What's New in Web Security
With Akamai's web security portfolio, the top focus this October is on the web application firewall (WAF), with exciting new capabilities: API Discovery and Adaptive Security Profiles.
Along with the rest of the industry, Akamai has observed a long-term shift in the applications that we're delivering, from traditional websites to API-based microservices architectures. Akamai reported that API traffic composed 83% of all hits on our platform in 2019 and we've seen that level continue to grow 30% year over year. As the attack surface shifts to APIs, lack of visibility of API resources and their traffic profile remains a challenge for both security and development teams.
Akamai has introduced a number of API security capabilities over the years. In 2017, Kona Site Defender introduced new positive and negative security models for protecting APIs from volumetric and vulnerability exploit attacks. In 2018, Akamai launched an API Gateway to provide authentication and authorization for API traffic at the edge. And in 2019, we added automated API inspection for web application attacks to Kona Site Defender and Web Application Protector. These capabilities help security teams address many of the OWASP API Security Top 10 vulnerabilities today.
With this October's Akamai Platform Update, Akamai is providing continuous automatic discovery and visibility into API endpoints and their traffic profiles. This will empower development, security, and operations teams with new insight and provide a streamlined mechanism to register and protect APIs against distributed denial of service (DDoS), injection, credential stuffing, and other attack types -- all with a single click.
As the second marquee feature of this release, Adaptive Security Profiles builds on Automated Attack Groups to change the game for Akamai's WAF engine. Introduced in 2017, Automated Attack Groups provides a security profile maintained and automatically updated by Akamai. This dramatically simplifies the task of configuring and managing a WAF for customers that prefer the hands-off approach.
Adaptive Security Profiles now further increases the power and accuracy of WAF protections, by adapting protections based on the risk of each incoming request. The risk profile of the request is computed based on more than 10 different factors, including reputation of the threat actor on the Akamai platform, markers of malicious automation, a history of attacking the specific customer, origination from suspicious sources on the internet, and others. This added context allows us to further decrease false negatives without increasing false positives, continuing Akamai's innovation in driving the highest possible WAF accuracy for our customers. Adaptive Security Profiles is available for Kona Site Defender and Web Application Protector customers today.
Beyond the WAF, Akamai has introduced a number of other updates across our portfolio of web security products, including Bot Manager, Client Reputation, Page Integrity Manager, and Prolexic. To learn more about the updates for your products, continue reading below and on the Akamai blog.
Bot Manager helps organizations better manage the business and IT impact of good and bad bots, including the most sophisticated bots engaging in credential stuffing and web fraud.
Crypto challenge action (mobile): Adds support for applying the crypto challenge action to mobile clients.
Bot Endpoint Protection report -- challenge actions: The Bot Endpoint Protection report adds a new section on challenge actions to understand the number of challenges that were served or unsolved and better identify false positives
Akamai-categorized bots: Adds additional bot signatures to the following categories: Academic/Research, Business Intelligence, E-Commerce Search Engine, Enterprise Data Aggregator, Financial Account Aggregator, Job Search Engine, Media/Entertainment Search, Online Advertising, SEO/Analytics/Marketing, Social Media or Blog, Site Monitoring/Web Development, and Web Search Engine
Web Security Analytics -- additional dimensions: Web Security Analytics adds dimensions for Bot Manager, including API resource purpose name, bot type, referrer and/or referrer domain, rule, rule combination, and client type
Mobile SDK v3.0.0: Bot Manager Premier software development kit (SDK) plugin for iOS adds support for manual initialization and removes support for automatic initialization
Ion integration: Filter bot beacons from the mPulse dataset when creating Adaptive Acceleration policies; excluding bot data can improve the dataset used for performance optimization
Client Reputation provides an additional layer of protection based on Akamai's visibility into prior malicious activity from individual clients against all Akamai customers.
Shared IP intelligence: Provides visibility into shared IP addresses in order to investigate, establish reputation profiles, and inject reputation details into request headers forwarded to origin
Configuration APIs: New APIs to programmatically create and edit Client Reputation profiles or add reputation information to a request header
Kona Site Defender
Kona Site Defender provides comprehensive and customizable protection against DDoS and web app attacks for organizations with stringent requirements and complex application environments.
API discovery: Analyzes traffic on the Akamai platform to discover both protected and unprotected APIs -- including their endpoints, definitions, and characteristics -- and then provides a simple workflow to register and protect APIs from DDoS, injection, and credential stuffing attacks
Adaptive security profiles: Automated Attack Groups now has tailored security profiles for each customer's individual threat landscape; the characteristics of every request contribute to a threat score that dynamically modifies protections to detect the most-sophisticated attacks
Configuration APIs: New APIs to programmatically manage your WAF configuration, including changing rate control settings, updating WAF rules, configuring evaluation mode, configuring custom deny, and more
Page Integrity Manager
Page Integrity Manager provides a behavioral approach to script protection designed to detect malicious script activity, protect the integrity of your web pages, and safeguard your business.
Domain reputation: Improves vulnerability identification and remediation by providing additional details on how the risk score displayed in incidents and dashboards was derived
Script intelligence console filters: Through an expanded user interface, added abilities to filter on domain reputation, Common Vulnerability and Exposure (CVE), and other script intelligence variables to analyze scripts flagged by Page Integrity Manager
Payment card industry (PCI) compliance: To protect personally identifiable information (PII), Page Integrity Manager now proves integrity with a full-scope PCI-DSS certification
Single-page application support: Page Integrity Manager now provides in-browser threat protection for websites designed with a single-page application architecture
Managed Security Service: Optional service that provides event monitoring and alerting, attack support through the Security Operations Command Center (SOCC), configuration assistance, security posture validation, and enhanced advisory reporting through an aligned security expert
Prolexic helps organizations protect their entire infrastructure from DDoS attacks, including web and IP-based applications in data centers, cloud service providers, and co-location facilities.
IP Protect: New DDoS scrubbing solution onboards customer traffic for individual web- and IP-based applications using Domain Name System (DNS) redirection, allowing customers to protect IP address ranges smaller than /24.
Brazil scrubbing center: New Prolexic scrubbing center in São Paulo, Brazil, provides local mitigation and improved performance for Latin American customers
Flow anomaly detection: New detection technology identifies potential DDoS attacks based on flow anomalies and provides analysis data to SOCC staff to expedite mitigation and alerting in Security Center
Improved telemetry API: Updated API allows customers to retrieve telemetry and historical data for individual IP addresses
Web Application Protector
Web Application Protector simplifies application security with automated and continuously updated protections against DDoS and web application attacks.
Adaptive security profiles: Automated Attack Groups now has tailored security profiles for each customer's individual threat landscape; the characteristics of every request contribute to a threat score that dynamically modifies protections to detect the most evasive attacks
Hostname evaluation: Allows you to safely add new hostnames to an existing Web Application Protector configuration by evaluating the potential impact of WAF protections on that application
Seamless onboarding: New wizard allows you to easily onboard WAP with integration and configuration workflows designed to streamline and simplify the onboarding process
Configuration APIs: New APIs to programmatically manage your WAF configuration, including changing rate control settings, updating automated attack group actions, enabling and editing security information and event management (SIEM), and more
There will be more opportunities to engage with us on this and more at Edge Live | Adapt. Sign up to see how customers are leveraging these improvements, engage in technical deep dives, and hear from our executives how Akamai is evolving for the future.