Breaking Down The Cloud Firewall Presentation

The document provides an overview of a live tech workshop on breaking down the cloud firewall. The workshop agenda includes discussing the evolution of web application firewalls, comparing traditional and automated approaches, understanding Akamai's web application firewall, and a live Q&A. The document also covers changing business and threat landscapes shaping technical evolution, characteristics of traditional and next generation web application firewalls, and aspects to consider when evaluating a web application firewall.

LIVE TECH WORKSHOP

Breaking Down
the Cloud Firewall
Deep dive into the modern-day web application firewall (WAF)

Sarah Lim, Senior Solutions Engineer, Akamai Technologies
Boon Wah Tay, Senior Solutions Engineer, Akamai Technologies


How would you best describe your role?

2 © 2021 Akamai
AGENDA
WHAT TO EXPECT TODAY?

❏ Evolution of WAF
❏ Traditional vs Automated Approaches
❏ Understanding Akamai WAF
❏ What does it look like
❏ Live Q&A

3 © 2021 Akamai
CHANGING BUSINESS DRIVERS
SHAPING TECHNICAL EVOLUTION

• More applications and logic are moving to the cloud
• Market dynamics are accelerating digital transformation journeys
• Customer expectations for privacy and security continue to rise
• Massive increase in the use of APIs and microservices
• Competition continues to impact business strategies
4 © 2021 Akamai
CHANGING THREAT LANDSCAPE
WEB ATTACKS CONTINUE TO EVOLVE

[Chart: attack complexity plotted against time, ending at TODAY]

Attack evolution, from least to most complex:
• Web application attacks
• Attacks on web applications and infrastructure
• Multi-vector attacks on web apps, infrastructure, APIs, and browsers
• Multi-vector attacks using intelligent and automated orchestration tools via weaponized machine learning and AI

Protections posture over the same period:
• Firewall rules
• Reputation analysis
• Allow lists & blocklists
• Traffic optimization
• Bypass prevention
• DoS/DDoS mitigation
• DNS protection
• Bot management & mitigation
• API security
• Client-side protections
• Session monitoring
• Human + Device Signals
• Deep learning and AI
• Offensive + Defensive security
5 © 2021 Akamai
TRADITIONAL WAF
WHAT WE ARE FAMILIAR WITH

Traditional WAF technologies (X Cloud WAF, Y Cloud WAF, Z Cloud WAF) follow the same four-step cycle:

• Create a policy: build your own rules or deploy managed rules maintained by security vendors and/or cloud providers.
• Monitor: monitor incoming traffic and attack metrics for request details.
• Tune: optimize and tune rules based on metrics and log data.
• Block & Filter: protect against exploits and vulnerabilities such as SQLi and XSS attacks, and filter out unwanted traffic.

6 © 2021 Akamai
NEXT GEN AKAMAI WAF
AUTOMATED & FRICTIONLESS OPERATIONS

• Choose mode: protect your web applications and APIs from web exploits. Choose to manage predefined protections or fully-managed protections maintained by Akamai.
• Discover & Monitor: automatically identify unknown, changing, or deprecated APIs; and monitor detailed attack telemetry and traffic.
• Self-Tune: proactive self-tuning* with 1-click update, or tools to evaluate new or updated protections before activation.
• Adaptive Security: filter and block unwanted traffic; and dynamically modify protections based on each customer's threat landscape.

* Q1/Q2 2021

7 © 2021 Akamai
WAF CHECKLIST
WHAT TO LOOK FOR IN A WAF

❏ Visibility
❏ Accuracy
❏ Adaptability
❏ Performance/Scale
❏ Operational Simplicity
❏ Service and Support

8 © 2021 Akamai
WAF Deep Dive
Sarah Lim, Senior Solutions Engineer

9 © 2021 Akamai | Confidential


Security at the Edge
AKAMAI'S INTELLIGENT EDGE PLATFORM

Akamai Intelligent Edge Platform: over 4,100 PoPs connecting the Internet

• Web & API Clients: users connect to your applications and APIs through the closest Akamai edge server.
• Application Origin: on premise, edge, multi-, and/or hybrid-cloud application origins and API endpoints.
• Reverse HTTP/S Proxy: the globally distributed edge platform is architected as a reverse proxy that only accepts traffic via ports 80 and 443.
• Cloud Security Intelligence: crowd-sourced attack intelligence, machine learning, and threat research provide the latest protections based on evolving attacks.
• Integrated Performance: seamlessly scale to match traffic demands as they vary over time, distribute CPU and memory, deliver cached content, and offload from origin servers.

10 © 2021 Akamai | Confidential


DEFENSE-IN-DEPTH
AKAMAI'S LAYERED SECURITY MECHANISMS AND CONTROLS

[Figure: concentric layers labelled DNS DDoS, Infrastructure DDoS, Direct-to-Origin Traffic Filtering, Application DDoS, HTTP Inspection, Client-side Protection, Bot Management, API Security, and Attack History]

• Edge DNS: protection from DNS-based DDoS attacks with traffic throttling, DNSSEC, and a trust-based DNS model.
• Prolexic: DDoS protection for web and IP-based apps in data centers, cloud service providers, and co-location facilities.
• WAF - Site Shield: prevent attackers from bypassing cloud-based protections and targeting origin infrastructure.
• WAF - Network Lists: block or allow traffic from specific IP, subnet, or geographic areas.
• WAF - Application DDoS: Layer 7 DDoS mitigation, including attacks launched via APIs, at the edge alongside web caching protections.
• WAF - Adaptive Security: protect against web application attacks including malicious file execution, SQL injection, XSS, LFI, and more.
• Page Integrity Manager: website protection from JavaScript threats by identifying vulnerable resources and suspicious activities.
• Bot Manager: bot and human behavior telemetry that allows good bots through while stopping malicious bots.
• WAF - API Discovery & Security: discover and protect APIs with both positive and negative API security models.
• Client Reputation: intelligence-based reputation scores based on Akamai's visibility into prior behavior of individual and shared IPs.

11 © 2021 Akamai | Confidential


When was the last time your WAF rules were updated?

12 © 2021 Akamai
NEXT GEN AKAMAI WAF
AUTOMATED & FRICTIONLESS OPERATIONS

• Choose mode: protect your web applications and APIs from web exploits. Choose to manage predefined protections or fully-managed protections maintained by Akamai.
• Discover & Monitor: automatically identify unknown, changing, or deprecated APIs; and monitor detailed attack telemetry and traffic.
• Self-Tune: proactive self-tuning* with 1-click update, or tools to evaluate new or updated protections before activation.
• Adaptive Security: filter and block unwanted traffic; and dynamically modify protections based on each customer's threat landscape.

* Q1/Q2 2021

13 © 2021 Akamai
INTELLIGENT WAF
AUTOMATING BOTH MAINTENANCE AND SECURITY

SECURITY
• Adaptive security that automatically modifies protection profiles
• Advanced anomaly detection algorithms and scoring model
• Automatic API discovery and inspection of JSON/XML

THREAT INTELLIGENCE
• Advanced machine learning & data mining
• 130TB of daily attack data processed
• 15% - 30% of global internet traffic data
• Automatic reputation analysis
• Historical attacks, severity, frequency, business verticals, etc.
• Intelligence augmentation by Akamai Threat Research

MAINTENANCE
Automatic Update
• Automatic updates for the latest protections
• Automatic self-tuning to further reduce false positives and false negatives
Evaluation Mode
• Automatic updates (activated by the customer)
• Evaluation Mode to test new or updated rules
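The evaluation-mode idea above (run a new or updated rule against live traffic, record what it would have blocked, and only then activate it, with exceptions for the false positives it surfaced) is easy to model. The following is an added illustration, not Akamai's engine or Kona Rule Set; the rule IDs, patterns, request samples and the `exclude_paths` mechanism are all constructed for this example.

```python
import re
from collections import Counter

# Constructed rule set (not Akamai's). "active" rules deny on match;
# "eval" rules only record what they would have blocked.
RULES = [
    {"id": "R-1001", "mode": "active", "where": "query",
     "pattern": re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
     "note": "tautology in query string"},
    {"id": "R-2001", "mode": "eval", "where": "query",
     "pattern": re.compile(r"(?i)select"),
     "note": "candidate rule under evaluation: over-broad SQL keyword match"},
]

# Constructed sample traffic: one tautology probe, one benign request that the
# candidate rule would wrongly flag, and one hit on a different path.
REQUESTS = [
    {"path": "/products", "query": "id=42"},
    {"path": "/products", "query": "id=42 OR 1=1"},
    {"path": "/products", "query": "q=selection"},
    {"path": "/search", "query": "q=select+a+size"},
]


def inspect(request, rules):
    """Return (action, events). Active matches deny; eval matches are logged only."""
    events = []
    action = "allow"
    for rule in rules:
        # Path exceptions attached when a rule is promoted (see promote()).
        if request["path"] in rule.get("exclude_paths", ()):
            continue
        if rule["pattern"].search(request.get(rule["where"], "")):
            if rule["mode"] == "active":
                action = "deny"
                events.append({"rule": rule["id"], "outcome": "blocked",
                               "path": request["path"]})
            else:
                events.append({"rule": rule["id"], "outcome": "would_block",
                               "path": request["path"]})
    return action, events


def run(requests, rules):
    """Inspect every request; return the list of decisions and the event log."""
    decisions, log = [], []
    for request in requests:
        action, events = inspect(request, rules)
        decisions.append(action)
        log.extend(events)
    return decisions, log


def evaluation_report(log):
    """Count would_block events per (eval rule, path): the evidence used to
    decide whether to activate a rule as-is or with exceptions."""
    return Counter((e["rule"], e["path"]) for e in log
                   if e["outcome"] == "would_block")


def promote(rules, rule_id, exceptions=()):
    """Return a new rule list with rule_id switched to active, carrying the
    path exceptions learned from the evaluation report."""
    out = []
    for rule in rules:
        if rule["id"] == rule_id:
            rule = {**rule, "mode": "active", "exclude_paths": set(exceptions)}
        out.append(rule)
    return out


if __name__ == "__main__":
    decisions, log = run(REQUESTS, RULES)
    print("decisions before activation:", decisions)
    print("would-block report:", dict(evaluation_report(log)))
    promoted = promote(RULES, "R-2001", exceptions={"/products"})
    print("decisions after activation:", run(REQUESTS, promoted)[0])
```

The report shows the candidate rule firing on a benign `/products` query before it ever blocks anything; the operator then activates it with that path excluded rather than discovering the false positive in production.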

14 © 2021 Akamai
ADAPTIVE SECURITY ENGINE
AUTOMATED AND DYNAMIC THREAT PROTECTION

[Figure: threat inputs (Attack History; Protocol Anomaly & Reputation; Malicious Source ID) feed a threat-based profile per customer, each profile built from Rules, Heuristics, SmartDetect and Thresholds]

• Adaptive protections get stronger over time
• Security is tailored to your unique traffic
• Detect zero-day and sophisticated attacks
• Highly accurate with ultra-low false positives and false negatives

15 © 2021 Akamai
Do you have visibility into your web facing APIs, and is securing APIs a priority?

16 © 2021 Akamai
API SECURITY
FROM VISIBILITY TO PROTECTION

VISIBILITY
• API Discovery & Profiling: automatically discover and profile unknown and/or changing APIs.

DDOS PROTECTION
• Rate Limiting: rate controls for API endpoints based on API key. Protection from low and slow attacks (slow POST).

+/-
• Network Lists: set API network lists (allowlists and/or blocklists) based on IP/Geography.

API SECURITY & GOVERNANCE
• Request Constraints: predefined API specifications to block abnormal requests.
• Rule Inspection: automatic inspection of JSON and XML requests to detect attacks.
• Authentication & Authorization: secure authentication and authorization via JSON Web Token (JWT) validation.

SECURITY CONFIGURATION APIs & AUTOMATION TOOLS
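The two edge-side controls that need the least context to reason about are the network lists (allow or block by IP, subnet or geography, as on the defense-in-depth slide and here) and per-API-key rate controls. The following is an added example, not Akamai's implementation: the CIDR lists, the prefix-based geolocation table, the placeholder country code `ZZ`, and the precedence allowlist > blocklist > geo are all assumptions made for this illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed network lists (not Akamai data); RFC 5737 / RFC 3849
# documentation ranges are used as sample addresses.
BLOCKLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.7/32")]
ALLOWLIST = [ipaddress.ip_network(c) for c in ("192.0.2.0/24",)]
BLOCKED_COUNTRIES = {"ZZ"}  # placeholder code, not a real country

# Toy geolocation keyed by address prefix; a real deployment uses a geo
# database. Constructed for this example.
GEO_BY_PREFIX = {
    "192.0.2.": "US",
    "203.0.113.": "ZZ",
    "198.51.100.": "DE",
    "2001:db8:": "ZZ",
}


def lookup_country(ip):
    """Return the constructed country code for an address, or None."""
    text = str(ip)
    for prefix, country in GEO_BY_PREFIX.items():
        if text.startswith(prefix):
            return country
    return None


def network_list_decision(client_ip):
    """Evaluate IP, subnet and geography lists.

    Precedence used here (an assumption of this example, not a product
    rule): explicit allowlist wins, then blocklist, then geo block.
    Returns (action, reason)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ALLOWLIST):
        return "allow", "allowlist"
    if any(ip in net for net in BLOCKLIST):
        return "deny", "blocklist"
    country = lookup_country(ip)
    if country in BLOCKED_COUNTRIES:
        return "deny", f"geo:{country}"
    return "allow", "default"


class ApiRateControl:
    """Sliding-window rate control keyed by API key."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # api_key -> timestamps in window

    def check(self, api_key, now=None):
        """Record the request and return True if it is within the limit."""
        now = time.monotonic() if now is None else now
        hits = self._hits[api_key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def edge_decision(client_ip, api_key, rate_control, now=None):
    """Network lists first (cheapest check), then the per-key rate control."""
    action, reason = network_list_decision(client_ip)
    if action == "deny":
        return action, reason
    if not rate_control.check(api_key, now):
        return "deny", "rate-limit"
    return "allow", reason


if __name__ == "__main__":
    rc = ApiRateControl(limit=3, window_seconds=10)
    for t in range(5):
        print(t, edge_decision("198.51.100.8", "key-demo", rc, now=t))
    print(edge_decision("2001:db8::1", "key-demo", rc, now=6))
```

Rate decisions are keyed on the API key rather than the client IP so that shared egress addresses (NAT, corporate proxies) are not penalised for one tenant's traffic; the deque keeps only the timestamps inside the window, so memory per key is bounded by the limit.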

17 © 2021 Akamai | Confidential


API Discovery and Profiling
Problem Statement - Lack of visibility into API Attack Surface exposed to the web

[Figure: cycle of Discover, Analyze, Deliver & Protect]

Discover APIs automatically. API data includes details like:

● Hostname
● Basepath
● Resource path
● Parameters and their data type
● Methods
● Response type
● Format of the API

Each discovered API shows its current threat level, with one click to the registration workflow.

18 © 2021 Akamai | Confidential


Highlights from Visibility - 750 top enterprises

● 996,000 unique resources discovered
● 5 trillion calls observed in a 30-day period across those resources
● 101 average number of resources per customer related to login, account and registration functionality
● 68 average number of resources per customer belonging to lower environments like Dev, QA, and UAT
● 14% average number of API calls from known bad actors for web attacks, scraping, scanning, and DoS
● 2.3% of 5T API calls resulted in either client- or server-side error responses
● 32% of API calls came from end clients that were not identified as a browser or mobile device/application
● JSON was by far the most dominant API format observed

* Beta - Q1 2021

19 © 2020 Akamai | Confidential


API REQUEST CONSTRAINTS

Enforce Positive Security Model

Validate API requests at the Edge by inspecting JSON & XML bodies, and filtering improperly formatted API requests.
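A positive security model means the edge accepts only what the API specification says is valid and rejects everything else, which is the opposite of signature matching. The validator below is an added example of that idea for JSON bodies; it is not Akamai's request-constraint engine, and the `API_SPEC` structure, the endpoint `/api/v1/orders`, its fields and the size/depth limits are constructed for this illustration. The same shape (known endpoint, bounded size, well-formed body, declared fields and types only, bounded nesting) is what the slide's "request constraints" and "rule inspection" columns describe for JSON and XML.

```python
import json

# Constructed positive-model API specification (an assumption of this example,
# not Akamai's schema format): each (method, path) lists the fields it accepts,
# their JSON types, and size/depth limits.
API_SPEC = {
    ("POST", "/api/v1/orders"): {
        "required": {"sku": str, "quantity": int},
        "optional": {"note": str},
        "max_bytes": 2048,
        "max_depth": 2,
    },
    ("GET", "/api/v1/orders"): {
        "required": {},
        "optional": {},
        "max_bytes": 0,   # a GET to this endpoint carries no body
        "max_depth": 0,
    },
}


def json_depth(value):
    """Nesting depth of a parsed JSON value; scalars have depth 0."""
    if isinstance(value, dict):
        return 1 + max((json_depth(v) for v in value.values()), default=0)
    if isinstance(value, list):
        return 1 + max((json_depth(v) for v in value), default=0)
    return 0


def type_matches(value, expected):
    """Strict JSON type check: booleans must not pass as integers."""
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def validate_request(method, path, headers, body):
    """Return (True, "ok") if the request conforms to API_SPEC, else (False, reason).

    Checks run cheapest-first so malformed or oversized input is rejected
    before any parsing happens."""
    spec = API_SPEC.get((method.upper(), path))
    if spec is None:
        return False, "unknown endpoint"
    if len(body) > spec["max_bytes"]:
        return False, "body too large"
    if not body:
        return (False, "missing body") if spec["required"] else (True, "ok")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed JSON"
    if not isinstance(doc, dict):
        return False, "top-level value must be an object"
    if json_depth(doc) > spec["max_depth"]:
        return False, "nesting too deep"
    allowed = {**spec["required"], **spec["optional"]}
    unknown = set(doc) - set(allowed)
    if unknown:
        return False, f"unexpected field(s): {', '.join(sorted(unknown))}"
    for name in spec["required"]:
        if name not in doc:
            return False, f"missing required field: {name}"
    for name, value in doc.items():
        if not type_matches(value, allowed[name]):
            return False, f"wrong type for field: {name}"
    return True, "ok"


if __name__ == "__main__":
    hdrs = {"content-type": "application/json"}
    samples = [  # constructed requests: one valid, three malformed or abnormal
        b'{"sku": "A-1", "quantity": 2}',
        b'{"sku": "A-1", "quantity": "2"}',
        b'{"sku": "A-1", "quantity": 1, "admin": true}',
        b'{"sku": "A-1"',
    ]
    for body in samples:
        print(body, "->", validate_request("POST", "/api/v1/orders", hdrs, body))
```

Rejecting unknown fields is what makes the model positive: a field the specification never mentions is dropped at the edge rather than reaching application code that might bind it (the `admin` sample), and the depth bound protects the parser at the origin from deeply nested payloads.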

20 © 2020 Akamai | Confidential


AUTOMATE YOUR APPSEC WORKFLOW
Integrating Security for DevSecOps

Workflow stages:
• Delivery & Security Settings
• Release Automation and Change Management
• Infrastructure Configuration & Management
• Monitoring and Reporting

What automation provides:
• Continuous integration and automated protection of new application versions
• Package all Akamai changes for single roll-out to staging
• Continuous and automated testing of Akamai configurations

21 © 2021 Akamai | Confidential


AKAMAI-AS-CODE
CONFIGURATION APIs & THE CLI

APPLICATION SECURITY APIs
• Application Security API
• Network List API
• Site Shield API
• SIEM API & Connectors

Example functions:
• Rate controls
• Slow POST
• Kona Rule Set (KRS) conditions and exceptions
• AAG actions and exceptions
• Evaluation mode
• Client Reputation
• IP/Geo Firewall
• Custom deny
• SIEM integration
• Create security configurations
• Create security policies
• Configure WAP settings
• Request constraints
• API match targets
• And more..

Tooling:
• CI/CD pipeline integration
• Terraform WAF module*
• Akamai AppSec API Postman files

BENEFITS
• Secure-by-design best practices
• Reduce risk of human error
• Operationalize Web Application Security
• Faster time-to-market
• Faster onboarding

* Beta - Q1 2021

22 © 2020 Akamai | Confidential


Demo
Sarah Lim, Senior Solutions Engineer

23 © 2021 Akamai | Confidential


EXPERTISE
OUR CORE CAPABILITIES

• Technical Advisory: deliver on business outcomes and maximize efficiency to adopt and innovate with Akamai.
• Professional Services: execute your day-to-day with ease; create, test and deploy with experts by your side.
• Problem Prevention: create more confidence in your operations, prevent issue recurrence, and protect from sophisticated threats.
• Technical Support: 24/7 global support to troubleshoot issues and maintain availability and performance.
• Training & Education: courses and training programs to help users and admins learn all things Akamai.

42 © 2021 Akamai
WAF CHECKLIST
AKAMAI WAF

✓ Visibility
- Web Security Analytics

✓ Accuracy
- Lowest FP & FN

✓ Adaptability
- Adaptive Security Engine

✓ Performance / scale
- Globally distributed platform in 4100+ locations & 136 countries

✓ Operational simplicity
- Self-Tuning & DevSecOps

✓ Service and support
- 1900+ engineers, 24x7 expertise

43 © 2021 Akamai
LEARN MORE

Visit our solutions page:
- Cloud Security
- Web Application Protector

Read Gartner's latest Magic Quadrant Report:
For a fourth year in a row, Gartner named Akamai a Magic Quadrant Leader for WAFs.

Request a personalized demo of our Web Application Firewall:
Get a live product demo with a security expert and access to the demo environment to understand how Akamai identifies threats and protects your growing attack surface.

44 © 2021 Akamai