Akamai Platform Update: New Security Enhancements That Intelligently Automate Application and API Security, Mitigate Online Fraud, and Reduce Burden on Security Professionals

Today is Day 2 of Akamai’s Platform Update. Yesterday, we talked about the acceleration of modern app development and how we’re empowering users to shift more compute and data to the edge. From the core to the cloud to the edge, the applications and APIs that power modern web experiences must also be protected from threats. That’s the focus for today. Let’s shift gears and discuss Akamai’s platform improvements to application and API security, abuse and fraud prevention.

Change is the only constant in security.

Exploits change, applications change, developers change, and it seems like change is the only constant in application and API security. Some examples of change, in addition to serverless edge computing, include the modernization of app development with microservices, containerization, single-page applications, and DevOps; other examples include server-side functionality moving client-side and back-end data (never intended to be accessible via the internet) being exposed via APIs. 

Change continues to redefine security boundaries and has the potential to expose reams of business logic and sensitive data. Software is also released faster than ever, sometimes daily, and the ability for security teams to protect their applications, systems, and data amidst this change has proven to be extremely difficult. And ultimately, as security tools get better, attackers get smarter and use technologies that leave fewer traces — setting off the constant race to innovate and stay ahead. 

Yes, it’s true. Simplicity can equal better security.

You may have heard that security is only as good as the most recent update. Failing to update protections may perhaps be the single most widespread threat to organizations today. But effective tuning and constant monitoring often require skilled operators and can be time-consuming and complex. And let’s face it — security teams are exhausted. Security solutions must not only adapt with change but also make it easy for practitioners by reducing the burden on overworked security professionals. If not, the trade-off between chasing false positives and potentially blocking legitimate users often means security takes a back seat. At least until the next attack.

“A crucial problem in cybersecurity is the inability to automatically and effectively tune policies. Being unable to accurately distinguish between false positives and false negatives can be very frustrating for security analysts, who have to spend hours analyzing alerts that end up being false threats.” — Patrick Sullivan, VP & Chief Technology Officer, Akamai

Akamai VP and CTO Patrick Sullivan provides an overview of the Platform Release

At Akamai, our latest platform update is intended to manage this tension between security and ease of use with key capabilities centered on automation and machine learning (ML) specifically designed to intelligently augment human decision-making. We know that automation adds value, but smart automation empowers users with the right tools to generate insight and context to make faster and more trustworthy decisions. 

But what makes Akamai’s ML unique?

The sheer magnitude of our platform — with over 300 TB of daily attack data and petabytes of daily internet traffic — doesn’t just give us unique visibility. It powers our ML systems to learn how to classify anything it sees as new or different; it then shapes the learning with newly detected anomalous behavior. And unlike other solutions in the market, our ML algorithms are not based on open source data, processing frameworks, training data, data libraries, etc., but rather on clean firsthand data that contributes to higher-quality, consistent, reliable outputs. 

Now, let’s unpack some of the details of our platform update.

How Akamai is automating the security function.

1. Adapt to Evolving Threats with App and API Security That Is Simple to Use

With Akamai’s new Adaptive Security Engine, strong security and operational simplicity are not mutually exclusive. The core technology powering both Kona Site Defender and Web Application Protector was overhauled and re-architected to drive greater insight and automation that scales with the sophistication of attacks, all while simultaneously reducing the effort needed to maintain strong protections. What does this mean for you? Less business disruption, fewer frustrated customers, and less operational complexity. Enjoy greater confidence that you’re stopping real attacks while providing uninterrupted access and optimal web experiences to your customers.

Technically, the adaptive engine was redesigned from the ground up with newly enhanced anomaly risk scoring, adaptive threat profiling, and self-tuning. The reason why this technology is different from others is that it’s able to learn from its experience; it learns traffic and attack pattern idiosyncrasies, analyzes the characteristics of every request in real time, and uses that knowledge to intercept and adapt to future threats.

Sophisticated threat actors, however, are persistent. They adapt their techniques and use creative means to seek new vulnerabilities in an attempt to circumvent firewalls. But as attacks evolve, so do our protections. Last year, we were the first edge-based web application and API protection (WAAP) solution to introduce API discovery. Today, our engineers are hard at work to include new bot mitigation capabilities with WAAP to filter out unwanted bot traffic from hitting your applications.

Adaptive Security Engine

Dynamic security logic adjusts its aggressiveness based on threat intelligence correlation gathered for each customer’s unique traffic. Automatic self-tuning then analyzes every trigger — whether a true positive or false positive — and applies ML to identify and recommend tuning exceptions on a policy-by-policy basis. 

Bot Visibility and Mitigation

Detect and mitigate unwanted bots with integrated bot capabilities built directly into Akamai’s WAAP solutions. As needs evolve, easily upgrade to a full-featured bot mitigation or account takeover solution with just a few steps.

2. Expand Client-Side Protections with Page Integrity Manager
A coordinated and integrated WAAP defense — against diverse entry points and complex multi-vector attacks — must extend beyond applications and APIs and include client-side protections. As functionality continues to shift from servers to clients, threat actors are exploiting new browser attack surfaces and vulnerabilities. Page Integrity Manager has proven extremely effective in detecting and mitigating malicious client-side behaviors and identifying high-risk vulnerabilities in first- and third-party supply chain scripts. 

The latest enhancement to Page Integrity Manager uses ML to detect and stop malicious behaviors that lead to ad fraud, as well as browser plugins and extensions abuse that is designed to hijack your buying audience. Our objective is to empower you with deeper insight; better control over what’s happening with customers; and the tools to protect revenue, maintain trust, and comply with regulatory mandates.

Audience Hijacking

Detect and block unauthorized activity from malicious browser plugins and extensions that can result in unwanted ads, pop-ups, and affiliate fraud.

3. Anticipate and Thwart Future Bot Evolutions with Bot Manager

As attackers try to circumvent security defenses or reverse engineer bot mitigations, Bot Manager anticipates those efforts by leveraging its ML to stay one step ahead. Bot Manager customers will now benefit from two major architectural leaps designed to maintain high efficacy against rapidly evolving threats and evasive bot operator techniques. 

Bot Score lays the foundation for ongoing innovations in bot management, including the ability to take action against bots aligned with corporate risk tolerance. It allows customers to simulate the impact of changes and automatically learns your unique traffic and bot patterns to ensure long-term effectiveness. 

 JavaScript Obfuscation solves a problem as old as bots — that once the system detects a bot, the bot operator discovers the detection and begins reverse engineering. Bot operators who attempt to reverse engineer a detection must now successfully complete the task and execute a new attack in a very short window before it changes. And if the operator fails, all the knowledge from the prior effort becomes useless and the operator must restart. Ultimately, they will fail in their reverse engineering attempt or spend so much effort that the attack becomes unprofitable to execute.  

These major enhancements grew out of Akamai’s deep intelligence and insights into bot threats, traffic patterns, and technology innovations.

Bot Score

Analyze every request against all detections without adding latency. This new approach provides a scoring model that drives more sophisticated mitigation decisions and enables self-tuning so detections stay accurate over time, even as bots evolve. 

Customers can set thresholds and actions to align with corporate risk tolerance and apply different thresholds/actions to different endpoints. Bot Score’s response tuning simulator allows customers to visualize the impact of changing thresholds based on past traffic before putting changes into action.

JavaScript Obfuscation 

New JavaScript with hardened obfuscation and built-in reverse engineering countermeasures is designed to prevent bot operators from deciphering the bot detection triggers. Given the dynamic nature of the solution, attackers would need to invest in reverse engineering the solution constantly — making it frustrating, laborious, and expensive for bot operators. This allows Bot Manager to neutralize attackers and sustain long-term efficacy. 


4. Stop Human Fraud and Account Takeover Attacks with Account Protector

Fraud and account takeover are difficult and expensive problems for companies. Bad human actors can follow up bot-led credential stuffing attacks or simply acquire individual stolen account credentials to wage highly targeted manual attacks. And if a user is a human with valid credentials, companies may accept suspicious logins to avoid the risk of upsetting legitimate account owners. Akamai’s new Account Protector solution is designed to eliminate this trade-off and keep your security protections high without increasing false positives or harming your users’ web experience. 

Account Protector leverages ML and behavioral  analytics to create a full picture of legitimate users’ behavior, continuously analyze signals to determine the risk that someone logging in is an impersonator, and then take action based on the organization’s preset risk thresholds. We’re able to detect known and emerging signs of fraud by identifying risk at critical steps and taking action when suspicious activities are identified — all without affecting site performance or adding friction to the user experience. With Account Protector, you can protect consumers, reduce manual review, and minimize the cost and frustration of investigating and fixing stolen accounts. 

Account Protector

Evaluate risk and trust signals to determine the likelihood that a request is not coming from a legitimate account owner. Key capabilities include the ability to compare user and population behavior profiles with anomaly detection, analyze and score user sessions for risk in real time, detect sophisticated bots that support human account takeover attacks, and the ability to take action at the edge.


For more information on the Platform Update, please visit our website, watch the video, or read the community post to learn more about all of the new capabilities across the Akamai application and network security products.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Charles Choe. Read the original post at: