
Akamai and Splunk

Build and Automate Actionable Threat Intelligence With Akamai and Splunk

April 13, 2018 · by Ajay Mishra ·

It’s no secret that security threats and events are increasing in frequency and complexity with each passing nanosecond. Organizations of every size and in every geography understand that minimizing the time to detect and respond has become more important than ever.

Exhibit A: Last year, one of the most notable security breaches involved Equifax, wherein 145+ million people were affected by an attack that exploited a Struts vulnerability and, in the end, forced Equifax’s CEO to resign. Notably, this attack was carried out over time, as the attacker managed to upload 30 malicious web shells over the course of four months.

Ultimately, this catastrophic breach resulted from Equifax’s failure to monitor and take action on security events early enough in the attack lifecycle. Equifax’s response was simply too late. Adapting the terminology of the “Cyber Kill Chain” framework developed by Lockheed Martin, we’d like to show you how a better security information and event management (SIEM) strategy can help you identify attacks in the initial stages of the kill chain rather than the final stages.

In this blog post, we will explore how you can build and automate actionable threat intelligence by using technologies from both Akamai and Splunk in a SIEM architecture. The benefits of this approach include:

  • Greater context on cyber attacks
  • Reduced detection time
  • Reduced response time in the overall threat lifecycle

First, let’s start with an overview of Akamai’s approach to SIEM.

Akamai and SIEM

The Akamai SIEM Integration is a powerful tool for capturing, retaining, and delivering security information and events in real time to SIEM applications (e.g., Splunk). The Akamai SIEM Connector for Splunk maximizes security and event insight while integrating easily with the Akamai SIEM API. The architecture of the Akamai SIEM Connector is as follows:

As shown above, the data flow takes place as follows:

  1. The SIEM Connector retrieves Akamai security events by pulling them from the API exposed by the Akamai Security Events Collector (ASEC).
  2. Security events are delivered to the SIEM Connector in JSON format.
  3. Once the SIEM Connector receives the security events from ASEC, it processes them and sends the events to the SIEM solution.


An overview of Akamai security events

There are three major components included in the Akamai security events that get delivered in JSON format:

  1. Source of attack
  2. Context of attack
  3. Nature of attack

Let’s briefly take a look at each component.

  1. Source of attack: Akamai provides location data on the attack source, using its EdgeScape capability to locate the attacker more accurately. Here’s an example of the data you’d see:

Here’s an explanation of the data:

Geo Data

| Name | Value | Example |
| --- | --- | --- |
| continent | A 2-letter code for the continent that the IP address maps to | AS |
| country | An ISO-3166, 2-letter code for the country that the IP address maps to | CN |
| city | City that the IP address maps to | BEIJING |
| regionCode | An ISO-3166, 2-letter code for the state, province, or region that the IP address maps to | BJ |
| asn | The AS number or numbers that the IP belongs to | 4808 |

  2. Context of attack: Akamai provides context and details on each HTTP request. Here’s an example:

Here’s an explanation of the data:

HTTP Message Data

| Name | Value | Example |
| --- | --- | --- |
| requestId | A globally unique ID created to identify this specific message | f7f359 |
| start | The time, in epoch format with millisecond precision, when the Edge Server initiated the connection for the message exchange being monitored | 1520556215 |
| protocol | Protocol of the transaction being monitored | HTTP/1.1 |
| method | Method of the incoming request | GET |
| host | Value of the incoming client request’s Host header | test20.*******.net |
| port | Port number used by the incoming request; should equal the value of AK_IN_PORT | 80 |
| path | Path used in the incoming URI from the client, not including query strings | / |
| query | The query strings passed in the incoming URI from the client | id=a&msg=a |
| requestHeaders | All request headers collected | Host: test20.*******.net; User-Agent: curl/7.55.0; Accept: */*; X-Forwarded-For: 123.120.23.157 |
| status | HTTP response status sent to the client | 503 |
| responseHeaders | All response headers collected | Server: AkamaiGHost; Mime-Version: 1.0; Content-Type: text/html; Content-Length: 272 |

  3. Nature of attack: Akamai characterizes the nature of each attack and provides details on the set of configuration rules that intercepted it. Here’s an example:

Here’s an explanation of the data:

Attack Data

| Field | Description | Example | Notes |
| --- | --- | --- | --- |
| configId | The ID of the Security Configuration applied to the request | 16167 | |
| policyId | The ID of the Firewall policy applied to the request | t20_51596 | |
| clientIP | The IP address of the client that connects to make the request | 119.72.199.211 | |
| slowPostAction | If a Slow POST attack is detected, this shows the action taken: either W for Warn or A for deny (abort) | W | The attack above is a bot attack, so this field did not appear |
| slowPostRate | If a Slow POST attack is detected, this shows the recorded rate of the Slow POST attack | 10 | The attack above is a bot attack, so this field did not appear |
| Rules id | Rule IDs of rules triggered for the request, base64-encoded | 3000036 | Contains one or more rule IDs |
| ruleVersions | Versions of rules triggered for the request, base64-encoded | 2 | Represents the rule version |
| ruleMessages | Messages of rules that triggered for this request, base64-encoded | Detected LOIC / HOIC client request based on query string | |
| ruleTags | Tags of rules that triggered for the request, base64-encoded | AKAMAI/DDOS/LOIC_HOIC_1_v1 | |
| ruleData | User data of rules that triggered for this request, base64-encoded | LOIC/HOIC based on query string | |
| ruleSelectors | Selectors of rules that triggered for the request, base64-encoded | | |
| ruleActions | Actions of rules that triggered for the request, base64-encoded | alert | |

So, that’s the kind of data you see once you have this solution implemented. Now let’s talk about how to get you started.
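As an added example (not code from the original post or from Akamai’s connector), the following Python parses one such JSON security event, decodes the base64-encoded rule fields into one record per triggered rule, and applies a simple escalation check of the kind a Splunk alert would encode. The event is constructed from the tables above; the nesting under `geo`/`httpMessage`/`attackData` keys, the `;` separator between multiple rule values and the example.net host are assumptions.

```python
import base64
import json

# Constructed sample event (added example; not data from the post or a live Akamai feed).
# Field names follow the post's Geo / HTTP Message / Attack Data tables; the nesting keys,
# the ";" separator between multiple rules and the example.net host are assumptions.
def _b64(text):
    return base64.b64encode(text.encode()).decode()

SAMPLE_EVENT = json.dumps({
    "geo": {"continent": "AS", "country": "CN", "city": "BEIJING",
            "regionCode": "BJ", "asn": "4808"},
    "httpMessage": {"requestId": "f7f359", "start": "1520556215",
                    "protocol": "HTTP/1.1", "method": "GET", "host": "test20.example.net",
                    "port": "80", "path": "/", "query": "id=a&msg=a", "status": "503"},
    "attackData": {"configId": "16167", "policyId": "t20_51596", "clientIP": "119.72.199.211",
                   # two rules fired (the second rule ID is a constructed placeholder)
                   "rules": _b64("3000036;9990001"),
                   "ruleVersions": _b64("2;1"),
                   "ruleMessages": _b64("Detected LOIC / HOIC client request based on query string;"
                                        "Constructed second rule"),
                   "ruleTags": _b64("AKAMAI/DDOS/LOIC_HOIC_1_v1;CONSTRUCTED/TAG"),
                   "ruleData": _b64("LOIC/HOIC based on query string;"),
                   "ruleSelectors": _b64(""),
                   "ruleActions": _b64("alert;deny")},
})

RULE_FIELDS = ("rules", "ruleVersions", "ruleMessages", "ruleTags",
               "ruleData", "ruleSelectors", "ruleActions")

def decode_rule_field(value):
    """Base64-decode a rule field and split it into one entry per triggered rule."""
    text = base64.b64decode(value).decode("utf-8") if value else ""
    return text.split(";") if text else []

def parse_event(raw):
    """Flatten one JSON security event into per-rule records plus source context."""
    event = json.loads(raw)
    attack, http, geo = event["attackData"], event["httpMessage"], event["geo"]
    columns = {f: decode_rule_field(attack.get(f, "")) for f in RULE_FIELDS}
    # pad short columns (e.g. empty ruleSelectors) so every rule carries every field
    rules = [{f: (columns[f][i] if i < len(columns[f]) else "") for f in RULE_FIELDS}
             for i in range(len(columns["rules"]))]
    return {"requestId": http["requestId"], "clientIP": attack["clientIP"],
            "country": geo["country"], "asn": geo["asn"], "status": http["status"],
            "rules": rules}

def needs_response(parsed):
    """Escalate when any triggered rule is tagged DDOS or its action was deny."""
    return any("DDOS" in r["ruleTags"] or r["ruleActions"] == "deny" for r in parsed["rules"])
```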


Four steps to connect Splunk and Akamai security events


To get started, follow these four basic steps:

Step 1: Enable SIEM Integration

Set the toggle switch to “On” in your security configuration:

After enabling SIEM Integration, you’ll need to activate it on the production network.

Step 2: Create a new user with “Manage SIEM” role

Step 3: Provision credentials to work with the SIEM API

Search for “SIEM” in the search box and the SIEM API will pop up.

Finally, you’ll get the API credential (aka “client secret”) as follows:

Step 4: Install and configure your Akamai SIEM Splunk Connector

There are a few sub-steps to get Splunk working with Akamai. First, download the Akamai SIEM Splunk Connector:

Then install the connector on Splunk as follows:

Finally, configure the connector by entering the username and password of the Splunk server along with the API credentials obtained earlier in step 3.

Click “New”:

Then, fill in your credential info:

Once this is complete, Splunk can capture the attack data and display it within the Splunk dashboard. For demonstration purposes, we have attacked our own site with web-based attacks as well as bot-based attacks. The attacks appear to originate from around the globe because the source IP addresses were spoofed in the XFF (X-Forwarded-For) header, as you can see here:

Example of a Splunk dashboard showing attack activity

The dashboard in Splunk can be edited or extended directly by changing its XML source, as seen here:

At this point, actionable alerts can be triggered within Splunk during attacks. So that brings us to our next subject: the alerting capability in Splunk.


Leveraging Splunk’s alerting capabilities for actionable threat intelligence


Splunk has a very robust and user-friendly alert workflow. For starters, you can create alerts in the “Save As Alert” window, which looks like this:

There are several interesting and helpful items in this window that I’d like to highlight. First is the “Alert type” control:

You can adjust the alert type to configure how often the search runs. Use a scheduled alert to check for events on a regular basis, or use a real-time alert to monitor for events continuously.

Scheduled alerts offer granular date/time/frequency control:

The next item I’d like to highlight here is the “Trigger Conditions” control. An alert does not have to trigger every time it generates search results; you can set trigger conditions to manage when the alert triggers, whether that’s “Per-Result” or “Number of Results” or other conditions shown here:

You can also throttle an alert to control how soon the next alert can trigger after an initial alert; your throttling intervals can be set to minutes or even seconds:

When an alert triggers, it can initialize one or more alert actions. An alert action can notify you of a triggered alert and help you respond appropriately. You can configure alert action frequency and type in the “Alert Actions” window:

From the “Alert Actions” window you can take actions such as:

  • Send a log event to a Splunk receiver endpoint
  • Send an email notification to specific recipients
  • Create a generic HTTP POST to a specified URL
  • Output the results of the search to a .csv lookup file
  • Invoke a custom alert action

Conclusion

The SIEM approach described above provides a centralized view of security information from a large number of sources so you can easily access and analyze that information. This approach then enables you to quickly prioritize your mitigation efforts based on risk profiles. In addition, it can help you meet security log analysis and incident/event reporting requirements.

Whether you’re using Splunk, IBM, RSA, or any other SIEM solution, you can build and automate actionable threat intelligence by integrating Akamai security events within your SIEM. This gives you greater information on the source, context, and nature of cyber attacks, and enables you to reduce the time to detect and respond in the overall threat lifecycle.

For more information, watch the “Connecting Your SIEM Tool with Akamai Security Events” video presentation from the Developer Zone at Edge 2017.

Also, check out the new Akamai Enterprise Application Access App for Splunk.

Ajay Mishra is a senior enterprise security architect at Akamai Technologies.