At the recent HostingCon conference, I got a chance to talk with Sucuri’s Co-Founder Dre Armeda at their booth. Sucuri is one of the most respected names in the website security industry. We discussed both website security and web hosting. Here are the highlights from my interview with Dre.
Web Hosting Cat: What is the number one security concern in 2017 that all website owners should be aware of?
Dre Armeda: One, certainly password management is an important thing. And when we start to think about credentials and access, we want to be better about making sure we’ve got strong credentials—and we’re safeguarding those appropriately (minimizing access to only those that need it). But I think more importantly, these days what people tend to forget is that there’s more to the risk war than just your applications. So let’s say you have your web server, your hosting environment, you’re running WordPress, Joomla, Drupal—oftentimes we use that as a mechanism to go, hey look we’re insecure, we’re not secure, we’re doing the things we need to do there, but we don’t think about the rest of the items down the rest of the stack: so it’s the network, the hosting provider that you’re using, the server, the applications on that server, how you’re connecting to these servers (passing data there), and all those components that really make up the entire risk war that you need to be considering. So, we need to do better to make sure we’re looking a bit more holistically at our security posture. And that, in and of itself, will help us reduce risks overall.
WHC: What are some of the top security products and services that Sucuri offers?
DA: We started out in 2010 as a way to monitor for behavioral changes on websites and we were able to notify against those things. But what we found is that’s not really actionable and our clients that were actually finding value in that monitoring service wanted a way to remediate when issues were found. We found a way and a mechanism to automate a lot of that and put human influence and human intelligence into making sure that we were cleaning things up 100% when they were infected and getting websites back to a normal state. What we found beyond that is that’s still really reactive, so we built a web application firewall that sits on the edge. We see all traffic coming in. We do all sorts of checks on it against our definitions—against profiles we’ve built against existing platforms like WordPress for example. And we do these holistic checks to make sure that if any of that traffic coming in is from a bad act or some type of bad behavior, we stop that and thwart that at the edge before it ever reaches the environment–which is exciting because now you see that protection layer but also some performance increases because you’re not killing your server with all those requests that don’t need to be there. And, we found that it was important to build in some type of caching ability. So we also have a CDN layer that we built into our protection platform that gives us better performance. So overall, monitoring, remediation (or incident response), and performance–along with our protection platform, round out our main website security platform.
WHC: When shopping for web hosting, what security features should you look for in a web hosting plan?
DA: That’s a great question. What we find often is that the consumer that’s getting into the website world and wants its host has this connection with the host thinking that they protect them all the way through that experience, that entire workflow, from the beginning in terms of the architecture and the infrastructure that that hosting provider is renting to them in a sense or that space that they’re giving them, all the way through the applications that are on there—and that’s just not the case. The onus is on the administrator of that website to make sure that everything beyond that hosting layer and gets into the application, the plugins, and the things that you’re putting into that environment are taken care of. So one thing I would consider if I’m going now to go get hosting is one, understand really where that D mark is at: What is the host responsible for? What am I responsible for? And look for services out there that are integrating services like Sucuri that will give you that application layer website protection, the remediation capabilities and monitors, so that you’re getting a good idea of any security anomalies that are happening on the site at any time.