The power of Big Data for security, operations and DDoS protection

automate PKI IoTDDoS atacks are costly to your reputation and your bottom line. In this podcast recorded at RSA Conference 2017, Avi Freedman, CEO at Kentik, discusses how to recognize attacks quickly and accurately, then shut them down with situation-appropriate mitigation.

big data ddos

Here’s a transcript of the podcast for your convenience.

I’m Avi Freedman, CEO of a startup called Kentik Technologies, I’m here today, on this podcast, to talk about the power of Big Data for security, operations, and DDoS protection.

DDoS has become a very hot topic last year, especially as people’s hunted homes are attacking the world. Your vacuum cleaner, toaster, microwave, your thermostat, television, you can go on and on, have been added to the wave of infected servers that are well-connected that are out there. And a lot of the companies that Kentik works with that make their revenue over the network, where they actually deliver to the end-users, they deliver to partners, they have APIs, are trying to understand how do we keep our business flowing in the face of all this noise on the Internet.

What’s been very interesting to see is that a lot of these customers with the legacy solutions that they had, had really very limited visibility. Without enough data storage and crunching to actually double click into events, they would think that what was an attack was a misconfiguration, they’d think a server was spiking because someone was generating load, and it was actually someone outside attacking them. And they’d often also, on the reverse side, think that things that they’d think they were under attack when it was actually a partner stressing their API.

So, all these things become really critical, they become alert. And without the proper tools to actually investigate, you just wind up wasting a lot of time. And one of the very visceral things for the folks we work with is they just don’t have enough people; they don’t have enough time. And that drives a lot of the tooling up. So we’ve seen a lot try to build in-house, but a lot of folks have been booking for vendors to take a more modern approach. And so, that’s been very fun and great for us.

In general, what do you see your customers most worried about?

Generally, it’s revenue. About half our business is service providers, and they want more revenue. Yes, they’re concerned about preserving revenue and about the cost of goods sold, but they’re trying to figure out, ‘How can I make services to sell security related things?’ Because they don’t want to be trapped in packet jail where they only make money on the packets that they transfer.

The web companies, and SaaS companies, and customers of ours like NewStar and OpenDNS, now Cisco, the people that make money and all their revenue flows over the network, they need to preserve that. Because they already are spending all the money they can to get more revenue. And if they’re impairing it on the delivery side – generally, they call it ‘the prod network’ – but the production network that delivers the revenue, that’s an impairment that can’t overcome. If they’re growing at 5%, but they’re leaking at 6%, then they’re actually going to shrink, and that’s no good. And cost of focusing well on the infrastructure and running it well is much less than the cost, typically, of the marketing budget, especially nowadays.

What Kentik was founded to do is take a Big Data approach, take all the network infrastructure layer traffic data, keep it, and make it fast to use; and to do that in a way that lets people, basically, kill all their appliances. We were asked to focus on Lancope first. We actually decided to focus on Arbor first, which is a leader in the DDoS space, just because I couldn’t find any happy customers. It was a 15-year-old technology, and a lot of people were very frustrated, because with Arbor, you have to actually define a managed object. You have to say, ‘Okay, this is what I want you to be able to tell me about’ But people don’t always know in advance, the attacker doesn’t send you a postcard and say, ‘This is where I’m going to attack, and here’s how.’ But there’s also the whole network performance management space, which was a little bit less on the security side, except that if your security is impaired, sometimes you have to shove things down, and that affects your revenue. So, again, it’s related.

We take a Big Data approach, we keep everything, and we typically run SaaS, but we do run for large customers run an on-prem copy of what we do. We have – to use, again, an operational analogy – more like a New Relic type technology, multitenant Big Data, but we have an app dynamics go-to-market, which is if you say, ‘I don’t trust anyone outside to have my data’ – ‘Okay. I can’t tell you what your security posture and policy should be, so we’ll go run it for you.’

Today we’re focusing on DDoS, and traffic planning, and peering, which is the inner connection between networks. And then, over the course of this year, we’ll be flushing out things that we’ve been doing with threat analytics and performance management that we’ve started to roll out, all on top of the same data and on top of the same platform.

big data ddos

How do you see IoT DDoS and blended attacks evolving in the next few years? This space is becoming very interesting.

Yeah, the IoT space is very interesting. Broadly, in security, it’s even more interesting, because you could do much worse than DDoS. If you have a haunted house, you could trip someone with a vacuum cleaner. Yeah, there’s a lot of interesting things that you could do. Explode the microwave – right?

I think we’ve just seen the beginning. And unfortunately – and I come from the Internet provider community – the Internet infrastructure is not really keeping up with… it’s not an advanced vulnerability. Anyone can send a packet of any IP address, and anyone of a hundred thousand different networks could advertise well and steal your traffic. We’ve been talking about this, and talking about this, and talking about this for 20 years, but the ability for people to hijack and attack the infrastructure, the ability for end-users to connect and the ISP to say, ‘Well, okay, there’s an attack coming, but I can’t do anything, it’s not my traffic’, I think it’s going to come to a head, because I think we’re going to see larger and larger attacks.

None of us, none of the vendors, none of the service parties want regulation, because that usually has what we call, at best, ‘unintended consequences’. Interestingly, maybe the Trumpian executive order, the FCC ruling that will be coming about net neutrality will actually help the situation. But providers have to get there to be willing and able to actually filter their customers. We’re hopeful, but right now there’s been mostly inaction. And all we can expect, I think, is larger and larger attacks that are more pervasively sourced around the edge of the network.

What does your roadmap look like for the rest of the year?

At Kentik, what we’re focused on is continuing our work with the carriers and web companies around analytics and peering. We integrate with five different ways of doing DDoS mitigation. We partner with Radware, can speak BGP, make API calls and configure. So we’re continuing to extend that. But a lot of the roadmap is one thing we’ve just talked about, ‘How do we let providers deal with protecting against the outbound attacks?’ Because DDoS mitigation is mostly about protecting inbound, but if you’re a service provider, any one IoT device is probably only doing a megabit, but if you have four hundred thousand of them, then all of a sudden, that’s a big problem. And the classic technologies haven’t been designed for that, so we’re working on that.

And threat intelligence. As I mentioned, we started on the operational and DDoS side, but we’re building something to take customers’ views of what the flats are that are out there, which plenty of people all over the security landscape sell, and integrate that in so if they’re a web company, they can understand which of their machines are compromised. And if they’re a service provider, they can use it for lead generation and say, ‘Hey, you’re compromised. Would you like some assistance?’ Even for free or for money.

And the third thing is, really, going deeper on the network performance side. Right now, we take performance data and can show people, ‘Here’s where the problem is in the network’, but going up the layer server stack to say, ‘Here’s where the problem might be in the application, as well’, really tying APM into NPM.

big data ddos

RSA Conference 2017