Given the reality that any IT system can be breached if the attacker has enough time and resources, it must be daunting for the biggest targets around the world to find ways of reducing their vulnerability. Content delivery network Akamai Technologies this week outlined how it does it, which may provide lessons for CISOs who oversee mere ordinary environments.
OK, Akamai has more resources than you do. But that doesn’t mean there aren’t some things you could adopt.
To start, Akamai’s production (non-enterprise) environment has over 216,000 edge servers around the world running a custom version of Linux. But each is configured as a bastion host, which usually means a hardened server that runs a single application with unnecessary services removed.
That’s good news/bad news. While it cuts down on the number of possible vulnerabilities, when one is discovered that does apply to the environment, patching the code is time-consuming.
Whenever possible, vulnerability patches are tested and added into a regularly scheduled software release. But critical vulnerabilities are escalated through an incident management process.
In addition to patching there’s a vulnerability management process that includes a parser that automatically analyzes daily CVE reports and publicly available patches, compares them against code Bill of Material (BoM) files and opens Change Requests (CRs) if needed.
Security risks undergo a qualitative risk assessment, which evaluates the potential severity of a risk, as well as an assessment of attackers that could instantiate a risk, the column says. Based on these two factors, the vulnerability will receive a classification that indicates the severity of the risk. Risks caused by software defects are also scored using the Common Vulnerability Scoring System (CVSS).
Vulnerabilities rated as “Critical” or “High” become formal security incidents managed through an incident management process, which helps ensure staffing is available to address the problem and to decide whether the vulnerability applies to Akamai’s platform, the risks and how fast to fix it.
Because Akamai is a service provider to the U.S. government it also has to meet a federal IT standard that requires critical and high vulnerabilities to be patched within 30 days. There’s an internal goal of patching other vulnerabilities within 180 days.
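The pipeline described above (parse a daily CVE feed, match it against a code Bill of Materials, classify by CVSS, open change requests and set a fix deadline) is easy to sketch in code. The example below is an added illustration and is not Akamai’s own parser: the BoM entries, the CVE records and their fixed versions are constructed sample data (the CVE ids are placeholders), the rule “a component is affected if its version is below the fixed version” is a simplifying assumption standing in for real version-range logic, the severity bands follow the published CVSS v3 qualitative rating scale, and the 30-day and 180-day deadlines are the figures the article cites.

```python
"""Match a daily CVE feed against a software Bill of Materials (BoM) and open
change requests for the components that are affected.

Added illustration, not Akamai's code: the CVE records and the BoM below are
constructed sample data, and the simple "affected if version < fixed_version"
rule is an assumption standing in for real version-range handling.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    fixed_version: str   # assumption: versions below this are affected
    cvss: float          # CVSS base score, 0.0-10.0


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def severity_from_cvss(score: float) -> str:
    """CVSS v3 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def remediation_deadline(severity: str, found: date) -> date:
    """30 days for Critical/High (the federal standard the article cites),
    180 days for everything else (the stated internal goal)."""
    days = 30 if severity in ("Critical", "High") else 180
    return found + timedelta(days=days)


def open_change_requests(bom, cves, found_on: str):
    """Return one change request per (CVE, affected component) pair.

    found_on is an ISO date string (e.g. '2023-01-02') for the day the feed
    was processed; deadlines are computed relative to it.
    """
    found = date.fromisoformat(found_on)
    requests = []
    for cve in cves:
        for comp in bom:
            if comp.name != cve.product:
                continue
            if parse_version(comp.version) >= parse_version(cve.fixed_version):
                continue   # already at or past the fixed version
            severity = severity_from_cvss(cve.cvss)
            requests.append({
                "cve_id": cve.cve_id,
                "component": f"{comp.name} {comp.version}",
                "fix_version": cve.fixed_version,
                "severity": severity,
                # Critical/High become formal security incidents
                "security_incident": severity in ("Critical", "High"),
                "due": remediation_deadline(severity, found),
            })
    return requests


# Constructed sample data: a small BoM and one day's worth of CVE records.
SAMPLE_BOM = [
    Component("openssl", "1.1.1"),
    Component("zlib", "1.2.13"),
    Component("nginx", "1.24.0"),
]
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "openssl", "1.1.2", 9.8),   # placeholder id
    CveRecord("CVE-0000-0002", "zlib", "1.2.12", 7.5),     # BoM already fixed
    CveRecord("CVE-0000-0003", "nginx", "1.25.0", 5.3),    # placeholder id
]


if __name__ == "__main__":
    for cr in open_change_requests(SAMPLE_BOM, SAMPLE_CVES, "2023-01-02"):
        print(cr)
```

Run as-is and it opens two change requests from the sample feed: the openssl one is flagged as a security incident with a 30-day deadline, the nginx one is a routine request due in 180 days, and the zlib record produces nothing because the BoM version is already past the fix. The point a practitioner should take from it is that the BoM comparison, the severity band and the deadline are all mechanical once the feed is parsed; the human judgment Akamai describes (does the vulnerability actually apply to the platform, how fast must it be fixed) sits on top of this output, not in place of it.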
Meanwhile each server is protected by additional rules and health checks, including Web application firewalls, a port hardening solution and randomized audits, to ensure that known attacks are filtered out. Some of these defences can remediate the impact of vulnerabilities immediately, well before a patch can be deployed, says Akamai.
Finally, the environment is overseen from the company’s NOC, which can immediately suspend a server from the network for service or investigation and/or delete everything on a server while keeping the rest of the platform running.
That’s a simple outline of the company’s approach. The blog is more detailed. But it can be adopted by any CISO — test patches, identify and escalate critical vulnerabilities, decide how fast they need to be patched.