Context Adaptive Scanning Engine: Protecting Against the Broadest Range of Blended Threats



Similar documents
The Latest Internet Threats to Affect Your Organisation. Tom Gillis SVP Worldwide Marketing IronPort Systems, Inc.

IronPort C300 for Medium-Sized Enterprises and Satellite Offices

Emerging Trends in Fighting Spam

Recurrent Patterns Detection Technology. White Paper

IronPort C350 for Medium-Sized Enterprises and Satellite Offices

IT Sicherheit im Web 2.0 Zeitalter

IronPort C-Series Overview High performance security appliances. Carrier-proven technology, enterprise-class management.

Ipswitch IMail Server with Integrated Technology

Cisco IronPort C370 for Medium-Sized Enterprises and Satellite Offices

Intercept Anti-Spam Quick Start Guide

Comprehensive Filtering. Whitepaper

IronPort C10 for Small and Medium Businesses

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

IronPort C650 Security Appliance for Large Enterprises and ISPs

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Security

IronPort X1000 Security System

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Cisco Security Intelligence Operations

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

IronPort M-Series Security Management Appliance

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Cisco Reputation Filtering: Providing New Levels of Network Security. Solution Overview

Trend Micro Hosted Security Stop Spam. Save Time.

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.

Trend Micro Hosted Security Stop Spam. Save Time.

Cisco RSA Announcement Update

Spear Phishing Attacks Why They are Successful and How to Stop Them

IBM Lotus Protector for Mail Security 2.5. Empower users and extend your IBM Lotus Notes and Lotus Domino security features

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Cisco IronPort X1070 Security System

Commtouch RPD Technology. Network Based Protection Against -Borne Threats

IronPort X1060 Security System

Cisco IronPort C670 for Large Enterprises and ISPs

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

GFI Product Comparison. GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.0

CYBEROAM UTM s. Outbound Spam Protection Subscription for Service Providers. Securing You. Our Products.

Comprehensive Filtering: Barracuda Spam Firewall Safeguards Legitimate

Symantec Security.cloud - Skeptic Whitepaper

Defending Against. Phishing Attacks

Stop Spam. Save Time.

Anti-Phishing Best Practices for ISPs and Mailbox Providers

The spam economy: the convergent spam and virus threats

How To Protect Your Network From A Web Based Attack

IronPort Plug-in for Outlook VERSION 1.8 ADMINISTRATOR GUIDE

Top tips for improved network security

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Proactively protecting your messaging infrastructure with the IBM Lotus Protector for Mail Security solution.

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

GFI Product Comparison. GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

Migration Project Plan for Cisco Cloud Security

GFI Product Comparison. GFI MailEssentials vs Barracuda Spam Firewall

Antispam Security Best Practices

Symantec Protection Suite Add-On for Hosted and Web Security

LastSpam is unique in the marketplace, due to its service-based approach to real-time protection.

An Overview of Spam Blocking Techniques

Stopping zombies, botnets and other - and web-borne threats

Firewall and UTM Solutions Guide

Get Started Guide - PC Tools Internet Security

Next Generation IPS and Reputation Services

WEBSENSE SECURITY SOLUTIONS OVERVIEW

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Putting Web Threat Protection and Content Filtering in the Cloud

IronPort Authentication

Comprehensive Anti-Spam Service

isheriff CLOUD SECURITY

Mailwall Remote Features Tour Datasheet

An Advanced Reputation Management Approach to Stopping Emerging Threats

WATCHGUARD IRONPORT KEY SALES PITCH TRUTH BEHIND THE PITCH

STPIC/Admin/002/ / Date: Sub: Quotation for purchase/renewal of Anti Virus Software Reg.

The Next Step in Outbound Protection. By Robert Mannal, CIPP, CISSP

Pattern-based Messaging Security for Hosting Providers

Securing the Small Business Network. Keeping up with the changing threat landscape

Fighting Advanced Threats

Attachment spam the latest trend

Cisco Cloud Security Interoperability with Microsoft Office 365

Transcription:

Context Adaptive Scanning Engine: Protecting Against the Broadest Range of Blended Threats W h i t e P a p e r Executive Summary The email and Web security problem can no longer be addressed by point solutions that focus on catching just spam or just viruses. Table of Contents 1 Executive Summary 2 Introduction 3 Detecting Blended Threats in Context 5 CASE in Action 7 High Performance, Low Cost 8 Summary Spam, viruses, phishing, spyware, and denial of service attacks are blending together. This evolution is being propelled by attackers efforts to shift their tactics and maximize their own profits. Individuals, and even cer tain corporations, are making money by using the unscrupulous, yet effective techniques of spam and spyware, to sell products and profit by defrauding unsuspecting victims. IronPort s Context Adaptive Scanning Engine (known as CASE) is a unique threat defense technology that detects and protects against blended threats. Today s malware uses advanced obfuscation techniques, which require a state of the art filter to examine incoming mail in its full context. IronPort s CASE is an advanced scanning technology that emulates the logic used by a human to evaluate the legitimacy of a message. D O C R E V 0 2. 0 8 1

INTRODUCTION The increase in the volume of blended threats has been dramatic. Many of the largest virus outbreaks in the past two years have been associated with spam delivery meaning the virus payload creates an army of zombie computers that are used to send spam, phishing, spyware, and even more viruses. Email-borne spyware has been doubling every six months, and it is not uncommon for spammed URLs to install keyloggers that steal usernames and passwords. Viruses can even be used to create a network of zombies to launch a massive distributed denial of service attack, such as when the Mydoom.B variant took SCO s website offline with a coordinated assault. What is driving the sudden increase in blended threats? In short, it s the money. As first generation anti-spam techniques (like blacklists and content filters) have been more widely deployed, traditional techniques (like sending spam from a fixed bank of servers containing an offer in the text of the message) have become less profitable. With more networks using some form of anti-spam technology, fewer "simple" spam messages make it past spam filters and into the recipient s inbox. This hurts spammers profit margins and has forced them to adapt to these changes. Spammers handled this situation in two distinct ways: 1. Sending even more spam with the hope that what they lose in delivery rates, they will make up in volume. 2. Turning to blended attacks to disguise their messages and increase their profit per message. The second technique often becomes a criminal activity. In fact, organized crime networks have been established to execute attacks and profit from viruses, phishing, and other threats. In 2004, an individual named John Dover was arrested after trading over two million credit card numbers, which were stolen through phishing attacks. The techniques used in blended attacks have also become increasingly sophisticated. The Sober.N virus employed email, Web downloads, Trojans, and zombies. Traditional content analysis filters are no match for these intelligent threats. Many users of first generation anti-spam filters have found that they need to spend increasing hours training their filters or writing new rules. However, in spite of these efforts, their catch rate and throughput are both declining. The result is that costs escalate as more systems are required to keep up with the load, while more administration time is used to manage each system. IronPort has addressed these threats with a unique blended threat defense technology known as CASE Context Adaptive Scanning Engine. IronPort s CASE technology is used to stop both traditional spam and sophisticated 2

zombie-based attacks. This same scanning technology is also used to stop viruses and malware as much as 42 hours ahead of signature availability with a single unified scan for efficiency. DETECTING BLENDED THREATS IN CONTEXT First generation filters were designed to look at the content of a message and make a determination. For example, if the word free appeared in a message more than twice, along with the word herbal, then it was probably spam. This approach is relatively easy for spammers to defeat by using hidden characters or numbers instead of letters, such as f0r y0u in place of for you. Second generation techniques, like Bayesian Filters, attempted to deal with this limitation by learning to automatically differentiate the characteristics of spam and legitimate email. But these techniques proved too difficult to train, too late to react, and too slow to scan. Given the advanced obfuscation techniques used with today s spam, state of the art filters need to examine incoming mail in its full context. The CASE uses advanced machine learning techniques that emulate the logic used by a human that is evaluating the legitimacy of a message. A human reader, as well as IronPor t's CASE technology, asks four basic questions: 1. Who sent me the message? 2. Where do the links in the message take me? 3. How was the message constructed? 4. What does the message contain? To follow, is an examination of each logical area evaluated. Who? As stated earlier, first generation spam filters relied primarily on key word searches to identify spam. In 2003, IronPor t revolutionized the email security industry by introducing the concept of reputation filtering. While content filtering asked the question, What is in the message?, reputation filtering asks the question, Who sent the message?. This simple but powerful concept broadened the context by which threats are evaluated. By 2005, nearly every major commercial security vendor had adopted some type of reputation system. Determining reputation involves examining a wide set of data about the behavior of a given sender (a sender is defined as an IP address sending mail). IronPort examines over 120 different parameters, including email volume over time, number of spamtraps hit by this IP, country of origin, whether the host is compromised, and many more. IronPort has a team of statisticians that develop and maintain algorithms, which process this data to generate a reputation score. This reputation score is then made available to the 3

receiving IronPort appliance, which can then throttle a sender based on their trustworthiness. In short the more spammy a sender appears, the slower it goes. Reputation filtering also addresses the problems associated with surging email volumes by either rejecting or throttling connections before the message is even accepted, thus dramatically improving the performance and availability of the mail system. IronPort Reputation Filters stop more than 80 percent of incoming spam, approximately twice the catch rate of competing systems. Where? While the combination of email content analysis and reputation was state of the art in 2003, the sophistication of spammer's and virus writer s tactics continues to grow. In response, IronPort has introduced the notion of Web reputation an important new vector to broaden the context in which a message is evaluated. Similar to the approach used in calculating an email s reputation, IronPort Web Reputation looks at more than 45 server related parameters to assess the reputation of any given URL. The parameters include: the volume of HTTP requests to the URL over time, whether the URL is hosted on an IP address with a poor reputation score, whether this URL is associated with a known zombie or infected PC host, and the age of the domain used by the URL. As with email reputation, this Web reputation is measured using a granular score which allows the system to deal with the ambiguities of sophisticated threats. How? Another novel approach of IronPort s contextual analysis is to examine the construction of a message. Legitimate mail clients, such as Microsoft Outlook, construct messages in unique ways using MIME encoding, HTML or other similar means. An examination of the construction of a message can reveal a great deal about its legitimacy. A most telling example of this occurs when a spam server tries to emulate a legitimate mail client s construction. This is difficult to do and an imperfect emulation is a very strong indicator of an illegitimate message. What? A full contextual analysis needs to consider the content of a message, but, as noted earlier, content analysis alone is not a sufficient approach to identifying illegitimate mail. IronPort's CASE technology performs full content analysis, using state of the art machine learning techniques. These techniques examine the content of the message and score it in various categories is it financial in nature, pornographic, or does it contain content that is known to correlate with other spam? This content analysis is factored 4

into the CASE along with the other attributes the Who, Where, How, and What to evaluate the full context of the message. A summary of these four techniques is provided in Figure 1. Figure 1: IronPort's Technology Goes Far Beyond Competitive Solutions IronPort Innovates with Web Reputation IronPort Anti-Spam Competitive Solutions What? Message Content What content is included in this message? How? Message Structure How was this message constructed? Who? SMTP Reputation Who is sending you this message? Where? HTTP Reputation Where does the call to action take you? CASE IN ACTION Because of the breadth of data analyzed by IronPort s CASE, the technology is used in a variety of security applications including IronPort Anti-Spam, IronPort Virus Outbreak Filters, and future filtering applications from IronPort. Figure 2 highlights how CASE technology is used to stop spam. The content of the message is nearly identical to the organization getting phished, so content analysis of the message would not identify any threats. To content-based filters, this message appears to be a legitimate communication. Filters that rely primarily on the What, to determine whether or not this message is spam, could easily be fooled into recognizing the message as legitimate. However, an analysis of the full context of the message paints a different picture. The IP address of the sending mail server is suspicious it has had a sudden surge in volume and the domain does not accept mail in return. The URL of the email points to a server that appears to be in a consumer broadband network. The URL advertised in the message is different from the actual URL that the user is navigated to when clicking on the link. When all three of these factors are considered in context, it becomes clear that this is not a legitimate message, but is in fact a spam attack. 5

QuickTime and a decompressor QuickTime and a are needed to decompressor see this picture. are needed to see this picture. Context Adaptive Scanning Engine (CASE) Figure 2: Detecting Spam Using CASE Technology Traditional Content Filters What CONTENT FILTERS Find Context Adaptive Scanning What CASE Finds What? Message content legitimate. What? How? Who? Message content legitimate. Message construction emulates Microsoft Outlook client. Sudden surge in volume of email being sent. Server does not accept mail in return. Mail server located in Ukraine. Where? Mismatch between display & target URL website domain registered a day ago. Website hosted on consumer broadband network. Whois data shows domain owner as known spammer. Verdict: UNKNOWN Verdict: BLOCK When the CASE is used in IronPort Virus Outbreak Filters, the same scoring and machine learning capabilities are applied albeit to a separately tuned data set. Virus Outbreak Filters are a preventive anti-virus solution offered by IronPort and powered by CASE technology. The Outbreak Filters solution scans messages against both "real-time" Outbreak Rules (issued by the IronPort Threat Operations Center for specific outbreaks) and "always on" Adaptive Rules (that reside on the CASE at all times), protecting users against outbreaks before they have had a chance to fully form. The CASE enables Virus Outbreak Filters to accurately detect and protect against virus outbreaks in several ways. First, the CASE has the ability to quickly scan messages based on parameters such as file extension of attachment, file size, filename, filename keywords, file magic (the true extension of a file), and embedded URLs. Because CASE technology analyzes messages to this level of detail, the Threat Operations Center can issue extremely granular Outbreak Rules, that accurately protect against an outbreak with minimal false positives. The CASE can dynamically receive updated Outbreak Rules, which ensures that it protects against the latest outbreaks. In addition to analysis of messages based on Outbreak Rules, CASE technology also scans messages based on Adaptive Rules. Adaptive Rules are finely tuned heuristics and algorithms that scan incoming messages for malformation and spoofing characteristics indicative of viruses. In addition to these parameters, Adaptive Rules score messages based on their SenderBase Virus Score (SBVS). SBVS is a score similar to a SenderBase Reputation Score, but with a ranking based on the likelihood that the sending party is sending viral emails, rather than spam. A majority of viral email is sent by previously infected zombie machines, so identifying and scoring these sending par ties is an impor tant factor in catching viruses.

IronPort's CASE technology enables Virus Outbreak Filters to stop virus outbreaks well before traditional anti-virus solutions, because the CASE examines messages in multiple ways. It has the ability to analyze numerous characteristics of message attachments, message content and message construction as well as the ability to analyze messages based on the reputation of their sender. And, because the CASE also acts as the Iron- Port Anti-Spam and Reputation Filters engine, a message only needs to be scanned once for all of these applications. HIGH PERFORMANCE, LOW COST The logic behind CASE technology can be very sophisticated, and therefore very CPU intensive to process. To maximize efficiency, the CASE uses a unique "early exit" technology. Early exit prioritizes the efficacy of the myriad rules processed by the CASE. CASE technology runs the rules with the highest impact and lowest cost first. If a statistical verdict is reached (whether positive or negative), no additional rules are run saving system resources. The elegance in this approach is having a good understanding of the efficacy of each rule. The CASE automatically monitors and adapts the order of rule execution as efficacy changes. The result of early exit is that CASE technology processes messages approximately 100 percent faster than a traditional rules-based filter. This has obvious advantages for large ISPs and enterprises. But it also has benefits for small and medium business. The efficiency of the CASE, coupled with the effectiveness of IronPort s AsyncOS operating system, means that IronPort appliances with AsyncOS and CASE technology can be implemented on very low cost hardware driving down capital costs. Another way CASE technology translates to low cost is by eliminating administrative overhead. The CASE is tuned and updated automatically, thousands of times each day. IronPort maintains a 24x7x365 Threat Operations Center (TOC) staffed by trained, multilingual technicians and statisticians. These TOC analysts have special tools that highlight anomalies in mail flow detected in any IronPort customer s network, or in global email traffic patterns. The TOC team generates new rules that are automatically pushed to the system in real time. The TOC team also maintains a massive corpus of spam and ham which is used to train various rules used by the CASE. IronPort has developed this corpus in partnership with thousands of the largest ISPs and corporations in the world. The automatically updated rules of the CASE mean that administrators don t have to be tuning and tweaking the filter, or spending time wading through spam quarantines. The technicians in the TOC are on duty at all times so system administrators don t have to be. 7

SUMMARY Spam, viruses, malware, spyware, denial of service attacks, and directory harvest attacks are all driven by the same underlying motive profits. These profits are attained either through the sale or advertising of merchandise or theft of information. Profits from these sales are driving increasingly sophisticated attacks, developed by professional engineers. To counter these threats, sophisticated email security systems need to analyze a message in the broadest possible context. IronPort s Context Adaptive Scanning Engine technology asks the four basic questions: Who, Where, What, and How to weed out legitimate messages from blended threats. Who is the email reputation of the sender who sent the message. Where is the reputation of the source hosting the website analyzing where the link would take you. What is an analysis of the content of the message what the message contains (first generation systems often rely solely on the What type of analysis). Finally, How is an analysis of how the message is constructed. This basic framework of analyzing Who, Where, What, and How works equally well for stopping spam as it does for stopping virus outbreaks, phishing attacks, email-borne spyware or other email threats. The data sets and analysis rule sets are tuned specifically for each threat. By processing these threats on a single high-performance engine, CASE technology allows the IronPort email and Web security appliances to stop the broadest range of threats with the highest possible efficiency. IronPort Systems 950 Elm Avenue, San Bruno, California 94066 tel 650.989.6500 fax 650.989.6543 email info@ironport.com web www.ironport.com IronPort Systems, a Cisco business unit, is a leading provider of anti-spam, anti-virus and anti-spyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase, the world s largest email and Web threat detection network and database. IronPort products are innovative and easy-to-use providing breakthrough per formance and playing a mission-critical role in a company s network infrastructure. Copyright 2000-2008 Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice. P/N: 434-0203-2 2/08

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information