Recently by Akamai

The Akamai WAF - Now Protecting APIs

Kona Site Defender is our flagship Web Application Firewall and DDoS Mitigation solution at Akamai.  Back in the days of the Al-Qassam Cyber Fighters, Brobot ("It's not OK, bro"), and the "holy 100 Gbps attack!", we had a saying around Akamai:  "Kona Site Defender customers come for the DDoS, but they stay for the WAF".  The general idea was that it took a headline-grabbing DDoS attack to make customers and prospects aware that Akamai had a security offering. That was the end of 2012 and the beginning of 2013. In those days, analysts told us and our prospects that we had WAF customers *only* because we were good at mitigating DDoS attacks. We were only mildly offended, and we toiled on.  Our work seems to have paid off:  In 2017, cloud-based WAFs are more or less an industry standard, Kona is a perennial fixture in the Gartner WAF Magic Quadrant and analysts tell us that "Kona is on the short list of all Security buyers".

When Matt Soares was offered a role at Akamai, it was the flexibility that sold him. "It allowed me to make it my own and I thought that was pretty cool!" he said. Today, Matt is the lifeline of the Akamai Americas campuses as the manager of facilities operations. If an employee's office isn't below freezing, they can probably thank him. During his days at Akamai, he's involved in office functionality and in the planning of the new Cambridge headquarters building. He's also a chronic cereal wolfer and a big fan of his newest cooking accessory. Matt recently shared a little about his professional and personal experiences, his biggest challenge, favorite mistake and go-to winter pastime.

With the acquisition of Soha Systems, Akamai's vision of bringing a simpler, more secure access approach to the enterprise is now available. We have blogged about this, most notably an excellent piece penned by Lorenz Jakober titled "Secure Enterprise Access Needs to Evolve".

If this is a new topic for you, the case for enterprises needing a new access model is:

  • VPNs, a staple of IT Networking for more than twenty years, have failed to evolve to meet today's remote access requirements.
  • Today, employees are mobile, and need to access applications hosted in different clouds and physical datacenters.
  • In increasing numbers, enterprise contractors, partners and customers - the global partner ecosystem - are also accessing "behind-the-firewall" applications. 
  • Using traditional VPNs to support these requirements brings increased complexity and support overhead to both IT and InfoSec teams. 

Today, we published the Fourth Quarter, 2016 State of the Internet / Connectivity Report.  This issue of the report concludes its ninth year of publication.  Over that time, everyone involved with the report at Akamai has worked hard to make it one of Akamai's most successful thought leadership programs.  And of course, our readers have made the report a success through their ongoing interest in, and use of, its data, effectively making it a de-facto reference within the broadband industry.

State of the Internet / Security Q4 2016

The fourth quarter of 2016 was relatively quiet for web application attacks. The biggest sales season of the year usually signals a marked increase in the number of attacks for all customers - especially retailers. Many merchants breathed a sigh of relief at not being attacked during their most important shopping days.

A WAF for the Other Half

The other half asks "May I please have some more (application security)."

Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing, everybody knows they should be doing it but it can be an easy step to forget and difficult to find the time to do it." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you".  In hindsight that conclusion was flawed for two reasons:  First, my analogy at that point got a little bit weird - who in their right mind would let someone else floss their teeth for them?  By the same token, what if you don't trust a 3rd party to update your rules for you?  Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly capable, thank you very much, of taking care of their apps and their WAF rules themselves.  Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested.  Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?

*Batteries not included

If you grew up in the 1970's and 80's, this simple statement could ruin your holiday - if Mom & Dad hadn't had the foresight to stock up on AA, AAA, C, D, and 9-volt batteries before you opened your presents, you had to put your handheld video games, animatronic animals, and talking dolls aside for a few days.  In contrast, today's gadgets tend to come with a USB charging cable, so needing to have batteries on hand is no longer a real issue.  (And if you find yourself in a *Cables not included situation, you probably have one or more stashed away somewhere in your office or house that you can use.)

Over the last 10 years, connected devices have grown in popularity and availability.  While keeping them charged remains an issue, keeping them connected has arguably become a bigger one.  These devices now rely on Internet connectivity for activation, for core functionality, and for content - without it, they essentially become expensive paperweights. (You *do* still have some paper around, right?)

At SOASTA, we collect a massive amount of real user data for many top retailers. This past long weekend, not surprisingly, saw an enormous surge in the amount of user experiences our customers monitored and measured. On Black Friday alone, we collected almost 2 billion beacons' worth of real user data.* By the end of Cyber Monday, we estimate that we will have collected between 5 and 7 billion beacons of data.

For citizens of the most advanced economies, it is hard to conceptualize what being entirely cut off from the Internet would look like, let alone how it could actually happen. Is it as simple as flipping a kill switch or pressing an 'Off' button? Though unlikely in countries like the United States that have numerous independently operated providers and redundant Internet infrastructure, total shutdowns are still possible in geographies where this is not the case. In this post, you will learn two ways the Internet gets shut off at a national level, the likelihood that such an event could happen in the United States, and what makes a country's network susceptible to a total disconnection.

620+ Gbps Attack - Post Mortem

On Tuesday, September 20, Akamai successfully defended against a DDoS attack exceeding 620 Gbps, nearly double that of the previous peak attack on our platform.

That attack and the recent release of the Mirai source code have generated a lot of interest in, and speculation about, the role of IoT devices in DDoS attacks. For several months, Akamai researchers have been looking into the code that is now known as Mirai. Much of that research was based on reverse engineering of the binary prior to the actual source code being released.