Akamai Technologies, Inc. (AKAM) Earnings Call Transcript & Summary

March 23, 2023


Earnings Call Speaker Segments

Dan Petrillo (executive)

Hi folks. Welcome to our webinar, We'll Hunt For You, where we'll introduce Akamai's new security service called Hunt. My name is Dan Petrillo. I'm the Director of Product Marketing for Akamai, and I'm really excited to be here today. Thank you all for joining. So to begin, for the folks who are not as familiar with Akamai, I want to touch on where this product fits within our larger portfolio. We won't spend a lot of time here. But Akamai is really proud to offer an extensive portfolio of Zero Trust products and services, helping you gain that coverage, visibility and control that you need to reach Zero Trust and to achieve your Zero Trust goals. If you look at the items around the circle, you'll see the overlapping bubbles for ZTNA, SWG, our Secure Web Gateway and Segmentation are red. And that's to indicate that these are areas of risk, areas where there's too much implicit trust and where our products offer solutions.

But the topic of today's talk is our security service known as Hunt, and you'll see that overlap is blue. And that's to indicate that this is an area of synergy where our experts and automation, big data analytics and machine learning are all coming together to help find really evasive threats in your environment. At the end of this, we'll actually go through a couple of examples of where we've been able to achieve that.

So first, what is Hunt? And in one sentence, it's a service that detects and remediates threats and risks in your environment. We're going to talk a lot more about what all that means and about why we're calling out threats and risks distinctly because they are different. If you look at the pyramid on the right, we like to visualize this service as sitting on top of Guardicore segmentation.
You'll see when we get into the architecture of how this service and how this product works, that it's really pulling a lot of telemetry from the segmentation architecture, and it's leveraging the control of the segmentation architecture to detect things in a way that other detection and other hunting tools cannot and to give you the ability to remediate with great granularity leveraging policy from Guardicore segmentation.

So the 3 reasons folks really leverage this service. First and foremost is always security. You're going to -- first, you're going to get the most out of Akamai segmentation. When you bring this product in, whether you're an existing segmentation customer or you're looking to bring Hunt in alongside Guardicore segmentation at the same time, it allows you to maximize the value of this technology in a really hands-off way. Second is it's immediate. As soon as these agents are installed or if you're an existing customer, as soon as you decide to become a Hunt customer, you're going to get value from this product. You don't have to have enforced policies. You don't have to have done anything with the product itself. Hunt is where we let our experts hunt for you and find things that need your attention. And then last, it's seamless. We are unlike other hunting tools because we're not going to force your team to learn some sort of new hunting syntax or a query language or something like that. We're not going to burden them with alerts, false positives. We're not going to require them to configure any detections or anything like that. And we're also, again, leveraging the agent of Guardicore segmentation. That's a huge, huge factor in this.

So here's a little bit of how that process kind of works from start to finish. First, we're always collecting data.
We're collecting unique signals from various sources, and I'm going to spend a lot of time talking about what those sources are because that's a key way in which we're able to find things that other tools do not. Next, we're analyzing that data with a variety of detection algorithms. It's a lot of data that comes in, a lot of data from both customer environments as well as global threat intelligence that as Akamai, we have quite a lot of. And then from that analysis, we get a manageable amount of suspicious events that our team will investigate. Now if these events went right to your team, you would be in a scenario where you're bogged down like with many other tools with a lot of false positives. There are things that require hunting. They require a human behind glass to investigate the event, determine if, in fact, it is something that's malicious, and then we'll deal with that.

Next is the alerting. So if our team of experts does determine that there's something that needs your attention, they'll provide an alert, and it's not just kind of something's wrong type alert. It's going to have all the details and steps that you need to take action. And then last but not least, we're with you through that mitigation process. Our team does not feel that they've dealt with the event until it's fully mitigated, and we'll be with you every step of the way.

So I like this diagram. It might seem a little confusing at first, but I'll walk you through it and you'll be right there with me by the end. On the left, we have your environment where you see -- it says your network. That's going to be representing the data that we get about your environment. You can't really hunt without data about the environment that you're hunting in. And this data comes from our sensors that are on your agents, are on your devices, end user devices, workloads, network devices, et cetera. We're also leveraging third-party integrations for information from things like your Active Directory.
And last and not least, we also have built-in osquery capabilities. For those who aren't aware of what that is, it's a tool that allows you to ask questions of your operating systems. So we can ask very complicated questions, get some details and help us in our hunting. And one of the examples I'll get to at the end of this will show you just what I mean.

We then bring in addition to the data that's specific to you. We bring in global data. Global data from our proprietary threat intelligence that Akamai has with our visibility of all these network events or of these events over the Internet. Our understanding of malicious DNS, IP, URL, that all gets fed into this detection engine alongside third-party threat feeds as well as global enterprise modeling. One of the things that really helps us find anomalous events is our understanding of what these applications and what these enterprise environments should be doing if they're functioning normally.

The output of that detection engine is a number of suspicions that our experts will investigate. And if they determine that there's something that needs your attention, it falls into 2 buckets. On the right here, we have in the mitigation circle, threats and risks. Threats are if there is actually a threat actor or malware or something in your environment that is threatening your infrastructure right now. A risk, however, is, there might not be a threat actor present, but there might be an open vulnerability or some sort of configuration that would leave you exposed and would make it so a threat actor would be able to achieve his or her adversarial goal in your environment.

So I want to double-click on these signals because they are especially important to our ability to find really evasive threats. The first and foremost is segmentation data.
There is no other detection threat hunting tool out there that leverages this type of data set that's focused on network flows, focused on the way you've labeled your assets and the policies that you have in place. It really helps us see the forest for the trees and understand the bigger picture instead of being myopically focused on any one asset; we see how they're communicating with each other and how they're interacting. And if there's anomalous or suspicious activity, we can find that. The other thing that really helps us do, which is something that sets us apart, is our ability to detect lateral movement. Lateral movement, as we all know, is a nonnegotiable step in the attack chain. If they can't move laterally, they're probably just going to be stuck on the first asset that they were able to breach, which is typically an end-user device through phishing or something like that, and that's not going to be able to garner a large ransom. Our ability to detect and deal with lateral movement is really enabled through the segmentation data.

Next is osquery. We can really find things like vulnerabilities at large scale, pinpoint exactly where they are if they're exposed, and that's really important as well. And then last, we also have third-party integrations for Active Directory, orchestration tools, things like that, that help us to find out even more about what's going on and what might be -- you might be able to reduce your attack surface or deal with threats.

And then on the right side, that global data that I mentioned before, our understanding of the modern Internet. We're a key part of it with our CDN, with our cloud infrastructure. We really have a great understanding and a lot of information about malicious DNS. We have 7 security research teams who are helping us understand the threat landscape. We are modeling and we have hundreds of production environments, which help us to model global enterprises.
And then, of course, just to make sure that we cover all our [indiscernible] bases, we bring in third-party feeds as well.

So now I want to talk a little bit about some of the use cases, and then we'll do 2 of them as detailed examples. One of the use cases is just expert investigation, right? A lot of folks, if they have experts, they're really focused on investigating via certain tools, or if they don't have experts who can do this type of investigation, L2, L3 analysts, and with this tool, they can really simply basically flip a switch if you're already a customer or if you're bringing in, say, Guardicore, you can bring these experts alongside and get the capability to have experts investigating in your environment, something that's otherwise, as we know, hard to achieve. Next is IT hygiene. A lot of what we find are misconfigurations, things that could be done to -- changes that you could do to your IT posture to really reduce the likelihood of a breach or of a damaging breach. And then on the right are the 2 examples that I'll actually dive into in more detail, anomaly detection and virtual patching.

And I'll start with anomaly detection. In this example, we're collecting data from a customer environment, and it typically looked as you can see in the screenshot. There was a machine, and it was communicating to a handful of other assets. Upon analysis, however, one day, our analysis engine detected this suspicious change in traffic. The machine went from communicating as it was on the left to the way it was on the right. Now if you were alerted every single time a machine changed the way it was communicating, you would be buried in false positives. And this is where our experts come into play. We had our security analysts look at this exact machine and look at why it was communicating. And what they were able to determine in this case was that it was, in fact, compromised and attempting lateral movement.
As soon as we made the realization that there was an active threat in the environment, we generated and sent the customer this alert. The alert provided all kinds of details. Details about block policy rules they should apply, logs they needed to check to understand the infection vector, operating systems that needed patching and ways that they could check if machines were connecting to malicious domains. We then worked with that customer to actually enforce all of those policies, run all those checks and remediate everything, and normal communication was restored.

Now I really like this example because there wasn't really an obvious IOA or IOC that we could latch on to in this example. This threat actor was very sophisticated. They were living off the land. They weren't doing anything really noisy that could trigger an alert in an obvious way. It took our understanding of flows, which comes from being a microsegmentation tool focused on lateral movement, and our ability to actually limit those -- the allowance of those flows to help us understand and mitigate this in a really precise way that didn't create a lot of disruption to the business, didn't cause a lot of downtime and allowed us to react really quickly because with microsegmentation in place, every single asset is a policy enforcement point. So we can enforce policy anywhere to deal with the threat. That's really powerful stuff.

The next example that I want to talk about is virtual patching. So in this example, it's focused on Log4j. This was, of course, a global crisis. And in any global event like this of this scale, our team is going to build a specific query to find that type of vulnerability. In this case, we have a piece of the query here on the left. It was actually quite long and quite complicated. But what it did was it looked for any machines that had Log4j. And we actually ran this in all environments by default, and we're going to always do this.
Any time there's an event, a newsworthy event like this, we're going to make a custom-tailored way to deal with that event as soon as possible. What happened was when we ran that query, our detection engine -- I'm sorry about the lights there, our detection engine would then determine which machines were vulnerable to an attack. Our investigators would take a look at each of those events and determine if any of those had been exploited. And then we would send an alert to customers.

Now in this example, because it was a global crisis, a detailed report went to every customer, whether they had the vulnerability present or not and whether or not those vulnerabilities were being exploited or not. And this was really important because if you were, of course, under attack, we gave you the tools to deal with it, and we helped you deal with it. But if you were not under attack or not vulnerable, it really gave these security professionals peace of mind. They could go to their Board because this was clearly a Board-level issue unlike every other -- everyday security events, and they could tell them, we have actually actively scanned our environment for this, and we know that it's not here. Knowing that it was not there is a really hard thing to achieve, and it really helped our customers. So in any of the 3 examples, if they did have it, and it wasn't exploited, if it was being exploited or it wasn't at all, they -- and it wasn't at all, they got an alert and they got value from this scenario.

And then, of course, the exposed customers were offered steps to virtually patch the vulnerability via segmentation policy. This is a great way to do virtual patching because you can, like I said, every asset is a PEP, a policy enforcement point. And you can very specifically and granularly block the attack vector without actually stopping these assets from being able to function.
You don't have to do a full quarantine or isolation of the asset, you just block the attack vector and they go along with their day.

So you might be wondering like how you'll receive these alerts. There are a few ways. One is you'll get a monthly report with an executive-level summary as well as all the details of anything that might have happened that month. You'll also have statistics in that report and any new Hunt techniques that have been brought in to deal with newsworthy events. You also have this visibility in the Guardicore console, so you can bring this up at any time as well as the ability to customize who gets alerts and when.

So to conclude, Akamai Hunt's benefits to the business. First and foremost is security. We're stopping threats that other tools are missing, and that's really important to us. We have lots of examples of this where folks have other detection tools in their environment. And we're finding things that they're not, whether it's an active threat or just a way to harden your environment and improve your security posture. All of our customers are getting a lot of value from day 1 from this product, which leads me into the next bullet here, immediacy. Leveraging the segmentation infrastructure allows you to immediately begin to collect rich telemetry and to act on that telemetry. You don't have to roll out any kind of infrastructure. If you're an existing customer, you say you want this product, we will immediately begin finding things. No need to write rules, no need to do anything. And if you're bringing in Guardicore, if you decide to bring Hunt along with it, then you're getting that value. It's kind of piggybacking, it's along for the ride for that segmentation project you're doing. And then last, it's seamless. There's going to be no additional software, no agent rollouts, no upgrades. It's really a unique way to bring in threat hunting. Thank you all for tuning in to this session today.
I was really excited to get to talk about this exciting new service that we have. If you have any questions, please contact us on akamai.com. We would love to talk to you more about this. And if you're an existing customer, we'd love to just go ahead and turn this on in your environment and start hunting for things. Thank you again. My name is Dan Petrillo, and I'll see you around. Take care.
