It’s pretty well accepted now that traditional anti-virus products have lost round one to the malware writers. In fact, none of the traditional security measures are quite enough anymore. The preferred approach is to use multiple protections at multiple points in the network. You can’t just protect the perimeter and you can’t just protect the end points.
You can’t use just a single technology, but need a suite of solutions to tackle different problems at different places.
Michael Sentonas, director for sales engineering and services for McAfee agrees. “There’s a massive opportunity for solutions that provide maximum security but minimum management load,” he says. “That’s why there is a move to ‘best-of-suite’ type of approach. Users need to be able to deploy quickly and manage them effectively.”
Content Inspection
One of the hottest areas resellers need to bone up on is Web content inspection. There are nearly as many approaches to protecting against Web-borne threats as there are security companies offering solutions, but they all have one thing in common: they no longer rely on simple URL filtering to keep the bad guys out.
In response to the increase in blended and zero day threats, vendors have begun delving deeper into the traffic entering or leaving the enterprise. More often than not they are looking for more than virus signatures.
Although still an essential part of the security mix, in the threat 2.0 world traditional anti-virus technologies are proving less effective because they are tuned to identify existing, recognised threats by checking for a signature match. Initially, heuristic approaches were used to catch new malware with some success, but the rising incidence of self-mutating malware is making signature-scanning security solutions less successful.
To minimise the risk from blended threats and zero day exploits, security professionals have increasingly used Web gateways with URL filtering to restrict access to specific Internet sites perceived to be a threat to either security or worker productivity.
The idea was to block access to obvious threat sites, such as P2P and pornography along with bandwidth and time wasting sites such as YouTube and MySpace. As the crimeware gangs responded this became less effective and had to be augmented to block a wider range of sites. All too often the malware would be on a site that wasn’t already blocked, so security vendors introduced various reputation services to help identify the moving feast of threat locations, sending updates to Web appliances regularly.
Such systems have become increasingly sophisticated and continue to scale. They are not merely reactive either. Websense, for example, just launched its ThreatSeeker network. Each and every hour this system scans more than 40 million websites, assigns more than 2 million new reputation scores and scans 10 million emails. On a daily basis, the ThreatSeeker network uses more than 50 million real-time data collecting systems to parse one billion pieces of content. It uses Honeyclients to mine and analyse more than 100 million websites daily, and captures spam, phishing or exploit campaigns with Honeypots and Spamtraps for more than 10 million unsolicited attacks daily.
More often security vendors are taking advantage of the processing power available in Web appliances to take a closer look inside the traffic moving in and out of the network. Some look at the packet level for threats, while others go the added step of examining a stream of packets to get a bigger picture of the content and even reassembling it to determine exactly what the code will do when it is executed.
An early entrant in this type of approach is WatchGuard with its Layer Seven firewall products. Scott Robertson, A/NZ regional director for WatchGuard, said application-level scanning allows security administrators to disassemble a packet and inspect it for its characteristics before letting it on to the network.
The proxy architecture used means there is never any direct connection between end-points on the network and the outside world. In this way, if the data stream contains a GET or POST command, for example, the administrator can pre-assign policies for how these should be handled.
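The proxy-style inspection described above, as an added example in Python (not the article's or WatchGuard's code): TCP payload fragments are reassembled into whole HTTP requests, then each request is checked against a pre-assigned per-method policy and a reputation blocklist before a verdict is returned. The hostnames, the policy table and the blocklist are constructed for illustration.

```python
import re

# Constructed policy table (hypothetical): the hosts each HTTP method may reach.
# None means any host not on the blocklist; a set restricts the method to those hosts.
POLICY = {"GET": None, "POST": {"intranet.example"}}
BLOCKLIST = {"bad.example"}  # constructed stand-in for a reputation feed, not a real indicator
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def reassemble_requests(fragments):
    """Join TCP payload fragments and cut them into complete HTTP requests.
    Returns (requests, leftover); leftover is data still waiting for more packets."""
    buf, requests = b"".join(fragments), []
    while (end := buf.find(b"\r\n\r\n")) >= 0:
        lines = buf[:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        length = headers.get("content-length", "0")
        total = end + 4 + (int(length) if length.isdigit() else 0)
        if len(buf) < total:
            break  # request body has not fully arrived; keep buffering
        body, buf = buf[end + 4:total], buf[total:]
        m = REQUEST_LINE.match(lines[0])
        requests.append({"method": m.group(1) if m else None,
                         "path": m.group(2) if m else lines[0],
                         "host": headers.get("host"), "body": body})
    return requests, buf

def evaluate(request):
    """Apply the pre-assigned per-method policy to one reassembled request."""
    method, host = request["method"], request["host"]
    if method is None:
        return "block", "malformed request line"
    if host is None:
        return "block", "missing Host header"
    if host in BLOCKLIST:
        return "block", "host on reputation blocklist"
    if method not in POLICY:
        return "block", f"method {method} not permitted"
    if POLICY[method] is not None and host not in POLICY[method]:
        return "block", f"{method} not permitted to {host}"
    return "allow", "policy match"

def inspect_stream(fragments):
    """Verdict for each request in a client-to-server stream, plus unparsed leftover."""
    requests, leftover = reassemble_requests(fragments)
    return [(r["method"], r["host"], *evaluate(r)) for r in requests], leftover
```

Because requests are only judged once their headers and body are complete, a request split across several packets, or several pipelined requests in one packet, are handled the same way.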
What’s in that code?
By Darren Baguely on Apr 30, 2008 11:25AM