It’s no secret that security threats and events are increasing in frequency and complexity with each passing nanosecond. Organizations of every size and in every geography understand that minimizing the time to detect and respond has become more important than ever.
Exhibit A: Last year, one of the most notable security breaches involved Equifax, in which 145+ million people were affected by an attack that exploited an Apache Struts vulnerability and, in the end, forced Equifax’s CEO to resign. Notably, this attack was carried out over time: the attacker managed to upload 30 malicious web shells over the course of four months.
Ultimately, this catastrophic breach resulted from Equifax’s failure to monitor and take action on security events early enough in the attack lifecycle. Equifax’s response was simply too late. Adapting the terminology of the “Cyber Kill Chain” framework developed by Lockheed Martin, we’d like to show you how a better security information and event management (SIEM) strategy can help you identify attacks in the initial stages of the kill chain rather than the final stages.
In this blog post, we will explore how you can build and automate actionable threat intelligence by using technologies from both Akamai and Splunk in a SIEM architecture. The benefits of this approach include:
- Greater context on cyber attacks
- Reduced detection time
- Reduced response time in the overall threat lifecycle
First, let’s start with an overview of Akamai’s approach to SIEM.
Akamai and SIEM
The Akamai SIEM Integration is a powerful tool for capturing, retaining, and delivering security information and events in real time to SIEM applications (e.g., Splunk). The Akamai SIEM Connector for Splunk builds on the Akamai SIEM API to bring those security and event insights into Splunk with minimal integration effort. Following is the architecture of the Akamai SIEM Connector:
As shown above, the data flow takes place as follows:
- SIEM Connector retrieves Akamai security events by pulling from the API exposed by the Akamai Security Events Collector (ASEC).
- Security events are delivered to SIEM Connector in JSON format.
- Once SIEM Connector receives the security events from ASEC, it processes and sends the events to the SIEM solution.
An overview of Akamai security events
There are three major components included in the Akamai security events that get delivered in JSON format:
- Source of attack
- Context of attack
- Nature of attack
Let’s briefly take a look at each component.
1. Source of attack: Akamai provides location data on the attack source, leveraging EdgeScape capability for superior accuracy regarding the attacker’s location. Here’s an example of the data you’d see:
Here’s an explanation of the data:
| Field | Description | Example |
| --- | --- | --- |
| continent | A 2-letter code for the continent that the IP address maps to | AS |
| country | An ISO-3166, 2-letter code for the country that the IP address maps to | CN |
| city | City that the IP address maps to | BEIJING |
| regionCode | An ISO-3166, 2-letter code for the state, province, or region that the IP address maps to | BJ |
| asn | The AS number or numbers that the IP belongs to | 4808 |
2. Context of attack: Akamai provides context and details on each HTTP request. Here’s an example:
Here’s an explanation of the data:
HTTP Message Data

| Field | Description | Example |
| --- | --- | --- |
| requestId | A globally unique ID created to identify this specific message | f7f359 |
| start | The time, in epoch format, to millisecond precision, when the Edge Server initiated the connection for the message exchange being monitored | 1520556215 |
| protocol | Protocol of the transaction being monitored | HTTP/1.1 |
| method | Method of the incoming request | GET |
| host | Value of the incoming client request's Host header | test20.*******.net |
| port | Port number used by the incoming request. Should be equal to the value of AK_IN_PORT | 80 |
| path | Path used in the incoming URI from the client, not including query strings | / |
| query | The query strings passed in the incoming URI from the client | id=a&msg=a |
| requestHeaders | All request headers collected | Host: test20.*******.net |
| status | HTTP response status sent to the client | 503 |
| responseHeaders | All response headers collected | Server: AkamaiGHost |
3. Nature of attack: Akamai characterizes the nature of each attack and provides details on the set of configuration rules that intercepted it. Here’s an example:
Here’s an explanation of the data:
| Field | Description | Example | Note |
| --- | --- | --- | --- |
| configId | The ID of the Security Configuration applied to the request | 16167 | |
| policyId | The ID of the Firewall policy applied to the request | t20_51596 | |
| clientIP | The IP address of the client that connects to make the request | 126.96.36.199 | |
| slowPostAction | If a Slow POST attack is detected, this shows the action taken: either W for Warn or A for deny (abort) | W | The attack above was a bot attack, so this field did not appear |
| slowPostRate | If a Slow POST attack is detected, this shows the recorded rate of the Slow POST attack | 10 | The attack above was a bot attack, so this field did not appear |
| Rules id | Rule IDs of rules triggered for the request, base64-encoded | 3000036 | May contain one rule or several |
| ruleVersions | Versions of rules triggered for the request, base64-encoded | 2 | Rule version |
| ruleMessages | Messages of rules that triggered for this request, base64-encoded | Detected LOIC / HOIC client request based on query string | |
| ruleTags | Tags of rules that triggered for the request, base64-encoded | AKAMAI/DDOS/LOIC_HOIC_1_v1 | |
| ruleData | User data of rules that triggered for this request, base64-encoded | LOIC/HOIC based on query string | |
| ruleSelectors | Selectors of rules that triggered for the request, base64-encoded | | |
| ruleActions | Actions of rules that triggered for the request, base64-encoded | alert | |
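As an added example that is not code from the post or from Akamai's connector, the following Python parses one event of the shape described in the three tables above, decodes the base64 rule fields, and flattens it into a record with one entry per triggered rule. It assumes the JSON keys `geo`, `httpMessage`, `attackData` and `rules` (for the "Rules id" column), and that multiple rules are carried as ';'-joined base64 values; the sample event is constructed.

```python
import base64
import json

# attackData fields described above as base64-encoded ("rules" = assumed key for "Rules id")
RULE_FIELDS = ("rules", "ruleVersions", "ruleMessages", "ruleTags",
               "ruleData", "ruleSelectors", "ruleActions")

def encode_rule_field(values):
    """Assumed wire format: one base64 value per triggered rule, joined with ';'."""
    return ";".join(base64.b64encode(v.encode()).decode() for v in values)

def decode_rule_field(raw):
    """Inverse of encode_rule_field; an absent or empty field yields []."""
    return [base64.b64decode(p).decode("utf-8", "replace") for p in raw.split(";")] if raw else []

# Constructed sample event: the bot attack from the tables plus a second, made-up rule
# hit. slowPost* fields are absent because no Slow POST was detected.
SAMPLE_EVENT = json.dumps({
    "geo": {"continent": "AS", "country": "CN", "city": "BEIJING", "regionCode": "BJ", "asn": "4808"},
    "httpMessage": {"requestId": "f7f359", "start": "1520556215", "protocol": "HTTP/1.1",
                    "method": "GET", "host": "www.example.net", "port": "80",
                    "path": "/", "query": "id=a&msg=a", "status": "503"},
    "attackData": {
        "configId": "16167", "policyId": "t20_51596", "clientIP": "126.96.36.199",
        "rules": encode_rule_field(["3000036", "1234567"]),
        "ruleVersions": encode_rule_field(["2", "1"]),
        "ruleMessages": encode_rule_field(
            ["Detected LOIC / HOIC client request based on query string", "Made-up rule"]),
        "ruleTags": encode_rule_field(["AKAMAI/DDOS/LOIC_HOIC_1_v1", "EXAMPLE/TAG"]),
        "ruleData": encode_rule_field(["LOIC/HOIC based on query string", "n/a"]),
        "ruleActions": encode_rule_field(["alert", "deny"]),
    },
})

def normalize_event(line):
    """Flatten one JSON event into a record with one dict per triggered rule."""
    ev = json.loads(line)
    geo, http, attack = ev.get("geo", {}), ev.get("httpMessage", {}), ev.get("attackData", {})
    cols = {f: decode_rule_field(attack.get(f, "")) for f in RULE_FIELDS}
    # Pad shorter columns (ruleSelectors is absent here) so every rule has every field.
    rules = [{f: (cols[f][i] if i < len(cols[f]) else "") for f in RULE_FIELDS}
             for i in range(max(len(v) for v in cols.values()))]
    return {"time": int(http.get("start", 0)), "status": int(http.get("status", 0)),
            "clientIP": attack.get("clientIP"), "country": geo.get("country"),
            "asn": geo.get("asn"), "host": http.get("host"), "method": http.get("method"),
            "path": http.get("path"), "query": http.get("query"),
            "slowPost": "slowPostAction" in attack,  # present only when Slow POST detected
            "ddos": any(t.startswith("AKAMAI/DDOS/") for t in cols["ruleTags"]),
            "rules": rules}
```

The flattened record is what you would index in Splunk; the `ddos` and `slowPost` flags are ready-made fields for the trigger conditions discussed later in the post.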
So, that’s the kind of data you see once you have this solution implemented. Now let’s talk about how to get you started.
Four steps to connect Splunk and Akamai security events
To get started, follow these four basic steps:
Step 1: Enable SIEM Integration
Set the toggle switch to “On” in your security configuration:
After enabling SIEM Integration, you’ll need to activate it on the production network.
Step 2: Create a new user with “Manage SIEM” role
Step 3: Provision credentials to work with the SIEM API
Search for “SIEM” in the search box and the SIEM API will pop up.
Finally, you’ll get the API credential (aka “client secret”) as follows:
Step 4: Install and configure your Akamai SIEM Splunk Connector
There are a few sub-steps to get Splunk working with Akamai. First of all, you’ll need to download the Akamai SIEM Splunk Connector:
And install the connector on Splunk as follows:
Finally, configure the connector by supplying the username and password of the Splunk server together with the API credentials we obtained earlier in step 3.
Then, fill in your credential info:
Once this is complete, Splunk can capture the attack data and display it within the Splunk dashboard. Just for demonstration purposes, we have attacked our site with web-based attacks as well as bot-based attacks. The attacks have been carried out globally by spoofing IP addresses in the XFF (X-Forwarded-For) header, as you can see here:
Example of a Splunk dashboard showing attack activity
Splunk dashboards can be edited, or new ones added, directly by changing the XML source, as seen here:
At this point, actionable alerts can be triggered within Splunk during attacks. So that brings us to our next subject: the alerting capability in Splunk.
Leveraging Splunk’s alerting capabilities for actionable threat intelligence
Splunk has a very robust and user-friendly alert workflow. For starters, you can create alerts in the “Save As Alert” window, which looks like this:
There are several interesting and helpful items in this window that I’d like to highlight. First is the “Alert type” control:
You can adjust the alert type to configure how often the search runs. Use a scheduled alert to check for events on a regular basis, or use a real-time alert to monitor for events continuously.
Scheduled alerts offer granular date/time/frequency control:
The next item I’d like to highlight here is the “Trigger Conditions” control. An alert does not have to trigger every time it generates search results; you can set trigger conditions to manage when the alert triggers, whether that’s “Per-Result” or “Number of Results” or other conditions shown here:
You can also throttle an alert to control how soon the next alert can trigger after an initial alert; your throttling intervals can be set to minutes or even seconds:
When an alert triggers, it can initiate one or more alert actions. An alert action notifies you of a triggered alert and helps you respond appropriately. You can configure alert action frequency and type in the “Alert Actions” window:
From the “Alert Actions” window you can take actions such as:
- Send a log event to a Splunk receiver endpoint
- Send an email notification to specific recipients
- Create a generic HTTP Post to a specified URL
- Output the results of the search to a .csv lookup file
- Invoke a custom alert action
The SIEM approach described above provides a centralized view of security information from a large number of sources so you can easily access and analyze that information. This approach then enables you to quickly prioritize your mitigation efforts based on risk profiles. In addition, it can help you meet security log analysis and incident/event reporting requirements.
Whether you're using Splunk, IBM, RSA, or any other SIEM solution, you can build and automate actionable threat intelligence by integrating Akamai security events within your SIEM. This gives you greater information on the source, context, and nature of cyber attacks, and enables you to reduce the time to detect and respond in the overall threat lifecycle.
For more information, watch the “Connecting Your SIEM Tool with Akamai Security Events” video presentation from the Developer Zone at Edge 2017.
Also, check out the new Akamai Enterprise Application Access App for Splunk.
Ajay Mishra is a senior enterprise security architect at Akamai Technologies.