Akamai Security Summit World Tour | <Location>1

Start Your Zero Trust Security Journey

in the CloudRichard Meeus

EMEA Director of Security Technology & Strategy @ Akamai

Akamai Security Summit World Tour | <Location>2

Retail Attacks and API Traffic

[state of the internet] / security

Akamai Security Summit World Tour | <Location>3

© 2019 Akamai | Confidential4

Credential Abuse per DayMay – December 2018

Akamai Security Summit World Tour | <Location>55

ANATOMY OF INVENTORY THEFTExample from a Top Retailer

11,198 bot requests / second

248 human requests / second

©2018 AKAMAI | FASTER FORWARDTM

Online retailer with high profile sales

events with high demand, limited edition

goods being horded by bots

Human requests

130,914,857

Bot requests

501,907,868

IP addresses

1,806,348

ASNs

31,084

User agents

94,668

THE LARGESTtransactional bot attack ever seen

“To say we’re under attack would be an understatement. I can’t

stress enough the game-changing impact Bot Manager

Premier, and Akamai security solutions as a whole, have made

for us.”

Akamai Security Summit World Tour | <Location>66

Wide-ranging impacts of credential stuffing

0 10 20 30 40 50 60 70 80 90 100

Application Downtime from large spikes in logintraffic

Cost to remediate compromised attacks

Lower customer satisfaction

Compromised accounts leading to fraud-relatedlosses

Lost business due to customersswitching tocompetitors

Damaged brand equity from news stories orsocial media

Other

Akamai Security Summit World Tour | <Location>77

Amount of money lost to fraud

per compromised account

25%29%

22%

14%10%

Lessthan$100

$100 to$500

$501 to$1,000

$1,001to

$5,000

Morethan

$5,000

FINANCIAL IMPACTPonemon Institute – The Costs of Credential Stuffing

Number of accounts targeted

per credential stuffing attack

19%

35%

28%

11%7%

1 to 100 101 to500

501 to1,000

1,001 to5,000

Morethan5,000

Ponemon—The Cost of Credential Stuffing, Oct 2017

$1,628,185

$1,726,388

$2,673,648

Prevention, detection, and remediation

Downtime

Customer churn

Other annualized costs related to

credential stuffing

Akamai Security Summit World Tour | <Location>88

Credential Abuse Attempts by VerticalMay – December 2018

Akamai Security Summit World Tour | <Location>99

Credential Abuse Retail Organizations by Type May – December 2018

Akamai Security Summit World Tour | <Location>1010

Top 5 Credential Abuse Source Countries

Akamai Security Summit World Tour | <Location>11

No silver bullet to address credential stuffing, need multiple levels of defence:

• Bot solution & Web application firewall

Things you can do on your website:

• Implement a robust IAM solution; OWASP has great suggestions

• Make MFA mandatory. but not via SMS text

• Not allow email addresses as usernames for authentication

• Add a third informational proof element to login pages, such customer ID or last name

Akamai Security Summit World Tour | <Location>12

Rise of API TrafficBy Content Type

application/json

application/xml

text/html

text/xml

Akamai Security Summit World Tour | <Location>1313

API Hits Vertical and Organization (Millions)

Commerce

Enterprise

Gaming

High Tech

M&E

Media

Other

Public Sector

Market Segment

Akamai Security Summit World Tour | <Location>14

API Traffic by User Agent

Akamai Security Summit World Tour | <Location>15

Akamai Security Summit World Tour | <Location>16

© 2019 Akamai | Confidential17

© 2019 Akamai | Confidential18

Healthy device Healthy credentials

Healthy app

© 2019 Akamai | Confidential19

Akamai Security Summit World Tour | <Location>20

Akamai Security Summit World Tour | <Location>2121

Cyber Kill Chain

Reconnaissance Weaponization Delivery Exploitation Action

Threat Protection

• Ensures users are protected

from accidentally clicking on

link

Threat Protection

• Blocks traffic being sent to

C2 nodes

• Identify target

organization

• Identify individuals

• Whaling or Trawling?

• Build C2 infrastructure

• Build phish target

• Create fake email

accounts

✔

• Scan network for

machines with known

vulnerabilities

• Traverse network and

elevate privilege

• Exfiltrate data

OB

JE

CT

IVE

SS

OL

UT

ION

S

• Send phishing emails

• Compromise machine

with payload for users

who have clicked link

• Wait until machine is

connected to corporate

network

Application Access

• Massively reduces visibility

into network

• Blocks East-West movement

Akamai Security Summit World Tour | <Location>2222

Users & Apps Have Left The BuildingCORP NET

Office

No VPN =

No Security

Cafe

IaaS

SaaS

The WebApp #1 App #2

App #3 App #n

● Complex

● Slow

● High RiskDC

DC

© 2019 Akamai | Confidential23

“As businesses monetize information and insights across a complex business ecosystem, the idea of a corporate perimeter becomes quaint - even dangerous.”

Excerpt from Forrester’s Future-Proof your Digital Business with Zero Trust Securityodd, peculiar, or

inappropriate

Akamai Security Summit World Tour | <Location>24

Internet

External

User External

Firewall

Active

Directory

Front

End

443

53 and 443Internal

User

SQL

Server

Index, Query, Application,

Central Administration

Servers

Web

Servers

HWLB

FirewallFirewall

LDSLDS

(Domain Bound Servers)

Outer DMZ Inner DMZ Intranet

Internal NetworkPerimeter

Network

Traditional Trust Model TrustedNot

Trusted

Trust In The Corporate Network Is Not Inherent

Akamai Security Summit World Tour | <Location>25

Trust In The Corporate Network Is Not Inherent

Internet

External

User External

Firewall

Active

Directory

Front

End

443

53 and 443Internal

User

SQL

Server

Index, Query, Application,

Central Administration

Servers

Web

Servers

HWLB

FirewallFirewall

LDSLDS

(Domain Bound Servers)

Outer DMZ Inner DMZ Intranet

Internal NetworkPerimeter

Network

Zero Trust Model Not

TrustedNot

Trusted

© 2019 Akamai | Confidential26

That Idea & Zero Trust Are Catching On

https://www.usenix.org/conference/enigma2018/presentatio

n/hildebrandt

© 2019 Akamai | Confidential27

It’s time to move

security controls

to the Edge

© 2019 Akamai | Confidential28

Where can this take us?

• Internet is the corporate network

• Every office is a hotspot

• All apps feel like SaaS apps

Akamai Security Summit World Tour | <Location>29

Acceleration and Secured Delivery With Zero Trust

Secure Edge Identity Aware

Proxy

NO DMZ

INFRASTRUCTURECONNECTORS,

INTERNAL ORIGINS

Improved user

experience over VPN

• Simple

• Faster

Enhanced Security

Reduced

Infrastructure

A NEW PARADIGMWhat the edge offers for security

STRATEGIC PLATFORMSurrounds your applications, infrastructure, and people and enforces consistent security policy at a global scale

Industry’s largest capacity—over 80 Tbps

Massively distributed—2,400 global points of presence

A NEW PARADIGMWhat the edge offers for security

VISIBILITY into ATTACKSKeeps up with the latest threats with visibility into billions of attacks daily

2 trillion DNS requests

1.3 billion client devices

178 billion application attacks

© 2019 Akamai | Confidential32

© 2019 Akamai | Confidential33

© 2019 Akamai | Confidential34 © 2019 Akamai | Confidential3

4