Actionable Threat Intelligence, Tailored to You

2018-04-16T11:00:38
ID AKAMAIBLOG:5D79FA76818D87AC7070FCBE11F6066D
Type akamaiblog
Reporter Tsvika Klein
Modified 2018-04-26T18:55:03

Description

We are very excited to be launching the next generation of our Client Reputation product. This update takes Client Reputation a huge step further in providing our customers with truly actionable intelligence tailored for them. It computes an even better assessment of the real risk that every individual client device presents to the customer. We now enable significantly greater visibility into the activity performed by those clients on both their websites as well as across the entire Akamai platform.

What is Client Reputation?

Client Reputation provides an additional layer of protection based on crowdsourced intelligence and insight into the malicious behavior of millions of individual clients observed interacting with every customer website across the Akamai platform. It continuously computes and assigns dynamic risk scores to every malicious web client, identified by its IP address, based on its current propensity to engage in attacks in four categories:

  • Application layer attacks

  • Denial of Service (DoS) attacks

  • Vulnerability scanning

  • Web scraping activities

How does Client Reputation work?

Client Reputation computes a risk score on a scale of 1-10 for each category. A risk score of 1 forecasts a low likelihood of future attacks by that client, while a risk score of 10 forecasts a high likelihood that the IP address may be used by a malicious actor. As these risk scores are assigned to a client or updated, they are shared with the edge servers on Akamai's Intelligent Platform. Customers using Client Reputation can then choose how Akamai's edge Servers will handle clients with a specific risk score when they start interacting with your website. The risk score for every client will change dynamically, rising and falling based on recently observed malicious behavior.

In conjunction with the risk score, Akamai customers can further fine tune the security measures by applying additional conditions, like:

The source IP's Autonomous System Number (ASN)

  • IP or GEO network lists

  • IP address/CIDR

  • Specific HTTP header names and/or values

  • Specific HTTP cookie names and/or values

  • Target hostname

  • Target HTTP request path

Why is Client Reputation special?

The high quality of Client Reputation service is driven by the intelligence and threat insights provided by Akamai's Cloud Security Intelligence (CSI) big data analysis engine. CSI processes billions of security events and legitimate traffic logs per hour, analyzing that data to forecast the likelihood of a client to pose risk to our customers.

CSI's analytical processes include:

  • Sophisticated attacker behavioral profiling

  • Detection of malicious payloads and zero-day attacks

  • Analysis of common malicious traffic patterns

  • Clustering of malicious activities performed by botnets

Akamai's position as a central hub in the Internet ecosystem provides it visibility into massive amounts of data. No other vendor is able to match the breadth, depth, and scale of Akamai's data set. And unlike many other reputation services, Akamai's Client Reputation relies on both legitimate and malicious traffic traversing the Akamai platform. The amount and quality of data is one of the cornerstones around why we are able to provide a high degree of actionable insight with dynamic risk scores.

What is Client Reputation 2.0 doing for you?

In recent years, the threat landscape's complexity and sophistication has evolved dramatically. Malicious actors now leverage different attack tools and methods of operation. In addition, they use compromised or low-cost resources, like IoT devices, compromised servers, and cloud infrastructure to mask their activity or orchestrate mass-scale attack campaigns. Given the abundance of such cheap attack resources, these resources may only be used for a specific attack campaign and may not pose any risk to other customers (see figure 1). In addition, many attack campaigns last for a short time period (see figure 2). After that, the resources used for the attack campaign may not pose any further risk to customers.

As a response to these trends, Akamai developed a customized risk-based scoring model, which is capable of assessing the real risk each client poses to any individual Akamai customer at any given time.

Many reputation services available in the market today provide only a single client reputation score, which is the same for all customers. Client Reputation however uses a state of the art, proprietary risk analysis engine that computes a risk score for every source IP address, customized for every customer. Therefore, this custom risk-based scoring model is significantly more accurate than generic scoring, and has shown that actions taken based on this risk score are less likely to negatively impact legitimate clients and users.

To compute a risk score tailored for each customer, Client Reputation factors the severity, magnitude, persistency and distribution of attacks across the platform, as well as previous attacks on each customer and each industry. The risk score engine then calculates a risk score per customer to indicate the likelihood of the web client to attack that customer.

R2p1.png

Figure 1 - Attacker Distribution

R2p2.png

Figure 2 - Attacker Persistency

The new release of Client Reputation also provides greater visibility to the activity of malicious clients with enhancements to the Reputation Activity report and the Reputation Console. Customers can view the activity performed by clients with bad reputation on their applications and use the Reputation Console to investigate the kind of activity performed by those clients across the entire Akamai platform.

The enhancements made to the Reputation Activity report focus on providing greater visibility to the activity performed by clients with bad reputation and the additional value of Client Reputation on top of Kona Site Defender:

r2p3.pngThe enhancements made to the Reputation Console include additional contextual information on the industries and countries attacked, the number of hosts, domains and customers attacked and the malicious activity identified on the properties of the customer.

R2p4.png

What you need to do:

This new release is a free upgrade to all Client Reputation customers, and the new enhancements will be updated automatically. To learn more about tailored risk scoring, check out this white paper: 5 Phases of Custom Risk Scoring. Stay safe and Get Protected.