Web Application Firewall (WAF)
Our web application firewall (WAF) is provided by Cloudflare. Cloudflare's enterprise-class WAF filters requests for common attack classes such as SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) before they reach our services, with no changes to the existing infrastructure. The WAF only inspects traffic that actually passes through Cloudflare, so the origin must accept connections only via Cloudflare, and the WAF is a layer of defence in depth in front of the application's own input validation rather than a replacement for it.
Network Intrusion Detection System (NIDS)
An internal network intrusion detection system (NIDS) plays an important role in any cyber security program. By detecting malicious network events it feeds the SIEM's correlation directives and cross-correlation rules; combined with the events collected from other devices, this lets the SIEM present a complete picture of the malicious activity.
Host Intrusion Detection System (HIDS) & Monitoring
A host-based intrusion detection system (HIDS) gives deep visibility into what is happening on critical systems, so that malicious or anomalous activity discovered in the environment can be detected and responded to. The SIEM agent provides the following:
- Detection of changes to, and threats against, monitored systems
- File Integrity Monitoring (FIM) of key system files and configuration
- Deployment and management of the agent through the central management platform
- Analysis of all system network traffic and activity against IDS signatures and dozens of other security indicators
- Logging of all critical system activity: software installation and removal, configuration changes, log clearing, privilege changes, authentications, scheduled jobs and network activity. These logs are retained for one year.
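The File Integrity Monitoring item above names the technique without showing it. The following is an added example, not the vendor's agent code: it takes a baseline of hash, mode and size for every regular file under a watched root, then diffs a later scan against it. The fake /etc tree and the tampering applied to it are constructed inside the example so it runs offline.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# Added example, not the vendor's HIDS agent: a minimal file-integrity monitor.
# It records a baseline of (sha256, mode, size) for every regular file under a
# watched root and later reports what was added, removed or modified.

def fingerprint(path: str) -> Dict[str, object]:
    """Content hash plus the metadata an attacker most often changes."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def take_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(baseline, current) -> Dict[str, List[str]]:
    """Diff two baselines; any change in hash, mode or size counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake /etc tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "ssh"))

        def write(rel, text):
            with open(os.path.join(etc, rel), "w") as f:
                f.write(text)

        write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("hosts.allow", "sshd: 10.0.0.0/8\n")
        write(os.path.join("ssh", "sshd_config"), "PermitRootLogin no\n")
        os.chmod(os.path.join(etc, "passwd"), 0o644)
        baseline = take_baseline(root)

        # Tampering: persistence via cron, sshd weakened, passwd made
        # world-writable, the TCP wrappers allow-list deleted.
        os.makedirs(os.path.join(etc, "cron.d"))
        write(os.path.join("cron.d", "backdoor"), "* * * * * root /tmp/x\n")
        write(os.path.join("ssh", "sshd_config"), "PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "passwd"), 0o666)
        os.remove(os.path.join(etc, "hosts.allow"))
        return compare(baseline, take_baseline(root))
```

`demo()` returns one added file (the cron job), one removed (hosts.allow) and two modified (passwd by mode, sshd_config by content). The detail that matters in practice is where the baseline lives: an attacker with root on the host can rewrite both the file and a locally stored baseline, so a real agent ships the baseline (or the change events) to the central platform rather than trusting the host's copy.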
Next Generation SIEM Analysis
The SIEM correlates up to 3,250 metadata points across nearly 40 supervised machine-learning anomaly detectors, 14 commercial threat-intelligence feeds, zero-day file sandboxing, IDS analysis, asset risk scoring and many other correlation rules to decide whether activity is malicious.
SIEM - Security Information & Event Management
We embed specialised SIEM components into our offering, which makes it possible to start detecting from day one. Our professionally managed SIEM solution ships with an extensive and continuously growing library of correlation rules researched and written by a specialised SOC team. This team of seasoned security experts tracks emerging threats in the wild and continuously updates the platform with the latest security intelligence, so the monitoring platform is always up to date. The threat intelligence database is updated several times per day, and the platform itself is upgraded, typically once every six weeks, to remain effective against modern threats.
Backend Access
All backend access to Knox Grade servers is secured via VPN. SSH user accounts are managed through our central configuration management tool, Puppet. SSH is configured to deny root login and to accept only public-key authentication, so the only way in is with the key pair of a dedicated support-staff account.
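The access policy above (no root login, key-only authentication, a restricted set of support accounts) is easy to state and easy to regress in a config push. The following is an added example, not the page's Puppet code: it parses an sshd_config and reports where it departs from that policy, including the two traps practitioners usually miss, namely that an unset directive falls back to the OpenSSH default and that keyboard-interactive (PAM) authentication can still prompt for a password when `PasswordAuthentication no` is set alone. Both sample configs and the group name `support-ssh` are constructed.

```python
from typing import Dict, List

# Added example, not the page's Puppet manifests: audit an sshd_config for the
# access policy described above (no root login, public-key only, limited to a
# dedicated support group). Both sample configs below are constructed.

# OpenSSH defaults (7.0 and later) that apply when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",   # root with a key is still allowed
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    # keyboard-interactive via PAM can still prompt for a password even when
    # PasswordAuthentication is "no"; it must be disabled as well.
    "challengeresponseauthentication": "yes",
}
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "challengeresponseauthentication": {"no"},
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives, keyed in lower case.
    sshd uses the FIRST occurrence of a directive; everything from the first
    Match line onward is conditional, so this global audit stops there."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit(text: str) -> List[str]:
    """Return findings; an empty list means the config meets the policy."""
    eff = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        value = eff.get(key, DEFAULTS[key])
        if value.lower() not in allowed:
            where = "set" if key in eff else "default"
            findings.append(f"{key}={value} ({where}); want {sorted(allowed)}")
    if not ({"allowgroups", "allowusers"} & eff.keys()):
        findings.append("no AllowGroups/AllowUsers: any account with a key may log in")
    if "include" in eff:
        findings.append("Include present: audit the included files too")
    return findings

WEAK = """\
# constructed: a stock distribution config with one change
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED = """\
# constructed: what the policy in the text implies
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
AllowGroups support-ssh
Match Group support-ssh
    PasswordAuthentication no
"""
```

`audit(WEAK)` yields four findings (root login falls back to the default `prohibit-password`, passwords are on, no AllowGroups, and an Include that needs its own review); `audit(HARDENED)` yields none. For a deployed host, feed it the output of `sshd -T`, which prints the effective configuration with defaults and Include files already resolved, and run it from the configuration management pipeline so a regression is caught before the change reaches the fleet.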
Encryption at rest and in transit
All stored data is encrypted at rest: the EBS volumes attached to EC2 instances, the RDS database and the S3 document store. All network traffic travels over TLS-encrypted channels (still commonly referred to as SSL).
Backups & Point-in-time-recovery
We configure RDS automated backups with a 35-day retention period: RDS takes a daily snapshot of the database and ships its transaction logs every 5 minutes. Together these allow point-in-time recovery, restoring the database (to a new instance) to any point within the last 35 days, with an RPO of about 5 minutes.
In addition, separate nightly snapshots of the database are taken and retained for at least 10 days.
The RDS instance can also be configured for Multi-AZ deployment. A standby instance then runs in a different availability zone of the same region and is kept in step with the primary by synchronous replication. If the primary fails, AWS fails over to the standby automatically, typically within one to two minutes, with the database endpoint name unchanged. Multi-AZ protects availability, not data: corruption or an accidental deletion is replicated to the standby just as faithfully, which is why the point-in-time recovery above is still needed.
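The encryption-at-rest section and the backup and Multi-AZ section above each state a property of the AWS resources. The following is an added example, not the vendor's tooling: it checks those properties (encrypted EBS, RDS and S3; a 35-day automated-backup window; Multi-AZ) against API responses. The responses are constructed here in the shape returned by `aws ec2 describe-volumes`, `aws rds describe-db-instances` and `aws s3api get-bucket-encryption`, so the example runs offline; the resource names and the `documents` and `legacy` buckets are assumptions.

```python
from typing import Dict, List, Optional

# Added example, not the vendor's tooling: verify the properties promised in the
# two sections above (encrypted EBS/RDS/S3, a 35-day automated-backup window,
# Multi-AZ) against AWS API responses. The dicts below are constructed in the
# shape returned by `aws ec2 describe-volumes`, `aws rds describe-db-instances`
# and `aws s3api get-bucket-encryption`; a real run would feed in boto3 or CLI output.

def check_volumes(resp: Dict) -> List[str]:
    """Every EBS volume must have Encrypted=true (which key is used is a separate question)."""
    return [f"EBS {v['VolumeId']}: not encrypted"
            for v in resp.get("Volumes", []) if not v.get("Encrypted", False)]

def check_rds(resp: Dict, min_retention_days: int = 35) -> List[str]:
    """Storage encryption, PITR window and Multi-AZ for each instance."""
    findings = []
    for db in resp.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append(f"RDS {name}: storage not encrypted")
        retention = db.get("BackupRetentionPeriod", 0)  # 0 disables automated backups
        if retention < min_retention_days:
            findings.append(f"RDS {name}: backup retention {retention}d < {min_retention_days}d")
        if not db.get("MultiAZ", False):
            findings.append(f"RDS {name}: not Multi-AZ")
    return findings

def check_bucket_encryption(bucket: str, resp: Optional[Dict]) -> List[str]:
    """get-bucket-encryption fails with ServerSideEncryptionConfigurationNotFoundError
    when no default encryption exists; the caller passes None in that case."""
    if resp is None:
        return [f"S3 {bucket}: no default encryption"]
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules]
    return [] if algos else [f"S3 {bucket}: encryption config has no rules"]

# Constructed responses: one compliant and one non-compliant resource of each kind.
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f67890", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/example"},
    {"VolumeId": "vol-0ffffffffffffffff", "Encrypted": False},
]}
DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "app-prod", "StorageEncrypted": True,
     "BackupRetentionPeriod": 35, "MultiAZ": True},
    {"DBInstanceIdentifier": "app-staging", "StorageEncrypted": True,
     "BackupRetentionPeriod": 7, "MultiAZ": False},
]}
DOCS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/documents"}}
]}}

def run_all() -> List[str]:
    """Run every check over the constructed responses and return all findings."""
    return (check_volumes(VOLUMES) + check_rds(DB_INSTANCES)
            + check_bucket_encryption("documents", DOCS_BUCKET)
            + check_bucket_encryption("legacy", None))
```

`run_all()` reports the unencrypted volume, the staging database's 7-day window and missing standby, and the bucket with no default encryption. With boto3 the inputs come from `ec2.describe_volumes()`, `rds.describe_db_instances()` and `s3.get_bucket_encryption(Bucket=...)`, catching `ClientError` for the missing-configuration case. Two caveats: since January 2023 S3 applies SSE-S3 to every new object by default, so the S3 check is mostly about confirming a KMS key is used where the policy demands one; and a 35-day retention value only proves the window exists, so the recovery itself should be exercised periodically with `aws rds restore-db-instance-to-point-in-time --source-db-instance-identifier <db> --target-db-instance-identifier <db>-restored --restore-time <timestamp>`, which creates a new instance rather than modifying the primary.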
Our Knox-grade offering adds several security components and features to our standard AWS setup, which is described in the previous section. The following diagram outlines the high-level architecture of those components, and separate sections describe each component in more detail. The VPC, the application server, the RDS server and S3 are set up in the same way as in the standard deployment outlined in the previous section.