Intelligent Security Model (ISM)
The world’s most secure managed cloud
THE MODEL APPROACH TO SECURITY AND MANAGED SERVICES
Tools have failed you. You’re ready for true security outcomes. It’s why Armor brings an absolutely unique approach to cybersecurity. It’s made possible by a blend of intelligence, defense and control that will reduce threat actor dwell time to near zero and protect sensitive data workloads, applications and intellectual property.
[Diagram: the Intelligent Security Model shown as a loop of three pillars, INTELLIGENCE, DEFENSE and CONTROL, built from these components: IP Reputation Management, DDoS Prevention, Web Application Firewalls, Network Intrusion Detection, Hypervisor Firewall, Malware Protection, OS File Integrity Monitoring, Vulnerability Scans, Hardened OS and Patch Management.]
Armor Complete operates through our proprietary Intelligent Security Model (ISM), a closed-loop system that learns from the threats it observes. Through a combination of intelligence, defense and control, the ISM delivers Armor's highest level of security and compliance. The architecture is purpose-built for security and performance, integrating the security technologies described in the following sections to deliver real security outcomes.
armor.com (US)+1 844 682 2858 (UK)+44 800 500 3167
@armor
NETWORK DEFENSE
Armor leverages threat intelligence curated from Armor's own IP space and from public and private sector sources to build tailored blacklists and policies. Packets entering Armor's environment are inspected against those policies, and any packet identified as malicious is blocked. What makes Armor Complete effective is its ability to minimize unwanted and malicious traffic: through a series of controls it blocks bad traffic before it reaches your instances, reducing the risk to your data.
Armor leverages best-in-class solutions that operate seamlessly with one another to maximize the security stack. Each security measure is a key component of the Intelligent Security Model, fine-tuned and managed by our experts and supported by 50+ intelligence feeds from public and private sectors.
IP Reputation Management
Internet protocol reputation management (IPRM) filters public internet traffic against an IP blacklist. Addresses associated with malicious or disreputable behavior, such as botnets, bogon networks (reserved or unallocated address space that should never appear as a legitimate source), the Russian Business Network and other cybercrime infrastructure, are filtered.
As part of the IPRM service, collected log data provides visibility into real-world network traffic and attack events. That information is used to improve the coverage and accuracy of the blacklist and to reduce the time to detect new attacks. Armor continuously manages blacklists and whitelists to address emerging threats.
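The filtering step described above, as an added example in Python; this is not Armor's code, and the flow record format, the two threat-feed ranges (documentation prefixes tagged as "botnet" and "scanner") and the whitelist entry are all constructed for the example. The bogon prefixes are the real RFC-reserved ranges. Longest prefix wins, a whitelist entry overrides any blacklist match, and a record whose source address cannot be parsed is treated as untrusted rather than silently allowed.

```python
# Added example, not Armor's code: IP reputation filtering of inbound flow records.
# Assumed input format (constructed): one flow per line, "src=A dst=B dport=N".
# Blacklist entries are CIDR prefixes tagged with a reason; a whitelist overrides them.
import ipaddress
from collections import Counter

# RFC-reserved "bogon" prefixes: legitimate internet traffic never carries these as a source.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Hypothetical threat-feed entries using documentation ranges (constructed for the example).
FEED = {
    "198.51.100.0/24": "botnet",
    "203.0.113.0/24": "scanner",
}


class ReputationFilter:
    def __init__(self, bogons, feed, whitelist=()):
        self.whitelist = [ipaddress.ip_network(c) for c in whitelist]
        self.rules = [(ipaddress.ip_network(c), "bogon") for c in bogons]
        self.rules += [(ipaddress.ip_network(c), why) for c, why in feed.items()]
        # Most specific prefix first, so a /32 entry decides before a broad /8.
        self.rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)

    def verdict(self, src):
        """Return (action, reason) for one source address string."""
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return ("block", "unparseable source")  # never trust a malformed record
        if any(ip in net for net in self.whitelist):
            return ("allow", "whitelisted")
        for net, why in self.rules:
            if ip in net:
                return ("block", why)
        return ("allow", "no match")


def parse_flow(line):
    """'src=1.2.3.4 dst=... dport=443' -> dict of the key=value fields."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def filter_flows(lines, flt):
    """Apply the filter; return (allowed sources, blocked (source, reason) pairs, reason counts)."""
    allowed, blocked, reasons = [], [], Counter()
    for line in lines:
        src = parse_flow(line).get("src", "")
        action, why = flt.verdict(src)
        if action == "block":
            blocked.append((src, why))
            reasons[why] += 1
        else:
            allowed.append(src)
    return allowed, blocked, reasons


# Constructed sample flows (not real telemetry). Only the source is checked; the
# destination 192.0.2.50 stands in for a customer instance behind the edge.
SAMPLE_FLOWS = [
    "src=8.8.8.8 dst=192.0.2.50 dport=443",        # ordinary public source
    "src=10.0.0.5 dst=192.0.2.50 dport=80",        # RFC 1918 source at a public edge: bogon
    "src=198.51.100.77 dst=192.0.2.50 dport=22",   # listed botnet range
    "src=203.0.113.9 dst=192.0.2.50 dport=80",     # listed scanner range
    "src=203.0.113.10 dst=192.0.2.50 dport=443",   # same range, but explicitly whitelisted
    "src=not-an-ip dst=192.0.2.50 dport=80",       # malformed record
]

FILTER = ReputationFilter(BOGONS, FEED, whitelist=["203.0.113.10/32"])

if __name__ == "__main__":
    allowed, blocked, reasons = filter_flows(SAMPLE_FLOWS, FILTER)
    print("allowed:", allowed)
    for src, why in blocked:
        print(f"blocked {src:16} {why}")
    print("blocked by reason:", dict(reasons))
```

The per-reason counts are the kind of aggregate the text says feeds back into list curation: a spike of "bogon" hits at one edge usually means spoofed flood traffic rather than a new botnet, and is handled differently.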
Denial of Service Mitigation
Denial of Service and Distributed Denial of Service (DoS and DDoS) protection is provided at every datacenter location. The mitigation platform detects probes and attacks including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes and stealth port scans. Once an attack is identified, or sensed from abnormal behavior, the alert is logged and our security team takes action. Armor's DDoS solution integrates network-wide intelligence and anomaly detection with carrier-class threat management to identify and stop volumetric, TCP state-exhaustion and application-layer DDoS attacks. The mitigation is an always-on service that significantly reduces the impact on customer environments: once a DDoS attack is detected, Armor's security team directs traffic through a series of filters to mitigate the threat.
Anomaly recognition and protocol analysis update the dynamic filtering and rate-limiting modules in real time to block newly identified attack traffic.
Block Actions: source blocking/source suspend, per-packet blocking, and combined source-, header- and rate-based blocking.

Attack Protections
Flood Attacks: TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP and Microsoft SQL Resolution Service (SQL RS) floods; amplification via CharGEN, DNS, Microsoft SQL Resolution Service, NTP, SNMP and SSDP.
Application Attacks: HTTP GET floods, SIP INVITE floods, DNS attacks, HTTPS protocol attacks, DNS cache poisoning, vulnerability attacks, resource exhaustion attacks (Slowloris, PyLoris, LOIC).
Fragmentation Attacks: Teardrop, Targa3, Jolt2, Nestea.
TCP Stack Attacks: SYN, FIN, RST, SYN-ACK, URG-PSH and other TCP flag abuse.

DDoS Countermeasures
Packet and address filtering: invalid packets, IPv4/IPv6 address filter lists, IPv4/IPv6 black/white filter lists, packet header filtering, IP location filter lists, IP location policing, payload regular expression filter, inline filter, blacklist fingerprints, shaping.
Connection and protocol controls: zombie detection, per-connection flood protection, TCP SYN authentication, TCP connection limiting, TCP connection reset, protocol baselines, flash crowd protection, SSL negotiation, IPv4 and IPv6 attacks hidden in SSL-encrypted packets.
HTTP: HTTP authentication, HTTP malformed, HTTP scoping, HTTP rate limiting, HTTP/URL regular expression.
DNS: DNS authentication, DNS malformed, DNS scoping, DNS rate limiting, DNS regular expression.
SIP: SIP malformed, SIP request limiting.
Intelligence: ATLAS Intelligence Feed (AIF).
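Two of the countermeasures listed above, per-connection flood protection and source suspend, reduce to the same mechanism: count attempts per source in a sliding window and, once the limit is exceeded, drop the excess and suspend the source for a cooling-off period. The following is an added Python illustration, not Armor's mitigation code; the event list (one polite client, one source firing 30 connection attempts in 0.3 seconds, then retrying after its suspension lapses), the 20-per-second limit and the 30-second suspension are all constructed for the example.

```python
# Added example, not Armor's code: per-source connection-rate limiting with source suspend.
# Event format (constructed): (timestamp_seconds, source_address).
from collections import Counter, defaultdict, deque


class ConnectionRateLimiter:
    """Sliding-window limiter: a source exceeding max_per_window attempts within any
    window_s-second window is dropped and suspended for suspend_s seconds."""

    def __init__(self, max_per_window, window_s, suspend_s):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.suspend_s = suspend_s
        self.history = defaultdict(deque)   # src -> timestamps inside the current window
        self.suspended_until = {}           # src -> time at which the suspension ends

    def check(self, ts, src):
        """Return 'pass', 'drop' (limit just exceeded; source now suspended) or 'suspended'."""
        until = self.suspended_until.get(src)
        if until is not None:
            if ts < until:
                return "suspended"
            del self.suspended_until[src]   # suspension expired; the source starts fresh
        window = self.history[src]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:
            window.popleft()                # forget attempts older than the window
        if len(window) > self.max_per_window:
            self.suspended_until[src] = ts + self.suspend_s
            window.clear()
            return "drop"
        return "pass"


def simulate(limiter, events):
    """Feed (ts, src) events in time order; return per-source counts of each verdict."""
    outcome = defaultdict(Counter)
    for ts, src in sorted(events):
        outcome[src][limiter.check(ts, src)] += 1
    return outcome


# Constructed events: one well-behaved client, one source firing 30 attempts in 0.3 s,
# then a single retry from the flooding source after its suspension has expired.
SAMPLE_EVENTS = (
    [(10.0 + i * 0.2, "203.0.113.4") for i in range(5)]
    + [(10.0 + i * 0.01, "198.51.100.5") for i in range(30)]
    + [(50.0, "198.51.100.5")]
)


def run_sample():
    limiter = ConnectionRateLimiter(max_per_window=20, window_s=1.0, suspend_s=30.0)
    return simulate(limiter, SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, counts in run_sample().items():
        print(src, dict(counts))
```

The suspension is what turns a per-packet decision into a source block: after the 21st attempt every further packet from that source is refused without touching the window, which is what keeps the limiter itself cheap under a flood. A real platform would key on more than the source address (the "combined source, header and rate based" action above) so that a spoofed flood cannot get a legitimate address suspended.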
Web Application Firewall
The Web Application Firewall (WAF) is a key focus of the Armor Intelligent Security Model. It protects customer applications from layer 7 (application-layer) attacks. To detect those attacks accurately, a WAF must understand the application's structure, its elements and expected user behavior.
Dynamic profiling technology automates this by profiling protected applications and building a baseline, or "white list", of acceptable user behavior; it also learns application changes over time. Dynamic profiling eliminates the need to manually configure and update innumerable application URLs, parameters, cookies and methods.
Armor enforces HTTP(S) standards to prevent protocol exploits and evasion techniques. Fine-grained policies allow administrators to enforce strict adherence to Request for Comments (RFC) standards or to allow minor deviations. With more than 8,000 signatures, Armor safeguards the entire application infrastructure, including applications and web server software. Flexible, automated XML security policies protect web services, SOAP, HTML5 WebSockets and Web 2.0 applications.
Armor builds policies from signature-based threats and from the OWASP Top 10. Armor's WAF is a global security service that protects the Armor ecosystem and its customers; because the WAF is multi-tenant, customer-dedicated custom WAF policies are not supported.
The WAF inspects ingress traffic on HTTP (port 80) and HTTPS (port 443) only. For HTTPS protection the WAF must terminate TLS in order to inspect the traffic, so customers must supply Armor with a copy of their SSL/TLS certificate and its private key for installation in the WAF.

Network Intrusion Detection System
Network intrusion detection catches threats targeting your systems through signature-based detection. It provides real-time inspection of HTTP (port 80) traffic that has passed through the Armor Complete perimeter, looking for malicious and anomalous behavior. Armor uses custom signature-based policies to monitor network traffic, and all traffic is subject to packet logging and traffic analysis. Through protocol analysis and content searching and matching, Armor detects a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting. Every security event generates an alert to Armor's Security Operations Center, and the data collected is correlated and analyzed for remediation.

[Diagram: inbound traffic passes through DDoS mitigation, IPRM and NIDS, then the WAF, which identifies and blocks malicious traffic and requests, before reaching the web application server and database.]
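The two WAF mechanisms described above, signature matching and dynamic profiling, side by side in an added Python toy. This is not Armor's WAF and the three signatures are illustrative rules, not a real signature set; the request format ("METHOD /path?query") and the learning traffic are constructed. The profile records, per method and path, which parameters were observed and the widest value class (integer, plain token, free text) seen for each, so that a numeric `id` parameter receiving free text is flagged even when no signature fires.

```python
# Added example, not Armor's WAF: signature matching plus dynamic profiling on toy requests.
# Request format (constructed): "METHOD /path?query". Signatures are illustrative only.
import re
from urllib.parse import parse_qsl, urlsplit

SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss-script-tag", re.compile(r"(?i)<script\b")),
]

# Value classes from narrowest to widest; the profile learns the widest class seen per parameter.
CLASSES = ["int", "token", "free"]


def value_class(value):
    if re.fullmatch(r"\d+", value):
        return "int"
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return "token"
    return "free"


def parse_request(line):
    method, _, target = line.partition(" ")
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


class DynamicProfile:
    def __init__(self):
        self.resources = {}  # (method, path) -> {parameter name: index into CLASSES}

    def learn(self, line):
        """Extend the whitelist from observed legitimate traffic (learning mode)."""
        method, path, params = parse_request(line)
        known = self.resources.setdefault((method, path), {})
        for name, value in params:
            rank = CLASSES.index(value_class(value))
            known[name] = max(known.get(name, 0), rank)

    def inspect(self, line):
        """Return a list of findings; an empty list means the request is allowed."""
        method, path, params = parse_request(line)
        # 1. Signatures run first, on the decoded path and every decoded parameter value.
        hits = [f"signature:{name}" for text in [path] + [v for _, v in params]
                for name, rx in SIGNATURES if rx.search(text)]
        if hits:
            return hits
        # 2. Profile check: unknown resource, unknown parameter, or a value wider than learned.
        known = self.resources.get((method, path))
        if known is None:
            return [f"profile:unknown-resource {method} {path}"]
        findings = []
        for name, value in params:
            seen = value_class(value)
            if name not in known:
                findings.append(f"profile:unknown-parameter {name}")
            elif CLASSES.index(seen) > known[name]:
                findings.append(f"profile:parameter {name} value class {seen} "
                                f"exceeds learned {CLASSES[known[name]]}")
        return findings


# Constructed learning traffic, standing in for the profiler's observation period.
TRAINING = [
    "GET /", "GET /search?q=shoes", "GET /search?q=red-shoes",
    "GET /item?id=42", "GET /item?id=7",
]


def build_profile(training=TRAINING):
    profile = DynamicProfile()
    for line in training:
        profile.learn(line)
    return profile


PROFILE = build_profile()

if __name__ == "__main__":
    for req in ["GET /item?id=42", "GET /item?id=1%20OR%201=1", "GET /admin",
                "GET /item?id=42&debug=1", "GET /item?id=abc", "GET /static/../../etc/passwd"]:
        print(req, "->", PROFILE.inspect(req) or "allowed")
```

Because the signatures run on the decoded values, `id=1%20OR%201=1` is caught as a tautology; a URL-encoded payload that slips past a signature is still flagged by the profile as a free-text value where only integers were learned. The learning step is deliberately monotonic (classes only widen), which is the trade-off of any whitelist profiler: traffic observed during learning must be clean, or the attack becomes part of the baseline.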
SERVER/OS DEFENSE
Beyond Network Security
Armor does more than secure the network: our experts monitor and secure your hosts with a defense-in-depth solution that secures the operating system up to the application layer.
Operating System Patching
Armor employs a strict patching regimen to keep both the infrastructure and customers' operating systems up to date, staying ahead of the latest security vulnerabilities and compromises. To achieve this, Armor provides the infrastructure and configuration at the operating system level, as well as the support processes to manage and remediate the distribution of new patches across the entire Armor environment. Armor manages patching for all of our servers, including system updates and security patches.
Anti-virus and Malware Protection
Armor includes anti-virus and malware protection. The agent-based service provides both proactive and reactive protection against malicious payloads and packages that find their way onto a customer server. Scans run three times a week, and all customer servers are scanned against the latest definitions, heuristics and honeypot discoveries. Armor's definition database is sourced from internal, public and private resources. All servers report back to Armor's management console, enabling Armor Support to manage and report on malware prevention and remediation. Detected threats are monitored and alerted on by our Security Operations Team and remediated as necessary.
OS File Integrity Monitoring
The OS file integrity monitoring (FIM) service is delivered through an agent installed on all servers. The FIM agent performs rule-based monitoring of critical operating system files, directories and processes and, on Windows, registry keys and values, to detect suspicious changes. Armor applies a standardized monitoring policy for each server platform (Linux/Windows). The agent records changes to critical system processes, files and directories; the logs collected are scanned for malicious activity, and monitoring events are fed into the security information and event management (SIEM) system for correlation and review by the security incident management team.
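The core of a file integrity monitor is a baseline of cryptographic hashes (and permission bits) compared against a later snapshot. The following added Python example is not Armor's FIM agent: it builds a fake /etc tree in a temporary directory, baselines it, simulates an intrusion (a UID-0 account appended to passwd, a persistence cron job, a deleted file and a loosened permission), and reports the differences. File names mimic real system paths but the tree is constructed.

```python
# Added example, not Armor's FIM agent: baseline-and-compare file integrity check.
# Hashes every regular file under a root, then reports files added, removed, modified
# (content) or whose permission bits changed. The tree is constructed in a temp dir.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (forward-slash relative path) to (sha256, mode bits)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # skip symlinks; an in-scope target is hashed under its own path
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (digest.hexdigest(), os.stat(full).st_mode & 0o7777)
    return state


def compare(baseline, current):
    """Diff two snapshots; sorted path lists under added/removed/modified/mode_changed."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "mode_changed": sorted(p for p in both
                               if baseline[p][0] == current[p][0]
                               and baseline[p][1] != current[p][1]),
    }


def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, report the changes."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(etc, "cron.d", "backup"), "0 2 * * * root /usr/local/bin/backup\n")
        baseline = snapshot(root)

        # Simulated intrusion: a second UID-0 account, a persistence cron job, a deleted
        # file, and a permission loosening on an otherwise untouched file.
        _write(os.path.join(etc, "passwd"), "eve:x:0:0::/:/bin/sh\n", mode="a")
        _write(os.path.join(etc, "cron.d", "persist"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(etc, "hosts"))
        os.chmod(os.path.join(etc, "cron.d", "backup"), 0o777)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13}", paths)
```

The baseline must itself be protected (stored off-host or in the SIEM, as the text describes), since an attacker with write access to the baseline can re-baseline after tampering; and the hash comparison is only as good as the scan interval, which is why the agent feeds events rather than waiting for a periodic audit.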
Log Management
Armor conducts daily reviews of logs from customer virtual machines, provided the customer has an Armor agent installed on the instance. The agent aggregates system logs for review by our Security Operations Center, which compiles the results and provides them to the customer. In the event of a breach, logs are preserved and readily accessible for forensics and analysis. All logs are archived for 13 months in compliance with applicable regulations.
Firewall - Instance Segmentation
Our hypervisor-level firewall is a virtual appliance installed on the hypervisor and wrapped around each virtual machine. Each VM therefore has its own private firewall policy, and both Armor and customers can create group network segments; it is through this feature that customers get fully segmented networks. The noisy-neighbor problem that plagues commodity cloud providers does not affect Armor customers. Access at the vSwitch level is controlled by a full-featured stateful packet inspection firewall. Global and local firewall policies are stored on two fully redundant, standalone virtual appliances per VM cluster; in the event of a complete failure the appliances fail closed rather than open, for security reasons. To ease firewall management while following security best practice, Armor opens ports 80 and 443 by default for web servers. Custom firewall policies can be accommodated, and customers can open additional ports through the automated Armor Management Portal (AMP). Access to customer environments is controlled by the account administrator via AMP.
Virtual Machine Failover
Armor is a full VMware environment and leverages VMware's advanced features, including vMotion, Distributed Resource Scheduler (DRS), Storage vMotion and High Availability. With a traditional firewall, migrating a VM between hosts can leave the server at a destination where its rules are not enforced. Our virtual firewall supports live migration by maintaining open connections and security throughout the event, ensuring the integrity of each server's firewall rules during the migration.
Defend what is yours
Defense comes in many forms, but the most effective is delivered through Armor's closed-loop ecosystem. The Armor Intelligent Security Model was developed and is supported by battle-tested security experts who understand threats and the actors behind them.
Vulnerability Scanning
Armor provides an optional vulnerability scanning service for customers with regulatory and compliance requirements for their workloads. Customers can assess technical vulnerabilities of their external and internal networks to mitigate risk and meet compliance requirements, and the scanning console lets them manage their scans and vulnerability reports. Armor reduces the time it takes a customer to complete a compliance audit with Rapid Compliance Assessments, which come pre-populated with all the compliance controls that Armor meets.