El enfoque holístico de la

Ciberseguridad

Carlos Villanueva Rustrián

AKAMAI ESG (Enterprise Security Group)

MEXICO

1 © 2023 Akamai | Confidential

 More than 25 years of digital innovation
WAF
DDoS
Unveils HD video at Announces
broadcast-level Launches blockchain-based
scale integrated WAF payment network
and DDoS
Shatters streaming Linode acquired,
Reaches $1B in creating world’s most
Delivers March records with Sochi annual revenue
Olympic Games and distributed compute
Madness for from security platform, cloud to edge
ESPN FIFA World Cup solutions
Introduces
Streams Site Shield Is recognized Akamai expands
Steve Jobs’ for sustainability serverless Sets new
Introduces
Founded Macworld initiative by functions at record for peak
first cloud
keynote Dow Jones the edge web traffic
WAF

1998 2002 2006 2010 2014 2018 2019 2020 2021 2022

Provides Is added to Reaches Reaches

$2B in revenue Guardicore
download S&P 500 $1B in revenue
acquired, adding
capability for Serves record microsegmentation to stop
iTunes Manages 2 trillion concurrent Mitigates largest
queries per day DDoS attack in ransomware
Distributes trailer streams
history
for “Episode I —
The Phantom Expands Opens centers of
Menace” operations in excellence in
EMEA and APJ Poland, Israel, and
Costa Rica

2 © 2023 Akamai | Confidential

 Akamai Connected Cloud
The world's most distributed platform for cloud computing, security, and content delivery

4,209 1,309 134 792 SSD

Locations ISP/MNO Networks Countries Cities Powered Hardware

Everywhere you do business, and anywhere customers come

online, Akamai is closer, with more capacity and integrated
security, acceleration, and computing capability than anyone.

‹#› 3 | ©©2023
2023Akamai
Akamai | Confidential
 Akamai today
We keep decisions, apps, and experiences closer to users than anyone —
and attacks and threats far away

Edge Compute Web & Mobile Media Delivery Cybersecurity Expertise

Create services Performance Deliver amazing Protect against Unmatched
and deploy code Deliver the best video experiences the largest and most global service and
serverless to digital experiences and download sophisticated support backed
focus on building automatically experiences attacks and by 1,900+ experts
and running great to meet rising with scale and evolve outdated and 24/7 proactive
applications. consumer agility at any approaches to monitoring and
expectations. level of demand. corporate access. response
troubleshooting.

4 © 2023
2021 Akamai
Akamai || Confidential
Confidential
TWO DECADES IN SECURITY
But security remains a persistent challenge

SOHA Systems
founded
ChameleonX
XEROCOLE founded founded
Akamai founded
Prolexic founded Akamai introduces Integrated WAF + Secure
first cloud WAF DDoS launched app access
introduced
Janrain founded Client Reputation
launched Managed bot
service introduced

1998 1999 2002 2003 2008 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021

Credential abuse Secure

Origin obfuscation mitigation introduced
launched Curated WAF web
Authoritative DNS ruleset developed gateway
launched Cloud Security introduce
NOMINUM founded
Intelligence built Bot management d
introduced
Malware
protection
Akamai creates Managed WAF introduce
Security BU service introduced d

5 © 2023 Akamai | Confidential

WHY IS SECURITY SO HARD?
Everything is changing faster than you can respond Shifting attack surface
More apps, changing faster
New technologies
3rd-party / open source code
Migration to APIs
Changing threat landscape
Cloud computing
DDoS attacks
Dissolving perimeter
Web attacks YOU Changing workforce
Bot attacks
Corporate M&A
Credential stuffing
In-browser threats
Web fraud
People Process Tools Industry mega-trends
Malware
Digital transformation
Network intrusion
Mobile adoption
Social / phishing
Cloud adoption
Internet of Things

✔ Regulatory compliance

6 © 2023 Akamai | Confidential

OUR SOLUTIONS
Protecting a shifting attack surface from the edge

APPS & APIS CREDENTIAL ABUSE ZERO TRUST

Protect Internet-facing apps and Protect customer accounts from Control corporate application
APIs deployed anywhere—in your bot attacks and reduce fraud- access and protect users from
data centers or in the public cloud related financial losses targeted threats

DDoS protection Bot management Enterprise Access

Web application firewall Credential stuffing MFA

API security Identity management Microsegmentation

Script protection

DNS

7 © 2023 Akamai | Confidential

APP & API PROTECTOR
WEB APPLICATION FIREWALL - API SECURITY - BOTS - DDOS

SINGLE SOLUTION WITH BROAD PROTECTIONS + PERFORMANCE

● API attack surface mapping and protection

● NEW adaptive threat detections and ML-powered self tuning

● Real-time visibility and mitigation of bot traffic

● Detailed attack telemetry and analysis of security incidents

● Automate Management and integrate into CI/CD using APIs, CLI & Terraform

● Image and video optimization, API-X, and edge computing (free tier)

8 © 2023 Akamai | Confidential

 HOW IT WORKS

On-premise
● GLOBAL SCALE &
RESILIENCY
Visitors / Users

Multi-Cloud ● PERFORMANCE +
SECURITY
APIs

● INDUSTRY LEADING
Bots
Hybrid Cloud
SOLUTIONS

● CLOUD-AGNOSTIC
Attackers

SaaS

9 © 2023 Akamai | Confidential

THREAT INTELLIGENCE
GLOBAL TRAFFIC AND ATTACK VISIBILITY
BUSINESS VALUE

Proactive Threat Research

Human analysis of attack
Incident Response
Insight from CSIRT monitoring ● Stays up-to-date so you
patterns and trends to create and response across verticals don’t have to
and/or update protections added to protections

● Prevents mega breaches

● Crowdsourced attack
immunity
WAAP Triggers CDN Logs
Analysis of every attack
trigger seen targeting Akamai
Analysis of offline event logs
from every Akamai customer
● Added protection from zero
security customers across the edge platform
day attacks

Threat intelligence is automatically enforced via

the Adaptive Security Engine

10 © 2023 Akamai | Confidential

ADAPTIVE SECURITY ENGINE
SIMPLE and POWERFUL

SIMPLE TO OPERATE MAXIMUM PROTECTION

ZERO-TOUCH AUTOMATIC UPDATES THREAT-BASED ADAPTIVE PROTECTIONS

CONTINUOUS SELF-TUNING ENHANCED ANOMALY SCORING

CONFIGURATION & AUTOMATION FLEXIBILITY AUTOMATIC API INSPECTIONS

APIS, CLI, OR AKAMAI TERRAFORM ACTIVE ATTACK SESSION PROTECTION

EMBEDDED THREAT INTELLIGENCE ATTACK PAYLOAD TOKENIZATION

EASY-TO-USE USER INTERFACE ENHANCED DECODING CAPABILITIES

More robust detection with a 2X increase* in median number

of attacks detected across SQLi, XSS, RFI, and CMDi

More precise detection with a 5X reduction* in false positive triggers

* Tested on live production traffic across the Akamai platform as compared to KRS without customizations
11 © 2023 Akamai | Confidential
 BOT VISIBILITY & MITIGATION
App & API Protector offers bot visibility and mitigation controls for bot traffic that may adversely impact the
performance and/or security of web properties. It provides early visibility to proactively monitor for bot-related
anomalies and threats that can develop over time.

App & API Protector VISIBILITY & BOT Bot Manager

MITIGATION MANAGEMENT
● Access over 1,500 defined bots ● Advanced detections for sophisticated
● Real-time bot traffic visibility adversarial bots
● Create bot definitions ● Respond with advanced actions
● Allow good and deny bad bots ● Use cases include inventory hoarding,
● Bot visibility and trend reporting credential abuse and others

CUSTOMER APPLICATIONS

12 © 2023 Akamai | Confidential

APP & API PROTECTOR
LAYERED SECURITY MECHANISMS & CONTROLS

Edge DNS* Prolexic*

Protection from DNS-based DDoS attacks with DDoS protection for web and IP-based apps in
traffic throttling, DNSSEC, and a trust-based DNS data centers, cloud service providers, and co-
model location facilities

Site Shield Network Lists

Prevent attackers from bypassing cloud-based
Block or allow traffic from specific IP, subnet,
protections and targeting origin infrastructure
or geographic areas

Application DDoS Adaptive Security

Layer 7 DDoS mitigation - including those Protect against web application attacks
launched via APIs - at the edge alongside web including malicious file execution, SQL injection,
caching protections CSS, LFI, and more

Page Integrity Manager*

Website protection from JavaScript threats by Bot Visibility & Mitigation
identifying vulnerable resources and suspicious Bot and human behavior telemetry that allow
activities good bots through while stopping malicious bots

API Discovery & Security Client Reputation**

Discover and protect APIs with both positive and Intelligence-based reputation scores based on
negative API security models Akamai’s visibility into prior behavior of individual
and shared IPs

* Akamai solutions sold separately

13 © 2023 Akamai | Confidential ** Included with the Advanced Security Management module
Zero Trust. Definition

National Institute of Standards and Technology The National Security

(NIST) Telecommunications Advisory
Committee (NSTAC) describes Zero
Zero trust provides a collection of concepts and Trust as
ideas designed to minimize uncertainty in enforcing
accurate, least privilege per-request access decisions
in information systems and services in the face of a “a cybersecurity strategy premised on
network viewed as compromised.
the idea that no user or asset is to be
implicitly trusted. It assumes that a breach
ZTA is an enterprise’s cybersecurity plan that uses has already occurred or will occur, and
zero trust concepts and encompasses component therefore, a user should not be granted
relationships, workflow planning, and access policies. access to sensitive information by a single
Therefore, a zero trust enterprise is the network verification done at the enterprise
infrastructure (physical and virtual) and operational perimeter. Instead, each user, device,
policies that are in place for an enterprise as a application, and transaction must be
product of a ZTA plan. continually verified”

14 © 2023 Akamai | Confidential

Zero Trust Maturity Model (ZTMM) - CISA

15 © 2023 Akamai | Confidential Source: Zero Trust Maturity Model. CISA. April 2023.
Zero Trust Journey

The path to zero trust is an incremental process that may take years to implement

16 © 2023 Akamai | Confidential Source: Zero Trust Maturity Model. CISA. April 2023.
Zero Trust Maturity Evolution

17 © 2023 Akamai | Confidential

Holistic Zero Trust

Secure the User Secure the Network Secure the Access

Identity East - West North - South

Cover every access ● Deploy and manage uniformly ● Share threat signals

18 © 2023 Akamai | Confidential

Enabling Zero Trust
Akamai Zero Trust Portfolio

1 Complete Coverage

2 Deep Visibility

3 Granular Control

19 © 2023 Akamai | Confidential

Segmentation is Not a New Concept
A Better Strategy:
Build Ships

20 © 2023 Akamai | Confidential

 Microsegmentation - Key Business Drivers

Reduce Cost of
Reduce Attack Surface Simplify M&A Activity
Compliance

Ensure Business Improve Operational Securely Embrace

Continuity Efficiency Digital Transformation

© 2022
21 Akamai
© 2023 Akamai | Confidential
 Zero Trust Segmentation
Visualize

The microsegmentation process

begins with visibility.
With Akamai that means:
● Single pane of glass
● Real-time and historical
● Complete view of the environment
● All assets, any infrastructure
● Legacy and Modern OS coverage
● No changes in network required
● Infrastructure agnostic

22 © 2023 Akamai | Confidential

 Zero Trust Segmentation
Understand

Before we can enforce policy, we

must understand what is happening.
With Akamai that means:
● Visualize flows
● Map dependencies
● Flexible labeling (automated or custom)

23 © 2023 Akamai | Confidential

 Zero Trust Segmentation
Control

With a complete view and deep

understanding of our environment.
We can enforce policy.
● Fast and easy policy creation
● Intuitive templates and workflows
● Guidance based on machine learning
● Granular control (down to service level)

24 © 2023 Akamai | Confidential

Microsegmentation Use Cases

East-West Separation of Sensitive

Traffic Control Workloads from Users

Application Device Isolation for

Ringfencing Ransomware Protection

Segmentation Compliance Visibility,

Application
Microsegmentation Segmenting, Reporting

Environment Container Visibility

Microsegmentation and Segmentation

25 © 2023 Akamai | Confidential

Zero Trust Use Cases
Real World Problems Solved

Ransomware

Cloud Migration

Distributed Workforce

Compliance

26 © 2023 Akamai | Confidential

 “An ever evolving form of Malware, designed
to ecnrypt files on a device rendering any
files and the systems that rely on them
unusable.

Malicious actors then demand Ransom in

exchange for decryption.

Ransomware actors often target and

threaten to sell or leak exfiltrated data or
authentication information if the ransom is
not paid”

WHAT IS RANSOMWARE?

27 © 2023 Akamai | Confidential

 The Security Threat landscape is evolving...

Businesses suffer a ransomware attack every 11 seconds

Ransomware costs are expected to reach

$20 Billion in 2021

28 © 2023 Akamai | Confidential

 Winning Against
Simplify And Secure With Akamai Zero Trust

Ransomware
Akamai products will help with the key elements
required to win against ransomware attacks:

1 Strong Application Access Control with EAA

2 Lateral Movement Prevention & Ransomware

Response and Recovery with Akamai Segmentation

3 Employee Credential Theft Protection with MFA

4 Endpoint Protection against Malicious content

and Phishing Sites with SIA

5 Threat Detection with Hunt

29 © 2023 Akamai | Confidential

Zero Trust Use Cases
Real World Problems Solved

Ransomware

Cloud Migration

Distributed Workforce

Compliance

30 © 2023 Akamai | Confidential

 - EXAMPLES -
Meeting Compliance standards

Block or monitor content uploads that

SIA contain PII, PCI DSS, or HIPAA data. Akamai Segmentation
Implement controls to reduce the risk of
ransomware infections - Prevent access to
malicious websites HIPAA
PCI DSS - Use segmentation to scope regulated assets.

EAA GDPR: Control access of 3rd parties

to sensitive personal information
HIPAA - Isolate Clearinghouse Functions.
SWIFT - Restrict Internet Access and isolate Critical
Systems.

HIPAA - Protect patient information from

MFA attackers who might have obtained
passwords to healthcare systems.
SWIFT - Prevent Compromise of
Credentials.

31 © 2023 Akamai | Confidential

Cumplimiento, PCI, HIPAA, otros.

32 © 2023 Akamai | Confidential

33 © 2023 Akamai | Confidential