Proper DDoS Protection Requires Both Detective and Preventive Controls

In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventive and detective controls. As the name suggests, preventive controls are designed to reduce the potential that a given threat will negatively affect a given environment.

Of course, preventive controls don't always work as designed, and some threats will always get through them. To supplement this protection, detective controls are also used. Detective controls identify security issues soon after they occur, so that they can be remediated before too much damage has occurred.

Using preventive and detective controls in tandem is a routine practice that is applied across many areas in the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.

That is by no means an exhaustive list — this practice is applied in myriad areas within the security space. You can imagine my surprise, then, that one area is noticeably lacking the powerful combination of preventive and detective controls: distributed denial-of-service (DDoS) protection.

Why DDoS Is Still a Problem

DDoS is a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of businesses lose at least $120,000 due to DDoS attacks, while 15% of businesses lose at least $1 million. Even with the best DDoS protections in place, businesses still suffer from 30% to 75% exposure of their online services to DDoS, MazeBolt says. This means that DDoS is a serious problem confronting the industry — and one that is not getting the preventive controls it needs.

Perhaps that will surprise you, too. When it comes to DDoS, organizations focus mainly on detection and mitigation. They purchase DDoS mitigation solutions, but they don't give much thought to protecting the organization from attack in the first place. We as a profession don't seem to focus much on DDoS preventive controls, despite the fact that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest DDoS mitigation guidance.

It may seem odd, but historically, there are reasons for this, such as the difficulty in checking for vulnerabilities and susceptibility to DDoS in a nondisruptive manner.

5 Steps to Round Out DDoS Protection

So once an organization decides to take a more well-rounded approach to DDoS, what are some steps it should follow to ensure it is adequately protected? I've offered a few thoughts here.

1. Check for vulnerabilities. Organizations should ensure that they check for vulnerabilities and susceptibility to DDoS at layers 3, 4, and 7 of the OSI model. This is easier said than done, of course. This requires being nondisruptive in identifying vulnerabilities. Taking down the infrastructure in the name of DDoS security would not be a good thing.

2. Stay nondisruptive. No one needs their DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime, and customer satisfaction. There is a better way — namely, new nondisruptive, nonintrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risk.

3. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are missed is to know the environment well. This is the case regardless of how complex the environment is, and even if that environment involves hybrid and multicloud environments. Understanding the environment is the best way to eliminate blind spots. That, in turn, makes the vulnerability identification and remediation process far more thorough and effective.

4. Establish and follow a process. Organizations should have a process to document and prioritize vulnerabilities for remediation. This ensures that things do not fall through the cracks and reduces the potential for oversight and human error. Even with the best process, organizations will still need determination and follow-through to remediate the vulnerabilities they have identified. DDoS security is a marathon, not a sprint.

5. Iterate your security steps. DDoS security, like many areas within the security field, is not a one-time activity. Organizations need to continually test for new or persistent vulnerabilities within the infrastructure. They need to ensure that they are continually aware of changes to the environment so that they can retain the requisite level of understanding and knowledge of the environment. Organizations will also need to continually stick to and follow their process to ensure that vulnerabilities are remediated in a timely manner. Simply put, DDoS security is an effort that requires continuous attention.

Time for DDoS Preventive Controls

Like many areas in the security space, DDoS security leverages both preventive and detective controls — or at least it should. For a variety of reasons, our historical focus around DDoS has been primarily on detection and mitigation of DDoS attacks. We as a field are long overdue for leveraging preventive controls in the DDoS security area.