Akamai’s State of the Internet Report: Fortify the Future of Your Defense from VPNs to Kubernetes

Cyber threats continue to evolve at an alarming pace, pushing organizations to refine their defense strategies. In the latest episode of CISO Insights, Steve Winterfeld, Advisory CISO at Akamai, discusses the company’s latest State of the Internet (SOTI) report, “Defenders’ Guide 2025: Fortify the Future of Your Defense.”

The report marks a shift in focus for Akamai, from traditional 20-30 page reports to a more in-depth, 50-page guide that provides defenders with practical insights and best practices to stay ahead of emerging threats.

Key Takeaways from the Report

The report is divided into three main sections: risk management, network and architecture security, and host security. Winterfeld highlights the importance of risk scoring methodologies, which help defenders identify, quantify, and mitigate threats across different environments. “We’re really taking a look at how to help those that are out there actually doing the defense, understand what’s going on and best practices to use,” Winterfeld explains.

The report also delves into the world of malware, with a focus on SSH, open protocols, and the most impacted regions, including the US. Winterfeld notes that “there’s over 20 million machines just facing the internet.” This level of exposure makes it easier for cybercriminals to exploit common vulnerabilities, particularly those linked to SSH, SMB, and RDP protocols.

Winterfeld also discusses the rise of bots, including Note, FritzFrog, and RedTail, each with its own unique business model and attack vector.

Understanding the behavior of these botnets is essential in determining the right defense strategies. As Winterfeld explains, different types of attacks require different approaches: “The more I understand the enemy, the better I understand which tools and techniques I need to use. So, as you look at bots, understanding when you need a simple WAF versus when you need a specialized tool is critical.”

Network Architecture and Host Security

The report explores the vulnerabilities of VPNs, which are often considered legacy technology, and the importance of securing appliances and infrastructure.

While once a cornerstone of remote security, VPN appliances have increasingly become a liability. Attackers are actively exploiting weaknesses in authentication bypass mechanisms, remote code execution flaws, and default configurations that leave sensitive data exposed. “VPNs, for most of us, are almost a legacy technology,” Winterfeld notes. “Some of them have very specific vendor vulnerabilities, while others are more protocol-based. Understanding these risks is crucial for organizations moving forward.”

Beyond traditional network risks, JavaScript-based attacks—specifically cross-site scripting (XSS)—remain a significant threat. As businesses rely more on web applications for customer interactions, transactions, and analytics, securing JavaScript environments is becoming increasingly important.

Winterfeld emphasizes the need for defenders to understand the common types of attacks, including authentication bypass, remote code execution flaws, and extraction of configuration data. “Some of these, if it’s a zero day, you may need to do mitigation. If it’s not a zero day, it might be the way you configure things,” Winterfeld explains.

Emerging Trends and Technologies

Winterfeld notes that emerging technologies, such as containers and Kubernetes, are often targeted by attackers due to their relative immaturity and lack of security guardrails. “As we move into APIs, containers, and large language models, we’re just not as mature,” Winterfeld says. He also highlights the importance of understanding the OWASP Top 10 and how to apply its principles to web pages, APIs, and large language models.

The Role of AI in Security

While the current report does not specifically focus on AI, Winterfeld acknowledges the growing importance of AI and machine learning in security. “We are looking at that in some of our products—both in terms of our own products, and how to defend large language models in GenAI—as well as how to put them in our products,” Winterfeld adds.

Actionable Insights for Defenders

Winterfeld emphasizes the importance of taking action on knowledge and provides several key takeaways for defenders, including:

    • Understanding the enemy: Learn about the latest threats and attack vectors to inform your defense strategy.
    • Implementing basic cyber hygiene: Ensure that fundamental security practices are in place across all environments.
    • Layering defense: Consider the MITRE ATT&CK framework and ensure that security controls are in place across all 14 tactics and techniques.
    • Focusing on business-critical services: Prioritize risk management and scope to protect the most critical assets.
    • Building relationships: Establish trusted incident response partners and ensure that you have a plan in place for responding to attacks.

“Every day, I want to know how I can take action on knowledge,” Winterfeld says. “So, I think the first step is understanding a bit more about bots. The more I understand the enemy, the better I can determine which tools, techniques and methodologies to use.”

Overall, Akamai’s State of the Internet report provides defenders with a comprehensive guide to staying ahead of emerging threats and fortifying their defenses. By understanding the latest trends, technologies, and attack vectors, defenders can take proactive steps to protect their organizations and stay ahead of the evolving threat landscape.

Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show: CISO Insights
