The digital transformation taking place today has changed how organizations view security and challenged adversaries to evolve their attacks as they target governments, financial institutions and the healthcare sector. In this session, learn how automation, analytics and architecture are shaping security and better understand how these principles can be applied to your organization moving forward.
>> ANNOUNCER: Please welcome Senior Vice President and Chief Security Officer, Akamai, Dr. Boaz Gelbord.
>> BOAZ GELBORD: Hi there, everyone. It's great to be here at RSA. I realize that this slot is in a dangerous place between all a few and all of the many happy hours that are happening later. So, we will try to keep it light and we’ll ry to keep it entertaining.
You know, I've been coming to RSA for many years, not every year but kind of here and there, and each time it's so terrific to see old security colleagues, old friends, and to meet lots of new people. And, you know, as a Chief Security Officer at Akamai, we are tasked with protecting our corner of the internet from billions of users and it's just so energizing to be here in a place where so many other people share the same mission. I mean, part of the community of securing the internet.
You know, it's an incredible time in cyber right now. When I first entered this field 20 years ago, I couldn't have imagined what it would be like now with robotics and AI and machine learning and all of the advancements that are both opportunities and challenges from a cybersecurity perspective. And, of course, in 2023 no talk would be complete without talking about ChatGPT and AI. Can show of hands, who here is concerned about being replaced by AI? A couple hands going up there? Well, you know I was looking the other day and I was asking ChatGPT, how would you build out a cybersecurity strategy for the coming year? And you know, how would you go to your board and ask for budget? What are the kinds of things you should be concerned about? And I was really, really impressed with what came back. I mean, it is really on the money. And there is so much that we can leverage with these tools.
So, I also asked, what's the best way to give a presentation at the RSA Conference? It had a couple of tips for me. You know, it said couple of things. It said start strong, you have to have a start, you know a strong opening to your presentation. Because that's when you either kind of capture people's attention or you lose it. Second one was, use personal anecdotes. You got to kind of make yourself relatable. And the third one was, you need to use humor but it needs to be appropriate humor. So I promise you folks that if you stay in the room until the end, I will provide you with a ChatGPT selected joke related specifically to RSA. So, please hang in there with me and you will hear it.
You know, this slide here that shows all of the, kind of, bad things that can happen in cyber is something that I think everyone in this room has some version of, right? Folks who are selling security products, folks who are working on the policy side of security, people like myself who are securing our organizations. We all have this, you know, here are the egregious, bad, scary things happening in cybersecurity. This is why you should buy my product; this is why you should fund my project; this is why you should prioritize this security effort in your development cycle. So, I realize I'm, sort of, preaching to the choir here. And I'm not going to dwell too much on all of these different statistics that there are here.
But, you know, there are just a couple of trends that I want to focus on for a second. You know, when we think about all of the things that have happened, particularly over the last couple of years, in terms of the breaches and all of the personal data that's out there, it seems like almost a daily occurrence that we are seeing X million number of records were exposed or there was this data that is going out there. And it feels like we are, kind of, getting desensitized to that, right? It's almost not as big a deal as it was in the past. And for us as a security community it's important for us to focus and understand what are the important things that can happen to our organizations and what are some of the things where the whole security model is shifting, right, and we need to prioritize how we are going to focus our energies.
The changes in terms of the threats to critical infrastructure is, I think, one of the most concerning things for all of us looking to secure society in general. You know, power systems, financial systems, medical systems, all of these critical infrastructure areas are under increasing threat. And with the rapid, rapid digitalization and going online and interconnectedness, those threats are only going to increase. The other piece around transition to the cloud is really significant. The cloud is certainly no less secure than having things on-prem but with the transition to the cloud, a lot of the, kind of, time warned protections that we had in some of our on-premise environments are all of a sudden upended quickly. And that upending and that complexity and that transition creates risk. Attackers are moving fast and as a security community we are not always keeping up with that.
You know, in terms of just the evolution of the threat landscape, you know, if you go in the expo hall you’ll see there's hundreds and hundreds of solution providers who are trying address all of the many different threats that are kind of popping up and I want to focus on some of the trends that are driving just this evolving threat landscape. If you look, for example, at some of the physical crimes, car thefts have gone down in the last number of decades in the U.S. and internationally by a huge factor. And why is that? It's because it's just getting a lot harder to steal a car, monetize that theft, and get away with it.
In cybercrime, we almost have seen the opposite dynamic in recent years, right? If you look at three factors that have driven the increase in cybercrime, one is it's very easy to monetize with cryptocurrency. You know, you have this currency that you can kind of move around. You don't – it's anonymized. You don't have to worry about, you know, being identified and having that paper trail of money. The second piece is the ability to perform a crime in one jurisdiction from another jurisdiction and not face consequences, right? A lot of cybercrime is such that it just doesn't rise to the level where you are going to get that, kind of, international cooperation in order to really prosecute crimes.
And then the third piece and that's an area that a lot of us are so active in is just the sheer attack surface, the number of vulnerabilities out there, the thousands of CVEs that get published almost on an annual basis. You know, we have seen some improvements in this area. So for example, you know, there's a number of tools that are out there that can help you track digital payments to, sort of, deanonymize blockchains. We also have seen some cybercriminal gangs brought down by international cooperation. What we haven't seen in that third factor is any slowdown of the attack surface and the ability of attackers to exploit that. We are also seeing just a very complex supply chain where organizations are being breached through their critical providers and through their providers. You know, recently there was a breach in the news that relied on a second order of supply chain, supply chain breach. So, there's definitely an increasing sophistication that we as an ecosystem have to address.
So, let's double click on the data here for a couple of minutes. At Akamai, we carry a significant portion of the world's web traffic. And that gives us, sort of, a view that we publish in something called our state of the internet reports to see what the trends that we are seeing in terms of attack traffic. So just a couple of statistics I want to call out here. 137% growth in web app attacks year on year. Increasingly organizations, you know, face to the world is the web and attackers are taking advantage of that to attack and try to get a foothold into systems.
We are seeing an increase of attacks on certain sectors. So, for example we saw 30% of attacks on DNS in the manufacturing industry. One of the phenomena’s that we see that as certain industries improve their cybersecurity capabilities, sometimes it's due to the pressure of regulations, sometimes it's just due to the pressure of their businesses. Attackers will flow to areas that maybe aren't as far along on that journey, right. Maybe they don't have the level of regulation that is imposed cybersecurity requirements on them or maybe they haven't – you know later to that digitalization point. So, we certainly see that there's a concentration of attacks on certain industries versus others.
We also see that denial of service, right, DDOS attacks which were for a certain period of time were kind of considered almost a solved problem, right? We thought well, DDOS, we have certain protections in place, it's kind of getting harder to do. But we see that it's returning. We saw 22% year on year growth on DDOS attacks in the financial sector. In Europe that was over 70% growth. And that's really something, you know, we talked before about how folks are becoming desensitized to data leaks. You can't hide a lack of availability when you have a critical system, you know, systems that are used either for e commerce or for financial transactions or especially for things like, you know, medical systems, et cetera, denial of service can be really, really damaging, and it's very evident when it's occurring.
So, we are really seeing that there's an increase of attackers going to those points where we are the most – where we are the most exposed. The other thing that we see is an increasingly end users are being a vector of attacks. You know, how many of you have, like, internet connected devices in your home, whether that's, you know, a smoke alarm or a doorbell or your speaker systems, right? I recently conducted an end map of my home environment and I was just amazed by the sheer number, dozens of systems that I had installed over time but that I had, kind of, forgotten were in my home environment. And hackers are using those to build bot net armies. We saw botnet such as the Mirai botnet and others that are using these Internet of Things within the home. Often time these systems are not built to with stand, you know they are meant to kind of be – have a certain shelf life and they are not meant to be kind of continuously patched. So that's also something, you know, that we see.
So, for folks in this room who are looking to protect against all of those things, there's multiple levels, you know, you have to worry about denial of service, you have to worry about DDOS attacks coming from different home environments. You have to worry about your web applications. How do you protect against all of that? So, today I want to share with you three areas that are really critical for that. Automation, analytics, and architecture.
Let's dive into the first one around automation. You know, we know that developers are increasingly automating everything as code, right? To build out a modern enterprise and to move at the speed of business, you can no longer have large monolithic, you know, data centers where there's a long release process and everything takes a long time to push. You have to be moving at the speed of business and that means deploying rapidly. That means automating and especially in the cloud we see that as a phenomenon. Adversaries are working in much the same speed. One of the things that we observe on our network, on our Edge network is when a new CVE is published, when there suddenly, you know, here's a vulnerability in systems, adversaries are within 24 hours, they are doing thousands of attacks against those systems. You have no way of reasonably protecting against that in a manual way. It's got to be automated in order to keep up with the adversaries.
You know, I want to talk about four specific areas where automation is really key. Firstly, in terms of brand protection. How many folks here have seen within their organizations, like, so called CEO impersonation where your CEO is sending a text to someone in the organization and they are like, “Hey, you know, it's whomever, I need, you know – I need to talk to you,” and there's a little bit of back and forth and then after three or four messages you will see that the CEO is asking for an Apple gift card worth $50. And that's the point where you're like, hang on a sec. I don't think that the CEO needs this $50 Apple gift card, especially not from me.
Increasingly we are going to see with AI tools that anybody can write a really targeted, very, very relevant phishing lure. And all of the awareness training that we have done in the past, which says things like, you know, look for grammatical errors, look for things that don't make sense, right? Look for something that doesn't add up, like asking for a gift card. All that stuff is going to be out the window because there's not going to be a reasonable way for an employee in your organization to say, “Hey, you know, this email chain that's coming in, that's referencing real people in my organization, that's referencing real projects, real things that have happened, this looks suspicious.”
So, we are really going to need to automate that in a much more clever way. Same thing with account takeovers. You know, we have – you know a lot of us face the challenge of the accounts that are used to access our systems, hackers get to them, whether it's through phishing or through other means. And then we try to distinguish what is the difference between a legitimate user and a nonlegitimate user. As tooling like AI is used for account takeover, we are going to have to get much more sophisticated and automated about fighting that. Same thing with APIs. You know, so many of the vulnerabilities today on the internet are not web facing properties, they are APIs. That's how, you know, our mobile systems, internets of things, et cetera, they are all tied together through that glue. But it's much more complex for organizations to know what all of their exposed APIs are, how they are supposed to function, than it is with a web application. And we have seen a 2.5% increase, 52 to 150 million attacks a day against APIs. And that's only going to increase. Because, again, attackers are going to go to where the crown jewels are and where the exposure is.
You know, the fourth piece I want to talk about is workloads. You know, who here had, sort of, a rough time during Log4j? It seems like a long time ago but that was a harsh time. I remember for our company, we had – it fell on one of our wellness days that we had and then we had to call everyone back and we had to battle it. And, you know, Log4j was a really good example of the type of thing where a vulnerability in a component that's just maintained by a few people but that's very heavily leveraged can lead to a fire drill for organizations. You folks have probably seen that cartoon, the old cartoon that has all of modern digital infrastructure sitting on the top of a top of a Jenga kind of structure and there's a thin rod there that says some project thanklessly maintained by someone in Nebraska since 2023, if I got it right.
And there's a lot of those sitting there. And we are leveraging them. So, the only way that you are going to reasonably be able to protect against the various vulnerabilities that come through those kinds of systems is through automation. And if you even leave aside the cyber side of it, we see that there's regulation coming down the pike and requirements, whether it's S bomb related type of regulations or, for example, things like PCI this say you've got to enumerate all the strips you have running on your sites. It's something we need to get ahead of to avoid having those kinds of fire drills like Log4j. When you’re automated you’re – when these kind of things happen you’re able to kind of sit back and watch the show because you know that you are not playing this constant whack a mole with things that are going to be, you know, found.
The other thing that I will just say since many folks in this room, you know, are part of security teams, lead security teams, there's nothing more frustrating that manual processes for your security team. So, purely from a retention and keeping your folks happy, really critical to automate.
But, of course, you can only automate what you understand which brings us to the next piece, which is analytics, right? The amount of data that we deal with today is staggering compared to the past. You know, I mentioned that one of the things that ChatGPT told me to do in this presentation is to give a personal anecdote, so for all of the learning models that are listening right now, this is that personal anecdote, I have listened to you. My first computer was a Vic 20 which had 5KF memory and at a garage sale I bought an extra 3K – it was a physical cartridge that you put in the back to give me a total of 8K of memory. Today, on our network we regularly handle 200 terabits a second of data. The volume is simply staggering. We analyze 690 terabits a day of data for security risks. So, the only way that you can reasonably distinguish good from bad is through doing a deep analysis of that kind of data and being able to understand what are the characteristics that make a valid connection or a valid account or a valid look up on the entry from one that is malicious.
And you know, again, here the ecosystem is evolving very rapidly where the ability of the bad guys to emulate in a very realistic way, malicious traffic is going to increase. We all need to buckle up over the next couple of months, because now that these tool sets are widely available, they are commoditized. You know, all you use is a browser to get to them. If you think about the levels of attacks that are coming our way, analytics is going to be really, really key to ensure that we are staying ahead of that. But analytics and automation are only going to get you so far, because we know that trusted companies are regularly experiencing breaches. These are organizations that have invested in the people, process, and technology for security, and, yet, we know that security fails at times.
And so, a resilient architecture is really critical to ensure that a small-scale breach of one system doesn't lead to a breach of your entire organization. You know, when I am talking to, you know, boards and other non-security audiences, I like to give the metaphor of a home, right? You can have – you can invest in strong locks for your home and an alarm system and a guard dog and all sorts of other things. But if you don't have the right architecture in your home, someone is going to be able to break in despite those measures that you have put in place. And that's why it's critical to be able to have the architecture in place that contains a breach when it's happened. You know, we see things like a tripling in local file inclusion attacks year on year, right? These are the things that allow someone to get into one point, one system in your environment. So, you want to make sure that you are able to contain that.
And if you look at things like the MITRE Attack framework and how breaches occur, there's invariably some point in which that initial point of entry is used as a pivot point to spread wider between your environment. You know, so many of us have organizations where over the years we have built the perimeter of our organization. The kind of hard shell for our environment and we have a reasonable understanding of what that looks like. But then we have the hard shell, gooey inside security model where once you're inside the environment it's, you know, much looser and a complex set of how you can get from one place to another. So it's really critical and it's not a single piece of technology. It's not a single product. It's really an approach. Sometimes it's referred to as zero trust approach but it's really an investment in an ongoing process and philosophy of how you are securing your organization.
You know, if we look at where things are going in the next couple of years, when I think of when I start in cybersecurity, I started at a telco company, building out crypto algorithms and kind of securing the mobile infrastructure. And the thing that we worried about the most at the time was that people were going to abuse the phone systems to get free international calls, right? And so, we were like, how are we going to prevent this, keep that cost to a reasonable place. The stakes now are so much higher than they were back then. And they are much higher than they were even a couple years ago. You know, we have seen the median number of attacks on the internet of medical things increase by 82% year on year. And if you think about all of the breaches that occurred in hospitals, ransomware attacks on hospitals that had real life effects, operations were put off, doctors and medical personnel couldn't get to the vital records of patients to make the right decisions. We know that cybercriminals are going to go to whichever lengths they need to in order to monetize and will not be concerned about causing harm.
And so, it's going to be really critical for us as an ecosystem to ensure that we are building in the right protections into things like medical devices and all of the other critical infrastructure that is connecting to the internet now. I'm bullish in the long term around how we can leverage these technologies to help secure our ecosystem. But there's no question that in this short term, we are going to be challenged as the bad guys leverage these technologies for their purposes and we are playing catch up.
So, to recap, because, again, that's one of the things that the ChatGPT told me to do, three critical pieces of securing your organizations is around automation, analytics, and architecture. Long term investments to make sure that your organization is positioned to secure against evolving threats. I just want to in closing say a couple of things. First, I want to acknowledge my own security team. I have the privilege of working with a terrific set of security professionals who I learn from every day. And acknowledge the wider community here that's working on securing the internet globally.
Also want to call out that today is both in the U.S. and a couple of other countries, National Administrative Professional Day. So, really want to thank all of the administrative professionals who play such a key role in keeping our organizations operating. You know, the trust that we have within these communities is so core to building out the overall security ecosystem, collaboration, exchange of information, really encourage people who are new to the field to look up their local organizations, get involved with ISOCs and other information sharing areas. That's what I find one of the most fulfilling things about being part of the security community. We all share a common goal and those organizations really help to facilitate that.
Now, of course, lastly, I promised that I would give you the ChatGPT generated joke. I will say I had to go through probably 30 or 40 jokes until I got to one that was even reasonably okay. So, for anybody who has a job as a comedian, you are safe from AI for a while. So, here it goes. Why did the hacker plant a tree deep in the ground? Because they wanted to get root access. Thank you very much, stay safe.
security analytics security architecture Orchestration / Automation
Share With Your Community