One of the most commonly overlooked topics when selecting a DDoS protection solution relates to analytics and reporting tools. Many customers choose a DDoS solution based solely on either how effective they believe it will be or how well they’ve been told it protects against various attacks. However, customers often overlook the importance of critical tools, including real-time analytics, dashboards, reporting capabilities and others related to analysis and monitoring.
The following are common, day-to-day use cases and the tools you’ll need to address them.
First, You’ll Need the Right Dashboard
The first critical tool is a single-pane-of-glass dashboard. It provides overall, real-time visibility from different points of view, including:
- The current state of your network:
  - Are you under attack? What are the current attacks?
  - What are the current and recent changes to your network?
  - Which traffic is legitimate and what has been dropped due to an attack?
  - How can you get real-time statistics about the current state of your network, such as concurrent connections, connection rates, traffic composition, and more?
- The ability to drill down into a specific attack and analyze related properties, including:
  - Attack category(ies), volume (bps/pps), maximum traffic, dropped traffic, top sources, and more.
  - A dynamic screen that provides visibility widgets and statistics based on the specific attack categories needing analysis.
  - The ability to analyze the attack throughout its lifecycle and learn how it has evolved and is being mitigated.
- The ability to dynamically change the scope being analyzed based on user-defined changes to the dashboard. Here are two examples:
  - Changing the timeframe within the dashboard.
  - Changing the portion of the network being analyzed.
- Top attacks by different criteria, including top sources, destinations, attacking geolocations, attacks by volume, attack categories, scanners, and more.
- A dedicated dashboard for analysis of IP reputation feeds and behavioral attacks by type.
Here Are Two Very Common Scenarios in Which You May Find Yourself
Imagine an IT manager calls you and is concerned because customers are reporting that applications under attack are suffering from performance degradation.
How can you analyze and verify whether the concern is valid? Also, how can you provide answers, and fast?
Here’s what you’ll need:
First, you need a tool that lets you search your attack database over the recent minutes, hours, days, weeks, even months. This often requires multiple, sometimes complex, criteria, which can make answers hard to find. Think of it as the forensics tool used at a crime scene.
Second, you need to find answers. Here is an example of a very common analysis used to find them. Define a new query in which “Destination IP” equals the server hosting the application. The query results will identify several application attacks during the time frame you’ve selected, all from the same attack source.
Now, you may ask yourself whether additional applications are being attacked by the same attack source. You can answer that question yourself: just update the query to include the source IP to determine which additional applications may be under attack.
Again, this scenario is very common; in fact, it’s been brought to my attention many times over the years by IT professionals like you. In short, you need additional capabilities to address more complex analyses. For instance, you may need to analyze an attack lifecycle, identify mitigation throughout the lifecycle and learn about the impact of dropped traffic.
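The two-step query above (filter by destination IP, then pivot on the source IP to find other targets), as an added example that is not part of the original post or any Radware product. The attack-database schema, the record set, the addresses and the time window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AttackRecord:  # one row of a constructed attack database (hypothetical schema)
    start: datetime
    category: str
    src_ip: str
    dst_ip: str
    peak_mbps: int

def query(records, since, **criteria):
    """Attacks starting at or after `since` whose fields equal every keyword criterion."""
    return [r for r in records
            if r.start >= since
            and all(getattr(r, field) == value for field, value in criteria.items())]

def other_targets_of_same_sources(records, since, dst_ip):
    """Pivot: take the sources behind the hits on `dst_ip`, then return every other
    destination those same sources attacked in the window."""
    sources = {r.src_ip for r in query(records, since, dst_ip=dst_ip)}
    return {r.dst_ip for r in records
            if r.start >= since and r.src_ip in sources and r.dst_ip != dst_ip}

# Constructed sample data using RFC 5737 documentation addresses.
T0 = datetime(2023, 4, 3, 9, 0)
APP_SERVER = "203.0.113.10"
RECORDS = [
    AttackRecord(T0 - timedelta(days=2), "HTTP Flood", "198.51.100.7", APP_SERVER, 250),
    AttackRecord(T0 - timedelta(hours=5), "HTTP Flood", "198.51.100.7", APP_SERVER, 400),
    AttackRecord(T0 - timedelta(hours=3), "Behavioral DoS", "198.51.100.7", "203.0.113.20", 120),
    AttackRecord(T0 - timedelta(hours=1), "SYN Flood", "192.0.2.44", "203.0.113.30", 900),
]

def investigate(records=RECORDS, window_hours=72, dst_ip=APP_SERVER, now=T0):
    """Step 1: attacks on the application server in the window. Step 2: what else the
    same sources hit. Returns (hits, other targets)."""
    since = now - timedelta(hours=window_hours)
    return query(records, since, dst_ip=dst_ip), other_targets_of_same_sources(records, since, dst_ip)

if __name__ == "__main__":
    hits, others = investigate()
    for r in hits:
        print(f"{r.start:%Y-%m-%d %H:%M}  {r.category:<15} from {r.src_ip}  peak {r.peak_mbps} Mbps")
    print("other targets of the same sources:", sorted(others))
```

Narrowing `window_hours` is the same as changing the timeframe in the dashboard: the older HTTP flood drops out of the results while the pivot still finds the second application.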
Imagine you’re out of the office and unable to view your DDoS management console. However, you want to be notified in real time when a user-defined attack occurs in your network. Of course, you always want to remain on top of things and be the first to know if there are any occurrences.
Here’s what you’ll need:
You need an alerting tool or engine with the ability to define rules based on multiple and flexible criteria that will instruct your DDoS management system to alert you via email.
Of course, you’ll be able to receive and read the email(s) from your mobile phone anywhere and at any time. And if needed, you’ll be able to open your laptop and begin handling the event.
Here’s an example of a rule you may need to define:
You will want an alert that notifies you each time an attack in a particular category occurs. In this example, we’ll define that category as “Behavioral DoS” and set the alert to fire when the attack rate exceeds 100 Mbps.
Now you can define the alert and a rule that consists of two criteria: one for the attack category attribute AND a second for the rate in bps, using a greater-than operator with the threshold you set. Please note, the “AND” is emphasized in ALL CAPS to denote that the alert is generated only when both criteria are met. You can now customize the message and indicate how frequently it should be sent. Then simply save it.
Once an attack meeting your definition is ongoing and on your network, you’ll be notified immediately. Now you are in control.
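The alert rule just described (attack category equals “Behavioral DoS” AND rate greater than 100 Mbps, with a limit on how often the message is re-sent), as an added example that is not code from the original post or from any DDoS management product. The event schema, the rule structure, the 15-minute resend interval and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import operator

MBPS = 1_000_000

@dataclass(frozen=True)
class AttackEvent:  # one sample of an ongoing attack; constructed, hypothetical schema
    seen_at: datetime
    attack_id: str
    category: str
    rate_bps: int
@dataclass
class AlertRule:
    name: str
    criteria: tuple          # ((field, comparison, value), ...): ALL must hold (logical AND)
    min_interval: timedelta  # how often the same ongoing attack may trigger another email
    message: str

    def matches(self, ev):
        return all(cmp(getattr(ev, field), value) for field, cmp, value in self.criteria)

def evaluate(rules, samples):
    """Return the email bodies the rules would send; repeats inside min_interval are suppressed."""
    last_sent, emails = {}, []  # (rule name, attack id) -> time of the last email
    for ev in samples:
        for rule in rules:
            key = (rule.name, ev.attack_id)
            last = last_sent.get(key)
            if not rule.matches(ev) or (last and ev.seen_at - last < rule.min_interval):
                continue
            last_sent[key] = ev.seen_at
            emails.append(rule.message.format(ev=ev))
    return emails
# The rule from the text: category is "Behavioral DoS" AND rate is greater than 100 Mbps.
RULE = AlertRule(
    name="behavioral-dos-over-100m",
    criteria=(("category", operator.eq, "Behavioral DoS"), ("rate_bps", operator.gt, 100 * MBPS)),
    min_interval=timedelta(minutes=15),
    message="[DDoS] {ev.category} attack {ev.attack_id} at {ev.rate_bps} bps ({ev.seen_at:%H:%M})",
)

T0 = datetime(2023, 4, 3, 14, 0)
SAMPLES = [  # constructed: one criterion met, the other met, both met, then re-sampled twice
    AttackEvent(T0, "a-1", "Behavioral DoS", 50 * MBPS),
    AttackEvent(T0, "a-2", "SYN Flood", 300 * MBPS),
    AttackEvent(T0 + timedelta(minutes=1), "a-3", "Behavioral DoS", 250 * MBPS),
    AttackEvent(T0 + timedelta(minutes=6), "a-3", "Behavioral DoS", 400 * MBPS),
    AttackEvent(T0 + timedelta(minutes=21), "a-3", "Behavioral DoS", 380 * MBPS),
]
```

Running `evaluate([RULE], SAMPLES)` produces exactly two emails, both for attack a-3: the first two samples each satisfy only one of the two criteria, and the second a-3 sample is suppressed because it arrives inside the 15-minute interval.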
Here are reporting scenarios in which you’ll need to:
- Generate reports to assist you in identifying trends.
- Report to management at the end of each week the statistics related to last week’s traffic trends and attacks.
- Extract information that will enable you to achieve the above, and more.
- Gain the same visibility and information you get from your dashboards, including additional information, breakdowns and details.
- Generate a managerial PDF report in which you can add free-form observations. This can easily serve as the report’s executive summary.
- Generate report graphs only (excluding detailed tables, if desired) to be used when sharing with, or presenting to, management.
- Pull flexible, user-friendly reports you define that will successfully address your specific needs. As an example, you may want to define a report with the same graphics and visibility, but split them into different sections within the report. For example, one section can include statistics for one region and another section for a different one. Both will be included in a single report.
- Generate reports in a variety of formats, including PDF, HTML and CSV. Each format may be needed to serve different purposes. For example, a CSV report can be highly detailed and used to generate your own graphs in Excel.
- Schedule the generation of automated reports that you can easily share with others.
To properly handle these scenarios — and an array of others — you must ensure your DDoS management solution includes tools similar to the ones mentioned. To find a solution that includes them, you don’t have to go far. Radware has developed and deployed these and many other tools based on years of interactions with and feedback from thousands of customers large and small and from every industry.
For More Information
To learn more about Radware DDoS Protection solutions, click here. If you need more answers about how Radware protects organizations from DDoS attacks, contact our tenured and talented security experts. They would love to hear from you.
If you’ll be attending the RSA Conference in San Francisco on April 24-27, make sure and stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.