ENABLING FAST RESPONSES THREAT MONITORING

Transcription

1 ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING

2 Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger, more hands-on role in web security than ever before. To combat today s cybercriminals, IT managers need to gain insight into advanced threats and improve their responsiveness to the threats that most current defenses are missing. They need a tool that can provide visibility into infected systems, blended attacks, call-home communications, data exfiltration and other advanced threats via network threat monitoring and file sandboxing and such a tool needs to generate actionable data in ready-to-use dashboards and reports. Websense TRITON RiskVision is an unmatched threat monitoring solution. It combines real-time advanced threat defenses, global security intelligence, file sandboxing and data loss/data theft detection into a single appliance that is easy to deploy via a network TAP or SPAN port. TRITON RiskVision provides immediate visibility into advanced threats, data exfiltration and infected systems by unifying four key defenses into one platform: Websense ACE (Advanced Classification Engine) Websense ThreatSeeker Intelligence Cloud Websense Data Loss Prevention (DLP) Engine Websense Web File Sandboxing (ThreatScope) Websense TRITON ThreatScope TRITON RiskVision also includes robust business reporting, threat dashboards and forensic reporting. The Need for Network/Threat Monitoring An Invisibly Enemy Is Impossible to Fight The Websense 2013 Threat Report reveals a disturbing trend: the web became significantly more malicious in 2012, both as an attack vector and as the primary support element of other attack trajectories (e.g., social, mobile, ). Websense recorded a nearly six-fold increase in malicious sites overall, 85 percent of which were found on legitimate web hosts that had been compromised. More alarming were security executives reporting most threats were bypassing their traditional controls, and they feel unprepared to meet emerging threats such as spearphishing. This growth in threats and malicious web content has created a growing market for threat analysis, and stands in stark contrast to the decreasing effectiveness of most web security solutions deployed today. Industry analysts estimate traditional security defense technologies only protect against percent of today s threats, making them increasingly ineffective. Signature generation and traditional defenses simply can t keep up with the growth of new threats and advanced attacks. To take appropriate countermeasures, IT departments need the ability to see advanced threats and attacks that are invisible to their current defenses. Network and threat monitoring solutions can provide such a solution as long as they meet three key requirements: Advanced Threat Detection Data Theft or Data Loss Detection Forensic and Behavioral Analysis Key Requirement 1: Advanced Threat Detection Most current web security solutions provide signaturebased anti-virus (AV) or URL database defenses, with no additional analysis. The problem is the worldwide increase in threats makes the development 1

3 of effective signatures and databases almost impossible, leaving organizations vulnerable to attacks by advanced threats that don t have a signature. Dynamic redirects, exploit kits or other innovative technologies deployed by hackers can therefore escape notice and easily find their way into corporate networks. The abilities to see these threats and respond to them efficiently are crucial for today s IT professional. Web traffic requires analysis with powerful analytics that can expose previously invisible threats. Key Requirement 2: Data Theft or Data Loss Detection The question is not if an attacker will break through a network s defenses, but when. Once inside a network, most attackers are looking to steal valuable data. Unfortunately, most web security defenses today are focused only on inbound threats, and unable to effectively combat or even alert IT professionals of outbound data theft. with malware in a safe environment to see how it would behave in a company s network is quickly becoming a key requirement for many IT professionals. A solution that incorporates file sandboxing, and does so automatically, can offer security teams valuable insights about potential remedies. Introducing Websense TRITON RiskVision TRITON RiskVision combines realtime advanced threat defenses, global security intelligence, file sandboxing and data loss/ data theft detection into a single appliance. Easily deployed via a network TAP or SPAN port, it provides immediate visibility into advanced threats, data exfiltration and infected systems by unifying four key defenses into one The ability to detect suspicious activity or data theft as it happens provides IT departments with extremely valuable actionable insights into threat levels. platform: Websense ACE (Advanced Classification Engine) uses seven defense assessment areas with over 10,000 analytics to provide real-time threat analysis of web traffic. Websense ThreatSeeker Intelligence Cloud unites over 900 million endpoints and analyzes 3-5 billion requests per day, providing global threat... The ability to detect suspicious activity or data theft as it happens provides IT departments with extremely valuable actionable insights into threat levels. Advanced Threat Defenses Global Threat Intelligence File/Object Sandboxing Data Loss/Theft Detection WWW Key Requirement 3: Forensic and Behavioral Analysis File sandboxing the ability to play Figure 1: Four key technologies set apart TRITON RiskVision from competitors. 2 Market Analysis: Worldwide Specialized Threat Analysis and Protection: Forecast and 2012 Vendor Shares. IDC #242346, Volume 1, p. 13. August

4 awareness and vital defense analytics to ACE. The Websense data loss prevention (DLP) engine is recognized by analysts as an industry leader. It includes geo-location destination awareness and OCR of text within images, and detection of: data exfiltration for registered and described data; criminal-encrypted uploads; password file data theft; and slow data leaks. Websense TRITON ThreatScope online sandbox analyzes behavior of web files to uncover advanced threats and communications and provides forensic reporting. TRITON RiskVision Core Technologies Websense ACE Labs, provides the core collective security intelligence for TRITON RiskVision. It unites more than 900 million endpoints, including inputs from Facebook. In conjunction with ACE, ThreakSeeker Intelligence Cloud analyzes 3-5 billion requests per day. This expansive awareness of security threats enables ThreatSeeker Intelligence Cloud to offer real-time security updates that detect advanced threats, malware, phishing attacks, lures and scams, and provide the latest web ratings. ThreatSeeker Intelligence Cloud is unmatched in size and in its use of ACE real-time defenses to analyze collective inputs. Websense DICE (Data Identification and Classification Engine) Websense DICE combines rich classifiers with real-time contextual awareness of user, data and destination to provide high accuracy and consistent DLP for TRITON RiskVision. DICE supports three data categories: described, registered and learned. Figure 2: Third-party research proves ACE detects more threats than other technologies. ACE is the primary defense behind TRITON RiskVision, providing realtime, inline, contextual defenses for web, , data and mobile security by using composite risk scoring and predictive analytics to deliver the most effective detection capabilities available. It analyzes inbound and outbound traffic with data-aware defenses for data theft protection. Classifiers for real-time security, data and content analysis enable ACE to detect more threats than traditional anti-virus engines every day. ACE is supported by the ThreatSeeker Intelligence Cloud. Websense ThreatSeeker Intelligence Cloud ThreatSeeker Intelligence Cloud, managed by Websense Security Described data includes regular expressions, dictionaries, natural language classifiers and over 1700 policies and templates. Registered data includes fingerprinting, which can be compressed and stored on the endpoint for off-network protection. Learned data is enabled by advanced machine learning 4 Gartner Names Websense a Leader in the Magic Quadrant for Content-Aware Data Loss Prevention 5 The proof is updated daily at securitylabs.websense.com

5 technology that analyzes small samples of data to fill the gap between described and registered data for higher accuracy and efficiency. Data theft protection capabilities include OCR of text within images; detection of custom encrypted files, password file theft and slow data leaks; and geo-location awareness. File Sandboxing The file sandboxing capability of TRITON RiskVision is provided by the TRITON ThreatScope sandboxing solution. Using ACE analytics, TRITON ThreatScope monitors all malware activity and generates a detailed report including: The infection process. Post-infection activities including network communications. System-level events and processes. TRITON ThreatScope also correlates observed behavior with known threats to provide valuable information for even zero-day threats. Using TRITON RiskVision Policy Setting TRITON RiskVision enables unified web policy creation and management with the ability to control inbound and outbound security, advanced URL monitoring, and over 125 network applications and protocols. Security threats are grouped in different categories, such as phishing or bot networks. The real-time security scanning engine inside ACE goes beyond traditional AV analysis to identify script-based and other advanced attacks against web browsers and vulnerable applications. Figure 3: Policy creation is easy and intuitive with TRITON RiskVision.

6 Advanced Threat Dashboard with Forensic Reporting The TRITON RiskVision Advanced Threat Dashboard is organized in four tabs: Threats, Risks, Web Usage and Systems. The Threats tab presents front bumper visibility into the inbound and outbound advanced malware events that were detected, such as who was attacked, how, where the attack was destined, and what data was targeted. This provides actionable forensic data that allows users to quickly understand threat severity and take appropriate remediation steps. Severity alerts gauge the severity of each incident and enable users to separate critical events from less important ones. This dashboard displays the top events by geo-location, blocked events by categories and a tabular listing of events with details including severity, user, hostname, security category and other information. (This table is easily customizable as well.) Altogether, the Threats dashboard provides clear actionable information about malware incidents and guidance on possible remediation steps. The Risks tab displays a number of charts that provide different views of the security events. The Web Usage tab provides various charts and information on web activities, as well as a summary of policy monitoring results. The Systems tab provides a centralized view of system health events and monitoring service status. Figure 4: The advanced threat dashboard provides answers to who was impacted, where the data was destined to go, what data was impacted, and how the attacked was planned. It also links to forensic details.

7 Data Loss Prevention (DLP) Engine TRITON RiskVision includes DICE, a built-in enterprise-class DLP engine for monitoring and controlling communication of sensitive corporate data. This web DLP capability is managed through the TRITON Unified Security Center. Extensive policy wizards provide a prescription for implementing best practice compliance controls for a wide range of regulations worldwide by country and industry, and offers over 1,700 policies and templates kept current by Websense. Predefined data patterns deliver best-in-class accuracy without the need to manually craft and tune patterns with keywords or regular expressions. TRITON RiskVision also includes the latest data theft technologies, such as OCR for detecting data theft through images containing sensitive data. Other advanced capabilities include the detection of custom encrypted uploads, password file data theft, and slow data loss prevention (or Drip DLP), and awareness of geo-location destination. All of these DLP defenses are aimed at providing the greatest possible insight into data theft attempts or data loss. File Sandboxing Analysis The file sandbox included in TRITON RiskVision emulates typical endpoint environments. Files are executed just as they would in an actual victim s environment, providing the IT professional valuable feedback on system vulnerabilities. The behavioral analysis includes pre- and post-infection activity such as communications for botnet, data theft and other activities. Figure 4: The ThreatScope Analysis Report shows results of behavioral analysis in an easy-to-read format.

8 Reporting and Alerts TRITON RiskVision provides more than 60 predefined reports covering the full range of business and technical information. New reports can be generated and delivered with just a few clicks, and automatically generated and distributed. Customizable chart formats make it easy to communicate important information on workforce behavior to non-technical business stakeholders. To complement the presentation reports capabilities, investigative reports deliver detailed information for forensic analysis of an attack or policy violation. These also support ad hoc reporting for customers requiring special information. Customizable alerts can be set up to notify administrators about suspicious activity. These alerts can be a valuable tool for quickly addressing any threats detected in the network. Figure 7: Administrators can select to receive alerts via . This example shows an alert about a possible slow data leak.

9 Conclusion Faced with an evolving threat landscape, most existing web security solutions only protect against threats known to signature databases, leaving many unknown and invisible threats free to steal sensitive data or cause other damage. Visibility into previously unknown threats is crucial to harden network security and respond to attacks. TRITON RiskVision provides valuable insight into advanced threats with industry-leading technology and features. It enables IT professionals to respond to advanced threats and data theft attempts in a timely manner. Four key defense areas set TRITON RiskVision apart from network monitoring solutions. These technologies provide advanced threat detection, global threat awareness, built-in DLP functionality and file sandboxing services. To learn more about threat monitoring or the TRITON RiskVision solution, please visit TRITON STOPS MORE THREATS. WE CAN PROVE IT. Learn More at [email protected] 2013 Websense, Inc. All rights reserved. Websense, TRITON and the Websense logo are registered trademarks of Websense, Inc. in the United States and various countries. All other trademarks are the properties of their respective owners EN