
Status Update

Mar 23, 2023

Dan Petrillo
Director of Product Marketing, Akamai Technologies

Hi, folks. Welcome to our webinar, We'll Hunt For You, where we'll introduce Akamai's newest security service called Akamai Hunt. My name is Dan Petrillo. I'm the Director of Product Marketing for Akamai, and I'm really excited to be here today. Thank you all for joining. To begin, for the folks who are not as familiar with Akamai, I wanna touch on where this product fits within our larger portfolio. We won't spend a lot of time here. Akamai is really proud to offer an extensive portfolio of Zero Trust products and services, helping you gain that coverage, visibility, and control that you need to reach Zero Trust and to achieve your Zero Trust goals. If you look at the items around this circle, you'll see the overlapping bubbles for ZTNA, SWG, our Secure Web Gateway, and segmentation are red.

That's to indicate that these are areas of risk, areas where there's too much implicit trust and where our products offer solutions. The topic of today's talk is our security service known as Hunt, and you'll see that overlap is blue. That's to indicate that this is an area of synergy where our experts and automation, big data analytics, and machine learning are all coming together to help find, really evasive threats in your environment. At the end of this, we'll actually go through a couple of examples of where we've been able to achieve that. First, you know, what is Hunt? In one sentence, it's a service that detects and remediates threats and risks in your environment.

We're gonna talk a lot more about what all that means and about why we're calling out threats and risks distinctly, because they are different. If you look at the pyramid on the right, we like to visualize this service as sitting on top of Guardicore Segmentation. You'll see, when we get into the architecture of how this service and this product works, that it's really pulling a lot of telemetry from the segmentation architecture, and it's leveraging the control of the segmentation architecture to detect things in a way that other detection and hunting tools cannot, and to give you the ability to remediate with great granularity, leveraging policy from Guardicore Segmentation. There are three reasons folks really leverage this service. First and foremost is always security. First, you're gonna get the most out of Akamai Segmentation.

When you bring this product in, whether you're an existing segmentation customer or you're looking to bring Hunt in alongside Guardicore segmentation at the same time, it allows you to maximize the value of this technology in a really hands-off way. Second is it's immediate. As soon as these agents are installed, or if you're an existing customer, as soon as you decide to become a Hunt customer, you're gonna get value from this product. You don't have to have enforced policies. You don't have to have done anything with the product itself. Hunt is where we let our experts hunt for you and find things that need your attention. Last, it's seamless. We are unlike other hunting tools because we're not gonna force your team to learn some sort of new hunting syntax or querying language or something like that.

We're not gonna burden them with alerts and false positives. We're not gonna require them to configure any detections or anything like that. We're also, again, leveraging the agent of Guardicore Segmentation. That's a huge factor in this. Here's a little bit of how that process kinda works from start to finish. First, we're always collecting data. We're collecting unique signals from various sources, and I'm gonna spend a lot of time talking about what those sources are, because that's a key way in which we're able to find things that other tools do not. Next, we're analyzing that data with a variety of detection algorithms. It's a lot of data that comes in, a lot of data from both customer environments as well as global threat intelligence, which, as Akamai, we have quite a lot of.

From that analysis, we get a manageable amount of suspicious events that our team will investigate. If these events went right to your team, you would be in a scenario where you're bogged down, like with many other tools, with a lot of false positives. They're things that require hunting. They require a human behind glass to investigate the event, determine if in fact it is something that's malicious, and then we'll deal with that. Next is the alerting. If our team of experts does determine that there's something that needs your attention, they'll provide an alert, and it's not just a kind of "something's wrong" type alert. It's gonna have all the details and steps that you need to take action. Last but not least, we're with you through that mitigation process.

Our team does not feel that they've dealt with the event until it's fully mitigated, and we'll be with you every step of the way. I like this diagram. It might seem a little confusing at first, but I'll walk you through it, and you'll be right there with me by the end. On the left we have your environment, where you see it says your network. That's going to be representing the data that we get about your environment. You can't really hunt without data about the environment that you're hunting in. This data comes from our sensors that are on your agents or on your devices: end user devices, workloads, network devices, et cetera. We're also leveraging third-party integrations for information from things like your Active Directory.

Last but not least, we also have built-in osquery capabilities. For those who aren't aware of what that is, it's a tool that allows you to ask questions of your operating systems. We can ask very complicated questions, get some details, and help us in our hunting. One of the examples I'll get to at the end of this will show you just what I mean. In addition to the data that's specific to you, we bring in global data: global data from our proprietary threat intelligence that Akamai has with our visibility of all these network events over the Internet. Our understanding of malicious DNS, IP, URL, that all gets fed into this detection engine alongside third-party threat feeds, as well as global enterprise modeling.

One of the things that really helps us find anomalous events is our understanding of what these applications and what these enterprise environments should be doing if they're functioning normally. The output of that detection engine is a number of suspicions that our experts will investigate. If they determine that there's something that needs your attention, it falls into two buckets. On the right here, in the mitigation circle, we have threats and risks. Threats are if there is actually a threat actor or malware or something in your environment that is threatening your infrastructure right now.

A risk, however, is there might not be a threat actor present, but there might be an open vulnerability or some sort of configuration that would leave you exposed and would make it so a threat actor would be able to achieve his or her adversarial goals in your environment. I wanna double-click on these signals because they're especially important to our ability to find really evasive threats. The first and foremost is segmentation data. There is no other detection or threat hunting tool out there that leverages this type of data set that's focused on network flows, focused on the way you've labeled your assets and the policies that you have in place. It really helps us see the forest for the trees and understand the bigger picture.

Instead of being myopically focused on any one asset, we see how they're communicating with each other and how they're interacting, and if there's anomalous or suspicious activity, we can find that. The other thing that it really helps us do, which is something that sets us apart, is our ability to detect lateral movement. Lateral movement, as we all know, is a non-negotiable step in the attack chain. If they can't move laterally, they're probably just gonna be stuck on the first asset that they were able to breach, which is typically an end user device through phishing or something like that, and that's not gonna be able to garner a large ransom. Our ability to detect and deal with lateral movement is really enabled through this segmentation data. Next is osquery.

We can really find things like vulnerabilities at large scale and pinpoint exactly where they are and if they're exposed; that's really important as well. Last, we also have third-party integrations for Active Directory, orchestration tools, things like that, that help us to find out even more about what's going on and what might be the ways you might be able to reduce your attack surface or deal with threats. On the right side is that global data that I mentioned before, our understanding of the modern Internet. We're a key part of it with our CDN, with our cloud infrastructure. We really have a great understanding and a lot of information about malicious DNS. We have seven security research teams who are helping us understand the threat landscape.

We have hundreds of production environments which help us to model global enterprises. Of course, just to make sure that we cover all our bases, we bring in third-party feeds as well. Now I wanna talk a little bit about some of the use cases, and then we'll do two of them as detailed examples. One of the use cases is just expert investigation, right? A lot of folks, if they have experts, they're really focused on investigating via certain tools, or they don't have experts who can do this type of investigation, L2, L3 analysts.

With this tool, they can really simply, basically flip a switch if you're already a customer, or if you're bringing in, say, Guardicore, you can bring these experts alongside and get the capability to have experts investigating in your environment, something that's otherwise, as we know, hard to achieve. Next is IT hygiene. A lot of what we find are misconfigurations, things that could be changes that you could do to your IT posture to really reduce the likelihood of a breach or of a damaging breach. On the right are the two examples that I'll actually dive into in more detail, anomaly detection and virtual patching. I'll start with anomaly detection. In this example we were collecting data from a customer environment, and it typically looked as you can see in this screenshot.

There was a machine, and it was communicating to a handful of other assets. Upon analysis, however, one day our analysis engine detected this suspicious change in traffic. The machine went from communicating as it was on the left to the way it was on the right. If you were alerted every single time a machine changed the way it was communicating, you would be buried in false positives. This is where our experts come into play. We had our security analysts look at this exact machine and look at why it was communicating. What they were able to determine in this case was that it was in fact compromised and attempting lateral movement. As soon as we made the realization that there was an active threat in the environment, we generated and sent the customer this alert.

The alert provided all kinds of details: details about block policy rules they should apply, logs they needed to check to understand the infection vector, operating systems that needed patching, ways that they could check if machines were connecting to malicious domains. We then worked with that customer to actually enforce all of those policies, run all those checks, and remediate everything, and normal communication was restored. I really like this example because there wasn't really an obvious IOA or IOC that we could latch on to in this example. This threat actor was very sophisticated. They were living off the land. They weren't doing anything really noisy that could trigger an alert in an obvious way.

It took our understanding of flows, which comes from being a microsegmentation tool focused on lateral movement, and our ability to actually limit the allowance of those flows, to help us understand and mitigate this in a really precise way that didn't create a lot of disruption to the business, didn't cause a lot of downtime, and allowed us to react really quickly. With microsegmentation in place, every single asset is a policy enforcement point. We could enforce policy anywhere to deal with the threat. That's really powerful stuff. The next example that I wanna talk about is virtual patching. In this example, it's focused on Log4j. This was, of course, a global crisis, and in any global event like this, of this scale, our team is gonna build a specific query to find that type of vulnerability.

In this case, we have a piece of the query here on the left. It was actually quite long and quite complicated, but what it did was it looked for any machines that had Log4j. We actually ran this in all environments by default, and we're gonna always do this. Anytime there's an event, a newsworthy event like this, we're gonna make a custom-tailored way to deal with that event as soon as possible. What happened was, when we ran that query, our detection engine... Oops, sorry about the lights there. Our detection engine would then determine which machines were vulnerable to an attack. Our investigators would take a look at each of those events and determine if any of those had been exploited, and then we would send an alert to our customers.

Now, in this example, because it was a global crisis, a detailed report went to every customer, whether they had the vulnerability present or not, and whether or not those vulnerabilities were being exploited. This was really important because if you were, of course, under attack, we gave you the tools to deal with it, and we helped you deal with it. If you were not under attack or not vulnerable, it really gave the security professionals peace of mind. They could go to their board, because this was clearly a board-level issue, unlike every other, you know, everyday security event.

They could tell them, "We have actually actively scanned our environment for this, and we know that it's not here." Knowing that it was not there is a really hard thing to achieve, and it really helped our customers. In any of the three scenarios, whether they did have it and it wasn't exploited, it was being exploited, or it wasn't there at all, they got an alert, and they got value from this scenario. Then, of course, the exposed customers were offered steps to virtually patch the vulnerability via segmentation policy. This is a great way to do virtual patching, because, like I said, every asset is a PEP, a policy enforcement point.

You can very specifically and granularly block the attack vector without actually stopping these assets from being able to function. You don't have to do a full quarantine or isolation of the asset. You just block the attack vector, and they go along with their day. You might be wondering, like, how you receive these alerts. There are a few ways. One is you'll get a monthly report with an executive-level summary, as well as all the details of anything that might have happened that month. You'll also have statistics in that report and any new Hunt techniques that have been brought in to deal with, you know, newsworthy events. You also have this visibility in the Guardicore console, so you can bring this up at any time, as well as the ability to customize who gets alerts and when.

To conclude, Hunt's benefits to the business, first and foremost, is security. We're stopping threats that other tools are missing, and that's really important to us. We have lots of examples of this where folks have other detection tools in their environment, and we're finding things that they're not. Whether it's an active threat or just a way to harden your environment and improve your security posture, all of our customers are getting a lot of value from day one from this product. Which leads me into the next bullet here, immediacy. Leveraging the segmentation infrastructure allows you to immediately begin to collect rich telemetry and to act on that telemetry. You don't have to roll out any kind of infrastructure. If you're an existing customer, you say you want this product, we will immediately begin finding things.

No need to write rules, no need to do anything. If you're bringing in Guardicore, if you decide to bring Hunt along with it, you're getting that value. It's kind of piggybacking. It's along for the ride for that segmentation project you're doing. Last, it's seamless. There's gonna be no additional software, no agent rollouts, no upgrades. It's really a unique way to bring in threat hunting. Thank you all for tuning in to this session today. I was really excited to get to talk about this exciting new service that we have. If you have any questions, please contact us on akamai.com. We would love to talk to you more about this.

If you're an existing customer, we'd love to just go ahead and turn this on in your environment and start hunting for things. Thank you again. My name is Dan Petrillo, and I'll see you around. Take care.
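The anomaly detection example in the talk (a machine whose set of communication peers suddenly changes, triaged by an analyst and then contained with a narrow block policy) can be illustrated with a small flow-baseline check. This is an added example, not Akamai Hunt or Guardicore code; the flow records, the asset names, the admin-port list and the threshold are all constructed assumptions.

```python
"""Flow-baseline anomaly check, in the spirit of the webinar's anomaly
detection example.  Added illustration, not Akamai Hunt or Guardicore
code: it baselines each asset's peer set from constructed flow records
and flags an asset whose *new* peers look like lateral movement (several
new internal destinations on admin ports), producing a suspicion for a
human to triage rather than an alert on every change."""
from collections import defaultdict
from dataclasses import dataclass

# Ports commonly used for host-to-host administration; a burst of new
# internal peers on these is the pattern the talk describes.  Assumed list.
ADMIN_PORTS = {22, 135, 445, 3389, 5985}

@dataclass(frozen=True)
class Flow:
    src: str   # source asset label
    dst: str   # destination asset label
    dport: int # destination port

# Constructed sample: the asset's normal flows, then one day's flows.
BASELINE = [
    Flow("app-01", "db-01", 5432), Flow("app-01", "cache-01", 6379),
    Flow("app-01", "log-01", 514),
]
TODAY = [
    Flow("app-01", "db-01", 5432), Flow("app-01", "cache-01", 6379),
    Flow("app-01", "web-02", 445), Flow("app-01", "web-03", 445),
    Flow("app-01", "hr-01", 3389), Flow("app-01", "fin-02", 22),
]

def peer_sets(flows):
    """Map each source asset to the set of (dst, dport) it talked to."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
    return peers

def suspicious_assets(baseline, today, min_new_admin=3):
    """Return {asset: [new admin-port peers]} for assets whose new admin-port
    peers reach min_new_admin.  The threshold keeps routine peer churn from
    becoming an alert; what remains is a suspicion for an analyst."""
    base, now = peer_sets(baseline), peer_sets(today)
    out = {}
    for asset, peers in now.items():
        new_admin = sorted(p for p in peers - base[asset] if p[1] in ADMIN_PORTS)
        if len(new_admin) >= min_new_admin:
            out[asset] = new_admin
    return out

def block_candidates(findings):
    """Turn confirmed findings into candidate deny rules (src, dst, port)
    for review; blocking only the new vector leaves normal flows intact."""
    return [(a, d, p) for a, peers in findings.items() for d, p in peers]
```

The candidate rules deny only the newly observed admin-port flows, which is the narrow, per-asset enforcement the talk contrasts with full quarantine.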
