A security information and event management (SIEM) solution is an important part of any DevSecOps strategy. Analyzing security events and creating visualizations and reports allows you to fine-tune the security of your infrastructure and bolster the security of your applications, APIs, data and endpoints.
SIEM tools are often used to collect logs from origin servers, internal firewalls, or other sources that are typically part of a customer's security infrastructure. In most organizations a SIEM tool has three main functions: detecting, investigating, and responding to threats. SIEM tools were mainly designed to make the process of collecting, storing, and analyzing log data easier.
Regularly monitoring your security incidents and events can help you strengthen your cybersecurity posture. SIEM helps you identify weaknesses in your infrastructure and allows you to adapt to new security threats that you discover through monitoring.
On top of this, many companies today also rely on Edge Security from Akamai. Every day, Akamai inspects billions of requests for our customers and filters out malicious traffic targeting our customers' websites and API endpoints, adapting to the latest threats.
Traditionally, Akamai offered the ability for customers to manage their security events and get insights through the Akamai Control Center. Tools like the Security Monitor or Web Security Analytics are available to see what type of attack traffic Akamai has spotted or mitigated.
With the Akamai SIEM Integration, you can inject Akamai-as-data into your SIEM solution. If you use Kona Site Defender, Web Application Protector, or Bot Manager, you can send security events generated on the Akamai platform to your SIEM alongside security events from other sources. The growth of DevSecOps and the adoption of SIEM tools have increased the need for customers to have direct access to security events without having to manually log in to Control Center.
By integrating Akamai-as-data with your SIEM tool of choice, security events that Akamai has inspected can be sent directly, in real time, to the tools you use. Even better, this allows your Security Engineers to review the data in the way they are used to reading, visualizing, and inspecting it.
When you can easily access Akamai-as-data, your team can take better action to identify and mitigate security threats. Of course, with a finely tuned Akamai security configuration, Akamai will proactively mitigate threats while still providing you and your team with first-hand knowledge of what is going on with your mission-critical applications and APIs.
What is the Akamai SIEM Integration?
Simply put, the Akamai SIEM Integration consists of two main components: a Collector and a Connector.
The Security Events Collector is signalled by the Akamai Edge servers every time a security event occurs. This generates a security event in JSON format that contains all the relevant information from that particular request and security event.
This information can be collected from different Akamai solutions such as Kona Site Defender, Web Application Protector, Bot Manager and/or Client Reputation. The collector stores data for up to 12 hours so you can go back in time to retrieve your security events.
Second, the SIEM Connector is installed in your ecosystem. The connector makes periodic calls to an available Akamai SIEM API endpoint where the JSON security events can be retrieved and sent to the tools and endpoints in your ecosystem.
Akamai has developed two SIEM Connectors in collaboration with leading SIEM vendors: one for Splunk and one that emits Common Event Format (CEF) syslog.
Of course, if you're using a different SIEM vendor, you can still create a custom connection by using the Akamai SIEM API directly.
The SIEM Connectors are wrappers that use the Akamai SIEM API and handle the proper authentication with the Akamai SIEM API. Authentication is similar to the other Akamai API endpoints and is handled by Akamai EdgeGrid.
Once an Akamai API client is created, the client can be used to request security events directly from the API. You can see this process in action in the recording at the bottom of this post.
If your SIEM tool is based on any of the main programming languages Akamai supports today, you can easily use the Akamai EdgeGrid authentication packages which are available in our Akamai GitHub repositories. In our API catalog, you can find the full API definition for the SIEM API. As a quick recap of the functionality, you can request the security events with time filters and limit the number of events returned.
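As an added illustration (this is not code from the original post, nor from Akamai's own EdgeGrid libraries), the following Python re-implements the EG1-HMAC-SHA256 signing steps with the standard library and builds a time-filtered SIEM API query, so you can see what the EdgeGrid packages do on your behalf. The host, tokens and configuration ID are constructed placeholders, and the `/siem/v1/configs/{configId}` path and the `from`, `to` and `limit` parameter names are assumptions taken from the author's reading of the API definition; check them against the API catalog.

```python
"""Added example: build an EdgeGrid-signed GET request for the Akamai SIEM API.

Re-implements the EG1-HMAC-SHA256 signing steps with the standard library so each
step is visible. For production use the EdgeGrid packages Akamai publishes on
GitHub. All credentials, the host and the config id are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.request
import uuid
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse

# Constructed placeholders: real values come from the API client you create in
# Control Center and belong in a secrets store, not in source.
CREDS = {
    "host": "akab-placeholder.luna.akamaiapis.net",
    "client_token": "akab-client-token-placeholder",
    "client_secret": "client-secret-placeholder",
    "access_token": "akab-access-token-placeholder",
}


def _b64_hmac_sha256(key: str, data: str) -> str:
    """base64(HMAC-SHA256(key, data)), the primitive EdgeGrid applies twice."""
    return base64.b64encode(
        hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()).decode()


def siem_events_url(host: str, config_id: str, start_epoch: int, end_epoch: int, limit: int) -> str:
    """Time-window query; path and parameter names are assumed from the API definition."""
    params = urlencode({"from": start_epoch, "to": end_epoch, "limit": limit})
    return f"https://{host}/siem/v1/configs/{config_id}?{params}"


def eg_timestamp(epoch_seconds=None) -> str:
    """EdgeGrid timestamp format, always UTC; stale timestamps are rejected server-side."""
    when = (datetime.fromtimestamp(epoch_seconds, timezone.utc)
            if epoch_seconds is not None else datetime.now(timezone.utc))
    return when.strftime("%Y%m%dT%H:%M:%S+0000")


def sign_get(url: str, creds: dict, timestamp: str, nonce: str) -> str:
    """Return the Authorization header value for a body-less GET."""
    parsed = urlparse(url)
    path = parsed.path + (f"?{parsed.query}" if parsed.query else "")
    auth = ("EG1-HMAC-SHA256 "
            f"client_token={creds['client_token']};access_token={creds['access_token']};"
            f"timestamp={timestamp};nonce={nonce};")
    # Tab-joined: method, scheme, host, path+query, canonical headers (none signed
    # here), body hash (empty for GET) and the header prefix itself.
    data_to_sign = "\t".join(["GET", parsed.scheme, parsed.netloc, path, "", "", auth])
    signing_key = _b64_hmac_sha256(creds["client_secret"], timestamp)  # key derived per timestamp
    return auth + "signature=" + _b64_hmac_sha256(signing_key, data_to_sign)


def verify_get(url: str, auth_header: str, client_secret: str) -> bool:
    """What the receiving side does: recompute from the header fields, compare in constant time."""
    try:
        prefix, _, _ = auth_header.rpartition("signature=")
        fields = dict(kv.split("=", 1) for kv in prefix.split(" ", 1)[1].rstrip(";").split(";"))
        creds = {"client_token": fields["client_token"], "access_token": fields["access_token"],
                 "client_secret": client_secret}
        expected = sign_get(url, creds, fields["timestamp"], fields["nonce"])
    except (KeyError, ValueError, IndexError):
        return False
    return hmac.compare_digest(expected, auth_header)


def fetch_events(config_id: str, start_epoch: int, end_epoch: int, limit: int = 1000) -> bytes:
    """Perform the signed request (network call; not exercised offline)."""
    url = siem_events_url(CREDS["host"], config_id, start_epoch, end_epoch, limit)
    header = sign_get(url, CREDS, eg_timestamp(), str(uuid.uuid4()))
    req = urllib.request.Request(url, headers={"Authorization": header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    demo_url = siem_events_url(CREDS["host"], "12345", 1594814400, 1594818000, 1000)
    print(sign_get(demo_url, CREDS, eg_timestamp(1594814400), str(uuid.uuid4())))
```

Two details worth noting: the signing key is derived from the client secret and the request timestamp, so a captured header cannot be replayed once the timestamp is stale, and the path including the query string is part of the signed data, so changing `limit` or the time window after signing invalidates the signature.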
All security events are returned in JSON format. Let's take a look at a JSON example (above) that was retrieved with the SIEM API. You can see the security event here with the attack data: the client IP, the security policy it triggered, the location of the IP address, the HTTP request, path, URL, and headers that were sent.
If you are using the Splunk connector, please ensure that you follow the steps outlined in the integration documentation. When it comes to installing the connector, it is important to have the right hardware and required software installed including the Java runtime environment.
While we currently have the Splunk and Syslog connectors available, you can also utilize the SIEM API to simply send the logs to a service in your environment. If your SIEM is able to connect on HTTPS and has the ability to interpret the JSON format, you're good to go. If this is not the case, you can always use an intermediary tool that retrieves the logs or you can transform JSON into another format that works with your SIEM.
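To tie together the JSON event described earlier (client IP, triggered policy, geo location, request path, URL and headers) with the option of transforming JSON into a format your SIEM understands, here is an added Python example that is not part of the original post or of Akamai's connectors. It normalizes one event and renders it as a CEF syslog line, the format the CEF connector targets. The event is constructed, and the field layout (`attackData`, `httpMessage`, `geo`, base64-encoded rule lists, URL-encoded path, query and headers) reflects the author's reading of the SIEM API event format; confirm it against the API definition before relying on it.

```python
"""Added example: normalize an Akamai SIEM JSON event and render it as one CEF line.

The field layout (attackData / httpMessage / geo, base64 rule lists, URL-encoded
path, query and headers) follows the author's reading of the SIEM API event format
and should be checked against the API definition. The event itself is constructed.
"""
import base64
import json
from urllib.parse import unquote


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample event; ids, host, rule numbers and messages are placeholders.
SAMPLE_EVENT = json.dumps({
    "type": "akamai_siem", "format": "json", "version": "1.0",
    "attackData": {
        "configId": "12345",
        "policyId": "demo_policy",
        "clientIP": "203.0.113.7",
        "rules": ";".join(_b64(r) for r in ("900001", "900002")),
        "ruleActions": ";".join(_b64(a) for a in ("alert", "deny")),
        "ruleMessages": ";".join(_b64(m) for m in ("Constructed WAF rule", "Constructed rate limit|burst")),
    },
    "httpMessage": {
        "requestId": "1a2b3c4d", "start": "1594900000", "protocol": "HTTP/1.1",
        "method": "GET", "host": "www.example.com", "port": "443",
        "path": "%2Fapi%2Fsearch", "query": "q%3Dfoo%7Cbar",
        "requestHeaders": "User-Agent%3A%20curl%2F7.68.0%0D%0AAccept%3A%20*%2F*%0D%0A",
        "status": "403", "bytes": "0",
    },
    "geo": {"continent": "NA", "country": "US", "city": "RESTON", "regionCode": "VA", "asn": "64496"},
})


def decode_rule_field(value: str) -> list:
    """Semicolon-separated base64 strings -> list of plain strings."""
    if not value:
        return []
    return [base64.b64decode(part).decode("utf-8", "replace") for part in value.split(";")]


def decode_request_headers(value: str) -> dict:
    """URL-decode the CRLF-joined headers into a lower-cased name -> value map."""
    headers = {}
    for line in unquote(value).split("\r\n"):
        name, sep, raw = line.partition(":")
        if sep:
            headers[name.strip().lower()] = raw.strip()
    return headers


def normalize_event(raw_json: str) -> dict:
    """Flatten one event into the fields a SIEM correlation rule would key on."""
    event = json.loads(raw_json)
    attack, http, geo = event["attackData"], event["httpMessage"], event.get("geo", {})
    rules = decode_rule_field(attack.get("rules", ""))
    actions = decode_rule_field(attack.get("ruleActions", ""))
    messages = decode_rule_field(attack.get("ruleMessages", ""))
    if not len(rules) == len(actions) == len(messages):
        raise ValueError("rule id/action/message lists are not aligned")  # zip() would drop entries silently
    return {
        "client_ip": attack["clientIP"],
        "config_id": attack["configId"],
        "policy_id": attack["policyId"],
        "country": geo.get("country", ""),
        "city": geo.get("city", ""),
        "method": http["method"],
        "host": http["host"],
        "path": unquote(http.get("path", "")),
        "query": unquote(http.get("query", "")),
        "status": int(http["status"]),
        "start_ms": int(http["start"]) * 1000,  # CEF 'rt' expects epoch milliseconds
        "headers": decode_request_headers(http.get("requestHeaders", "")),
        "rules": [{"id": r, "action": a, "message": m} for r, a, m in zip(rules, actions, messages)],
    }


def cef_escape_header(text: str) -> str:
    """Header fields: escape backslash and pipe."""
    return text.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(text: str) -> str:
    """Extension values: escape backslash, equals and line breaks so request data cannot forge fields."""
    return (text.replace("\\", "\\\\").replace("=", "\\=")
                .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(norm: dict) -> str:
    """One CEF:0 line per event; a 'deny' rule, if any, leads the header."""
    fallback = {"id": "0", "action": "none", "message": "Unclassified event"}
    lead = next((r for r in norm["rules"] if r["action"] == "deny"),
                norm["rules"][0] if norm["rules"] else fallback)
    severity = 8 if lead["action"] == "deny" else 5  # assumed mapping; tune to your SIEM
    url = f"https://{norm['host']}{norm['path']}" + (f"?{norm['query']}" if norm["query"] else "")
    ext = [("rt", str(norm["start_ms"])), ("src", norm["client_ip"]), ("requestMethod", norm["method"]),
           ("dhost", norm["host"]), ("request", url), ("act", lead["action"]),
           ("outcome", str(norm["status"])), ("cs1Label", "policyId"), ("cs1", norm["policy_id"]),
           ("cs2Label", "country"), ("cs2", norm["country"])]
    header = "|".join(["CEF:0", "Akamai", "SIEM Integration", "1.0",
                       cef_escape_header(lead["id"]), cef_escape_header(lead["message"]), str(severity)])
    return header + "|" + " ".join(f"{k}={cef_escape_extension(v)}" for k, v in ext)


if __name__ == "__main__":
    print(to_cef(normalize_event(SAMPLE_EVENT)))
```

The escaping functions matter more than they look: the path, query and headers in an event are attacker-controlled input, so anything that is copied into a log line must be escaped in the target format, or a crafted request could inject extra fields into the records your analysts read.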
Finally, while not immediately tied to SIEM Integration, we highly recommend keeping your security configurations up-to-date with the latest ruleset. This will help you protect yourself against new vulnerabilities.
Watch the Full Recording
You can watch the full Webinar recording from July 2020 below to learn more about Akamai SIEM Integration and see our demos.