Holiday Readiness, Part One — What You Should Be Thinking About Four Months Out: Security
This is a blog series about Akamai solutions that can help you manage the surge of traffic (both good and bad) that will be hitting the retail industry during the holiday season. Read part two and part three.
The beginning of August is upon us, and if you haven't already started thinking about the busiest time of the year, now is a good time to do so. Whether you're an experienced veteran of managing peak traffic or new to the game, Q4 can bring surprises when it comes to performance and security. And while it's nearly impossible to prepare for every situation, there are a number of options and solutions available at Akamai to help manage the surge of traffic (both good and bad) that will be hitting the retail industry during the holiday season, especially on Black Friday and Cyber Monday.
Over the next few months, we'll be releasing a series of articles that all share one common theme: holiday readiness. These articles will cover the following topics:
- Updating and maintaining your security posture (This one!)
- Managing flash crowds/disaster recovery strategies
- General performance tuning recommendations
The order in which they will be released is purposeful, as some changes and things to think through can take more time than others depending on the organization. You can think of this series as a checklist of topics to consider each month.
Security first
Year over year, the threat landscape is constantly changing and evolving (and sometimes that can actually be measured month over month!). Malicious actors are getting smarter and more relentless, and are continuing to try new techniques to evade detection. We've also seen some of the largest DDoS attacks ever recorded against our platform in just the past two years.
Attackers' goals can range from attempting to benefit monetarily (see: ransomware attacks) to simply wanting to wreak havoc for any number of reasons, be it political, a rivalry, or "just because." And what better time to try causing the most panic than during the peak time of the year? Maintaining an optimal security posture should be paramount during your holiday preparation, as well as throughout the year in general.
Below, we'll talk about some critical solutions within Akamai's security portfolio, including App and API Protector, Bot Manager, and Client Reputation. Within each of these solutions is a suite of features that you should be considering, tuning, and making sure are updated and in good standing. There are also topics related to reporting and support procedures that you should familiarize yourself with so you can identify attacks quickly and work toward a quick resolution. With that being said, let's dive right in, starting with App and API Protector.
Security checklist
App and API Protector
App and API Protector is Akamai's world-class, industry-leading security solution that helps our customers protect their infrastructure from DDoS and application-layer attacks. Here are some major areas you should start to think about as we're four months out from the holiday season:
DDoS rate controls
Rate controls are an essential part of a security solution. They are meant to mitigate and block volumetric attacks against your website/application to ensure your infrastructure doesn't come under duress. Making sure your thresholds are properly tuned (based on your existing traffic levels) and in Deny mode should be a top priority.
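One way to ground a threshold in existing traffic levels, shown as an added example (not code from Akamai or from the original article): it measures each client's busiest window in a sample of access-log lines and proposes a threshold above what ordinary clients reach. The log line format, the 60-second window, the percentile, and the headroom multiplier are all assumptions for illustration, not Akamai defaults.

```python
import math
from collections import Counter

WINDOW_SECONDS = 60   # assumed measurement window, not an Akamai default
HEADROOM = 1.5        # assumed safety multiplier above the observed baseline

def per_client_peaks(lines, window=WINDOW_SECONDS):
    """Return each client's busiest-window request count.
    Each line is 'epoch_seconds client_ip path' (constructed format)."""
    buckets = Counter()
    for line in lines:
        ts, ip, _path = line.split(maxsplit=2)
        buckets[(ip, int(ts) // window)] += 1
    peaks = {}
    for (ip, _bucket), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def percentile(values, pct):
    """Nearest-rank percentile of a collection of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def suggest_threshold(lines, pct=99, headroom=HEADROOM):
    """Return (requests-per-window threshold, clients already above it)."""
    peaks = per_client_peaks(lines)
    baseline = percentile(peaks.values(), pct)
    threshold = math.ceil(baseline * headroom)
    over = sorted(ip for ip, peak in peaks.items() if peak > threshold)
    return threshold, over

def build_sample():
    """Constructed sample: nine ordinary clients and one noisy client."""
    base = 1699999980  # multiple of 60, so every line lands in one window
    lines = []
    for i in range(9):
        lines += [f"{base + j} 198.51.100.{i + 1} /product" for j in range(i + 2)]
    lines += [f"{base + j % 60} 203.0.113.50 /login" for j in range(200)]
    return lines

if __name__ == "__main__":
    # pct=90 because the sample has only ten clients; use a higher value on real logs.
    threshold, over = suggest_threshold(build_sample(), pct=90)
    print(f"suggested threshold: {threshold} requests per {WINDOW_SECONDS}s")
    print("clients above it in the sample:", over)
```

Clients that already exceed the suggested value in normal traffic are worth reviewing before the rule is moved to Deny mode, since they may be legitimate integrations.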
Application-layer rules
Whether you are using Akamai Kona Rule Set (KRS), Automated Attack Groups, or the new Adaptive Security Engine, ensuring that SQLi, XSS, RFI, and other application-layer attacks are blocked should be top of mind to prevent information leakage and to protect your end users. For customers leveraging KRS, make sure you are updated to the latest rule set version. You can also enable Evaluation mode to compare your current version to the latest.
API protection
Consider adding constraints to your API endpoints to protect your API traffic from excessively large requests and prevent excessive information leakage.
Network lists
Now is a good time to double-check that the correct blocklists, allowlists, and bypass lists are tied to the appropriate firewall policies. For customers that have multiple lists of each type, identify which ones are critical so that you can add IPs or CIDRs to them quickly should the need arise.
Bot Manager
Bot Manager delivers advanced bot detection to spot and avert the most evasive threats, so you stay ahead of the evolving bot landscape and stop the most sophisticated bots at the edge -- keeping them away from your business.
Transactional endpoints
Begin reviewing your critical transactional endpoints. Make sure you've identified all areas of your website/application that have the potential to be targeted by credential stuffing or account takeover attacks. Given that Bot Manager primarily protects against sophisticated automated bots, if you believe that manual fraud has been an issue, it may also be worth looking into Akamai Account Protector.
Review overall Bot Manager (non-transactional) rules
For the not-so-sophisticated bots, Bot Manager distinguishes "good bots," such as search engine crawlers, from "bad bots" by observing various anomalies in the HTTP request. Bots like web scrapers fall into this category. Consider tuning these rules to reduce bot-related noise and further tighten your security posture.
Client Reputation
Client Reputation provides an additional layer of protection on top of App and API Protector. It provides a reputation score for each IP address with respect to the potential risk it poses to each individual customer. Utilizing our intelligence gathered from observing up to 30% of all web traffic, Akamai is uniquely positioned to help protect our customers from known bad sources.
Thresholds
Start to review the scoring thresholds for each category that Client Reputation covers: web attackers, web scrapers, scanning tools, and DoS attackers. The default thresholds are generally acceptable for most customers, but it's worth double-checking just in case.
Review actions taken
If Client Reputation rules are still in Alert/Monitor mode, consider changing these to Deny mode to begin actively blocking known bad IP addresses.
Miscellaneous
Now that we've covered the solution-based suggestions, there are also a few other areas that should be top of mind so that they're not forgotten:
Review your TLS certificates
Check the expiration dates on the edge certificates managed in Akamai's Certificate Provisioning System as well as the certificates that are deployed on your origin infrastructure. It may be worth renewing them early if the expiration dates fall within a code freeze or too close to a peak traffic day.
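The check described above, as an added example (not code from Akamai or from the original article): it classifies certificate expiry dates against a code-freeze window and a margin around peak days. The freeze dates, peak days, 14-day margin, and hostnames are constructed assumptions; `fetch_not_after` shows how the same `notAfter` string can be read from a live endpoint.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed planning calendar (assumption): replace with your own dates.
FREEZE = (datetime(2024, 11, 20, tzinfo=UTC), datetime(2025, 1, 6, tzinfo=UTC))
PEAK_DAYS = [datetime(2024, 11, 29, tzinfo=UTC), datetime(2024, 12, 2, tzinfo=UTC)]
PEAK_MARGIN = timedelta(days=14)

def parse_not_after(not_after):
    """Parse the notAfter format that SSLSocket.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=UTC)

def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the certificate a live endpoint serves (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def classify(not_after, today):
    """Return a renewal status for one certificate expiry string."""
    expires = parse_not_after(not_after)
    if expires <= today:
        return "EXPIRED"
    if FREEZE[0] <= expires <= FREEZE[1]:
        return "RENEW_EARLY_FREEZE"
    if any(abs(expires - peak) <= PEAK_MARGIN for peak in PEAK_DAYS):
        return "RENEW_EARLY_PEAK"
    return "OK"

def review(inventory, today):
    """Map each inventory name to its status, soonest expiry first."""
    ordered = sorted(inventory.items(), key=lambda kv: parse_not_after(kv[1]))
    return {name: classify(not_after, today) for name, not_after in ordered}

# Constructed sample inventory: hypothetical hostnames and expiry dates.
SAMPLE = {
    "edge: www.example.com": "Dec 10 12:00:00 2024 GMT",
    "origin: origin.example.com": "Nov 17 00:00:00 2024 GMT",
    "edge: api.example.com": "Mar  3 08:30:00 2025 GMT",
    "origin: legacy.example.com": "Jul  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    for name, status in review(SAMPLE, datetime(2024, 8, 1, tzinfo=UTC)).items():
        print(f"{status:20} {name}")
```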
Lock down your origin firewall
Check if there are any updates required to your Site Shield implementation. Site Shield helps prevent direct-to-origin attacks by skilled attackers who may try to bypass cloud-based protections.
Don't forget DNS
Review your DNS infrastructure and its ability to sufficiently handle the surge of holiday traffic. (If you're using Akamai Edge DNS, you'll be just fine!) Double-check current time-to-live (TTL) values for your critical DNS records. Generally, the longer DNS resolvers can cache your records, the better. Fewer hits = less stress.
Caching plays a role in security
When it comes to security, caching is often forgotten about, most likely because it's thought of as a performance enhancement (which it definitely is). However, enabling Akamai to cache and deliver your website's content from the edge can drastically reduce the load on your infrastructure in the event of an attack. We'll cover this topic in much more detail in part three of this series; however, now is a good time to start reviewing your current caching rules and methodology to identify gaps.
Monitoring and alerting
Akamai's Security Center (within the Akamai Control Center) is your one-stop shop for all things reporting and alerting for security-related traffic. Start to familiarize yourself with the following dashboards so you can jump in quickly to find the data you need for your analysis or investigation:
- Web Security Analytics (real-time security reporting)
  - While you're in here, review any configured alerts or create new ones
- Trend Reports
- Denial of Service
- Web Application Firewall
- Reputation
- Bot Endpoint Protection
- Client Reputation Console
Security support procedures
For customers that have access to Akamai's 24/7/365 Security Operations Command Center (SOCC) via one of Akamai's Security Services packages, understanding when and how to contact the SOCC is critical to ensure that your issue is addressed in the shortest amount of time possible. You should start thinking about the following:
- Review and update your runbooks with your aligned Akamai Services team as needed
- Identify who is authorized to contact the SOCC
- Review your escalation contacts in case the SOCC contacts you when a proactive alert triggers
- Understand the difference in response times between Severity 1, 2, and 3 tickets (Pro tip: For the quickest response and time-to-resolution for emergency situations, always call the Akamai SOCC to open a ticket)
Wrapping up
As mentioned earlier, Akamai has a number of security solutions available to help prepare for one of the most critical quarters of the year. This is by no means an all-encompassing list as each customer is unique, but by beginning to think about these topics now and putting a plan in place to tackle the ones most important to you, you'll only be setting yourself up for success.
Next month, we'll be talking about how to manage flash crowds and also some things to think about around disaster recovery strategies. Wishing you a successful holiday season!