Web interactivity increasingly relies on user- and third-party-generated content built on rich backend database systems, which are easily exploited. This has created a breeding ground for the distribution of malware, even among the most trusted and popular web sites and applications. This dramatic change in the nature of web threats has rendered traditional web filtering technology completely ineffective. Simply blocking access to sites that may host malware is no longer a viable solution, as that would now include each and every site on the net.

With the web now a mission-critical tool in most organizations' day-to-day activities, it's critical to equip yourself with a security solution that enables users to be productive while also providing the security essential to a risk-free experience.

Organizations looking for protection against modern web threats need a solution that combines powerful application, site and content controls with proactive malware detection. In today's economy, best-of-breed security must also embrace low-impact, effective administration, enabling organizations to do more with less. At the same time, the solution must meet end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need. Solutions which fail to meet these demands for security, control, performance, value and accessibility will ultimately fail the organization.
Introduction
The web is now the number one vector of attack for cybercriminals, with a newly infected web site discovered every few seconds. Hijacked trusted sites, poisoned search results, fake AV, and phishing sites are all finding their way into our browsers at an alarming rate. As a result, Internet access creates a dilemma for you: on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the Internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research. They cannot be blocked without seriously impacting business productivity and effectiveness.

A new approach to web security and control is required that fully supports the needs of businesses, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security and control solution.
Web Security and Control Overview
Application Control
Web application control is not just about productivity - it's an important foundational layer to an effective web protection strategy.
Most web malware utilizes commercially available exploit packs that contain dozens of different vulnerability testers, redirectors, and actual exploit code that test for and exploit a myriad of vulnerabilities in applications on the user's system. These kits are designed specifically to prey on users who aren't diligent in keeping their software and operating system patches up to date. It's therefore critical not only to keep your applications patched and up to date, but also to limit the web applications in your environment to a minimal standard set of business-related programs and tools.
Unfortunately, traditional application controls at the gateway rely on port or packet inspection to identify and control instant messaging, peer-to-peer and other non-browser web applications. The problem with this approach is that it doesn't prevent these applications from being installed and ultimately exploited. This is where a security suite that integrates both endpoint and web protection together can offer enormous benefits, by controlling unwanted applications on the desktop, before they can become exploited and infected.
Security and Control Components:
- Application control
- Productivity and reputation filtering
- Proxy filtering
- Real-time malware filtering
- HTTPS filtering
- Content-based filtering
- Data loss prevention
Deployment, Management, and Vendor Capabilities:
- Low-impact end-user experience
- Flexible easy deployment
- Minimal administrative burden
- Intuitive management console
- Rich dashboard and reporting
- World-class vendor services and support
The rest of this document is dedicated to articulating the key components of an effective web security and control solution.
URL and reputation filtering
Traditional URL filters rely on vast, regularly updated databases of sites classified into different categories for the purposes of controlling productivity and enforcing acceptable use policy. URL filtering was once considered an acceptable web security solution, but the presence of web malware has shifted dramatically from dodgy porn and gambling sites to much more popular mainstream websites across all categories. So while URL filtering plays an important role in optimizing network performance and staff productivity by blocking access to illegal, inappropriate, or non-business-critical web content, it is not an effective security solution against modern threats such as hijacked trusted sites. Reputation-based filters are designed to augment URL filtering and act as the first critical component in the fight against modern web-based threats. They prevent access to a continuously growing catalog of sites across all categories that are known to be currently infected or to have hosted malware or other unwanted content in the past, by filtering URLs based on their reputation as "good" or "bad." Reputation filtering is now considered a proven and essential tool for protecting against already known web-based threats across all site categories.
Proxy filtering
Anonymizing proxies are specially designed sites that enable users to browse blocked sites anonymously and free of company web security filtering. Obviously, these kinds of sites can completely undermine an effective web security and control solution, exposing users and the organization to significant security risks, legal liability issues, and productivity losses. To prevent users from bypassing filtering controls, the following two components are critical in forming a defence against anonymizing proxy use:
- A reputation-based service that actively seeks out new anonymizing proxies from a variety of underground sources as they are published and updates the filtering database at frequent, regular intervals.
- A real-time proxy detection engine that automatically inspects traffic for signs that it's being routed through a proxy, effectively closing the door on private home-based proxies or other proxies not identified through the reputation service.
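The two components above can be combined in a single classifier. The following is an added example, not Sophos code: layer 1 is a reputation list of known proxy hosts, layer 2 is a real-time heuristic for proxies the list has never seen, namely a request whose query string carries a complete URL for a different host, which is how CGI-style web proxies are told which page to relay. The hostnames, the allow-list and the log lines are all constructed for the example.

```python
"""Added example (not Sophos code): two-layer anonymizing-proxy detection.

Layer 1 is a reputation list of known proxy hosts (constructed sample).
Layer 2 is a real-time heuristic for proxies the list has never seen: a
request whose query string carries a complete URL for a different host,
which is how CGI-style web proxies ask the relay to fetch the target page.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Layer 1: constructed reputation list (hypothetical hostnames).
KNOWN_PROXY_HOSTS = {"proxy.example-anonymizer.test", "unblock.example.test"}

# Hosts that legitimately carry URLs in parameters (search engines, SSO
# redirects); without this list the heuristic produces false positives.
URL_PARAM_ALLOWLIST = {"search.example"}


@dataclass
class ProxyVerdict:
    url: str
    is_proxy: bool
    layer: str    # "reputation", "heuristic" or "none"
    detail: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def relayed_target(url: str):
    """Return a full URL found in the query string that points at another host."""
    outer = host_of(url)
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            inner = host_of(value)
            if inner and inner != outer:
                return value
    return None


def classify(url: str) -> ProxyVerdict:
    host = host_of(url)
    if host in KNOWN_PROXY_HOSTS:
        return ProxyVerdict(url, True, "reputation",
                            f"{host} is a catalogued anonymizing proxy")
    if host not in URL_PARAM_ALLOWLIST:
        target = relayed_target(url)
        if target:
            return ProxyVerdict(url, True, "heuristic",
                                f"request relays foreign URL {target}")
    return ProxyVerdict(url, False, "none", "")


# Constructed access-log sample: two proxied requests, two ordinary ones.
SAMPLE_REQUESTS = [
    "http://proxy.example-anonymizer.test/browse.php?u=http://social.example/feed",
    "http://home-box.example.test/cgi-bin/relay.cgi?q=https://video.example/watch",
    "https://search.example/search?q=https%3A%2F%2Fdocs.example%2Fguide",
    "https://intranet.example/login?next=https://intranet.example/home",
]


def run(requests=SAMPLE_REQUESTS):
    return [classify(u) for u in requests]


if __name__ == "__main__":
    for v in run():
        flag = "PROXY" if v.is_proxy else "ok   "
        print(f"{flag} {v.layer:11} {v.url}  {v.detail}")
```

The second request is the case the reputation list alone misses: a private home-based relay that no catalogue has seen. The allow-list is what keeps the heuristic usable in practice; a search engine or a single sign-on redirect carries full URLs in its parameters for legitimate reasons, and a same-host redirect (the last request) is never flagged because the embedded URL points back at the host serving it.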
Real-time malware filtering
Real-time predictive malware filtering goes a long way toward closing the gap left by reputation-based filters. With this kind of filter, all web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning. Whenever a user accesses a website, regardless of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters: the filtering is, almost by definition, bi-directional - both the user request to and the information returning from the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted.
A real-time malware scanning engine is not only the most critical component of an effective web security solution, it is a key point of differentiation among vendors. As a result, buyers should pay particular attention to the capabilities of their web security solution short list, and focus on some key considerations related to malware scanning capabilities:
- Real-time: looks at content as it's accessed or downloaded
- Behavioral: goes beyond signatures to analyze code for malicious intent before it executes
- Script emulation: will decode and emulate obfuscated JavaScript before passing it to the browser
- Bi-directional: inspecting both outbound requests and incoming content
- Multi-vector: provides integrated malware detection across several vectors including the gateway, the browser, and the desktop
- Low latency: can scale and handle peak loads efficiently to ensure a seamless user experience
- Update frequency: signature and threat identity information should be provided at intervals measured in minutes, not hours or days
HTTPS filtering
With up to 40% of web applications and protected web sites now relying on port 443 Secure Sockets Layer (SSL), this is an increasingly popular vector for malware distribution and therefore a critical component of an effective web security solution. Since SSL content is encrypted, it can't be intercepted by most traditional web security solutions, which leaves IT completely blind to this traffic. It's no surprise that most proxy sites, phishing attacks, fake AV sites, and other malware attacks increasingly utilize this highly vulnerable point of entry. This major blind spot in security can also be a significant liability for data leakage, unwanted downloads via webmail solutions like Gmail, and bandwidth consumption.
HTTPS traffic inspection that enables a balance of user privacy with organizational security is critical to an effective web security and control solution. What's essential is a flexible solution that provides certificate validation with legitimate sites like financial institutions, while fully proxying and scanning other HTTPS sessions for signs of malware, unwanted content, phishing attacks, malware calling home, and proxy use.
Content-based filtering
Content-based filtering analyzes all web traffic on the network to determine the true file type of content coming back from a website. It can then allow or disallow this traffic, based on corporate policy.
Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME type reported by the web server, and so can identify and block files that are masquerading as innocent or allowed file types but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file.
By enabling enforcement of only business-type content, this pillar of protection enables organizations to create policies around a variety of content types that are often used to send malware, thereby dramatically reducing the risks of infection. For example, incoming Windows executables or screensavers might be disallowed. Content-based filtering can also be used to improve bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
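The following is an added example, not Sophos code, of the true-file-type check the three paragraphs above describe: the declared extension and the server-supplied Content-Type are both under the remote side's control, so the allow/block decision is made on the leading bytes of the content instead. The signature table, the allow-list policy and the sample downloads are a small hypothetical set constructed for the example.

```python
"""Added example (not Sophos code): true file type detection by content.

The declared extension and the server-supplied Content-Type are both
controlled by the remote side, so the policy decision is made on the bytes.
Signature table and policy are a small hypothetical sample.
"""
from dataclasses import dataclass

# Leading-byte signatures ("magic numbers"); a real engine carries far more.
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),        # Windows PE: .exe, .dll, .scr
    (b"\x7fELF", "application/x-executable"),   # ELF binary
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),         # also .docx/.xlsx/.jar containers
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Business-content allow-list (hypothetical policy): everything else is blocked,
# which covers both executables and unknown binaries.
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "image/gif", "text/plain"}


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, falling back to a text heuristic."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    head = data[:512]
    if head and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in head):
        return "text/plain"
    return "application/octet-stream"


@dataclass
class Verdict:
    filename: str
    declared: str    # Content-Type the server claimed
    detected: str    # type inferred from the bytes
    action: str      # "allow" or "block"
    reason: str


def decide(filename: str, declared: str, data: bytes) -> Verdict:
    detected = true_type(data)
    if detected in ALLOWED_TYPES:
        return Verdict(filename, declared, detected, "allow",
                       "content type permitted by policy")
    reason = f"{detected} not permitted by policy"
    if detected != declared:
        reason += f" (masquerading as {declared})"
    return Verdict(filename, declared, detected, "block", reason)


# Constructed sample downloads (headers are synthetic, bodies truncated).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24 + b"PE\x00\x00"
SAMPLES = [
    ("quarterly.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("notes.txt", "text/plain", PE_STUB),                 # executable renamed to .txt
    ("holiday.scr", "image/jpeg", PE_STUB),               # screensaver with a false MIME type
    ("readme.txt", "text/plain", b"Build notes\nrun make\n"),
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]


def run(samples=SAMPLES):
    return [decide(*s) for s in samples]


if __name__ == "__main__":
    for v in run():
        print(f"{v.action:5} {v.filename:14} declared={v.declared:17} "
              f"detected={v.detected:25} {v.reason}")
```

The policy is an allow-list rather than a block-list on purpose: a Windows executable or screensaver is blocked whatever it is called, and so is any binary whose type the signature table does not recognise, which is the behaviour the paragraph above asks for ("enforcement of only business-type content"). Note that ZIP-based containers such as Office documents all share the `PK` signature, so a real engine has to look inside the archive to tell them apart.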
Data loss prevention
Data loss prevention is an increasingly important element of an effective web security solution in the Web 2.0 world. With strict privacy and data confidentiality regulations and requirements becoming common in most jurisdictions, it's becoming critical to enforce a comprehensive data protection strategy that governs mobile computers, removable media, devices such as USB sticks, traditional email, and of course Web 2.0 applications.

For a DLP engine to be effective, it must be able to scan and recognize sensitive data types such as credit card numbers, personally identifiable information, bank account information, social insurance numbers, and more. Predefined content control lists (CCLs) that cover hundreds of different sensitive data types across multiple localized geographies are critical to making DLP manageable and effective.

Furthermore, the most effective DLP will be that which can cover all potential exit points including removable media, devices, email, web and social media applications and stop sensitive data from being exposed at the source - right on the user's desktop. It should also integrate tightly with encryption solutions to facilitate the movement of sensitive data that does need to leave the organization.
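To make the content control list idea concrete, here is an added example, not Sophos code and not a real CCL, of a minimal scanner that recognises two of the data types named above, payment card numbers and Canadian-style social insurance numbers. Each entry pairs a pattern with a validator (the Luhn mod-10 check) so that arbitrary digit runs do not trigger, and every finding is masked before it is reported so the DLP log does not itself become a leak. The sample post and the two numbers in it are constructed test values.

```python
"""Added example (not Sophos code): a minimal content control list (CCL) scanner.

Each CCL entry pairs a regular expression with a validator so that random
digit runs do not trigger; the Luhn check rejects most of them.  Findings
are masked before they are reported so the DLP log is not itself a leak.
"""
import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


# Hypothetical CCL: (name, pattern, validator).  Longer patterns come first
# so an overlapping match is attributed to one entry only.
CCL = [
    ("payment card number",
     re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda m: 13 <= len(digits_only(m)) <= 19 and luhn_ok(digits_only(m))),
    ("social insurance number",
     re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
     lambda m: luhn_ok(digits_only(m))),
]


@dataclass
class Finding:
    ccl: str
    masked: str   # only the last four digits survive into the log
    start: int
    end: int


def mask(value: str) -> str:
    d = digits_only(value)
    return "*" * (len(d) - 4) + d[-4:]


def scan(text: str):
    findings, taken = [], []
    for name, pattern, valid in CCL:
        for m in pattern.finditer(text):
            # skip spans already claimed by a more specific entry
            if any(m.start() < e and m.end() > s for s, e in taken):
                continue
            if not valid(m.group()):
                continue
            taken.append((m.start(), m.end()))
            findings.append(Finding(name, mask(m.group()), m.start(), m.end()))
    return findings


def decide(text: str) -> str:
    """Policy: block the upload/post if any CCL entry matches."""
    return "block" if scan(text) else "allow"


# Constructed sample of a support-ticket post; 4111 1111 1111 1111 and
# 046 454 286 are Luhn-valid test values, 1234-5678-9012-3456 is not.
SAMPLE_POST = ("Ticket 4471: card 4111 1111 1111 1111 expires 12/27; "
               "old ref 1234-5678-9012-3456; SIN 046 454 286; PO 998877.")

if __name__ == "__main__":
    for f in scan(SAMPLE_POST):
        print(f"{f.ccl:24} {f.masked} at {f.start}-{f.end}")
    print(decide(SAMPLE_POST))
```

The validator is what separates a usable CCL from a noisy one: `1234-5678-9012-3456` has the shape of a card number but fails Luhn and is ignored, while the six-digit purchase order number never matches either pattern. Real CCLs add issuer prefixes, context keywords and locale-specific formats on top of this, which is why the document stresses lists covering many localized geographies.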
Key Buying Criteria
The following table fully articulates the key buying criteria you should consider when evaluating a potential web security and control solution. Use this as a guide for your online research, vendor discussions, or RFP. Be sure you are getting the most value for your investment in web security and control by ensuring your vendor is providing you with a complete solution that is simple to deploy and administer, from a trusted source that provides the service and support you require.
| Criterion | Description | What to look for | Specific questions to ask |
|---|---|---|---|
| Web application control | Control and limit the number of web applications in the environment to reduce the threat surface area from exploits | Look for an application control solution that runs on the endpoint and can block unwanted applications at the source, on the desktop. Solutions that simply inspect ports or packets at the gateway are ineffective at controlling the risk of being exploited; stop these apps from running in the first place. Also look for a solution which can identify applications based on identity signatures rather than relying on common path and file names, so that masquerading apps cannot side-step controls. Ensure the solution enables easy control over categories of applications, with granular control as needed, and provides regular updates to the application control lists to make administration easy. | |
| URL filtering database | Categorization of websites with block/allow policy options | While URL classification databases are largely a commodity, select one that has categories that make sense for your organization. More categories are not always better, as they may add complexity to your policy management. Ensure multiple languages are provided and that the URL database is significant in scope and updated regularly. Also ensure that policy controls are simple and wizard-driven, and allow policies to be set by user, group, time, site or category, with the flexibility to easily create custom policies. | |
| Reputation database | Augments URL filtering with reputation and risk classification to ensure risky sites in any category are scanned or blocked | A reputation database maintained by a top-tier security company that invests heavily in web malware research and provides frequent updates. Also look for a solution that protects both networked corporate users and mobile or remote users who may not be operating on the corporate network. | |
| Anonymizing proxy detection | Blocks users from using proxies to bypass web filtering | A combination of real-time proxy detection to identify new or obscure proxies, coupled with a comprehensive proxy discovery service to ensure policy compliance. Inquire about what sources your web security vendor uses to catalog anonymizing proxies, how many they catalog every day, and how often they provide updates. Avoid any solution which cannot detect anonymizing proxy use in real time as users initiate a connection through one, as there are plenty of obscure or home-based proxies that no reputation service will ever find. | |
| Real-time malware scanning | Scans all inbound and outbound web traffic in real time | Not all web malware scanning is created equal. Avoid signature-based scanning engines and select an engine that uses behavioral pre-execution analysis to determine code intent, which provides zero-day protection from new malware. Also inquire about obfuscated JavaScript: if the anti-malware engine cannot deobfuscate and emulate JavaScript in real time to analyze its behavior before passing it to the browser, look for one that does, for the best protection from server-side polymorphic malware. Since malware scanning is particularly important, an additional checklist of criteria applies here. | |
| Call-home detection | The ability to physically intercept and analyze outbound traffic through the gateway to identify infected systems or sensitive data leaving the organization | A system that intercepts and scans outbound requests as well as incoming web traffic. If your desired solution cannot scan outbound web requests, there is no way to prevent infected machines on your network from sending sensitive data, or even to identify which machines on your network might be infected. | |
| HTTPS scanning and certificate validation | The ability to proxy and scan all web traffic, including HTTPS encrypted channels often used by webmail, anonymizing proxies, etc., which are increasingly being targeted by malware | A solution that can not only proxy and scan HTTPS encrypted connections, but can also balance the need for end-user privacy with exceptions for bank and financial institution sites. Also look for certificate validation to avoid phishing attacks that spoof certificates to fool users into believing they are secure. | |
| True file type control | Examines all file downloads to determine their true type, dramatically reducing the threat surface area from undesired file types | A solution that simply looks at file extensions or MIME types is inadequate. Only consider a solution that does true file type detection by inspecting the file header information. This is the only way to prevent content masquerading, reduce your threat surface area and keep undesirable or illegal content off your network. | |
| Data loss prevention | Examines content for sensitive data to prevent it leaving the organization through unauthorized means | A DLP solution should cover all vectors of potential data loss, including removable media, devices such as USB sticks, traditional email, and Web 2.0 applications. Ideally the solution should block sensitive data leaks at the source, on the user's desktop. It must include a predefined list of sensitive data type definitions, updated on a regular basis as new sensitive data types are defined. | |
| Scalable | A solution that scales with your growing business, from small companies to large, geographically distributed enterprises | A range of hardware appliance models at price points attractive to organizations of all sizes, so that you can easily upgrade as your business grows. In particular, look for a solution that offers simple centralized management of multiple appliances, either in a single site for performance and redundancy or across multiple sites for geographically distributed organizations. | |
| Flexible deployment modes | Different deployment options that enable the solution to fit with your IT and business objectives, providing the ideal balance between security and ease of deployment and management | The ideal solution will support a range of options including explicit proxy mode, transparent mode operation, and support for Cisco's WCCP protocol. Avoid solutions that rely strictly on port-spanning operation. | |
| Directory services integration | The ability to integrate with your Microsoft Active Directory or Novell eDirectory services to identify and authenticate users automatically | Support for both Microsoft and Novell directory services, with easy setup and integration for user-based policy settings and reporting. | |
| Easy to manage | A solution that is immediately intuitive and doesn't consume a lot of your time and effort to set up and administer on a daily basis | If you can't get the system deployed in just a few minutes without a lot of documentation or several calls to your vendor's support line, then you have the wrong product. Select a solution with task-based, wizard-driven setup, policy administration, and reporting. Avoid any solution that's not immediately clear and intuitive. | |
| Monitoring and alerting | The health of the appliance or solution is monitored remotely and alerts are provided in the event of any malfunction | A solution that is remotely monitored for you by your vendor and that will alert you immediately if anything is wrong. | |
| Dashboard and reporting | The ability to monitor your user, web traffic, and threat activity at a glance from a real-time dashboard, and drill down into rich and sophisticated reporting for forensics and compliance insight | A solution with an aggregate dashboard that can span multiple separate appliances and present real-time status on user activity, throughput, latency, threats, and other important Internet traffic metrics. It's more important that the reporting system provide the information you need in a simple, convenient manner than try to impress you with the sheer number of reporting options. Reporting should be simple and provide drill-down capabilities, with a variety of important user, traffic, and activity reports to satisfy all stakeholders in your organization. Look for solutions that provide ad-hoc, up-to-the-minute reports while also supporting a variety of parameters and export options, including PDF output. In addition, regular scheduled reporting is essential to save you time and effort satisfying the needs of the various stakeholders in the organization. Beware: once you have rich Internet activity reporting at your fingertips, everyone will want it. | |
| Frequent updates | Frequent updates to malware identities, risky or malware-infested sites, and anonymizing proxies | Ideally your solution should update as frequently as every few minutes, as needed. Avoid solutions whose update frequency is measured in hours; by the time you get an update, it's likely too late. | |
| Easy upgrades | Updates to product software are easy to deploy | Ideally your product should update automatically, without any intervention and at no extra cost for minor or major version releases. | |
| Service and support | The support experience | A company that treats you like a partner in protecting your organization, and that offers 24/7/365 support at no additional cost, with immediate access to local front-line engineers who can actually help in your language. Also look for a solution that offers an advance replacement warranty on all hardware. Avoid vendors whose support is all overseas or who deal with both enterprise and consumer customers. | |
| Security labs | The team responsible for threat analysis and security updates | Look for a solution backed by a top-tier, global, round-the-clock security labs operation that deals with blended email, web, and endpoint threats. | |
Buying Guide Checklist
| Criteria | Sophos | Other |
|---|---|---|
| Security and Control | | |
| Web Application Control (4 criteria) | • | - |
| URL Filtering (3 criteria) | • | - |
| Reputation Filtering (3 criteria) | • | - |
| Proxy Filtering (3 criteria) | • | - |
| Real-time Malware Scanning (7 criteria) | • | - |
| Call-home detection (1 criterion) | • | - |
| HTTPS Scanning (3 criteria) | • | - |
| Content Filtering (2 criteria) | • | - |
| Data Loss Prevention (7 criteria) | • | - |
| Deployment, management and vendor capabilities | | |
| Scalable (3 criteria) | • | - |
| Deployment modes (3 criteria) | • | - |
| Directory services integration (2 criteria) | • | - |
| Management Console (5 criteria) | • | - |
| Monitoring and Alerting (3 criteria) | • | - |
| Dashboard and Reporting (9 criteria) | • | - |
| Updates and upgrades: update interval | 5 minutes | |
| Updates and upgrades (2 further criteria) | • | - |
| Service and support (4 criteria) | • | - |
| Security labs (4 criteria) | • | - |
Source: http://web.sophos.com/sph/enterEmailAddress.jssp?PivotalWebId=sophos-web-security-buyers-guide-wpna&FormName=White_Paper&lang=en&Resource=sophos-web-security-buyers-guide-wpna&returnUrl=/security/whitepapers/sophos-web-security-buyers-guide-wpna?action=lead_collected