WHITEPAPER

Akamai

FromWAFtoWAAP:

Akamai’sApproach

toaHolisticAppandAPISecuritySolution

Akamai

Contents

Introduction04

TraditionalaWAF05definitionof

ChallengesWAF06withatraditional

Design—WAFtoWAAP07principles

Akamai’stoWAAP10approach

M10ovingbeyondrulesets

MDDoS10odernizingapplication-layerdefensesbeyondratelimiting

Single11solutionforcomprehensiveprotection

TheAdaptiveSecurityEngine12

Adaptive13threatdetection

A13utomaticupdates

Testingtoensureaccuracy14framework

Automaticself-tuning15

C15onfigurationandautomationflexibility

Verify16intherealworld

I16ntegratingmodernizedprotections

ApplicationsecurityandDDoS18defense

BehavioralDDoSEngine:How19itworks

Applicationaccuracy21security

ClientReputationscores22

Malware23protection

Application24securityanalytics

APIProfiling25Discoveryand

|2

Akamai

|3

Botvisibilityandmitigation27

Bot&APIProtector27visibilityandmitigationintrinsictoApp

Key28botcapabilities

MoreaWAF:29thanBenefitsfromtheAkamaisolution

Threat30intelligenceanddetection

A30kamaiplatformintelligence

Threatresponse31researchandincident

T31hreatresearch

Iresponse31ncident

R31apidthreatdetection

CVE32protection

Globallydistributededgeplatform33

R33eliabilityandresiliency

Global35scale

P35erformance

Edgepowers36platformprotection

ManagedAttackSupport37

SecurityOperationsCommandCenter(SOCC)37

Conclusion38

|4

Akamai

Introduction

Withincreasinglylargeanddiverseattacksurfaces,growingoperationalfriction

andcost,andcontinuouslyevasivemultidimensionalthreats,securityteamsneed

visibilitybeyondthetraditionalwebapplicationfirewall(WAF).Specifically,theyneedmoreautomatedtoolstoincreaseefficiency,anddeeperprotectionsintheappand

applicationprogramminginterface(API)ecosystem.Themoremodernterminology

fortheseprotectionsiswebapplicationandAPIprotection(WAAP).Discerning

organizationsprioritizingthesecurityoftheirbusinessandthesafetyoftheir

customersdemandcomprehensiveprotectionagainstseveralthreatsacrosstheir

entiredigitalestate.Inadditiontoprotectingappsfromknown,unknown,andzero-dayattacks,theseprotectionsinclude:

?Adaptivethreatdetection

?Automatedpolicyupdates

?RobustDDoSdefense

?APIdiscoveryandprotection

?Botvisibilityandmitigation

?Easyintegrationsfordevelopmentlifecycles

ThispaperdiscussesthetraditionalWAFtechnology,theshiftfromWAFtoWAAP,

andthecontinuedmarketdemandthatisevolvingWAAPsolutions.Asanestablishedleaderinthesecurityspace,Akamaifocusesourapproachoninnovatingsecurity

technologiesthatpowerandprotectlifeonlineforendusers.

Akamai

TraditionaldefinitionofaWAF

AtraditionalWAFsitsinthemiddleofthetrafficflowbetweenendusersandaweb

application.TheWAFinspectsunencryptedorencrypted

HTTPtrafficpassingthrough

itforanyattacksasdefinedbyalistofrules.

MostWAFsrelyonapredefinedlistofrulestoidentifymalicious

HTTPrequests

interspersedwithlegitimate

HTTPtraffictoguardagainstthousandsofpotential

knownexploits.Inaddition

,newattackvectorsoradditionalpermutationsofexistingonescontinuouslyevolveandareexploitedbythreatactors.ThisiswhereatraditionalWAFcontinuallyneedstohaveitsrulesupdatedandtunedtothelegitimatetraffic

characteristics,whichwilldifferonaper-applicationbasisandchangeovertime.

Asendusershavedemandedmoreprotectionandperformance,WAFshaveexpandedtheirscopetoincludeadjacentsecuritytechnologiesandserviceslikedistributed

denial-of-service(DDoS)mitigation,APIsecurity,andbotmitigationcapabilities.Thiscontinuingevolutionwarrantsanewdefinitionandnewterminology.

|5

|6

Akamai

ChallengeswithatraditionalWAF

OrganizationswithaWAFoftenclaimthatitfailstomeetinitialexpectationsintermsofeffectiveness,easeofmanagement,andimpactonprotectedapplicationsandAPIs.Duetowebperformanceissuesthatoftenoccurfrominspectingbillionsofweband

APIrequestsformaliciouscode,WAFshaveoftenbeenasourceofintraorganizationalfriction,performancedegradation,andobstructiontodeploymentduetosecurity

protocols.

SomeofthemostsignificantdeploymentchallengeswithtraditionalWAFsstemfromthefollowing:

?Inaccuratedetectionsandhighfalsepositivescreatealertfatigueandadditionalrisk

?WAFsrelyonmanualreview,tuning,andmaintenance

?Lackofgranularcontrolsleadtoheavy-handeddenypoliciesthatinterruptend-userexperienceandbusinessprocesses

?Out-of-datethreatintelligenceincreasesvulnerabilities

?Decreasedperformanceandcoverageduetorestrictionsandinflexibility

?Toolimitedtoprotectdigitalexpansion

TraditionalWAFsareapowerfulsecuritytool.However,theycanoftenleave

organizationswithoperationalpainsandunmitigatedrisksthatwillbeaddressedinthispaper.

OrganizationslookingtoupdatetheirWAFtechnologywithaWAAPsolutionshould

ensurethatthesolutiondeliversbothbusinessvalueandrobustsecurityprotections.TheconversionfromWAFtoWAAPcombinesthispowerofprotectionwith

functionality,efficiencies,andeaseofusetomeetbusinesses’needs,bothforsecurityteamsandotherteams.

|7

Akamai

Designprinciples—WAFtoWAAP

AsthetraditionalWAFproductfocusesonend-userrulecreation,anyvendorcan

buildaWAFsolutionandbringittomarketwithrelativeease,asdemonstratedbytheprevalenceofcommercialofferingsbuiltaroundtheopensourceOpenWorldwide

ApplicationSecurityProjectModSecurityCoreRuleSet(OWASPCRS).

However,itisdifficultforaprovidertodesignacomprehensiveWAAPsolutionthatcan:

?Bedeployedin-linetoprotectapplicationsandAPIsasnewvulnerabilitiesemerge

?Keepupwithmodernappdevelopmentpractices

?ProvideequallystronglayersofDDoSdefense,botmitigation,APIprotection,andclient-sidewebapplicationprotections

AsAkamaiapproachedthedesignofourWAAPsolution,webelieveditshouldbe

morethan“goodenough.”App&APIProtectorwascreatedtoaddresssecurityriskswhilekeepingourcustomerorganizationsfocusedonmajorbusinessobjectives.

Asablueprinttoourdesign,webelievedanidealWAAPsolutionshouldprovide:

Effectivesecurity

Applicationsruneveryaspectofthebusiness.Securingthemagainstmaliceis

thefoundationalgoalofacorporatesecurityteam.SecurityteamsarechallengedtofindaWAAPsolutionthatdeliversbest-of-breeddetectionsinaWAAPsolution.Theidealsecuritytoolprioritizesdetectionefficacy,asitisthemostimportant

aspectofaWAAPsolution,andhasastellartrackrecordofzero-day,exploit,

andCommonVulnerabilitiesandExposures(CVE)defense,aswellasanimpressiveavailabilityhistory.

Accuracy

Securityteamsneedtofindtherightbalanceofmitigatingriskswhileenablingthebusinesstomovewithspeed.Idealsolutionswillhaveself-tuningmechanismsthathelptoreducefalsepositiveswhilenotcompromisingend-userexperienceand

businessprocesses.

Akamai

|8

Modernprotections

Organizationsmustcontinuously(andoftenmanually)updateprotectionstothelatestrulestoaddressnewvulnerabilitiesastheyarediscovered.Todothis,theyneedtwokeyabilities:accesstothelatestintelligenceacrossattackvectorsandskilledsecurityresourcesthatcantailorthedefensestrategytomeetmalleableattacks.Anideal

solutionwillbealeaderinthethreatintelligencecommunityandprovidecapabilitiesthatsimplifysecurityoperationsacrosstheestate’sprotections.

Adaptivity

Thethreatlandscapeevolvesatarapidpace.WithAI-poweredattacksonthehorizon,securityteamsneedtobemoreefficientthaneverintheirsecurityoperations.IdealWAAPsolutionswillhaveacombinationofadvancedautomation,machinelearning,anddeepglobalintelligencetodeliverupdatesautomaticallyandprovidecustomizedrulemodificationsuggestionsthatareimplementedinaclick.

Visibility

TraditionalWAFsolutionstypicallyprovideanever-endingstreamofalertsandrelyonsecuritypractitionerstocarefullyanalyzeeachalertburningthroughin-house

resources.AmoreeffectiveWAAPsolutionprovidesmulti-solutionvisibilityand

proactivecontextaroundattacksbynotifyinganorganizationwhen,where,andhowtheyoccurredtoalleviatetheresourceburden.

Scalability

Asolutionwithoutenoughscaletohandleincomingtrafficcaneasilybecomea

bottleneckthatincreasesweblatencyandhasthepotentialtobreakunderload.AneffectiveWAAPapproachseamlesslyandautomaticallyscalestomatchtrafficdemandsandattacksastheyvaryovertime,andprovidecontinuousprotection

withoutinterruptionorreducedperformance.

Akamai

Cooperation

Aneffectivesecuritysolutionneedstobeintegrableintothecurrentstack,

programmable,simpletouse,andfrictionless.Anidealsolutionbuildsabridgebetweensecurityanddevelopmentteams.

Support

Duringdemandingsecurityevents,organizationsareoftenoverwhelmedbytheskillsandresourcesneededtoprovideatimelyresolution.Anidealsolutionwillhaveregularmanagedserviceoptions,aswellason-demandserviceoptions,thatcanprovide

expertiseandmitigationforcommonscenariosincludingactiveattacks,servicesissues,staffturnover,internalskillsetgaps,andmore.

Withthesedesignprinciplesinmind,let’sexplorehowAkamaiapproachesbuildingourleadingWAAPsolution,App&APIProtector,startingwiththecoretechnology.Oursolutioncombinesmanysecurityproductsinonetoholisticallyaddress

challengesinsecuringapplications,defendingagainstvolumetricDDoSattacks,protectingAPIsacrosstheestate,andcontrollingbottraffic.

|9

|10

Akamai

Akamai’sapproachtoWAAP

Movingbeyondrulesets

AsthemarketmovedfromtraditionalWAFdesignprinciplestothemodernand

effectivesecuritysolutionofWAAP,effectivedetectionandmitigationtechnologyremainedthefocus.

AkamaifirstintroducedourWAFin2009astheworld’sfirstedge-basedWAF.

SecurityvendorsatthistimewereofferingWAFsbasedonstaticrulesetsastheir

foundationfordetections.Akamaidifferentiatedatthattimebybuildingaproprietaryrules-basedenginecalledKonaRuleSet,whichemployedasmallnumberofflexiblerules(ratherthanstaticrules)inconjunctionwithananomalyscoringmodeltobetteraddressaccuracyandvisibilityintoattacks.

Thenin2017,Akamaiintroducedautomatedattackgroups,whicheliminatedthe

needfororganizationstocontinuallyconfigureandupdateruleswithAkamai-managedprotections.Automatedattackgroupswerearevolution,quicklyenabledacross

thousandsofactiveAkamaicustomerWAFpoliciestotakeadvantageofthisnewapproach.

Akamaicontinuedtoevolveourapproachtoapplicationsecurity,prioritizingcombinedapplicationandAPIprotection,includingbotdefensecapabilities,withthelaunchof

App&APIProtectorin2021—thisWAAPsolutionaimedtoreplaceKonaSiteDefenderWAFforenterpriseandgrowingglobalbusinesses.App&APIProtectorchanged

thewayAkamaiapproachedsecurityoperationsbymodernizingtheKonaRuleSettechnologyintotheAdaptiveSecurityEngine.

Modernizingapplication-layerDDoSdefensesbeyondratelimiting

WhenitcomestoDDoS,ratelimitingisaprovenandeffectivetool.Yettheriseof

sophisticatedLayer7DDoSattacks,multi-vectorassaults,andtheexploitationofAPIshaslefttraditionalDDoSdefensesstrugglingtokeepup.Staticdefenses,whichrely

onfixedthresholdsandpredefinedsignatures,arereactiveandpronetofalsepositives,especiallyasattackersincreasinglyblendmalicioustrafficwithlegitimaterequests.

ThisiswhereAkamaichangedtheapproachtoDDoSdefenseandintroducednewinnovationssuchasURLProtectionandtheBehavioralDDoSEngine.

Akamai

|11

The

BehavioralDDoSEngine

isacutting-edgeadditiontoAkamaiApp&APIProtector,joiningtheAdaptiveSecurityEngineasoneofitscoretechnologies.Together,theseenginesofferunprecedentedprotectionagainstmodernthreats,makingAkamaia

leaderinWAAP.Thisdual-engineapproachsetsAkamaiapartbydeliveringautomatedupdates,self-tuningcapabilities,andcontext-awaredetectionforahands-off

experience.

Singlesolutionforcomprehensiveprotection

Today,changecontinuestoredefineapplicationsecuritywithmoderndevelopmentpracticesviaserverlessedgecomputing,microservices-basedarchitectures,single-pageapplications,andSaaS/IaaS/PaaS/FaaSapproachesbeingusedthatshape

applicationsecurity.

ToprotectmodernapplicationsandAPIsincomplexITenvironments,Akamaire-architectedourapplicationsecuritytechnologywithamoreadaptive,flexible,andholisticapproach.AsAkamai’sWAAPsolutionmigratedfromWebApplication

ProtectorandKonaSiteDefendertoApp&APIProtector,moresecuritycapabilitiesandfeaturedtoolsetswereincorporated.

App&APIProtectornowprovidesmanyadditionalsecurityenhancements,allofwhicharevisibleandcontrolledviaasingleinterface.Akamai’sWAAPsolutioncombines:

1.AnAdaptiveSecurityEngine

2.Applicationsecuritywithgranularcontrols

3.DDoSdefense,includingadvancedLayer7DDoSprotection

4.APIprotection,includingdiscoveryandPIIprotectionfeatures

5.Botvisibilityandmitigationcapabilities

6.Aplatformforglobalscale,threatintelligence,andresiliency

|12

Akamai

TheAdaptiveSecurityEngine

TheAdaptiveSecurityEngineprovidesnext-generationprotectionattheintersectionofmachinelearning(ML),real-timesecurityintelligence,cybersecurityexperts,

andadvancedautomation.AsAkamai’scoretechnologyfordetectionanddefense,theAdaptiveSecurityEngineenablesahands-offapproachtoprotectentirewebapplicationsandAPIestates.ItalsoaddstoAkamai’sadvancementsfromWAF

toWAAP,whichincorporatecorrelatingsecuritysolutionsincludingbotmanager,DDoSprotection,DevOpsintegrations,andmore.

Machine

learning

Adaptive

SecurityEngine

Technologybeyond

aWAFrulesetfor

intelligent,proactive

modernization

9PBintelligencedatabase

Advanced

automation

threathunters

400human

TheAdaptiveSecurityEngineisuniquebecauseitlearnstrafficandattackpatterns

uniquetoeachcustomer,analyzesthecharacteristicsofeveryrequestinrealtime,

andusesthatknowledgetointerceptandadapttofuturethreats.Itusesthesame

platforminsightandintelligencetoreducefalsepositivesviatuningrecommendations.Thisself-tuningfeatureofferseaseofusebysecurityanddevelopmentteamsby

deliveringadaptivethreatprotectionsasproactiveupdates.

Akamai

|13

Adaptivethreatdetection

Theengineemploysamultidimensionalthreatscoringmodelthatcombinesplatformintelligencewithdata/metadatafromeachrequest.Thisdataisactionedwith

decision-makinglogictoaccuratelyidentifytrueattacks.

Adaptivedetectionsareespeciallyeffectiveinidentifyinghighlytargeted,evasive,

andstealthyattackssincesophisticatedattackersinvestmoretimeandeffortintheirapproach.Asattackersscanforvulnerabilitiesandmisconfigurations,theAdaptive

SecurityEnginecollectsandcorrelatesevidenceabouttheirtacticstomakeattackers’historicalfingerprintsmoreidentifiable.

Inadditiontotheactualpayloadanditslocationwithintherequest,otherexamplesofattackdimensionsitevaluatesforeachclientinclude:

?Ahistoryofreconnaissanceand/orattacks(e.g.,frequency,magnitude,severity)

?Anysignofmaliciousautomationandattacktooling

?Correlationtoknownsourcesofattacktraffic

Moreover,theAdaptiveSecurityEngineisenhancedwithtwoproprietarytechnologies:SmartDetect,whichtokenizestheinputintoafingerprintforhighlyaccuratedetection,andSmartSniff,whichdetectstherightcontenttypeoftherequestbodytoprevent

contentmanipulationandbypass.AkamaithreatresearchersleverageAkamai’sexpansiveinfrastructureandsystemstopassivelyrunnewdetectionsacrossallproductiontrafficandthenanalyzethoseresultsusingMLmodels.

Automaticupdates

Manyorganizationstodayhaveinsufficientresourcesorsecurityexpertiseto

continuouslytrackdevelopingthreats,updateconfigurations,andretestagainst

theirwebtraffictooptimizepolicies.Inresponse,AkamaicontinuouslyupdatestheAdaptiveSecurityEngineusinganAI/MLautomatictestingframeworktoaccountforchangingthreatswhilemaintaininghighaccuracy.Theseupdateshaveoften

protectedagainstzero-dayattacksbeforetheywereannounced.

|14

Testingframeworktoensureaccuracy

TestingaWAAPsolutionreliesonasimplepremise:Testdifferentattackvectorsandstopwebattacks.However,thefollowingfactorsneedtobeconsidered:

?Real-worldenvironmentsaremorecomplexthantestenvironmentsandoftenleadtofalsepositivesandfalsenegatives.

?Designingatestingframeworkwithaccuracyinmindrequiresadditional

verification—notjustattackdetection,butdoingsowithoutinadvertentlytriggeringfalsepositivesorfalsenegatives.

?Testingrequirestheuseofrealwebtraffic—bothlegitimateandattacktraffic.

AdaptiveSecurityEngineupdatesconsistofmultiplestagestoensurelegitimatetrafficisnotadverselyimpacted:

?Alldetectionsarelabtestedusingsynthetictraffictoensuretheyproperlycatchattackswhilenotintroducingfalsepositives.

?Updatesarethentestedonliveproductiontraffictoensurethesampleisvalidforcurrentplatformtraffic.Thisprocessinvolvesrunningtheupdateinshadowmodeonrealcustomertraffic.Runninginshadowmodeensuresnoimpacttocustomertrafficwhilestillrunningtestdetectionaccuracy.

?Onceanupdatehaspassedstagetwo,MLidentifiespatternsortriggersthathumananalysismayhavemissed,afterwhichtheThreatResearchTeam

manuallyreviewsresults.

?Onlywhenthesechecksarepassedateachphasecanachangemovetothe

nextphaseandbedeployedtoalargersegmentofthenetwork.After100%

deployment,self-tuningcapabilitieswilleliminateanyremainingfalsepositivesparticulartocustomers’trafficpatterns.

|15

Automaticself-tuning

Automaticself-tuningalleviatestheburdenofmanualtuning,whichcanleadto

outdatedpoliciesandhumanerror,foranear-hands-offexperience.TheAdaptive

SecurityEngineappliesML,statisticalmodels,andheuristicsacrossalltriggersforeachsecuritypolicytoaccuratelydifferentiatebetweenrealattacksandend-user

trafficmisidentifiedasattacks.Itisnotagenericplatform-widecheckthatisappliedonlyduringonboarding,butratheracontinuoustuningprocessperformed24/7/365withnoend-userconfigurationorintervention.

Self-tuningisfrictionlessandsimple.Securityadministratorscaneasilyreview

andacceptrecommendationswithoneclickviatheuserinterface,ortheycan

automateusingAppSecAPIs,command-lineinterface(CLI),orTerraform.Forgreatertransparency,apre-filteredlinktoWebSecurityAnalyticsshowsallrequestsdeemedasfalsepositiveswitharationaleprovidedforeachtuningrecommendation.

Configurationandautomationflexibility

WhenaWAAPsolutionvendormovespastthetraditionalrulesettechnology,

configurationandautomationbecomemoreflexible.TheAdaptiveSecurityEnginegrantstheabilityto:

?HavedifferenttypesofWAFupdates(autovs.manual)fordifferentapplicationsandtheirassociatedriskappetite

?Controlactionperattackgroupandcontributingrulenecessaryforcustomizationifapplication/trafficbehaviorisnotstandard

?SetupsimpleandcomplexconditionsfordifferentrequestcharacteristicssuchasIP,geo,header,payload,etc.

?ProactivelymitigatethreatsourcesthathavebeendetectedcarryingoutsuspiciousWAFattack/scanningforyourownapps,withPenaltyBox

?Modifydebugheader

?Modifyrequestpayloadinspectionsizeorattackpayloadloggingsettings

?Runsimulationsofchangeindetectionlogictoconfidentlypushthesechangesonproduction

Akamai

|16

Verifyintherealworld

EvaluationmodeprovidesAkamaicustomerswithflexibilityandgranularityin

configuringspecificAdaptiveSecurityEngineversionsandtestingupdatesornewrules/policies.Customerscanseenewupdatesorchangesbeforechoosingto

enableasappropriateornecessaryfortheirspecificwebapplicationenvironment.Foreffectivesecuritymodernization,Akamaibelievesthattestingonreal-timetrafficimprovessecurityoutcomesovertestingonpasttraffic.Evaluationmodeissimilartoapplyingashadowrulewhereyoucanseethereal-timeresultsasifthepolicy

wereenforced—yetwithnoimpacttocurrentendusers.Organizationscanoptforthismanual/evaluationmodeofoperationtominimizeunexpectedimpactonfalsepositivesandfalsenegatives.

Integratingmodernizedprotections

SecurityandDevOpsteamscanalsooperationalizesecuritybyintegratingcallstoAkamaiAPIsusingtheCLI,AkamaiTerraform,orscriptsintheirCI/CDautomation

pipeline.Configurationandautomationflexibilityensurethatpowerfulsecurityneverhindersdevelopmentvelocity.Theseintegrationscan:

?Enablerapidonboardapplications

?Provideuniformmanagementofsecuritypoliciesacrosslargeapplicationportfolios

?Centralizesecurityenforcementacrosshybridandmulticloudinfrastructures

?ImprovecollaborationbetweenDevOpsandsecurityteamsinaGitOpsworkflowforoptimalcoverage

Akamai

Additionally,securityinformationandeventmanagement(SIEM)allowsyoutocollectsecurityeventsthattakeplaceontheAkamaiplatform.Inturn,ourSIEMIntegrationsolutionpr