What is the Signal Sciences architecture?
The Signal Sciences platform is an application security monitoring system that proactively monitors for malicious and anomalous web traffic directed at your web servers. The system is comprised of three key components:
- A web server integration module
- A monitoring agent
- Our cloud-hosted collection and analysis system
The module and agent run on your web servers within your infrastructure, analyzing and acting on malicious traffic in real-time as it is detected. Anomalous request data is collected locally and uploaded to our collectors, allowing us to perform out-of-band analysis of malicious inbound traffic.
Additional details can be found here: Architecture
Getting started with Signal Sciences typically takes less than five minutes and is just a few simple steps depending on your web server (NGINX, Apache).
To get started jump over to our Install Guides
Unlike other security products you may have seen before, Signal Sciences’ customers actually use our product in blocking mode.
What is a decision?
Instead of the legacy approach of blocking any incoming request that matches a regex, Signal Sciences takes an alternative approach by focusing on eliminating attackers’ ability to use scripting and tooling. When an incoming request contains an attack, a snippet of that request is sent to the Signal Sciences backend (see the Privacy FAQ to learn how this is done in a safe and private manner). The backend aggregates attacks from across all of your agents, and when enough attacks are seen from a single IP, the backend reaches a decision to flag that IP. Agents will pull those decisions and either log (when the agent mode is set to “not blocking”) or block (when set to “blocking”) all subsequent requests from that IP that contain attacks.
For more information, see blocking.
The Overview Page
The overview page gives you an immediate idea about activity for attacks or oddities against the sites that are being managed by Signal Sciences. These include graphs for OWASP Injection Attacks and different types of Anomalies. From any of these graphs you can drill in by clicking requests or highlighting the time period you are interested directly on the graph itself. This page mainly serves as the jumping off point to drill down into more granular detail.
The Requests view of Signal Sciences is a very powerful interface for finding information on the different types of requests that are coming through. The requests that are sent to Signal Sciences are going to be either threats or anomalous tagged requests. If you’re familiar with the Elastic Search syntax the syntax for Signal Sciences search is very similar. For more advanced search information, see search syntax.
Here is an example search where we are looking at results from within the last 6 hours, returning a 404 code, the response time being greater than or equal to 2, and the path contains “mainfile.php”
from:-6h httpcode:404 path:~mainfile.php responsemillis:>=2
In the Signals Dashboard view Monitor > Signals Dashboard there are breakdowns of the individual signals that are being tracked in your Signal Sciences deployment. There are the out of the box Attacks and Anomalies plus any custom signals that are being tracked. These Dashboards give you a more detailed view into the activity that is happening in your environment.