A10 Networks – Security Review Magazine https://securityreviewmag.com
We bring you the latest from the IT and physical security industry in the Middle East and Africa region.

5 Key Steps to Increase Application Performance for Employees and Customers https://securityreviewmag.com/?p=26496 Thu, 14 Mar 2024 12:21:40 +0000
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Digital transformation has been underway for decades, but in a fast-changing world, digital resiliency and application delivery are now a matter of survival. As the lines between office and home blur, so have the user expectations for each part of daily life. Whether people are working, taking care of personal needs, or relaxing, they need a high-quality application delivery experience for the applications they use, and security they can count on. And the impact of downtime can be devastating.

Below are five key digital resiliency challenges for application delivery that organizations are facing today and tips on how they can be addressed:

Step #1 – Delivering a Great Experience Every Time

  • Manage Performance with Visibility and Analytics – Today’s more complex infrastructures make it harder to keep applications running at their best. To simplify management, it is important to choose an application infrastructure that is consistent across every environment, with holistic visibility into devices, applications, policies, users, and more across data centres and clouds. A layer of analytics can help reduce downtime, meet SLAs, and make changes quickly to keep pace with user expectations.
  • Act Fast on Early Warnings to Solve Problems Proactively – By the time users report a problem, the damage to the business has already begun. An application delivery solution should provide early alerts to emerging issues while avoiding false positives and reducing signal noise.
  • Global Server Load Balancing – With applications, users, and data centres distributed around the world, it is all too easy for server bottlenecks to get in the way of performance. Global server load balancing is recommended to intelligently guide application traffic to the best available site for each user, so they get the best possible service.

Step #2 – Ensure No-Excuses Application Availability

Both within the workforce and with customers, business continuity depends on keeping applications available to every user, every time. Without high availability, disaster recovery, and rapid failover across cloud providers, employees are less productive, and customers are less satisfied—and the business can go off track.

  • Manage Traffic to Avoid Potholes – If a company’s servers are slow and it is unable to re-route traffic quickly, users will be affected. When a site or server slows—or fails—its application traffic must be re-routed quickly, before users notice. Companies should use global web traffic management to assess the health and response time of each site in the environment and make intelligent adjustments on the fly for uninterrupted application availability.
  • Be Prepared for Disaster Recovery and Capacity Surges – Is a redundancy plan in place that can help the organization recover quickly from a data centre failure and provide extra burst capacity in case of a surge? By using a public cloud environment as a backup for the on-premises data centre, enterprises can provide high availability even more cost-effectively.
  • Keep Clouds Redundant too – Redundancy isn’t just for on-premises infrastructure. To protect against a failure or service problem in public cloud environments, is there a secondary environment ready to go in a different provider’s cloud, with the ability to fail over seamlessly when needed?

Step #3 – Protect Customer Data and Privacy

Make sure to maintain effective threat protection, data protection, customer privacy, and compliance across every on-premises and cloud environment.

  • Unify Security Policies Across Clouds and Data Centers – Managing security policies separately across different clouds and data centres makes it all too easy for gaps and compliance lapses to sneak in. Instead, companies should leverage a unified policy infrastructure across every platform they use, so services and applications have the same, consistent protection wherever they are deployed.
  • Carefully Manage User Application Access Across Platforms – Take a Zero Trust approach: manage authentication consistently in every user scenario while giving employees the level of access their roles require, especially when moving applications from tightly controlled local on-premises data centers to public clouds.
  • Build Threat Protection into the Infrastructure – It is important to weave protective measures throughout an organization’s multi-platform environment, including security analytics, DDoS protection, web application firewalls (WAFs), authentication, modern TLS/SSL encryption standards, and threat intelligence.

Step #4 – Operate More Simply and Efficiently

  • Work Smarter to Work Cheaper – Use analytics to determine the most cost-efficient ways to use available resources both on-premises and in the cloud. By providing actionable intelligence to staff, organizations can help even less experienced team members work more quickly and effectively.
  • Automate, Automate, Automate…and Simplify – Manual effort can be costly, error-prone, and inconsistent. It is important to find opportunities for automation wherever possible, across every type of environment, for more effective management at a lower cost. At the same time, operations can be simplified by choosing portable, customizable capacity and self-service licensing options that give application services more agility.
  • Put it all Behind a Single Pane of Glass, and Control – A more complex network environment calls for an efficient view into network activity. Admins should be given a single pane of glass for visibility and policy control across every part of the infrastructure, regardless of cloud provider or form factor, so they can manage it more easily and consistently to avoid mistakes.

Step #5 – Innovate at Digital Speed

  • Use a Single Set of Tools and Skills Across Platforms – It is hard to be nimble if things are done differently in each environment an organization uses. Standardizing automation tool sets shortens the learning curve for new staff, builds more consistent best practices, and lets teams work more efficiently.
  • Support DevOps and SecOps Efficacy – Digital success depends on being fast without sacrificing quality. Automation can help streamline DevOps and SecOps tasks while preventing costly errors so better applications can be brought to market faster.

A10 Networks Launches Harmony Controller As-a-Service Release 5.4 https://securityreviewmag.com/?p=24859 Wed, 05 Oct 2022 08:03:55 +0000

A10 Networks has just announced the launch of Harmony Controller as-a-service, Release 5.4 with enhancements that ease multi-cloud operational complexity and strengthen security. Network admins for enterprises and service providers all know the pain of growth and change. Rapid or unexpected growth in users, subscribers, and traffic; migration from centralized data centers to edge deployments, cloud, multi-cloud, or hybrid cloud environments; and the pandemic-inspired shift to distributed and suburban/home-based applications mean network administrators must continually scramble to ensure capacity is correctly and efficiently deployed to meet demand.

For the critical functions that A10 provides, including Thunder Application Delivery Controller (ADC), Thunder Convergent Firewall (CFW), and Thunder Carrier-grade Networking (CGN), customers are managing their Thunder appliances or virtual machines throughout this massive change using A10 Harmony Controller. The A10 Harmony Controller provides centralized management and analytics for A10 secure application services including A10 Thunder ADC, SSLi, CFW, and CGN in multi-cloud environments for application configuration and policy enforcement. It is available both self-managed (on-premises or cloud) and as-a-service.

Harmony Controller as-a-service has key advantages over self-managed systems, providing organizations a centralized management interface for installation, configuration, monitoring, and troubleshooting of physical and virtual devices wherever they are deployed. Adding or changing Thunder devices used to require manually intensive processes for installation, licensing, and registration of devices. Harmony Controller-as-a-service makes those processes simple and easy to use. The service is operated by A10 to ensure its security and availability. The service creates simpler elastic capacity with a management interface that automatically scales as the system grows, supporting millions of users and thousands of devices.

Harmony Controller as-a-service, Release 5.4, includes the following enhancements:

  1. Stronger Security with Multi-Factor-Authentication (MFA): Now, administrators can enable MFA for all the users in the account. MFA is available when the users are authenticated locally in Harmony Controller. Users need to install the Google Authenticator app on their mobile devices for a one-time setup of MFA. While users can postpone set-up, the administrator can set an enforcement deadline. The device communicator role is created for users who use Harmony Controller to register Thunder devices.
  2. Local Authorization after Remote Authentication: Now, users can authenticate on remote servers, such as LDAP, TACACS+, or RADIUS, and authorize locally in Harmony Controller. The user privileges and access information are stored in Harmony Controller.
  3. Flexible Device Configuration Backup: Now, users can schedule periodic device configuration backups with precise time-zone and frequency.

“With the Harmony Controller, organizations can efficiently automate deployment and operations of application services, increase operational efficiency and agility, enhance end-user experiences and reduce TCO, simplify the management of distributed application services to dramatically shorten troubleshooting times, receive alerts on performance or security anomalies, improve capacity planning and optimize IT infrastructure and cloud environments,” concludes Amr Alashaal, Regional Vice President – Middle East at A10 Networks.

Understanding and Preventing the Log4j Exploit and Botnets https://securityreviewmag.com/?p=24786 Fri, 16 Sep 2022 15:45:22 +0000
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Of all the security issues that have appeared over the last few years, none has had the impact of the Log4j exploit. Also called Log4Shell, it was reported to the developers, the Apache Software Foundation, on 24 November 2021 by the Chinese tech giant Alibaba, and it took two weeks to develop and release a fix.

The existence of the Log4j exploit was first publicly disclosed in a tweet by Chen Zhaojun, a cyber security researcher with the Alibaba Cloud Security team, on December 9, 2021, and formally announced by the U.S. National Institute of Standards and Technology (NIST) under identifier CVE-2021-44832 on December 10, 2021, with a follow-up reanalysis, CVE-2021-45046, published on December 14, 2021. The Apache Software Foundation gave the exploit the highest Common Vulnerability Scoring System severity rating of 10.

The exploit allowed cyber threat actors to mount remote code execution (RCE) attacks on the widely used Apache Log4j Java logging library. An RCE exploit allows an attacker to run whatever code they please on a remote device. In the case of the Log4Shell vulnerability, which was particularly easy to exploit, successful execution allows the attacker to obtain full access to the computer.

What is Log4j?
Log4j is a subsystem for recording events such as error and status reports, an important component of modern applications. Developed by the Apache Software Foundation, Log4j is a free, open-source software package (also referred to as “FOSS”) written in Java. First released on January 8, 2001, the package became a foundational component of an extremely large number of projects because it is lightweight and easy to use.

How Does the Log4j Vulnerability Work?
The Log4j vulnerability is due to the use of the Java Naming and Directory Interface (JNDI), which allows additional Java objects to be loaded from remote naming services at runtime. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) were all vulnerable to Log4Shell. The first completely fixed Log4j release was version 2.17.0, published on December 17, 2021.

To mount an attack, cyber threat actors send web servers specially crafted HTTP/HTTPS requests that carry a JNDI request in a header likely to be logged, for example the user-agent string:

If the attacker is lucky, the server passes the user-agent string to Log4j to be logged. Log4j interprets the string and, finding a JNDI request, queries the specified LDAP server. This is where the problem lies: vulnerable versions of Log4j do not adequately verify or sanitize the request. The LDAP server, which is controlled by the attacker, responds with directory data that contains the malicious Java object. The server receives and executes that object, and the system is compromised.

How Bad is the Log4j Exploit?
Some of the most notable services affected by the vulnerability included Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and Twitter. Cloudflare’s CEO, Matthew Prince, tweeted on December 11, “Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”

Of course, after public disclosure, cyber threat actors swung into action. An article posted on the Google Security blog, updated nine days after the Log4Shell vulnerability was announced, stated that “The ecosystem impact numbers for just log4j-core [the Apache Log4j Implementation], as of 19th December are over 17,000 packages affected, which is roughly 4% of the ecosystem. 25% of affected packages have fixed versions available.” As the Google article pointed out, that was the proverbial “tip of the iceberg” because those packages were used by other packages, resulting in over 35,000 Java packages being vulnerable.

The Google blog post also pointed out that “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

The reason Log4j became such a big deal was due to the enormous number and popularity of products that used the library; hundreds of millions of devices were, and many still are, affected as a consequence. A contemporaneous article in The Guardian described the vulnerability as “a major threat to organizations around the world” and noted that it “may be the worst computer vulnerability discovered in years.” Those assertions proved to be correct.

In mid-December 2021 Glen Pendley, deputy chief technology officer at Tenable, commented, “[the Log4Shell vulnerability] … is in a league above every other vulnerability we’ve seen in the last few decades. It gives flaws like Heartbleed and Shellshock, a run for their money because of just how pervasive and devastating it is. Everything across heavy industrial equipment, network servers, down to printers, and even your kid’s Raspberry Pi is potentially affected by this flaw. Some affected systems may be on-premises, others may be hosted in the cloud, but no matter where they are, the flaw is likely to have an impact. Cybercriminals are already rubbing their hands with glee as early signs of ransomware activity have started to emerge. The worst part is, we aren’t even in the thick of it yet. Don’t be surprised when some major disruptions occur over the next few weeks and months, pointing at Log4j as the root cause.”

The bottom line is that the Log4Shell vulnerability is a systemic problem due to its appearance in tens of thousands of libraries used by thousands of programs. The resulting complexity makes fixing enterprise-class applications very difficult. A list of applications affected by Log4j can be found on GitHub.

Who’s Using the Log4j Exploit and How?
Once the Log4j vulnerability was publicly announced, multiple cyber threat actors immediately began to use it. For example, starting on December 15, 2021, an Iranian state-sponsored hacking group named Charming Kitten or APT35 launched multiple attacks against Israeli government and business sites trying to exploit the Log4j vulnerability.

While attacks using the Log4Shell vulnerability can be effective for state actors focused on specific politically targeted websites, the really dangerous use of the exploit is when botnets perform large-scale scanning for vulnerable sites to build crypto mining and DDoS platforms. Given that there are still millions of unpatched sites running out-of-date Log4j code, it’s fertile ground for hackers.

As early as December 2021, security researchers identified Mirai botnets adopting the Log4j vulnerability to suborn IoT devices including IP cameras, smart TVs, network switches, and routers. Since then, two other botnets, Elknot (also known as the BillGates trojan) and Gafgyt (also known as BASHLITE), have also been detected using the Log4j exploit.

A relatively new malware, named B1txor20 by researchers at Qihoo 360’s Network Security Research Lab, also exploits the Log4j vulnerability. The malware, which provides backdoor, SOCKS5 proxy, malware download, data theft, arbitrary command execution, and rootkit installation functionality, was first identified in March 2022 and targets Linux devices on ARM and x64 CPU architectures. Using the Log4j exploit, the malware infects new hosts and uses DNS tunneling to receive instructions from, and exfiltrate data to, the botnet’s command and control servers. Fortunately, B1txor20 has non-functional features and is buggy, but, of course, the cyber threat actors behind the malware are expected to fix and improve the software.

How to Prevent Log4j Exploits
There are four ways that enterprise cyber security teams can prevent Log4j exploits in vulnerable systems:

  1. Upgrade or disable Log4j libraries. As noted earlier, fixing enterprise-scale applications while minimizing service downtime can be an engineering nightmare.
  2. Deploy a web application firewall (WAF) to filter out unauthorized sources and content such as JNDI requests from unknown IP addresses.
  3. Disable JNDI lookups.
  4. Disable the loading of remote Java objects.
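Step 1 starts with knowing where log4j-core actually lives, and the Google figures quoted earlier explain why that is hard: the vulnerable copy is usually several dependency levels deep, inside a WAR inside an EAR or inside a fat jar. As an added example (not from the article or from A10), the Python script below applies the version range stated above (2.0-beta9 through 2.15.0, excluding 2.12.2, 2.12.3 and 2.3.1; fully fixed from 2.17.0) to every Java archive under a directory, descending into nested archives. It reads the version from the Maven pom.properties file that log4j-core ships and also reports whether the JndiLookup class is still in the jar, since deleting that class is the documented stop-gap for step 3 when a jar cannot be upgraded yet. The archive names, the sample jars and the status labels are constructed for the demonstration; the pom.properties and class paths are the standard log4j-core layout.

```python
"""Inventory Java archives for log4j-core and classify each copy against the
Log4Shell version range quoted in the article. Nested archives are walked
recursively because the affected copy is usually several levels deep."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata shipped inside log4j-core; the version is read from here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; removing it is the documented stop-gap
# for jars that cannot be upgraded immediately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

SAFE_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}   # security releases excluded from the range
RANGE_START = (2, 0, 0, 0, 9)                     # 2.0-beta9
RANGE_END = (2, 15, 0, 2, 0)                      # 2.15.0 final
FIRST_FIXED = (2, 17, 0)                          # first completely fixed release per the article
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(text):
    """Map '2.0-beta9' or '2.14.1' to a comparable tuple; a final release sorts
    after the betas and release candidates with the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    pre_rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), pre_rank, int(num or 0))


def classify_version(text):
    """Return 'vulnerable', 'partially-fixed', 'fixed', 'not-in-range' or 'unknown'."""
    v = parse_version(text) if text else None
    if v is None:
        return "unknown"
    if text.strip() in SAFE_BACKPORTS:
        return "fixed"
    if v < RANGE_START:
        return "not-in-range"
    if v <= RANGE_END:
        return "vulnerable"
    if v[:3] < FIRST_FIXED:
        return "partially-fixed"   # e.g. 2.16.x: outside the range but below the first complete fix
    return "fixed"


def inspect_archive(data, label, max_depth=5):
    """Return one finding per log4j-core copy found in the archive bytes,
    descending into nested archives (label!/inner/path) up to max_depth."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version or has_jndi:
            status = classify_version(version)
            # A vulnerable version whose JndiLookup class was deleted is mitigated, not fixed.
            if status == "vulnerable" and not has_jndi:
                status = "mitigated-class-removed"
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": has_jndi, "status": status})
        if max_depth > 0:
            for name in sorted(names):
                if name.endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(name), f"{label}!/{name}", max_depth - 1))
    return findings


def scan_directory(root):
    """Inspect every archive below root (real hosts: application and library directories)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi_class=True):
    """Constructed in-memory jar mimicking log4j-core's layout (test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic as a placeholder body
    return buf.getvalue()


def build_sample_war(inner_jar_name, inner_jar_bytes):
    """Constructed WAR that bundles a jar under WEB-INF/lib, one level down."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"WEB-INF/lib/{inner_jar_name}", inner_jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:  # no directory given: demonstrate on constructed archives
        results = inspect_archive(build_sample_war("log4j-core-2.14.1.jar", build_sample_jar("2.14.1")), "app.war")
        results += inspect_archive(build_sample_jar("2.14.1", include_jndi_class=False), "patched.jar")
        results += inspect_archive(build_sample_jar("2.17.0"), "upgraded.jar")
    for f in results:
        print(f"{f['status']:24} version={f['version']!s:10} jndi_class={f['jndi_lookup_present']!s:5} {f['path']}")
```

Run it with a directory argument to inventory a host; without one it reports on the three constructed archives. The nested path notation (app.war!/WEB-INF/lib/...) tells the operator which outer artifact has to be rebuilt, which is the "fix the deepest dependencies first" point from the Google figures above.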

Zero Trust, Cloud and Remote Working Drive Digital Resiliency https://securityreviewmag.com/?p=24448 Mon, 04 Jul 2022 07:22:46 +0000
Written by Paul Nicholson, Sr. Director of Product Marketing at A10 Networks

Today’s enterprises have faced many challenges with the pace of change over the last few years because of digital transformation, and the need for that transformation to be resilient and secure. These challenges have been amplified by the disruption of the global pandemic. There have been massive global macro-economic shifts that have fundamentally changed the way companies operate, from the rise of remotely working employees to the adjustments of customer engagement strategies.

Remote work was in full swing before the pandemic and was already shaping IT strategy and the shift to cloud, including hybrid cloud. This trend has only accelerated due to the ease of remote deployment and the accessibility of software, SaaS, and cloud options. With all these changes, the risk of security breaches is high. This explains the rise and popularity of Zero Trust as a framework for securing networks in these new realities, and as an effective tool to drive cybersecurity initiatives across the entire enterprise.

All this means that in a post-pandemic era, digital resilience is a top priority and cyber threats are only accelerating. As a result, we are witnessing a broad spectrum of concerns as enterprise organizations look to shore up their defenses. Analyzing the events of the last two years, it is an ideal time to explore enterprise perceptions about the future. To gain these insights, we surveyed 2,425 senior application and network professionals from ten regions around the globe. Not surprisingly, we found high levels of concern around all aspects of digital transformation solutions and resilience with a strong focus on business continuity. The top findings we uncovered included:

Private Clouds are the Preferred Enterprise IT Environment
Even though we witnessed a rapid pivot to cloud in the last couple of years, plenty of on-premises environments remain. Twenty-three percent of respondents have retained an on-premises environment and this is unlikely to change in the future. Private clouds were the preferred environment for 30 percent of respondents, while just under one quarter said their environment was in a public cloud, with a similar percentage in SaaS environments.

New Working Patterns and Digitalization Prompt Rethinking the Strategy
Resilience is a board-level discussion as senior leaders look to ensure that the business can cope with any future disruption. Our enterprise respondents said that digital transformation solutions, business continuity (technically and organizationally), and stronger security requirements have all become paramount. This puts tremendous pressure on IT professionals to rethink their architectures and IT strategies to meet the challenge.

Asked to rate their concern about 11 different aspects of business resilience, nine out of 10 respondents expressed some level of concern about every issue. The top concerns were around the challenge of optimizing security tools to ensure competitive advantage, utilizing IT resources in the cloud, and enabling remote access and hybrid working while ensuring that staff feels supported in whatever work style they wish to adopt.

Top Cyber Threat Concerns for Enterprise IT
Without a doubt, the escalating threat landscape is causing a broad array of concerns from respondents. Chief among them is the loss of sensitive assets and data followed by the disruptive impact of downtime or network lockdown. In response, there was an evident shift to a Zero Trust security approach. One-third (30%) of enterprise organizations said that they had already adopted a Zero Trust model.

Looking to the future, we expect the adoption of cybersecurity initiatives to not only remain high but to become higher. This includes a more pervasive adoption of the Zero Trust model within the enterprise as all employees become more aware of the benefits of such a strategy and approach.

It’s clear that there is unlikely to be any relief from the pressures for enterprises and their IT practitioners, whether in infrastructure or security domains. We will be dealing with the impact of these recent pandemic-related changes for years to come, including the continuing integration of newer technologies and evolving standards. Therefore, IT organizations must continue to invest in modern technologies that support ongoing digital transformation initiatives but strike the balance between strong Zero Trust defense and operational agility for their multifaceted digital resiliency needs.

A10 Networks Boosts EMEA Channel Programme with New Hires https://securityreviewmag.com/?p=23605 Thu, 06 Jan 2022 07:04:07 +0000

A10 Networks announced the significant ongoing success achieved by its channel programme in 2021, with 23 new strategic partners signed up in the last year and plans to further develop channel initiatives in 2022. At the start of 2021, A10 Networks refocused its five key strategic channel pillars encompassing building ecosystems, channel enablement, lead generation activities, deal registration and working with distribution. At the end of 2021, A10 Networks had signed up 23 new partners as a result of this laser focus on its channel, which now comprises over 80 partners and 30 distributors.

Furthermore, A10 Networks continues to work with strategic alliance partners, Dell and Ericsson. These alliances will be a key focus in 2022 driving combined technology solutions that deliver better business outcomes for customers. New business development initiatives are underway within the distribution community with joint-funded resources assigned in territories such as the Middle East, UK&I, Benelux, DACH, Africa and Scandinavia working with distributors such as Exertis, Ingram, Netex, V-Valley, 2SB, MUK and others.

A10 Networks also launched its new Affinity Technical Ambassador programme in EMEA in 2021 which is gaining great traction with strong technical collaborations within key partners underway to harness and enrich the knowledge level of partners. The company has also focused on taking partners on a progressive journey and its Elevate to Elite initiative has been successfully enabling partners to make the transition to Elite partner status.

Chris Martin, Channel Sales Leader for EMEA & APAC at A10 Networks, comments: “We’ve seen real positive momentum in the channel in 2021 despite the pandemic. In fact, our virtual offering has meant that we have consistently grown with no negative impact from COVID-19. But this isn’t just off the back of our offerings; it also demonstrates how important the channel is in helping customers to protect against the evolving nature of cyberattacks. This increase in attacks, combined with the need to operate in a new environment that encompasses both remote and office working and spans both the digital and physical world, demonstrates just how important it is for enterprises to work with trusted partners. We are also hiring new talent to support our growth. With our programme now firmly established we can concentrate on developing deeper relationships as we focus on working with quality partners.”

Why Attackers are Focusing on Low-Volume Persistent DDoS Attacks https://securityreviewmag.com/?p=23505 Thu, 09 Dec 2021 12:40:45 +0000
Written by Anthony Webb, VP of International, A10 Networks

The COVID-19 pandemic has created significant challenges and changes to the world as we know it. As enterprises quickly moved to remote working and then to hybrid set-ups, adversaries seized the opportunity, and we have witnessed significant growth in the number of cyberattacks. In particular, DDoS attacks have grown – not only in size and frequency – but adversaries have also pivoted to low-volume, persistent attacks that run for longer periods of time, injecting attack traffic at frequent intervals. These low-volume attacks enable adversaries to evade basic defensive measures, yet they still have significant impact on enterprise systems and operations.

Modern malware is hijacking IoT devices
As the name indicates, DDoS attacks are distributed in nature. A single attack may employ multiple DDoS weapons to overwhelm the victim’s network and defences. Our security research team have been tracking DDoS weapons and their behaviours and reporting on their frequency and impact over the last several years. Our latest H1 2021 DDoS Attack Mitigation: Global State of DDoS Weapons Report provides detailed insights into the origins of DDoS activity, highlighting how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets. The report also provides some helpful guidance on what organisations can do to protect against such activities and act rather than sit and wait for the inevitable to happen.

What we can see is that with new attacks and new malware variants, we are witnessing new layers of sophistication in how IoT and smart devices are being weaponised. Cybercriminals are recruiting IoT devices into their botnet armies, aided by Mozi malware, and spreading them around the world. Here I’ve summarised some of the key findings:

DDoS weapons are steadily growing
The total number of DDoS weapons increased by 2.5 million during H1 2021, the same growth as in previous reporting periods, meaning the number of DDoS weapons has been steadily growing; 15 million weapons are now tracked in total. SSDP (Simple Service Discovery Protocol) remains the largest reflected amplification weapon, with 3.2 million potential weapons exposed to the internet. This is an increase of over 28 percent compared to the previous reporting period.

And while DDoS attackers have increasingly focused on smaller attacks launched persistently over a longer period, larger-scale attacks still occur; they are less frequent, but they cause a lot of damage and make significant headlines as a result. The rest of the amplification weapons remained virtually the same, with SNMP, Portmap, TFTP and DNS Resolvers completing the top five. It is important to note that all these weapons grew in number except for DNS Resolvers.

China leads the way
DDoS attacks are not limited to a specific geographic location and can originate from and attack organisations anywhere in the world. However, what we found in this report is that China (for the second reporting period in a row) continues to lead the way in hosting the highest number of potential DDoS weapons including both amplification weapons and botnet agents. This was closely followed by the U.S. which remains the second-largest source of DDoS weaponry, particularly amplification weapons, followed by South Korea.

This edition of the threat intelligence report takes a deeper look at how botnets work. Botnets or drones are compute nodes like computers, servers, routers, cameras and other IoT devices infected by malware and are the tools controlled and used by DDoS attackers. Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. Subsequently, these botnets are used to launch large-scale DDoS attacks. The increase or decrease of botnets can be attributed to factors such as the growth of IoT, new vulnerabilities, as well as CVEs exploited by attackers, large-scale security updates to patch CVEs and botnet takedowns.

Botnet agents halve in H1 2021
In H1 2021, the total number of botnet agents almost halved, to 449,509 tracked, with China hosting 44% of the drones available worldwide. This is likely due to the high-profile takedown of the Emotet botnet, one of the largest botnets in the world, dubbed “the internet’s most dangerous malware”. In early 2021 international law enforcement took down Emotet’s command and control infrastructure in more than 90 countries. While this takedown was a contributing factor to the large-scale reduction in botnet agents, it is important to note that these changes may be temporary, as attackers can quickly build their infrastructures back up and exploit network systems and vulnerabilities.

One other particularly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that uses a large set of Remote Code Executions (RCEs) to leverage Common Vulnerabilities and Exposures (CVEs) in IoT devices for infection. Once a device is infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Our report found that in the first half of 2021 Mozi reached 360,000 systems from manufacturers including Huawei, Realtek, NETGEAR and many others. The Mozi botnet includes infected bots around the globe, with China, India, Russia and Brazil leading the list of countries and regions.

Strategies for protecting the network against DDoS attacks
So how do organisations protect their networks and resources against such attacks? Organisations should invest in Zero Trust models and create micro-perimeters within the network to limit access to resources. They should also look to invest in modern AI and machine learning solutions that will not only defeat attacks but also protect against the unknown.

Likewise, organisations should investigate whether they are already infected. If network devices suddenly start generating abnormal amounts of traffic this might be because they are infected and, in this instance, they should immediately isolate suspicious devices and limit the traffic originating from these devices.

It is important to observe and block commonly exploited ports, and potentially to block malicious payloads and any BitTorrent traffic coming into or going out of the network. Above all, organisations should make sure that their security infrastructure is regularly updated and that IoT devices are running the latest firmware with all the necessary security patches. Finally, they should use modern DDoS techniques like baselining to spot anomalous behaviour versus historical norms, and AI/ML techniques for detection and zero-day attack prevention can really help security teams.

As we prepare for 2022, it is commonly acknowledged that hybrid and remote working environments are here to stay, and security teams will need to look at how they secure a mix of on-premises, multi-cloud and edge-cloud environments. Sophisticated DDoS threat intelligence combined with real-time threat detection, AI and ML capabilities as well as automated signature extraction allow organisations to defend against all kinds of DDoS attacks, no matter where they originate.

Seven Strategies for CSO Cybersecurity Survival
https://securityreviewmag.com/?p=23481 | Tue, 07 Dec 2021 06:05:10 +0000
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

CSOs, CIOs, and CISOs have never had it so tough. Alongside their traditional responsibilities of safeguarding the corporation’s physical assets on a day-to-day basis and preparing crisis management strategies, they must now face a cybersecurity threat environment that is growing exponentially. Today, ransomware has become one of the greatest network security threats organisations have to deal with. Increasingly sophisticated and distributed at a high speed via the internet and private networks using military-grade encryption, today’s ransomware attacks demand multimillion-dollar ransoms.

But ransomware is only one of the many threats organisations have to deal with. There are also distributed denial of service (DDoS) attacks, Man in the Middle (MitM) attacks, social engineering, insider threats, malware, and advanced persistent threats (APTs) to contend with – and those are just the most common network security threats. Below are seven strategies to make cybersecurity professionals’ organisations safer from the countless network security threats they’ll be facing in the near future:

Create a “Security-first” Culture
The problem for CSOs is that, while most employees have some basic knowledge of cybersecurity best practices, that is pretty much all they have. Without ongoing training, knowledge testing, and awareness, staff behaviour is one of the biggest cybersecurity risks that organisations face.

A study by Accenture revealed that less than half of new employees receive cybersecurity training and regular updates throughout their careers. Just four in ten respondents said insider threat programs were a high priority. Organisations must look to create a robust and distributed digital immune system with a radical re-engineering of staff behaviour. Business leaders need to have accountability for cybersecurity; security teams need to collaborate with business leaders to create and implement policies that will actually work, and those policies need to be routinely re-evaluated and tested.

Create a Continuous Security Education Program
A “security-first” culture requires that everyone in the organisation understands what network security threats are. For this to actually have an impact on culture, however, staff must be trained routinely to ensure that their knowledge is current.

Implement a Zero-Trust Model Throughout the Business
Well-trained staff and a monitored environment are crucial to the successful protection of any organisation but without a foundational Zero Trust environment, defenses will be intrinsically weak. The Zero Trust model is a strategy for preventing network security threats that all enterprises and governments should be using to defend their networks. It consists of four components:

  • Network traffic control: Engineering networks to have micro-segments and micro-perimeters ensures that network traffic flow is restricted and limits the impact of overly broad user privileges and access. The goal is to allow only as much network access to services as is needed to get the job done. Anything beyond the minimum is a potential threat.
  • Instrumentation: The ability to monitor network traffic in-depth along with comprehensive analytics and response automation provides fast and effective incident detection.
  • Multi-vendor network integration: Real networks aren’t limited to a single vendor. Even if they could be, additional tools are still needed to provide the features that a single vendor won’t provide. The goal is to get all of the multi-vendor network components working together as seamlessly as possible to enable compliance and unified cybersecurity. This is a very difficult and complex project but keeping this strategic goal in mind as the network evolves will create a far more effective cybersecurity posture.
  • Monitoring: Ensure comprehensive and centralised visibility into users, devices, data, the network, and workflows. This also includes visibility into all encrypted channels.

At its core, the Zero Trust model is based on not trusting anyone or anything in the company. This means that network access is never granted without the network knowing exactly who or what is gaining access.

Implement SSL Visibility – “Break and Inspect”
TLS/SSL inspection solutions that decrypt and analyse encrypted network traffic are key to ensuring policy compliance and privacy standards in the Zero Trust model. Also called “break and inspect”, TLS/SSL inspection bolsters Zero Trust in three major ways. It allows for the detection and removal of malware payloads and suspicious network communications, prevents the exfiltration of sensitive data, and enables the Zero Trust model to do what it’s supposed to do – provide in-depth and rigorous protection for networks from internal and external threats. For any organisation that hasn’t adopted a Zero Trust strategy combined with deep TLS/SSL traffic inspection, now is the time to start rethinking its cybersecurity posture.

Review and Test DDoS Defences Regularly
Routine testing against a checklist of expected configurations and performance standards, as well as random tests of security integrity, is crucial to detecting a distributed denial-of-service attack. Network performance testing should be executed daily because a distributed denial-of-service attack isn’t always a full-bore assault. It can also be a low-volume attack designed to reduce, but not remove, connectivity.

Secure all Inbound and Outbound Network Traffic Using SSL/TLS Encryption
When users’ computers connect to resources over the internet, SSL/TLS creates a secure channel using encryption, authentication, and integrity verification. Encryption hides data communications from third parties trying to eavesdrop, while authentication ensures the parties exchanging information are who they claim to be. The combination ensures the data has not been compromised. Any unsecured traffic must be constrained to specific secured network segments and monitored closely.
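As an added example, not code from the article or from A10, the three properties named above map onto a Python `ssl` client context: CA verification plus hostname checking give authentication, and a TLS 1.2 floor rules out the protocol versions with known weaknesses in their encryption and integrity protection. The hardened context sits beside the `verify=False` anti-pattern that is common in client code, and an audit function reports which property each context gives up. Function names are the example's own.

```python
"""Hardened TLS client context beside the usual weak one, with an audit check."""
import ssl


def make_client_context():
    """Authentication (CA + hostname), TLS 1.2 minimum: the configuration to ship."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 explicitly
    return ctx


def weak_context():
    """The 'verify=False' anti-pattern: traffic is encrypted, but to whom is unknown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, self-signed or forged, is accepted
    return ctx


def audit_context(ctx):
    """Return a list of findings; empty means all three properties are in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: peer certificate is not required or not verified")
    if not ctx.check_hostname:
        findings.append("authentication: hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("encryption/integrity: TLS 1.0 or 1.1 still permitted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("weak", weak_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The same audit logic is worth running in a unit test against every `SSLContext` a code base constructs, since a single `CERT_NONE` in an internal tool silently removes the authentication half of what the paragraph promises.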

Establish and Test Disaster Recovery Plans
A key part of a disaster recovery plan involves backups. However, it is surprising how often restoring from backup systems in real-world situations doesn’t perform as expected. It’s important to know which digital assets are and are not included in backups and how long it will take to restore content. CSOs should plan the order in which backed-up resources will be recovered, know what the start-up window will be, and test backups as a routine task with specific validation checks to ensure that a recovery is possible.
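An added example (not from the article) of the "specific validation checks" the paragraph calls for: record a SHA-256 manifest of every asset at backup time, then compare a restore against it so that missing and silently corrupted files are reported by name rather than discovered during an incident. The file names, contents and temporary directories are constructed for the demo; `verify_restore` and the other function names are the example's own.

```python
"""Manifest-based restore validation: which assets are missing or corrupt after a restore."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def _write_tree(root, files):
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


# Constructed sample assets standing in for what a backup job covers.
SAMPLE_FILES = {
    "db/users.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
    "logs/app.log": b"2021-12-07T06:05:10Z INFO service started\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
}


def demo():
    """Back up SAMPLE_FILES, then validate a faithful restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp, n) for n in ("source", "restore_good", "restore_bad"))
        _write_tree(src, SAMPLE_FILES)
        manifest = build_manifest(src)          # stored alongside the backup in practice
        _write_tree(good, SAMPLE_FILES)
        damaged = dict(SAMPLE_FILES)
        damaged["db/users.sqlite"] = damaged["db/users.sqlite"][:-1] + b"\x01"  # bit rot
        del damaged["logs/app.log"]             # never made it into the backup set
        _write_tree(bad, damaged)
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    for label, result in zip(("good restore", "damaged restore"), demo()):
        print(label, result)
```

Wrapping the restore step itself in a timer gives the other figure the paragraph asks for, the realistic restore window, and running the check on a schedule turns "we have backups" into "we restored them last week and the manifest matched".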

Staying Secure
The CSO’s job isn’t getting any easier, but solid planning using the seven strategies will help ensure an organisation’s digital safety. In addition, partnering with top-level enterprise cybersecurity vendors will ensure that critical security technology and best practices are central to the organisation’s cybersecurity strategy.

Women in Security: Women Have Had to Work Very Hard to Prove Themselves
https://securityreviewmag.com/?p=23180 | Mon, 25 Oct 2021 18:00:56 +0000
Suzanne Al Najjar, the Channel Manager for the Middle East at A10 Networks, says that there’s nothing in the world that is free of challenges

Tell us about yourself and your current job role.
I have always been very passionate about the technology industry, which led me to choose a career in this field. Currently, I lead the regional channel business for A10 Networks in the Middle East. The role involves developing and implementing a channel strategy and strengthening relationships with our partners.

As a company, we focus a lot on education and training and I oversee our partner enablement program. What I love most about my job is networking and face-to-face interactions with partners, but with the current pandemic, this has been a big challenge over the past year and a half.

Tell us about your journey into the security industry. Was the security industry your first choice?
I wouldn’t say that security was my first choice, but the progression through my career in the technology field led me to where I am today – in the highly fascinating world of IT security. I started working in the IT field in 2014 with a distributor for network and network security products.

I then joined a system integrator as a territory sales manager, tasked with the role of expanding their market coverage. Following that, I joined Micro Focus to support the company in growing its business in Saudi Arabia. I then landed a Channel Account Manager role at A10 Networks in March of last year – a position that I currently hold and am perfectly suited to.

During your tenure in the security industry have you experienced major changes the industry has gone through?
I believe that there are at least three major things that have changed:

  • The rapid advancement of the Internet of Things (IoT) has had a huge impact on the security industry over the past decade. Millions of connected devices are creating new entry points to the network and therefore posing increasing security and privacy risks.
  • The current pandemic has accelerated the digital transformation plans for a majority of regional enterprises and as they embrace technologies like the cloud to enable the hybrid workplace, there is an increased sense of urgency to implement the latest technologies and practices to secure the organizational network.
  • In my experience women have had to work very hard to prove themselves. Especially in male-dominated industries like technology, for instance, this has historically been a challenging task. But this is changing and today, women are embracing major roles across all fields, including IT security.

Are there any challenges you face on a day-to-day basis working in this industry?
Actually, there’s nothing in the world that is free of challenges, but I am a positive and competitive person and the thought of overcoming a difficult task greatly motivates me. I see challenges as a stepping stone in my journey to becoming stronger and more successful.

What sort of future do you foresee for the security industry as a whole?
No doubt, cyberattacks will increase in frequency and sophistication in the future. One of the major innovations driven by 5G is the implementation of multi-access edge computing (MEC). Building intelligence into the edge will boost the availability and efficiency of 5G networks. However, keeping the global cybersecurity trends in mind, we can see that the intelligent edge might be hijacked by attackers for launching different kinds of attacks.

2020 was the year of understanding what the Zero Trust model is in a practical sense. We believe that the concept of Zero Trust has reached a level of maturity and clarity where it will be effectively adopted and implemented by many organizations in 2021 and beyond and that it will become the go-to security model for all types and sizes of organizations.

Since 2020 forced most of the workforce to work remotely, attackers have been experimenting with new ways of exploiting security loopholes or shortcomings exposed by these rapid changes. This accelerated and will continue to accelerate the development and adoption of Secure Access Service Edge (SASE) solutions.

What more needs to be done to welcome more and more women into the security industry?
As mentioned earlier, the age-old mindset of technology being a male-dominated field is breaking down. Women today in most developed countries across the globe are given equal opportunities when it comes to education and careers. We as women have to change our mindsets and believe that we can be dominant in any field that we choose, including IT security, if only we are well educated, innovative in our outlook, and persistent in our desire to reach the top!

Tips to Protect Enterprise Networks and Resources Against Mozi
https://securityreviewmag.com/?p=23109 | Sun, 10 Oct 2021 14:14:54 +0000
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. These botnets are then used to launch large-scale DDoS attacks. One highly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that utilizes a large set of Remote Code Executions (RCEs) to leverage CVEs in IoT devices for infection. These IoT devices include readily available and commonly used DVRs and network gateways.

Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Mozi was first identified in 2019 and has been evolving and increasing in size ever since. It can now persist on network devices by infiltrating the device’s file system, remaining functional even after the device has been rebooted. During the first half of 2021, Mozi topped out at over 360,000 unique systems using more than 285,000 unique source IP addresses, the difference likely being due to network address translation.

In order to protect their networks and resources, organizations need to take the following steps to block systems infected by Mozi and the malicious traffic generated by them:

  • Never Trust, Always Verify: Incorporate the Zero Trust model and its key principles into your security strategy. Create micro-perimeters within your networks. Limit access to your resources and invest into modern, AI/ML-based solutions. Ensure visibility into not only the endpoints and network nodes, but also into users, their activities, and workflows.
  • Investigate Whether You are Already Infected: The initial infection of Mozi comes in the form of RCEs sent using ports 80, 8080, 8443, etc. This can make initial infections stand out, which can help in tracking them with low false positives. If your network devices suddenly start generating abnormal amounts of TCP or UDP traffic, immediately isolate suspicious devices and limit the traffic originating from them. If this is not possible, then apply global rate limiting on all traffic until you track the source.
  • Observe and Block Commonly Exploited Ports: Closely monitor any traffic using TCP ports 60001, 37215, 5555, 52869 and 49152, both before and after a suspected infection. While these aren’t the only ports Mozi uses, they may help find the needle in the haystack. As a general good practice, monitor and block sources that send TCP SYNs to ports 23 and 2323, as most malware uses Telnet to initiate IoT device infections.
  • Take a Closer Look at the Payloads: If your network devices are generating large amounts of traffic, look at the payloads (i.e., the HTTP POST as shown on page 13). RegEx can be used to filter these malicious traffic requests out and block them before they infect other devices.
  • Block BitTorrent: Since BitTorrent is one of the most common peer-to-peer networks used by Mozi for Command and Control (C2) communications, any BitTorrent traffic coming into or going out of the network should be blocked. The sheer amount of BitTorrent traffic could be a dead giveaway of an infection depending on your customer type.
  • Ensure Your Security is up to Date: Make sure your security infrastructure is updated regularly and that your IoT devices are running the latest version of firmware with all the necessary security patches applied. Keep track of CVEs for your network devices and check with vendors whether patches are available. If fixes are not readily available, take appropriate action based on the particular CVEs.
  • Employ or Review DDoS Baselining and AI/ML Techniques: Modern DDoS techniques such as baselining, which compares current behaviour against historical norms, together with AI/ML techniques for detection and zero-day attack prevention, can be a force multiplier for your security team: anomalies are discovered and dealt with efficiently and 24×7 instead of through manual work.
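To make the detection steps in this list concrete (investigating whether devices are already infected, watching the commonly exploited ports, and baselining egress against historical norms), and the same advice given in the botnet report earlier on this page, here is an added example in Python. It is not A10's code and not from the report. It assumes a flow-record layout of the form `ts src_ip src_port dst_ip dst_port proto tcp_flags bytes`, one record per line, uses constructed sample records and constructed per-host baselines, and takes its port lists from the text above.

```python
"""Flag internal hosts showing the Mozi-style indicators the article describes.

Added example, not part of the article. Flow format and baselines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MOZI_PORTS = {60001, 37215, 5555, 52869, 49152}   # TCP ports the article associates with Mozi
TELNET_PORTS = {23, 2323}                         # where most IoT malware starts probing

# Constructed sample flows (not real telemetry). 10.0.1.77 behaves like a newly
# infected device: a Telnet SYN sweep, traffic to Mozi ports, then a huge egress burst.
SAMPLE_FLOWS = """\
1625000001 10.0.1.20 51234 93.184.216.34 443 tcp SA 1200
1625000002 10.0.1.20 51235 93.184.216.34 443 tcp SA 900
1625000003 10.0.1.77 40001 203.0.113.5 23 tcp S 60
1625000003 10.0.1.77 40002 203.0.113.6 23 tcp S 60
1625000004 10.0.1.77 40003 203.0.113.7 2323 tcp S 60
1625000005 10.0.1.77 40004 198.51.100.9 37215 tcp SA 5000
1625000006 10.0.1.77 40005 198.51.100.10 60001 tcp SA 800000
1625000007 10.0.1.77 40006 198.51.100.11 8080 tcp SA 900000
1625000008 10.0.1.31 52000 93.184.216.34 80 tcp SA 4000
"""

# Constructed per-host egress history (bytes per observation window); a real
# deployment learns this from weeks of NetFlow or Zeek conn logs.
BASELINE_BYTES = {
    "10.0.1.20": [2000, 2500, 1800, 2200, 2100],
    "10.0.1.77": [3000, 3200, 2800, 3100, 2900],
    "10.0.1.31": [4000, 4200, 3900, 4100, 4000],
}


@dataclass
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed flow format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto, flags, nbytes = line.split()
        flows.append(Flow(int(ts), sip, int(sport), dip, int(dport),
                          proto.lower(), flags, int(nbytes)))
    return flows


def detect(flows, baselines, sigma=3.0):
    """Return {src_ip: [reason, ...]} for hosts matching any indicator.

    Indicators: pure TCP SYNs to Telnet ports (hunting for new victims),
    connections to Mozi-associated destination ports, and total egress bytes
    above mean + sigma * stddev of the host's own baseline (DDoS-style burst).
    """
    findings = defaultdict(list)
    egress = defaultdict(int)
    for f in flows:
        egress[f.src_ip] += f.nbytes
        if f.proto == "tcp" and f.flags == "S" and f.dst_port in TELNET_PORTS:
            findings[f.src_ip].append(f"telnet-syn:{f.dst_ip}:{f.dst_port}")
        if f.proto == "tcp" and f.dst_port in MOZI_PORTS:
            findings[f.src_ip].append(f"mozi-port:{f.dst_port}")
    for src, total in egress.items():
        history = baselines.get(src)
        if not history:
            continue  # no baseline yet: volume cannot be judged, port checks still apply
        mu, sd = mean(history), pstdev(history)
        if total > mu + sigma * sd:
            findings[src].append(f"volume-anomaly:{total}B vs baseline {mu:.0f}B+{sigma:g}sd")
    return dict(findings)


def run_demo():
    return detect(parse_flows(SAMPLE_FLOWS), BASELINE_BYTES)


if __name__ == "__main__":
    for host, reasons in run_demo().items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Treat the port hits as triage signals rather than verdicts: 5555 is also the Android Debug Bridge port and 49152 is the first port of the ephemeral range, so a device that merely talks to such a destination is not proof of infection, whereas a Telnet SYN sweep plus an egress burst far outside the device's own baseline is exactly the pattern the article says should trigger isolation and rate limiting.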