
Recently in Professional Services Category

STEM Professions - Share your Passion!

I recently attended an Akamai Women's Forum where Tom Leighton (Akamai co-founder & CEO) and Jim Gemmell (Chief HRO) came to discuss diversity at Akamai. Jim talked about the overall availability of STEM (Science, Technology, Engineering and Mathematics) candidates, and it made me reminisce about how I got interested in a technology career.

Next Akamai Meet-Ups in February

UPDATE: Due to a scheduling conflict the Reston Meetup event has been moved to Wednesday, March 19th, 2014. Our sincere apologies for any inconvenience.

Akamai's Professional Services team is hosting two new security-focused meet-ups in February. These interactive technical sessions cover key trends and tips for Akamai customers. To learn more about our upcoming events, read below.

Anomaly scoring is a better way to detect a real attack

The following is a guest post from Principal Enterprise Architect David Senecal and Principal Product Architect Ory Segal.


Internet security is constantly evolving, and it is a challenge for every company generating online revenue. Not only do they need to constantly reinvent themselves by adding functionality that lets their users do more, but at the same time they need to protect their online transactions.

How to block a threat and not a real user?

One of the key problems in any security solution is how to handle false positives and false negatives - that is, how to avoid blocking valid users, while not missing malicious activity against the system. Web application firewalls (WAF) are no exception.

At Akamai, I have been working with the OWASP ModSecurity Core Rule Set for quite some time and have gained extensive mileage with the system, and the problem we had with previous Core Rule Sets (CRS) was dealing with exactly this issue.

A single rule firing on an HTTP request is often not deterministic enough to indicate a real attack. For example, finding the word "script" or "alert" on its own in a request is not a good indication that a Cross-Site Scripting attack is taking place.

However, if you find both keywords together with some special markup characters in between (something like "<script>alert("xss");</script>"), malicious intent becomes much more obvious.


Improving the threat detection accuracy

In version 2.x of the CRS, OWASP introduced the concept of anomaly scoring as a way to detect attacks more accurately. Each rule is built so that it holds only one piece of the puzzle and is assigned a score. As the WAF evaluates a request against the many rules that make up the CRS, it keeps track of the rules that fire and adds up their scores to compute the request's total anomaly score. The WAF then compares that total with the threshold of the inbound risk score rule: if the score meets or exceeds the threshold, the request is treated as malicious (and blocked when the policy is in deny mode); otherwise it is allowed through.

At a high level, the principle is simple, but to make it efficient there are some rules to follow:

  • Each rule in the rule set should look for a specific keyword or pattern that is typical of an attack
  • No single rule should try to hold all the keywords typically found in an attack payload; the detection comes from several rules firing together
  • Each rule must be given a score between 1 (informational) and 5 (critical), assigned according to the risk that the matched pattern represents

CRS 2.x comes with two risk score rules: one that totals the scores of the rules that fired during the request (inbound) stage and another that totals the scores of the rules that fired during the response (outbound) stage. In practice, we discovered that it is very difficult, if not impossible, to find a single threshold that works across the different types of attacks. The graph below shows the ideal threshold (highlighted in blue) for each type of attack.

[Figure: ideal anomaly score threshold per attack type (Scoring 2)]

Akamai's Threat Research Team went back to the drawing board, and took this concept a step further, introducing attack specific risk score rules (Cross Site Scripting, SQL Injection, Command Injection, PHP Injection, HTTP Anomaly, Trojans and Remote File Include Attack). The result is the new Kona Rule Set that aims to reduce false positives and more accurately detect true attacks.
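The following is an added example, not Akamai's or the OWASP CRS code, that simulates the scoring just described in Python: each rule holds one fragment of an attack and a score from 1 to 5, the scores of all rules that fire are summed, and the request is then judged either against one global threshold (the CRS 2.x approach) or against a separate threshold per attack family (the approach the Kona Rule Set takes). The rules, scores, thresholds and sample requests are all constructed for illustration; real CRS rules are ModSecurity SecRule directives, not Python.

```python
import re
from dataclasses import dataclass

# Added example, not Akamai's or the OWASP CRS code: a toy anomaly-scoring
# engine. Every rule, score, threshold and sample request here is constructed.

@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str   # attack family the rule contributes to (xss, sqli, ...)
    pattern: str    # one fragment of an attack, never the whole payload
    score: int      # 1 (informational) .. 5 (critical)

RULES = [
    # Cross-Site Scripting fragments: each needs markup, not just the keyword
    Rule("xss-01", "xss", r"<\s*script\b", 3),
    Rule("xss-02", "xss", r"\balert\s*\(", 2),
    Rule("xss-03", "xss", r"\bon(?:load|error|click|mouseover)\s*=", 3),
    Rule("xss-04", "xss", r"javascript\s*:", 3),
    # SQL Injection fragments: lone keywords score low, combinations score higher
    Rule("sqli-01", "sqli", r"\bunion\b", 1),
    Rule("sqli-02", "sqli", r"\bselect\b", 1),
    Rule("sqli-03", "sqli", r"\bfrom\b", 1),
    Rule("sqli-04", "sqli", r"\bselect\b.*\bfrom\b", 2),
    Rule("sqli-05", "sqli", r"\bunion\b\s+(?:all\s+)?select\b", 3),
    Rule("sqli-06", "sqli", r"--\s*$|/\*.*?\*/", 1),
]
COMPILED = [(rule, re.compile(rule.pattern, re.IGNORECASE | re.DOTALL)) for rule in RULES]


def score_request(params):
    """Run every rule over every parameter value. Returns the total anomaly
    score, the score per attack family and the ids of the rules that fired."""
    total, per_category, fired = 0, {}, []
    for value in params.values():
        for rule, regex in COMPILED:
            if regex.search(value):
                total += rule.score
                per_category[rule.category] = per_category.get(rule.category, 0) + rule.score
                fired.append(rule.rule_id)
    return total, per_category, fired


def block_global(params, threshold):
    """CRS 2.x style: one inbound threshold applied to the summed score."""
    total, _, _ = score_request(params)
    return total >= threshold


def block_per_category(params, thresholds):
    """Per-attack-family thresholds. Every category a rule can produce must
    have a threshold; a missing one is a configuration error, so fail loudly."""
    _, per_category, _ = score_request(params)
    return any(score >= thresholds[category] for category, score in per_category.items())


# Constructed traffic: (label, request parameters, is_attack)
SAMPLE = [
    ("legit comment", {"comment": "Please select the union contract from the list below"}, False),
    ("legit search", {"q": "javascript alert box tutorial"}, False),
    ("xss probe", {"q": '<script>alert("xss")</script>'}, True),
    ("sqli probe", {"id": "1' UNION SELECT username, password FROM users--"}, True),
]


def evaluate(decide):
    """Apply a decision function to the sample; {label: (blocked, is_attack)}."""
    return {label: (decide(params), is_attack) for label, params, is_attack in SAMPLE}


def mistakes(decide):
    """Labels where the decision disagreed with the truth (false positive or negative)."""
    return [label for label, (blocked, is_attack) in evaluate(decide).items() if blocked != is_attack]


if __name__ == "__main__":
    for name, decide in [
        ("global threshold 5", lambda p: block_global(p, 5)),
        ("global threshold 6", lambda p: block_global(p, 6)),
        ("per-category xss>=5, sqli>=8", lambda p: block_per_category(p, {"xss": 5, "sqli": 8})),
    ]:
        print(f"{name}: mistakes = {mistakes(decide) or 'none'}")
```

Run as a script, the sample shows the problem the graph above illustrates: the benign comment accumulates a SQL Injection score of 5 from harmless English words, and the XSS probe also scores exactly 5, so a global threshold of 5 blocks the legitimate user and a global threshold of 6 lets the XSS probe through. With a threshold of 5 for XSS and 8 for SQL Injection every decision is correct. The "javascript alert box tutorial" search also shows why rules match markup rather than bare keywords: it fires nothing at all.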

CRS 2.x in action

In order to put the new Kona Rule Set to the test, and do so by using proper methodology, Akamai's threat research team compared the accuracy of:

  • Akamai Kona Rules
  • A WAF policy running the CRS 1.6.1 ruleset with all rules in deny mode
  • A WAF policy running the standard (vanilla) OWASP CRS 2.2.6 rule set

The testing process used both valid traffic (to measure false positives), as well as attack traffic (to measure false negatives).

We have been running an opt-in beta program with some of our customers to improve WAF accuracy for them.  As a result, we've been able to create a valid traffic sample that includes real world Internet traffic from some of the world's top 100 websites - including large amounts of real world traffic known to cause false positives. Attack traffic was also included from popular hacking tools, exploit tools, and web security scanners. These attack test cases represented 5% of the total sample set.

We consider the following measures:

  • Precision: the percentage of blocked requests that were actual attacks
  • Recall: the percentage of attacks that were actually blocked
  • Accuracy: the percentage of all decisions (block or allow) that were correct
  • MCC*: the correlation between the WAF's decision and the actual nature of the request, from -1 (always wrong) through 0 (no better than chance) to +1 (always right)

* MCC is the Matthews correlation coefficient: http://en.wikipedia.org/wiki/Matthews_correlation_coefficient
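To make the four measures concrete, here is an added example (not Akamai's code) that computes them from a confusion matrix. The three policies and their request counts are constructed for illustration and are not the results in the table below; they do keep the 5% attack share of the real sample set, which is what makes accuracy on its own misleading here.

```python
import math

# Added example, not Akamai's code: WAF accuracy measures from a confusion
# matrix. All request counts below are constructed for illustration.

def confusion(decisions):
    """decisions: iterable of (blocked, is_attack) pairs -> (tp, fp, tn, fn).
    Blocking an attack is a true positive, blocking a legitimate request a
    false positive, letting an attack through a false negative."""
    tp = fp = tn = fn = 0
    for blocked, is_attack in decisions:
        if blocked and is_attack:
            tp += 1
        elif blocked:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def precision(tp, fp, tn, fn):
    """Share of blocked requests that really were attacks."""
    return tp / (tp + fp) if tp + fp else 0.0


def recall(tp, fp, tn, fn):
    """Share of attacks that were actually blocked."""
    return tp / (tp + fn) if tp + fn else 0.0


def accuracy(tp, fp, tn, fn):
    """Share of all decisions (block or allow) that were correct."""
    total = tp + fp + tn + fn
    return (tp + tn) / total if total else 0.0


def mcc(tp, fp, tn, fn):
    """Matthews correlation coefficient: +1 perfect, 0 no better than chance,
    -1 inverted. Defined as 0.0 when a marginal is empty (zero denominator)."""
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return (tp * tn - fp * fn) / denom if denom else 0.0


def report(tp, fp, tn, fn):
    return {
        "precision": precision(tp, fp, tn, fn),
        "recall": recall(tp, fp, tn, fn),
        "accuracy": accuracy(tp, fp, tn, fn),
        "mcc": mcc(tp, fp, tn, fn),
    }


# Constructed sample: 1,000 requests, 50 of them attacks (5%). Counts are
# (tp, fp, tn, fn) for three hypothetical policies.
POLICIES = {
    "allow everything": (0, 0, 950, 50),
    "noisy deny-mode policy": (48, 95, 855, 2),
    "well-tuned policy": (45, 5, 945, 5),
}


def compare():
    """Metrics for every constructed policy, keyed by policy name."""
    return {name: report(*counts) for name, counts in POLICIES.items()}


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

A policy that blocks nothing scores 95% accuracy on this sample simply because 95% of the traffic is legitimate, yet its recall and MCC are 0. The noisy policy has the best recall but pays for it with 95 blocked users, which MCC penalises; the tuned policy, with slightly lower recall, has by far the highest MCC. That is why the comparison looks at all four numbers rather than accuracy alone.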

The table below shows the results of the experiment.

[Table: precision, recall, accuracy and MCC for the three policies (Scoring 3)]

Why should you use Anomaly Scoring?

The results clearly demonstrate that the policy running the Kona Rule Set blocked more real attacks than any other policy, and that overall its decisions were most in line with the actual nature of the traffic: it detected real attacks with a lower rate of false positives.

It is worth mentioning that the measurements were done against an "out of the box" non-tuned configuration - specific WAF deployments are expected to have even better results using custom rules and more application-specific tuning.

Akamai Professional Services can help you participate in the Kona Rule Set beta program; we are always looking for customers to partner with on our security research to improve our Kona security suite and reduce false positives even further.


David Senecal is Principal Enterprise Architect and Ory Segal is Principal Product Architect at Akamai.


There's still time to register for next week's webinar! Join IDC's Greg Ireland and Akamai's Frank Childs on Wednesday, December 11th from 11-11:45am EST to learn how Operators can better service their subscribers with the implementation of CDNs.

As stated above, the topic will be How CDN and Video Strategies Impact Subscriber Retention and Market Share Shifts. Greg and Frank will discuss key takeaways and actions based on recently completed research from IDC. In particular, they will cover how multiscreen services impact subscriber loyalty, how caching impacts broadband speeds and user satisfaction, and how the online video expectations of the all-important millennial demographic have changed.

Here's a glimpse of what you'll learn by attending the webinar...

  • What percentage of subscribers that consider TV Everywhere an important complement to Pay TV
  • Video usage expectations of the millennial demographic
  • Who viewers blame when OTT video streaming fails
  • How multiscreen is affecting subscriber loyalty
  • The financial impact of every 50,000 subscribers gained or lost per year

To learn more and register for this webinar please go to:
http://reg.dispeak.com/c/akamai/car/dec13/r.html#register

We hope you can join us. If you can't make it on the 11th but you're interested in the topic, please register and we'll send you a link to the recording of the session.

The Akamai Meetups

Holiday season is approaching and things are slowing down?  Not for us, the professional services team at Akamai.  We have been working round the clock to bring you face-to-face meetup events with our technical experts from Akamai's Advance Solutions Group (ASG).  Our goal is to provide you with insights and expertise on the hottest topics this season.  Here's what's on the schedule as we conclude the year; we are excited for you to join, share, interact and immerse, and isn't that what the holidays are truly all about?

  • Dec 5th, New York: Addressing the challenges of online media with Akamai Sola: More than ever, audiences are consuming their entertainment online - and over an expanding array of devices.  Join our media experts David Sztykman & Frank Paolino to talk about video delivery challenges and see how Akamai can help you reach a global audience without headaches.
  • Dec 5th, Chicago: Performance Angle to Responsive Web Design - FEO design patterns and tools: The move to Responsive Web Design has put more emphasis on ensuring that users receive a high quality experience regardless of the device used to surf the web.  Our seasoned technologists Colin Bendell & Austin Thornburg will share front-end development patterns, best practices, optimizations and tools that you can use to keep your site flying through the cloud.
  • Dec 5th, San Mateo: Web Performance Best Practices - Fast Sites for a Global Audience: Come learn what industry experts are telling developers to do to optimize their web sites, and what Akamai solutions are doing to complement these efforts.  Our Web Perf specialists Javier Garza & David Bartosh provide the scoop.
  • Dec 12th, San Mateo: Learn how to improve your security posture with the latest features available in Kona Site Defender: Keeping pace with attack trends and defense strategies while ensuring users can access the web site can be a daunting task.  In this session, our security experts David Senecal & Harish Jakkal talk about the latest features available in Kona Site Defender and how to use them to improve your security posture and avoid false positives.

Akamai's Advance Solutions Group (ASG)

Since May 2013, the ASG team has been organizing Meetups for our customers in NYC, Cambridge and San Mateo.  These "No Selling Zone" events provide unadulterated technical knowledge to our customers.  The events have been a tremendous success, as evidenced by direct feedback and the crowd of 44 people at our Cambridge office (video).

The Advance Solutions Group helps Akamai's customers meet their critical business goals and complex technological challenges by providing Akamai's innovation, thought leadership and education.

ASG services include:

  • Architecture Design: Identify and translate advanced requirements into creative out-of-the-box cloud solutions.
  • Assessment Services: Value-add consulting to provide customers with expertise and best practices in the areas of user experience, infrastructure reliability and security.
  • Education Services: Hands-on, in-depth training for customers to make them more self-reliant and increase their Akamai ROI.

Manuel Alvarez is Enterprise Architect at Akamai

So...just how important are Operator CDNs?


Of course WE'RE going to say that Operator CDNs are important, we're Akamai. But what do the operators think? And further to that, what do the consumers think? In IDC's recently released white paper -- Broadband and Pay TV Operators Adopt CDN Strategies to Manage Changes in Consumer Video Behavior -- we find out.
 
This white paper draws on extensive interviews with leading communications service providers in the US as well as a survey of US consumers. The paper dives into the topics of multi-screen video services, network capacity management, improved video experiences and its impact on both revenue and customer satisfaction.
 
The research uncovered some enlightening statistics including:
 
  • How many subscribers consider TV Everywhere an important offering
  • How many viewers place the blame on operators when OTT video streaming fails
  • The revenue impact of every 50,000 subscribers gained or lost per year
  • The number of subscribers who would switch providers if their pay TV provider did not offer multi-screen services but another did
 
You will learn this and a lot more by reading the white paper which can be found on our website at: http://www.akamai.com/html/ms/cdn-strategies-whitepaper.html.
 
You can also learn about the findings in a live webinar being held on December 11th at 11am EST with the author of the paper, Greg Ireland and Akamai's Frank Childs. Register to attend at: http://reg.dispeak.com/c/akamai/car/dec13/r.html#register.
 
In the meantime, check out this fun infographic that summarizes some of the findings.

Part 2: A practical guide to web resource caching

The first part of this series reminded our readers of the best practices for caching and emphasized the need to isolate personal data from any page view content.

In this second blog post, we will provide actual caching value recommendations for client browsers and edge servers. We categorize each resource by time sensitivity, list the main observed use cases for each of them, and propose TTL values for the client as well as for the edge server. When appropriate, we differentiate recommendations based on the edge invalidation policy.  

Resource is not time sensitive, points to static content. 

This is the best caching scenario. Always strive to make resources time-independent.

  • Images
  • Any versioned content: www.example.com/v13/js/main.js

Recommended TTLs: Edge and Client TTLs: 3 months

Resource has low time sensitivity (staleness > 1 hour)


  • Search result listings
  • User reviews
  • Backward compatible resources, e.g. JS or CSS
  • Search engine targeted pages
  • Generic ads

Recommended TTLs:
  • Edge TTL: 1 hour to 1 day if no invalidation, else 2x the refresh period, e.g. 2 days for content updated daily
  • Client TTL: 2x median user session duration, or 15 min if unknown

Resource has medium time sensitivity (15 min < staleness < 1 hour).


  • Social updates, user comments 
  • Category listings
  • Flight and other schedules
  • Weather forecasts
  • Context sensitive ads
  • Product prices or availability. (Upon purchase/reservation, non-cacheable requests to pricing/availability must be made to guarantee the transaction)

Recommended TTLs: 
  • Edge TTL: 15 min. to 1 hour if no invalidation, else 2x the refresh period, e.g. 2 hours for content updated hourly.
  • Client TTL: 10 min. or less.


Resource has high time sensitivity (staleness < 15 min).

  • Breaking news 
  • Finance tickers
  • Sports scores

Recommended TTLs:
  • Edge TTL: 30 sec. to 15 min. Invalidation is discouraged
  • Client TTL: 0. Validation with edge server must be performed for each request


Resource has personal information.
  • Origin system generated: recommendations, messages
  • User generated, e.g. personal settings, shopping cart

Recommended TTLs:
  • Edge: Do not cache
  • Client TTL: If origin generated: 2x median user session duration, else do not cache


Resource cannot be served stale, yet is cacheable
Non-personal, popular and time-critical large objects that change at unpredictable times

Recommended Edge and Client TTLs: 0. Resource can be cached, however validation with Edge (from client) and Origin server (from Edge) must be performed for each request
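The recommendations above, turned into code as an added example (not Akamai's own tooling): one function picks the client TTL, another the edge TTL, a third builds the resulting Cache-Control header, and a fourth checks the pair against the "staleness budget" from part 1 of this series (the total staleness a resource can reach is bounded by client TTL plus edge TTL; when invalidation is relied on, the edge TTL is no longer the freshness guarantee, and the roughly 10 minutes that a purge can take is counted instead). Assumptions: where the table gives a band, the lower bound is used; the edge TTL is expressed as the standard HTTP s-maxage directive, whereas on Akamai it would normally be configured at the edge; personal origin-generated data with no known session length is not cached on the client. All resources in the sample are constructed.

```python
# Added example, not Akamai's code: TTL recommendations as Cache-Control
# headers plus a staleness-budget check. Constructed inputs throughout.

MINUTE, HOUR, DAY = 60, 3600, 86400
PURGE_LATENCY = 10 * MINUTE   # part 1: invalidation is not immediate, allow up to 10 min


def client_ttl(kind, median_session=None, origin_generated=False):
    """Browser TTL in seconds; None means do not cache on the client."""
    if kind == "static":
        return 90 * DAY
    if kind == "low":
        return 2 * median_session if median_session else 15 * MINUTE
    if kind == "medium":
        return 10 * MINUTE
    if kind in ("high", "no_stale"):
        return 0                          # store, but revalidate on every request
    if kind == "personal":
        # only origin-generated personal data may sit in the browser cache;
        # without a known session length we do not cache it at all (assumption)
        return 2 * median_session if origin_generated and median_session else None
    raise ValueError(f"unknown kind {kind!r}")


def edge_ttl(kind, refresh_period=None, invalidation=False):
    """Edge TTL in seconds; None means do not cache at the edge.
    Where the recommendation is a band, the lower bound is used (assumption)."""
    if kind == "static":
        return 90 * DAY
    if kind in ("low", "medium") and invalidation:
        if refresh_period is None:
            raise ValueError("refresh period needed when relying on invalidation")
        return 2 * refresh_period         # 2x the refresh period, purge keeps it fresh
    if kind == "low":
        return 1 * HOUR                   # band: 1 hour to 1 day
    if kind == "medium":
        return 15 * MINUTE                # band: 15 min to 1 hour
    if kind == "high":
        if invalidation:
            raise ValueError("invalidation is discouraged for high time sensitivity")
        return 30                         # band: 30 s to 15 min
    if kind == "personal":
        return None
    if kind == "no_stale":
        return 0
    raise ValueError(f"unknown kind {kind!r}")


def cache_control(edge, client):
    """Cache-Control response header for an (edge, client) TTL pair."""
    if edge is None and client is None:
        return "Cache-Control: private, no-store"
    if edge is None:
        return f"Cache-Control: private, max-age={client}"          # personal, client only
    if edge == 0 and client == 0:
        return "Cache-Control: public, no-cache"                    # cacheable, always revalidate
    directives = ["public", f"max-age={client}", f"s-maxage={edge}"]
    if client == 0:
        directives.append("must-revalidate")
    return "Cache-Control: " + ", ".join(directives)


def within_budget(edge, client, staleness_budget, invalidation=False):
    """Part 1 rule: permissible staleness >= edge TTL + client TTL. With
    invalidation the edge contributes only the purge latency."""
    edge_part = PURGE_LATENCY if invalidation else (edge or 0)
    return edge_part + (client or 0) <= staleness_budget


def recommend(kind, staleness_budget, **opts):
    """Return (edge_ttl, client_ttl, header, fits_budget) for one resource."""
    invalidation = opts.get("invalidation", False)
    edge = edge_ttl(kind, opts.get("refresh_period"), invalidation)
    client = client_ttl(kind, opts.get("median_session"), opts.get("origin_generated", False))
    return edge, client, cache_control(edge, client), within_budget(edge, client, staleness_budget, invalidation)


if __name__ == "__main__":
    # constructed resources: (name, kind, staleness budget in seconds, options)
    for name, kind, budget, opts in [
        ("versioned main.js", "static", 365 * DAY, {}),
        ("product price", "medium", HOUR, {"refresh_period": HOUR, "invalidation": True}),
        ("flight schedule", "medium", HOUR, {}),
        ("breaking news", "high", 15 * MINUTE, {}),
        ("shopping cart", "personal", HOUR, {}),
        ("recommendations", "personal", HOUR, {"origin_generated": True, "median_session": 20 * MINUTE}),
        ("search results", "low", HOUR, {"median_session": 20 * MINUTE}),
    ]:
        print(name, recommend(kind, budget, **opts))
```

The last constructed resource is the instructive one: search results classed as low sensitivity with a 20-minute median session get a 40-minute client TTL on top of a 1-hour edge TTL, so against a 1-hour budget the check fails. Either the budget is really larger than an hour (which the "low" class implies) or the client TTL has to give, and the check makes you decide rather than discover it in production.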

If you would like to understand how to best implement these recommendations or present a use case that is not covered here, please contact Akamai professional services.

Pierre Lermant is an Enterprise Architect at Akamai

A practical guide to web resource caching, part 1

Web resource caching provides the dual benefit of reducing load on the origin infrastructure while accelerating the content delivered to the clients. Yet, because of business and technical requirements, it is often difficult to select the best caching rules for the client browser and the Akamai edge servers. In this 2-part blog I will review the industry's best practices and offer recommendations for common use cases.

 

Part 1 will walk you through all the parameters impacting caching policies. Part 2, to be published soon, will provide actual TTL recommended values for various contexts and use cases.

 

Terminology

●    TTL: Time to live of a cached resource.

●    Cache keys: Define a set of parameters that scope the caching of a resource. The client cache key is typically the full URL, including the query parameters. Akamai edge server cache keys can be tailored to the application and resource at hand, and allow for dynamic caching based on cookies, headers, query strings and other parameters.

●    Resource time sensitivity, or staleness: The amount of time a resource can be served stale without breaking any significant functionality or user experience. It is not to be confused with the object rate of refresh, which indicates how often the object is changed at the origin. Time sensitivity, and not refresh rate, is a main TTL driver.

●    Personal information: Holds data that is unique to a given user.



What is cacheable?

●    Edge caching: Everything can be considered for caching at the edge, except for content that is personal or must reach the origin for critical logging or business reasons. Even a few minutes' TTL can enhance the user experience and avert an origin breakdown in case of request bursts.

●    Client caching: While providing the shortest path to a given resource (no network traffic), it must be used with caution, as it cannot be invalidated. Personal information can be considered for caching.

It is highly recommended to not embed personal information in the page view (i.e. html) so it can be cached at the edge and shared amongst users. Instead, have the client fetch personal data through ajax calls or by reading dedicated cookies.

When to use Edge caching invalidation?

Invalidating a piece of content is enticing as it can be automated and extended TTLs can be prescribed. However it must be used with the following in mind:

●    The purge/invalidation process can create significant traffic spikes on the origin. If many resources are invalidated concurrently, or if it is performed during traffic peak hours, this may negatively impact the origin's ability to serve the requests in a timely manner.

●    It is most beneficial if automated and synchronized with the underlying systems updating the content. e.g. CMS or code release process.

●    It should only be considered for content that can be served stale for up to 10 min, as the invalidation/purge process is not immediate.

Client vs Edge caching

For each resource, business rules define a permissible overall staleness, which cannot fall below the sum of its client and edge TTLs. We will address how to partition the 'staleness budget' between the client and edge servers in our next post.  We will also provide actual TTL values for both the client and the edge server. Stay tuned and please check back on this blog.


Pierre Lermant is an Enterprise Architect at Akamai

The following is a guest post from Director Global Service Delivery Patrice Boffa and Solutions Architect Harish Jakkal.


Locking down access to a Web application based on information from the Network Layer of the Open Systems Interconnection (OSI) model is the most basic request filtering mechanism available. Many network firewalls on the market inspect the source/destination IP address of a request to make the routing decision on whether to forward or deny it.

Using Network Layer Controls within these firewalls, you can either allow or disallow end-user access to the Web application.  At the Network Layer, the parameter available to make the decision is the advertised IP of the end-user.  Many firewalls ship with a geo-location database that lets you correlate an IP to a geographical region.  This provides the flexibility to allow or deny end-users based on their advertised geographical location rather than listing all IP spaces for each geographical region. 

Network Layer Controls are typically maintained using a rather long list of IP/CIDR/Geo whitelist or blacklist.  However, this approach has the following limitations:

  1. Many firewalls are still on-premise devices that may not be able to scale up to volumetric attacks like Distributed Denial of Service (DDoS).
  2. Firewall configurations can be cumbersome to maintain and lack flexibility in the conditional logic that you wish to apply.
  3. Some firewalls lump all policies into one single configuration file.  As a result, each update to a policy requires redeploying the whole configuration, which can be challenging from a change management perspective.  Many firewalls still require manual intervention when updating the access control list, which makes the process prone to human error.

How do we solve these problems?  The Akamai KONA Network List Management feature provides a cloud-based, scalable alternative to controlling access to your Web application that is both easy-to-use and flexible.  Network List Management allows you to create and maintain logical lists of blacklists or whitelists. 

Akamai at Velocity New York and WebPerfDays


While some of you are attending and enjoying the Edge conference, some of us are preparing for other great Web Performance conferences where you can listen to and meet some of the members of Akamai's Advance Solutions Group.


Velocity NYC

Colin Bendell will be speaking at Velocity NYC on the topic "Performance Impacts of i18n, l10n and m18n" on Wednesday, October 16, 2013.  If you are planning to expand your target demographic by adding multiple language support, multiple currency support or other locale-specific functionality, you won't want to miss this presentation.  Colin will be sharing his insights about scaling your site while maintaining high page performance and cache hit rates, and exploring how to govern the complex business rules that come with internationalization and localization.  Check back later for Colin's post-conference post.


WebPerfDays

David Sztykman will be speaking at WebPerfDays on "How to scale large live events to millions of end users" on Thursday, October 17, 2013.  This ignite session will cover key points to make your next streaming event successful.  He will talk about the site surrounding the stream and how it affects the live event.  As a follow up, David will be presenting on the topic with more details during the upcoming November Meetup event.



We hope to see you at our next Meetup event and enjoy Conferencetober!


Manuel Alvarez is Enterprise Architect at Akamai
