ScanSafe Overview

Agenda ScanSafe overview Solution highlights Deployment options Demo Q&A

“The first successful in-the-cloud secure #1 SaaS Web Security Solution “The first successful in-the-cloud secure Web gateway service” Industry’s most mature platform 20 Billion web requests per month 1,000’s of customers across 80 countries 200 Million Blocks per Month Global network operations in 4 continents SLA backed 99.999% service uptime Customers

Web Security – A Big Market Where Cisco is #1 Web Security Market Large: Overall market $2.5B by 2013 Broad across size, industry, geography Growing: Market Growth at 12.3% CAGR; But 46.5% CAGR for SaaS segment

Web Security – Market Shift to SaaS SaaS is growing much faster than legacy software/hardware as it delivers lower TCO and effective security. Ideal for customers with distributed networks and mobile workers Cisco ScanSafe is the dominant provider in SaaS, with 35% market share or 5x nearest competitor according to latest IDC research

Solution Overview So looking at the ScanSafe solution from a high level, you can see the key elements: For integration and user granularity Integrated management and reporting that covers all aspects of the solution Consistent policy and security for all users, regardless of location – this includes BlackBerry mobile devices Numerous ways to integrate with existing network infrastructure and authentication services For filtering policy Bi-directional content based policy enforcement Dynamic content classification Control over HTTP & HTTPS communications For security Accurate zero-day threat protection Based on the world’s largest Web usage dataset – billions of Web requests a day All security extended to remote and roaming users as well as on-premise users And so overall, ScanSafe offers consistent, enforceable, high-performance Web security and policy, regardless of where or how users access the Internet.

FREE EVAL FOR 30 DAYS – NO OBLIGATION TO PURCHASE Positioning Required Information:- Overview of Prospect i.e. Seats/Locations/Gateways Customer Project or Problem Business Drivers – Compelling Mechanism Timescales Budget Why ScanSafe:- We do it cheaper, by saving time on cleaning infected PC’s & by managing the software on a day to day basis We are more secure, 200 million malware blocks a month – spyware/malware/viruses We are a complete solution – Internal users & External users are controlled via the same service FREE EVAL FOR 30 DAYS – NO OBLIGATION TO PURCHASE CapEx to OpEx = many customers would prefer to know the fixed amount they are paying each year and budgeting it.

Competitive Outlook Today 12 months Very significant market/vendor consolidation in past 2 years Key Competitors: Websense – incumbent in large % of deals. Focus on renewal unless pushed. Increase in development in SaaS platform. Continued move to try and position as a security vendor Blue Coat – incumbent in large % of deals. Not that security focused. Rarely lose new business deals MessageLabs – focus on email security with web security offered for completeness. Low cost, low functionality Zscaler – small and relatively new, v. aggressive, may be acquired. Partnership with Microsoft. Less success in larger Enterprise customers. Today 12 months 1. Websense 2. Blue Coat 3.MessageLabs 4. Zscaler 1. Websense 2. MessageLabs 3. Blue Coat 4. Microsoft (?)

ScanSafe Competitive Differentiation Clear market leadership position (~34% market share) More customers than any other cloud Web security solution ScanSafe sees more real-world Web traffic than any other solution Leading content visibility & zero-day threat protection Large database of Web content used to “train” security engine Uses combination of static & dynamic analysis Proven to block >25% more malware than signature solutions Proven reliability Web is now business critical communication 100% uptime for 7 years Superior reporting Complete flexibility into reporting criteria Allows end users to define exactly what data is important

Agenda ScanSafe overview Solution highlights Deployment options Demo Q&A

Data Flow with ScanSafe Web requests Allowed traffic Filtered traffic

Scalability & Reliability 15 Data Centers spanning four continents Top tier certification Thousands of devices deployed 100% availability, automated monitoring, full redundancy San Francisco Dallas Miami New York Chicago London (2) Paris Copenhagen Frankfurt Tokyo Hong Kong Sydney (2) Singapore Additional Data Centers planned Moving on to scalability and reliability - I don’t know a customer or prospect out there who isn’t looking for a solution that is both scalable and reliable. This is really one criteria that’s universal! When thinking about scalability, there’s really a multiple things to consider: Scale for total end users globally Scale for large customers with hundreds of thousands of users in a single organization with a single policy Scale globally – or maybe you’d call it global reach Doing all this while maintaining a high performance service ScanSafe hits all these points. Every day, our service scans billions of Web requests, and to give you a sense of the scale of that, it’s similar to the number of Web requests that Google handles every day. Every single one of those requests is scanned in real-time to ensure policy and security are maintained – that’s millions of end users around the world. In order to ensure that our customers maintain the highest levels of performance ScanSafe - all this real-time analysis, using our proprietary analysis engine Outbreak Intelligence, (which we’ll talk about later in this presentation) is carried out in parallel using the vast amount of resources that we have in place around the world. This enables maximized security with maximized performance. On average the scanning, analysis, security and policy enforcement offered by the ScanSafe solution takes less than 50ms which is not perceivable to end-users. Looking at where our customer base is located, ScanSafe has customers in over 100 countries, most of the globe! This is really the testament to the high performance that we enable for our customers regardless of their geographical location. The chances are that in whatever country you might want to access the Internet, we have existing customers there using our service already. ScanSafe has very clear data around the proof points for scalability and our customers feel secure that their service will be of the highest standard and performance. Thinking about reliability - we know that every time a solution that impacts Web access goes down there are severe repercussions – no Internet access means lost revenue, unhappy customers, confused business partners, more work. That’s why at ScanSafe we designed our solution with the highest levels of resilience so that our customers don’t have to suffer the pain of lost Internet access. Again going back to offering proof of our capabilities, we are very proud that over the past 6 years, ScanSafe has maintained 100% continuous uptime. Our customers have had no downtime whatsoever – there aren’t many companies who can say that. So how did we do this? We built the highest quality solution that we could. We used only top tier data centers around the world, data centers that matched the SLAs that we offer to our customers and data centers that are formally certified for the highest levels of service and security such as ISO27001, SAS 70 Type II. Then we connected all those data centers with high bandwidth connectivity – 10 gigabits per second - so that we can use all our resources with the absolute minimum of latency. Once we had this top tier, high speed network in place, we ensured that every single piece was being monitored, so that in the unlikely event of a failure, our architecture will be immediately re-routed and the issue resolved. Coupled with this, all ScanSafe customers are assigned routes to multiple data centers, so if an entire data center were to disappear, their service would remain unaffected and their Web traffic would remain secure – this is true for remote or roaming employees as well as for those that work in an office. Scalability Billions of Web requests/day Highly Parallel processing Multi-tenant architecture: average <50 ms latency 10Gb connectivity Redundant network providers

Zero-day Protection with Outbreak Intelligence Here you can see a diagram that outlines the flow of data through the ScanSafe system. On the right, there’s an end-user at their computer, on the left, the Web page that they have just requested. I’ll describe how this system works. Every Web page that is requested passes through Outbreak Intelligence. The Web page is split into the different elements that exist on that page – html, Javascript, flash, PDF…whatever is contained within the web page – these separate content elements are then fed into Outbreak Intelligence. Outbreak Intelligence is made up of numerous scanlets – each scanlet is specifically designed and trained to analyse a particular type of Web content. As you can see we have different scanlets for different types of content. One very important thing here is that all the Web page content is scanned in parallel. Nothing happens serially here – that’s how we ensure high performance while maintaining the highest level of security. So in this highly parallel process, all HTTP and SSL encrypted content is scanned using a combination of static and dynamic analysis techniques. Let’s take a look at one or two of these scanlets in a little more detail… The Windows exe scanlet is a great example of how Outbreak Intelligence uses the huge dataset of real-world Web usage – remember over 1 billion web requests a day go into this ever increasing dataset – to help determine if code is malicious. It uses a combination of both static and dynamic analysis. Based on the dataset, the Windows exe scanlet in Outbreak Intelligence knows a lot about what Windows exe files look like and how they behave. Based on this insight, it knows some very important facts, like if an executable file is obfuscated, there’s a 95% chance that it is malicious. And we know that the fewer sections an executable file consists of (they are normally made up of sections such as header, text, code and so on), the more likely it is that it’s malicious. In fact, exe files with 3 or fewer sections have a 70% chance of being malicious. We know all these things because of our deep visibility, and can make all these judgments without even looking into what the exe file is trying to do. Add that dynamic analysis of the file itself, how it behaves, what it attempts to do once it runs, and Outbreak Intelligence gives a very accurate picture of what content is malicious, and what content is benign. Another good example here is the file anomaly scanlet – this is one of my favorites. While we have specialized scanlets for major threat vectors, the file anomaly scanlet really picks up all the content that might be considered safe – things like cursors, gif files etc. We see tens of millions of unique files every day; and based on this, the file anomaly scanlet has a pretty good picture of what files look like – and conversely, what they don’t look like, and it spends it’s time looking for things that look just a bit different from the norm – for example, an animated gif with just one frame. It knows that there needs to be multiple frames, that’s what makes it animated. A great example of where this came into play recently was with one of our customers who had a machine that was infected with a trojan, the trojan was attempting to communicate with its home base by apparently requesting gif files. To many security systems this would look like a completely innocent communication – the File Anomaly scanlet however looked at the gif files that were being sent through and found that there were commands embedded within the files. It knew that gif files aren’t meant to contain commands and prevented the communication, therefore stopping the phone home behavior. Back to the diagram – once all of these scanlets have formed their opinion (85% chance of malware for example), they pass this opinion on to the Meta Scanner. The Meta Scanner is really the chairman in this committee of experts. Based on the internal statistical model of the Meta Scanner, it is then decided if the requested Web page contains malware or not. Of course all malware is blocked before it enters the networks of our customers. Finally, looking toward the bottom of this diagram you can see the Outbreak Intelligence Lab – there are a few key things here. Our people – the ScanSafe Security Threat Alert Team, or STAT are widely recognized Web security researchers who spend their time identifying emerging threats and making sure that our customers know about them and are protected. We haven’t lost the human element completely in this. They have found many different zero-day threats such as the Gumblar threat that I’ll highlight in a minute. Also inside the Outbreak Intelligence Lab is where we design our automated machine learning capabilities for our scanlets. Every scanlet is trained prior to being released into Outbreak Intelligence – this training ensures that every scanlet can accurately identify any malware within it’s specific area of expertise. I recently read a book (The Big Switch) where it mentioned about computers being trained to identify different things in pictures. To start with, they were shown trees, trees were tagged in different images. Over time the computers started to recognize trees, and in the end, they could identify trees in any image, regardless of the location or background in the picture…that’s really what we do with our scanlets…train them to identify malware. Once the scanlets are released, they are left to continue to learn and adapt to changes in the environment, so in that instance, there is no human interaction, no “security update” before our customers are protected, it’s all built in. And of course, let’s not forget the billion requests a day that goes into the Web usage dataset that enables a lot of the capabilities within Outbreak Intelligence. So hopefully you get a good picture of the high level capabilities of Outbreak Intelligence.

Outbreak Intelligence - The Results Gumblar Multiple injection attacks Percentage of malware blocks Zeus Botnet / Luckysploit So I’ve described how Outbreak Intelligence works – here we can see details of the results that Outbreak Intelligence has had in 2009. The blue slide in this chart is the percentage of blocks that are zero-day blocks made by Outbreak Intelligence, or, to put it another way, the threats that would have evaded traditional list based security systems. You can see that on some days, directly linked to the release of a new zero-day threat, the number of blocks made by Outbreak Intelligence is well over 80% - in 2008 we had numerous days when it was over 90% of all blocks. This is the real benefit – effective protection from zero-day threats. At ScanSafe we can prove to our prospects that our solution works, and works better than the competition. 27% of all malware blocks in 2009 were as a result of Outbreak Intelligence – zero-day threats that evaded signature based security solutions.

ScanCenter - Management Multiple rules and schedules for User/Group granularity Bi-directional content based policy enforcement Dynamic content classification Control over HTTP & HTTPS communications

Web Intelligence Reporting Over 24,000 report combinations covering more than 80 attributes in 11 reporting categories Cumulative, trending and search driven forensic reports, comprehensive drill down analysis Based on data warehouse infrastructure for performance Scheduled reports can be sent securely to defined users Granular reporting enables actionable remedies to issues and unrivalled visibility into resource usage And finally on to the Management aspect. I’ll take you on a walk through our management interface – ScanCenter – in a minute, but before we get there I wanted to point out some of the highlights of our reporting solution. This has been designed specifically to allow our customers clearer visibility, not only into Web usage, the who has gone where, but also how IT and network resources are being utilized. That’s why we offer the ability to report on over 80 different attributes – as well as the regular ones such as user, category, host etc, we also give customers reporting capabilities on factors such as the Referring domain, browser used, content type requested, queries entered into search engines to name but a few. All of this additional information extends the use of the reporting capabilities to be used beyond just looking at Web security related details, and enables thousands of different drill down reports for numerous groups within an organization. As well as reporting on what content is entering your network, you can also understand what information has left – or has been prevented from leaving by the outbound content control policy so you et a holistic view of what your Internet connectivity is being used for. As well as reporting on what is happening on the network, you can, of course, define a policy for all Web traffic, HTTP and SSL encrypted traffic, prevent that malicious and inappropriate content from entering your network AND help prevent confidential data from leaving your network. You can have peace of mind knowing that all the security aspects of your Web usage are taken care of – we covered that in the Security section of this presentation. All of that is managed from a single, web-based portal which also integrates all reporting for your solution. You can see some examples of WIRe here – in different output graphs. WIRe is an integrated part of our offering for all customers, and being in the cloud, there is nothing for the customer to install in order to start benefitting from WIRe from day one.

Agenda ScanSafe overview Solution highlights Deployment options Demo Q&A Deployment options

ScanSafe Deployment Options 2010

Agenda No User Granularity Required User / Group Granularity Required Connector-less Solutions Roaming & Remote Users

ScanSafe Deployment Options Module # – Name of Module ScanSafe Deployment Options No User Granularity Required

Port Forwarding / Transparent Proxy Firewall directs port 80 traffic to web security service via Transparent Proxy / Port Forward (no browser changes required) Available with certain perimeter devices that have the ability to forward traffic based on port or protocol (BlueCoat, ISA, CheckPoint, Watchguard, SonicWall, Netgate etc…) Provides Site/External IP granularity NOTE: Many Cisco devices are not capable of port forwarding

Browser Redirection via GPO / PAC file Proxy Settings are pushed to browsers via Active Directory GPO Browsers connect through Firewall on port 8080 to Web Security Service Firewall blocks all other GET requests Provides Site/External IP granularity

PAC File Deployment Through GPO, Desktop Users are configured to reference a PAC file with each browser session A global PAC file can point to different ScanSafe towers dependant on internal IP Web requests are sent directly to the ScanSafe towers

Deployment - AD Group Policy Can be targeted to the AD site, domain or individual OUs. Supports various OS platforms: Windows 2000 Windows 2k3 Server Windows XP Windows Vista Windows 7 Sometimes it is an inconvience or impractical to set-up all the users’ web-browsers manually. In this case the proxy change can be rolled out via Active Directory group policy which can be targetted to AD sites, domains or individual OUs. [CLICK] Here you can see how easy it is to push the ScanSafe service to any number of users with just a few clicks. Centrify offer GPO control to Mac OSX using DirectControl software. http://www.centrify.com/news/release.asp?id=2006061201

ScanSafe Deployment Options Module # – Name of Module ScanSafe Deployment Options User / Group Granularity Required

Standalone Connector Proxy Settings are pushed to browsers via AD,GPO or PAC file Forwards web traffic to ScanSafe on port 8080/443 to the Cloud based Tower Connector receives Client info and queries Active Directory Server for Group Information, then proxies to ScanSafe upstream Set Firewall to block all other GET requests Provides IP/End User/Group granularity

Enterprise Connector - Inline ISA Web Security Service is configured as upstream proxy on currently installed proxy device Current proxy device communicates with Connector ICAP (on box) to provide IP/User/Group information (5,500 Users max recommended) Browser traffic is directed to existing Proxy via GPO or PAC files Set firewall to block all other GET requests Provides IP/End User/Group granularity

Enterprise Connector - ICAP Web Security Service is configured as upstream proxy on currently installed proxy device Current proxy device communicates with Connector via ICAP to provide IP/User/Group information Requires no further Client configuration Set firewall to block all other GET requests Provides IP/End User/Group granularity

ScanSafe Deployment Options Module # – Name of Module ScanSafe Deployment Options Connector-less Solutions

BlueCoat Integration - Connector-less Provides AD user and group granularity. BCAAA must be installed and configured within the Active Directory environment. To also send internal IP address to the ScanSafe Scanning towers, Blue Coat must be configured to include x-forwarded-for headers. BC can run in transparent or explicit proxy mode Set firewall to block all other GET requests Provides End User/Group (possible IP granularity)

PIM - Passive Identity Management Proxy Settings are pushed to browsers via Active Directory GPO or PAC file OR PIM can be run in transparent mode with ISA / Bluecoat Login Script (or GPO etc) runs the PIM.EXE with required switches Requires no client installation Firewall blocks all other GET requests Provides End User/Group granularity

Why PIM? There are many customers that do not want to deploy proxy servers yet still want granular policy control. This can be because of the shear number of sites they have to manage or for other technical reasons Deploying a small number of proxy servers to where many different locations tunnel, negates a lot of the advantages of modern MPLS networks and increases latency and bandwidth costs

How Does PIM Work? PIM adds -XS headers to the browser’s user agent string Included in this string is a unique hash that identifies the user in our Scanning tower This detail is encrypted Upon logon, PIM sends an out-of-bound request to the scanning tower and uploads the group information for that user These groups are automatically created in ScanCenter Following registration, each time a request to the Web is made, only the hash is sent to us along with the request and we can indentify the user and apply the correct policy according to the relevant group/s

PIM Data Flow Directory Sync request (Registration) Internet request (Browsing) Client running PIM(IE/FireFox) Corporate Firewall Cisco/ScanSafe DataCentre(s) The Internet

ScanSafe Deployment Options Module # – Name of Module ScanSafe Deployment Options Roaming / Remote Users

Roaming Users (Anywhere+) Installs a Network Driver which binds to all connections (LAN, Wireless , 3G) Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible. AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy)

How Does it Work? Authenticates and directs your external client Web traffic to our scanning infrastructure Numerous datacenters are located all over the world ensuring that users are never too far from our in-the- cloud scanning services SSL encryption of all Web traffic sent improves security over public networks 37

Anywhere+ True Roaming Support Feature Known Environment (Remote) Anywhere+ (True Roaming) Access ScanSafe services from outside of corporate LAN Suitable for home workers Works with a VPN Works through another proxy Transparent to end user Works at a network which requires payment (e.g. Hotspot) Encrypts all web traffic to prevent eavesdropping Tamper resistant Location Aware (reduces latency) And when considering remote and roaming users, they require additional functionality that on-premise workers don’t, but first I’d like to clear up a difference between remote workers and roaming workers. Remote workers are those that occasionally or normally work from home. They probably connect through a cable or DSL connection and VPN into the office. It is these users that the majority of vendors cater to with their remote user product. If you start to look outside this very defined individual use case, there are many different factors to consider as you can see in this table here. Connection through another proxy – maybe a contractor working at a client location. Many remote worker solutions fall over when an additional proxy is introduced – the ports that they need to communicate are closed, or it just doesn’t know how to communicate through a different proxy device. Transparency – the method of authentication for many other remote user solutions is manual – enter your username and password…for every Web browser session. This impacts the user experience and creates a frustrating cycle for end users. Operation at locations that require payment or acceptance of Terms & Conditions – while it might seem obvious that this would be a key requirement for just about any hotel, airport or coffee shop, many solutions are not designed adequately to work with these options, hit or miss is the best you could hope for. Security through encryption – if you are sending information such as user and group identification over the Internet, it’s an excellent idea to encrypt it for security. Many solution however, as they are designed for workers sitting behind a VPN, do not offer this capability, at best this is a security hole, at worst, a lawsuit or other claim if information is used to access your organization and steal data. Tamper resistant – How easy is it for a user to circumvent the controls that are put in place? Can they change the settings? Can they disable the service? You are putting in a process to eliminate the security weak-link, however many solutions provide no protection against a user just turning off the control. Performance Optimization – Let’s say you get on a plane in New York, and get off in Sydney. You turn on your laptop and – lets assume everything works – you are routing all your traffic through a data center in the US. That’s going to add significant latency and reduce your productivity. Again, the solution many vendors offer will do exactly that, they have no capability to re-route your traffic dependent on your location. Anywhere+ is the only solution for remote and roaming users that covers all of these capabilities, to work wherever you are, however you connect to the Internet and to offer a secure, high performance Web security service. 38

ScanSafe Deployment Options Module # – Name of Module ScanSafe Deployment Options Q&A

Module # – Name of Module