White Paper. In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? Table of Contents

Transcription

1 White Paper Secure Computing is a global leader in Enterprise Gateway Security solutions. Powered by our TrustedSource technology, our award-winning portfolio of solutions help our customers create trusted environments inside and outside their organizations. Table of Contents In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? Web Gateway Security: Protect. Enforce. Comply. Introductory Overview: Boundaries No Longer Physical, but Virtual...2 Inbound Security Threats...2 Outbound Threats...3 Legacy Security Solutions Are an Incomplete Solution to Web 2.0 Security Threats...3 Meeting Web 2.0 Security Threats Head on with Comprehensive Web Gateway Security...4 The Major Components of Web Gateway Security: What Is Required?...5 Reputation-Based Web Filtering...5 Proactive Behavioral Based Anti-Malware Protection...5 SSL Traffic Scanning...6 Enterprise Reporting...6 The Webwasher Web Gateway Security Solution: Technology and Architecture...7 An Award-Winning Web Gateway Solution...9 Summary...9 Secure Computing Corporation Corporate Headquarters 4810 Harwood Road San Jose, CA USA Tel Tel European Headquarters Berkshire, UK Tel Asia/Pac Headquarters Wan Chai, Hong Kong Tel Japan Headquarters Tokyo, Japan Tel Secure Computing Corporation. All Rights Reserved. WW-WGS-WP-Feb07vF. Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail, SofToken, Enterprise strong, MobilePass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, CyberGuard, Total Stream Protection, Webwasher, Strikeback, and Web Inspector are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, Security Reporter, Application Defenses, Central Management Control, RemoteAccess, IronIM, SecureWire, SnapGear, TrustedSource, On-Box, Securing connections between people, applications, and networks and Access Begins with Identity are trademarks of Secure Computing Corporation.

2 Introductory Overview: Boundaries No Longer Physical, but Virtual The Internet today is a different mechanism than it once was. Widely referred to as Web 2.0, today s Internet is a place where the boundaries of the enterprise are no longer clear and this has had a ripple effect on network security. Applications are now enabled over the Internet and the use of corporate intranets and extranets are now critical components of business. Indeed, organizations now build their businesses on Web infrastructures, and we ve even seen the proliferation of completely virtual companies that have no physical headquarters at all. Today s business model includes inbound access for remote employees, partners, and customers. Internal employees also reach beyond the edge of the internal network to communicate and gather information across the Internet. This bi-directional aspect of IP-based application access creates significant security challenges for enterprises, however. Communication methods are both inbound and outbound, and so too, threats have also become both inbound and outbound in nature. The enterprise must be protected from malware (malicious software), regulatory compliance must be ensured, data leakage prevented, and employee productivity must be managed. These security issues exist for all IPbased traffic, whether , VoIP, instant messaging, Web access, file transfers, or other enterprise applications communicating over IP. In short, business use of the Web and Web 2.0 applications expose organizations to both inbound and outbound security threats which transcend the legacy security measures for Web 1.0. The new generation of emerging security threats now consists of malicious attacks led by cyber criminals targeted at specific organizations for personal or financial gain. This paper outlines these new threats and discusses the limited effectiveness of legacy Web security solutions against those threats. The paper then outlines the new proactive security paradigm that is necessary for securing Web 2.0 applications and protecting the enterprises that use them on a daily basis. Let s begin by outlining today s Web 2.0 threats. Inbound Security Threats As noted above, gone are the days when the primary cause for concern was a broad-based Internet virus attack. Those attacks were launched to gain notoriety with the hacker s peers. Web sites were defaced much like graffiti is posted on a public wall or highway overpass, and political or personal messages were sometimes embedded in Web pages or disseminated to desktops. These attacks were a nuisance, required clean-up, and were often designed to embarrass the recipient. These broad-based attacks often caused a drain on productivity, sapped bandwidth, and created potential liability problems. The attackers however, were often unsophisticated with the virtual equivalent of a spray can. Today s attackers, on the other hand, are sophisticated and organized, and financially motivated. They are cyber-criminals who use technology to commit targeted attacks against specific persons or organizations for profit. The security risk, and potential for substantial loss, is much greater. One tactic used by these cyber-criminals is to leverage their sophisticated knowledge to plant worms on host machines. These compromised machines, known as zombies, are rented out to carry out phishing, spam or other attacks 1. In addition to for-hire zombie networks ( botnets ) cyber-criminals also use sophisticated tools to deploy seemingly innocent content which actually contains Trojan horses with malicious functions. These targeted Trojan horses present a threat to the organization in that on the surface, they appear harmless and innocuous, and may even take the form of a useful application or an entertaining game. Often these attacks utilize commonly used productivity tools like MS Office files transmitted via work or via personal that employees access via encrypted Web mail. Once opened by the recipient, the Trojan is released, opening the door for corporate data espionage, data theft, and the release of additional malware. Traditional anti-virus (A/V) solutions are ineffective in stopping the attack because there is no known signature. Targeted attacks are increasingly brief in duration and small in number of samples sent out. Often it consists of malware that is designed to by-pass the targeted company s signature-based anti-virus protection. Since the attack can end in just a few hours, your data may have already been stolen before anyone knows it has happened. 2, White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 2

3 And it is not just files coming into an organization hidden in Trojans that can introduce malware. Seemingly innocent Web pages that employees may access for legitimate purposes can introduce malware or spyware into a network. This is potentially much more dangerous. Users can be educated not to click on suspicious attachments, but malicious Web sites may contain active code that launches automatically as soon as the Web page is viewed. This is a common drawback of the Web 2.0 applications, like blogs, Wikipedia, and social networking sites like MySpace, that allow users to post code as part of the permissible content posting. For example, in November 2006, the popular Wikipedia reference site was compromised and used to distribute malware to unsuspecting users who thought they were getting information on a security patch 4. One example of how signature-based anti-virus protection and category-based URL filtering have become obsolete due to the dynamic nature of Web 2.0 threats, is a program now available called evade o Matic Module, or VOMM for short, that automates the creation and modification of code so that it constantly changes its signature to avoid anti-virus detection while taking advantage of the same browser vulnerability. VOMM enables malicious code to literally have millions of possible signatures, so that the malware can always stay a step ahead of the anti-virus software. In short, its purpose is to make an intrusion attempt undetectable by signature-based anti-virus protection 5. Malicious attacks are also now utilizing the very technologies that were created to provide security. For example, to secure financial transactions, encrypted HTTP was created (HTTPS) to ensure that financial data was not in the clear on the Internet. This is now widely used for financial and healthcare information transactions. However, attackers can also use this secure connection to transmit malware, and carry out a malicious attack that is undetectable by legacy security solutions like anti-virus 6. Because most legacy security solutions cannot be applied to encrypted traffic, we refer to this portion of network traffic as the SSL blind spot. Outbound Threats In addition to inbound threats, there are also outbound data leakage threats that an organization must be aware of. Attackers aren t always outsiders in faraway countries; more often they are right inside your own organization. Data thieves, industrial spies, and cyber-vandals can operate within a company s own boundaries. But outbound threats aren t always the result of an intentional attack by an insider, sometimes they occur when an employee unintentionally opens or allows a back door to be open, by downloading a rogue application that has not been approved by IT. Outbound data leakage is a concern for two reasons: 1) risk of intellectual property loss and 2) compliance with regulatory requirements (e.g. SOX, HIPAA, GLBA, etc.). Many organizations think that filtering their is sufficient to provide protection. While doing so is a key factor in a leakage prevention strategy, a multi-protocol approach to data leakage security, where network security administrators also pay attention to Web protocols as well is best: encrypted traffic (HTTPS), instant messaging use (HTTP), and file transfers (FTP) 7. All of these protocols can be used to convey proprietary information out of the enterprise. Legacy Security Solutions Are an Incomplete Solution to Web 2.0 Security Threats As security threats appeared along with development and adoption of the Internet, point solutions were developed to address those threats. Viruses appeared in the late 1980s and anti-virus vendors began to appear in the early 1990s. The first anti-virus solution became available in 1991, when a medical doctor (Peter Tippett) applied the same approach to attacking human viruses to viruses that were attacking computers: identify the virus by its behavior and then inoculate against it. The first viruses were identified by what they would do (e.g. attack the boot sector) and this was called their signature. The first anti-virus engine worked by using a list of virus signatures 8. These programs were designed as client solutions to protect the desktop from virus infection that was commonly passed via the exchange of portable media (like 5.25 and 3.25 inch diskettes). Initially, this worked well, because the total number of viruses was White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 3

4 not as large as it is today. These anti-virus solutions are still used today to protect the desktop even though computers are networked. Gateway versions of these anti-virus (A/V) solutions are now available from these vendors in both software and appliance form factors. Their primary approach to providing security remains the same reactive, signature-based model first invented by Dr. Tippett. Unfortunately, with new viruses (and mutations of old ones) appearing by the thousands, this reactive model can no longer keep up, and a more proactive solution is required. One threat not detected by signature-based A/V solutions is spyware. Spyware, software that collects user information without their consent and sends it to the spyware creator, usually for marketing purposes, is a term that was coined in 1995 but not widely used until One version of spyware, called adware, displays advertising, typically as a pop-up window, and installs itself to send information back to the advertiser on the infected machine s Web usage and the user s Web surfing habits. The first anti-spyware solution became available in early 2001 and an entire segment of the security industry was born, all providing point solutions to stop the spyware threat. Spyware vendor software is typically a desktop installation and works on the same paradigm as anti-virus software: once spyware is identified, a signature is created and those signatures are downloaded to the desktop installation of that vendor s software. The desktop anti-spyware software then is run to remove the spyware. The widespread adoption of instant messaging (IM) applications (AOL, Yahoo, MSN, etc.) has created another set of problems for organizations that legacy security solutions cannot address. IM applications open organizations up to infections from malware and to data leakage from message and attachment content transfer. Since files can be easily transferred via IM, it has largely replaced FTP as the preferred method of file sharing amongst individuals. The downside to this is the increased chance of data leakage and a wide open door for malware to transmit any file on a user s hard drive without their knowledge or consent. Now, distributors of viruses, Trojans, and other malicious applications do not have to rely on as a means of dissemination, they can instead push malware through using HTTP-based instant messaging. To address these new threats, a slew of vendors with new point solutions to this problem emerged in late It is clear from the events of the last 15 years that as threats emerge, vendors with new solutions are created and they find success in the marketplace selling point solutions to these threats. Often these solutions started as desktop applications and, as the cost of networking hardware has dropped over time, they have been ported first as gateway server software and now as dedicated gateway based appliances. The result in 2007 is organizations with lots of point solutions from lots of vendors with lots of user interfaces. These point solutions lack inter-application integration and policy has to be implemented by IT in multiple places. Yet in spite of all this complex infrastructure, the threat from malware is still not addressed, since the signature-less targeted attack and the SSL blind spot are not adequately addressed by this cornucopia of point solutions. Meeting Web 2.0 Security Threats Head on with Comprehensive Web Gateway Security In order to address the security threats posed by targeted malware, spyware, adware, and outbound data leakage, a new paradigm of proactive, reputation-based security needs to be applied to Internet traffic entering and leaving the enterprise. This new approach needs to reduce the number of point solutions deployed, which in turn results in lower support, subscription, and employee training costs. It needs to overcome the limitations of other point solutions with a proactive approach that can detect both known, signature-based and unknown attacks before they can penetrate the network. These Web 2.0 security threats are addressed with an appliance-based platform that offers protection in the following areas: next-generation reputation-based Web filtering, gateway anti-virus, proactive anti-malware, data leakage protection, and scanning of SSL traffic. This solution must include a unified administrative interface with common policy management and enterprise class reporting on all functionality along with an executive dashboard providing at a glance status on network security and system health. This appliance-based solution is referred to as Web Gateway Security. 9 White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 4

5 The Major Components of Web Gateway Security: What Is Required? Each of the following protective measures are required to ensure complete, comprehensive Web Gateway Security. Reputation-Based Web Filtering Just as legacy anti-virus solutions that utilize signatures are not adequate to stop malware, legacy URL filtering solutions that rely only on categorized databases of URL entries that update a few times a day are also not adequate to protect organizations from Internet threats that occur as the result of employee Web use. What is needed is a reputation system that assigns global reputations to URLs, and works alongside the categorized databases for the ultimate protection. This Reputation System provides a mechanism for determining the risk associated with receiving data from a particular Web site. This reputation can be used in conjunction with categories in an organization s security policy, allowing them the ability to make the appropriate decision based on both category and reputation information. This reputation-based URL filtering solution needs to be global in scope and internationalized to handle Web sites in any language. This is especially true considering the global nature of the Internet security threat 10. In addition to reputation-based filtering, real-time classification of uncategorized Web sites is required as well as the ability to enforce the safe search feature of the leading search engines. Lastly, it is important to block access to Web sites based on the content of the URLs themselves. This is called expression filtering and is vital in preventing access to sites that serve as anonymizers and proxies. These sites present security risks to the organization as they circumvent filtering of access to sites known to host malware, spyware, and other security threats. Figure 1: Reputation-based filtering uses global intelligence, advanced behavior analysis, and dynamic reputation scores to detect malware and proactively stop it from entering the enterprise. Proactive Behavioral-Based Anti-Malware Protection Organizations should not rely solely on either a pure client or pure gateway solution. The typical boot sector virus that used to reside on a floppy is extinct because there are no more floppy drives. The risk of a virus being present on USB memory devices (or on CDs/DVDs) still remains and therefore there is still a need for anti-virus protection at the client. In addition, client-based protection is recommended as a second layer of protection, in the rare event that a known virus should break through the gateway anti-virus protection layer. However, the need to address the gateway itself is becoming more important as it is the primary entry point for malware. It is widely agreed that enterprises should deploy a client side anti-virus solution and deploy gateway anti-virus as well. But these solutions are reactive (signature-based) and don t scale to meet the multi-protocol malware threats posed by deployment and use of Web 2.0 applications White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 5

6 When adding anti-malware protection at the gateway, it is important to insure that a wide range of protocols are covered. All application protocols entering a network need to be under close scrutiny. Most enterprises today have some form of anti-spam and anti-virus combination for but what about protecting the Web gateway? It is as valuable as a mail gateway. In addition to standard HTTP traffic, encrypted HTTPS traffic, instant messaging, Peer-to-Peer applications, and Web mail, which are increasing in traffic volume, are also vulnerable and must be protected and controlled. For more information on Webwasher s Anti-Malware solution, please see our Stopping the Targeted Attack white paper ( wgswp). SSL Traffic Scanning A Web Gateway security solution should offer the following features to ensure security and prevent data leakage via SSL tunnels: Gateway anti-virus, anti-malware, and anti-spyware scanning: Encrypted content has traditionally been impossible to scan at the gateway, making SSL a dangerous virus carrier. By decrypting HTTPS content at the gateway and scanning for viruses, companies can leverage the same anti-malware protection offered by the Web gateway for HTTP and FTP traffic, while still enjoying the benefits of HTTPS. Outbound content scanning to stop intellectual property loss and support regulatory compliance: By first decrypting HTTPS file transfers and applying filtering policy, enterprises can filter files and media types which previously passed freely in and out of their network. Media type and content filtering: Many organizations seek to enforce policies for media file (MP3) sharing, and downloading of executables, ActiveX, JavaScript, or other potentially malicious content regardless of which network protocol these threats use. As the amount of content transmitted via SSL grows, bandwidth and content filters become as important for HTTPS as they are for HTTP. Certificate management: Centralizing certificate policy at the gateway removes the burden of this decision from employees (as well as the potential for costly mistakes), and allows administrators to enforce a consistent policy. Flexible policy enforcement: While in general all SSL encrypted traffic should be inspected, most businesses will want to deploy flexible policies on exactly what traffic is decrypted or for which user range. For example, executive level management might be completely exempt from SSL scanning, while for the general user, only SSL scanning to certain trusted banks or trusted categories of Web sites is deactivated. No decrypted content on the wire at any time! Figure 2: Effective SSL scanning enables enterprises to apply their existing security and Internet usage policies to the HTTPS protocol and prevents certificate misuse. Enterprise Reporting Effectively securing and managing enterprise networks requires an understanding of the status, trends, and events relating to all network activity, and the ability to generate reports to meet both internal and external requirements. A Web Security Gateway requires reporting that provides a full breakdown of cache, streaming media, and Web usage in your company and it must scale to the largest of enterprises 20 GB of daily log files and more! Web Gateway reporting should support a customer s choice of enterprise class RDBMS in use, and require virtually no maintenance from IT staff by offering robust automated log file collection, report White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 6

7 generation, and distribution. Furthermore reports should be easily customizable and also conform with data privacy legislation throughout the world. Lastly but most importantly, it must provide at a glance information on network security and Web gateway performance through a dashboard interface that immediately informs administrators of any problems. The Webwasher Web Gateway Security Solution: Technology and Architecture The Webwasher Web Gateway Security appliances protect enterprises from malware, data leakage, and Internet misuse, while ensuring policy enforcement, regulatory compliance and a productive application environment. Webwasher analyzes traffic bi-directionally. Inbound, it isolates and eliminates threats from all types of malware zero-day threats, viruses, Trojans, spam, phishing, and the like. Webwasher employs the most sophisticated heuristic and signature-based techniques for stopping malware and zero-day attacks, as well as patented content analysis software to achieve regulatory compliance and for stopping data leakage on outbound traffic. Webwasher uses a deep knowledge of the underlying protocols and application behavior combined with global intelligence to make security decisions. Webwasher Web Gateway Security is a truly integrated solution that replaces legacy point solutions. Webwasher has a unified interface that combines all the content protection applications enterprises need into one solution: reputation-based Webwasher URL filter, Anti-Malware, Anti-Virus, SSL scanning, anti-spyware, and enterprise-level reporting on all Web traffic. Webwasher Web Gateway integrates with Secure Computing s Messaging Gateway solutions as well: IronMail for protection, IronNet for privacy compliance and data leakage prevention, and IronIM for regulating IM usage. Integration between Web and Messaging Gateways is critical since many of today s attacks utilize multiple modes. The attack may begin with a seemingly innocent with an embedded URL that, when accessed by the recipient, launches a Web-based attack. Web Gateway Requirement Next-generation Web Filtering Webwasher URL Filter Gateway Anti-Virus Protection Webwasher Anti-Virus Anti-Malware Protection Webwasher Anti-Malware SSL Scanning Webwasher SSL Scanner Reporting Webwasher Content Reporter Webwasher Protection Reputation-based filtering powered by TrustedSource Utilizes both URL category & Web reputation Real-time classification of uncategorized sites Safe search enforcement Mechanisms in place to prevent users from circumventing filtering Up to 2 signature-based anti-virus engines can run simultaneously PreScan functionality ensures a responsive gateway Complements existing gateway AV scanners & firewalls Proactive filters provide immediate protection for blended threats, unknown malware, spyware, Trojans, or day-zero attacks. Signature-based anti-malware engine for known threats Covers wide range of protocols Existing security & Internet usage policies applied to HTTPS traffic Certificate management Inbound & outbound scanning Flexible policy enforcement Safely deployed no decrypted content on the wire Enterprise-class reporting on inbound & outbound traffic Highly scalable, customizable Reports on multiple third-party proxies, firewalls & caching devices Automated log collection, report generation & distribution Informative dashboard for immediate network snapshots White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 7

8 As part of Secure Computing s vision to provide comprehensive enterprise gateway security, Webwasher incorporates global intelligence from the company s industry-leading reputation system, TrustedSource. Like a credit agency provides credit scores to enable reliable commerce, TrustedSource provides real-time reputation scores for URLs, domains, and IPs based on Web page content, images and behavior as well as historical information such as knowledge that a site has been repeatedly compromised in the recent past. Using this realtime scoring, Webwasher allows organizations to detect and prevent security threats such as spyware, phishing, or other malware. Traditional URL filtering solutions stop users from visiting certain sites that cause liability risks, loss of productivity, or sap bandwidth, but do very little to protect against compromised legitimate Web sites. Secure Computing has defined a new standard in URL filtering with its integration of the TrustedSource reputation technology with each of the millions of URLs in its award-winning SmartFilter database, now used to power Webwasher URL Filter. Instead of relying solely on a static list of categorized URLs, Webwasher enhances protection by adding Internet reputation to what is known about the URL and enables a block or allow decision based on realtime information. The ability to implement security policy based on both URL category and its Web reputation dramatically improves filtering accuracy and protection. To help continually improve security for all customers, Secure Computing collects information on Web traffic and new malware by accumulating data from the thousands of Webwasher Web Gateways deployed throughout the world. This information is then fed back in real-time to all Webwasher Gateways. As Webwasher discovers and stops malware, the breadth and depth of the TrustedSource protection improves for all. Moreover, TrustedSource security protection is here now. Secure Computing has integrated TrustedSource s Web-reputation technology with its Webwasher Web Gateway version 6.5, providing feedback to the TrustedSource network on uncategorized URLs, providing feedback on the existence of new or mutated malware, and providing reputation scores for all URLs, IPs, and Web pages visited by end users protected by Webwasher. Figure 3: Webwasher incorporates real-time global intelligence from TrustedSource to provide comprehensive Web Gateway protection. For more information on TrustedSource, please visit White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 8

9 An Award-Winning Web Gateway Solution Webwasher Web Gateway Security has won numerous awards including SC Magazines Best Content Security solution of In another test, Webwasher and 31 other anti-virus and anti-malware competitors were tested in late 2006 by AVTEST, an independent test organization. The results of these tests were published in eweek magazine in October 12. The lab tested all the products against a collection of almost 300,000 Trojan horses and measured each solution s effectiveness in stopping an attack by each piece of malware. Webwasher scored #1 in test, catching 99.97% of the malware in the sample. Additionally, in January 2007 Webwasher received ICSA labs certification for protection against malware and viruses. Summary Today s Internet is vastly different than it was 10 years ago, or even 2 or 3 years ago. Web protocols like HTTP and HTTPS are being used today by Web 2.0 applications in ways never envisioned when these protocols were developed. These new Web 2.0 applications expose the enterprise to new and fast evolving security threats. Traditional reactive, signature-based approaches to filtering and malware are inadequate to meet this new challenge. Reputation-based security, including malware detection and URL filtering, are needed to meet this challenge. Webwasher Web Gateway Security meets the bidirectional security needs of the Web 2.0 Internet. Webwasher provides immediate protection against malware hidden in blended content or hidden in encrypted SSL traffic. Webwasher also protects organizations from outbound threats such as loss of confidential information that can leak out on all key Web protocols. Webwasher provides this outbound security by performing unique outbound scanning of content even content transmitted via SSL. Thus, Webwasher is an important tool in an organization s arsenal to prevent intellectual property loss, comply with regulatory requirements, and provide reporting for compliance as well as forensics in the event of leakage. To meet the needs of the Web 2.0 environment, Webwasher Web Gateway Security is reputation-based. Reputation-based Web filtering, powered by TrustedSource, provides superior security when compared to legacy URL categorization solutions. Webwasher also provides unique real-time feedback to TrustedSource on uncategorized sites or on malware that does not yet have a signature. This real-time feedback system leverages the installed base of Webwasher Web Gateways as its data collectors. Thus all Webwasher customers benefit from the network and the network improves as more Webwasher Gateways are deployed. Finally, since today s security threats are very sophisticated, with cyber-criminals leveraging , Web sites and malware to pull off a complex attack, Webwasher Web Gateway Security provides the integration with Messaging Security through Secure s IronMail appliances, with common policy, compliance, and reporting to maximize the effectiveness of Secure s enterprise gateway security solutions or White paper In Today s Web 2.0 Environment, Proactive Security Is Paramount. Are You Protected? 9