Hear about the smart toaster that got attacked three times within an hour after its IP address first appeared on the Internet?
That experiment, conducted by a reporter for The Atlantic, crystallizes the seemingly intractable security challenge businesses face today.
Caught in the pull of digital transformation, companies are routing ever more core operations and services through the Internet, or, more precisely, through IP addresses of one kind or another. This trend has greatly expanded the attack surface for malicious botnets to automatically probe and infiltrate company networks, at scale. And in a double-whammy, the efficacy of legacy cybersecurity defenses, which were deployed, at great expense, mainly to protect on-premises data centers, is by many measures rapidly eroding.
I had the chance to discuss this with Joakim Sundberg, founder and CEO of a cybersecurity startup, Baffin Bay Networks, based in Stockholm, Sweden. We met at Black Hat USA 2019, where Baffin Bay touted its cloud-first, full-stack suite of threat protection services. For a full drill down on our conversation, give a listen to the accompanying podcast. Here are my key takeaways:
Formula for poor practices
Launched in 2017, Baffin Bay has attracted VC funding of $6.4 million and grown to 42 employees, winning customers in leading media firms, financial services companies and government agencies in the Nordics.
“We’ve been in production about 19 months and we have a 100 percent retention rate,” Sundberg told me. “We’re protecting about 220 different brands, everything from companies with two people and an app, to big European banks.”
There’s room for Baffin Bay’s cloud-first approach to security because in today’s cyber threat landscape, low-hanging fruit, like the smart toaster, does not go unnoticed by threat actors for very long. The business equivalent of the toaster probe might well be two categories of automated attacks: Distributed Denial of Service (DDoS) attacks and SQL injection (SQLi) hacks. Both DDoS and SQLi have been around for quite some time, are well understood and, by now, should be well defended.
Best security practices and high-tech detection systems have long been established and are readily available to help companies mitigate DDoS and SQLi attacks. Yet both categories of attacks continue to turn up, hour-to-hour, on a daily basis, Sundberg says.
A recent report from Akamai shows that SQLi attacks represent about two-thirds of all web application attacks. SQLi attacks involve inserting arbitrary SQL code into a database query, thereby enabling the attacker to take full control of a web application database.
Meanwhile, DDoS attacks are renowned for causing massive outages. But what many companies, especially SMBs, don’t realize is that short-duration, low-threshold DDoS attacks today are quite frequently launched as a smokescreen to hide a more singularly invasive activity, such as deploying ransomware.
What’s happened is that complexity and inertia are getting in the way of organizations doing security basics. On the one hand, the shift to cloud computing and the Internet of Things have combined to introduce vast new tiers of vulnerabilities; and on the other hand, companies don’t relish the expense and headaches of replacing legacy on-premises security systems, even as the effectiveness of those technologies declines.
It was while flying back and forth over the strait between Greenland and Baffin Island that Sundberg and a few colleagues mulled over these developments – and conjured the idea for Baffin Bay Networks. They came up with a platform of security services, delivered exclusively through the cloud, that leveraged machine learning.
Baffin Bay’s Threat Protection Service is designed to get increasingly smarter at identifying known and emerging anomalies, specifically at the web application layer. The platform doesn’t just detect anomalies and block attacks, it also provides detailed intel about each attack back to the company.
“We put lots of effort into making sure that the customer’s staff understands what sort of security risks they’re facing,” Sundberg told me. “When an attack occurs, we’re really good at visualizing the attack in an easy way that enables the customer to understand what happened . . . we’ll block it for you in real time, and then email you or text message you to inform you when something bad has occurred.”
One of the complaints I heard when MSSPs first appeared on the scene a few years back was that many of them provided a one-size-fits-most package of defenses for SMBs; another was that transparency about what, if anything, actually ever got detected and mitigated was sorely lacking. That’s improved as MSSPs incorporate advanced services. Baffin Bay, which supplies its technology to partner MSSPs, is part of this shift.
Given we’re just at the start of IoT systems taking over our lives, it seems inevitable that SMBs, in particular, will have to pay closer attention to daily attacks at the application layer. The logical place they’ll be able to do this effectively is via a cloud service.
“In the long run it’s not going to be optimal to run security in your own data center, on your own hardware,” Sundberg opines. “If you put some hardware in your data center, maybe a web application firewall, or something to do DDoS mitigation or to identify bots, then you’re going to need one solution for everything you do.”
It’s not possible for a company to install physical hardware security on operations it is running in Amazon Web Services or Google Cloud or Microsoft Azure. But security is needed even more so in the cloud, because that’s where operations are shifting. That’s why Sundberg believes a software shim is required. “It has to be some sort of controller sitting in between,” he says, “and it has to be a cloud-based solution.”
Makes sense. It will be interesting to see how quickly and pervasively the advanced cloud-first security solutions Baffin Bay and others are introducing will truly begin to help the SMB sector materially improve security. I’ll keep watching and reporting. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-baffin-bay-networks-takes-a-cloud-first-approach-to-securing-web-applications/