personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Web Customer User Forum UK&I 2016 13th December 2016
Michael Gooding, Enterprise Web Architect, EMEA, Akamai Technologies
Trends in Web Performance
by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Image Formats (source: http://httparchive.org): JPG 45%, PNG 27%, GIF 25%, WebP 1%, SVG 1%, Other 1%
[Chart: Sites with Fonts, % of sites through 2016, rising from 59% to 64%; source http://httparchive.org]
We killed Flash this year!!
[Chart: Sites using Flash, % of sites through 2016, falling from 18% to 10%; source http://httparchive.org]
HTTP/2 (H/2) vs HTTP/1.1
• Multiplexing: H/2 uses binary framing
• Header compression: H/2 uses HPACK
• Server push: H/2 can push resources
Summary: HTTP/1.x, H/2 today, H/2 tomorrow
Is HTTPS a blocker?
Problems with Push
1. Repeat users
   i. Objects already in cache
   ii. What to push?
2. Browser implementation
   i. Slow to issue RST_STREAM
   ii. Inconsistent
3. Server-side logic
   i. Content changes
   ii. Long lists
https://tools.ietf.org/html/draft-ietf-httpbis-cache-digest-00
Tools to help: https://canipush.com/ and https://shouldipush.com/
<link rel=preconnect> and <link rel=preload>
• Add “as” for download priority
• Proper accept headers
• Content-Security-Policy
• Honours cache
• Can load asynchronously
• Add media queries for responsive loading
• Can load from different domains
Still requires the HTML to be sent. Still requires the HTML to be processed. Or maybe not??
We ♥ Apps
• Easy to launch
• Nice load screens
• Work offline (kind of)
• Can consume space
BUT …
But we also ♥ the web
• Simple
• Searchable
• Sharable
• Adaptable
What is a PWA? PWA = Web + App
Offline support with service workers
• A built-in browser proxy
• JavaScript based
• Decent support (no Safari…yet)
• Bonus of push notifications
• Cache assets on start-up
• Use the cache when there is no network
• Error handling when there is no cache and no network
• And more…
Should be fast
• Even in challenging network conditions
• Standard page-load timings important
• As well as usability timings
• 60fps rendering
• No jank
• Responsive touch inputs
Progressive enhancement
Secure
TLS is a ranking signal in its own right, but TLS also opens access to:
• Service workers
• Push notification API
• H2 for performance
• Other APIs
• Web Background Sync
• Payment API
Mobile friendly
• Adaptive is also OK
• Applies to tablets as well as mobile
• Viewport <meta> tags
• Correctly sized content (think images)
• Big enough buttons
• Manual checks still useful
Brotli (& Zopfli) vs GZIP
Up to 40% smaller files
Time to compress?
have continued to grow
2. More traffic moving to mobile
3. 2016 has been a great year for performance
   1. H2 adoption
   2. Service workers
   3. Compression
4. Expect 2017 to be even better
independent retailer of train tickets in Europe
• Consumer / B2B platforms, as well as white-labelled products for train operators, e.g. Virgin, Greater Anglia, Northern and more
• We sell train tickets worldwide, helping our customers travel by rail in and across 24 European countries
• 30+ million visits to Trainline apps and websites each month
• 100% year-on-year growth in app transactions
• We process more than £2.3 billion in ticket sales annually
14 December 2016 49
• 160+ production releases per week
• 80+ hostnames in Luna properties, not including wildcards
• Team of engineers managing Luna, as well as all other LB layers
property
• Add the IP to the property (if new)
• Check you haven’t ruined everything with your simple change
• Save changes, push to staging and wait..
• Push to prod and pray it succeeds and doesn’t break anything
types of change only – hostname changes out of scope
• Reduces time to staging from 15 minutes to 5 minutes: 66% improvement
• Reduces time to production from 60 minutes to 15 minutes: 75% improvement
• Average of 35 changes per month
• Time saved ~3 man-days per month
• Rolling back changes is much faster
web-driven process to a single source commit
• Moved valuable engineer time from simple, repetitive tasks to important project work
Also gives us
• Source control to manage configuration
• Coded QA checks
• Automated feedback if there are any issues, to aid problem solving
• A path to continuous delivery, with greater consistency and auditability
continuous delivery of software components into Windows and Linux AWS environments
http://tinyurl.com/envmanager
• Blue/green, canary and overwrite deployments
• Multi-tenancy support, beyond CodeDeploy limits
• Platform-agnostic load balancer settings
• Fully featured RESTful API
• Audit capabilities suitable for a PCI Level 1 organisation
• Best suited to companies with between 100 and 5,000 servers running a mixture of legacy and modern applications
• Granular authenticated security
and Environment Manager to allow developers to manage their deployments end-to-end
• Custom reports to each of our development teams for accurate and near-time usage and billing / cross-charging
• Automated certificate management
• Cache refresh as a part of some deployment scenarios
Luca Collacciani, Senior Director, Web Performance & Security, EMEA, Akamai Technologies
From the Internet of Information to the Internet of Experiences
Web Performance Solutions Product Overview and Roadmap
Connected cars challenges
• Security
• Delivery of large files, with minimal consumer impact
• Inherent mobility: vehicles might not always be in range of good coverage
• Tight window: updates can only occur when the car is on Run or On
• Scale: need to update 1000s of vehicles at the same time
> 50% of new vehicles in North America receive software updates via Akamai
Mobile
• Mobile networks are flaky
• Speeds range from 80Kbps (GPRS/India) to over 10Mbps (LTE/US)
• Last-mile latency
• Routing/peering issues
• Frequent disconnects and degradation
Network Awareness: adapt resources and app behaviour based on network quality
SureRoute for Cellular: HTTP multipathing to continuously identify the fastest cellular region
Contextual Pre-Positioning: instant start-up and seamless browsing, even offline
Mobile User Analytics: app insight through changing network & device conditions
Web Vision: provide instant & secure access to all apps & sites for users everywhere, on all devices
• All web traffic: websites, native mobile applications, APIs, images
• All networks: cellular, Wi-Fi, wired broadband
• All devices: PC, mobile phones, IoT
1. Main page is requested
2. Resources are pushed immediately (while the main page response is pending)
3. Main page is sent to the user uninterrupted
4. Resources are already at the browser
[Timeline chart of steps 1–4 on an axis from 0 to 360]
• Reflection (UDP, NTP, DNS)
• Easy to generate
• Attacker over-reliance
• 98% of overall DDoS attack figures
Layer 7
• GET, POST, PUSH flooding
• Traceable
• Harder to generate
• < 2% of overall DDoS attack figures
Overall drop in attack frequency of 8% from Q2 to Q3.
remain consistent, but the ways the attacks are delivered are diversifying.
• Large floods are easy to mitigate under certain circumstances.
• Attackers are starting to use different tactics
• Evade off-the-shelf appliances and single-vendor services.
are they coming from?!
• China and the US rank consistently in the top four.
• Brazil, Mexico and Turkey ranked unexpectedly
• South Korea may occasionally rank due to national infrastructure.
attack events between 20–21 September
• Attack peaked at 623Gbps and 350Mpps
• Attack make-up: SYN flood, GET flood, ACK flood, POST flood, GRE protocol flood, UDP / NTP flood
Vendors
• Avoid shipping Internet devices with undocumented accounts
• Disable SSH, unless absolutely required
• Force a change of the factory default password
• Disable TCP forwarding
• Provide secure processes for users to update the sshd config to mitigate future vulnerabilities without needing to wait for a patch
Users
• Change the factory-default passwords!
• Disable all SSH unless necessary.
• If SSH is required, add ‘AllowTcpForwarding No’ to sshd_config
• Configure a firewall rule preventing outside SSH access to your devices.
• Configure a firewall rule to prevent tunnel establishment.
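As an added example (not from the slides or any Akamai tool), the POSIX shell audit below checks an OpenSSH sshd_config for the ‘AllowTcpForwarding no’ setting the slide recommends, reading the file the way sshd does: comments skipped, keyword names case-insensitive, the first occurrence wins, and the global section ends at the first Match line. The two sample configs it writes are constructed, not taken from any real device.

```shell
#!/bin/sh
# Added example: audit an OpenSSH sshd_config for "AllowTcpForwarding no".
# Limitation (deliberate, to stay short): the "Keyword=value" spelling that
# sshd also accepts is not parsed, only "Keyword value".

# sshd_effective FILE KEYWORD
# Prints the effective global value of KEYWORD, or nothing if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/        { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == key    { print $2; exit } # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 when TCP forwarding is disabled, 1 otherwise, printing the finding.
audit_sshd_config() {
    val=$(sshd_effective "$1" AllowTcpForwarding | tr 'A-Z' 'a-z')
    # sshd defaults AllowTcpForwarding to "yes", so an absent keyword is a
    # finding, not a pass.
    if [ "$val" != "no" ]; then
        echo "FAIL $1: AllowTcpForwarding is '${val:-unset}', expected 'no'"
        return 1
    fi
    echo "PASS $1: AllowTcpForwarding no"
    return 0
}

# write_sample_configs WEAK_FILE HARDENED_FILE
# Writes two constructed configs (not copied from any real device).
write_sample_configs() {
    cat > "$1" <<'EOF'
# Constructed "factory default": forwarding left at the sshd default (yes)
Port 22
PermitRootLogin yes
EOF
    cat > "$2" <<'EOF'
# Constructed hardened config: lower-case keyword, followed by a Match block
# that re-enables forwarding for one user and must NOT be read as global
Port 22
allowtcpforwarding no
Match User admin
    AllowTcpForwarding yes
EOF
}

# Usage on a real host: audit_sshd_config /etc/ssh/sshd_config
# or, for the fully resolved config: sshd -T | grep -i allowtcpforwarding
```

On a live device, `sshd -T` is the authoritative check because it prints the configuration as sshd actually resolved it, including defaults.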
2015 vs 2016 Web Application Attacks [Q3 2016 vs Q3 2015]
• 19% decrease in total web application attacks
• 21% increase in SQL injection attacks
• 67% decrease in web application attacks sourced from the US
Largest attack: Q3 2016 623 Gbps; Q2 2016 363 Gbps; Q3 2015 149 Gbps
Average attacks per target: Q3 2016 30; Q2 2016 27; Q1 2016 29
Hotel and travel
• Low-hanging fruit
• Wealth of data
• Varying degrees of security
Financials
• Wealth of data
• Banking details
• Varying degrees of security
High tech
• New ranking
• Different regions than DDoS attacks
• US, Netherlands and Russia top ranking
• US dropped by 13%, but still ‘Top of the Pops’ with 20% of all web application attacks sourced from the US
Portugal
• Akamai correlated WAF triggers to the match.
• Compared to a month later from the same locations.
• Significant decrease in attack traffic during matches
• Shows that even with bot automation, they are still governed by football-loving hackers.
decreased, and the size of the attacks increased.
• Attackers are trying new vectors.
• DDoS vs web attacks have different motivations.
• Retail/financials are targets for web app attacks
• Gaming/high tech are targets for DDoS attacks
• DDoS attacks now near 1Tbps
Emmanuel Mace, Director Product Line, Security, EMEA, Akamai Technologies
Cloud Security Solutions Product Overview and Roadmap
Driving product innovation with security intelligence
• Simplify application security: Web Application Protector 1.0
• Improve bot detection: Bot Manager 2.0
• Improve DDoS mitigation: Prolexic Routed / Proxy
• Protect APIs: Kona Site Defender 5.0
Data: 3 trillion Internet transactions each day
Research Data: 20TB of new attack data daily; dedicated team of threat researchers
Test ✓ Implement. Research Data: 8,000 queries a day
Improve Web Security Posture: Kona Site Defender 5.0
[Roadmap timeline Q3 2016 – Q2 2017 with Beta and v5.0 GA milestones]
Regular API: parameter protection, positive / negative security, DDoS protection, MitM protection
API Protection
• DDoS protection
• Data theft protection
Multiple Security Configurations
• Workflow separation
• Access control separation
• Cloning
Advanced Detection & Mitigation
• Custom rule builder
• CSRF and clickjacking protection
• Advanced actions
Reporting, Analysis & Monitoring
• SIEM integration
• Application security activity report
• DDoS activity report
[Timeline Q2 2016 – Q1 2017; legend: Tech Preview, Beta, GA] IPv6 Rate Controls GA; Multiple Configurations GA; Custom Rule Builder GA; App Security Activity Report GA; DoS Activity Report GA; API Protection GA; SIEM Support GA; CSRF and Clickjacking GA
Simplify Application Security: Web Application Protector 1.0
Survey: Have your web applications been compromised in the past 12 months? Yes (98%), No (2%)
Survey: What best describes your approach to WAF? Not deployed (30%), Combination of in-line and out-of-line (25%), Out-of-line (23%), In-line (20%), Not sure (2%)
[Web Application Protector roadmap timeline Q3 2016 – Q2 2017 with Beta and v1.0 GA milestones]
• Intuitive configuration
• Self-installation wizard
• Akamai-deployed protections
Research Data: over 200 attacks every week; real-time analysis of every DDoS attack
Implement: 150+ Security Operations Center staff
Test ✓ Implement. Research Data: almost 5000 mitigations applied in Q2
Improve DDoS Mitigation: Prolexic
[Roadmap timeline Q3 2016 – Q3 2017: network infrastructure, detection, identification, orchestration, mitigation, network monitoring]
Locations: London, Frankfurt, Ashburn, Tokyo, Hong Kong, Ft Lauderdale, San Jose, Sydney, Cambridge, Krakow, Bangalore, Tokyo
Joe DeFelice, Senior Director Enterprise Security & Infrastructure Engineering, Akamai Technologies
Christopher Jen, EMEA Sales Manager – Cloud Networking, Akamai Technologies
Enterprise Application Access Solution
Q&A Session
What is access?
1. Who is trying to get in?
2. To which application(s)?
3. Is this action allowed?
Increases Risk
• 75% of enterprises touch up to 14 network and app components when providing 3rd party remote access
• 63% of all data breaches are linked to 3rd parties
Traditional Remote Access Can Increase Risk
[Diagram: User → Client → Network Access Control → App 2; Application Access Control → App 3]
> Hole in the firewall
> Complex configuration
> Client software
> Lateral movement
designed for the networks of the 1990s and have become obsolete because they lack the agility needed to protect digital businesses.” Excerpt from Gartner's It's Time to Isolate Your Services From the Internet Cesspool
Enterprise Application Access
[Diagram: User → Enterprise Connector inside the firewall → App 1, App 2, App 3, App 4 (AWS); Active Directory]
> No hole in the firewall
> No complex configuration
> No client software
> No lateral movement
Secure third-party and employee remote enterprise application access
Multi-factor authentication for enterprise applications across data centers and IaaS
Cloud & access architecture transformation
Joe DeFelice, Sr. Director Enterprise Security & Infrastructure
Mike Dixon, Senior Service Line Manager, Akamai Technologies
Global Services and Support Product Portfolio Overview
want to be supported?
• Customer wants guidance to self-service their Akamai solution
• Customer wants to do some tasks themselves, and wants Akamai assistance for others
• Customer wants to offload everything to Akamai
Standard (unmanaged) or Managed basis
• PS Enterprise: access to Akamai’s Professional Services team for custom requirements on a one-off or ongoing basis
• PS Security: access to Akamai’s specialised security specialists for customised security requirements
• Technical Advisory Service: technical consulting, program management, advocacy and business / operational reviews with a designated technical advisor
training program led by experienced Akamai technical consultants and professional services members.
• London classroom training, Q1 2017:
  • Media Delivery: January, Tue 24th and Wed 25th
  • Web Performance: February, Tue 21st and Wed 22nd
  • Cloud Security: March, Tue 21st and Wed 22nd
• Full schedule (including online trainings) to be published on the Luna portal in the next few days