Hewlett Packard, 2011 Top Cyber Security Risks Report
A session is a measure of user activity on a website. A single user visit to a website may consist of one or several sessions depending upon how the web server assigns session IDs and the design of the website. Depending on the website design, accessing multiple applications on a website may create several sessions within the same user visit.
After the xyberShield script is installed on a website, the script makes a connection to the nearest data center in our global network. The script sends session data to the data center for detailed traffic analysis and threat assessment using a combination of xyberShield’s proprietary Behavioral Analysis Correlation Engine along with known threat signatures and rules. If a session receives a sufficiently high threat score, the data center instructs the xyberShield script to terminate the session. It is important to note that xyberShield does NOT use or store any personally identifiable information in its traffic analysis or threat assessment.
In addition to 20 regional data centers, the xyberShield Global Security Platform includes two central data centers. These two Tier 4 data centers handle account administration and report generation so that the regional data centers can be dedicated to traffic analysis from protected websites around the world. The central data centers also run the Behavioral Analysis Correlation Engine to analyze and correlate data at a global level.
The Behavioral Analysis Correlation Engine (BACE) uses a sophisticated set of algorithms to evaluate every user session, correlating all the data it collects against evolving statistical norms for each individual user and individual application on your website. BACE analyzes behaviors including duration on a page, repetition of action on a page or within a web application, recurrence and navigation patterns, as well as HTTP header content. BACE takes into account session behavior that is typical on your site as well as normal sessions for an aggregation of similar web applications and pages across our network of customers. BACE analyzes and profiles website traffic in real time, distinguishing between normal and suspicious traffic. Suspicious traffic is subjected to in-depth monitoring and inspection, and blocked when it’s determined to be a threat. Normal traffic, which accounts for over 95% of a typical website’s volume, is inspected but flows through without restriction or delay. BACE is xyberShield’s “secret sauce” – the ingredient that blocks attacks before they can be successful – and lets hackers know they’re wasting their time trying to attack your site.
Depending on the platform (.NET, Java, or PHP), the script is between 10k and 20k in size.
The script runs within every process on the web server that handles a client request and monitors user actions on every page of the website. For .NET and Java environments, the xyberShield script needs to be placed only at the root level of the website hosting a particular application – it does not need to be placed on every page or URL. For PHP, the script only needs to be on the main template if the web application uses dynamic pages. However, if the web application uses static pages, then the script may need to be on every page.
xyberShield was designed to have minimal impact on a website both in normal operation and when a website is under attack. xyberShield uses just a fraction of a single percent of your website’s CPU and bandwidth resources. Its impact on website and application performance is effectively undetectable.
Yes. xyberShield analyzes behaviors such as duration on a page, page repetition, recurrence and navigation patterns, yielding data specific to individual pages and normal usage patterns by user sessions. You can use this information to create both global and page-specific protection against DoS attacks. For example, you can create page level rules to allow up to a maximum number of repetitions of a given behavior such as accessing a page or a specific link on a page. Once that limit is exceeded, xyberShield terminates that session.
Yes. xyberShield works independently of the web server, so it works with virtually any web server including Apache, IIS, Sun, nginx, Google and Jigsaw. xyberShield’s script is installed on the application layer and supports .NET, Java, and PHP.
By developing a script that runs at the web application level, xyberShield is insulated from any underlying changes in the hardware, OS, and web server and all the various patches and modifications that can affect those systems. By limiting the script’s functionality and minimizing integration, we also have minimal impact on a website’s performance. Finally, with this approach we see traffic after it has been decrypted, so we do not need access to a site’s SSL certificate.
For a load-balanced environment, the xyberShield script needs to be installed on every web server behind the load balancer. The script works at the session level; each session is monitored regardless of which web server handles the request or the number of web servers running a website.
You need administrator or root access to the web server on which your website is running to install the xyberShield script. If a third-party hosting company does not provide you with this access, then you should request that they install the xyberShield script on the appropriate server(s) for you.
Yes. Attacking via the IP address of the server does not affect xyberShield’s ability to protect a website. xyberShield works at the session level so any session established to the website/server is monitored and protected.
xyberShield can export and email data in any format you request. Our near-term product roadmap includes direct export of alert data to Common Event Format (CEF).
All data is stored online for six months; offline storage is for two years. If necessary, a longer period for offline storage can be arranged.
You can configure xyberShield to use three types of alerts/actions for violations of any rule or xyberFrame threat module. With an alert level of Low, Medium, or High you receive an email with notice of the violation. With a Medium setting, xyberShield issues a warning to the site visitor that their behavior is suspicious and is being monitored. With a High setting, xyberShield terminates the session and informs the visitor of this action.
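The page-level repetition rule and the Low/Medium/High alert actions described above can be modeled as follows. This is an added illustration, not xyberShield's code or configuration format: the class names, action labels, rule values and sample traffic are all assumptions, as is the choice to reject later requests on a terminated session.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Actions per alert level as the text describes them: every level sends an
# email, Medium also warns the visitor, High terminates the session.
# The action labels themselves are hypothetical.
ACTIONS = {
    "low": ["email"],
    "medium": ["email", "warn_visitor"],
    "high": ["email", "terminate_session"],
}

@dataclass(frozen=True)
class PageRule:
    page: str
    max_repetitions: int   # allowed hits on this page per session
    alert_level: str       # "low", "medium" or "high"

@dataclass
class RuleEngine:
    rules: dict                                    # page -> PageRule
    counts: dict = field(default_factory=lambda: defaultdict(int))
    terminated: set = field(default_factory=set)

    def observe(self, session_id, page):
        """Return the actions triggered by one request in a session."""
        if session_id in self.terminated:
            return ["reject"]                      # assumption: dead sessions stay dead
        rule = self.rules.get(page)
        if rule is None:
            return []                              # no page-level rule configured
        self.counts[(session_id, page)] += 1
        if self.counts[(session_id, page)] <= rule.max_repetitions:
            return []
        actions = list(ACTIONS[rule.alert_level])
        if "terminate_session" in actions:
            self.terminated.add(session_id)
        return actions

def replay(engine, requests):
    """Feed (session_id, page) pairs through the engine in order."""
    return [(sid, page, engine.observe(sid, page)) for sid, page in requests]

# Constructed rules and traffic, for illustration only.
RULES = {"/login": PageRule("/login", 3, "high"),
         "/search": PageRule("/search", 2, "medium")}
SAMPLE = ([("s1", "/login")] * 4 + [("s1", "/home")]
          + [("s2", "/search")] * 3 + [("s2", "/login")])

if __name__ == "__main__":
    for row in replay(RuleEngine(RULES), SAMPLE):
        print(row)
```

Counters are keyed by session and page, so one session exceeding its limit has no effect on other sessions hitting the same page.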
Yes. xyberShield works at the session level so any session established to the website/server is monitored and protected regardless of the device used to access a website.
Yes. A browser does not need to accept cookies because the cookies reside on the web application. However, in unusual cases where the xyberShield cookie cannot be bound to a session, xyberShield will use the IP address to track a session. Your site will still be protected.
No. xyberShield examines website traffic only after it has been decrypted, so you don’t need to provide your existing SSL certificate to xyberShield or change it in any way.
Yes. xyberShield works with any indexing service. Indexing services use bots that crawl and index a website and then display the results on their own web servers. If a bot is crawling your website and exhibiting excessive or unauthorized resource usage, then you can create a rule in xyberShield to stop this behavior. These rules can be set by site, page, page sequence or type of navigational behavior.
Yes. xyberShield can help protect against unauthorized or excessive scraping of your website. Since web scrapers use many techniques to mine data from your website, xyberShield provides various options to create rules to stop unwanted scraping behavior at the site, individual page, page sequence and navigational level.
As soon as xyberShield is installed, you have the benefit of “out-of-the-box” protection using both xyberShield’s Behavioral Analysis Correlation Engine and known threat modules. The Behavioral Analysis Correlation Engine bases its initial protection on its knowledge of user and hacker behavior over billions of sessions on similar web applications and pages across our worldwide customer base. In addition, the Behavioral Analysis Correlation Engine immediately begins observing traffic on your website and gradually tailoring its behavior-based protections to your web applications. Usually within a few weeks, xyberShield will have observed enough traffic to have fully adapted its behavior analysis protection to your website.
xyberShield never tracks the user ID or other personally identifiable information about a user, but it does record the originating IP for every session. When xyberShield determines that a session is an attack, it terminates the session but does not block the IP address associated with that session.
xyberShield treats hits from backlinks the same way as any other hit to a website. If a hit violates any rules that you’ve configured or is otherwise deemed suspicious, xyberShield takes the appropriate action, warning or blocking the visitor as it normally would.
Because xyberShield is a SaaS solution, all customers immediately get the benefit of any updates or modifications that we make to it. xyberShield researchers update threat signatures on a frequent and regular basis against the latest attack techniques. In addition, we tune xyberShield’s behavior analysis engine and predictive-analysis algorithm at least once every quarter. Updates are made to the web-based product console whenever new features require an interface change. Finally, as part of its core functionality, xyberShield continually and automatically adapts to attacks and behaviors that it observes on all protected websites around the world.