Akamai’s security advantage
According to Akamai’s Security CTO in APJ, Michael Smith, the basic premise of a content delivery network (CDN) is a deployment strategy that places your servers as close to the end user as possible.
What happens, then, if you combine the CDN with a web application firewall (WAF)? Smith believes it could drastically minimise the impact of peak loads without having to use the red button, and that this is a unique advantage Akamai has over on-premises security offerings.
Smith described, “Akamai’s Cloud Security Solutions are a suite of cyber security applications integrated into our industry leading web content and application delivery network.
“Our CDN and WAF are consumed as a cloud platform which gives the usual benefits of no CapEx, reduced time to integrate, on-demand scale, no outage to install, etc.”
Then, on top of the security offerings, come the CDN benefits, such as fault tolerance across different locations and an improved user experience.
WAF accuracy – reducing false positives, false negatives
Smith said, “We have a project that we’ve been working on lately with WAF accuracy. If you take an attack like SQL Injection, what you’re looking for in a WAF is SQL reserved words and characters.
“But some of those, such as “table”, “drop”, “alter”, a single quote (') and “as”, are in common English usage.”
In Akamai’s WAF solution, each of these words and characters carries a score reflecting the probability that it is part of an attack rather than ordinary usage.
Every match adds its score to a running total for SQL injection, and once that total exceeds a threshold the request is treated as an SQL injection attack.
“When you tune our WAF, you change the score for each of those to both reduce false positives—legitimate requests that get matched by WAF—and false negatives—malicious requests that get through WAF. We built a big-data solution—we call it Cloud Security Intelligence (CSI) —to take all of the hits from our WAF and analyse them.”
He also claims that this, together with testing WAF rules against large samples of legitimate web traffic from their customers to tune the default rule set, now gives Akamai the most accurate WAF on the market, one that customers can also customise.
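The scoring approach Smith describes, as an added example that is not Akamai's code: a small anomaly-scoring SQL injection rule in Python. Each matched token contributes a weight, the weights are summed per request, and the total is compared with a threshold. The patterns, weights, threshold and sample parameter values are all assumptions constructed for illustration; the point is that a tuning pass, which changes per-token scores rather than the rule logic, lowers a false positive on an English sentence while closing a false negative on a tautology.

```python
import re
from dataclasses import dataclass, field

# Assumed (illustrative) weights: how strongly each matched token suggests
# SQL injection rather than ordinary English. Keys are regular expressions.
DEFAULT_WEIGHTS = {
    r"\bunion\b": 3,
    r"\bselect\b": 3,
    r"\bdrop\b": 2,
    r"\balter\b": 2,
    r"\btable\b": 1,
    r"\bas\b": 1,
    r"'": 2,
    r";": 2,
    r"--": 3,
    r"\bor\b\s+\d+\s*=\s*\d+": 5,   # tautology such as "OR 1=1"
}
THRESHOLD = 6

# Weights after a tuning pass (also assumed): apostrophes and "drop" are
# common in English text, so they score lower; a numeric tautology almost
# never is, so it scores higher.
TUNED_WEIGHTS = {**DEFAULT_WEIGHTS,
                 r"'": 1,
                 r"\bdrop\b": 1,
                 r"\bor\b\s+\d+\s*=\s*\d+": 6}


@dataclass
class Verdict:
    score: int
    blocked: bool
    matched: list = field(default_factory=list)


def score_sqli(value, weights=DEFAULT_WEIGHTS, threshold=THRESHOLD):
    """Add the weight of every pattern match in `value`; block at threshold."""
    score, matched = 0, []
    for pattern, weight in weights.items():
        for _ in re.finditer(pattern, value, flags=re.IGNORECASE):
            score += weight
            matched.append(pattern)
    return Verdict(score, score >= threshold, matched)


# Constructed sample parameter values with the label a human reviewer
# would assign (True = attack). Not real traffic.
LABELLED = [
    ("Please drop the table by the window, as discussed", False),
    ("Don't alter the table, drop it", False),
    ("admin' OR 1=1 --", True),
    ("'; DROP TABLE users; --", True),
    ("1 OR 2=2", True),
]


def count_errors(weights=DEFAULT_WEIGHTS, threshold=THRESHOLD, samples=LABELLED):
    """Return (false_positives, false_negatives) of the rule over samples."""
    fp = fn = 0
    for value, is_attack in samples:
        blocked = score_sqli(value, weights, threshold).blocked
        fp += int(blocked and not is_attack)
        fn += int(is_attack and not blocked)
    return fp, fn


if __name__ == "__main__":
    for value, _ in LABELLED:
        v = score_sqli(value)
        print(f"{v.score:>3} {'BLOCK' if v.blocked else 'allow'}  {value!r}")
    print("default weights (fp, fn):", count_errors())
    print("tuned weights   (fp, fn):", count_errors(TUNED_WEIGHTS))
```

With the default weights the English sentence "Don't alter the table, drop it" scores 7 and is blocked (a false positive) while "1 OR 2=2" scores 5 and passes (a false negative); with the tuned weights the same inputs give 5 and 6 respectively, and the two injection payloads still score well above the threshold. In production the weights would be tuned against a large corpus of labelled traffic rather than five hand-written strings.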
That isn’t all.
The information from CSI is also used to build a client IP reputation service, which at the time of writing is in limited release. “We correlate and categorize the traffic matched by WAF into four categories: web attackers, DDoS attackers, web scrapers and scanning tools.”
Each IP address has a score from one to nine in each category, and customers can set a threshold per category above which traffic from that address is denied.
Smith explained that when they catch an IP address doing bad things, they raise its score by one for that category.
“If we don’t see them being malicious, then over time we reduce their score. IP reputation is a great way for customers to learn anonymously from their competitors and peers in the same industry, geography, etc to block known bad actors.”
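The reputation mechanism described above, as an added example that is not Akamai's code: a per-IP, per-category score clamped to the range one to nine, incremented by one on each malicious hit and decayed over quiet periods, with per-category deny thresholds set by the customer. The decay rate (one point per 24 hours without a hit), the category names as Python strings, the thresholds and the sample WAF hits are all assumptions constructed for this example; the IP addresses are from the documentation ranges and are not real actors.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CATEGORIES = ("web_attacker", "ddos_attacker", "web_scraper", "scanning_tool")
MIN_SCORE, MAX_SCORE = 1, 9
# Assumed decay rate: one point per full day without malicious activity.
DECAY_INTERVAL = timedelta(hours=24)


@dataclass
class Reputation:
    # raw score per category at the moment of the last malicious hit
    scores: dict = field(default_factory=lambda: {c: MIN_SCORE for c in CATEGORIES})
    # category -> timestamp of the last malicious hit in that category
    last_hit: dict = field(default_factory=dict)


class ReputationStore:
    def __init__(self):
        self.ips = {}

    def score(self, ip, category, now):
        """Effective score at `now`: raw score minus one per quiet decay period."""
        rep = self.ips.get(ip)
        if rep is None:
            return MIN_SCORE
        last = rep.last_hit.get(category)
        if last is None:
            return rep.scores[category]
        quiet_periods = max(0, (now - last) // DECAY_INTERVAL)
        return max(MIN_SCORE, rep.scores[category] - quiet_periods)

    def record_malicious(self, ip, category, when):
        """A WAF hit categorised as `category`: raise the score by one, capped."""
        rep = self.ips.setdefault(ip, Reputation())
        rep.scores[category] = min(MAX_SCORE, self.score(ip, category, when) + 1)
        rep.last_hit[category] = when


def build_store(hits):
    store = ReputationStore()
    for ip, category, when in sorted(hits, key=lambda h: h[2]):
        store.record_malicious(ip, category, when)
    return store


def deny_reason(store, ip, thresholds, now):
    """Return the first category whose score reaches the customer's threshold, else None."""
    for category in CATEGORIES:
        if store.score(ip, category, now) >= thresholds[category]:
            return category
    return None


# Constructed sample of categorised WAF hits (not real traffic).
T0 = datetime(2016, 1, 1, 0, 0)
SAMPLE_HITS = (
    [("203.0.113.7", "web_attacker", T0 + timedelta(hours=h)) for h in range(6)]
    + [("198.51.100.9", "web_scraper", T0),
       ("198.51.100.9", "web_scraper", T0 + timedelta(minutes=30))]
)

# Assumed customer policy: deny at these per-category scores.
CUSTOMER_THRESHOLDS = {"web_attacker": 7, "ddos_attacker": 6,
                       "web_scraper": 5, "scanning_tool": 4}


if __name__ == "__main__":
    store = build_store(SAMPLE_HITS)
    for when in (T0 + timedelta(hours=5), T0 + timedelta(hours=77)):
        for ip in ("203.0.113.7", "198.51.100.9"):
            scores = {c: store.score(ip, c, when) for c in CATEGORIES}
            print(when.isoformat(), ip, scores,
                  "deny:", deny_reason(store, ip, CUSTOMER_THRESHOLDS, when))
```

Six web-attack hits in five hours take 203.0.113.7 from the floor of 1 to 7, which meets this customer's web_attacker threshold; three days later with no further hits the effective score has decayed to 4 and the address is allowed again. Because the score is computed per category, a web scraper with a score of 3 in its own category is unaffected by a web_attacker threshold, which is what lets a customer tolerate scraping while blocking attackers, or the reverse.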
A Customer Security Incident Response Team also constantly monitors customer alerts to learn about new attacks. Advisories are issued along with new WAF rules or other controls to help customers protect themselves from those attacks.
According to Smith, they had learned some years ago that their customers were having a hard time finding security operations people with web application security skills.
“These people are rare and usually expensive. So we started offering a managed WAF product that provides monitoring, emergency support, and ongoing maintenance.
“We also offer a Rule Update Service that performs just the ongoing maintenance. Both of these are a good and cost-effective way for customers to get the expertise that they need and can’t find or to augment their existing capabilities,” Smith said in conclusion.