Published by Chastity Marsh. Modified over 9 years ago.
Slide 1: IronPort Gateway Security Products. Next Generation Perimeter Security Gateway for Email & Web
(Note to speaker: in summary, emphasize accuracy, performance and consolidation.)

Anurak Chuetanapinyo, Technical Consultant, Thailand and Vietnam, IronPort Systems, a Cisco Business Unit
Slide 2: IronPort® Gateway Security Products
Slide labels: Internet; IronPort SenderBase; BLOCK incoming threats with application-specific security gateways (Email Security Appliance, Web Security Appliance, Encryption Appliance); CENTRALIZE administration (Security Management Appliance); PROTECT corporate assets (Data Loss Prevention, Encryption); Clients. Footer: Web Security | Email Security | Security Management | Encryption.

(Note to speaker: this slide is an opportunity to introduce the full IronPort product line, show how the different products fit together, and outline the overall product strategy.)

IronPort offers two application security gateway products: Email Security Appliances and Web Security Appliances. Both come in several configurations to meet the scalability requirements of different-sized organizations, from demanding ISP environments to small and medium-sized businesses with a few users. The Email Security Appliances protect port 25 against a range of threats, e.g. spam, viruses, phishing attacks and inbound spoofing. They also offer integrated, easy-to-deploy data loss prevention and encryption capabilities. The Web Security Appliances protect port 80, providing the industry's most powerful defense against spyware and malware, along with enterprise-class acceptable use policy enforcement. In addition, the WSA lets customers identify existing infections in their network with the Layer 4 Traffic Monitor, which watches all traffic across all ports and protocols to identify rogue communications. The IronPort Security Management Appliance ties it all together, offering centralized quarantine, reporting and tracking for the ESA. In the future it will provide these capabilities, and more, across both the ESA and WSA. IronPort SenderBase is a common threat database that monitors both email and Web traffic to identify threats and provide dynamic protection through both the ESA and WSA.
Slide 3: Cisco IronPort Gateway Security Products
Slide labels: Email Security, C and X Series; Web Security, S Series; Security Management, M Series. Models shown: S160/C160, S660/360, C660/360, M660/1060, X1060. Footer: Web Security | Email Security | Security Management.

IronPort has built a line of gateway security products. These are appliances that protect email and web users by filtering and controlling traffic at the application layer. IronPort has C-Series and X-Series gateways for email security, and S-Series Web Security Appliances. To manage and report on larger networks, IronPort has built the M-Series of management appliances. The picture shows C-Series models ranging from the C160 to the C660, plus the X1060 for the largest corporate or ISP environments. The S-Series is also available in three sizes, including the S160, which isn't shown. These are purpose-built machines that control email and web access for organizations of all sizes. This slide provides an opportunity to discuss the range of services and products that IronPort offers. Network security has moved beyond simple packet filters and stateful firewalls to truly understanding the application. The range runs from the X1060, designed for demanding ISP environments, to the C160 for companies starting at five users.

ESA: protects port 25. Spam, viruses, outbreaks, phishing and spoofing inbound; policy enforcement and encryption outbound.
WSA: protects port 80. Spyware and malware inbound; acceptable use policy outbound.
SMA: ties it all together. Today it acts as a centralized quarantine; in the future it is the centralized reporting and tracking device across both platforms.
Slide 4: Success

Cisco IronPort provides security to 8 of the 10 biggest ISPs and 38 of the 100 biggest enterprises. Dell and many other customers say IronPort costs 75% less to maintain than previous solutions. IDC: "Leading player". Radicati: "Market share leader". Gartner Magic Quadrant: "Leaders quadrant" 2006, 2007 & Sept 2008.

IronPort is succeeding on every level and in all segments of the market. Eight of the ten biggest ISPs, and 38 of the 100 biggest enterprises in the world, use IronPort. Dell and many other customers say IronPort costs 75% less to maintain than their previous mail and web gateways. IDC calls IronPort a Leading Player. Radicati calls IronPort the Market Share Leader. Gartner places Cisco/IronPort in the highest position of the Leaders quadrant in its latest report. IronPort's customers include some of the largest and most demanding organizations on the planet, in a wide range of industries. You'll find IronPort in media companies, retail, finance, manufacturing, telecommunications, health, travel, education and government.

Feature: low cost of ownership; customers say IronPort reduces their admin time and costs by 75%. Benefit: operations staff can be redeployed to manage other user issues instead of email, and higher uptime means improved productivity and customer responsiveness. Full Gartner report available on request.
Slide 5: Cisco IronPort Protects Fortune Top Companies
Slide text: 40% of the Fortune 10; 42% of the Fortune 50; 42% of the Fortune 100; 28% of the Fortune 500; 39% of the Fortune 1000; 35% of the Fortune Global 500; 95% of the Fortune 100 Most Accountable Companies*.

Large businesses want the very best security products they can find, and IronPort supplies 42% of the Fortune 50 and of the Fortune 100. Companies like DuPont, Intel, GE and Verizon depend on IronPort to protect their networks. Let's take a look at why these companies selected security gateways from IronPort.

* This list ranks the world's largest 100 corporations by the quality of their commitment to social and environmental goals.
Slide 6: IronPort Consolidates the Network Perimeter for Security, Reliability and Lower Maintenance
Slide diagram. Before IronPort: Internet, Firewall, Encryption Platform, DLP Scanner, DLP Policy Manager, MTA, Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Groupware, Users. After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users.

One of IronPort's key selling points has been that we consolidate the network perimeter. This provides a dramatic reduction in total cost of ownership: only one vendor to manage, fewer servers to manage, and a more integrated, secure system for the day-to-day tasks required of an admin. On this slide you can see that we have included our encryption platform as well as the DLP platforms. Both are technologies that have been incorporated into our email security appliance, and they let customers see further benefits from what our technology provides on a single integrated appliance.
Slide 7: IronPort Architecture. Inbound Security, Outbound Control
Slide labels: Management Tools; Inbound Security (Spam Defense, Virus Defense); Outbound Control (Data Loss Prevention, Secure Messaging); The IronPort AsyncOS™ Platform.

IronPort believes in the concept of multi-layered defense in depth, and this is evident in the architecture of our appliance. It provides different modules that can be deployed for inbound security (spam and virus defense) and for outbound control (data loss prevention and secure messaging).

Note to sales reps: if appropriate, this is a good opportunity to outline the pricing structure of our products, i.e. a customer may selectively deploy certain security applications depending on use case and need.
Slide 8: IronPort AsyncOS™. Revolutionary Email Platform
Traditional gateways and other appliances compared with the IronPort Email Security Appliance:
- Concurrent connections: traditional, 200 (low performance, peak delivery issues); IronPort, 10,000 (high performance, sure delivery).
- Queuing: traditional, a single queue for all destinations, so a queue backup delays all mail; IronPort, per-destination queues, giving fault tolerance and custom control.
Slide 9: Real Gateways for both Inbound and Outbound by Virtual IP Gateways
Slide diagram: MX1, marketing, mx1.isp.com (BLACKLISTED); MX2, mx2.isp.com; MX3, companyb.com; companya.com, corporate customers' outbound email; MX4, broadband consumer outbound email. "One bad apple doesn't spoil the bunch." Separate campaigns using "clean" lists on different IPs than new or potentially "dirty" lists. A different mail policy for each individual inbound and outbound IP.
Slide 10: Spam Trends Through the First Half of 2007
Slide text: increase in average daily spam rules; spam volumes up 18% month over month; new spammer tactics: image link spam, PDF spam, XLS spam. Chart: average daily spam volume by month.

Notes to speaker: one thing that has always resonated well with customers is talking about spam trends. This slide captures spam trends for the first half of the year. It shows spam volume increasing roughly 18% month over month, and the chart towards the bottom of the slide shows month-by-month volume over the past year and a half. It also covers the new spammer tactics, moving from image-based spam to PDF spam and XLS spam. Another important point, which we are introducing here, is the increase in average daily spam rules. Spammers continue to get more sophisticated in their tactics and you need technology that addresses that. We have gone from introducing roughly 20,000 spam rules in 2005 to close to 200,000 daily spam rules. This means you need a large infrastructure to support it from a technology point of view, and a product that can absorb that number of spam rules without grinding to a halt. Our anti-spam engine is the market leader in speed, and being able to introduce those spam rules gives customers security without compromising performance.
Slide 11: Evolution of Spam. Spammers Testing New Techniques
Chart: spam types by quarter from 2005 through 2007 (text spam, image spam, PDF spam, Excel spam, MP3 spam).

In addition to the enormous increase in spam volumes, spammers are also innovating in the type of spam they send. Spammers will continue to test new techniques to see what can bypass the spam filters. Not too long ago, spam was predominantly text based. In 2006, image spam growth skyrocketed. In 2007 alone we saw several different techniques emerge: PDF spam, Excel spam and MP3 spam. These new spam attacks are typically very fast and high volume: in August there was a dramatic growth in the use of Excel files in spam messages, and then an equally quick decline over a period of six days. In October there was a spike of spam using an MP3 attachment that was just as large, but it lasted only three days. At the peak of these outbreaks, however, both spam types represented double-digit percentages of worldwide spam traffic, showing that attackers are willing to put enormous resources into finding their next way to sneak into your inbox. The Excel outbreak totaled more than one billion spam messages sent worldwide.

"2007 has seen a proliferation of different attachment types... Spammers are using these different attachments in order to try and get past security gateways that are unable to look into complicated file types." Internet Security Trends Report, published by Cisco and IronPort.
Slide 12: Stop More Spam. IronPort Multi-Layer Spam Defense
Slide labels: Multi-Layer Spam Defense: SenderBase Reputation Filtering (Who?) and IronPort Anti-Spam, whose CASE score combines What?, How?, Where?, data modeling and reputation. Block 90% of spam; >98% catch rate; <1 in 1 million false positives.

To stop spam from reaching your inbox, we deploy a multi-layered defense that combines an outer layer of filtering based on the reputation of the sender and an inner layer that performs a deep analysis of the message. This results in a highly accurate spam defense (98% to 99% accuracy with an industry-low false positive rate of less than 1 in 1 million) without sacrificing performance.

Representing the outer layer, SenderBase Reputation Filtering stops spam based on the reputation of the sender. It is similar to a credit reporting service. Only, instead of analyzing your social security number and credit history, it analyzes the sender address or IP address and gives a reputation score based on an analysis of over 150 different parameters. Parameters include global volume (spammers need to send a lot of mail to be effective), country of origin, whether they accept mail in return, IP blacklists, complaint reports, and how long a domain name has existed. This data is combined into a score from -10 to +10, which the appliance then uses to control the mail that can be sent into a network. The more "spammy" a sender appears, the stricter the policy. SenderBase technology allows administrators to configure a policy appropriate to the reputation of the sender: bad or junk mail is automatically dropped before entering the network; known good mail bypasses the spam engine; gray or "iffy" mail is throttled and passed to the spam filter for deeper inspection and filtering. There are two main benefits of SenderBase. First, we are able to block 90% of spam before it even hits your network. Second, performance: mail is blocked simply by looking at the IP address instead of scanning the entire message.

The second layer of filtering is unique. Unlike traditional anti-spam solutions that primarily analyze only the content of a message, IronPort's anti-spam engine is designed to take a closer look at four main data points. In addition to analyzing the content of the message (what is in it), IronPort's engine also looks at how the message was constructed (spammers try to make messages look as if they were sent via Outlook, for example, when really they may have used some unusual software application), who is sending the message (this uses the reputation score), and where the call to action intends to take you (does the URL link to a suspicious website?), which is ideal for stopping phishing attacks. This results in a 98% to 99% spam catch rate while still maintaining an industry-low 1 in 1 million false positive rate.
Slide 13: SenderBase®. World's First, Biggest & Best Server Reputation Database
Slide text: like a credit rating service for email and web sources; stops known and unknown threats based on risk; a view into both email and web traffic dramatically increases threat detection; 83% of spam contains URLs; 80% of spam is sent by zombie PCs ("spambots"); email is still a key distribution vector for Web-based malware. Diagram: information on email and web servers from 100K sources feeds SenderBase analysis.

Another IronPort innovation is SenderBase, the world's first, biggest and best reputation server database. SenderBase is like a credit rating service for email and web sources. It stops known and unknown threats based on risk. It gives IronPort customers a view into both email and web traffic, and it dramatically increases the level of threat detection. Email and web threats are converging: we know that 83% of spam contains a URL, and 80% of spam is being sent by zombie PCs on the web, called spambot PCs. So email is a key distribution vector for web-based malware. This diagram shows that SenderBase receives information on email and web servers from 100,000 sources. This is analyzed, and provided in a limited way to the public on the SenderBase web site, and in greater detail to IronPort appliance customers. SenderBase data is also shown on the Cisco web site.

While server architecture is critical to a security gateway, the heart of any security device lies in the database that distinguishes good traffic from bad. IronPort pioneered the use of a global traffic monitoring network to measure in real time the reputation, or trustworthiness, of a given server. IronPort's SenderBase Network is the largest and most accurate database in the world. SenderBase collects data from more than 100,000 networks around the globe and has data on virtually every active Web server and email server on the Internet. This data is used by the IronPort appliance to dynamically apply a scanning policy to identify and stop incoming threats. IronPort's background in email gives it an unfair advantage: by combining views of email and Web traffic patterns, IronPort has unique insight into what is going on.

A perfect example is the highly publicized and malicious Storm Worm. Storm propagates itself using both Web and email vectors, along with social engineering techniques. Storm has been around since the start of 2007 and is growing to record proportions; up to 30% of all spam emails in 2007 were related to Storm Worm attacks. Storm uses social engineering techniques such as spam emails with a fake YouTube logo and video links. Upon clicking the link, an embedded JavaScript routine runs in the browser and exploits unpatched machines to infect the end user with the W32/Nuwar Trojan. If the machine happens to be patched, the end user is presented with a link that appears to be from YouTube, enticing them to click on it.
Slide 14: The IronPort SenderBase® Network. Global Reach Yields Benchmark Accuracy
Slide table. The dominant force in global email and Web traffic monitoring results in accuracy and advanced protection:
- Spam caught by reputation: IronPort 80%; others 20% to 50%.
- Network reach (contributing networks): IronPort 120,000; others (McAfee, Trend, Symantec, Sophos, CA, F-Secure) 1,000 to 8,000.
Also on the slide: 30B+ queries daily; 150+ email and Web parameters; 30% of the world's traffic; Cisco network devices; 13 hours* virus protection lead.

IronPort's SenderBase is the world's largest email and Web traffic monitoring network. With data on more than 25 percent of the world's Internet traffic, IronPort's SenderBase Network provides an unprecedented real-time view into security threats from around the world. SenderBase receives contributions from 120,000 networks worldwide. We go to great lengths to diversify our data. Benefit to you: we catch even the obscure threats that our competitors miss. IronPort's email and Web security customers harness the power of SenderBase through IronPort Reputation Filters and Web Reputation™ technologies. SenderBase data also powers IronPort Anti-Spam, IronPort Virus Outbreak Filters™ (a preventive security service that protects customers from viruses hours before anti-virus vendors publish virus signatures) and other security applications.

IronPort is one of a handful of companies that has built a very large monitoring network, one that, as part of Cisco, gives us unprecedented access to data. And as in the cellular phone business, it's all about the network. It means that as an IronPort customer you get the fastest, broadest and most accurate protection against Internet threats. The proof is in the pudding: with Reputation Filters, IronPort can block 80% of spam at the connection without reading the email. The closest competitor is at 50%; look it up on their websites. As spam volumes increase, you don't buy more hardware. Similarly, Web Reputation is capable of outright allowing and outright blocking anywhere from 40% to 60% of requests, which preserves the CPU-intensive operations of anti-malware scanning for only those transactions that need them.

With all that data, we are able to "predict" viruses hours, sometimes days, before the AV players. Outbreak Filters have stopped viruses on average 13 hours ahead of signature-based systems over the past 12 months.

* 6/2005 – 6/ outbreaks identified; calculated against publicly published signatures from the listed vendors. Source dated August 6, 2006.
Slide 15: What Data is Collected? 150 Data Sources Combined for Highest Accuracy
Slide table of data sources (orange on the slide marks web-specific data):
- IP blacklists and whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender.
- Complaint reports: spam, phishing and virus reports.
- Domain blacklists and safelists: spamvertized URLs, phishing URLs, spyware sites.
- Spam traps: SpamCop, ISPs, customer contributions.
- Compromised host lists: SORBS, OPM, DSBL.
- Message composition data: message size, attachment volume, attachment types, URLs, host names.
- Web site composition data: downloaded files, linking URLs, threat heuristics.
- Global volume data: over 100,000 organizations, email traffic, web traffic.
- Other data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up.

IronPort collects up to 150 data points on each email and web source. SenderBase collects data on global email traffic volumes, including web site traffic. Data on URLs in messages, message composition, spam traps, complaints such as SpamCop, plus whitelist and blacklist data, is all factored in. SenderBase has data on phishing URLs, spyware sites and compromised host lists. Having many data points gives you a much better picture of the risk involved than relying on one or two indicators. The combination of web data (in orange) with other public and private data makes SenderBase much more powerful than other lists or services.

IronPort tracks over 90 mail-related parameters and 20 web parameters in SenderBase. All the familiar ones: global volume; complaints and spam traps; third-party blacklists and dynamic lists. New parameters: results of content filter scanning for spam and viruses; URLs with known risks of spamvertising, viruses or spyware; website composition, to look at suspicious payloads or known bad files; domain registration information; the linking reputation of sites through hyperlinks.
Slide 16: Reputation Determines Policy. Administrator Sets Thresholds & Actions Based on Scores
Slide text: incoming mail is good, bad and "grey" (unknown); Reputation Filtering feeds the Anti-Spam Engine.
• Known bad (scores of -2.0 to -10.0) is rejected at connection time.
• Suspicious mail is throttled and spam filtered.
• Known good is delivered (why scan it more?).
SenderBase takes the identity of servers and adds reputation; the administrator takes reputation and assigns policy. A sophisticated response to sophisticated threats, more powerful than blacklisting.

The administrator sets the thresholds and actions based on scores. For email, the incoming mail is a mixture of good, bad and grey (unknown) mail. If the message came from an MTA with a very high reputation, like +9, there is no point in scanning it, since it won't be spam. If the mail came from a very low reputation sender, there is still no point in scanning it, since it will certainly be mail we don't want. So only the suspicious or unknown mail has to be scanned in depth; it can also be throttled and controlled in other ways. For web traffic, transactions and pages on high reputation sites can skip anti-malware signature checks, since there is no risk of malware, and connections to low reputation servers and zombie PCs are blocked. You can say that SenderBase takes the identity of servers and adds reputation to them; the administrator takes this reputation and assigns policy. It's a sophisticated response to sophisticated threats, and it's much more powerful than simple whitelisting or blacklisting.

For web traffic in more detail: transactions from sites and pages with very high reputations can skip some anti-malware signature checks, since there is no risk of malware infection; traffic to sites with low reputations can be blocked without any scanning at all; only traffic to unknown or neutral-reputation web sites has to be scanned to the fullest extent. This dramatically increases the efficiency and responsiveness of the IronPort system.
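As an added example (not IronPort's code or the slide's own), here is one way to express the score-to-action policy described on this slide, validate that it covers the whole -10 to +10 range, and apply it to a batch of inbound connections with throttling. The -2.0 "known bad" cut-off is the one on the slide; the +7.0 "known good" cut-off, the 500 recipients/hour throttle limit and the sample scores are assumptions.

```python
"""Added example, not IronPort's own code: a SenderBase-style reputation policy.

The appliance receives a reputation score from -10 to +10 for each connecting
mail server and the administrator maps score ranges to actions.  This shows one
way to express such a policy, validate that it covers the whole score range,
and apply it (with throttling) to a batch of inbound connections.  The -2.0
"known bad" cut-off is the one on the slide; the +7.0 "known good" cut-off and
the throttle limit are illustrative assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

REJECT = "reject"                    # refuse at connection time, nothing scanned
THROTTLE_SCAN = "throttle_and_scan"  # rate-limit, then run the anti-spam engine
DELIVER = "deliver_unscanned"        # known good: skip the anti-spam engine

SCORE_MIN, SCORE_MAX = -10.0, 10.0


@dataclass(frozen=True)
class Tier:
    upper: float                      # tier covers scores below this (last tier: up to SCORE_MAX inclusive)
    action: str
    max_recipients_per_hour: Optional[int] = None  # required for THROTTLE_SCAN tiers


class ReputationPolicy:
    def __init__(self, tiers: List[Tier]):
        if not tiers:
            raise ValueError("policy needs at least one tier")
        prev = SCORE_MIN
        for t in tiers:
            if t.upper <= prev:
                raise ValueError(f"tier bounds must ascend: {t.upper} after {prev}")
            if t.action == THROTTLE_SCAN and t.max_recipients_per_hour is None:
                raise ValueError("throttle tier needs max_recipients_per_hour")
            prev = t.upper
        if prev != SCORE_MAX:
            raise ValueError(f"scores above {prev} are not covered")
        self.tiers = list(tiers)

    def decide(self, score: float) -> Tier:
        """Map a reputation score to the tier the administrator configured."""
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"score {score} outside [{SCORE_MIN}, {SCORE_MAX}]")
        for t in self.tiers[:-1]:
            if score < t.upper:
                return t
        return self.tiers[-1]


class ConnectionGate:
    """Applies the policy per connection and enforces hourly throttle limits."""

    def __init__(self, policy: ReputationPolicy):
        self.policy = policy
        self._sent: Dict[tuple, int] = defaultdict(int)  # (ip, hour) -> recipients accepted

    def admit(self, ip: str, score: float, recipients: int, hour: int) -> str:
        tier = self.policy.decide(score)
        if tier.action == REJECT:
            return REJECT
        if tier.action == THROTTLE_SCAN:
            used = self._sent[(ip, hour)]
            if used + recipients > tier.max_recipients_per_hour:
                return "deferred"   # over the hourly limit: tell the sender to retry later
            self._sent[(ip, hour)] = used + recipients
        return tier.action


# Slide thresholds: -10..-2 rejected.  Assumed: -2..7 throttled and scanned, 7..10 delivered.
DEFAULT_POLICY = ReputationPolicy([
    Tier(upper=-2.0, action=REJECT),
    Tier(upper=7.0, action=THROTTLE_SCAN, max_recipients_per_hour=500),
    Tier(upper=SCORE_MAX, action=DELIVER),
])


def outcome_fractions(policy: ReputationPolicy, scores: List[float]) -> Dict[str, float]:
    """Share of connections per action, i.e. how much traffic never reaches the scanner."""
    counts: Dict[str, int] = defaultdict(int)
    for s in scores:
        counts[policy.decide(s).action] += 1
    return {action: n / len(scores) for action, n in counts.items()}


if __name__ == "__main__":
    # Constructed sample: heavily skewed to low scores, as inbound SMTP traffic is.
    sample = [-9.5] * 85 + [-4.0] * 5 + [0.5] * 6 + [9.0] * 4
    print(outcome_fractions(DEFAULT_POLICY, sample))        # 90% rejected at connection
    gate = ConnectionGate(DEFAULT_POLICY)
    print(gate.admit("198.51.100.7", 1.0, 400, hour=12))    # throttle_and_scan
    print(gate.admit("198.51.100.7", 1.0, 200, hour=12))    # deferred (600 > 500)
```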
Slide 17: IronPort Reputation Filters. Dell Case Study
"IronPort has increased the quality and reliability of our network operations, while reducing our costs." -- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation

Results: accuracy of spam filtering increased 10x; servers consolidated by 70%; operating costs reduced by 75%.
Slide 18: TRUE Internet

"It's an ideal solution for ISPs. With easy-to-use and flexible management, it helps us reduce administrative costs." — Mr. Tanapon Chandavasu, Head of Network & Operation, TRUE Internet Co., Ltd.
Slide 19: Cisco IronPort Spam Defense. Thompson Machinery Case Study
"I simply plugged it in, set it up and walked away. No more spam problems! The ROI on this product is a no-brainer." — David Jones, IT Administrator. Users protected: 500+.

This combination proves itself in the real world. Thompson Machinery tested IronPort against another vendor for their 500-user network. Each system received 190 spams per day, but IronPort caught 99%, versus 96% for Barracuda. The Barracuda appliance delivered four times more spam each day to users. They said they simply plugged it in, set it up and walked away: no more spam problems, and the ROI on this product is a no-brainer. One key reason: IronPort stops more spam than other solutions.

A great case study of IronPort spam defense is Thompson Machinery, a 500-user manufacturing company. Thompson did a production test of IronPort and Barracuda. Barracuda is like a lot of anti-spam vendors who claim high capture rates, in the 95% to 96% range. IronPort claims a 99% capture rate, and this test revealed that those 3 to 4 percentage points make a difference: in this case, the difference in capture rates resulted in 400% more spam to the inbox with Barracuda than with IronPort. IronPort required no special tuning or babysitting by the administrator. He simply set it up and his spam problems went away, resulting in a very compelling ROI. Simply put, IronPort stops more spam.
Slide 20: How To Do Spam Math. MissedSpamPercentage(ProductY) / MissedSpamPercentage(IPAS)
Slide table, for an example user who receives 100 spams and 100K hams:
- IronPort Anti-Spam: capture rate 98%; false positive rate 0.0001% (1 per million); 2 spams arrive in the inbox; no ham lost.
- Product Y: capture rate 94%; false positive rate 0.0017% (17 per million); 6 spams arrive in the inbox; 1.7 hams lost in error.

It's very common for IronPort to capture 99% of all spam, but that's not our advertised catch rate. We only claim that we block 98% of spam, nearly all of the time, anywhere in the world. If another product has a 94% capture rate, it's not a 4% difference. To see the impact on users, divide the missed spam percentages for the two products, or count the number of missed spams per hundred and divide those. If IronPort misses 2 spams per hundred at our advertised capture rate, and product Y misses 6 at 94%, then our 2 is 3 times better than their 6. Product Y users will really get three times more spam, and administrators could get 3 times more complaints. And if product Y has more than one false positive per million, it's not really accurate enough to safely drop the spam; you would have to quarantine and review it. Product Y doesn't really solve the spam problem, it just moves the spam from one place to another.

Conclusions: 6 / 2 = 3. Product Y users receive three times as much spam in the inbox (6 vs. 2). Product Y is not accurate enough to safely drop spam; it must be stored and reviewed.
Slide 21: IronPort Anti-Spam. Email Security Appliance
Slide text: market-leading catch rate and false positive rate, 98% and 1 in 1,000,000. So accurate that 95% of IronPort customers drop all definite and suspected spam without quarantining. Stops spam types that other solutions miss. Automatic updates, no need for manual rule writing, learning or tuning. No additional UNIX/Windows servers to maintain. IPAS checks: Web reputation (where does the call to action take you?); email reputation (who is sending you this message?); message structure (how is this message constructed?); message content (what content is included in this message?). Supports spam digest and end-user safelist/blocklist. Highest catch rate, lowest false positive rate of any anti-spam product today.

IronPort Anti-Spam has the best real-world catch rate and false positive performance in the market, at 98% with one in a million false positives. It's so accurate that 95% of IronPort customers drop all definite and suspected spam without quarantining. IPAS stops spam types and new spam outbreaks that other solutions miss. It has automatic updates, with no manual rule writing and no need for training or tuning. There are no extra servers or systems to maintain. IPAS works in four phases. First it looks at any URLs in the message body and checks where the call to action takes you. It factors in more data about who sent you the message and their reputation. It looks at how the message is constructed, for example whether it was composed by Outlook or by a zombie trying to emulate Outlook. And it checks what content is included in the message. These pictures show that we do offer a quarantine, with spam digest notifications, end-user safelists and blocklists and other competitive features. But the really nice thing about IronPort Anti-Spam is that it works so well you don't have to use them. IPAS does more processing on each message than other solutions; AsyncOS lets us do this at high speed. No other system blocks more spam more efficiently.

Every 5 minutes (by default) the appliance checks for new rule updates (AS, AV, VOF).

Feature: quarantines can store policy violations, spam or viruses for review; users receive daily spam digests; users can release or delete their own spam; Web UI with advanced search; authenticate users via LDAP, AD, POP or IMAP servers; optional end-user spam reporting plugin for Outlook; flexible deployment; automatic disk space management; C-Series on-box storage, or a centralized M-Series appliance.

Benefits: only a few! Most customers do not keep samples of viruses or spam, because there are no false positives and no need to store them. Admins may need to quarantine for policy reasons, but since reviewing and releasing messages from quarantines takes time, use is kept to a minimum. Users can create their own safelists and blocklists, but only a few users do this once they experience IPAS accuracy (they may have had bad experiences with non-IronPort mail products). In the end, a spam quarantine is a crutch for a poor spam engine. IronPort's accuracy is such that most customers stop using the quarantine after only a couple of weeks.
Slide 22: Evolution of Viruses. Rapid Outbreaks, Frequent Variations, More URLs
Slide text: URL-based viruses increase by 256%; harder for traditional AV scanners to block; end users more likely to click on links than open attachments; rapid changes to viral strains: Feebs, 7 days, 6 variants. Chart: Feebs outbreak, October 2007, message volume and frequency of changing Feebs variants, Oct 13 to Oct 22, 2007 (IronPort Threat Operations Center).

In addition to spam, viruses represent another area of concern for email administrators. The virus problem is not going away. As a matter of fact, viruses are becoming an even more important element of the criminal ecosystem, which leverages viral payloads as a means to install a trojan and subsequently take over a PC. Viruses are evolving from the traditional attachment payload to a URL distribution vector. This is not what traditional AV scanners were designed for, so these viruses are harder to block. Additionally, end users are more likely to click on links than open attachments. Unfortunately the data indicate this approach is working: URL-based viruses have increased by 256% in the past year. Not only are the distribution methods evolving, but so are the virus strains themselves. The Feebs outbreak of October 2007 is a great example: in 7 days it went through 6 different variants, each more challenging to detect and scan than the previous one.
Slide 23: Stop More Viruses. IronPort Multi-Layer Virus Defense
Slide text: Virus Outbreak Filters, then Anti-Virus. The outbreak rule is refined as the outbreak unfolds: T = 0: zip (exe) files; T = 5 mins: zip (exe) files, size 50 to 55 KB; T = 15 mins: zip (exe) files, size 50 to 55 KB, "Price" in the filename. Virus Outbreak Filters advantage: average lead time* of over 13 hours. See the latest outbreaks at the Threat Operations Center.

Similar to our spam defense, IronPort employs a multi-layer defense against viruses. Virus Outbreak Filters leverage the data in SenderBase to identify volume spikes in email that are indicative of a virus, and use this data to quarantine mail until the AV signature is made available. Our average lead time is well over 13 hours, protecting customers during the critical window of exposure between when the virus is detected and when the signature file is made available. We also offer customers a choice of anti-virus engines, Sophos or McAfee or both, which provides a layered approach to keep viruses out of the inbox.
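As an added example (not IronPort's code or the slide's own), here is how the progressively tightening rule on this slide can be modelled: each snapshot holds matching messages until signatures arrive, and tightening the rule releases messages that the earlier, broader rule swept up. The message fields, the rule representation and the sample messages are constructed assumptions.

```python
"""Added example, not IronPort's own code: an outbreak rule that tightens over time.

The slide shows Virus Outbreak Filters narrowing its rule as more is learned about
an outbreak: at T=0 "zip (exe) files", at T=5 min also "size 50 to 55 KB", at
T=15 min also "Price" in the filename.  Messages matching the current rule are held
until anti-virus signatures arrive; messages held under an earlier, broader rule
that no longer match the refined rule can be released.  The message fields, rule
representation and sample messages below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Attachment:
    filename: str
    size_bytes: int
    is_zip: bool
    contains_exe: bool   # the archive listing shows an executable inside


@dataclass(frozen=True)
class Message:
    msg_id: str
    attachments: Tuple[Attachment, ...]


@dataclass(frozen=True)
class OutbreakRule:
    """One snapshot of the rule; None means that constraint is not known yet."""
    minutes_since_detection: int
    size_range_kb: Optional[Tuple[int, int]] = None
    filename_keyword: Optional[str] = None

    def matches(self, a: Attachment) -> bool:
        # Every snapshot on the slide starts from "zip archive containing an exe".
        if not (a.is_zip and a.contains_exe):
            return False
        if self.size_range_kb is not None:
            lo_kb, hi_kb = self.size_range_kb
            if not lo_kb * 1024 <= a.size_bytes <= hi_kb * 1024:
                return False
        if self.filename_keyword is not None:
            if self.filename_keyword.lower() not in a.filename.lower():
                return False
        return True


# The three snapshots shown on the slide.
RULE_TIMELINE: List[OutbreakRule] = [
    OutbreakRule(0),
    OutbreakRule(5, size_range_kb=(50, 55)),
    OutbreakRule(15, size_range_kb=(50, 55), filename_keyword="Price"),
]


def current_rule(minutes: int, timeline: List[OutbreakRule] = RULE_TIMELINE) -> OutbreakRule:
    """Latest snapshot published at or before `minutes` after detection."""
    rule = timeline[0]
    for candidate in timeline:
        if candidate.minutes_since_detection <= minutes:
            rule = candidate
    return rule


def held_ids(msgs: List[Message], rule: OutbreakRule) -> List[str]:
    """IDs of messages the rule would hold in the outbreak quarantine."""
    return [m.msg_id for m in msgs if any(rule.matches(a) for a in m.attachments)]


def released_on_refinement(msgs: List[Message], old: OutbreakRule, new: OutbreakRule) -> List[str]:
    """Messages held under the broader rule that the refined rule no longer matches."""
    still_held = set(held_ids(msgs, new))
    return [mid for mid in held_ids(msgs, old) if mid not in still_held]


# Constructed sample traffic: one outbreak sample and several legitimate messages.
SAMPLE: List[Message] = [
    Message("m1", (Attachment("Price_List.zip", 52 * 1024, True, True),)),    # outbreak sample
    Message("m2", (Attachment("report.zip", 200 * 1024, True, False),)),      # zip of documents
    Message("m3", (Attachment("installer.zip", 53 * 1024, True, True),)),     # small legit tool
    Message("m4", (Attachment("photos.zip", 3 * 1024 * 1024, True, True),)),  # big zip with exe
    Message("m5", (Attachment("invoice.pdf", 40 * 1024, False, False),)),     # no archive at all
]


def timeline_report(msgs: List[Message] = SAMPLE) -> Dict[int, List[str]]:
    """Which messages are held at each snapshot time on the slide."""
    return {r.minutes_since_detection: held_ids(msgs, r) for r in RULE_TIMELINE}


if __name__ == "__main__":
    for minutes, held in timeline_report().items():
        print(f"T={minutes:>2} min: held {held}")
    print("released by T=15:", released_on_refinement(SAMPLE, current_rule(0), current_rule(15)))
```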
Slide 24: Early Protection with IronPort Virus Outbreak Filters

IronPort Virus Outbreak Filters™: First Line of Defense
25
VOF Benefits
Stops zero-day outbreaks even before your AV signatures are updated

Virus Name | Date | Virus Description | Lead Time (hh:mm)
Trojan/Agent-HCJ | 6/15/08 | Backdoor Trojan that attempts to download malicious code. | 6:42
Trojan/FakeAle-BJ | 5/17/08 | Trojan that generates popup messages claiming that the PC is infected to coerce the user into purchasing a fake anti-malware product. | 8:44
Troj/DwnLdr-HCB | 4/02/08 | Trojan that installs a backdoor and communicates via HTTP, thus bypassing firewall filters when connecting to remote command and control servers. | 16:23
Mal/TibsPk-A | 3/26/08 | Video.exe file that tricks the user into viewing a video file while malicious code loads on the PC in the background. | 30:56
Troj/Dwnle-Gen | 2/26/08 | Trojan that downloads adware, spyware and other malware from multiple remote servers. | 30:23
Virus/Dept. of Justice | 12/3/07 | Fake Department of Justice email that asks the user to open a complaint document, which infects PCs with remote access capabilities, for additional key logger/spyware programs. | 8:33

“We’ve saved $1.2M in last 7 months with Outbreak Filters”
“Since Outbreak Filters we haven’t had a single virus outbreak!”
“24,000 virus positive messages caught in last 9 months”
IronPort customers say that VOF is the most advanced zero-day outbreak prevention system on the market. It catches new variants before AV signatures are available, and puts a preventive layer in front of the reactive, signature-based scanners. ACS said they saved 1.2 million with VOF in just 7 months. Air France said they haven’t had a single outbreak with it. Johns Hopkins caught 24,000 virus positive messages in 9 months. This table shows that VOF reacts from 6 to 30 hours sooner than any other product. VOF provides an average of over 13 hours lead time, measured against the last 175 outbreaks and 6 leading AV vendors. You can see these outbreaks and lead times at the threat operations center, published daily. Virus Outbreak Filters are integrated into the IronPort Email Security Appliances.
When the threat level is elevated, messages are automatically filtered and suspicious messages are quarantined. Immediate and automated response to new outbreaks provides protection until updated signatures are in place. At that point, mail is released and re-scanned through the traditional anti-virus filters. By responding in a benign way, the Virus Outbreak Filters prevent serious damage without causing other issues. System administrators have the ability to tailor the specific response taken when a threat level is raised. Mail administrators can set threat levels at which messages need to be quarantined, based on their network and risk tolerance. Certain users or groups of users can be opted out of the quarantine. Using the web based administration tools in the IronPort appliance, administrators can view quarantined messages and selectively release them. Administrators can also release a message and test it to make sure the virus definition files are in place before releasing it.
Virus Outbreak Filters Lead Times Published Daily at:
Average lead time*…………………………over 13 hours
Outbreaks blocked*………………………175 outbreaks
Total incremental protection*…………….over 94 days
* May 2006 – August 2008 Annualized. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
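The footnote above defines how the headline numbers (average lead time, outbreaks blocked, total incremental protection) are derived: the outbreak filter's quarantine start is compared with the first publicly published signature from each vendor, falling back to the first public alert when no signature time exists. The following is an added example, not IronPort code, that carries that arithmetic through on constructed outbreaks and vendor timestamps. It assumes the comparison is against the fastest of the vendors (the slide's "sooner than any other product"), that an outbreak counts as blocked only when the filter led the signatures, and that the h:mm notation of the table is wanted for output; vendor names and times are invented.

```python
"""Lead-time arithmetic for an outbreak filter, following the slide's footnote.
Added example, not IronPort code; vendor names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class VendorResponse:
    vendor: str
    signature_time: Optional[datetime]  # None when no signature was published
    alert_time: Optional[datetime]      # fallback: first publicly published alert


@dataclass
class Outbreak:
    name: str
    vof_detect_time: datetime           # when the outbreak filter started quarantining
    responses: list                     # one VendorResponse per AV vendor


def vendor_response_time(resp: VendorResponse) -> Optional[datetime]:
    """Signature time if available, else alert time, else None (vendor never reacted)."""
    return resp.signature_time or resp.alert_time


def lead_time(outbreak: Outbreak) -> Optional[timedelta]:
    """Lead against the fastest vendor (assumption: minimum over vendors).
    Negative means a signature existed before the filter reacted."""
    times = [t for t in map(vendor_response_time, outbreak.responses) if t is not None]
    if not times:
        return None
    return min(times) - outbreak.vof_detect_time


def fmt_hhmm(td: timedelta) -> str:
    """Format as h:mm, the notation used in the slide's table."""
    minutes = int(td.total_seconds() // 60)
    return f"{minutes // 60}:{minutes % 60:02d}"


def summarize(outbreaks) -> dict:
    """Outbreaks with positive lead count as blocked; average and total over those."""
    leads = [lt for lt in map(lead_time, outbreaks) if lt is not None and lt > timedelta()]
    total = sum(leads, timedelta())
    return {
        "outbreaks_blocked": len(leads),
        "average_lead": total / len(leads) if leads else timedelta(),
        "total_protection": total,
    }


# Constructed sample: three outbreaks, two vendors. Not real data.
SAMPLE = [
    Outbreak("constructed-A", datetime(2008, 6, 15, 2, 0), [
        VendorResponse("vendor-X", datetime(2008, 6, 15, 8, 42), None),
        VendorResponse("vendor-Y", datetime(2008, 6, 15, 10, 0), None),
    ]),
    Outbreak("constructed-B", datetime(2008, 5, 17, 0, 0), [
        VendorResponse("vendor-X", None, datetime(2008, 5, 17, 8, 44)),  # alert only
        VendorResponse("vendor-Y", datetime(2008, 5, 17, 12, 0), None),
    ]),
    Outbreak("constructed-C", datetime(2008, 4, 2, 12, 0), [
        VendorResponse("vendor-X", datetime(2008, 4, 2, 11, 0), None),   # signature came first
    ]),
]

if __name__ == "__main__":
    for o in SAMPLE:
        lt = lead_time(o)
        print(o.name, fmt_hhmm(lt) if lt is not None else "n/a")
    s = summarize(SAMPLE)
    print(s["outbreaks_blocked"], fmt_hhmm(s["average_lead"]), fmt_hhmm(s["total_protection"]))
```

The third outbreak is the case the footnote does not spell out: a vendor signature that predates the filter's reaction. Treating it as "not blocked" rather than letting its negative lead pull the average down is the assumption that matters most when reproducing figures like these from published signature times.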
26
Multi-Scan Anti-Virus Results Multiple AV Engines Broaden Coverage
[Chart: virus capture rate, Vendor A alone vs. Vendor B alone vs. combined multi-scan mode; ideal = virus capture with multi-scan. Source: 2007 IronPort-sponsored Customer Studies]
27
IronPort’s Virus Defense eWeek Review Case Study
5 month test by eWEEK
1217 virus positive emails stopped before AV signatures were available
48 separate virus variants
0 false positives reported
“We’ve Saved $550,000 In The Last 6 Months With VOF”
Here is a great case study that speaks to the value of our IronPort Virus Outbreak Filters. An independent trade magazine, eWeek, studied the effectiveness of our Virus Outbreak Filters. In the first five months, they were able to save $200,000 based off of the virus messages that we stopped, assuming about $500 bucks per desktop infection and 1 in 3 messages opened. The power of outbreak filters is very real to these customers, and for folks who have a traditional AV solution, it complements it quite nicely as a zero-hour protection tool.
“We never saw a false positive. Virus Outbreak Filters effectively blocked messages containing viruses for which signatures didn't already exist.” — Mike Caton, Technical Writer
Assumes $500 Per Desktop Clean Up & 1/3 Open Rate of Viral Messages
28
IronPort Systems Data Loss Prevention PROTECTING SENSITIVE COMMMUNICATIONS
And now as we have articulated the features set, you can put this into context of a real-world customer case study.
29
Standard Email STILL Does Not Offer What’s Needed
Challenges: Standard Email STILL Does Not Offer What’s Needed
Junk Mail
Privacy & Control
Viruses
Regulations
30
Data leaks continue to impact Businesses
31
Intellectual Property Leakage
Estimated $300 billion per year in losses
IP theft laws are hit and miss internationally
Surveyed organizations estimated 2.4 incidents per year at $500k per incident
Appearance of “whistle-blower” public wikis
32
Protect Sensitive Data: It’s the Law
Breach Laws (e.g. California SB-1386): enacted in 44 states; companies forced to disclose any personal information leakage
State Encryption Laws: personal information to be encrypted as it goes over the Internet
Healthcare Laws (e.g. HIPAA): protect patient information or pay large penalties
Financial Regulations: protect credit card information (PCI); don’t disclose financial information (SOX)
33
Historical Barriers to DLP Adoption
Inaccurate: false positives & false negatives; constant tuning required
Difficult to Configure: complex integration; limited policy coverage
Expensive: high up front deployment cost; resource intensive
34
IronPort DLP: Comprehensive, Accurate, Easy
Worldwide regulatory compliance coverage, numerous remediation options No managing false positives Quickly deploy and manage Cisco’s security products offer unparalleled leadership, by virtually any way leadership is defined: We have more visibility into global traffic & threats than any vendor in the world We offer best of breed technologies both for inbound and outbound security Analyst feedback, industry awards and market share numbers all confirm that the market and analyst community view Cisco’s security solutions as best in class.
35
Comprehensive, Global Coverage
Diverse Use Cases
Over 100 Pre-defined Templates
Includes, by country: Driving License Numbers, IBAN Numbers, National Identification Numbers, Passport Numbers
Custom Policies
36
Comprehensive Remediation Options
1. Deliver, Quarantine, Drop or Encrypt
2. Add disclaimer, modify subject
3. Copy admins or supervisors
4. Notify sender or recipient with custom message
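To make the two preceding slides concrete (the pre-defined templates such as IBAN numbers plus custom policies, and the four remediation choices listed here), the following is an added example, not IronPort or RSA DLP code. It scans a message's subject and body against a small template set, assigns a severity, and then applies the matching remediation: deliver, quarantine, drop or encrypt, with optional disclaimer, subject tag, admin copy and sender notification. The IBAN template uses the real ISO 13616 mod-97 checksum so that random alphanumeric strings do not trigger it; the project-codename template, the severity thresholds and all addresses are constructed placeholders.

```python
"""DLP content scan with the four remediation options from the slide.
Added example, not IronPort/RSA code. Templates, thresholds, addresses constructed."""
import re
from dataclasses import dataclass

# Loose candidate matcher; the checksum below is the arbiter, which avoids
# false positives on arbitrary alphanumeric strings such as ticket numbers.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616: move the first four characters to the end, map A-Z to 10-35,
    and the resulting integer must leave remainder 1 modulo 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def find_ibans(text: str) -> list:
    return [m.group(0) for m in IBAN_CANDIDATE.finditer(text) if iban_checksum_ok(m.group(0))]


# Constructed custom policy: an internal project codename that must not leave.
CODENAME = re.compile(r"\bPROJECT[- ]SAMPLE\b")

TEMPLATES = {  # template name -> (finder, severity)
    "IBAN Numbers": (find_ibans, "high"),
    "Custom: project codename": (lambda t: CODENAME.findall(t), "medium"),
}
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}

REMEDIATION = {  # severity -> remediation rule (addresses are placeholders)
    "high": {"action": "encrypt", "subject_tag": "[SECURE]",
             "copy": ["dlp-admin@example.com"], "notify_sender": True},
    "medium": {"action": "quarantine", "subject_tag": "[DLP REVIEW]",
               "copy": ["supervisor@example.com"], "notify_sender": True,
               "disclaimer": "This message was held for policy review."},
    "none": {"action": "deliver"},
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def scan(msg: Message):
    """Return (overall severity, {template: [(location, match), ...]})."""
    severity, violations = "none", {}
    for name, (finder, sev) in TEMPLATES.items():
        hits = [(loc, h) for loc, text in (("subject", msg.subject), ("body", msg.body))
                for h in finder(text)]
        if hits:
            violations[name] = hits
            if SEVERITY_RANK[sev] > SEVERITY_RANK[severity]:
                severity = sev
    return severity, violations


def remediate(msg: Message, severity: str) -> dict:
    """Apply the rule for the severity and describe what the gateway would do."""
    rule = REMEDIATION[severity]
    out = {"action": rule["action"], "subject": msg.subject, "body": msg.body,
           "bcc": [], "notifications": []}
    if rule["action"] == "drop":
        return out                                  # nothing is delivered or copied
    if "subject_tag" in rule:
        out["subject"] = f'{rule["subject_tag"]} {msg.subject}'
    if "disclaimer" in rule:
        out["body"] = msg.body + "\n\n" + rule["disclaimer"]
    out["bcc"] = list(rule.get("copy", []))
    if rule.get("notify_sender"):
        out["notifications"].append(
            (msg.sender, f"Your message '{msg.subject}' matched a DLP policy; action: {rule['action']}"))
    return out


def process(msg: Message) -> dict:
    severity, violations = scan(msg)
    result = remediate(msg, severity)
    result["severity"], result["violations"] = severity, violations
    return result


if __name__ == "__main__":
    sample = Message("alice@example.com", ["bob@example.net"], "Payment details",
                     "Please wire to GB82 WEST 1234 5698 7654 32 by Friday.")  # constructed
    print(process(sample))
```

The message location of each hit is recorded alongside the match, which is the "where in the message it occurred" detail the later slide on message-level views refers to. Severity drives the remediation table, so adding a country template or tightening a threshold is a data change rather than a code change.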
37
Comprehensive Email Management
Configure Anti-Spam, Anti-Virus, Content Filters, Preventive AV, Encryption and DLP all in one user interface
38
Comprehensive, Accurate, Easy
Worldwide regulatory compliance coverage, numerous remediation options
No managing false positives
Quickly deploy and manage
39
RSA – Market & Technology Leader
Ranked as “Leader” in Gartner Magic Quadrant
Focus on accuracy: large research team staffed specifically to write and refine content policies
We have many customers in many different market segments. Currently, the world’s largest software company, the world’s largest telecommunications company, and the world’s largest retailer are RSA DLP customers. They all have some key traits in common:
They are regulated externally
They have high impact business data that it is crucial they protect; formulas and source code are good examples
They have large data stores and diverse environments
They are geographically dispersed
“RSA has strong described content capabilities enabled by a formal knowledge-engineering process” - Gartner
40
In Depth Analysis Enables Accuracy
41
Comprehensive, Accurate, Easy
Worldwide regulatory compliance coverage, numerous remediation options
No managing false positives
Quickly deploy and manage
42
Easy to Set Up Stop Sensitive Content in Seconds!
Integrated into Policy Manager One click activation of pre-loaded policies
43
Easy to Monitor Reports by severity and policy
Real time and scheduled reports available
44
Easy to See Message Level Details
Easy message search See detail of violation and where in message it occurred
45
Easy To Create Custom Policies
Name and Describe Policy Adjust Severity Categorization Define Content Scanning Specify Remediation
46
IronPort Encryption Simple Deployment Easy Policy Assignment
Gateway encrypts message
Key is stored
Message pushed to recipient
User opens Cisco IronPort PXE in browser
User authenticates and gets message key
Decrypted message is displayed
Cisco Registered Envelope Service
To explain how PXE works, we have broken up the description into two sections. The first is sending a message. The thing you want to convey here is that customers can instantly deploy PXE with a simple feature key, no additional management overhead. An email that is detected as requiring encryption would automatically be enrolled into the key management system, which is provided via the Cisco Registered Envelope Service hosted at IronPort. Then that message is pushed to the end-user, and that end-user would retrieve the key from the Cisco Registered Envelope Service and render that message in their browser. This provides for a host of central controls, because that message’s key is stored in hosted fashion. The sender can log in to the Registered Envelope Service and deal with tracking, secure reply, recall and so on. And what makes this really powerful is the fact that we, meaning IronPort, never actually store that message. All we are doing is storing the key, making it a high-performance, highly secure model for managing secure email.
Simple Deployment: No Additional Hardware Required; 3 Step Set Up
Easy Policy Assignment: Central Policies; User-Driven Policies
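The flow described above separates two things: the ciphertext travels to the recipient as a push envelope, while only the per-message key sits with the hosted service, which is what makes recall and tracking possible without the service ever holding the message. The following is an added example, not IronPort or Cisco code and not the PXE implementation, that models that split end to end: a gateway that encrypts and deposits the key, a key service that authenticates recipients, records opens, and honours recall, and a recipient side that fetches the key and decrypts locally. The cipher is a SHA-256 counter keystream with an HMAC tag standing in for a real AEAD so the block runs on the standard library alone; the user, passphrase, message id and message text are constructed.

```python
"""Model of a push-envelope flow with hosted per-message keys.
Added example, not IronPort/Cisco code; toy cipher stands in for a real AEAD."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter mode: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (off // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class Envelope:
    """What travels to the recipient: ciphertext and tag, never the key."""
    message_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class RegisteredEnvelopeService:
    """Hosted key store: per-message keys, recipient credentials and an audit
    trail, but no message bodies (the point the speaker notes stress)."""

    def __init__(self):
        self._keys = {}    # message_id -> (key, authorised recipient)
        self._users = {}   # email -> (salt, PBKDF2 hash of passphrase)
        self.audit = []    # (event, message_id, email), the basis for tracking

    def register_user(self, email: str, passphrase: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000))

    def store_key(self, message_id: str, key: bytes, recipient: str) -> None:
        self._keys[message_id] = (key, recipient)

    def fetch_key(self, message_id: str, email: str, passphrase: str):
        creds = self._users.get(email)
        if creds is None:
            return None
        salt, expected = creds
        if not hmac.compare_digest(expected, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)):
            self.audit.append(("auth_failed", message_id, email))
            return None
        entry = self._keys.get(message_id)
        if entry is None or entry[1] != email:      # recalled, unknown, or not the addressee
            self.audit.append(("denied", message_id, email))
            return None
        self.audit.append(("opened", message_id, email))
        return entry[0]

    def recall(self, message_id: str) -> None:
        """Sender-side recall: drop the key and the envelope becomes unreadable."""
        self._keys.pop(message_id, None)


def gateway_encrypt(service, message_id: str, recipient: str, plaintext: bytes) -> Envelope:
    key, nonce = secrets.token_bytes(32), os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    service.store_key(message_id, key, recipient)   # only the key goes to the service
    return Envelope(message_id, nonce, ciphertext, tag)


def recipient_open(service, env: Envelope, email: str, passphrase: str):
    """Browser-side open: authenticate, fetch key, verify tag, decrypt. None on any failure."""
    key = service.fetch_key(env.message_id, email, passphrase)
    if key is None:
        return None
    expected = hmac.new(key, env.nonce + env.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env.tag):
        return None                                   # envelope altered in transit
    return keystream_xor(key, env.nonce, env.ciphertext)


def demo():
    """Constructed walk-through: normal open, wrong passphrase, tampered envelope, recall."""
    svc = RegisteredEnvelopeService()
    svc.register_user("bob@example.net", "constructed-passphrase")
    env = gateway_encrypt(svc, "msg-0001", "bob@example.net", b"Quarterly numbers attached.")
    ok = recipient_open(svc, env, "bob@example.net", "constructed-passphrase")
    bad_pass = recipient_open(svc, env, "bob@example.net", "guess")
    tampered = Envelope(env.message_id, env.nonce,
                        env.ciphertext[:-1] + bytes([env.ciphertext[-1] ^ 1]), env.tag)
    altered = recipient_open(svc, tampered, "bob@example.net", "constructed-passphrase")
    svc.recall("msg-0001")
    recalled = recipient_open(svc, env, "bob@example.net", "constructed-passphrase")
    return ok, bad_pass, altered, recalled
```

Two properties of the design are visible in the code rather than just asserted: the service object never receives a ciphertext, so a compromise of the key store alone yields no message content, and every open or refusal lands in the audit list, which is the raw material for the tracking and recall features the notes mention.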
47
Detecting Pornography How does the technology work?
11 different detection methods to determine if an image is pornographic:
Image Cleanup
Skin Detection
Background Elimination
Edge Detection
Body Part Separation
Curvature Identification
Negative Curvature Rejection
Body Part Elimination
Face Detection
Body Part Layout
Decision: INAPPROPRIATE
48
Spend Less Time Managing
Categories: by Domain, Username, or LDAP
IT: Allow all media files; Quarantine executables
SALES: Mark and Deliver Spam; Delete Executables
Security Manager For Configuration
We start by offering a simple 5 Step Setup Wizard that gets the product installed in under 30 minutes. After the product is operational, customers typically want to set policies for their organization. One thing that is true in this business is that one size does not fit all when it comes to security policies. Customers want to have a unique policy depending upon who the user is, what LDAP group they are in or even what domain they belong to. The IronPort Security Manager provides that level of policy assignment. The administrator can determine, based off of a variety of settings, what policies the end-user is going to get for anti-spam, anti-virus, content filters and virus outbreak filters. This is all made possible in one easy to use, easy to manage dashboard.
After the policies are established, administrators need the ability to track messages and create reports. Our integrated message tracker gives customers the ability to discover what happened to a message. If your CEO calls and demands an answer to the question ‘I was expecting a message from a major customer but it hasn’t arrived, what happened to it?’ you can log into the tracker, enter his address and be presented with all the email he received and what the final disposition was.
Lastly, Real Time Reporting is another very important management tool. We make it easy for customers to have real-time access into the security trends and data loss trends in the network. We will make this data available via scheduled, automatic delivery of the reports, or also via export. We recognize that we may not have all the reports that a customer wants integrated onto the appliance, but we make it possible to export that data in comma-separated value format so that the customer can take that data and manipulate it as they see fit.
Real Time Reporting
49
IronPort Email Security Monitor™ Advanced Reporting System
Integrated Real-Time Graphical Reports CSV Export Scheduled Delivery PDF® Output Security Monitor™
50
“What Happened to my e-mail???”
“What Happened to my email???” Easily Answered by IronPort Message Tracking
Provide Administrators a powerful tool to check the status of any email passed through IronPort C-Series Appliances:
Who sent the email?
Which Policy has been used with the email?
Was it spam?
Did it contain any virus?
Did it violate any company policy?
Has it been delivered? Delivered to whom?
Cisco originally came to IronPort for the power of their MTA platform to solve routing issues within their large network. Content scanning was the next application they used, and now they have standardized on IronPort infrastructure world wide. They use IronPort at 8 locations in almost as many countries, using Security Manager to track policies for different individuals.
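The list of questions above is what a tracking tool has to answer from gateway logs, and the M-Series slide later on makes the same point from the other side: without a central view, an administrator greps log files across several appliances by hand. The following is an added example, not IronPort code, of that reconstruction: it groups log events by appliance and message id, then answers who sent the message, which policy applied, the spam and virus verdicts, and the final disposition for one recipient across two appliances. The key=value log format and every log line are constructed for the example and are not the appliance's real log format; hosts, message ids and addresses are placeholders.

```python
"""Answering 'what happened to my email?' from constructed gateway log lines.
Added example, not IronPort code; the log format below is invented."""
from collections import defaultdict

# Constructed sample log spanning two appliances (esa1, esa2). Not a real format.
LOG = """\
2008-10-13T09:01:02 host=esa1 mid=1001 event=received sender=alice@example.com rcpt=joe@example.com
2008-10-13T09:01:02 host=esa1 mid=1001 event=policy name=SALES
2008-10-13T09:01:03 host=esa1 mid=1001 event=antispam verdict=negative
2008-10-13T09:01:03 host=esa1 mid=1001 event=antivirus verdict=negative
2008-10-13T09:01:04 host=esa1 mid=1001 event=delivered to=joe@example.com
2008-10-13T09:05:10 host=esa2 mid=2001 event=received sender=bigcustomer@example.net rcpt=joe@example.com
2008-10-13T09:05:10 host=esa2 mid=2001 event=policy name=DEFAULT
2008-10-13T09:05:11 host=esa2 mid=2001 event=antispam verdict=negative
2008-10-13T09:05:11 host=esa2 mid=2001 event=antivirus verdict=negative
2008-10-13T09:05:12 host=esa2 mid=2001 event=contentfilter name=IP_Protection action=quarantine
2008-10-13T09:07:30 host=esa2 mid=3001 event=received sender=spam@example.org rcpt=joe@example.com
2008-10-13T09:07:30 host=esa2 mid=3001 event=antispam verdict=positive action=dropped
2008-10-13T09:09:00 host=esa1 mid=1002 event=received sender=alice@example.com rcpt=ann@example.com
2008-10-13T09:09:01 host=esa1 mid=1002 event=delivered to=ann@example.com
"""


def parse_line(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict with the timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def group_messages(log_text: str) -> dict:
    """Group events by (appliance, message id); mids are only unique per appliance."""
    msgs = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            msgs[(rec["host"], rec["mid"])].append(rec)
    return msgs


def disposition(events: list) -> str:
    """Final disposition from the last decisive event; 'in progress' if none."""
    for e in reversed(events):
        if e["event"] == "delivered":
            return f"delivered to {e['to']}"
        if e["event"] == "contentfilter" and e.get("action") == "quarantine":
            return f"quarantined by content filter {e['name']}"
        if e["event"] == "antispam" and e.get("verdict") == "positive":
            return f"{e.get('action', 'handled')} as spam"
        if e["event"] == "antivirus" and e.get("verdict") == "positive":
            return f"{e.get('action', 'handled')} as virus positive"
    return "in progress (no final event logged)"


def first_value(events: list, event: str, key: str, default: str) -> str:
    return next((e[key] for e in events if e["event"] == event and key in e), default)


def track(log_text: str, recipient: str) -> list:
    """Every message addressed to `recipient`, oldest first, with the answers
    to the slide's questions: sender, policy, spam, virus, disposition."""
    results = []
    for (host, mid), events in group_messages(log_text).items():
        received = next((e for e in events if e["event"] == "received"), None)
        if received is None or received.get("rcpt") != recipient:
            continue
        results.append({
            "host": host, "mid": mid, "time": received["ts"], "sender": received["sender"],
            "policy": first_value(events, "policy", "name", "none"),
            "spam": first_value(events, "antispam", "verdict", "not scanned"),
            "virus": first_value(events, "antivirus", "verdict", "not scanned"),
            "disposition": disposition(events),
        })
    return sorted(results, key=lambda r: r["time"])


if __name__ == "__main__":
    for row in track(LOG, "joe@example.com"):
        print(row)
```

Grouping on the (host, mid) pair rather than the mid alone is the detail that matters once logs from several appliances are merged, since each appliance numbers its own messages; it is also why a central aggregator saves the manual cross-referencing the M-Series notes describe.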
51
Management Capabilities IronPort Spam Quarantine
Flexible deployment: On-box or consolidated quarantine (M-Series); Use with Brightmail or IronPort Anti-Spam
Full featured: Authenticate users against LDAP, AD, or IMAP/POP; Automatic disk space management; Supports double-byte messages; Features to support regulatory archiving
In the end though, a spam quarantine is a crutch for a poor spam engine. IronPort’s accuracy is such that most customers stop using the quarantine after only a couple of weeks. IronPort also offers a fully-featured, centralized end-user spam quarantine. This can be deployed by customers using either Brightmail or IronPort Anti-Spam. Given the exceptionally low false-positive rate of these solutions, a quarantine is not required for most customer deployments, but some customers may use the quarantine to:
Reduce groupware load: keep suspected spam off the expensive Exchange servers
Lower admin overhead: self service, self managing, zero administration
Provide a “cushion” for mail that may have been improperly marked
The IronPort Anti-Spam quarantine includes all of the functionality you’d expect from an end user quarantine (LDAP authentication, an easy-to-use web interface, search capabilities, digests, etc.) along with some unique capabilities such as authentication via POP/IMAP, which simplifies the management of usernames and passwords for smaller organizations without LDAP. The quarantine can be deployed ‘on-box’ on a single appliance or as a centralized quarantine for multiple IronPort appliances.
52
IronPort M-Series™ Security Management Appliances
Centralized, self-managing quarantine appliance Provides complete end-user self-service, drives down administrator load Restrict message body viewing for regulatory compliance
53
IronPort M-Series Centralized Reporting and Message Tracking
Aggregated IronPort Security Monitor reports available on a central IronPort M-Series interface
Helps administrators answer help desk calls quickly and easily: “Joe sent me an email, but I never received it.”
Easier alternative to searching log files
Gives one place to search for messages across different appliances
An important enhancement to the management tools for the appliance has been the introduction of reporting and tracking on the M-Series. The IronPort M-Series aggregates reports from multiple appliances and makes them available via one centralized interface. It does the same thing with message tracking. Message tracking gives the administrator the ability to determine what happened to a message, that is, what the final disposition of that message was. Most customers deploy two to ten appliances, and the M-Series gives them centralized access into all of those for reporting and tracking needs. Without a feature like the M-Series, customers would have to scan the log files, grep and search and do a lot of detailed analysis to determine what happened to which message and which appliance it went through. The M-Series removes that burden by taking all that data, centralizing it and providing it in one easy to use interface.
54
Thai Military Bank Challenge: The IronPort solution:
Challenge:
The existing system can’t keep up with new threats like spam, viruses, phishing, etc.
Use ISP gateway as the first line of defense (Barracuda)
Reliability for both inbound and outbound
The IronPort solution:
Powerful, first line of defense for Lotus Notes
Block over 75% of the emails that Barracuda couldn’t catch
LDAP integration with Lotus Notes LDAP capability
Reports for security audits
Manageability, scalability, and reliability
55
Thai Military Bank
56
IronPort Customer Snapshot Over 95% of Our Customers Use IronPort to Define Acceptable Use Policies
Regulated Industries | Retail | All-Comers | Financial | Health Care
Use this slide to highlight some interesting data points: “This slide shows just a few of many IronPort customers that benefit from our Content Security features. Here are some interesting data points our research has shown:” Intellectual property protection is particularly important in the Technology sector. In fact, over 80% of our technology customers use content filters for intellectual property protection. Regulatory compliance requirements are the key motivators for Content Security in the Financial and Healthcare sectors. Acceptable use policy, on the other hand, is applicable and important across the board. Virtually every IronPort customer uses our technology to define acceptable use policies for email.
57
Bundled: Spam Defense + Virus Defense + Compliance Filters
+ Authentication + Management Tools Optional: Encryption, McAfee, Image Analysis, RSA DLP Calculated Based on # Users
58
From Identity Stealing
360 Degrees of Protection
Protect Employees From Identity Stealing Malware and Phishing
Protect Company From Identity Data Leaks
Cisco IronPort Email Security Solution: Inbound Security | Outbound Control
Anti-Spam: SenderBase Reputation Filtering; IronPort Anti-Spam (IPAS)
Anti-Virus: Virus Outbreak Filters (VOF); McAfee Anti-Virus; Sophos Anti-Virus
RSA DLP: 100+ predefined DLP policies; Accurate; Easy to Implement
Encryption: Secure Message Delivery; Transport Layer Security
59
Q & A Thank You.