Sucuri Security Technical Overview

Transcription

WHITEPAPER
Sucuri Security Technical Overview
Product and Service Description

Table of Contents

Sucuri Security
  Company Overview

Products/Service Description
  Monitoring
  Protection
  Response
  Backup

Exhibits
  Exhibit A: Holistic Network Diagram (Sucuri Firewall)
  Exhibit B: DDoS Mitigation
  Exhibit C: Exploit Prevention
  Exhibit D: HTTPS/SSL/TLS Support
  Exhibit E: Installation and Configuration
  Exhibit F: Performance Optimization and Caching
  Exhibit G: Infrastructure Security and Compliance

Whitepaper - Sucuri Technical Overview

Sucuri Security
Company Overview

Sucuri is a globally-recognized security company, specializing in providing comprehensive security to website owners. A US-based company founded in 2010, Sucuri maintains a global presence with employees in over 23 countries distributed across the major continents to ensure support is accessible 24/7/365. It provides website security services to over 500,000 customers around the world, remediates over 700 infected websites a day, monitors over 2 million websites and handles over 30 billion unique page views a month.

All of Sucuri’s technology is proprietary, built by our team of security engineers and researchers. The technology is designed to address the growing online security threats as they emerge. Our team is dedicated to ensuring the confidentiality, integrity, and availability of every website within the Sucuri network. At Sucuri, we care and treat every website as if it’s our own.

The solution we offer is built on three core pillars – protection, detection, and response. We take a defense-in-depth approach to website security, in which we employ multiple layers of security to provide the most comprehensive solution available. Combining people, process, and technology ensures that websites are protected and attacks are mitigated as quickly and efficiently as possible.

These pillars allow Sucuri to deploy a defensive solution to stop the attacks before they start. This prevention solution is coupled with a continuous scanning engine designed to identify rogue elements that might prove to be indicators of a potential compromise. Sucuri provides a professional Incident Response Team (IRT) in the event that an attack is successful, giving businesses peace of mind through our obsessive attention to current and emerging threats within the website security domain.

People, Process, and Technology

There is no single turnkey solution to security; instead it’s a combination of people, processes, and technology that help create a dynamic and scalable approach to security for any organization. Sucuri’s products are designed to reduce a brand’s risk of a breach through the deployment of both proactive and reactive mechanisms addressing each of the elements described above. Sucuri’s solution is a complementary offering that bolts onto an organization’s existing security controls, satisfying a number of governance requirements while alleviating and enabling security teams to continue to focus on their core responsibilities.

Product/Service Description

Sucuri provides a comprehensive security solution for websites with the website security platform. It is comprised of four core functions designed to provide organizations a holistic end-to-end security solution for their website needs.

Monitoring

The monitoring technology is a cloud-based Software as a Service (SaaS) Intrusion Detection System (IDS) built on the concept of a network-based integrity monitoring system. The monitoring system is a remote and local (server-side) continuous scanning engine, providing near real-time visibility into the security state of a website.

The monitoring feature includes an alerting engine in the event an IoC is detected. Then the appropriate Security Operations Group (SOG) is notified to take immediate action by the security IRT.

Activating monitoring requires no installation or application changes. All sites are added and configured via the Sucuri dashboard. To enable the server-side scanning, a PHP agent is required at the root of the main domain.

Our IRT is designed to detect multiple Indicators of Compromise (IoC), to include, but not limited to:
- Malware Distribution
- Blocklisting Incidents
- SEO Spam
- Phishing Lure Pages
- SSL Certificates
- DNS Changes

Protection

The Sucuri Firewall is a cloud-based SaaS Website Application Firewall (WAF) and Intrusion Prevention System (IPS) for websites. It functions as a reverse proxy by intercepting and inspecting all incoming Hypertext Transfer Protocol/Secure (HTTP/HTTPS) requests to a website, stripping it of malicious requests at the Sucuri network edge before it arrives at your server. The Sucuri Firewall includes both Virtual Patching and Virtual Hardening engines that allow for real-time mitigation of threats with no impact to the website.

The Sucuri Firewall is built on a Content Distribution Network (CDN) that provides performance optimization features to a website. The CDN utilizes a proprietary approach to caching dynamic and static content across all nodes in the network to ensure optimal performance around the world. Additionally, the Sucuri Firewall offers full Domain Name Server (DNS) services.

The Sucuri Firewall runs on a Globally Distributed Anycast Network (GDAN), built and managed by the Sucuri team. The GDAN configuration allows for high availability and redundancy in the event of any failures in the network. Sucuri currently manages twelve Points of Presence (PoP).

The firewall is supported by the Sucuri Security Operations Center (SOC) which provides 24/7/365 monitoring and response to all attacks. Some of the features that the Sucuri Firewall offers a website owner include:
- Mitigation of Distributed Denial of Service (DDoS) Attacks
- Prevention of Vulnerability Exploit Attempts (i.e., SQLi, XSS, RFI / LFI, etc.)
- Protection Against the OWASP Top 10 (and more)
- Access Control Attacks (i.e., Brute Force attempts)
- Performance Optimization

The Sucuri Firewall requires no installation or application changes. It is done via DNS by adding an A record or switching to Sucuri nameservers.

Points of Presence
- San Jose, California
- Washington, DC
- Dallas, Texas
- Chicago, Illinois
- Miami, Florida
- London, United Kingdom
- Amsterdam, Netherlands
- Sofia, Bulgaria
- Frankfurt, Germany
- Mumbai, India
- Tokyo, Japan
- Singapore

Increased Performance with the People’s CDN

The Sucuri Firewall runs on a Globally Distributed Anycast Network, built and managed by the Sucuri team. Your site benefits from high availability and redundancy in the event of network failure.

We focus on useful metrics to optimize speed, like total time, not first byte or server response time. Our growing network outperforms competitors and offers all the servers you need to get optimal speed and performance.

Response

The response system offers a professional Security Incident Response Team (IRT). This team is available to respond to all website-related security incidents identified by Sucuri and its customers. The team is highly trained and capable of mitigating all website infections and malware-related issues.

This solution exists because of the complex nature of website security. Intrusions occur for a variety of reasons. Although our various technologies are being employed to assist in the prevention of such compromises, there are things beyond Sucuri’s control. Examples include poor user/password management or creation, poor security configurations, and other similar environmental issues. Because of the expanded attack vector outside of Sucuri’s control, the response feature is designed to provide organizations a complementary team to assist in the identification and eradication of any successful compromises. This would include analysing the cause, assisting in the patching of the issue, and restoring the environment to operational order.

Our response solution requires no installation or application changes. It does require direct access to the web server / application via FTP/SFTP or SSH.

Response addresses all website infections, including but not limited to:
- Website Malware Infections
- Server Level Malware Infections
- SEO Spam Injections
- Malicious User Redirects
- Website Defacements
- Removal of all Backdoors
- Removal of Website Blocklist Annotations

Backup

The backup system provides an organization continuous operations in the event of an emergency. It offers storage of all website files and databases in a remote location on Sucuri’s network. If an event does occur, the backups are available to an organization.

Backups require no installation or application changes. All sites are added and configured via the Sucuri dashboard.

Exhibit A: Holistic Network Diagram (Sucuri Firewall)

Exhibit B: DDoS Mitigation

Mitigation of Distributed Denial of Service (DDoS) attacks is a key feature the Sucuri Firewall offers its customers.

Network-Based DDoS (n-DDoS) Attacks (A.K.A. Volumetric Attacks)

Sucuri’s approach to mitigating network-based attacks includes investing in resources across all PoP locations. It’s built on an Anycast network that allows the distribution of all inbound traffic across the network, explicitly blocking all non-HTTP/HTTPS-based traffic. The current network capacity exceeds 250 Gigabytes Per Second (GPS). Each PoP has multiple 10G and 40G ports from different providers, all designed to absorb and scale to very large inbound traffic requirements and attacks.

Application-Based DDoS (a-DDoS) Attacks

These attacks are designed to disrupt a website’s availability by attacking the server resources directly. Flooding a server with requests, an attacker is able to consume local server resources to the point where the server becomes incapable of responding to legitimate requests. In these cases, the website will become unresponsive. The order of magnitude is very different; these attacks are measured in Requests Per Second (RPS) and can begin at 100/200 requests per second for many web servers.

Sucuri’s approach to mitigating these attacks is part technology, part human, and part artificial intelligence. The firewall employs technology that allows the team and engine to profile and analyse requests across the entire network, allowing us to accurately strip malicious requests from benign requests. Additionally, within the Sucuri network websites can support 300k RPS per website.
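The per-client request profiling that the a-DDoS paragraph describes, shown as an added example written for this overview rather than Sucuri's own engine: a sliding-window counter runs over constructed access-log lines, forwards a client's requests while its rate stays under a threshold, and reports the excess as stripped. The log format, the 100 RPS threshold, the one-second window and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Added example: request-rate profiling for application-layer (a-DDoS) floods.
Illustrative code for this overview, not Sucuri's implementation; the log
format, threshold and sample traffic are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: <client_ip> [<ISO timestamp>] "<method> <path>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.fromisoformat(m["ts"]),
        "path": m["path"],
        "status": int(m["status"]),
    }


class RateProfiler:
    """Sliding-window counter per client. A request is forwarded while the
    client's request count inside the window is at or under the limit; once the
    limit is exceeded, further requests in that window are reported as
    stripped (i.e. not passed on to the origin)."""

    def __init__(self, limit_rps, window_seconds=1.0):
        self.limit = limit_rps * window_seconds
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def observe(self, event):
        q = self.hits[event["ip"]]
        q.append(event["ts"])
        # Drop timestamps that fell out of the window.
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        return "strip" if len(q) > self.limit else "forward"


def triage(lines, limit_rps=100, window_seconds=1.0):
    """Run the profiler over log lines. Returns (per-client decision counts,
    set of clients that had at least one request stripped)."""
    profiler = RateProfiler(limit_rps, window_seconds)
    counts = defaultdict(lambda: {"forward": 0, "strip": 0})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable line; a real deployment would count these
        counts[event["ip"]][profiler.observe(event)] += 1
    flagged = {ip for ip, c in counts.items() if c["strip"]}
    return dict(counts), flagged


def sample_log():
    """Constructed traffic: one ordinary visitor and one flood source."""
    base = datetime(2022, 1, 1, 12, 0, 0)
    lines = []
    # Ordinary visitor: three page views two seconds apart.
    for i in range(3):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f'198.51.100.7 [{ts.isoformat()}] "GET /index.php" 200')
    # Flood source: 150 requests to one URL inside a single second.
    for i in range(150):
        ts = base + timedelta(milliseconds=6 * i)
        lines.append(f'203.0.113.9 [{ts.isoformat()}] "GET /index.php" 200')
    return lines


if __name__ == "__main__":
    counts, flagged = triage(sample_log())
    for ip, c in counts.items():
        print(ip, c)
    print("flagged:", sorted(flagged))
```

With the constructed log, the flood source has its first 100 requests forwarded and the remaining 50 stripped, while the ordinary visitor is never touched; a production profiler would additionally correlate across PoPs, as the exhibit notes, rather than judging each node in isolation.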

Exhibit C: Exploit Prevention

The firewall prevents remote exploit attempts that try to abuse software vulnerabilities, such as those identified by the Open Web Application Security Project (OWASP). These attacks may include exploit attempts against the website directly and target things like injection (e.g., SQLi, XSS, etc.), remote code execution (RCE), security misconfiguration, remote file inclusion (RFI), and other vulnerabilities.

The Sucuri Firewall uses a proprietary multi-tiered approach to identifying and stripping malicious application requests.

Tier 1: Application Profiling
The first tier uses a deny-all approach and allowlist model, where all requests that don’t fit an application’s profile are blocked explicitly at the edge. This profile is built dynamically on the technology/CMS a website is using. No third-party services are used.

Tier 2: Blocklist Engine
The second tier uses a custom-built blocklist signature blocking model built by the Sucuri team to account for any potential outliers or evolving threats. No third-party services are used.

Tier 3: Correlation Engine
The third tier analyzes all requests across the Sucuri network to profile attacker behavior and apply it globally to all sites protected by Sucuri. This is a learning engine that proactively applies updates to the network as the threat landscape evolves.
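The first two tiers, shown as an added example written for this overview and not Sucuri's engine: a deny-all application profile (allowed methods, path patterns and parameter shapes) is evaluated first, and only requests that fit the profile reach a small blocklist signature stage, which catches outliers that are well-formed but still unwanted. The profile entries, the two signatures and the sample requests are constructed assumptions; a real profile is built from the CMS in use, as the exhibit says.

```python
"""Added example: tier 1 (deny-all allowlist profile) followed by tier 2
(blocklist signatures). Illustrative code for this overview; the profile,
signatures and requests are constructed, not Sucuri's rules."""
import re
from urllib.parse import urlsplit

# Tier 1: the application profile. Anything not listed here is denied at the
# edge before a signature is ever consulted.
PROFILE = {
    "methods": {"GET", "POST"},
    # Allowed path patterns for a hypothetical CMS install.
    "paths": [re.compile(p) for p in (
        r"^/$",
        r"^/index\.php$",
        r"^/blog/[a-z0-9-]+/?$",
        r"^/assets/[\w./-]+\.(css|js|png|jpg)$",
    )],
    # Allowed query parameter names, each with the shape its value must have.
    "params": {
        "page": re.compile(r"^\d{1,4}$"),
        "s": re.compile(r"^[\w ]{0,64}$"),
    },
}

# Tier 2: blocklist signatures applied to requests that passed the profile.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("html-injection", re.compile(r"<\s*script", re.I)),
]


def tier1_profile(method, url):
    """Deny-all allowlist: method, path and every query parameter must fit."""
    parts = urlsplit(url)
    if method not in PROFILE["methods"]:
        return "deny:method"
    if not any(p.match(parts.path) for p in PROFILE["paths"]):
        return "deny:path"
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        shape = PROFILE["params"].get(name)
        if shape is None or not shape.match(value):
            return f"deny:param:{name}"
    return "allow"


def tier2_blocklist(method, url):
    """Signature stage for well-formed outliers, e.g. '../' inside an
    otherwise acceptable asset path."""
    for name, sig in SIGNATURES:
        if sig.search(url):
            return f"deny:signature:{name}"
    return "allow"


def inspect(method, url):
    """Run the tiers in order; the first deny verdict wins."""
    for stage in (tier1_profile, tier2_blocklist):
        verdict = stage(method, url)
        if verdict != "allow":
            return verdict
    return "allow"


if __name__ == "__main__":
    for req in [("GET", "/blog/hello-world?page=2"), ("DELETE", "/index.php"),
                ("GET", "/admin"), ("GET", "/index.php?debug=1"),
                ("GET", "/assets/../index.js")]:
        print(req, "->", inspect(*req))
```

The ordering matters for cost and for false-positive handling: most unwanted traffic never fits the profile and is dropped by the cheap tier, and the signature tier only has to cover what the profile cannot express, which is why the exhibit describes it as handling outliers and evolving threats.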

Additionally, the Sucuri Firewall employs a Virtual Patching and Virtual Hardening approach to its mitigation strategy:

Virtual Patching
With virtual patching, the Sucuri team is able to quickly respond to emerging threats with no impacts to a website. All patches are applied at the Sucuri edge. This is especially effective for larger organizations with strict security governance on when and how patches can be applied to a production environment. Additionally, custom rules can also be applied.

Virtual Hardening
With virtual hardening, the Sucuri team is able to apply vulnerability-agnostic patches to a website. Hardening can be specific to the CMS (i.e. WordPress, Joomla!, Drupal, etc.) or more generic to a web server (i.e. Apache/IIS).

The effectiveness of the firewall is limited to its ability to see all incoming traffic. The most common evasion technique is for attackers to attack the origin server directly, which is why it’s important that all direct traffic to the origin server is restricted to the Sucuri network.
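One way to enforce the origin restriction in the last paragraph, as an added example written for this overview and not Sucuri's own code: the origin only accepts connections whose TCP peer is inside the edge network's address ranges, trusts X-Forwarded-For only on such connections, and can emit the matching Apache 2.4 "Require ip" line. The two ranges used here are RFC 5737/3849 documentation prefixes standing in for the provider's published ranges, which the page does not list.

```python
"""Added example: origin-side gate that rejects traffic bypassing the edge.
Illustrative code for this overview; EDGE_RANGES are placeholders, not
Sucuri's actual ranges."""
import ipaddress

# Placeholder edge ranges (documentation prefixes). Replace with the
# provider's published ranges before use.
EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def is_from_edge(peer_ip):
    """True when the connecting peer belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in EDGE_RANGES)


def client_ip(peer_ip, headers):
    """Resolve the real client address. X-Forwarded-For is only meaningful
    when the peer is an edge node; from anyone else the header is
    attacker-controlled, so the peer address itself is the client."""
    if not is_from_edge(peer_ip):
        return peer_ip
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    if not first:
        return peer_ip
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_ip  # malformed header value; fall back to the peer


def gate(peer_ip, headers):
    """Return (decision, client address). Direct hits on the origin that did
    not pass through the edge are rejected."""
    if not is_from_edge(peer_ip):
        return ("reject:direct-origin-access", peer_ip)
    return ("accept", client_ip(peer_ip, headers))


def render_apache_require():
    """Equivalent Apache 2.4 access-control line for the origin vhost."""
    return "Require ip " + " ".join(str(net) for net in EDGE_RANGES)


if __name__ == "__main__":
    print(gate("203.0.113.10", {"X-Forwarded-For": "198.51.100.20"}))
    print(gate("198.51.100.20", {"X-Forwarded-For": "203.0.113.10"}))
    print(render_apache_require())
```

The web-server directive is the simpler control and is what most deployments use; the application-level gate is worth keeping as well, since a host firewall or vhost change elsewhere can silently reopen the origin, and logging the rejected peers gives the SOC a signal that someone has found the origin address.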

Exhibit D: HTTPS/SSL/TLS Support

The Sucuri Firewall is able to mitigate attacks by intercepting all incoming traffic and performing real-time analysis of all requests over HTTP/HTTPS protocols (i.e., Layer 7 requests). Traffic that is encrypted (i.e., utilizes HTTPS) must be inspected as well. To achieve this, end-point termination must occur at the Sucuri edge. The firewall, by design, must intercept and analyse all traffic to be effective. All analysis is done in memory, real-time - there is no storage of the request packets. The only data that is stored is the metadata of a request in the form of web access logs.

Organizations have multiple options when dealing with SSL:
- Option 1: Use Starfield DV certs that Sucuri will generate.
- Option 2: Use a custom cert provided by the organization.

Exhibit E: Installation and Configuration

Each function has its own configuration and deployment requirements, but each is designed to be simple and require low overhead and engagement. Requirements are as follows:

Protection
- No installation required.
- A-record switch via DNS.
- Time to go live is dependent on Time to Live (TTL) value.

Monitoring
- No installation required.
- Remote Scanning: Domains are loaded into the Sucuri Dashboard via API or Dashboard interface.
- Server Scanning: Domain PHP agents are loaded at the root of each website directory on the web server. ** Requires SFTP/FTP/SSH access to load files. Organization can choose to load files on their own.

Response
- No installation required.
- In the event of an incident, all Malware Removal Requests are handled and managed via the Sucuri ticketing system.
- Support engagement and SLA is dictated by your agreement.
- Does require access to the server via SFTP/FTP/SSH. Changes might be outlined in your agreement.

Backup
- No installation required.
- Does require access to the server via SFTP/FTP/SSH. Changes might be outlined in your agreement.

Some agreements include custom support and integration services. Defer to your agreement and account manager for specifics pertaining to deployment for each function and associated responsibilities.

Exhibit F: Performance Optimization and Caching

All static content is cached when possible. This allows for faster responses to requests (500 ms vs 10 ms) and scales (50 concurrent users vs. 200k concurrent users). Standard known CMSs like WordPress, Joomla!, Drupal and other similar CMS applications use cookies. We’re aware of this and account for it in our caching logic.

The caching feature works by building a cache key. Every request that matches that key gets the same page. The cache key consists of the HTTP or HTTPS, domain, request URL, and normalized user agent (i.e. mobile, desktop, tablet, or RSS bot). This means that users of different devices (i.e. desktop vs mobile) won’t see the same content.

CDN Caching Options

The CDN offers four means of caching:

Option: Enabled (Not Recommended For E-Commerce/Membership Sites)
  Description: Caches entire site and only purges cache every few hours.
  Time: All - 3 hrs

Option: Minimal Caching
  Description: Caches entire site and purges cache every few minutes.
  Time: 200 - 8 m; 404 - 2 m; 302 - 15 m; 301 - 15 m

Option: Site Caching (Site Headers)
  Description: Caches static content and respects site headers.
  Time: 200 - 180 m; 404 - 10 m; 302 - 180 m; 301 - 180 m

Option: Disabled (Use With Caution)
  Description: Only caches static files such as images, .css, .js, .pdf, .txt, .mp3 and a few more extensions.
  Time: 200 - 1 m; 404 - 1 m; 302 - 10 m; 301 - 10 m

Clearing Cache

Clearing (purging) cache is a critical feature of the CDN. We allow cache to be cleared via the Sucuri Dashboard or the WAF API. Once initiated, the cache propagates through the network and clears all nodes within seconds.
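The cache-key construction and the per-option lifetimes above, as an added example written for this overview rather than Sucuri's CDN code: the key is built from scheme, domain, request URL and a normalized user agent, the TTL is taken from the table by option and status code, and a small in-memory store shows expiry and a purge. The user-agent heuristics, the static-extension list and the injectable clock are assumptions made for the example; "Site Caching" is modelled only by its table values, without the header handling the description mentions.

```python
"""Added example: cache key, TTL selection and purge as described in
Exhibit F. Illustrative code for this overview, not Sucuri's implementation;
UA heuristics and the store are constructed."""
import re
import time

# TTLs in minutes per caching option and status code, from the table above.
# "*" stands for the "All" entry of the Enabled option.
TTL_MINUTES = {
    "enabled": {"*": 180},
    "minimal": {200: 8, 404: 2, 302: 15, 301: 15},
    "site": {200: 180, 404: 10, 302: 180, 301: 180},
    "disabled": {200: 1, 404: 1, 302: 10, 301: 10},
}

# Constructed list of "static" extensions for the Disabled option.
STATIC_EXT = re.compile(r"\.(css|js|png|jpe?g|gif|pdf|txt|mp3)$", re.I)


def normalize_user_agent(ua):
    """Collapse the raw User-Agent into one of the four device classes the
    key uses, so a mobile and a desktop visitor never share a cached page.
    The substring checks are a constructed simplification."""
    ua = ua.lower()
    if "rss" in ua or "feed" in ua:
        return "rss"
    if "ipad" in ua or "tablet" in ua:
        return "tablet"
    if "mobile" in ua or "android" in ua or "iphone" in ua:
        return "mobile"
    return "desktop"


def cache_key(scheme, domain, request_url, user_agent):
    """scheme + domain + request URL + normalized UA, as the exhibit describes."""
    return f"{scheme}://{domain.lower()}{request_url}#{normalize_user_agent(user_agent)}"


def ttl_seconds(option, status, request_url):
    """TTL for a response under the given option, or 0 when it is not cached."""
    table = TTL_MINUTES[option]
    if option == "disabled" and not STATIC_EXT.search(request_url.split("?")[0]):
        return 0  # Disabled: only static files are cached
    minutes = table.get("*", table.get(status, 0))
    return minutes * 60


class EdgeCache:
    """Minimal node-local store: entries expire per ttl_seconds, and purge()
    drops everything, as a dashboard/API purge would on every node."""

    def __init__(self, option, clock=time.monotonic):
        self.option, self.clock, self.store = option, clock, {}

    def put(self, key, status, request_url, body):
        ttl = ttl_seconds(self.option, status, request_url)
        if ttl:
            self.store[key] = (body, self.clock() + ttl)
        return ttl

    def get(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        body, expires_at = entry
        if self.clock() >= expires_at:
            del self.store[key]
            return None
        return body

    def purge(self):
        """Clear all entries; returns how many were dropped."""
        dropped = len(self.store)
        self.store.clear()
        return dropped


if __name__ == "__main__":
    cache = EdgeCache("minimal")
    key = cache_key("https", "example.com", "/index.php?page=2",
                    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Mobile/15E148")
    print(key, "ttl:", cache.put(key, 200, "/index.php?page=2", b"<html>page</html>"))
    print("hit:", cache.get(key) is not None, "purged:", cache.purge())
```

Because the key includes the normalized user agent, the same URL yields separate entries for desktop and mobile visitors, which is the behaviour the exhibit calls out; anything that should vary per user beyond device class (logged-in state, cart contents) is why the Enabled option is marked as not recommended for e-commerce and membership sites.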

Exhibit G: Infrastructure Security and Compliance

Every data center we operate from meets or exceeds all standards and compliance regulations:

Compliance Regulations
- SSAE16 Compliance
- ISO 9001:2008
- OHSAS 18001:2007
- ISO 14001:2004
- PCI DSS (Payment Card Industry Standard)
- ISO/IEC 27001:2005 and 27001:2013 ISO Certification
- ISO 50001:2011

Network Infrastructure

Sucuri’s network consists of multiple transit providers at each location that are utilized for primary traffic routing, internal traffic routing, and redundancy. Utilizing a shared network with a primary and secondary termination for each connection prevents a single point of failure.

Operations
- Daily device vulnerability scan performed internally
- Daily vulnerability and compliance scan performed by third parties
- In-house penetration testing and third-party testing
- Documentation, practices, and continuous employee education
- Firewall change management procedures
- Data classification and ownership
- Incident management
- BCP (Business Continuity Plan) & DRP (Disaster Recovery Plan)

Management And Human Resources
- Mandatory security awareness training and review for each employee
- Strict least-privilege access practices throughout teams
- Required non-disclosure & confidentiality agreements
- Background checks and skills assessment
- Active management in all aspects of the security community

Clean and Protect Your Website Fast
sucuri.net | 1.888.873.0817 | sales@sucuri.net
2022 Sucuri, Inc. All Rights Reserved
