Beat cyber adversaries with threat intelligence

Threat intelligence is the key to a successful web security strategy.


Web security tools alone are not enough to protect the enterprise; organisations need meaningful threat intelligence to develop informed web security strategies.

Meaningful intelligence involves filtering through data to sift out real threats from false alerts and prioritising these threats for the enterprise. At the first Singtel TechTalks session ‘Protecting our Internet Business’, Akamai’s threat intelligence expert George Economou shared with security executives how data is gathered from its various platforms and organised to help enterprises make faster, informed decisions.

Strengthening web security with threat intelligence

As a Content Delivery Network (CDN) and cloud security provider, Akamai’s platforms sit on the Internet between users and the services that they are trying to access, capturing data on trillions of transactions and attacks on a daily basis. This data is used in several ways to improve and augment Singtel’s Web Security Services.

Akamai uses most of the data from its cloud security platforms to enhance the accuracy of its security solutions, research new attacks and defensive technologies and build new products that help Singtel’s customers to protect their websites more effectively.

For example, at the network layer, Akamai gathers intelligence on events such as network probing, scanning and reflection attacks. George cited the example of the Mirai worm which, as it propagates through network connections, uses a combination of commands that shows up in the Akamai data sets.

With this intelligence embedded in Singtel’s Web Security Services, enterprises will be able to uncover suspicious activities going on within their domain. For example, they will be able to see which IP addresses within Singapore or their organisation are engaged in malicious activities and then perform a clean-up on compromised devices.

They can also look at the trends within their industry to see if they are likely to be hit, and decide if they need to take on a more aggressive posture. For example, they may want to prioritise the refresh of their security tools to defend themselves against the most common attacks in their industry.

The intelligence also helps enterprises to better manage the risks associated with device hardware and software. For example, it helps shed light on things that are outside the norm such as old systems, unpatched browsers or equipment that is not supposed to be there.

Addressing application-layer threats

While most IT security departments have a good understanding of network-layer threats and are already taking measures to protect their enterprises against these attacks, application-layer exploits that target web systems, services and software are often overlooked. Failure to address them could be the chink in your armour that allows hackers into your network, regardless of how well the rest of the network is secured. This is where threat intelligence can play a critical role in helping enterprises to identify and prioritise these threats.

Sharing use cases for application-layer threat intelligence, George said some enterprises use it as a reference data set in conjunction with other threat data sets to interpret risks and improve their security decisions. The intelligence can also be used to identify trends such as the industry that is being targeted and the characteristics of the attack. Based on this, enterprises can develop their own risk score and assess what is happening across their industry.

One of the simplest ways for organisations to make use of application-layer threat information is through the Client Reputation service, which is available as an add-on module to Singtel’s Web Application Firewall.

Akamai feeds attack data and normal user data into a big data engine to identify and list scrapers, vulnerability scanners, web attackers, and distributed denial of service (DDoS) bots. Based on the threat intelligence analytics, the Client Reputation service enforces security measures at the gateway before a target website and allows web defenders to learn from their peers without having to create their own intelligence platform.

The Singtel-Akamai partnership

The incorporation of Akamai’s security platforms into Singtel’s Web Security Services portfolio marks another step forward in a collaboration which began in 2014, when the two companies were involved in providing protection to government agencies against DDoS attacks. The partnership was subsequently extended into the commercial space, to provide businesses with protection against cyberattacks, and Singtel became the first partner to be given the capability to provide Tier 2 support for Akamai’s solutions. Beyond this, the incorporation of Akamai’s threat intelligence analytics into the Client Reputation service is now helping Singtel’s customers to protect themselves against known attackers and stay ahead of adversaries.
