Using RapidSpike to Monitor Security

Keeping your site safe and secure is essential. Malicious hosts, threats and attacks are common with news stories coming to light daily making it essential to monitor security. But on a day to day basis, security is maintaining control over who has access to your site and where you are sending your data. Websites are extremely complex and have many functions. It is common for sites to use many third-party tools, work with external companies and conduct regular internal changes, making it difficult to keep track of everything going on with your site.

All of our tools are here to help you identify potential security issues, for example, our assurance monitors keep an eye on SSL and constant webpage test monitoring can identify load time spikes and third parties. But this method is more reactive and relies on you checking in regularly with your account.

To ensure your site is secure and not sending data to untrusted hosts we offer a few different tools to protect your site:

Assurance
Attack Detection
Vulnerability Scans

As we cover Assurance monitoring in a previous article we will start by looking at attack detection.

Attack Detection

Attack detection is at the core of our security monitoring and works with your user journey monitors and real user monitoring.

Before looking at the main dashboard we will start with the setting screen. If it is your first time using attack detection your monitor currently won’t be collecting any data and this panel lets you choose where you are collecting the data from. Below is a screenshot of the settings dashboard:

Real User Monitoring

Firstly we will look at the Real User Monitoring Attack Detection to monitor security. Once you have enabled RUM within RapidSpike it will begin collecting data (If you are unsure how to do this check out our KnowledgeBase article here). You can specify the pages you would like to protect and easily add, edit or remove pages depending on your needs. Attack Detection gathers all data sent by users when browsing your sites, allowing you to single out potentially malicious hosts.

We highly recommend protecting core functions on your site, in particular, pages with sensitive data such as:

Payment Pages
Login Pages
Forms collecting personal data

If you have a site with a significant amount of daily traffic this will generate a significant amount of data and setting the ‘Real User Request Filter’ allows you to cut through some of that noise. As standard, we recommend the filter to show hosts seen by at least 75% of traffic however you may want to decrease this to get more in-depth information. If our Real User Monitoring encounters a host that meets the threshold you set it will display in the untrusted host’s section and send you an alert (Which we will cover later).

Just below this, you will see a tick box that allows you to auto-trust hosts that we have flagged on our global safe list. This list will include well-known sites that you would expect to interact with your site which are likely to be safe however you can leave this unticked and manually approve each host as it appears.

User Journeys

User Journey can collect a vast amount of data and can be used to check functions, gather performance data and much more. Attack Detection will alert you immediately when we encounter a host on your site within the path you have scripted.

Our user journey best practices suggest that each step equals one page which makes ticking and unticking steps in your attack detection easier to navigate. Similar to our RUM recommendation we would suggest you protect pages with payment data or anything that sends/receives sensitive data. As soon as you have ticked the appropriate sections and updated your settings, the data will be collected as soon as the next test runs. This data will be extremely useful as you monitor security.

Attack Detection Overview Dashboard

The overview dashboard gives you a snapshot of all the data collected as well as highlights things to be investigated.

The bar at the top of the dashboard outlines how many Untrusted Hosts have been detected and the total checks made along with the total hosts that have been seen. If you have RUM and user journeys protected, these numbers will likely be high due to the amount of data being tracked.

The Hosts Seen graph provides a visual representation for when hosts have been detected. When changes are made to your site or there is an increase in traffic you may see spikes in the graph. This data can help identify specific time periods when your site saw an influx of hosts which may need investigating, especially if this is combined with new untrusted hosts.

At the bottom of this dashboard is a separate view of both monitors running and the hosts they have identified. You will see in the screenshot below that ‘Synthetic Browser’ (User Journey) has detected more untrusted hosts compared to the Real User Monitoring.

Untrusted List

Once Attack Detection comes into contact with a host which hasn’t already been trusted or flagged as safe, depending on your rules you should receive an alert. You will find this new host in the ‘Untrusted List’. This list contains all hosts that have not been trusted. It is worth noting that even if we have flagged something as a ‘Known Safe Host’ it still may need to be trusted to be removed from this list.

By going into the details of a host you can see the host URL, the site discovered on, step discovered on (if applicable) and requests made. If you are unsure if a host is safe we highly recommend speaking to someone with security knowledge but do also provide a few links to gather more information:

WhoIs
OTX
VirusTotal

Once you have investigated the host, you can either Trust it, Add a note or send it to the trash.

Trusted List

The trusted list houses all hosts you have identified as trustworthy as well as the date they were trusted. You can also edit hosts within this dashboard to set the attack detection to match the exact host or match to a pattern. You can also trust hosts on specific sites in case you didn’t want something trusted account-wide. To monitor security effectively, keeping this list up to date will ensure you have full visibility over hosts and get the most out of the data.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Categories

Using RapidSpike to Monitor Security

Start your free 30-day trial today

Start monitoring today, no credit card required. Or chat to our friendly team about your requirements.