Dominic Trott (Research Director, European Security & Privacy)
Romain Fouchereau (Research Manager, Security Appliance Program, European Systems and Infrastructure Solutions)

An unnamed AWS customer suffered the largest distributed denial of service (DDoS) attack in history, a third larger than the previous record-holder — a 1.7 Tbps attack mitigated by NETSCOUT Arbor in March 2018.

While news headlines in June 2020 remain dominated by COVID-19 and the Black Lives Matter movement, another major development this month has been somewhat less reported: the publication of the AWS Shield Q1 2020 Threat Landscape Report.

While the title may not scream “headline news,” it may yet echo down the ages given a statement made on page 3 of the report: “In Q1 2020, a known UDP reflection vector, CLDAP reflection, was observed with a previously unseen volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS.”

While the size of the attack is significant, there is another important angle to consider: although AWS Shield (the DDoS protection service provided to customers who host web apps on AWS) acknowledges that it took three days to contain the attack, it was able to protect its customer against the attack using in-house capabilities.

Gaining (Digital) Trust Is Key

For companies on the receiving end of such attacks, gaining and retaining the trust of customers, partners, and the public is of paramount importance to remaining competitive in business. According to IDC’s global CXO survey, which was in the field earlier this year, trust is now the top-priority new agenda item for CXOs over the next five years.

Trust introduces new variables that go beyond the traditional idea of “security” to include risk, compliance, privacy, social responsibility, and even business ethics.

In an organization with a strong digital trust posture, enterprises, users, and partners can interact and innovate without having to worry about security implications.

To get there, security teams must engage with lines of business and consider the evolving technology landscape to better support people and process. If they get this right, this is a clear means by which security teams can support business outcomes and elevate their influence.

Security by Design: Milestone for Enterprise Security

This development is indicative of the rise of “native” security tools being offered by the big 3 cloud “hyperscalers” (AWS, Google Cloud Platform, and Microsoft Azure), as well as major SaaS providers such as Salesforce.com and ServiceNow, built into their platforms. In fact, the now well-established boardroom criticality of IT security means that cloud service providers (CSPs) cannot afford to go to market with solutions that are not “secure by design.”

While security by design is a major milestone for enterprise security, unfortunately the practice of working with secure-by-design CSPs is not a silver bullet. That is before we even consider that the number of organizations whose IT is based entirely on public cloud services is vanishingly small.

The vast majority of enterprises are operating across a complex “multicloud” blend of on-prem, private cloud, and public cloud infrastructures and applications.

Why DDoS Attacks Are Difficult to Negate

To further complicate the picture, there are two conditions that make DDoS attacks particularly difficult to negate. First, “DDoS for hire” services mean that anyone with sufficient motive can launch an attack, regardless of their capability.

Second, as many DDoS attacks achieve scale through botnets (such as the October 2016 Mirai Botnet attack on Dyn), enterprises cannot mitigate these attacks by remediating vulnerabilities in their own environment. Rather, they are dependent on the security hygiene of third-party connected devices that botnets prey on.

This shows the importance of the digital trust that comes from visibility into connected assets and the data they generate.

While DDoS attacks highlight the vulnerability of connected devices, this is far from their only risk factor. This is especially relevant when considering the interconnectedness of partner ecosystems that operate across shared infrastructures, such as those based on IoT and IT/OT convergence.

Varying approaches to tasks such as patch management, asset maintenance, and compliance make it tough to understand the provenance of data generated by third-party assets. Yet this exposure to third-party risk may be critical to the development — or indeed loss — of brand reputation.

This challenge is prompting interest in how trust can be distributed across partner ecosystems to foster transparency and confidence between partners to minimize risk, while simultaneously honing efficiencies through greater automation of transactions with trusted third parties.

IDC is launching a new research theme — Future of Trust — to shine a light on how enterprises can build trust, and the benefits that this can bring. Please visit our new dedicated European security and trust website to learn more.
