TRANSCRIPT
Akamai Security Summit World Tour | <Location>
Start Your Zero Trust Security Journey in the Cloud
Richard Meeus, EMEA Director of Security Technology & Strategy @ Akamai
Retail Attacks and API Traffic
[state of the internet] / security
© 2019 Akamai | Confidential
Credential Abuse per Day, May – December 2018 (chart; values not recoverable)
ANATOMY OF INVENTORY THEFT: Example from a Top Retailer
11,198 bot requests / second
248 human requests / second
©2018 AKAMAI | FASTER FORWARD™
Online retailer with high-profile sales events with high demand, limited-edition goods being hoarded by bots
Human requests: 130,914,857
Bot requests: 501,907,868
IP addresses: 1,806,348
ASNs: 31,084
User agents: 94,668
THE LARGEST transactional bot attack ever seen
“To say we’re under attack would be an understatement. I can’t stress enough the game-changing impact Bot Manager Premier, and Akamai security solutions as a whole, have made for us.”
Wide-ranging impacts of credential stuffing (bar chart on a 0–100 scale; bar values not recoverable)
• Application downtime from large spikes in login traffic
• Cost to remediate compromised attacks
• Lower customer satisfaction
• Compromised accounts leading to fraud-related losses
• Lost business due to customers switching to competitors
• Damaged brand equity from news stories or social media
• Other
FINANCIAL IMPACT: Ponemon Institute – The Costs of Credential Stuffing
Amount of money lost to fraud per compromised account (pie chart). Segments: Less than $100; $100 to $500; $501 to $1,000; $1,001 to $5,000; More than $5,000. Segment values: 25%, 29%, 22%, 14%, 10% (segment-to-label pairing not recoverable from the extraction).
Number of accounts targeted per credential stuffing attack (pie chart). Segments: 1 to 100; 101 to 500; 501 to 1,000; 1,001 to 5,000; More than 5,000. Segment values: 19%, 35%, 28%, 11%, 7% (pairing not recoverable).
Annualized cost figures (bar chart). Labels: Prevention, detection, and remediation; Downtime; Customer churn; Other annualized costs related to credential stuffing. Values: $1,628,185, $1,726,388, $2,673,648 (pairing not recoverable).
Source: Ponemon—The Cost of Credential Stuffing, Oct 2017
Credential Abuse Attempts by Vertical, May – December 2018 (chart; values not recoverable)
Credential Abuse, Retail Organizations by Type, May – December 2018 (chart; values not recoverable)
Top 5 Credential Abuse Source Countries
There is no silver bullet for credential stuffing; you need multiple levels of defence:
• Bot solution & Web application firewall
Things you can do on your website:
• Implement a robust IAM solution; OWASP has great suggestions
• Make MFA mandatory, but not via SMS text
• Do not allow email addresses as usernames for authentication
• Add a third informational proof element to login pages, such as customer ID or last name
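The following is an added example (not code from the presentation or from Akamai) that implements the three site-side defences in the list above in one login check: MFA through an authenticator-app code (TOTP per RFC 6238, so no SMS), a username policy that refuses email addresses, and a third proof element (a customer ID) verified alongside the password. The user store, the salt, the customer ID and the password are constructed values; the TOTP key is the RFC 4226/6238 test key, used only so the codes can be checked against the published vectors.

```python
"""Login check applying the site-side credential-stuffing defences:
non-email usernames, mandatory app-based MFA (TOTP), and a third proof element.
Added example with a constructed user store; not Akamai's code."""
import hashlib
import hmac
import re
import struct
import time
from typing import Optional, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def username_allowed(username: str) -> bool:
    """Reject email-shaped usernames. Leaked credential lists are keyed by
    email, so an email username hands a stuffing bot half of the pair."""
    return bool(username) and EMAIL_RE.match(username) is None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (assumed data, not real).
SALT = b"constructed-salt"
USERS = {
    "jsmith42": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "customer_id": "C-10442",
        "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test key
    }
}


def verify_login(username: str, password: str, customer_id: str, otp: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Evaluate every factor before answering, so neither the message nor the
    response time tells a bot which factor was wrong."""
    if not username_allowed(username):
        return False, "usernames must not be email addresses"
    user = USERS.get(username)
    if user is None:
        hash_password(password, SALT)  # same work as a real user: no timing oracle
        return False, "invalid credentials"
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    id_ok = hmac.compare_digest(customer_id.encode(), user["customer_id"].encode())
    # Accept the current 30-second step and the previous one to absorb clock drift.
    t = int(time.time()) if now is None else now
    otp_ok = any(
        hmac.compare_digest(otp.encode(), totp(user["totp_secret"], at=t - drift).encode())
        for drift in (0, 30)
    )
    if pw_ok and id_ok and otp_ok:
        return True, "ok"
    return False, "invalid credentials"


if __name__ == "__main__":
    # Fixed time 59 s makes the RFC 6238 vector (code 287082) the valid OTP.
    print(verify_login("jsmith42", "correct horse battery staple", "C-10442", "287082", now=59))
    print(verify_login("jsmith@example.com", "correct horse battery staple", "C-10442", "287082", now=59))
```

The three factors are checked independently and the failure message is the same for a wrong password, wrong customer ID or wrong code, which is what keeps the third proof element from becoming a second enumeration target.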
Rise of API Traffic, By Content Type (chart; series shown: application/json, application/xml, text/html, text/xml; values not recoverable)
API Hits by Vertical and Organization (Millions) (chart; market segments shown: Commerce, Enterprise, Gaming, High Tech, M&E, Media, Other, Public Sector; values not recoverable)
API Traffic by User Agent
Healthy device, healthy credentials, healthy app
Cyber Kill Chain
Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Action

OBJECTIVES
Reconnaissance:
• Identify target organization
• Identify individuals
• Whaling or Trawling?
Weaponization:
• Build C2 infrastructure
• Build phish target
• Create fake email accounts
Delivery:
• Send phishing emails
• Compromise machine with payload for users who have clicked link
• Wait until machine is connected to corporate network
Exploitation:
• Scan network for machines with known vulnerabilities
• Traverse network and elevate privilege
Action:
• Exfiltrate data

SOLUTIONS
Threat Protection:
• Ensures users are protected from accidentally clicking on link
Threat Protection:
• Blocks traffic being sent to C2 nodes
Application Access:
• Massively reduces visibility into network
• Blocks East-West movement
Users & Apps Have Left The Building
(Diagram) CORP NET with two DCs; users at the Office and at a Cafe; apps spread across IaaS, SaaS and The Web: App #1, App #2, App #3 … App #n. No VPN = No Security.
● Complex
● Slow
● High Risk
“As businesses monetize information and insights across a complex business ecosystem, the idea of a corporate perimeter becomes quaint - even dangerous.”
Excerpt from Forrester’s Future-Proof your Digital Business with Zero Trust Security
(quaint: odd, peculiar, or inappropriate)
Trust In The Corporate Network Is Not Inherent
Traditional Trust Model (network diagram): Internet, External User, External Firewall, then Outer DMZ, Inner DMZ and Intranet with a Firewall between zones. Components shown: Front End, HWLB, Web Servers, LDS (Domain Bound Servers), Index, Query, Application, Central Administration Servers, SQL Server, Active Directory, Internal User. Ports shown: 443; 53 and 443.
Perimeter Network: Not Trusted. Internal Network: Trusted.
Trust In The Corporate Network Is Not Inherent
Zero Trust Model (same network diagram: Internet, External User, External Firewall, Outer DMZ, Inner DMZ, Intranet; Front End, HWLB, Web Servers, LDS (Domain Bound Servers), Index, Query, Application, Central Administration Servers, SQL Server, Active Directory, Internal User; ports 443 and 53 and 443).
Perimeter Network: Not Trusted. Internal Network: Not Trusted.
That Idea & Zero Trust Are Catching On
https://www.usenix.org/conference/enigma2018/presentation/hildebrandt
It’s time to move security controls to the Edge
Where can this take us?
• Internet is the corporate network
• Every office is a hotspot
• All apps feel like SaaS apps
Acceleration and Secured Delivery With Zero Trust
(Diagram) Secure Edge: Identity Aware Proxy. NO DMZ. INFRASTRUCTURE: CONNECTORS, INTERNAL ORIGINS.
Improved user experience over VPN
• Simple
• Faster
Enhanced Security
Reduced Infrastructure
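The following is an added example (not code from the presentation or from Akamai's product) showing the access decision that distinguishes the two trust models on the earlier slides and the "Application Access" row of the kill-chain slide: the traditional model admits any request that arrives from the corporate network, while an identity-aware proxy decides per request on identity with MFA, group membership and device health (the "healthy device, healthy credentials, healthy app" triad), never on source address, and answers "unknown" for apps it does not publish. The corporate ranges, application policy table, group names and device-posture fields are assumptions made for the example.

```python
"""Per-request decision of an identity-aware proxy next to the perimeter check
it replaces. Added example; policy shape and field names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed corporate address space (RFC 1918 ranges used as a stand-in).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed per-app policy: who may reach the app and whether a managed device is required.
APP_POLICY = {
    "hr-portal": {"groups": {"hr", "it-admin"}, "require_managed_device": True},
    "wiki": {"groups": {"staff"}, "require_managed_device": False},
}


@dataclass(frozen=True)
class Request:
    app: str
    src_ip: str
    user: Optional[str] = None            # identity from the proxy's IdP session, if any
    groups: FrozenSet[str] = frozenset()  # group claims carried with that identity
    mfa: bool = False                     # session was established with a second factor
    device_managed: bool = False          # device posture signals presented to the proxy
    device_patched: bool = False


def traditional_decision(req: Request) -> bool:
    """Perimeter model: whatever sits on the corporate network is trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in CORP_NETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Identity-aware proxy: source network is never consulted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown app"  # unpublished apps are not visible through the proxy
    if req.user is None or not req.mfa:
        return False, "no authenticated identity with MFA"
    if not (req.groups & policy["groups"]):
        return False, "not authorised for app"
    if policy["require_managed_device"] and not (req.device_managed and req.device_patched):
        return False, "device posture"
    return True, "allow"


# Constructed requests (sample data, not captured traffic).
LATERAL = Request(app="hr-portal", src_ip="10.1.2.3")  # on the LAN, no identity at all
CAFE_HR = Request(app="hr-portal", src_ip="203.0.113.7", user="amy",
                  groups=frozenset({"hr", "staff"}), mfa=True,
                  device_managed=True, device_patched=True)
BYOD_HR = Request(app="hr-portal", src_ip="203.0.113.7", user="amy",
                  groups=frozenset({"hr", "staff"}), mfa=True)
BYOD_WIKI = Request(app="wiki", src_ip="203.0.113.7", user="amy",
                    groups=frozenset({"hr", "staff"}), mfa=True)


def compare(req: Request) -> Tuple[bool, Tuple[bool, str]]:
    """Return (perimeter verdict, zero-trust verdict) for the same request."""
    return traditional_decision(req), zero_trust_decision(req)


if __name__ == "__main__":
    for name, req in [("lateral", LATERAL), ("cafe_hr", CAFE_HR),
                      ("byod_hr", BYOD_HR), ("byod_wiki", BYOD_WIKI)]:
        print(name, compare(req))
```

The first constructed request is the one the kill-chain slide's "traverse network" step relies on: a machine that is merely inside the corporate network. The perimeter check admits it; the proxy refuses it for lack of an identity, which is the "blocks East-West movement" effect. The cafe request shows the reverse: a verified person on a healthy device is admitted from anywhere, so there is no VPN step to slow the user down.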
A NEW PARADIGM: What the edge offers for security
STRATEGIC PLATFORM: Surrounds your applications, infrastructure, and people and enforces consistent security policy at a global scale
• Industry’s largest capacity—over 80 Tbps
• Massively distributed—2,400 global points of presence
A NEW PARADIGM: What the edge offers for security
VISIBILITY into ATTACKS: Keeps up with the latest threats with visibility into billions of attacks daily
• 2 trillion DNS requests
• 1.3 billion client devices
• 178 billion application attacks