"Business technology news for Europe's senior executives...."
25 May 2011

The Need for Proactive Web Security to Safeguard Your Business Assets

According to the DTI Information Security Breaches Survey 2006, 62% of UK companies had at least one security incident in 2005, while the overall annual cost of these incidents reached ten billion pounds. Interestingly, these breaches occurred despite the fact that 98% of the companies surveyed use anti-virus software, while 74% also deploy anti-spyware software.

These findings suggest that “traditional” security technologies, such as those mentioned above, no longer provide sufficient protection against today’s malware threats. Technologically-savvy hackers are crafting malicious code that slips through firewalls and eludes other types of reactive defenses.

Not only is malware more pervasive, it is also increasingly complex. According to IDC, the increasing sophistication of attacks is regarded as the top security challenge facing organizations over the next 12 months (IDC Enterprise Security Survey, 2005). Sophisticated web-borne threats, such as Spyware, viruses, Trojans, and other malicious code, can damage corporate machines and data, steal identities, violate privacy and compromise intellectual property.

In order to address these new types of threats, proactive security technologies have been introduced that complement existing reactive security technologies.

Reactive Security Is Not Enough

“Reactive security” relates to systems and methods that either 1) allow everything to pass, and block only what is known to be malicious or 2) block all network traffic and allow only what is known to be non-malicious.

Anti-Virus, URL Filtering, Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) and network firewalls are well-known examples of reactive solutions. The strengths and weaknesses of these solutions are discussed below:

  • Anti-Virus uses known signatures, i.e., negative patterns, to identify malicious content. If no signature is found in a given file, the file is considered safe. While Anti-Virus technology is effective against known viruses, its limitations are well-known: until the malicious content has been analyzed at the anti-virus vendor’s lab and a signature has been created, no protection is available.
  • URL Filtering solutions hold a list of web addresses (URLs) which are known to be malicious. As long as the requested URL is not within the database, users can access the site. URL Filtering is an excellent solution for enterprises that wish to control the browsing habits of their employees for improved productivity and network performance. However, in terms of detecting new malicious sites, whose life cycles are often measured in hours or days in order to avoid detection, URL Filtering is less effective.
  • IDS/IPS products alert administrators only after an attack has taken place. Enforcing a negative security model, these products rely on a database of known patterns to identify network level attacks and alert administrators – similar to anti-virus signature updates. IDS/IPS products are not content/application-aware since web content is too diverse to be effectively handled by pattern recognition. While IDS/IPS products are capable of identifying clear text protocols (e.g., HTTP), they are useless in the event that SSL encrypted traffic is used (i.e., HTTPS).
  • Network firewalls take the opposite approach. The firewall is designed to block all traffic by default. Only traffic or protocols that were explicitly defined as trusted content are allowed to enter the trusted network via the designated port. However, since web-based threats and malicious code enter corporate networks through port 80 (HTTP) and port 443 (HTTPS), which are typically left open to support business operations, a complementary solution is required to scan the web content arriving via these ports.


The Window-of-Vulnerability™

Reactive security methods provide an important layer of defense against known threats. However, since reactive, signature-based security solutions, e.g., Anti-Virus, require time to create and deliver a signature update to their databases, they cannot offer immediate protection against new, unknown attacks. This creates a Window-of-Vulnerability™, during which networks are exposed and vulnerable for hours and sometimes days to new attacks, until patches or signature updates are installed.


The Need for Proactive Web Security

In order to close this Window-of-Vulnerability™ and safeguard business and networks from new and unknown malicious code, security professionals have developed proactive security technologies. “Proactive security” relates to systems and methods that inspect content for suspicious computer operations, function calls, commands or operations. Using these findings together with smart algorithms, proactive security methods build the expected execution model and identify execution paths that violate a security policy. Any such violation is sufficient to prevent or block the malicious code from execution on the end-user machine.

Today’s sophisticated web-borne threats are primarily driven by Active Content, e.g., Java applets, VB Scripts, JavaScripts and ActiveX. While these technologies enable users to browse dynamic websites and run common business applications, they can also be exploited by hackers to install malicious Spyware and Trojans. Traditional security solutions were not designed to differentiate legitimate from malicious Active Content arriving via the web.

Behavior-based analysis and blocking is a highly effective proactive security technology that protects end-users from unknown web threats, such as those driven by Active Content. By analyzing code behavior and understanding the context of its execution environment, this approach is highly effective in handling unknown, dynamic and rich web content. When deployed at the gateway, behavior-based security detects malicious web content before it enters the corporate network and reaches end-user PCs. This type of proactive security enables corporate users to take full advantage of web-based technologies, without compromising network security and valuable business assets.
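
The contrast drawn above between signature matching and policy-based inspection can be seen in a small gateway-style check. This is an added example, not code from the article or from any vendor product: the script fragments, operation names and policy rules are constructed assumptions, and the pattern matching is a deliberately simplified stand-in for the execution-model analysis the article describes.

```python
import hashlib
import re

# Constructed, inert script fragments used only as sample input (assumptions).
KNOWN_SAMPLE = 'var s = new ActiveXObject("WScript.Shell"); s.Run("setup.exe");'
NEW_VARIANT = 'var  sh = new ActiveXObject("WScript.Shell");\nsh.Run("update.exe");'
BENIGN = 'document.getElementById("menu").style.display = "block";'

# Reactive model: digests of content that has already been analyzed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE.encode()).hexdigest()}

def signature_verdict(content):
    """Block only content whose digest is already in the signature set."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    return "block" if digest in SIGNATURES else "allow"

# Proactive model: name the operations a script would perform, then test
# the set of observed operations against a policy (hypothetical rule names).
OPERATIONS = {
    "create_shell_object": re.compile(r'ActiveXObject\(\s*["\']WScript\.Shell["\']', re.I),
    "launch_process": re.compile(r'\.\s*Run\s*\(', re.I),
    "write_file": re.compile(r'\.\s*(CreateTextFile|SaveToFile)\s*\(', re.I),
}
# Each rule is a combination of operations the policy forbids together.
POLICY_FORBIDDEN = [{"create_shell_object", "launch_process"}, {"write_file"}]

def observed_operations(content):
    """Return the names of all operations whose pattern appears in content."""
    return {name for name, rx in OPERATIONS.items() if rx.search(content)}

def behavior_verdict(content):
    """Block when every operation of any forbidden rule is observed."""
    ops = observed_operations(content)
    violated = [sorted(rule) for rule in POLICY_FORBIDDEN if rule <= ops]
    return ("block", violated) if violated else ("allow", [])

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT), ("benign", BENIGN)]:
        print(name, signature_verdict(sample), behavior_verdict(sample))
```

The variant differs from the known sample only in whitespace, a variable name and a file name, yet it passes the signature check until a new signature is issued, while the policy check blocks it on first sight. Text patterns like these are themselves defeated by obfuscated or dynamically generated script, which is why the approach described in the article analyzes the code's execution behavior rather than its text.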


Conclusion

While reactive, signature-based solutions - such as Anti-Virus, firewall, IDS/IPS and URL Filtering - are effective against known malware, in most cases they are not capable of detecting new and emerging web-based threats, such as Spyware, Phishing, Trojans and malicious code.
Recognizing the business risks that sophisticated web-based threats pose to their mission-critical applications and information assets, corporations realize that they must take proactive measures to safeguard their network systems from malicious and/or inappropriate content.
Accordingly, security-conscious corporations are deploying proactive security solutions, such as behavior-based analysis and blocking solutions, on top of their traditional reactive solutions in order to prevent unknown and emerging web threats.

www.finjan.com

