UPDATED 11:48 EST / JULY 29 2022

Majority of decision-makers prioritize performance over security, says F5 report

Which is more important: Security or performance? As security spend constantly tops information security budgets, the answer should be obvious. Surprisingly (and disconcertingly) it’s not.

According to cybersecurity consultant and services provider F5 Inc.’s “2022 State of Application Strategy Report,” three-quarters of information technology decision-makers place performance above security, saying they turn off safeguards if they are slowing their system down. This statistic should be “a call to action for all of us in security,” according to Haiyan Song (pictured, right), executive vice president of security and distributed cloud at F5.

“We have got to do better, because security shouldn’t be the one that prevents or adds friction to what the business wants to do,” Song said.

Song and Dan Woods (pictured, left), global head of intelligence at F5, spoke with theCUBE industry analyst Dave Vellante at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They revealed some surprising statistics and discussed ways security solutions need to evolve to reduce the profitability of cybercrime. (* Disclosure below.)

(Not fun) fact: Most of an organization’s incoming traffic is malicious bots

Another F5 finding that surprises many executives: On average, over 90% of an organization’s incoming traffic comes from automated bots hoping to hit a credential match. In one case, F5 scanned a social networking site and discovered that 99% of its login traffic was from malicious bots.

“Every time we go into an enterprise, they underestimate the size of the problem,” Woods said.

This is because companies believe that they are protected by their captcha and two-factor authentication procedures. But, while 2FA has a very important role in security, it doesn’t stop automated attacks, and neither does captcha, according to Woods.

How do bots solve captcha confirmations? After all, they’re a well-known cause of frustration and many humans have to attempt them more than once. The answer is chilling: “The bots use an API into a human click farm,” Woods explained. Cybercrime is profitable enough that the criminals are outsourcing to humans who solve captchas on their devices for ridiculously low pay.

While 2FA does prevent these bots from accessing a company’s system, a bot can detect when a 2FA response is triggered, which confirms that the credential it just attempted is a good one.

“The purpose of a credential [stuffing] attack is to verify whether the credentials are correct,” Woods stated. “So if it’s a 2FA protected login, it’s done that.”

Armed with a list of valid credentials, a cybercriminal who specializes in defeating 2FA can successfully access a text message and obtain the 2FA code. Known tactics for achieving this include port-out scams, SIM swaps, SS7 compromises, and social engineering or insiders at telcos, according to Woods.

Sophisticated attackers bypass IP address blocks

Security teams fail to recognize these accounts, because the attacks avoid IP address blocks by being highly distributed, according to Woods.

“Security teams will typically identify the attack coming from the top 100 or 1,500 noisiest IP [addresses], but they miss the long tail of tens of thousands, hundreds of thousands of IP [addresses] that are only used one or two times,” he said. Attacks can even come from residential IP addresses.
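An added illustration of the long-tail problem Woods describes (not code from the article or from F5): on constructed login events, it measures how little a top-N IP block list covers and contrasts that with a per-minute failure-rate signal that ignores source IP. The event layout, thresholds and function names are assumptions.

```python
from collections import Counter

def build_events():
    """Constructed sample: (minute, ip, username, success) login attempts."""
    events = []
    # 20 legitimate users, one successful login each, spread over 10 minutes.
    for i in range(20):
        events.append((i % 10, f"198.51.100.{i}", f"user{i}", True))
    # 3 noisy attacking IPs, 100 failed attempts each.
    for n in range(3):
        for j in range(100):
            events.append((j % 10, f"203.0.113.{n}", f"victim{n}_{j}", False))
    # Long tail: 700 attacking IPs (placeholder addresses), one failure each.
    for k in range(700):
        events.append((k % 10, f"10.{k // 250}.{k % 250}.1", f"tail{k}", False))
    return events

def failures_by_ip(events):
    return Counter(ip for _, ip, _, ok in events if not ok)

def top_n_coverage(events, n):
    """Share of failed logins that blocking the n noisiest IPs would stop."""
    counts = failures_by_ip(events)
    return sum(c for _, c in counts.most_common(n)) / sum(counts.values())

def long_tail_share(events, max_uses=2):
    """Share of failed logins coming from IPs seen at most max_uses times."""
    counts = failures_by_ip(events)
    return sum(c for c in counts.values() if c <= max_uses) / sum(counts.values())

def suspicious_minutes(events, max_fail_ratio=0.5, min_attempts=50):
    """IP-independent signal: minutes in which most login attempts fail."""
    attempts, failures = Counter(), Counter()
    for minute, _, _, ok in events:
        attempts[minute] += 1
        failures[minute] += not ok
    return sorted(m for m in attempts
                  if attempts[m] >= min_attempts
                  and failures[m] / attempts[m] > max_fail_ratio)

if __name__ == "__main__":
    ev = build_events()
    print("blocked by top 3 IPs:  ", top_n_coverage(ev, 3))
    print("blocked by top 100 IPs:", top_n_coverage(ev, 100))
    print("share from long tail:  ", long_tail_share(ev))
    print("minutes flagged by failure rate:", suspicious_minutes(ev))
```

In this sample, even a 100-entry block list stops well under half of the failed logins, while the failure-rate view flags every minute of the attack regardless of how many addresses it is spread across.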

The complexity of the computing environment has increased so fast that these statistics should come as no surprise, according to Song. To combat this, F5 treats security as multiple tiers of defense, covering everything from infrastructure up to application and API security.

“You can’t just say, I only worry about one cloud. You cannot say, I only worry about [virtual machines.] You really need to think of the entire app stack,” Song said. “It’s really important to think holistically of telemetry, visibility, so you can make better decisions for detection response.”

A primary goal for F5 is improving security without introducing a lot of friction, according to Woods, who believes the solution could come from collecting client-side signals rather than external validations.

“You interrogate the users, interactions, the browser, the device, the network, the environment, and you find things that are unique that can’t be spoofed,” he said.

(* Disclosure: F5 Inc. sponsored this segment of theCUBE. Neither F5 nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)