Why Large Enterprises Need Modern DDoS Defense
Cloud complexities raise the bar for effective protection
I recently had an interesting conversation with an industry analyst about how Kentik customers use our big data network visibility solution for more accurate DDoS detection, automated hybrid mitigation, and deep ad-hoc analytics. I was focused on our current customer base in digital business as well as cloud and service providers. But it became clear to me based on his feedback that any complex enterprise today can benefit from a modern approach to DDoS protection, and that Kentik can add real value in that context.
What’s a complex enterprise? The term, which surfaces repeatedly in my conversations with various analysts, goes beyond just the notion of size, though there’s a fairly strong correlation between the size of a business and the complexity of its IT infrastructure. From an infrastructure point of view, a complex enterprise operates multiple, geographically dispersed datacenters and cloud deployments. These datacenters each have multiple BGP Internet peerings to facilitate resilience and performance. The collective bandwidth profile of these datacenters is high volume, in some cases adding up to hundreds of Gbps.
It’s important to note that the IT architecture of many of these complex enterprises leans increasingly towards distributed applications. Service components and dependencies are spread across datacenters, the cloud, and the Internet, and applications involve increased east-west traffic flows, which makes end-to-end performance heavily reliant on predictable network behavior. The disruption of network bandwidth or performance to any particular set of services can create a disastrous ripple effect on the entire application eco-system, which makes it critical to protect more than just north-south, client-server Web traffic.
To get an idea of how important effective protection can be, remember that by disabling just one digital dependency — the Dyn DNS service — hackers were recently able to shut down e-commerce for many of the industry’s most visible Web brands. But given the number of datacenters, diversity of internet peering, and overall traffic volume, outsourcing DDoS mitigation full time to cloud services is astronomically expensive and doesn’t provide a sound ROI.
Another wrinkle for complex enterprises is that over time they’ve often acquired a variety of Internet-edge facing devices, including edge routers, switches, and load balancers. Plus they often have a multitude of siloed tools for network analysis, DDoS detection, and mitigation. In the many cases where these enterprises have grown via mergers and acquisitions, the diversity of infrastructure and tools is even more pronounced.
The above realities — growing vulnerability due to distributed applications, increasingly complex and diverse infrastructure, and archaic siloed tools — underscore the challenges that complex enterprises face in the realm of DDoS protection. They need greater unification of telemetry data, detection policies, and mitigation triggering. And they need to be able to construct their own hybrid defense system, with a combination of detection plus both on-site mitigation appliances and on-demand bursting to cloud mitigation.
These factors are driving enterprises to reconsider further investment in legacy tools, looking instead for modern solutions that transcend traditional silos and limitations. When I asked the analyst what percentage of his client inquiries about DDoS are from large enterprises his responses was “most,” in particular from large financial services organizations.
So far we’ve established that there’s a real need for modern DDoS protection, but what does that mean? Many analysts define as “modern” the widespread move in IT toward hybrid cloud and cloud-scale applications and analytics. In this context, modern DDoS protection can be understood to mean a fully hybrid approach combining the following characteristics:
- Cloud-like scale for the “application” aspect of detection and forensics.
- A hybrid on-premises and cloud-bursting approach to deep packet inspection (DPI) mitigation hardware, both in terms of where it lives and how it’s paid for (CAPEX vs OPEX).
Kentik Detect is a modern approach to detection and analytics, and supports a modernized approach to DDoS defense. Kentik Detect delivers both cloud scale and field-proven gains of 30% in attack detection accuracy versus traditional detection appliances. How is this possible? Detection appliances are limited to simple policies such as looking at volume (bits/packets/flows per second) against large IP pools. Any baselining, if it’s available at all, can only be performed on a per-exporter basis and relies on static policies that quickly fall out of date. Kentik, meanwhile, leverages its significant computational advantage to perform far more sophisticated anomaly detection policies than earlier appliance-based solutions can handle.
Freed from the compute and storage constraints of appliance architectures, Kentik Detect enables you to do things no appliance-based system can:
- Track millions of individual IPs, so you don’t lose important attacks in the noise of high overall traffic volumes.
- Configure multi-dimensional alerting policy criteria by grouping BGP, IP, GeoIP, and other fields.
- Measure a broad variety of metrics including the traditional (bps/pps/fps) as well as innovative new types including unique source IPs, unique dest IPs, unique source AS, unique dest AS, unique source Geo, unique dest Geo, and TCP retransmits.
- Baseline on a network-wide basis using an adaptive inclusion-set configuration so that significant IPs are always baselined and important deviations aren’t missed.
Aside from the capabilities enabled by superior compute power and storage capacity, Kentik is also different because it’s built to be a data unification platform combining flow records (NetFlow, sFlow, IPFIX, etc.) with BGP, GeoIP, SNMP, and performance metrics from packet capture. With daily storage of flow records in the range of 130 billion, our SaaS platform has the proven scale to serve the largest enterprise needs, and we also deploy on-premises for large telecoms, cloud providers, and enterprises. SaaS or on-prem, the performance of our ad-hoc analytics is super-fast even on multi-dimensional queries across multiple billions of rows. Over 95% of our customers’ queries return answers in just a couple of seconds.
Kentik’s column store architecture is also extensible, allowing customers to create custom columns that are auto-generated on ingest from a combination of inbound data records and pre-configured tags. We’re continuously adding more supported data types, with data columns such as threat feeds already in the works.
The combination of speed and data extensibility means that Kentik can be a one-stop, silo-free platform for network visibility — not just for DDoS but for a broad range of use cases including operations, security, planning, and business intelligence. That’s why Kentik has been recognized by leading analyst firms Gartner, Forrester, and IDC for the big data power of its analytics platform. When it comes to DDoS detection, that analytical power is crucial for gaining forensic and situational awareness, which is why there’s no comparison between Kentik Detect and traditional appliances.
Kentik Detect is also mitigation neutral, with built-in RTBH capabilities and automated triggering of 3rd-party solutions via multi-condition settings in our alert policies. Because it already supports multiple mitigation techniques and vendors out of the box, and is “API-first” in its software architecture, Kentik Detect is an ideal arbiter for detecting attacks and triggering hybrid mitigation across the whole enterprise network.
As with the rest of IT, the modernization of DDoS defense is being driven by the rising importance of the cloud, a trend that is likely increasing the complexity of your organization’s infrastructure, network, and DDoS attack surface. That’s why, as advised by the analyst I began this post with, if you’re looking to modernize it’s important to thoroughly assess what you’re trying to protect. Getting a handle on all of your critical digital dependencies is an essential step in developing a clear picture of your requirements.
The bottom line is that there’s no better time than the present to assess whether your enterprise network security organization needs to modernize its approach to DDoS. For a big-picture view of DDoS trends and why Big Data Analytics is needed in the Age of DDoS, check out our webinar by that name, which we presented in collaboration with Joseph Blankenship, a senior analyst from Forrester. If you’re a Gartner client and you’d like to get their perspective on Kentik, feel free to talk to your contacts in the core analyst or GTP organization; they’re familiar with us.
Meanwhile, if you’re already keeping your eyes open for the best way to modernize, it’s definitely worth your while to take a look at what we’re doing at Kentik. Check out our DDoS solution page for more information on using Kentik Detect for DDoS protection. You can also contact us at firstname.lastname@example.org to arrange a demo, or dive right in by starting a free trial.