
8/10/2020
09:00 AM
By Hardik Modi, AVP, Threat and Mitigation Products, NETSCOUT
Sponsored Article

Assuring VPN Availability & Performance in a Pandemic World

Monitoring key performance indicators, and deflecting attacks is critical to maintaining VPN availability and performance in today's locked down, telecommuting workplace.

The current pandemic has spurred a revolutionary shift to remote work environments and triggered a huge increase in Internet traffic. According to OpenVault’s Q1 2020 Broadband Insights Report, average bandwidth consumption has jumped 47% since the same time last year, with much of that traffic being outbound, which signifies VPN usage.

Amazingly, though, the Internet hasn’t broken. “It’s running hot, but stable,” is the way one Internet backbone engineer put it. But the hidden truth in these statistics is that business in a pandemic world is depending on the Internet more than ever, particularly through business use of VPNs. VPNs are the best-practice technology for safe distance working and learning, and now they’re essential to almost every job.

Keep in mind that Internet consumption statistics are spread across all use cases, with some applications spiking higher than others. In particular, multiple US ISPs reported an increase in VPN traffic of 60 to 90 percent, with weekend reductions that flag this as remote worker activity.

High usage leads to new risks: reduced network maintenance due to worker isolation, unplanned capacity exhaustion, and malicious attacks. The only way to effectively mitigate these risks is by close VPN monitoring, not just of up/down status, but detailed performance statistics.

Tracking Application Failures
Packet loss often presages a more serious outage, and is worth watching. The best place for monitoring performance degradation is not at the circuit level, as you might think, but at the application level, where gradual network congestion first shows up as loss-induced application errors.

Some applications are more sensitive to lost packets than others. For example, a streaming video application might experience a few “glitches” on the screen, while a remote control application, such as Citrix, might freeze up completely. Thus, it’s critical to monitor applications separately, first establishing a normal performance baseline, and then setting thresholds for each application to report excessive errors.

Unthinkable Exploitations
As if the pandemic’s worldwide depression of business isn’t bad enough, unethical third parties are exploiting this diversion of attention to force data breaches and other intrusions. The most common tool for this is the DDoS – Distributed Denial of Service – attack, where an intruder marshals an army of “bot” computers across the Internet to drive increasingly high transaction levels against a company or application in order to crash it, and hopefully gain illicit access to the target network.

NETSCOUT has reported nearly 4.6 million DDoS attacks in the first half of 2020, as compared to 8.4 million attacks over the entirety of 2019. Attackers can be expected to pay special attention to VPNs, because with one endpoint typically being a less-heavily secured residential broadband connection, the “attack surface” is much larger than the fortified enterprise firewall at corporate headquarters. Malicious “VPN help” websites abound, and can dupe many a home worker into infecting their computer with botware, or worse.

Often, DDoS attacks start out slowly, and step up over time before they become debilitating. By monitoring key performance indicators, you get an early warning that a DDoS attack may be in progress, giving you time to mitigate it using inline protection tools.
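As an added illustration (not code from the article or from NETSCOUT's products) of the per-application baselining described under "Tracking Application Failures" and the step-up pattern just described: the block derives a separate error-rate threshold for each application from a constructed baseline window, checks current observations against those thresholds, and raises an early warning when a KPI keeps growing over consecutive intervals. The application names, sample values and tuning parameters are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): per-minute loss-induced error
# rate (%) per application, seen at the VPN concentrator during a quiet window.
# Citrix tolerates far less loss than video, so each gets its own baseline.
BASELINE_WINDOW = {
    "video":  [1.2, 0.9, 1.4, 1.1, 1.0, 1.3, 0.8, 1.2],
    "citrix": [0.1, 0.2, 0.1, 0.0, 0.2, 0.1, 0.1, 0.2],
}

# Constructed KPI series: new VPN sessions per minute. The tail grows steadily,
# the "starts slowly, steps up over time" pattern described for a DDoS.
SESSION_RATE = [40, 42, 39, 41, 43, 55, 70, 88, 110, 140]


def build_baseline(samples, k=3.0, min_margin=0.5):
    """Per-application threshold: mean plus k standard deviations, but never
    tighter than mean + min_margin so a very quiet app does not alert on noise."""
    mu, sigma = mean(samples), pstdev(samples)
    return {"mean": mu, "stddev": sigma,
            "threshold": mu + max(k * sigma, min_margin)}


def build_all_baselines(window=BASELINE_WINDOW):
    return {app: build_baseline(samples) for app, samples in window.items()}


def check_app_errors(baselines, observations):
    """Applications whose current error rate exceeds their own threshold."""
    return sorted(app for app, rate in observations.items()
                  if rate > baselines[app]["threshold"])


def ramp_alert(series, growth=1.15, min_steps=4):
    """True when the KPI grew by at least `growth` x for `min_steps` consecutive
    intervals: an early-warning signal that precedes the debilitating phase."""
    streak = 0
    for prev, cur in zip(series, series[1:]):
        streak = streak + 1 if prev > 0 and cur / prev >= growth else 0
        if streak >= min_steps:
            return True
    return False


if __name__ == "__main__":
    baselines = build_all_baselines()
    # The same 1% error rate is tolerable for video but far above Citrix's threshold.
    print(check_app_errors(baselines, {"video": 1.5, "citrix": 1.0}))  # ['citrix']
    print(ramp_alert(SESSION_RATE))  # True
```

A shared threshold across both applications would have missed the Citrix degradation or false-alarmed on video; the per-application baseline is what makes the alert meaningful.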

An important adjunct to monitoring is threat intelligence: a set of processes that includes situational awareness about which of a business’s assets hackers see as low-hanging fruit, as well as trend analysis and alerting on new and innovative techniques that have been observed ‘in the wild’. The best threat intelligence services are not just monthly or weekly reports, but real-time portals that give you immediate notification of any nefarious activity.

The Root of the Problem
Just finding a problem is only half the battle. Any monitoring or alerting software should also help you identify the cause of the problem, either by identifying choke points in an application’s data flow, or by revealing anomalies in the types of transactions. The former might signal an impending circuit failure, while the latter may foretell a DDoS attack.

Called root cause analysis, this process requires specific tools, such as transaction logs, traffic history charts, and the ability to compare trends across your network. Today’s best tools employ machine learning to rapidly recognize deviations from baselines that can’t be explained by normal application activity. By analyzing workflow context, these ML engines can isolate a problem to a specific application or server.

The NETSCOUT Pandemic VPN Protection Toolkit
You can assemble your own toolkit of applications that perform application monitoring, service level tracking, DDoS detection, threat intelligence, and root cause analysis. But they likely won’t be integrated, leaving you to manage an armful of web portals and reporting systems. NETSCOUT offers a complete VPN Protection Toolkit, in the form of its nGeniusONE service assurance platform and Arbor Edge Defense (AED). The comprehensive application monitoring console lets you view performance statistics across the enterprise, with the ability to drill down to any application or location. nGeniusONE also gives you at-a-glance status of your entire company in a single pane of glass. AED provides in-line DDoS protection in front of the firewall protecting not only the applications, but the security stack as well.

Because nGeniusONE extracts application data from multiple locations across your network, it’s able to correlate events and provide predictive data about impending network failures so that you can fix them before users feel them. When DDoS attacks are suspected, AED by NETSCOUT delivers DDoS mitigation to secure application performance and prevent future DDoS attacks.

Through its deep intelligence and analysis features, nGeniusONE can quickly and precisely identify a problem’s root cause, and AED can block DDoS attacks before they impact the business. Even better, the nGeniusONE dashboard lets you create proactive views to head off problem recurrence, letting you address a repeating failure before customers notice.

Comprehensive monitoring, single-pane-of-glass visibility, bulletproof DDoS protection, and solid root cause analysis make nGeniusONE a toolkit worth investing in. For more information, check out:

About the Author: Hardik Modi, AVP, Threat and Mitigation Products, NETSCOUT

Hardik Modi oversees the teams responsible for mitigation products as well as the creation of security content for NETSCOUT's products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and intrusion landscapes. Prior to joining NETSCOUT, Hardik was Vice President of Threat Research at a network security vendor. He has nearly 20 years of experience in networks, product design and security research. He is a frequent author of blogs and speaker at security events. Hardik holds a Bachelor of Engineering degree from Gujarat University, India.
