| Intelligent Edge Security | © 2019 Akamai
Security That Starts Again from the Edge
A new paradigm for protecting businesses from Internet-facing threats
Akamai Intelligent Edge Security
Akamai Technologies Korea Office
백용기, Managing Director
March 7, 2019
TWO DECADES IN SECURITY
But security remains a persistent challenge
[Timeline figure, 1998 to 2019. Year markers: 1998, 1999, 2003, 2008, 2010, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019]
Milestones shown on the timeline:
● Akamai founded
● NOMINUM founded
● Authoritative DNS launched
● Prolexic founded
● Origin obfuscation launched
● Cloud Security Intelligence developed
● XEROCOLE founded
● Integrated WAF + DDoS launched
● Curated WAF ruleset developed
● SOHA Systems founded
● Managed WAF service introduced
● Bot management introduced
● Client Reputation launched
● Credential abuse mitigation introduced
● Secure application access introduced
● Malware & Phishing Protection introduced
● Akamai introduces first cloud WAF
● Janrain
● First SQLi attack
● 5M+ SQLi attacks/day
WHY IS SECURITY SO HARD?
Everything is changing faster than you can respond
[Diagram: YOU, surrounded by People, Process, Tools]
Changing threat landscape
● Web attacks
● Bot attacks
● Malware
● Web fraud
● Network intrusion
● DDoS attacks
● Credential stuffing
● Social / phishing
Shifting attack surface
● More apps, changing faster
● New technologies
● 3rd-party / open source code
● Migration to APIs
● Cloud computing
● Dissolving perimeter
● Changing workforce
● Corporate M&A
Industry mega-trends
● Digital transformation
● Mobile adoption
● Cloud adoption
● Regulatory compliance
● Internet of Things
WHAT THAT MEANS FOR YOU
Challenges to your security posture
INCREASED RISK
The probability and business impact of cyber attack is higher, while confidence in your ability to respond is lower than ever before
● Can’t keep up with the evolving threat landscape
● Traditional corporate perimeter is broken
● Potential impact of attacks on apps and IT assets going up
HIGH COMPLEXITY
Rapid and constant change in the assets that you are responsible for protecting is reducing your ability to do so
● Expanding but poorly understood attack surface
● Apps in multiple places (DC + Cloud) with inconsistent security posture
● Not enough visibility into everything that’s happening
LESS AGILITY
Ability of security organizations to respond to the needs of business partners is declining
● Not moving as fast as the business you support
● Constantly responding to fires; not being strategic
SECURITY SKILLS GAP
Why you cannot address those challenges
● 25% of security leaders listed lack of trained personnel as their top hindrance. (Source: Cisco 2017 Annual Security Report)
● 40% of security leaders spend most of their time focused on critical threats. (Source: Dark Reading, "Cybersecurity Staffing Shortage Tied to Cyberattacks, Data Breaches")
● 1.5 million: Frost & Sullivan estimated security workforce shortage by 2020. (Source: Frost and Sullivan study)
Biggest Skills Gaps
● Ability to understand the business: 52%
● Technical Skills: 25%
● Communications Skills: 17%
46%: FEWER THAN HALF of leaders are confident in their teams’ ability to handle anything beyond simple cyber incidents. (Source: Data science central, 2018)
A NEW PARADIGM
What the edge offers for security
STRATEGIC PLATFORM
Surrounds your applications, infrastructure, and people and enforces consistent security policy at a global scale
● Capacity way beyond any single provider
● Massively distributed global security perimeter
● Instant mitigation of terabit-scale attacks (Tbps)
VISIBILITY into ATTACKS
Keeps up with the latest threats (so you don’t have to) with visibility into billions of attacks DAILY
● 2.2 trillion DNS requests
● 1.3 billion client devices
● 178 billion application attacks
ADAPTS to BUSINESS
Protects your apps, infrastructure, and people anywhere: in your Offices and Data Centers, in the Cafe, or in the Cloud
● Global presence and availability
● On-premises, hybrid cloud, or multi-cloud
● On-net or off-net
EDGE SECURITY
Protecting your business from the edge
APPs & APIs: Protect Internet-facing apps and APIs deployed anywhere, in your data centers or in the public cloud
CREDENTIAL ABUSE: Protect customer accounts from bot attacks and reduce fraud-related financial losses
ZERO TRUST: Control corporate application access and protect users from targeted threats
Capabilities shown:
● DDoS protection
● Web application firewall
● Identity management
● Secure app access
● DNS
● Malware prevention
● Bot management
● Credential stuffing
● API governance
● Client reputation
● Ransomware prevention
EDGE SECURITY
Security without compromise
[Same three areas (APPs & APIs, CREDENTIAL ABUSE, ZERO TRUST) and the same capabilities as above, with Application acceleration added]
A Complete Edge Security Portfolio
Adaptive threat and access protection with identity management to combat fraud
Protect your apps & APIs | Protect your infrastructure | Protect your people
● WAF: Advanced WAF with API protection, client reputation & managed options
● Bot Management: Machine learning to manage bots & protect against credential abuse
● API Gateway: Governance to manage access, authentication & rate controls for API access
● Identity Cloud: Secure Customer Identity and Access Management
● DDOS Mitigation: Managed volumetric DDoS protection
● Secure DNS: Scalable authoritative DNS service with DDoS protection
● Application Access: Simple, unified & secure corporate application access
● Threat Protection: Malware protection using recursive DNS & Cloud Security Intelligence
Users & Applications Are Moving Outside
They have left the building!
Users
● Mobile
● Digital ecosystem
● Global distribution
● Remote workers
Applications
● IaaS & SaaS
● Hybrid
● Inconsistent visibility, security & control
● Confusing end-user experience
No VPN = No Security
▪ Complex
▪ Slow
▪ High Risk
[Diagram labels: App #1, App #2, App #3, Cafe, Home, IaaS, SaaS, The Web]
Threats Are Moving Inside
Targeted attacks are more common
● Security architecture vulnerabilities leveraged in complex attacks
● Malware, phishing & data exfiltration
● Credential theft
● Single factor authentication
● Lateral network movement
[Diagram labels: App #1, App #2, App #3]
There is no INSIDE
Zero Trust is not a product - it’s a security model*
Zero Trust is the new approach
Key principles:
● The network is always assumed to be hostile.
● External and internal threats exist on the network at all times.
● Network locality is not sufficient for deciding trust in a network.
● Every device, user, and network flow is authenticated and authorized.
● Policies must be dynamic and calculated from as many sources of data as possible.
Access to Enterprise Apps: Traditional Architectures
[Diagram labels: User, Client, VPN, Firewall, Application Access Control, App 1, App 2, App 3, shown once for the Datacenter and once for AWS/Azure. Each site carries its own stack: Global LB, DDoS, FW/IPS, RAS/VPN, WAN Opt, Internal LB, MFA, DMZ]
High Cost
● Buy, Deploy, Manage
User Experience
● Slow – depends on location of apps, users accessing from various locations and number of VPN gateways
● Inconsistent – Different on-prem and off-net experience
Complex
● Many DMZs, Site-to-Site VPNs
Different Approaches To Implement Zero Trust
Network centric or identity centric?
Option #1: Network Segmentation
Option #2: Software Defined Perimeters
Option #3: Identity Aware Proxies
Network Segmentation
Advantages
● Great for Protection from East-West lateral movement
Drawbacks
● Fragile
● Operational nightmare to maintain
● Expensive
● Shared resources used by entire Enterprise
● Even more complex to implement in hybrid IaaS/ On-prem
● Often implemented within Corp WAN
Software Defined Perimeter
Advantages
● Familiar: Most Similar to legacy Remote Access VPN
● Relatively Fast to Eliminate VPN
Drawbacks
● Limited Architecture: A tunnel is just a tunnel
● Service Insertion not possible due to tunnel architecture
● Push Complexity with Legacy Auth down to Each Application
Identity Aware Proxy (IAP)
• Cloud-based Proxy architecture
• Identity verification and authorization occur in the cloud based on least access principles
• Unlike SDP, which uses tunnels, IAP provides access to applications, whitelisted for authenticated and authorized users, at the application layer (Layer 7) using standard HTTPS or WebSockets over TLS
• Trusted Identity Store to verify users and devices before allowing them access to applications.
• Cloak the applications and assets in the cloud or behind the firewall
• Clientless for Web apps
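The per-request decision an identity-aware proxy makes under the Zero Trust principles and IAP properties listed above, as an added example in Python (not Akamai's code or API). The policy model, application names, groups and IP addresses are constructed for illustration; the source address is logged but never used to grant access.

```python
from dataclasses import dataclass
from typing import Optional

# Every name and value here is constructed for illustration.

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset           # who is authorised for this one app
    require_device_cert: bool = False   # trusted-device layer (optional)
    require_mfa: bool = False           # verified-individual layer (optional)

@dataclass(frozen=True)
class Request:
    app: str
    source_ip: str                      # logged only, never grants trust
    user: Optional[str] = None          # set once the IdP has authenticated
    groups: frozenset = frozenset()
    device_cert_ok: bool = False
    mfa_ok: bool = False

POLICIES = {
    "wiki": AppPolicy(frozenset({"staff"})),
    "payroll": AppPolicy(frozenset({"finance"}),
                         require_device_cert=True, require_mfa=True),
}

def decide(req, policies=POLICIES):
    """Return (decision, reason); decision is allow, step_up or deny."""
    policy = policies.get(req.app)
    if policy is None:                          # default deny: app is cloaked
        return "deny", "application not published"
    if req.user is None:                        # an internal address is not identity
        return "deny", "not authenticated"
    if not req.groups & policy.allowed_groups:  # per-app grant, no network-wide access
        return "deny", "not authorised for this application"
    if policy.require_device_cert and not req.device_cert_ok:
        return "deny", "untrusted device"
    if policy.require_mfa and not req.mfa_ok:
        return "step_up", "MFA required"
    return "allow", "all required layers satisfied"

def audit(requests, policies=POLICIES):
    """Decide each request on its own and return one log record per request."""
    return [{"app": r.app, "user": r.user, "src": r.source_ip,
             "decision": decide(r, policies)[0]} for r in requests]

STAFF, FIN = frozenset({"staff"}), frozenset({"finance"})
SAMPLE = [  # constructed requests
    Request("wiki", "10.0.0.5"),                                  # on LAN, anonymous
    Request("wiki", "203.0.113.7", "alice", STAFF),               # cafe, authenticated
    Request("payroll", "10.0.0.9", "alice", STAFF),               # lateral attempt
    Request("payroll", "203.0.113.7", "bob", FIN, True),          # cert, no MFA yet
    Request("payroll", "203.0.113.7", "bob", FIN, True, True),    # all layers
    Request("hr-db", "10.0.0.5", "bob", FIN, True, True),         # unpublished app
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

The anonymous request from a corporate address is denied while the authenticated one from a public address is allowed, and a user authorised for one application gets nothing on another.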
Simpler, Secure Access to Enterprise Apps
Access and security controls move from static on-premise to the cloud
[Diagram labels: User, Cloud Perimeter, Firewall, Enterprise Connector, App 1, App 2, Datacenter. Stack labels shown: Global LB, DDoS, FW/IPS, RAS/VPN, WAN Opt, Internal LB, MFA, DMZ]
• No hole in the firewall – outbound only
• No complex configuration – cloud managed
• No client software – browser based
• No lateral movement – app specific access
Build up Trust Layers and Secure individual assets
● Identified Individual - Username / Password
● Trusted Device (optional) - Client Certificates
● Verified Individual (optional) - MFA OTP
● Authorised Applications
Support for ALL application types
Data Center or Cloud
[Diagram: Enterprise App Access. Labels: Browser, EAA Client, Clientless, With Client, Cloud Zone, Enterprise Connector, DNS, Preview, IdP (Akamai, Okta, OneLogin...). Applications: Web App, Exchange, RDP Server, Jump SSH Server, Destination SSH Server, Citrix, SAP, TCP app, Tunnel app. Protocols: MAPI, RDP, SSH...]
● Apps resolve "internal hostname"
● EAA Client: encapsulates packets and sends to external hostname
● Decapsulate and send to the app server / internal hostname
What does this mean in reality? Try a network scan!
ZERO TRUST ARCHITECTURE
Integrated Cloud Perimeter
[Diagram labels: Any Device/Where, Internet, Edge Server, Cloud Perimeter, TLS, Enterprise Connector, Your Apps, SaaS, IaaS, Data Center, VPC, AD/LDAP, IDaaS, MFA, SAML 2.0, Auth & Data Path, Access, DPoP]
• Identity and app access (Auth-N,Z)
• MFA, SSO & Auth Bridging
• Secured data path
• Inline data inspection
• Application performance (content acceleration)
[Request timing figure for malware.com. Phases labelled: DNS lookup, Time to first byte, Initial connection, Content download. Values shown: 70 ms, 60 ms, 60 ms, 140 ms]
91.3% of known bad malware uses DNS
More Exposure: New Attack Vectors
● PHISHING
● DNS Exfiltration: DNS requests containing data, <obfuscated SSN><obfuscated PII>.com
● Blacklist Evasion, Domain Generation Algorithms (DGA): DNS requests to C&C/DGA domains
  10.01-10.09AM: sdg43ts.com
  10.09-10.18AM: sf903lc.com
● Blacklist Evasion, Fast Flux: DNS requests to multiple domains, IP addresses, NameServers
[Each diagram shows a Compromised System and Command & Control Infrastructure]
[Diagram: ETP. Labels: Device (x3), On-Net, Off-Net, ETP Client, Security Connector, ETP Recursive DNS, ETP Proxy, Akamai Cloud Security Intelligence, DNS Threat Intel, Threats, C&C, Internet, X Block]
Always On Client: Protects and IDs Devices
Steps shown:
1. Suspicious Domain
2. HTTP(s) Redirect
3. URL Threat Intel
4. Request Content
5. Inline File / Payload Inspection
Advanced DNS SECURITY
Cloud Based Security Intelligence
Akamai’s PLATFORM
● Up to 30% of daily web traffic
● 71+ Tbps
DNS DATA
● 2.2 Trillion daily DNS queries
● Global Surface Area
THIRD PARTY DATA
● Raw threat data
● Premium threat intelligence
PUBLIC DATA
● WHOIS data
● Registrar data
Akamai CLOUD SECURITY INTELLIGENCE (Akamai CSI)
- Big data analytics delivering cloud-based threat intelligence that is continuously updated
- Multi-layered approach of machines and people
- Fuelled by enterprise and consumer traffic that is augmented with third party sources
- Off-line behavioural analysis of customers’ DNS logs
Human Interaction: Akamai SWAT & Data Scientists fuse, clean, and scour data for actionable threat intelligence
Machine Learning: Automated statistical, trend, and pattern analysis of structured and unstructured data
DNS SECURITY: Effective across the Kill Chain
Stages shown: Recon & Creation, Delivery, Exploitation, Installation, Command & Control, Action on Objectives
● Block clicks on phishing, malware, and ransomware links in emails and embedded on web pages.
● Block access to domains that have been compromised to deliver malware and ransomware.
● Block CnC connections used to request further instructions, download updates, and transmit intel out of the enterprise. This is especially important for IoT devices making CnC callbacks.
● Detect DNS-based data exfiltration
Why Akamai Zero Trust?
Security
✓ Attack surface moved to cloud
✓ Application infrastructure "hidden" from bad guys
✓ Reduce risk by providing application-specific access vs. full network access with traditional solutions
✓ Lock down firewall or security group to inbound traffic
✓ Integrated MFA & full logging of all access activity, including SSH
Simplicity / Productivity / Performance
✓ Cloud-based access as a service can be deployed in minutes vs. days/months for traditional solutions (publishing applications within 15 mins or one time use)
✓ No appliances / no clients
✓ No complex whitelisting or network segmentation required
✓ Includes SSO & IDP support with single management portal
✓ No latency & improved UX by delivering faster enterprise applications globally
✓ Leverage resources with basic Enterprise IT skills vs. architects/engineers with advanced Enterprise IT skills for traditional solutions
✓ Streamline IT productivity with simple cloud-based service
1. No Inside
2. No VPN
3. No Passwords
4. Every app seems like SaaS
5. Every office is a hotspot
The New Akamai
Akamai has always believed that the Internet is THE NETWORK
340+ Applications
6500+ Users
Akamai Intelligent EDGE Security
The market leader in edge-based security
● PROTECT APPS & APIs
● MOVE TO ZERO TRUST
● STOP CREDENTIAL ABUSE
"Akamai has had the strongest and broadest edge security offering for quite some time" (IDC)
DDoS & WAF: LEADER
Bot Management: LEADER
Zero Trust eXtended Ecosystem: STRONG PERFORMER
Winner of the 15th Annual 2019 Info Security PG's Global Excellence Awards®
EDGE SECURITY: A NEW PARADIGM
The Edge should be your perimeter
Akamai Intelligent Edge Security: a platform of security services at the edge that can be used to move towards a Zero Trust security model
● Protect your infrastructure
● Protect your people anywhere, on any device
● Protect your corporate data assets