Cisco Reputation Filtering: Providing New Levels of Network Security. Solution Overview




Table of Contents
Executive Summary ... 3
Dangerous Threats on the Rise ... 3
Traditional Defenses Unequal to the Level of Sophisticated Attacks ... 4
Cisco's Response: Cloud-Based Global Intelligence Operations ... 4
Unbeatable Reputation Filtering in Action ... 5
Web Reputation Filtering ... 6
IPS Reputation Filtering ... 6
Malware-Infected Endpoint Detection ... 7
Why Cisco Has the Most Comprehensive Security Solution ... 8

Executive Summary

Today's sophisticated, blended threats can exploit three or four different communications vehicles before they launch full-scale attacks on unprepared enterprise networks. This white paper, written for IT managers and executives, examines the new security risks for today's borderless enterprise networks, and describes how cloud-based Cisco Security Intelligence Operations and the powerful, comprehensive reputation filtering capabilities built into Cisco security appliances and services can help you protect your network from known and unknown threats.

Dangerous Threats on the Rise

Today's borderless enterprise networks are more exposed to outside threats than ever before. Because of the rising dependence on mobility, virtualization, cloud computing, and social networking applications in the workplace, hackers have virtually unlimited opportunities to get around traditional network defenses. And they are quick to exploit vulnerabilities, creating network threats specifically designed to avoid detection. The exploits are often so targeted that there are no signatures to stop them.

Cisco Security Intelligence Operations (SIO) is a cloud-based security service: a web-based global network of shared resources, software, and information provided to Cisco customers and devices on demand. According to data collected from Cisco SIO, exploit and attack threat levels increased by 57 percent in 2009. Approximately 50 percent of malware attacks are committed by serial offenders for financial gain. Exploiting networks is a business with unlimited opportunities for growth.

It is estimated that there are approximately five connected devices per person in operation today around the world. Industry analysts predict that this number will swell to 140 connected devices per person by 2013. Security threats are on a similarly dramatic trajectory, from 2.6 million identified threats this year to 5.7 million in 2013.

At one time, exploits could often be traced to a small number of software weaknesses that were being widely exploited. In the last few years, however, Cisco SIO has observed a greater and broader number of vulnerabilities and attacks that require more patches, more mitigations, and wider monitoring activity.

Traditional Defenses Unequal to the Level of Sophisticated Attacks

The data is reflected in anecdotal evidence from our customers. Enterprise IT managers tell us they are spending more time cleaning up infected PCs and servers, preventing data loss, and securing their networks. In response to increasingly complex attack techniques, filtering technology continues to develop, peering deeper into network- and application-layer traffic and performing more processing on every byte. However, even deeper inspection with signature matching and behavioral analysis is still not able to handle the latest threats, because the latest generation of malware uses multiple protocols, applications, and vectors to propagate. No two attacks are exactly the same: binary containers, method of infection, and other attributes change each time they replicate.

It is also important to note that threat attacks are no longer confined to one vector. A perfect example is the highly publicized Storm worm. Storm propagates itself using both web and email, along with social engineering techniques. Storm has been around since 2007; the latest outbreak targets users by sending spam emails that use a fake YouTube logo and video links. When unsuspecting users click on the link, an embedded JavaScript routine launches via browsers that exploit unpatched devices to infect them with the W32/Nuwar Trojan. If the devices are patched, users are presented with a link that appears to be from YouTube, enticing them to click on it.

Layered defenses using scanning engines from multiple vendors do improve catch rates, but that is not enough to halt the most sophisticated threats. Signatures have proven to be reliable in identifying behavior, but they have not proven so useful in determining intent, which is more easily determined from past behavior. Zero-day outbreaks pose a particular hazard. These malware variations do not match available existing rules, patterns, or behaviors, and so are able to remain undetected until new rules or patterns are installed.

Cisco's Response: Cloud-Based Global Intelligence Operations

Reputation filtering, analyzing the location and behavior of email host, IP, and domain addresses and source URLs, is a fairly common practice. Most security vendors get the majority of their data from their antivirus footprints, but they catch only a percentage of malware attacks. For example, security researchers at Trusteer discovered that the Zbot botnet that promulgated the Zeus Trojan was detected just 23 percent of the time by up-to-date antivirus applications ("Antivirus Rarely Catches Zbot Zeus Trojan," Sept. 2009).

Cisco provides a level of breadth and depth in its reputation filtering not found anywhere else. Cisco IronPort pioneered reputation technology with its SenderBase network, a global traffic monitoring network that measures, in real time, the reputation, or trustworthiness, of a given server. The company began collecting information about email server behavior in 2002; in 2006 it added data about websites referenced in spam. Cisco SIO has since expanded its comprehensive reputation analysis implementation by integrating firewall and intrusion detection and prevention data for a more robust network view of dynamic threats.

Think of Cisco SIO as the world's largest cooperative global security ecosystem, using more than 700,000 live feeds from linked Cisco email, web, firewall, and intrusion prevention systems (IPSs).

1) Cisco SensorBase collects raw event data from more than 700,000 globally linked sensors in Cisco IPS devices, firewalls, and web security and e-mail security devices, as well as data from more than 600 third-party feeds. SensorBase examines more than 30 percent of the world's e-mail, thanks to strategically located honey-pot accounts equipped with e-mail addresses publicized on lists that spammers might use.

2) The Cisco SIO Threat Operations Center weights and processes the data. When necessary, Cisco security experts reverse-engineer malware and other Internet threats. Engineers also collect, research, and supply information about security events that have the potential for widespread impact on networks, applications, and devices.

3) When the data is ready for deployment, Cisco SIO mechanisms dynamically deliver updates to Cisco firewall, web, IPS, and email devices, and to Cisco IntelliShield vulnerability aggregation and alert services. Cisco SIO also sends security best practice recommendations and community outreach services to Cisco customers.

[Figure: Cisco SIO data flow. Components shown: SensorBase, Cisco IPS and ASA Appliances, Cisco IronPort Email Security, Cisco IronPort and ScanSafe Web Security]

Unbeatable Reputation Filtering in Action

Reputation filters are valuable because they examine parameters that are hard to manipulate. Reputation data is also truly dynamic, reacting in real time to subtle changes in Internet behavior. Scoring is proactive and granular, covering both positive and negative aspects.

Email Reputation Filtering

Cisco email security appliances retrieve reputation information in real time, as incoming messages arrive. These Cisco devices query DNS text records in SensorBase and retrieve a reputation score associated with the IP address of the sending server. The score can range from -10.0 for the worst email senders to +10.0 for the best. The reputation score is based on more than 200 aggregated and weighted parameters. Cisco email security appliances reject email from servers with low scores (below -3.0) and rate-limit senders that have medium to low reputation scores. They can also white-list high-reputation senders, such as IP addresses with +9.0 scores from Fortune 1000 organizations. Because spam is so prevalent, most of our customers report that our default settings block more than 90 percent of incoming message attempts. This first line of defense improves the efficiency and overall block rate of downstream virus and spam scanners.

Web Reputation Filtering

Cisco web security appliances connect to Cisco SIO every five minutes for database updates. These rulesets contain lists of compromised web hosts as well as information about infected URLs and pages. Rapid, granular scanning of each object on a requested webpage, rather than just URLs and initial HTML requests, significantly reduces the chance of infection. The appliances dynamically calculate the risk of each web request and response using reputation data to block high-risk transactions and safeguard users from attacks such as IFrame-based attacks and cross-site scripting. Web reputation filtering is used in conjunction with signature and behavior-based scanners to provide much faster and stronger multi-layered web protection.

What do Reputation Scores Mean?

The scale runs from -10 (worst) to +10 (best). The sender profiles below are listed from the -10 end of the scale to the +10 end:

- An IP address controlled by a spam house or a known open proxy, generating a massive volume of complaints and hitting many spamtraps. Almost guaranteed to be spam.
- Spam houses generating complaints and hitting spam traps; IP listed on one or more open proxy lists. Almost always spam.
- An IP on one or more reliable blacklists, or belonging to a suspicious new sender with some complaints and spamtrap hits.
- May be a dynamic IP (e.g., dial-up) sending direct to the Internet, an email marketer with poor practices, or a legitimate enterprise with an open server.
- Some sending history, low or moderate complaints.
- Long sending history, few complaints.
- A known enterprise, or a sender who has undergone third-party certification, with no complaints and a long sending history.

IPS Reputation Filtering

Cisco intrusion prevention systems connect to Cisco SIO every 30 minutes and retrieve updated reputation data based on parameters such as whether the IP address is a Dynamic Host Configuration Protocol (DHCP) address, whether the IP address has a Domain Name System (DNS) entry, and how often that information changes.
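The sender policy described under Email Reputation Filtering, as an added example that is not part of the original document: the -3.0 reject and +9.0 white-list thresholds come from the text, while the DNS query name, the "score=<float>" TXT record format, the 0.0 rate-limit boundary and the sample data are constructed assumptions (the real SensorBase record format is not described here).

```python
"""Email sender reputation policy modelled on the thresholds in this overview."""
from dataclasses import dataclass
from typing import Callable, Optional

REJECT_BELOW = -3.0      # from the document: reject senders scoring below -3.0
WHITELIST_AT = 9.0       # from the document: +9.0 senders may be white-listed
RATE_LIMIT_BELOW = 0.0   # assumed boundary for "medium to low" scores


@dataclass(frozen=True)
class Verdict:
    action: str             # "reject" | "rate_limit" | "accept" | "whitelist"
    score: Optional[float]  # None when no reputation record exists


def query_name(ip: str) -> str:
    """Build the lookup name: reversed octets under an assumed zone (constructed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".reputation.example"


def parse_score(txt: str) -> float:
    """Parse a constructed 'score=<float>' TXT record and clamp it to the -10..+10 scale."""
    key, _, value = txt.strip().partition("=")
    if key != "score":
        raise ValueError(f"unexpected record: {txt!r}")
    return max(-10.0, min(10.0, float(value)))


def sender_policy(ip: str, resolve_txt: Callable[[str], Optional[str]]) -> Verdict:
    """Map a sending server's reputation score to the appliance action."""
    record = resolve_txt(query_name(ip))
    if record is None:
        # Unknown senders are treated as neutral: scanned normally, never white-listed.
        return Verdict("accept", None)
    score = parse_score(record)
    if score < REJECT_BELOW:
        return Verdict("reject", score)
    if score < RATE_LIMIT_BELOW:
        return Verdict("rate_limit", score)
    if score >= WHITELIST_AT:
        return Verdict("whitelist", score)
    return Verdict("accept", score)


# Constructed reputation data for the example (not real SensorBase entries).
SAMPLE_RECORDS = {
    "1.0.0.10.reputation.example": "score=-7.5",
    "2.0.0.10.reputation.example": "score=-1.2",
    "3.0.0.10.reputation.example": "score=4.0",
    "4.0.0.10.reputation.example": "score=9.4",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_RECORDS.get(name)


def block_rate(ips, resolve_txt=sample_resolver) -> float:
    """Fraction of connection attempts rejected outright by reputation alone."""
    verdicts = [sender_policy(ip, resolve_txt) for ip in ips]
    return sum(v.action == "reject" for v in verdicts) / len(verdicts)


if __name__ == "__main__":
    for ip in ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]:
        print(ip, sender_policy(ip, sample_resolver))
```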

Real-time reputation feeds from Cisco SIO provide unique context information for Cisco IPSs. Using Global Correlation to factor reputation into dynamic threat assessments, Cisco IPS is able to determine the probability of malicious intent associated with a network event and modify the response action accordingly. For example, the IPS sensor may detect an event that is often, but not always, associated with malicious activity. Without Global Correlation, the sensor will send an alert about the activity, but no action is taken on the network traffic. With Global Correlation, however, the sensor can access a wealth of historical data on the source of the traffic. If the reputation is low, the sensor can take direct action and thwart the potential attack without the risk of blocking valid traffic. The sensor can also use reputation data to pre-filter traffic from sources with extremely low reputations, saving processing power for additional inspection.

Malware-Infected Endpoint Detection

Cisco adaptive security appliances connect to Cisco SensorBase every hour and retrieve the latest list of known botnet command and control hosts. Hosts listed in the botnet traffic filter database earn a reputation of -10.0. While traffic volumes to botnet networks may be small, the added protection is extremely valuable. Firewall botnet traffic filters also automatically detect when infected systems in an organization try to phone home to their controllers.

Cisco Web Security Appliances include a Layer 4 Traffic Monitor, in addition to web reputation filters and multiple malware scanning engines, which detects website malware activity. Even with the best defenses in place, some threats will always manage to breach the network. That is where the integrated Layer 4 Traffic Monitor proves its value. It scans all ports at wire speed, detecting and blocking spyware phone-home activity. By tracking all 65,535 network ports at the network data center, the Layer 4 Traffic Monitor effectively stops malware that attempts to proliferate through the network. In addition, the Layer 4 Traffic Monitor can dynamically add IP addresses of known malware domains to its list of ports and IP addresses to detect and block. Using this dynamic discovery capability, the Layer 4 Traffic Monitor can monitor the movement of malware in real time, even as the malware host tries to avoid detection by migrating from one IP address to another.

Reputation Filtering and IPv6

In recent months, Cisco Security Intelligence Operations (SIO) has witnessed a rise in criminal activity on IPv6, particularly as sources of email threat messages and in channels used by botnet command-and-control infrastructures. In 2008, Time Magazine was hosting voting for its 100 Most Influential People of the Year award. To provide legitimacy and deter users from ballot stuffing, Time created a system whereby each IP address received one vote. The hacker team that pushed the winner, Moot, to the top of the charts faked out the system by using an IPv6 address that didn't work with the application. Although this hack was acknowledged by Time and was not harmful, it still shows that security is a critical aspect of deploying the IPv6 protocol. While the threat volume to date has been relatively low, Cisco SIO expects this trend to only continue as IPv6 implementation increases. As the backbone of Cisco's threat collection and correlation system, Cisco SIO has been investing in reputation scoring for IPv6 traffic. For more information on IPS, email, and web security and how it can protect your organization, visit www.cisco.com/go/threatdefense.
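The phone-home detection and dynamic discovery described for the Layer 4 Traffic Monitor, as an added example that is not Cisco's code: the malware domain, DNS answers, flow records and internal addresses are all constructed, and the matching logic is a model of the behaviour the text describes (any port, follow the host when its address changes), not the appliance's implementation.

```python
"""Phone-home detection modelled on the Layer 4 Traffic Monitor described above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    internal_host: str
    dst: str
    dport: int
    reason: str


@dataclass
class L4Monitor:
    malware_domains: Set[str]                        # known malware domains (constructed list)
    blocked_ips: Set[str] = field(default_factory=set)
    ip_to_domain: Dict[str, str] = field(default_factory=dict)
    infected_hosts: Set[str] = field(default_factory=set)

    def _is_malware_domain(self, name: str) -> bool:
        return name in self.malware_domains or any(
            name.endswith("." + d) for d in self.malware_domains)

    def observe_dns(self, qname: str, answers: List[str]) -> None:
        """Dynamic discovery: every address a known malware domain resolves to
        joins the block list, so the monitor follows the host when it moves."""
        name = qname.rstrip(".").lower()
        if self._is_malware_domain(name):
            for ip in answers:
                self.blocked_ips.add(ip)
                self.ip_to_domain[ip] = name

    def inspect(self, src: str, dst: str, dport: int) -> Optional[Alert]:
        """All ports are treated alike: the destination's reputation, not the
        port number, decides whether the flow is phone-home traffic."""
        if dst in self.blocked_ips:
            self.infected_hosts.add(src)
            return Alert(src, dst, dport, f"phone-home to {self.ip_to_domain[dst]}")
        return None


# Constructed event timeline: ("dns", name, [answers]) or ("flow", src, dst, dport).
# The C2 domain moves from one address to another half-way through.
EVENTS = [
    ("dns", "c2.bad-example.test", ["203.0.113.10"]),
    ("flow", "192.168.1.20", "203.0.113.10", 443),
    ("flow", "192.168.1.20", "198.51.100.5", 443),
    ("dns", "c2.bad-example.test", ["203.0.113.77"]),
    ("flow", "192.168.1.31", "203.0.113.77", 6667),
    ("flow", "192.168.1.31", "203.0.113.10", 80),
    ("dns", "www.good-example.test", ["198.51.100.5"]),
]


def run_monitor(events, malware_domains=frozenset({"bad-example.test"})) -> Tuple[List[Alert], L4Monitor]:
    """Replay a timeline through the monitor and collect the alerts it raises."""
    monitor = L4Monitor(set(malware_domains))
    alerts: List[Alert] = []
    for kind, *args in events:
        if kind == "dns":
            monitor.observe_dns(*args)
        elif kind == "flow":
            alert = monitor.inspect(*args)
            if alert:
                alerts.append(alert)
    return alerts, monitor


if __name__ == "__main__":
    for alert in run_monitor(EVENTS)[0]:
        print(alert)
```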

Why Cisco Has the Most Comprehensive Security Solution

Through the combined intelligence in Cisco SIO SensorBase reputation filters for e-mail, web, IPS, and firewall devices, IT security managers gain control over multivector threat signatures, network-based attack detections, and reputation classifications to successfully block and limit network entry.

Advanced Cisco SIO protection is available on the following Cisco products:
- Cisco Adaptive Security Appliances
- Cisco IronPort Email Security Appliances, Hosted Email Security, and Hybrid Hosted Email Security
- Cisco IronPort Web Security Appliances
- Cisco Intrusion Prevention Systems
- Cisco Integrated Services Modules
- Cisco IntelliShield Alert Services

These devices and hosted services are licensed with one or more security filters that are powered by Cisco SIO, including:
- Cisco IronPort Virus Outbreak Filters
- Cisco IronPort Anti-Spam
- Cisco IronPort Email Reputation Filters
- Cisco IronPort Web Reputation Filters
- Cisco IPS Reputation and Signature Filters
- Cisco Firewall Botnet Traffic Filters

Widest footprint: Cisco SensorBase collects data from 8 of the top 10 ISPs and handles over 3 billion web requests a day, 10 times more than other monitoring systems. A highly diverse group of more than 120,000 organizations, including the largest networks in the world, contribute information to Cisco, a remarkable 5 billion messages per day. The volume provides a statistically significant sample size, resulting in immediate and accurate detection of even low-volume email senders and URLs.

Fastest response: Cisco SIO reputation filters stop viruses even before signatures are made available, yielding from 13 to 48 hours more protection compared to the top 6 antivirus vendors. Competitors usually update their IPS filters twice a week, or within 8 hours of an emergency. Cisco SIO updates new IPS reputation rules every few minutes.

Best blended threat detection: Cisco's unique combination of IPS signatures and firewall botnet data with massive email and web sensor feeds expands SensorBase beyond event-specific protection to cover a wider range of exploits with real zero-day protection.

Higher accuracy: Cisco SIO reputation filters examine a multitude of factors to render much more accurate conclusions. Cisco Global Correlation yields far fewer false positives by combining suspicious traffic profiling with reputation scoring. The two-step approach prevents sensors from blocking traffic from sources with a neutral or positive reputation, significantly reducing the potential for false positives.

Easier implementation: Cisco SIO SensorBase detection, reporting, and update actions are automatic, so IT security administrators don't have to look at each signature and decide what to apply. They select their preferred reputation thresholds, and the security devices do the rest. Organizations can stay up to date with tools such as the Cisco IntelliShield Alert Manager and Cisco SIO-to-Go.

Most effective: Cisco's email reputation filtering blocks 90 to 98 percent of all mail before it enters the corporate network, more than twice as much spam as the next closest vendor, even without scanning it. Cisco research has found that IPSs using reputation filtering typically block three times more threats than signatures alone.
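The two-step Global Correlation decision described in the IPS Reputation Filtering section and under "Higher accuracy" above, as an added example that is not Cisco's algorithm: the 0-100 signature risk scale, the deny and pre-filter thresholds and the reputation weighting are assumptions made for illustration; the properties taken from the text are that a source with neutral or positive reputation is never denied by reputation, that low reputation can turn an alert into a deny, and that extremely low reputations are pre-filtered before inspection.

```python
"""Reputation-adjusted IPS response modelled on Global Correlation as described above."""
from dataclasses import dataclass
from typing import Optional

DENY_AT = 90              # assumed: a signature this certain is denied on its own
PREFILTER_AT = -8.0       # assumed: "extremely low" reputation, dropped before inspection
REPUTATION_WEIGHT = 10    # assumed: risk points added per point of negative reputation


@dataclass(frozen=True)
class Event:
    signature: str
    risk: int         # 0-100 confidence that the signature indicates an attack (assumed scale)
    source_ip: str


@dataclass(frozen=True)
class Decision:
    action: str       # "deny" or "alert"
    adjusted_risk: int
    reason: str


def signature_only(event: Event) -> Decision:
    """Without Global Correlation: only near-certain signatures are denied, the rest alert."""
    if event.risk >= DENY_AT:
        return Decision("deny", event.risk, "signature alone exceeds deny threshold")
    return Decision("alert", event.risk, "signature fired, reputation not consulted")


def prefilter(reputation: Optional[float]) -> bool:
    """Step one: sources with extremely low reputation are dropped before deep inspection."""
    return reputation is not None and reputation <= PREFILTER_AT


def global_correlation(event: Event, reputation: Optional[float]) -> Decision:
    """Step two: combine signature risk with source reputation.

    A neutral (0), positive or unknown reputation never raises the risk, so such
    sources cannot be denied on reputation grounds; only negative reputation
    can promote an alert to a deny."""
    if prefilter(reputation):
        return Decision("deny", 100, f"pre-filtered: reputation {reputation} <= {PREFILTER_AT}")
    if reputation is None or reputation >= 0:
        return signature_only(event)
    adjusted = min(100, event.risk + int(-reputation * REPUTATION_WEIGHT))
    if adjusted >= DENY_AT:
        return Decision("deny", adjusted,
                        f"signature risk {event.risk} raised by reputation {reputation}")
    return Decision("alert", adjusted, "reputation not low enough to justify denial")


if __name__ == "__main__":
    # Constructed event: a signature that is often, but not always, malicious.
    suspicious = Event("http-suspicious-uri", 60, "203.0.113.9")
    print("no correlation :", signature_only(suspicious))
    for rep in (3.0, None, -1.5, -4.0, -9.0):
        print(f"reputation {rep!s:>5}:", global_correlation(suspicious, rep))
```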

Summary

Today's network threats can appear from literally anywhere. Malicious events arise from known suspicious websites and spam, from zero-day exploits, and from new or legitimate websites that have been invisibly compromised. Cisco is on the vanguard of intelligent, proactive threat defense with its blended reputation and threat analysis approach and its global, cloud-based Cisco Security Intelligence Operations using SensorBase, the world's largest threat database. Near-real-time cooperative data sharing and dynamic updates deliver the latest protection to Cisco devices and security best practices to keep Cisco customers informed and protected.

To learn more about Cisco Security Intelligence Operations, visit www.cisco.com/go/security or contact your local reseller. To find a reseller in your area, visit www.cisco.com/web/partners.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

2010 Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) C11-614626-00 08/10