IronPort Presentation

Cisco and Todays Email and Web Threat Landscape.
James Lee SMB Channel Manager
2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Wincor-World 2008 2006 Michael Klausmeyer, Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Agenda
About Cisco IronPort. Market Leadership. Our Technology. Why Cisco IronPort 3 Key Reasons.
Wincor-World 2008 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2006 Michael Klausmeyer, Cisco Systems, Inc. All rights reserved.
Cisco Confidential
About IronPort
The leading provider of anti-spam, anti-virus and anti-malware appliances. Founded in 2000. Part of the Cisco Security Technology Business Unit since mid 2007. Protects 12/15 of the worlds largest ISPs, 56% of the Fortune 100. Powered by Senderbase, the worlds largest threat detection database. No 1 Market Share position in Email Appliance Market.
Cisco Confidential
Gartner Magic Quadrants

for Email Security Boundaries, 2008 For Web security, 2008
Cisco Confidential
Customer Leadership UK
Cisco Confidential
IronPort Gateway Security Products

Internet
Internet
IronPort SenderBase
BLOCK Incoming Threats
APPLICATION-SPECIFIC SECURITY GATEWAYS
ENCRYPTION
Appliance
EMAIL
Security Appliance
WEB
Security Appliance
CENTRALIZE Administration PROTECT Corporate Assets Data Loss Prevention

Security MANAGEMENT Appliance
CLIENTS
Web Security | Email Security | Security Management | Encryption

Wincor-World 2008 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2006 Michael Klausmeyer, Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Security Products Overview

Comprehensive Security, Flexible Delivery
Application Level
Data Center / Campus
ACE Web App Firewall Network Admission Control IPS 4200
Network Level
FWSM
ASA 5500
Corporate HQ
Cisco IronPort C-Series
Cisco IronPort S-Series
IPS 4200
ASA 5500
Cisco Security Intelligence Operations
Branch Office
Cisco IronPort Blocker/ C-Series
Cisco IronPort S-Series
ISR
ASA 5500
Centralized Management
Teleworker
Clientless Network Access Cisco AnyConnect VPN Client
Cisco Confidential
Email Security
Adjacent Market Segment Strategy
Appliance
Barracuda
Cisco/IronPort Symantec
Google Microsoft Hosted Cisco/Webex SMB
Message Labs
Enterprise
Cisco Confidential
Why IronPort ?
1. Spam management
Cisco Confidential
10
Typical Pain Points

Volume of Spam entering the network is causing bandwidth problems damaging productivity. False postive and quarantine management is a fulltime job in itself. Policy Management is a headache.
Cisco Confidential
11
Email Security Threats

More Spam and Spammers
More Spam
Daily spam volume doubles yearly Reaching 180 billion spam messages per day
Average Daily Spam Volume
Average # Compromised Hosts
More Spammers
More Spammers with Botnetcompromised hosts send spam Malware sophistication increasing
Source: Cisco Threat Operations Center
Cisco Confidential
12
Spam Sophistication Increasing
TEXT SPAM 2005 2006 IMAGE SPAM
ATTACHMENT SPAM (PDF, EXCEL, MP3) 2007 2008 TARGETED ATTACKS

Your Equitable Bank account is closed, call us now at (802)354-4250
Your Equitable Bank account is closed, call us now at (802)354-4250
Spam has undergone a significant evolution in 2008sophisticated online criminals have been using smaller phishing campaigns aimed at more targeted groups of recipients to great effect.
- 2008 Internet Security Trends Report Published By Cisco and IronPort

Cisco Confidential
13
Malware Is On The Rise

Email is a Primary Medium
Cisco Confidential
14
Coordinated, Multi-Phase Attacks
Spam Engines (SMTP)
Landing pages (HTTP)
Cisco Confidential
15
Spammer X
Pharmaceutical spam sales results. 1 day of sales from 2006. 40 million spam sent
Spam Sent Click through ratio Total Click-throughs Click-through to sale ratio Total Sales Total Sales Revenue Spammer Commision Rate Total Spammer Income Weekly Running Costs Bulletproof hosting 4 days of Botnet Access Email Addresses Total Costs $ 40,000,000 0.12% 48000 1/200 240 37,440.00 50% 18,720.00
$230 $6,800 $4,000 $11,030
62%
Net Profit
7,690.00
Cisco Confidential
16
IronPort Anti-Spam
Lowest False Positive Rate
Source: Messaging Media, Nov, 2006
Cisco Confidential
17
IronPort Anti-Spam
Lowest False Positive Rate
Source: Messaging Media, Nov, 2006
Cisco Confidential
18
The IronPort SenderBase Network
Global Reach Yields Benchmark Accuracy

30B+ queries daily 150+ Email and Web parameters 25% of the Worlds Traffic Cisco Network Devices
Combines Email & Web Traffic Analysis

View into both email & Web traffic dramatically improves detection 80% of spam contains URLs Email is a key distribution vector for Web-based malware Malware is a key distribution vector for Spam zombie infections
IronPort EMAIL
Security Appliances
IronPort SenderBase
IronPort WEB
Security Appliances
Cisco Confidential
19
Cisco IronPort SenderBase

SpamCop, SpamHaus (SBL), NJABL, Bonded Sender Spam, phishing, virus reports SpamCop, ISPs, customer contributions Message size, attachment volume, attachment types, URLs, host names Complaint Reports IP Blacklists & Whitelists
Breadth and Quality of Data Makes the Difference
Domain Blacklist & Safelists
Spamvertized URLs, phishing URLs, spyware sites
Spam Traps
Compromised Host Lists
SORBS, OPM, DSBL
Message Composition Data
Web Site Composition Data
Downloaded files, linking URLs, threat heuristics
Global Volume Data Over 100,000 organizations, email traffic, web traffic
Other Data Fortune 1000, length of sending history, location, where the domain is hosted, how long has it been registered, how long has the site been up
SenderBase
Cisco Confidential
20
Traditional Content Filters

What CONTENT FILTERS Find
WHAT? Message content legitimate.
Verdict: UNKNOWN
Cisco Confidential
21
Full Context Analysis
What Full Context Analysis Finds

WHAT? HOW? WHO? Message content legitimate Message construction emulates Microsoft Outlook client IP address started sending email a day ago Message originated from dial-up IP address IP address generating thousands of complaints WHERE? Mismatch between display & target URL Website domain registered a day ago Website hosted on a compromised host Website hosted at an untrustworthy network owner Name servers located in Ukraine
Verdict: BLOCK
Cisco Confidential
22
Products Email Security

Cisco Spam and Virus Blocker- 50/100/250 users IronPort C150 100-999 users IronPort C360 1000-4999 users IronPort C660 5000-10000 users IronPort X1060 ISP box
Cisco Confidential
23
Why IronPort
2. Good Sites Gone Bad.
Cisco Confidential
24
Typical Pain Points

Malware entering the network through legimate sites IT Managers unable to monitor web usage by employee. Current solution is difficult to manage. Policy changes are a headache.
Cisco Confidential
25
Exploited Websites; An Invisible Threat
Cisco Confidential
26
Invisible Threats Are Very Visible

Exploited web sites are responsible for over 87% of all Web-based threats today* Over 79% of web sites hosting malicious code are Legitimate** 9 out of 10 web sites vulnerable to attack** Cross-site Scripting (XSS) and SQL Injections rank amongst the highest method of infections
Cross-Site Scripting (7 out of 10 websites)** SQL Injection (1 in 5 websites)**
*Source: IronPort TOC ** Source: White Wincor-World 2008 Hat Security, Website Sec Statistics Report 10/2007 & PPT 8/2008
2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2006 Michael Klausmeyer, Cisco Systems, Inc. All rights reserved. Cisco Confidential
27
August 4th - CNN Downloader Exploit
Links took users to the Website hosting malware
Cisco Confidential
28
MySpace, LinkedIN and others targetted

Transparent GIF Downloader.Win32.VB.bjr on a MySpace page Myspace Page superimposed by a 990x990 .GIF image which had a substantial transparent area surrounding an image of a bogus Automatic Updates alert dialog. This superimposed image was anchored to an HREF tag pointing to the downloader Trojan. Clicking anywhere on the viewable screen would invoke the link and cause the Trojan to download onto the system.
Cisco Confidential
29
The windscreen attack

Flier posted on car PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to website-redacted Link to malicious web site DLL installs DLL connects to childhe.com
-3 wbrs reputation
Cisco Confidential
30
Free Malware! http://85.17.166.229/
You will be too!
Fake anti-spyware web site that claims to offer free spyware protection User downloads free scanner, gets infected with a malware
Cisco Confidential
31
Social Engineering
continues
Fake anti-spyware Website that claims to offer free spyware protection Users download free scanner, gets infected with a malicious Trojan This is an example of a Botsite using social engineering techniques
32
Blocked by Web Reputation Filters
http://85.17.166.229/ also contains links to other malicious sites, like: platinumpartner.com (see next slide) WBRS blocked at -9.0
33
IronPorts Web Reputation Filters

Analyzes more than 5 billion web transactions daily Blocks up to 70% of malware at the connection level prior to signature scanning. IronPorts Web reputation system is able to offer an industry leading 60% higher malware catch rate than traditional signature scanners.
Cisco Confidential
34
Web Reputation Filters

Closing the window of vulnerability
Web Reputation Filtering Botsite Defense URL Outbreak Detection Unknown Malware Object/ URLs/ IPs Known Malware Objects Known Malware URLs Exploit Filtering Proxy Anonymizers
URL Filtering
Signature Scanners
35
Traditional URL Filtering Vendors Dont Block These New Threats
Cisco Confidential
36
IronPort URL Filters

Leading Accuracy and Control
Categories
Enterprise-class database
52 categories, over 21 million sites, ~3.5 billion webpages 1/3 of the database is international
Advertisements & Pop-ups Arts Blogs & Forums Business Chat Computing & Internet Infrastructure Downloads Intimate Apparel & Swimwear Education Entertainment Job Search & Career Development
Categories
24 x 7 monitoring Regular, automated updates
Fashion & Beauty Kids Sites Motor Vehicles Finance & Investment Food & Dining Games Government News Peer-to-Peer Personals & Dating
Health & Medicine Philanthropic & Professional Orgs. Hobbies & Recreation Photo Searches Hosting Sites Politics Proxies & Translators Real Estate Reference
Cisco Confidential
37
Products Web Security

IronPort S160 100-999 users IronPort S360 1000-4999 users IronPort S660 5000-10000 users
Cisco Confidential
38
Why IronPort ?
3. DLP Leakage and Encryption
Cisco Confidential
39
Typical Pain Points

Director level concern about sensitive date leaving the organisation. Customer needs to adhere to corporate/public sector regulations. HR looking to enforce acceptable use policies.
Cisco Confidential
40
What Does DLP Mean To Executives?

Record Type Lost
Other 12% Email Addresses 13%
Credit Card Numbers 45%
Source: http://attrition.org/dataloss/
2006: 2007 To Date: 346 incidents 224 and counting
National Insurance Numbers 30%
Estimated Cost Per Record Lost:
$182
The Ponemon Institute
Cisco Confidential
41
Why Email Encryption Isnt Everywhere
?
Total Cost of Ownership
No Single Solution has Been Able to Overcome the Major Obstacles
Cisco Confidential
42
IronPort PXE: Sending a Message

Instant Deployment, Zero Management Costs
CISCO REGISTERED ENVELOPE SERVICE
Automated user enrollment and account creation User authentication and key delivery Message Tracking Secure Reply NEVER stores email message highest security
Cisco Confidential
43
Analyst Recognition: Email Encryption
Cisco Confidential
44
New Technologies
Web Usage Controls DLP over FTP and HTTP Scansafe Acquisition
Cisco Confidential
45
New Technology
Web Usage Controls
Cisco Confidential
46
Customer Problem
The Categorized Web

20% covered by URL lists
Cisco Confidential
47
The Dark Web

80% of the web is uncategorized, highly dynamic or unreachable
Dynamic content Password protected sites User generated content Short life sites
The Categorized Web

20% covered by URL lists
Cisco Confidential
48
The Dark Web Challenge

URL Lookup in Database
Legacy URL Filtering Effectiveness is Decreasing

Legacy URL filtering primarily focuses on crawling and manual review/classification Databases add thousands of new URLs per daywhile the web adds a Billion 95% of the web will be uncategorized by 2015
www.sportsbook.com/
URL Database
Gambling
Uncategorized
OBSCENE
ADULT
PORN
GAMBLING
Cisco Confidential
49
The Dark Web Challenge

URL Lookup in Database
Legacy URL Filtering Effectiveness is Decreasing

Legacy URL filtering primarily focuses on crawling and manual review/classification Databases add thousands of new URLs per daywhile the web adds a Billion 95% of the web will be uncategorized by 2015
www.sportsbook.com/
URL Database
Gambling
Uncategorized
The Dark Web
Invisible risks: Compliance violations Legal liabilities Acceptable use evasion
Cisco Confidential
50
Dynamic Categorization in Action

Amateur Pornography Website BLOCKED
URL List Verdict: URL Keyword Verdict:
Uncategorized Uncategorized
Dynamic Content Analysis Engine

Terms Identified in Concept Vector: Amateur Porn erotic materials FEDERAL LAW laws Concept Vector: Top Matches
Verdict: PORNOGRAPHY Action: BLOCK
Model Doc 001357 001511 000613
Confidence 67.84% 57.65% 54.90%
Category Pornography Adult Pornography
Cisco Confidential
51
Cisco IronPort Web Usage Controls
Leading Efficacy, Rich Controls, Comprehensive Visibility
Control
Per user, per group policies Multiple actions: block, warn, monitor Time-based policies Unlimited custom categories Custom end-user notifications
Visibility
Easy to understand reports Extensive logging Comprehensive alerting
Efficacy
200+ countries 50+ languages 65 categories Less than 1 in 1 million false positives
Cisco Confidential
52
Competitive Snapshot
Effective Dynamic Categorization is the Key
Vendor
Real-Time Dynamic Categorization
z z z z
Tuned to identify objectionable content on the Internet. Not available in WebSense Enterprise/Security. Only available on V10000 appliance. Not on-box. DRTR forwards uncategorized sites for in-cloud categorization, which introduces latency for end users.
No dynamic categorization.
Cisco Confidential
53
New Technology
DLP over HTTP and FTP
Cisco Confidential
54
DLP overview
At recent Forester event, only 20% of CSOs planning to deploy DLP in 2010. None were planning it in 2009 80% of all DLP issues relate to sensitive data being lost across SMTP (Email) and HTTP (Web)
Cisco Confidential
55
Cisco IronPort Data Security Filters

On Box DLP Capabilities Content metadata inspection, along with visibility and forensics Allow , block, log
Based on file metadata, URL category, user and web reputation
Multi-protocol
HTTP(s), FTP, HTTP tunneled
www.mypartner.com
Allow, Block, Log
Internet
Users
www.malwarrior.com
Cisco Confidential
56
Common Sense Policies

John Smith, Finance
Simple Approach for Avoiding Web Data Breaches

Who?
John Smith, Finance Jane Doe, Sales
What?
FiscalPlan.xls
FiscalPlan.xls
CustomerList.doc
Where?
Webmail.com
Taxfirm.com
Personal-site.com, -9 Reputation score
How?
HTTPS (Encrypted)
HTTPS (Encrypted)
FTP
Verdict
57
Cisco RSA DLP:

Comprehensive Accurate Easy
Worldwide regulatory compliance coverage, numerous remediation options
No managing false positives
Quickly deploy and manage
Cisco Confidential
58
Conclusions
Anti-Spam efficacy continues to be the key driver in the Email Security Market. Traditional URL Filtering Solutions not proactive at blocking legitimate sites that are compromised. Email encryption is a major part of Ciscos DLP strategy Cisco integration helps IronPort build on its market leading position
Cisco Confidential
59

IronPort Presentation

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

IronPort Presentation

Загружено:

Авторское право:

Доступные форматы

Cisco and Todays Email and Web Threat Landscape.

James Lee SMB Channel Manager

Gartner Magic Quadrants

IronPort Gateway Security Products

BLOCK Incoming Threats

APPLICATION-SPECIFIC SECURITY GATEWAYS

CENTRALIZE Administration PROTECT Corporate Assets Data Loss Prevention

Web Security | Email Security | Security Management | Encryption

Cisco Security Products Overview

Cisco IronPort C-Series

Cisco IronPort S-Series

Cisco Security Intelligence Operations

Cisco IronPort S-Series

Google Microsoft Hosted Cisco/Webex SMB

Typical Pain Points

Email Security Threats

Average # Compromised Hosts

Source: Cisco Threat Operations Center

Spam Sophistication Increasing

TEXT SPAM 2005 2006 IMAGE SPAM

ATTACHMENT SPAM (PDF, EXCEL, MP3) 2007 2008 TARGETED ATTACKS

Your Equitable Bank account is closed, call us now at (802)354-4250

- 2008 Internet Security Trends Report Published By Cisco and IronPort

Malware Is On The Rise

Coordinated, Multi-Phase Attacks

Spam Engines (SMTP)

Landing pages (HTTP)

$230 $6,800 $4,000 $11,030

Source: Messaging Media, Nov, 2006

Source: Messaging Media, Nov, 2006

The IronPort SenderBase Network

Global Reach Yields Benchmark Accuracy

Combines Email & Web Traffic Analysis

Cisco IronPort SenderBase

Breadth and Quality of Data Makes the Difference

Domain Blacklist & Safelists

Spamvertized URLs, phishing URLs, spyware sites

Compromised Host Lists

SORBS, OPM, DSBL

Message Composition Data

Web Site Composition Data

Downloaded files, linking URLs, threat heuristics

Traditional Content Filters

Full Context Analysis

What Full Context Analysis Finds

Products Email Security

2. Good Sites Gone Bad.

Typical Pain Points

Exploited Websites; An Invisible Threat

Invisible Threats Are Very Visible

August 4th - CNN Downloader Exploit

Links took users to the Website hosting malware

MySpace, LinkedIN and others targetted

The windscreen attack

Free Malware! http://85.17.166.229/

You will be too!

Blocked by Web Reputation Filters

IronPorts Web Reputation Filters

Web Reputation Filters

Traditional URL Filtering Vendors Dont Block These New Threats

IronPort URL Filters

24 x 7 monitoring Regular, automated updates

Products Web Security