WHITE PAPER: Messaging and Web Security Best Practices for 2011 and Beyond. An Osterman Research White Paper. Published March 2011.


Osterman Research, Inc.
P.O. Box 1058, Black Diamond, Washington USA
info@ostermanresearch.com
twitter.com/mosterman

Executive Summary

In an Osterman Research survey conducted during January 2011, decision makers and influencers demonstrated that they are decidedly pessimistic about the future of spam and malware problems for 2011, as shown in the following figure.

[Figure: Predictions About Global Spam and Malware Problems in 2011]

They have little reason to be optimistic: despite recent, albeit temporary, good news, such as reductions in the number of spam messages traversing the Internet, there has been relatively little good news in the context of threats directed against messaging and Web users. Further, while many decision makers are taking messaging and Web security threats quite seriously, a soft economy coupled with threats that are rapidly increasing in sophistication and severity means that many organizations are not keeping pace with the threats they face. For example:

- Symantec.cloud reported that 41.1% of all of the malicious domains they blocked during January 2011 were new, representing an increase of 7.9% from the month before [i].
- The Rustock botnet was more or less shut down during the 2010 Holiday season. However, GFI Software reports that in January 2011 Rustock was reactivated and its spam volume increased by 98% [ii] almost overnight. As of late March 2011, Rustock has been silenced once again, but has the potential for coming back online.

Osterman Research, Inc.

- SpamTitan reported results from a 2010 survey that found that 49% of small- to mid-sized businesses had not taken even basic steps toward crafting a social media policy [iii].
- Edgewave reported that during the month ending February 23, 2011, there were anywhere from 49 to 352 new spam campaigns launched every day [iv].
- In 2010, Websense Security Labs found that 61% of all data stealing attacks occurred over the Web or email [v].

KEY TAKEAWAYS

There are five key points that readers of this white paper should understand and appreciate:

- Spam is still a major problem
  Despite some recent good news on the spam front, spam volumes continue to increase and are expected to do so for many years to come. Because it saps storage, bandwidth and employee productivity, and is increasingly used as part of malware-distribution campaigns, spam continues to be a very serious problem.
- Malware is a rapidly growing threat
  Malware infiltration continues to be a vexing issue for IT management because of a) the increasing sophistication of the threats, b) the financial and other damage they can cause, and c) the sheer volume of new malware that is being distributed across the Internet.
- There are more places for spam and malware to enter an organization
  The number of venues for unwanted content to enter an organization is growing. In addition to the normal email channel, this content now increasingly enters an organization through social media tools like Twitter and Facebook, personal Webmail accounts used for work-related applications, Web-enabled smartphones, other mobile devices like iPads, the growing number of cloud-based applications used in the workplace, voice-over-IP systems, real time communication tools like instant messaging, flash drives, applications that users download that are not sanctioned by IT, and normal Web surfing to legitimate Web sites.
- The network perimeter is disappearing, making organizations more vulnerable
  Related to the point above is that the network perimeter is rapidly disappearing. Where there used to be a clear distinction between the corporate network and the outside world, the growing number of employees who work from home, coupled with the increasing number of mobile devices used for both work and personal applications, means that the network perimeter often does not exist.
- Data loss is becoming a greater risk
  The granularity and thoroughness of the policies to manage messaging and Web applications have not kept pace with the threats that organizations face. This makes organizations more vulnerable to data loss, financial loss, damage to corporate reputation, higher remediation costs and other problems. The risk of data loss through the Web has been exacerbated dramatically with the rapid growth of social media and other Web 2.0 applications.

ABOUT THIS WHITE PAPER

This white paper discusses the threats that organizations face from spam, malware and other threats directed at their messaging and Web capabilities. It uses research from recent Osterman Research surveys, as well as information from a variety of other data sources. It was sponsored by a leading vendor of messaging and Web security capabilities, Websense; information about and contact information for the company is included at the end of this white paper.

Electronic Communication and Collaboration is Dangerous

MOST ORGANIZATIONS HAVE EXPERIENCED MALWARE INFILTRATION

Most organizations have experienced some sort of malware infiltration through a variety of sources, as shown in the following figure from an Osterman Research survey [vi] conducted during

[Figure: Security Problems That Occurred During the Previous 12 Months]

The occurrence of malware infiltration has become decidedly worse over the past several years. For example, in a 2007 survey conducted by Osterman Research [vii], we found that malware had infiltrated through email in only 25% of organizations surveyed, while only 22% had
experienced malware infiltration through the Web, decidedly fewer than in the more recent survey noted above. McAfee reported that their identification of new malware increased from roughly 16,000 new samples per day in 2007 to 29,000 in 2008 to 46,000 per day in 2009 to 60,000 in 2010 [viii], an increase of 275% in just three years.

SPAM CONTINUES TO BE A SERIOUS PROBLEM

In addition to the rapid increase in malware penetration over the past few years, the spam problem continues to vex organizations large and small. For example, Symantec.cloud reported that spam accounted for 89.1% of email in 2010, or roughly billion spam messages sent on a typical day [ix]. While spam levels have dropped significantly in recent months, in part due to the closure of pharmaceutical affiliate seller Spamit and botnets Xarvester, Rustock and Lethic in 2010 [x], there continue to be more than 100 billion spam messages traversing the Internet each day, a figure that will increase over the long term.

WHERE DO THE PROBLEMS COME FROM?

There are a large and growing number of platforms and venues from which malware and spam can enter an organization:

- Email
  Email was the dominant method for distributing malware from the early 2000s to roughly 2009 before it was overtaken by the Web as the primary attack vector. However, email continues to be the primary method for distributing spam through a variety of venues: desktop email, mobile phones using SMS, etc. Today, email is used largely for blended threats: spam messages that contain links to malware-hosting sites. Blended threats are a more sophisticated form of attack because they require a greater level of security integration by combining traditional email and Web security capabilities. Websense found that 89.9% of all unwanted emails in circulation during 2010 contained links to spam sites or malicious websites [xi].
- User mistakes
  Users will sometimes install malware or compromised code on their systems, most often inadvertently. This occurs when they install ActiveX controls, download codecs or various applications that are intended to address some perceived need (such as a capability that IT does not support or that a user needs when working from home), or when they respond to scareware and fake anti-virus (Rogue AV or Fake AV) software. Rogue AV is a particularly dangerous type of malware, largely because it preys on users who are attempting to do the right thing to protect their computers from threats. Even users who are reasonably experienced can be fooled by a well-crafted Rogue AV message. Underscoring the seriousness of the problem, Symantec found that in the year ended June 2009, there were 43 million Rogue AV installation attempts from more than 250 different programs [xii].
- Various Web site threats
  There are a number of ways for malware to enter an organization through Web surfing or the use of Web-based applications:

  - Cross-component attacks occur when two innocuous pieces of malware code appear on the same Web page. Separately, they are harmless and difficult to detect; however, when they appear simultaneously on a single page, they can infect a user's machine with malware.
  - With Cross Site Request Forgery (CSRF) attacks, innocent-looking Web sites generate requests to different sites. CSRF attacks have exploited vulnerabilities in Twitter, enabling site owners to acquire the Twitter profiles of their visitors.
  - As Web 2.0 applications often leverage XML, XPath, JavaScript and JSON, Adobe Flash and other rich Internet applications, those applications are frequently vulnerable to injection attacks using these environments. These technologies are often used to evade anti-virus defenses, motivating attackers to leverage them.
  - Cross-site scripting attacks embed tags in URLs; when users click on these links, malicious JavaScript code will be executed on their machines.
  - SQL injection attacks occur when SQL commands and meta-characters are inserted into input fields on a Web site, the goal of which is to execute back-end SQL code.
- Smartphones
  Another source of Web threats is the growing use of Web-enabled smartphones. Osterman Research has found that few organizations require any sort of malware protection on these devices, making networks vulnerable to malware that enters through a mobile device when users surf the Web, access email or social media, etc. Compounding the problem is the fact that mobile devices are widely used (more than 90% of corporate information workers also have an employer-provided mobile device [xiii]) and a large proportion of users employ their mobile device as their primary client for checking work-related email from home.

  The growth and importance of smartphones is being exploited by criminals. For example, ING customers in Poland have been hit with a man-in-the-middle attack (a variant of Zeus) that will install malware designed to intercept passcodes sent to Blackberry and Symbian devices via SMS as part of a two-factor authentication scheme [xiv]. The first malware that targets the Google Android OS was discovered in August. McAfee reported a 46% increase in mobile-focused malware during 2010 compared to the year before.
- Compromised search engine queries
  Compromised search engine queries are another method for criminals to distribute malware. This form of attack relies on users making typographical errors when typing search queries, resulting in the presentation of malware-laden sites during Web queries. Search engine poisoning is particularly effective for timely and popular search terms, such as the latest celebrity gossip. Websense reported that searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%) [xv].
- Drive-by downloads
  Related to the blended threat is a drive-by download that occurs when a user visits a Web site and has malware automatically downloaded to his or her computer. In some cases, a user will visit a Web site and see a popup window; upon clicking the OK button in the
  popup, a Java applet, an ActiveX control, etc. will be installed on the user's computer without their consent.
- Direct hacker attacks
  Direct hacker attacks can include a variety of exploits, including hackers attacking a known vulnerability in a Web browser, or exploiting an older version of a browser or ActiveX control.
- Compromised, legitimate Web sites
  Many legitimate Web sites have been hacked and have served up malware to unsuspecting visitors. Kaspersky found that one in every 3,000 Web sites served up some sort of malware in 2010 [xvi], while the Online Trust Alliance reported that in excess of 10 billion advertising impressions in 2010 contained malware [xvii], with a dramatic increase noted during the last quarter of 2010 [xviii]. Websense reported that 79.9% of Web sites with malicious code in 2010 were legitimate sites that had been compromised [xix].
- Geolocation
  A growing number of applications use individuals' real-time location, permitting criminals to execute more targeted attacks; phishing attacks that employ geolocation may be more difficult for users to discern as a threat. Many users seem unaware of the malware and other threats they face from revealing their location, and often will freely share this information without considering the consequences.
- Other problems
  Off-network users, such as employees who work from home, are another source of Web-based threats. An unprotected user of a corporate asset, such as Outlook Web Access that is not accessed via a VPN, or a laptop computer that becomes infected and later is connected to the corporate network, can constitute a serious threat.

  Insufficient authentication controls will sometimes enable cyber-criminals to crack administrative accounts in order to gain access to sensitive information. For example, BitDefender found in a check of randomly verified accounts that three-quarters of users employ the same password for their email and social media accounts.

GROWING USE OF SOCIAL MEDIA, WEB 2.0 INCREASES THE PROBLEM

Social networking tools are exploding in popularity. For example, Facebook had million unique visitors in December 2010 in just the United States, an increase of 38% from December 2009 [xx]. December 2010 also saw 26.6 million US visitors to LinkedIn and 23.6 million visitors to Twitter, representing increases of 30% and 18%, respectively, compared to a year earlier [xxi]. Further, not only the access to social media, but their penetration is growing: for example, while the number of unique visitors to Facebook increased by 38% during the year ended December 2010, total minutes spent on the site increased by 79% [xxii].

The growth in popularity of social media tools has not been lost on hackers and other criminals, leading to active targeting of social media tools across a wide spectrum. For example:

- While phishing sites that target social media account for less than one percent of current phishing sites worldwide, these sites received 62.4% of all phishing impressions in the six months ended June 2010 [xxiii].
- Roughly 20% of the news feeds on Web sites contain some sort of malware infection [xxiv].
- The criminal organization that operates Koobface maintains, as of late 2010, nearly 22,000 Facebook accounts (with 935,000 friends), more than 350,000 Blogger accounts, and more than 520,000 Google accounts [xxv].
- Websense found that 10% of links posted in Facebook are either spam or malicious [xxvi].

One of the fundamental problems with social media is that many more organizations allow the use of social media (often doing nothing to protect the organization from its threats) than consider it to be legitimate for use in their organizations, as shown in the following table from a recent Osterman Research survey.

Organizational Views About Various Social Media Tools [xxvii]

Tool                        Allow Use   Consider to be Legitimate   Difference
LinkedIn                    70%         64%                         6%
YouTube                     52%         35%                         17%
Twitter                     50%         34%                         16%
Facebook                    48%         31%                         17%
MySpace                     35%         17%                         18%
Peer-to-peer file sharing   22%         21%                         1%

Another important consideration, albeit not directly a security issue per se, is that strictly personal use of social media can represent an enormous productivity cost to an organization. For example, if users are updating their personal status on Facebook, looking for a new job on LinkedIn, or simply surfing for funny comments on Twitter, that represents an enormous loss of productivity. Using SpamTitan's calculator, an organization of 100 users, each of whom spends 20 minutes per day on personal Facebook use at work and whose average annual salary is $45,000, will cost the organization nearly $186,000 in lost productivity each year.

What this demonstrates is that social media use is allowed in more organizations than actually consider it to be legitimate, indicating that many in IT departments may not accept its use, but they are doing little or nothing to prevent it from being used, resulting in both productivity losses and excessive exposure to malware.

The Consequences of Poor Communication Security

USERS NEED CONTINUOUS ACCESS TO COMMUNICATIONS

Organizations have long struggled with how they should or should not manage the use of various communication tools like email, the Internet in general, the Web and Web 2.0 tools. The emergence of social media applications and services makes that question more relevant and also more difficult. Given the range of security threats that can be received by email and the Web, as well as launched from social media sites, organizations need to be extremely careful about their employees' use of those sites in a work environment. The problem is exacerbated by the growing trend for employees to work from home, at times on unprotected or inadequately protected systems that can easily introduce threats into the corporate network.

These are problems that must be addressed. Continuing growth in the use of email, the Web, cloud-based applications, and the growing variety of Web 2.0 tools make employees more productive and efficient. Further, these capabilities support the greater concept of mobility, allowing employees to work from home or on the road with the same capabilities they would have in the office. Mobility in its larger context will become increasingly important as organizations look to drive down the cost of real estate, taxes and power by operating with the same number of employees, but with less office space.

The last point is one that cannot be underestimated: as companies seek to reduce their cost of operations, they will focus more on having employees work remotely. Highly reliable communications and information access will be critical to supporting these employees, and robust security will be even more important to enable these employees to work remotely.

THE CONSEQUENCES OF POOR SECURITY

The problems associated with security exploits impact just about every aspect of an organization:

- Decrease in employee and IT staff productivity
  Employees waiting for malware to be removed from their computers will be significantly less productive during these downtime periods, in some cases 100% less productive. Further, any sort of messaging or Web exploit will require IT staff to address the issue as soon as possible after the problem is discovered. This can lead to IT staff working on weekends, the delay of various IT projects, rebuilding desktops, and other costs that may be difficult to estimate. Security exploits can also lead to extended email or other service outages that can have serious ramifications on user productivity.
- Financial losses
  Loss of funds that arise from the use of malware like Zeus that is designed to steal money from victims' financial accounts can have a devastating impact on an organization. Just one of the many examples of Zeus victims is Parkinson Construction, a firm with $20 million in annual revenue that lost $92,000, nearly 0.5% of its annual revenue, simply because the owner of the firm clicked on email claiming to be from the Social Security Administration [xxviii].
- Loss of customer data
  Data breaches can result in the need to remediate them in expensive ways, such as notifying customers via postal mail that their data was lost, provision of credit reporting services to the victims for a year or longer, loss of future business, embarrassing press
  coverage and loss of goodwill. The Ponemon Institute has determined that the cost of a single data breach ranges from $98 in the United Kingdom to $204 in the United States [xxix].
- Loss of internal data
  Trade secrets, confidential information and other intellectual property can be lost as a result of poor security. These losses can occur across a wide range of venues and activities, including sensitive content that is mistakenly sent in an email or an unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive, or data that is taken home by employees and stored without any IT controls.
- Violation of statutes and compliance requirements
  If adequate security defenses are not maintained, organizations can run afoul of a wide variety of statutes that require data to be protected and retained. However, one study found that decision makers in one out of five organizations do not know which compliance laws apply to their organization [xxx]. A small sampling of these statutes, by no means an exhaustive list, includes the following:

  - The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements for protecting the security of consumers' and others' payment account information. It includes provisions for building and maintaining a secure network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information.
  - The Gramm-Leach-Bliley Act (GLBA) requires financial institutions that hold personal information to transmit and store this information in such a way that its integrity is not compromised. GLBA requires financial institutions to comply with a variety of Securities and Exchange Commission and NASD rules. A keystroke logger or cross-site scripting attack, for example, that permits sensitive financial data to be exposed to a third party could potentially violate GLBA.
  - The UK Data Protection Act imposes requirements on businesses operating in the United Kingdom to protect the security of the personal information they hold.
  - Japan's Personal Data Protection Law is designed to protect consumers' and employees' personal information. It includes provisions for ensuring the security and disclosure of databases that contain this information, among other requirements.
  - The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law that applies to all companies operating in Canada. Like many other privacy laws, it requires that personal information be stored and transmitted securely.
  - California's SB1386 (the Database Security Breach Notification Act) is a far reaching law that requires any holder of personal information about a California resident, regardless of where they are located, to notify each resident whose information may have been compromised in some way.

  Since California passed this groundbreaking data breach notification law, most other US states have passed similar laws. These laws require
  organizations to notify customers and others for whom sensitive data is held if their data is exposed to an unauthorized party, an expensive proposition in almost every case.
- Other issues
  There are a number of other problems that can occur from malware and other threats delivered via email, the Web, Web 2.0 applications and other capabilities, including:

  - Internet service outages, which can create serious problems for core business services such as email, collaboration, and cloud-based CRM systems. Related to these outages are the potential for data leakage, and lack of compliance with monitoring capabilities and archiving requirements when employees use personal Webmail systems to send corporate data.
  - Web sites being taken down for long periods in order to patch the code to eliminate an exploit.
  - The exposure of FTP and other login credentials to attackers and other cybercriminals.
  - The download of malware that can turn corporate and home-based computers into zombies used as part of a bot network.
  - Users downloading illegal content, such as copyrighted works or pornography using corporate assets. For example, a study published by Cisco ScanSafe found that the number of employees who had attempted to download MP3 files and illegally obtained software has recently increased [xxxi]. A BitDefender study found that 63% of users seeking pornography online had been infected with malware at least twice [xxxii].

What Should You Do to Address the Problem?

DEFINE WHAT YOU MUST DO

It may sound obvious, but IT and business decision makers must determine exactly what they must protect today, and what they can reasonably expect that they will need to protect over the next few years. For example, this list should include things like:

- On-premise, IT-deployed corporate email systems, smartphones, iPads and other capabilities from spam and malware.
- Threats introduced by employee devices that are brought into the workplace and that are used to access corporate resources. This should include iPads, personal smartphones, personal laptops, etc.
- Monitoring and/or preventing what leaves the organization via corporate email, personal Webmail, laptops, smartphones and other mobile devices, social media posts, flash drives, portable hard drives, etc. to protect against data loss. Consider how your data policies can be applied across all channels.

- Encryption of sensitive communications to remain in compliance with both regulatory requirements and best practices.
- Monitoring internal communications for sexually or racially offensive content, as well as sensitive information that could be stored on desktops, servers or other systems without appropriate access controls.
- Monitoring employees' activities when accessing corporate resources from personally owned devices when working from home or remotely.
- Archiving business records that should be retained. While archiving may not seem like a security issue per se, archiving systems should be considered along with spam- and malware-filtering systems because of the ramifications that each has on the other.
- Non-traditional security threats, such as confidential information that might be left on PCs at a hotel's business center. For example, a senior manager at a leading anti-virus company recently reported that he found the itinerary for a general's visit to a military installation on a hotel business center's PC.

DETERMINE WHAT NOT TO DO

As important as establishing what must be done is to establish what must not be done. For example, a blanket prohibition on the use of social media tools like Facebook or Twitter, or preventing users from employing personal Webmail systems at work can have negative ramifications on a number of levels. Employee morale may suffer as a result, as well as user productivity if employees are not permitted to use certain consumer-focused tools that can help them get their work done. Plus, employees will probably use these tools anyway unless IT imposes draconian controls that will most likely have the side effect of impairing employee productivity.

ESTABLISH DETAILED AND THOROUGH POLICIES

Any organization that seeks to protect their users, data and networks from Web-based threats must establish detailed and thorough policies about acceptable use of all of their online tools: email, instant messaging, Web 2.0 applications, collaboration tools, smartphones, flash drives and the Web itself. Successfully addressing these problems must start with an acknowledgement of the threat landscape and the corresponding policies about how tools will be used before technologies are deployed to address the problems.

Further, there must be buy-in across the organization in order for policies to be effective. For example, a policy against the use of social media tools may seriously impact a marketing department's effectiveness at building the corporate brand; similarly, not allowing the use of unauthorized file transfer tools may prevent users from sending large files to prospects or customers in a timely manner.

It is important to note that communication policies must be appropriate and not so broad as to prevent employees from participating in lawful activities. For example, the National Labor Relations Board has taken the position that policies focused on social media are appropriate to a point. However, corporate policies that prevent employees from discussing their employer on their own time, sharing comments about union organization, etc. may not be legal [xxxiii].

DEPLOY A MULTI-LAYERED, MULTI-LEVEL DEFENSE STRATEGY

It is also important to deploy a multi-layered, multi-level defense strategy. This is becoming increasingly critical as the network perimeter becomes less well defined over time as noted earlier. For example, a traditional security architecture had a clearly defined firewall that separated internal IT-managed resources from the outside world. However, the increasing use of personal devices that can connect as easily to a Starbucks Wi-Fi network as they can to a corporate network, Web 2.0 applications like Twitter, or employees using their personal smartphones to access corporate email on weekends means that the network perimeter is rapidly disappearing. This has made security a much more difficult proposition for IT decision makers, largely because there are so many more devices and data sources to protect.

Consequently, any organization should consider deploying:

- Email-based defenses that include anti-virus, anti-malware, anti-spam and DLP capabilities.
- Web content monitoring capabilities that include basic URL filtering, granular remediation capabilities that allow more sophisticated threat management, and real-time security capabilities that will determine if requests from users and applications comply with security policies.
- Integrated Web and email security as a way to defend against more sophisticated blended threats and reduce the cost of managing multiple systems.
- Endpoint capabilities that include anti-virus capabilities on client machines, removable media scanning capabilities, and protection for employees' personal, home-based platforms.
- Cloud-based threat intelligence, such as reputation services, that can determine if content is likely to be acceptable or unacceptable before it is delivered to the corporate network.
- Real-time monitoring and reporting capabilities that will provide visibility into employee activity in order to reduce overall risk exposure.
- Feedback loop systems that will enable community-watch defenses and reports on threats like spam and phishing attempts.
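An added example (not from the white paper or from any vendor it names) of the integrated email and Web check in the list above: the email gateway pulls the links out of a message and looks them up in the same reputation data the Web filter uses, so a blended threat is stopped before delivery. The reputation table, host names, verdict names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed reputation data. In a deployment this would be the reputation
# service that the Web filter already queries (an assumption of this example).
REPUTATION = {
    "malware-host.example": "malicious",
    "pills.example": "spam",
    "intranet.example": "trusted",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects href targets of <a> tags, which may differ from the visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_urls(msg):
    """Return the distinct URLs found in the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(text)
            urls.extend(collector.hrefs)
        else:
            urls.extend(URL_RE.findall(text))
    return list(dict.fromkeys(urls))  # de-duplicate, keep first-seen order


def host_reputation(host):
    """Look up a host and its parent domains; never match on the bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REPUTATION:
            return REPUTATION[candidate]
    return "unknown"


def gateway_verdict(raw_message):
    """Return (action, findings) for one raw RFC 5322 message."""
    findings = []
    for url in extract_urls(message_from_string(raw_message)):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed URL: nothing to look up
            host = ""
        findings.append((url, host_reputation(host)))
    verdicts = {rep for _, rep in findings}
    if "malicious" in verdicts:
        action = "quarantine"
    elif "spam" in verdicts:
        action = "tag-as-spam"
    else:
        action = "deliver"
    return action, findings


# Constructed sample: a blended threat with the same link in both MIME parts.
BLENDED = """\
From: billing@vendor.example
To: user@corp.example
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue: http://cdn.malware-host.example/invoice
--b1
Content-Type: text/html; charset="utf-8"

<p>Your invoice is overdue. <a href="http://cdn.malware-host.example/invoice">View invoice</a></p>
--b1--
"""

# Constructed sample: an internal message with a link to a trusted host.
CLEAN = """\
From: hr@corp.example
To: user@corp.example
Subject: Benefits page
Content-Type: text/plain; charset="utf-8"

The updated form is at https://hr.intranet.example/forms
"""

if __name__ == "__main__":
    for name, raw in (("blended", BLENDED), ("clean", CLEAN)):
        print(name, gateway_verdict(raw))
```

Unknown hosts are delivered here; a stricter policy could hold them for the real-time Web check instead.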
CONSIDER VARIOUS DELIVERY MODELS

There are a variety of ways in which messaging and Web security capabilities can be managed, including:

- Server-based systems
  On-premise solutions deployed at the server level, where most data typically resides, resolve many of the problems associated with client-side systems by allowing easier deployment and management capabilities, as well as the ability to more easily enforce corporate policies and changes through a centralized management interface.
- Gateway-based systems
  Gateway security stops threats at the earliest possible point in the on-premise infrastructure and is a best practice for organizations that manage on-premise defenses.

- Client-side systems
  Client-based systems, such as URL filtering tools, anti-virus tools, spyware blockers and the like provide useful capabilities and can be effective at preventing a variety of threats; client-side anti-virus tools, for example, are an important best practice for any organization to prevent malware from being introduced via flash drives or other local sources. It is important to note here that most traditional, consumer-oriented anti-virus products are client-based tools. Client-side capabilities can be relatively inexpensive and are often provided as part of desktop protection suites that include anti-virus, anti-spam and other capabilities.

  While client-side systems are effective in smaller organizations, they often do not scale well. They are time-consuming to install and update for large numbers of users and can be quite expensive to deploy in larger organizations. Centralized management and deployment capabilities are essential to cost-effectively install, update and enforce corporate policies using client-based systems, particularly for larger organizations.
- SaaS/cloud-based services
  SaaS and hosted services are increasing in popularity and offer another option for organizations to implement a variety of threat-protection capabilities. The primary advantages of this model are that no investments in infrastructure are required, up-front costs are minimal, ongoing costs are predictable, and all management and upgrades of the system are provided by the SaaS or cloud service.

  A potential disadvantage of SaaS or cloud services, particularly for Web traffic, is proxying all traffic to the host and addressing latency issues. Their costs can be higher than for on-premise systems in some situations, although they will not necessarily be more expensive. For example, SaaS vendors merely rent space on a server, providing a very inexpensive method for accessing software and infrastructure technologies. Although organizations may pay more to a SaaS or hosted security vendor than they would for an on-site solution, the value of the hosted infrastructure and administration provided by the third party vendor can provide a lower total cost of ownership in many cases.
- Managed services
  Managed services are similar in concept to hosted services, but a third party, either with staff on-site or via a remote service, manages the on-premise infrastructure, installs upgrades, updates signature files and the like. Costs can vary widely for managed services depending on the size of the organization, whether third-party management personnel are located on-premise or in the third party's data center, and other factors.
- Virtual appliances
  Another option, and one that is finding significant uptake in security applications, is the virtual appliance model: a pre-configured combination of a dedicated operating system and security software that runs in a virtualized environment. Advantages of the virtual appliance approach include the ease of deploying new capabilities, the ability to move virtual appliances from one physical server to another for purposes of maintenance or failover protection, very high availability, reduced power consumption and minimal IT staff time to manage.

Hybrid offerings

A newer approach that is increasingly offered by vendors is to combine on-premise infrastructure with hosted or cloud-based services. For example, a security vendor may provide a malware-filtering appliance on-site, but couple this with a hosted filtering service that acts as a sort of pre-filter; or they may rely on a hosted anti-virus service and desktop anti-virus tools. The fundamental advantage of this approach is that the on-premise infrastructure is protected from spikes and overall increases in the volume of malicious traffic over time, thereby preserving the on-premise investment and maintaining acceptable performance of messaging. A hybrid approach may also be deployed for Web security, where on-premise infrastructure is used to secure larger offices and cloud-based services are used to secure smaller sites where on-premise infrastructure is too expensive to support.

Enterprises still prefer in-house over hosted solutions, although this is changing over time. Hosted solutions tend to be more accepted in small- to medium-sized businesses with less developed IT staff and fewer resources. These organizations often need external expertise and can benefit from the CAPEX and OPEX savings of cloud solutions. Similarly, appliances also tend to offer the SMB the convenience of an integrated solution.

Larger organizations tend to have well-staffed IT departments, and so gain less from the benefits of appliances, unless those appliances are for remote or branch locations where there may be a lack of local expertise. Plus, large organizations tend to have extra server hardware enabling them to realize the CAPEX cost savings afforded by service providers. Evidence to this point is the popularity of in-house managed server software. Given the size of their requirements, large organizations can also justify internal personnel and so may not realize the OPEX savings of cloud services.

Having said that, while large organizations may not have been the ideal play for cloud service providers in the past, the market is definitely shifting.
As IT continues to downsize and outsource, cloud providers are gaining traction in larger organizations precisely because of the savings they can offer. This is particularly true when the buy discussion is conducted at the CIO level.

When evaluating security capabilities, it is important to keep in mind three key questions:

Will there be the resources available to continually maintain the infrastructure, either through IT staff continually updating capabilities or via an automated update process? If not, anti-malware and anti-spam capabilities can become outdated and leave organizations more vulnerable to infiltration by unwanted and damaging content.

Related to the question above, will the in-house personnel have the training and time available to manage the infrastructure? This is a particularly important consideration for SMBs that may lack the personnel, training or time to properly manage the security infrastructure. Organizations whose IT staff may consist of a few hours per week from the office manager can end up with security capabilities that are not properly configured because they are simply too complex not to be managed by a full-time IT staff member.

Organizations need to consider the cost of managing multiple layers of defense and multiple delivery models. Do IT resources exist to manage everything? If not, consider solutions that consolidate security capabilities, as well as delivery models.

Sponsor of This White Paper

Websense
Sorrento Valley Road
San Diego, CA USA

Websense, Inc., a global leader in unified Web, data and content security solutions, delivers the best security for modern threats at the lowest total cost of ownership to tens of thousands of enterprise, midmarket and small organizations around the world. Distributed through a global network of channel partners and delivered as software, appliance and software-as-a-service (SaaS), Websense content security solutions help organizations leverage new communication, collaboration and Web 2.0 business tools while protecting from advanced persistent threats, preventing the loss of confidential information and enforcing Internet use and security policies.

2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

i. Symantec.cloud MessageLabs January 2011 Intelligence Report
ii.
iii.
iv.
v. Websense 2010 Threat Report
vi. Messaging and Web Security Market Trends, , Osterman Research, Inc.
vii. Messaging, Web and IM Security Market Trends, , Osterman Research, Inc.
viii.
ix. Symantec.cloud MessageLabs January 2011 Intelligence Report
x. RSSfeed_IWK_News
xi. Websense 2010 Threat Report
xii.
xiii. Mobile Messaging Market Trends, , Osterman Research, Inc.
xiv.
xv. Websense 2010 Threat Report
xvi.
xvii.
xviii.
xix. Websense 2010 Threat Report
xx. U.S. Digital Year in Review 2010, comScore
xxi. U.S. Digital Year in Review 2010, comScore
xxii. U.S. Digital Year in Review 2010, comScore
xxiii. Microsoft Security Intelligence Report, Volume 9, January through June 2010
xxiv.
xxv. Koobface: Inside a Crimeware Network, November 12, 2010
xxvi. Websense 2010 Threat Report
xxvii. Messaging and Web Security Market Trends, , Osterman Research, Inc.
xxviii.
xxix. Five Countries: Cost of a Data Breach, Ponemon Institute LLC
xxx. Source: Webroot Software, Inc.
xxxi. Illegal internet downloads at work skyrocket, IT Pro, January 13, 2010
xxxii.
xxxiii. How to Stay on the NLRB's "Friends" List, Bullivant Houser Bailey PC


WHITE PAPER SPON. Evaluating Managed File Transfer in the Cloud: What You Need to Know. Published October 2012 SPONSORED BY WHITE PAPER N Transfer in the Clud: What Yu Need t Knw An Osterman Research White Paper Published Octber 2012 SPONSORED BY SPON spnsred by spnsred by! Osterman Research, Inc. P.O. Bx 1058 Black Diamnd,

More information

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy

WHAT YOU NEED TO KNOW ABOUT. Protecting your Privacy WHAT YOU NEED TO KNOW ABOUT Prtecting yur Privacy YOUR PRIVACY IS OUR PRIORITY Credit unins have a histry f respecting the privacy f ur members and custmers. Yur Bard f Directrs has adpted the Credit Unin

More information

PRIVACY POLICY Last revised: April 2015

PRIVACY POLICY Last revised: April 2015 PRIVACY POLICY Last revised: April 2015 ACD, LLC, and its affiliates (cllectively, we, us, ur ) understand that privacy is imprtant t ur cnsumers and want yu t make knwledgeable decisins abut the infrmatin

More information

How Does Cloud Computing Work?

How Does Cloud Computing Work? Hw Des Clud Cmputing Wrk? Carl Mazzanti, CEO, emazzanti Technlgies IT Supprt and Clud Cmputing Services fr Small Business Hbken, NJ and NYC, 201-360- 4400 Owner [Pick the date] Hw des Clud Cmputing Wrk?

More information

WHITE PAPER SPON. Archiving 2.0: What Can You Do Next? Published February 2015 SPONSORED BY. An Osterman Research White Paper.

WHITE PAPER SPON. Archiving 2.0: What Can You Do Next? Published February 2015 SPONSORED BY. An Osterman Research White Paper. WHITE PAPER N Archiving 2.0: What Can Yu D An Osterman Research White Paper Published February 2015 SPONSORED BY SPON spnsred by spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn

More information

WEB APPLICATION SECURITY TESTING

WEB APPLICATION SECURITY TESTING WEB APPLICATION SECURITY TESTING Cpyright 2012 ps_testware 1/7 Intrductin Nwadays every rganizatin faces the threat f attacks n web applicatins. Research shws that mre than half f all data breaches are

More information

Research Report. Abstract: The Emerging Intersection Between Big Data and Security Analytics. November 2012

Research Report. Abstract: The Emerging Intersection Between Big Data and Security Analytics. November 2012 Research Reprt Abstract: The Emerging Intersectin Between Big Data and Security Analytics By Jn Oltsik, Senir Principal Analyst With Jennifer Gahm Nvember 2012 2012 by The Enterprise Strategy Grup, Inc.

More information

Integrating With incontact dbprovider & Screen Pops

Integrating With incontact dbprovider & Screen Pops Integrating With incntact dbprvider & Screen Pps incntact has tw primary pints f integratin. The first pint is between the incntact IVR (script) platfrm and the custmer s crprate database. The secnd pint

More information

Solution Brief. Aerohive and Impulse. Powerful Network Security for Education and Enterprise

Solution Brief. Aerohive and Impulse. Powerful Network Security for Education and Enterprise Slutin Brief Aerhive and Impulse Pwerful Netwrk Security fr Educatin and Enterprise Aerhive and Impulse Intrductin In tday s highly cnnected rganizatins, end users expect secure Wi-Fi access acrss the

More information

AML Internet Manor Court, Manor Farm House, London Road, Derby, Derbyshire, DE72 2GR. Tel: 01332 650 009 Fax: 01332 650 850 Email:

AML Internet Manor Court, Manor Farm House, London Road, Derby, Derbyshire, DE72 2GR. Tel: 01332 650 009 Fax: 01332 650 850 Email: AML Internet Manr Curt, Manr Farm Huse, Lndn Rad, Derby, Derbyshire, DE72 2GR. Tel: 01332 650 009 Fax: 01332 650 850 Email: Backup@AmlInternet.c.uk Cntents Page Situatin Analysis 3 AML Internet - The Slutin

More information

FundingEdge. Guide to Business Cash Advance & Bank Statement Loan Programs

FundingEdge. Guide to Business Cash Advance & Bank Statement Loan Programs Guide t Business Cash Advance & Bank Statement Lan Prgrams Cash Advances: $2,500 - $1,000,000 Business Bank Statement Lans: $5,000 - $500,000 Canada Cash Advances: $5,000 - $500,000 (must have 9 mnths

More information

Serv-U Distributed Architecture Guide

Serv-U Distributed Architecture Guide Serv-U Distributed Architecture Guide Hrizntal Scaling and Applicatin Tiering fr High Availability, Security, and Perfrmance Serv-U Distributed Architecture Guide v14.0.1.0 Page 1 f 16 Intrductin Serv-U

More information

Service Level Agreement (SLA) Hosted Products. Netop Business Solutions A/S

Service Level Agreement (SLA) Hosted Products. Netop Business Solutions A/S Service Level Agreement (SLA) Hsted Prducts Netp Business Slutins A/S Cntents 1 Service Level Agreement... 3 2 Supprt Services... 3 3 Incident Management... 3 3.1 Requesting service r submitting incidents...

More information

AuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit

AuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit AuditNet Survey f Bring yur wn Device (BYOD) - Cntrl, Risk and Audit The pace f technlgy mves much faster than managers and auditrs can understand and react, with updated plicies, prcedures and cntrls.

More information

WHITE PAPER PON SPON. Key Issues to Consider in Mobile Device Management. Published May 2011 SPONSORED BY. An Osterman Research White Paper

WHITE PAPER PON SPON. Key Issues to Consider in Mobile Device Management. Published May 2011 SPONSORED BY. An Osterman Research White Paper WHITE PAPER PON Key Issues t Cnsider in Mbile Device Management An Osterman Research White Paper Published May 2011 SPONSORED BY SPON spnsred by spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd,

More information

Economic Value Validation Summary MAY 2012. 2012. Enterprise Strategy Group, Inc. All Rights Reserved.

Economic Value Validation Summary MAY 2012. 2012. Enterprise Strategy Group, Inc. All Rights Reserved. Ecnmic Value Validatin Summary Bx Online File Sharing & C llabr atin f r Enterprise IT MAY 2012 2012. Enterprise Strategy Grup, Inc. All Rights Reserved. EVV REPORT: Bx Online File Sharing & Cllabratin

More information

SBClient and Microsoft Windows Terminal Server (Including Citrix Server)

SBClient and Microsoft Windows Terminal Server (Including Citrix Server) SBClient and Micrsft Windws Terminal Server (Including Citrix Server) Cntents 1. Intrductin 2. SBClient Cmpatibility Infrmatin 3. SBClient Terminal Server Installatin Instructins 4. Reslving Perfrmance

More information

CLOUD COMPUTING: SECURITY THREATS AND MECHANISM

CLOUD COMPUTING: SECURITY THREATS AND MECHANISM CLOUD COMPUTING: SECURITY THREATS AND MECHANISM Vaishali Jshi 1, Lakshmi 2, Vivek Gupta 3 1,2,3 Department f Cmputer Science Engineering, Acrplis Technical Campus, Indre ABSTRACT Clud cmputing is a mdel

More information

Password Reset for Remote Users

Password Reset for Remote Users 1 Passwrd Reset fr Remte Users Curin prvides a cmpnent fr the PasswrdCurier Passwrd Prvisining System that manages the lcal passwrd cache in cnjunctin with self-service passwrd reset activities. The slutin

More information

Internet and Social Media Solicitations: Wise Giving Tips

Internet and Social Media Solicitations: Wise Giving Tips Internet and Scial Media Slicitatins: Wise Giving Tips Charities use a wide variety f methds t slicit charitable dnatins. New and pwerful technlgies utilize nt just the internet and email, but als scial

More information

Osterman Research User Guides

Osterman Research User Guides Osterman Research User Guides Hw t Evaluate and Chse a Messaging Archival Slutin 2006 Editin Osterman Research, Cntural and RITE Chice have published a user guide that will help rganizatins f all sizes

More information

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities PCI - Why Yu Need t be Cmpliant When Accepting Credit Card Payments Tuesday, March 27, 2012 Agenda Breach Events & Cmmnalities Evlutin f PCI PCI Requirements Risks f Nn-cmpliance Industry Initiatives t

More information

Cloud Services MDM. Windows 8 User Guide

Cloud Services MDM. Windows 8 User Guide Clud Services MDM Windws 8 User Guide 10/24/2014 CONTENTS Overview... 2 Supprted Devices... 2 System Capabilities... 2 Enrllment and Activatin... 3 Prcess Overview... 3 Verify Prerequisites... 3 Dwnlad

More information

Welcome to Remote Access Services (RAS)

Welcome to Remote Access Services (RAS) Welcme t Remte Access Services (RAS) Our gal is t prvide yu with seamless access t the TD netwrk, including the TD intranet site, yur applicatins and files, and ther imprtant wrk resurces -- whether yu

More information

Mobilizing Healthcare Staff with Cloud Services

Mobilizing Healthcare Staff with Cloud Services Mbilizing Healthcare Staff with Clud Services Published May 2012 Mbile Technlgies are changing hw healthcare staff delivers care. With new pwerful integrated slutins available fr the healthcare staff,

More information