Big Data Intelligence - Or Katz, Akamai and Tsvika Klein, Akamai
DESCRIPTION
As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases exponentially, leaving security experts with a big data mess to analyze. Pinpointing real attacks in a sea of security event noise becomes an almost impossible, tedious task. In this presentation, we will unveil a unique platform for collecting, analyzing and distilling petabytes of WAF security intelligence information. Using the collected data, we will discuss the OWASP ModSecurity Core Rule Set project's accuracy, and reveal common attack trends, as well as our impressions and suggestions for how to wisely make the best out of the CRS project. See Or Katz and Tsvika Klein's Edge Presentation: http://www.akamai.com/html/custconf/edgetv-security.html#big-data-intel
The Akamai Edge Conference is a gathering of the industry revolutionaries who are committed to creating leading edge experiences, realizing the full potential of what is possible in a Faster Forward World. From customer innovation stories, industry panels, technical labs, partner and government forums to Web security and developers' tracks, there's something for everyone at Edge 2013. Learn more at http://www.akamai.com/edge
TRANSCRIPT
Big Data Intelligence
Or Katz, Principal Security Researcher
Tsvika Klein, Security Product Manager
©2013 AKAMAI | FASTER FORWARDTM
Cyber Attack, August 30 2013
Origin: Syria
Target: major US media sites
Type: orchestrated & synced recon scan & DDoS
Outcome: attacks blocked by Akamai Kona
Analysis: further analysis made using Akamai's security big data platform...
[Chart, Aug-20 to Sep-11 (peak around Aug-30 to Sep-4): attacks from Syria (Aug-Oct) against the average attacks from Syria (2013), alongside سوريا (Syria) Google Trends and attacks from the TOR network]
The AUG-30 Syrian Attack Deconstructed…
Big Data - Introduction
Akamai is Big Data
30% of Internet traffic Delivered by Akamai
100K+ Edge servers Collecting data in real time
734 Million IPv4 addresses seen by Akamai (quarterly)
30 Billion Security events logged
260 Terabytes Compressed daily logs
Security Big Data Challenge #1
Security Big Data Challenge #2
Akamai's Big Data Platform – High Level Architecture
[Diagram: Rate Triggers, IP Table Logs and WAF Triggers, enriched with Geo Info, HTTP and IP data, feed the Big Data Platform, which produces SARA, Client Reputation and Threat Reports]
Security Analytics with SARA
• Interactive Tool to Analyze Kona Events
• Reporting Engine to generate the WAF Analysis Report
Client Reputation
Record past behavior and use the data to protect everyone
• Analyze activity over the Internet
• We see the majority of all Web users over a period of one month
• Focus on the source of the attack
• Identify good and bad clients based on past behavior
• Define an attack reputation score for clients
• Filter malicious clients based on reputation score
• Distributed to over 100K Edge servers
• Shared across our customers
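The scoring-and-filtering loop in the bullets above, as an added illustration (not Akamai's code): WAF trigger events are aggregated per source client over a past-behavior window, hits spread across several customer sites weigh more than repeated hits on one, and clients over a threshold are filtered. The event format, window, scoring formula and threshold are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WAF trigger events, not real Akamai data:
# (timestamp, client_ip, customer_site, triggered_rule_id)
SAMPLE_EVENTS = [
    ("2013-08-30T09:58:00", "203.0.113.7", "media-site-a", "950901"),
    ("2013-08-30T09:58:30", "203.0.113.7", "media-site-a", "950901"),
    ("2013-08-30T10:01:00", "203.0.113.7", "media-site-b", "958008"),
    ("2013-08-30T10:02:00", "203.0.113.7", "media-site-c", "973300"),
    ("2013-08-30T10:05:00", "198.51.100.2", "media-site-a", "950901"),
    ("2013-07-01T10:05:00", "198.51.100.9", "media-site-a", "950901"),  # stale
]
NOW = datetime(2013, 8, 30, 12, 0)  # constructed "current time" for the window


def reputation_scores(events, now, window=timedelta(days=30)):
    """Score each client IP from its past behavior inside the window.

    Assumed formula: hits * distinct customer sites hit, capped at 100, so a
    client probing many customers scores higher than one hammering a single site.
    """
    hits = defaultdict(int)
    sites = defaultdict(set)
    for ts, ip, site, _rule in events:
        when = datetime.fromisoformat(ts)
        if when > now or now - when > window:
            continue  # only recent past behavior counts
        hits[ip] += 1
        sites[ip].add(site)
    return {ip: min(100, hits[ip] * len(sites[ip])) for ip in hits}


def malicious_clients(scores, threshold=10):
    """Clients whose reputation score crosses the (assumed) filtering threshold."""
    return sorted(ip for ip, score in scores.items() if score >= threshold)


def score_sample():
    """Run the sample through the pipeline; returns (scores, filtered clients)."""
    scores = reputation_scores(SAMPLE_EVENTS, NOW)
    return scores, malicious_clients(scores)


if __name__ == "__main__":
    scores, flagged = score_sample()
    for ip, score in sorted(scores.items()):
        print(f"{ip:<14} score={score}")
    print("filtered:", flagged)
```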
Client Reputation Definition
“To provide security intelligence … a reputation provider must take
action in three phases. It must collect relevant data, it must analyze this
data for security intelligence … and it must distribute the results quickly
and efficiently to security policy enforcement ...”
Source: Gartner, Dec 2012
Big Data analysis – Use cases
Web LOIC
Web LOIC Attack
Attackers!
Scraping Bot Net
Attacker - $?$?$
Anonymous Networks
• Tor
• Opera mini (cloud browsing)
• Blackberry infrastructure
• Cloud services
Big Data - Summary
• Insight like never before
• Helps to address the evolving threat landscape
• Innovative security solutions to protect our customers
Glance into the Future
Fraud Prevention
Risk Based Authentication
Adaptive Security Controls
Simplified Configuration