Transcription
Akamai Security Products
Key Areas of Cloud Security for AkamaiProtect Web AvailabilityInternet Infrastructure SecurityRemove Credit CardsPayment TokenizationWeb Application FirewallApplication Security 2011 AkamaiPowering a Better Internet
The Akamai EdgePlatformDaily Web traffic of over 4 Tbps 85,000 Servers 1,700 Locations 900 Networks 70 Countries Compliance/Security: PCI Compliant SSL (Data) Distributed WAF (Apps) Edge Tokenization (Payments) 2011 AkamaiPowering a Better Internet
DDoS Attacks on the Rise74% of surveyed companies experienced one or more DDoSattacks in the past year, with 31% of these attacks resulting inservice disruption Forrester July 2009―The Akamai network saw more DDoS attacks in the fourthquarter of 2010 than in the first three quarters of the yearcombined so as companies continue to push business-criticaldata and operations into the cloud, the need to protect theseassets from the growing number and increasing sophistication ofWeb attacks increases dramatically.‖ Akamai chief scientist and co-founder, Tom Leighton 2011 AkamaiPowering a Better Internet
Holiday Season 2010 – Coordinated DDoSAttacked IR50-250 eCommerce Web Sites Protected by AkamaiEstimated Potential Lost Revenue Impact 15 millionTimes Above NormalCustomer #1PROTECTEDPeak AttackTimeUS Customer #19,095x11/30US Customer #25,803x12/1US Customer #33,115x11/30US Customer #42,874x12/1US Customer #51,807x12/1Customer #2Highly distributed DDoS attacks from Asia-Pac,South America and Middle EastCustomer #3 2011 AkamaiPowering a Better Internet
One Customer, Different DDoS AttacksAttacked Top IR150 eCommerce Web Site Protected by AkamaiEstimated Potential Lost Revenue Impact 350,000PROTECTED#1Times AboveNormal PagesTimeAttack #1300xNov 18, 2010Attack #235xJan 14, 2011#2Attack#1 – Highly distributed, no recognizable patternAttack#2 - Highly distributed, concentration from EasternEurope – Russian Federation, Greece, Ukraine, Belarus,Latvia, KazakhstanPeak DDoS traffic of 300 Mbps#2 2011 AkamaiPowering a Better Internet
Korean Gaming CompanyMulti-Phase, Varying Signature Attack - Protected by AkamaiEstimated Unique Customers Impacted 1,500Estimated Missed Advertising Impressions 36,000PROTECTEDGaming SiteTimes AboveNormal Pages33xTimeJan 3 2011Phase#1 – repeated requests for non-existing objectPhase#2 – malformed HTTP requests w/o user-agents#1#2Attack traffic directed from South Korea 2011 AkamaiPowering a Better Internet
DDoS Mitigation with AkamaiWeb n 2011 AkamaiEnd UserPowering a Better Internet
Akamai Unveils New Architecture for DDoSDDoS specialists to assess infrastructureand develop a run-time playbookDoS ReadinessCustomer Support24/7 support with a response SLAIdentification of suspected BOTs from realusers to de-prioritize or blockUser ValidationGlobal Traffic ManagementBlocking of traffic by geographic regioneDNS w/DNSSECScalable protection for Domain NameSystem (DNS) attacksWeb Application FirewallWeb application firewalling at Layer 7(application layer)IP Blocking & Rate ControlAbility to cloak web infrastructure from theInternetSite ShieldCapped exposure to bursting fees related toan attackFee ProtectionAdvanced Caching, NetStorage Failover 2011 AkamaiIP blocking & rate limiting capabilities atnetwork layerAkamai’s edge absorbs traffic and canfailoverPowering a Better Internet
Key Areas of Cloud Security for AkamaiProtect Web AvailabilityInternet Infrastructure SecurityRemove Credit CardsPayment TokenizationWeb Application FirewallApplication Security 2011 AkamaiPowering a Better Internet
Application Layer ThreatsState of Application Security95% of corporate Web Apps have severe vulnerabilities Average enterprise website has 13 serious security vulnerabilities1 The average time-to-fix for large organizations is 15-weeks1Over 95% of corporate webapplications have severevulnerabilitiesWhy? Competition drives website innovation and complexity Migration of enterprise apps to the Web, outside firewall Introduction of many new technologies for programmers1WhiteHatWebsite Security Statistic Report— Fall 2010, 2 Aberdeen Group, 2010 2011 AkamaiPowering a Better Internet
Akamai’s Web Application FirewallLaunched in Jan’10 — distributed in the cloudHelping customers comply with Payment Card Industry — DataSecurity Standard (PCI-DSS) Web Application Firewall for PCI Section 6.6Provides on-demand scalable protection from malicious Webapplication attacks such as cross site scripting (XSS) and SQL injectionstyle attacks Example: eCommerce customer, 1-week 11 billion requests processed (110K/sec peak) Successfully alerted or blocked more than 8 million rules in a single week 2011 AkamaiPowering a Better Internet
Akamai Web Application FirewallWeb Application Firewall adds Layer7 & fast IP blocking IP blacklist/whitelist changes in 30-45 minutes Avoid Layer7 DDoS and injections Akamai WAF addresses PCI DSS 6.6 Compliance 2011 AkamaiPowering a Better Internet
Akamai Adds New Protection from Layer7(Application Layer) AttacksAddition of custom rules at the edge Augments existing core rule setPartnership with Qualys for vulnerability scanning Used by Akamai PS to populate WAF with customer specific rules andvirtual patching for web sites ―Partnering with Akamai was a clear choice for us, especially as moresecurity moves to the cloud. We look forward to helping enterprisecustomers with our vulnerability solutions in order to increase their defensesagainst malicious web activity.‖ - Philippe Courtot, CEO of QualysConfigurable IP rate limiting in the cloud Offloads unwanted bandwidth from BOT’s and scrapers 2011 AkamaiPowering a Better Internet
Key Areas of Cloud Security for AkamaiProtect Web AvailabilityInternet Infrastructure SecurityRemove Credit CardsPayment TokenizationWeb Application FirewallApplication Security 2011 AkamaiPowering a Better Internet
Edge TokenizationPCI ChallengesPCI rules govern any card information stored or processed in themerchant infrastructure. Level 1, Level 2 merchants need to undergo audits, scans Level 3 and Level 4 need to fill in questionnaireCosts for audit can be substantial, costs for breach can putcompanies out of business.Number of cardtransactions/year 2011 AkamaiAverage PCI AuditPreparation Expense*Level 1 MerchantMore than 6 Million 2.1MLevel 2 Merchant1 Million to 6 Million 1.1MPowering a Better Internet*Source: Gartner 2008 —numbers exclude PCI assessmentcosts
Akamai’s SolutionAkamai Operates the First PCI Compliant CDNSecure SSL Delivery — Akamai’s Dedicated SSL Network 2011 AkamaiServers placed in PCI compliant facilitiesStrict access proceduresLogs of physical entry and camerasKey Management InfrastructurePII decryption in memory only, never on diskAnnual audit to ensure PCI compliancePowering a Better Internet
Edge TokenizationHow it WorksPayment Gateway’sData VaultPayment GatewayCustomerDatacenterMerchant OrderManagementSystem 2011 AkamaiPowering a Better Internet
Benefits Reduces PCI scope for online transactions Leverages Akamai’s Level 1 PCI Compliant Network Enables web retailers to transact securely and at scale Tight integration with leading payment gateway providers Preserves Payment Gateway functionality Credit card data is never stored on customer infrastructure Easily integrates into existing workflow Accelerates critical commerce transactions on Akamai’s highperformance and highly resilient EdgePlatform 2011 AkamaiPowering a Better Internet
Key Areas of Cloud Security for AkamaiProtect Web AvailabilityInternet Infrastructure SecurityRemove Credit CardsPayment TokenizationWeb Application FirewallApplication Security 2011 AkamaiPowering a Better Internet
Used by Akamai PS to populate WAF with customer specific rules and virtual patching for web sites ―Partnering with Akamai was a clear choice for us, especially as more security moves to the cloud. We look forward to helping enterprise customers with our vulnerability solutions in
