WatchGuard Reputation Enabled Defense (White Paper)

Watchguard & DNA IT Solutions White Paper on Reputation Enabled Defence


Document presented by Wick Hill and DNA IT
Wick Hill: River Court, Albert Drive, Woking, Surrey GU21 5RP, 01483 227600
DNA IT: Unit J 2, Maynooth Business Campus, Maynooth, Co. Kildare, +353 1 651 0300
Cloud-based Web Security Isn't Hype: It's Here and It Works
June 2010

INTRODUCTION

It's not news that the web is dangerous and getting more dangerous by the day. Cyber criminals have ample economic motive and easy-to-use tools to harness the power of the web in capturing and misusing your data.

What is news is that now you can protect your company's valuable assets from web-based attacks with an innovative, effective new form of web security – cloud-based, reputation-driven defense.

Web Threats are on the Rise

The web is experiencing phenomenal growth, and with it, an unprecedented increase in the amount of new malware types that target web browsers, applications, and Web 2.0 infrastructure. Because cybercriminals can reap large profits from attacks that result in identity and data theft, a growing number of organized crime rings continuously fund new attempts to spread malware and acquire web users' personal data. Through modified packing and encrypting techniques, and other obfuscation methods, attackers can now create thousands of new variants of the same threat with relatively little effort. Despite these threats, most organizations continue to leverage new web-based applications to drive revenue and efficiencies, particularly as Web 2.0 technologies deliver new ways to interact and engage with customers and stakeholders.

Organizations frequently underestimate their exposure to malicious attacks. The statistics can be sobering. In 2009 alone, there was a dramatic 345% increase in the number of new malicious web links discovered.[1] These included high-profile sites, including those run by MSNBC, ZDNet, The United Nations, and Honda.[2] According to IDC, up to 30% of companies with 500 or more staff have been infected as a result of Internet surfing.[3] In other words, anywhere web users interact, malware encounters are frequent and common. To fend off new forms of malware – including spyware, viruses, crimeware and other malicious codes – organizations must better safeguard their web security infrastructure. A reactive and fixed security infrastructure must be turned into one that is proactive and adaptable to changes in the threat landscape.

There are many ways that legitimate websites can become infected. One inbound threat that has recently gained popularity among cybercriminals is the SQL injection. Hackers use SQL injections to get access to database-driven websites, planting malicious code for site visitors. This can be combined with Web 2.0-based social engineering attacks in which users believe they are being pointed to legitimate content. Compromised sites may host drive-by-downloads, where malware exploits vulnerabilities on the users' systems to download malware without any user interaction. Common applications such as Apple QuickTime® and Adobe PDF® may be exploited. Thus, an organization's own application vulnerabilities and web site code flaws open the door to cybercriminals seeking to infiltrate the organization.

THE NEED TO BALANCE SECURITY AND PERFORMANCE

Many IT security professionals face conflicting demands from management and network users when it comes to web security. The need for speed is always in demand, but delivering that speed while enhancing security for a broader, more dynamic threat environment is quite challenging. Following are some of the most frequent obstacles to achieving this goal:

  • A lack of additional IT budget to shore up network security
  • Network constraints that conflict with security issues around cloud computing
  • Performance degradations across the network due to additional hosted services

The options for overcoming these obstacles to proactive, multi-layered security are either unappealing or insufficient. For example, one defense against the widespread proliferation of malware is to install anti-virus scanning at the gateway, capturing malware before it ever enters the network. But scanning every page and object at the URL can slow down web page delivery and affect both throughput at the device and the user experience at the browser. Some network administrators may be reluctant to use gateway anti-virus because of its performance impact.

Finally, desktop or browser-based scanning solutions only catch threats once they are in the network. By the time these solutions alert users, today's malware could have already inflicted great amounts of damage to the organization's computing infrastructure and/or compromised sensitive data from within the organization.

URL Filtering is Not Enough

Since the 1990s, reputation services have been helping organizations block unwanted or bad traffic to ensure that threats never enter the network. By identifying and blocking threats at the perimeter, reputation services help prevent attacks, reduce the on-premise IT footprint required to scan traffic, and lower the costs associated with the bandwidth, hardware, and other resources required to block threats. As web technologies and the web itself have grown more sophisticated, early generation reputation services have become less effective in identifying and blocking threats. To fully understand this loss of effectiveness, it's important to understand how these services have evolved.

On the dynamic web, sites are continuously updated with new content, while URLs are frequently sold and altered. So a site that is scanned and categorized as legitimate by URL filters today may become a malware hub at some later point in time. In order to properly filter out hazardous and dangerous websites, a filter cannot merely rely on a static database. According to a report by IDC, "The advances in Web 2.0 technologies require a new generation of web security tools that go well beyond traditional URL filtering."[4] It must be as dynamic as the web itself, providing real-time threat protection. In addition, it must scale to handle the vast growth of the Internet.

Effective Security is Proactive and Multi-Layered

The most effective approach for defending against the web's dynamic threats is a proactive, multi-layered approach to web security. Being proactive requires that the security solution reach into the Internet cloud, obtain the latest threat data from multiple threat-monitoring sources, and prepare a network's perimeter in the event that one of the threats presents itself to the network. Effective defense is multi-layered, applying additional measures of threat scanning, depending on the type of content that attempts to enter the network.

WatchGuard® Reputation Enabled Defense™ provides effective, instantaneous, in-depth web security in real time. Based on the from-the-cloud security of WatchGuard ReputationAuthority®, Reputation Enabled Defense leverages the cloud-based intelligence of millions of global sources and users, sharing information about threats associated with URLs and domains in real-time to automatically block new threats before they enter an organization's network.

WatchGuard Reputation Enabled Defense includes real-time monitoring of web traffic, including scanning of URLs, to determine the risk level of each and every web page before it enters the network. The solution assesses each threat and type of network traffic. By scanning for hostile content and blocking malicious URLs at the connection level, Reputation Enabled Defense bridges the web security gap left exposed by simple URL filtering, provides safer web surfing and faster web performance.

Sidebar: Web Security Numbers

A look at some of the most recent figures related to web security demonstrates the need for IT security professionals to proactively manage a broad array of ever-changing threat types.

  • 40,000 websites per week were compromised during 2008-2009.[5]
  • The Gumblar virus alone compromised 60,000 websites.[6]
  • In 2009, 23,500 new web pages were infected per day.[7]
  • 0.7% of Google Search results display sites that have been infected by malware.[8]
  • The Mal/Bredo malware had 838 variants during the first quarter of 2010.[9]

Notes

[1] IBM X-Force 2009 Trend and Risk Report
[2] Gartner IT Security Conference 2009, Securing the Web Gateway, Peter Firstbrook
[3] Journal of Emerging Technologies in Web Intelligence, Vol. 2, No. 2, May 2010, Protecting Data from the Cyber Theft – A Virulent
[4] IDC, Worldwide Web Security 2009-2013 Forecast and 2008 Market Shares: It's All About Web 2.0 You TwitFace, August 2009
[5] Google Online Security Blog, Malware Statistics Update, August 25, 2009
[6] Google Online Security Blog, Top 10 Malware Sites, June 3, 2009
[7] Sophos, Sophos Security Threat Report, July 2009
[8] Google Online Security Blog, Malware Statistics Update, August 25, 2009
[9] Commtouch, Well-known Web Names Misused to Give Spam Deceptive Legitimacy, According to New Report by Commtouch, April 14,
WHAT TO LOOK FOR IN REPUTATION SERVICES

Reputation services complement gateway antivirus and traditional desktop solutions by providing improved performance and an additional layer of protection. Unlike traditional gateway anti-virus solutions, which typically update signatures on an hourly or daily basis, reputation services provide the equivalent of real-time updates of malware intelligence. The broader and improved URL reputation data they provide result in greater protection from web threats and faster, more productive web surfing. However, not all reputation services function in the same manner, so IT security professionals should exercise caution when evaluating potential solutions.

Many reputation services are implemented as plug-ins that prevent users from visiting web sites known for malware or phishing. By contrast, WatchGuard has adopted a contributor approach to reputation services to offer next-generation reputation services. WatchGuard's reputation and connection management approach reflects the belief that, to be truly effective and proactively prevent evolving threats, reputation services must be a true zero-hour first line of defense. They must not act simply as a monitoring system that relies on static databases, as most reputation services on the market do today. Rather, to achieve proactive, adaptive identification, the WatchGuard approach is to manage web threats at the connection level, and to perform in-depth analysis at the gateway layer. It then contributes the findings from the gateway to the reputation service in real time, harnessing the intelligence of millions of global users and sources for more powerful and intelligent protection from malicious URLs and web threats.

WatchGuard Reputation Enabled Defense users can choose to bypass anti-virus and other scanning functions for URLs that are known to have a current good reputation, saving time and helping to maintain performance levels.

WatchGuard Reputation Enabled Defense

WatchGuard Reputation Enabled Defense is available on WatchGuard's line of multi-function firewall, unified threat management (XTM) appliances, as well as on its XCS extensible content security appliances by adding a web security subscription. It provides a cloud-based reputation lookup to identify safe or harmful URLs. Harnessing threat intelligence from millions of users worldwide, Reputation Enabled Defense offers an extra layer of protection that acts as a powerful first line of defense from web threats. By preempting threats before they enter the network, Reputation Enabled Defense helps reduce computing overhead incurred by anti-virus scanning, particularly costly on-box scanning at the gateway, and helps speed delivery of approved content. In essence, WatchGuard takes web security beyond the box and network, managing as much as possible in the cloud.

How Reputation Enabled Defense works

As a cloud-assisted service, Reputation Enabled Defense provides instantaneous security that is updated continuously. Not only does it improve proactive security, it helps organizations take advantage of greater computing and processor power from servers hosted in the cloud. IT can save valuable processor resources on local appliances. As a result, more users can be served at higher rates of throughput – for less money.

Figure 1 below provides an overview of how Reputation Enabled Defense works to enhance web security. The core of the service is its cloud-based reputation-scoring database – the industry's most comprehensive database – and an on-appliance query
[Figure 1 – figure title: Give users a faster, safer web surfing experience]
Figure 1: Reputation Enabled Defense uses a powerful, cloud-based database to allow safe traffic in while keeping bad traffic out. Only unknown traffic is directed to further AV scanning, for substantial gains in web processing time.

When a web user browses to a URL, the WatchGuard appliance checks a local cache for that URL's reputation scores. If the result is not found in the local cache, WatchGuard then queries its cloud-based ReputationAuthority server for a reputation score for the URL. If the URL has a good reputation, the appliance approves the URL and bypasses local anti-virus scanning, allowing for faster page rendering and content delivery.

In the event that a URL is deemed to have a bad reputation (i.e., it contains hostile web threats), the WatchGuard appliance blocks the URL outright, immediately protecting users from malicious content and again bypassing local anti-virus scanning. If a URL's score appears in the gray area between good and bad, or if there is no score available, the appliance performs its routine defense-in-depth web security checks and then passes or blocks the URL based on these checks.

WatchGuard recognizes that all organizations use the web differently. That is why Reputation Enabled Defense is fully configurable. Today's threats introduce the possibility for normally safe web sites to become compromised within seconds of their last scan. Administrators can optionally choose not to use the feature that bypasses scanning of URLs with good reputation.

A True Service that Pays for Itself

WatchGuard ensures that Reputation Enabled Defense is delivering the strongest possible security with the lowest resource usage. WatchGuard manages the growth of the URL Reputation database via multiple feeds and aggregated data. This is a continuous and ongoing process, performed by WatchGuard, enabling customers to benefit from far greater intelligence and security than they have implemented in their own environment.

Reputation Enabled Defense typically allows the bypass of antivirus scanning for 30-50% of URLs, with an accompanying increase in web browsing speed and throughput at the multi-function firewall. With the web's top URLs always clearly rated and always in the reputation database, anti-virus scanning for these URLs can be bypassed at very low risk. This maximizes performance without sacrificing security when visiting these sites.

BENEFITS OF REPUTATION ENABLED DEFENSE

WatchGuard Reputation Enabled Defense provides a broad set of security and performance benefits arising from the ability to perform proactive security measures in the cloud. Below are the most salient benefits for IT and network administrators.

Security
  • Organizations can protect their valuable data by increasing efficacy and catch rate of every URL-based type of malware.
  • Administrators gain comfort in knowing that unsafe URLs face multiple levels of automated protection prior to gaining network access.
  • The full power and knowledge of the broad WatchGuard user community is brought to bear on the network's security stance through cloud-based security.
  • Administrators can strike the ideal balance of security and performance by monitoring scan results and modifying system configurations.

Performance
  • Administrators can deliver higher performance to the business and raise user satisfaction levels by minimizing URL scanning and gaining higher throughput at the gateway.
  • Administrators can reduce bandwidth and processing cycles with connection-level rejections of bad web sites.
  • The most frequented URLs are regularly updated in the ReputationAuthority database because the WatchGuard technology learns which URLs are popular.

Proactively Fight Malware

Malware continues to spread across the web. The ability of a single organization's IT staff to monitor and protect against all threats is eaten away by growing threat volumes and by new and ever-morphing threat variations. That is why WatchGuard is constantly pushing the envelope to improve methods for proactive and cloud-based security, taking into account the critical balance that must be maintained between security and performance.

WatchGuard Reputation Enabled Defense enables organizations to proactively fight the threat of malware without sacrificing user experience and network performance. In fact, WatchGuard is the only UTM/multi-function firewall vendor with a URL reputation solution at the gateway.

WatchGuard customers with Reputation Enabled Defense protecting their networks benefit from multiple outstanding anti-malware technologies that provide more coverage than systems that rely on just one anti-malware source. And benefits of Reputation Enabled Defense extend to all participating customers, because the cloud-based service dynamically protects them from newly discovered threats in real time.

By making the incremental investment in Reputation Enabled Defense, customers will gain exponential levels of protection. Why wait? The cybercriminals are acting now. Get one step ahead of
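The decision flow described under "How Reputation Enabled Defense works" (local cache check, cloud lookup on a miss, scan bypass for good reputation, connection-level block for bad reputation, routine scanning for gray-zone or unscored URLs, with the bypass configurable), written out as an added Python example. This is illustrative code, not WatchGuard's implementation; the 0..100 score scale, the thresholds, the cache TTL and the sample reputation table are all assumptions.

```python
"""Reputation-assisted gateway decision flow as the white paper describes it:
local cache -> cloud reputation lookup -> allow, block, or fall back to scanning.
Added illustration, not WatchGuard's code; score scale, thresholds, TTL and
the sample reputation table are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

GOOD_THRESHOLD, BAD_THRESHOLD = 80, 20   # assumed 0..100 scale; 21..79 is the gray zone

@dataclass
class ReputationGateway:
    cloud_lookup: Callable[[str], Optional[int]]   # stand-in for the cloud query
    content_scanner: Callable[[str], bool]         # defense-in-depth scan; True = clean
    bypass_scan_for_good: bool = True              # the paper says admins may turn this off
    cache_ttl: float = 300.0                       # assumed; keep short, sites can turn bad fast
    _cache: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    stats: Dict[str, int] = field(default_factory=lambda: {"cache_hit": 0, "cloud_query": 0, "scanned": 0})

    def _score(self, url: str) -> Optional[int]:
        """Local cache first; on a miss or an expired entry, ask the cloud."""
        now = time.monotonic()
        hit = self._cache.get(url)
        if hit is not None and now - hit[1] < self.cache_ttl:
            self.stats["cache_hit"] += 1
            return hit[0]
        self.stats["cloud_query"] += 1
        score = self.cloud_lookup(url)
        if score is not None:            # never cache "no score": ask again next time
            self._cache[url] = (score, now)
        return score

    def decide(self, url: str) -> str:
        score = self._score(url)
        if score is not None and score <= BAD_THRESHOLD:
            return "block"               # connection-level block, no scan needed
        if score is not None and score >= GOOD_THRESHOLD and self.bypass_scan_for_good:
            return "allow"               # known good: skip AV for faster delivery
        self.stats["scanned"] += 1       # gray zone, no score, or bypass off: scan decides
        return "allow" if self.content_scanner(url) else "block"

# Constructed sample data: these URLs and scores are invented for the demo.
SAMPLE_REPUTATION = {"https://news.example.com/": 95,
                     "https://downloads.example.test/setup": 5,
                     "https://forum.example.net/thread/1": 50}

def sample_cloud_lookup(url: str) -> Optional[int]:
    return SAMPLE_REPUTATION.get(url)

def sample_scanner(url: str) -> bool:
    return "setup" not in url            # toy stand-in for real AV scanning

def run_demo() -> Tuple[Dict[str, str], Dict[str, int]]:
    gw = ReputationGateway(sample_cloud_lookup, sample_scanner)
    urls = list(SAMPLE_REPUTATION) + ["https://new.example.org/"]   # last one has no score
    results = {u: gw.decide(u) for u in urls}
    gw.decide("https://news.example.com/")   # repeat visit is served from the cache
    return results, dict(gw.stats)
```

The short cache TTL and the option to turn off the good-reputation bypass are the two knobs that address the paper's own caveat that a normally safe site can be compromised within seconds of its last scan.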
MORE INFORMATION

To find out more about Reputation Enabled Defense and WatchGuard XTM security solutions, contact your authorized WatchGuard reseller, visit, or call WatchGuard directly at +1.800.734.9905 (North America) or +1.206.613.0895 (international).

NOTE: Reputation Enabled Defense is available as a subscription for all WatchGuard XTM 2, 5, 8, and 10 Series Unified Threat Management appliances.

For WatchGuard XCS appliances, URL reputation enabled defense is available with the purchase of the XCS Web Security subscription. Every WatchGuard XCS appliance includes ReputationAuthority, an IP reputation-enabled defense for enterprise-class email security.

ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
WEB:
NORTH AMERICA SALES: +1.800.734.9905
INTERNATIONAL SALES: +1.206.613.0895

ABOUT WATCHGUARD

Since 1996, WatchGuard Technologies has provided reliable, easy to manage security appliances to hundreds of thousands of businesses worldwide. WatchGuard's award-winning extensible threat management (XTM) network security solutions combine firewall, VPN, and security services. The extensible content security (XCS) appliances offer content security across email and web, as well as data loss prevention. More than 15,000 partners represent WatchGuard in 120 countries. WatchGuard is headquartered in Seattle, Washington, with offices in North America, Latin America, Europe, and Asia Pacific. For more information, please visit

No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features, or functionality will be provided on an if and when available basis. ©2010 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard Logo, and WatchGuard ReputationAuthority are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks and tradenames are the property of their respective owners. Part No.