Cybersecurity is a chess marathon with hackers: Carl Herberger

Yogesh Gupta December 21, 2016
Cybersecurity is a chess marathon with hackers: Carl Herberger

DDoS is fast becoming the top concern aspect for CSOs globally, says Carl Herberger, VP-Security Solutions, Radware.

Apps are an integral part of any business today. Radware, a security and availability solutions provider, is protecting the organizations globally from cybercrime, including DDoS attacks. “We have a phenomenal track record of innovating in security and bringing great partnerships on the table for our end customers. Also we lead the availability solutions area which is core to modern businesses,” says Carl Herberger, VP-Security Solutions, Radware.  In an extensive interview with CSO India, he spoke on DDoS threats, CSO role and competitive landscape.

Edited excerpt:

Security companies are investing millions in protecting organizations from all kinds of breaches. But hackers are mostly one step ahead.

There is no destination in cybersecurity. It is like destination means one birth and one death. which does not mean you can’t have good health in between. Security is like a gigantic chess match. Sometime you make a good move and sometimes they (hackers) make a good move. Security is very much constant practice to keep on moving and discipline against the current landscape. Hence security companies’ spending money in R&D shouldn’t be with the despair that the other side will always win.

We are losing right now as the return of bad guys is much in excess than good guys. On DDoS (Distributed Denial of Service) side, there are 18 year old kids making 3000 to 5000 dollars per year by putting a little code on cloud service and selling that. And the protection services that people buy run into tens of thousands. There is a clear disparity. It will be a long struggle as the bad guys are currently doing good job with finances aspect in their favor.

DDoS threat landscape has become murkier, proven by recent Mirai malware causing internet outrage. How do security companies like Radware combat that beast?

Organizations are still clinging to yesterday’s memories of security and yet not embracing on tomorrow’s defensive strategy. Projects around cloud, IoT, virtualization and the security models are nothing like the past.

DDoS used to high volume high rates only. However the other modern forms of DDoS were not considered by many other vendors. Radware does not feel that high rate is bad. In fact high rate can be good for many business models like airline’s surge prices after weather disruption for customer experience. High rates on stock exchange is desirable too. Radware’s technology stack addresses the legitimate versus illegitimate traffic patterns across companies.

DDoS concern has evolved as companies move to cloud and become more app-centric. Availability to App becomes everything. DDoS has risen in its value prop as the app is everything for business to drive customer experience, grow business and adopt digitalization. Businesses are transforming into App (which typically resides in cloud) centric companies. DDoS is really an availability problem and that’s the big play for Radware. We have been innovators on hybrid, SSL DDOS, web based application and DDOS conundrum to keep companies up, running and secure.

Doesn’t application economy opens up a newer and wider attack vector for hackers?

CSOs should acknowledge that the availability is a core attribute to your business. It’s like air to life or water to life. Without it, you cease to exist and it cannot be taken for guaranteed. That’s same with a clean App.

In a DDoS attack in Australia, the data for census hosted in third party datacenter was not impacted due to proper protection on the infra. However the census application went down causing tremendous disruption. During the very high available period and the most crucial time, the App become unavailable. The threat landscape for Apps is much targeted and it is reportedly far bigger than the network itself approximately ten times higher.

IoT is often perceived as Internet of Threats with the advent of wearables, ICS, machine learning. Are CISOs worried about today’s threats or the futuristic ones like IoT-related?

We have not seen anything yet when it comes to threats. There will be a day in not too distant future wherein cloud, IoT, virtualization was worth it because of the threat landscape. DDoS is moving into a direction wherein we see Ransom on IoT has just started on connected car, pacemaker etc. DDOS now percolates down the stack. With virtualization taking off, companies will buy less servers but they will buy powerful ones which will host lots of Apps. All the eggs in the basket can be vulnerable for DDoS attack.

Tomorrow’s DDoS on Apps will move also on hardware called PDoS (Permanent Denial of service). There have been four to five datacenter fires this year. I donts want to speculate much but the physical harm to the device or datacenter sounds extremely scary. Cloud to some degree becomes uncontrollable for CISO with less visibility and inadequate tools. The future of tech is driving more control and visibility for proactive companies across verticals like beer, manufacturers, airlines, cars migrate hundreds of apps to cloud.

Availability is like air to life or water to life. Without it, you cease to exist and it cannot be taken for guaranteed. That’s the same with a clean app for a business.

Radware has a massive portfolio that stretches across network security, ADC, load balancing, DDoS and more. Who’s your actual competition?

Our mission revolves around ensuring that companies freely consume applications from anywhere in the world. That includes dealing with bottlenecks of every day IT wherein our ADC stack comes to the fore.  We have tech stack that provides visibility, traffic steering, performance management, acceleration services rallied around consumption of a highly functioning app delivery. Our security portfolio addresses fraud, anti-bot, API security, layer 7, DDoS layer 3/ layer 4 and all are focused on availability to freely consume app

We have individual competition like Arbor on DDoS carrier grade, Imperva on web app firewall and then we compete with F5 and A10 networks on load balancing side. In terms of focus, we are an availability technology company. For companies who want high availability for business functionality with a security layer, Radware is the perfect partner.

It is the traffic bottlenecks more than the security that plagues the modern business. For example Pokémon Go App was clobbered by too many users due to traffic steering, load balancing, traffic management and their UI continues to drop till date. It was a pure app delivery engineering problem.

Do CISOs understand the sheer importance of DDoS? How can they ensure a robust security posture at their company?

The networking professionals understand DDoS far better than security folks. The availability domain has been with teams of network or apps and security people very rarely had task of ownership of availability. On other side, the networking people are ignorant to lot of security concerns. Therein lies gray area which the bad people navigate very well.

The yesteryear’s philosophy that CSOs should not be extra technical in security domain does not hold true. Today they have to be very knowledgeable in skillsets and re- familiarize with cloud technical infra, virtual infra and complexities around IoT. Many have fallen into the compliance trap through pen-test, vulnerability assessment, PCI reviews etcetera. DDoS testing is seldom on their priority list. In series of banks hacked in US recently, it was revealed that they never conducted DDoS test though they were compliant organizations.