert about route leaks caused by configuration errors.
- RPKI status checks: Monitor unexpected origins and invalid RPKI status for secure BGP routing.
- Reachability tracking: Track changes in prefix visibility and receive alerts when prefixes become unreachable.
- AS path change tracking and visualization: Monitor frequent AS path changes and visualize route changes for faster troubleshooting.
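Three of the checks listed above (RPKI status, hijack detection, and reachability tracking), as an added example that is not Kentik's monitoring code: a stream of BGP announcements and withdrawals is validated against a constructed set of ROAs (RFC 6811 origin validation), compared with the origins we expect for our own prefixes to spot exact-prefix and sub-prefix hijacks, and tracked per peer so that an alert fires when a monitored prefix is no longer visible anywhere. ROAs, prefixes, peers, and ASNs are all constructed (RFC 5737 prefixes, private ASNs).

```python
"""RPKI origin validation, origin-hijack detection and reachability tracking
over a constructed BGP update stream. Added example, not Kentik code.
"""
import ipaddress
from collections import defaultdict

# Constructed ROAs: (prefix, max_length, authorized origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/23", 24, 64501),
]
# Constructed: prefixes we operate and the ASNs allowed to originate them.
MONITORED_PREFIXES = {"192.0.2.0/24": {64500}, "198.51.100.0/23": {64501}}


def rpki_validate(prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "notfound"


def check_announcement(ann):
    """Event names raised by one announcement (RPKI and hijack checks)."""
    net = ipaddress.ip_network(ann["prefix"])
    origin = ann["as_path"][-1]
    events = []
    if rpki_validate(ann["prefix"], origin) == "invalid":
        events.append("rpki_invalid")
    for mon, allowed in MONITORED_PREFIXES.items():
        mon_net = ipaddress.ip_network(mon)
        if net.version != mon_net.version or origin in allowed:
            continue
        if net == mon_net:
            events.append("exact_prefix_hijack")
        elif net.subnet_of(mon_net):
            events.append("subprefix_hijack")
    return events


class ReachabilityTracker:
    """Remembers which peers currently see each prefix."""

    def __init__(self):
        self.visible = defaultdict(set)

    def announce(self, peer, prefix):
        self.visible[prefix].add(peer)

    def withdraw(self, peer, prefix):
        """Return True when a monitored prefix has lost its last viewpoint."""
        self.visible[prefix].discard(peer)
        return prefix in MONITORED_PREFIXES and not self.visible[prefix]


def process(updates):
    """Run the full update stream; return (event, prefix, origin_asn) alerts."""
    tracker = ReachabilityTracker()
    alerts = []
    for u in updates:
        if u["type"] == "announce":
            tracker.announce(u["peer"], u["prefix"])
            for e in check_announcement(u):
                alerts.append((e, u["prefix"], u["as_path"][-1]))
        elif tracker.withdraw(u["peer"], u["prefix"]):
            alerts.append(("unreachable", u["prefix"], None))
    return alerts


# Constructed update stream: a legitimate origin, an exact-prefix hijack,
# a legitimate more-specific, a sub-prefix hijack, an unrelated prefix with
# no ROA, and finally the monitored prefix disappearing from both peers.
UPDATES = [
    {"type": "announce", "peer": "p1", "prefix": "192.0.2.0/24", "as_path": [64510, 64500]},
    {"type": "announce", "peer": "p2", "prefix": "192.0.2.0/24", "as_path": [64520, 64666]},
    {"type": "announce", "peer": "p1", "prefix": "198.51.100.0/24", "as_path": [64510, 64501]},
    {"type": "announce", "peer": "p2", "prefix": "198.51.101.0/24", "as_path": [64520, 64777]},
    {"type": "announce", "peer": "p1", "prefix": "203.0.113.0/24", "as_path": [64510, 64530]},
    {"type": "withdraw", "peer": "p1", "prefix": "192.0.2.0/24"},
    {"type": "withdraw", "peer": "p2", "prefix": "192.0.2.0/24"},
]

if __name__ == "__main__":
    for alert in process(UPDATES):
        print(alert)
```

The two signals are deliberately kept separate: an RPKI-invalid announcement of a prefix you do not own is someone else's problem, and a hijack of your prefix may still be RPKI-valid if the attacker forges your origin ASN, so neither check substitutes for the other. The reachability alert fires only on the last withdrawal, not the first, so a single peer losing a route does not page anyone.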
Attacks are inevitable. Responding to them faster is the key to minimizing their impact. With Kentik’s real-time visibility, data enrichment, and deep integration into the rest of your security stack, your company can be well on its way to living up to the 1-10-60 rule. In our third and final post in this series, we will look at how Kentik uses this real-time network data to kick off mitigation efforts and obtain a deep understanding of what happened so you can prevent future attacks.