1. WebFilter/WebPulse Overview – September 2008 version.
Copyright © 2008 Blue Coat Systems, Inc.
2. 2 Agenda
New web content challenges
Cybercrime offense
Enterprise defense
Cloud service architecture
WebPulse cloud service
Hybrid web gateway solution
Layered defenses
Summary
This presentation will focus on changing web content challenges, new cloud services that provide a community watch benefit, and how web filtering and content controls are part of a complete layered defense.
3. 3 New Web Content Challenges
Malware in popular web sites
Newly published web content
Remote users
Unrated sites
Web content today presents a new maze of challenges.
In the past, a web site was rated once, users could be tracked visiting it and we could block access to objectionable and unproductive sites if so desired. The web was a productivity issue and HR and managers needed to track employee use.
Today, a popular news or retail web site can be the source of a hidden malware download. A year ago, approximately 70% of malware was served from trusted web sites; today that figure has escalated to over 90%, according to the Sophos Labs July 2008 threat report.
The web has also become a two-way publishing environment with new content emerging every minute.
And our idea of a perimeter is dissolving as more and more employees use laptops in remote locations and work at various hours of the day. They need web content controls and protections similar to those of the WAN-based employee behind a web gateway.
Lastly, the once ignored area of unrated sites has become a loophole for cybercrime to exploit. Most web gateways “allow” unrated sites to pass through. What is your policy for unrated sites?
4. 4 CyberCrime Offense
Leveraging the web as a computing grid
Continuous vulnerability analysis
Expand and collect information for profit
Web-based attacks increasing
Cybercriminals have turned the web into their own computing grid of free resources to continuously analyze PCs, servers and web sites for vulnerabilities, to expand their reach and collect information for profit. PCs are turned into “bots” and managed as “botnets” to serve their creators or to be rented out. Available and often unprotected university servers act as malware drop sites. And even more important to the cybercrime computing grid is the use of popular and trusted websites to inject malware download scripts to infect more users by the minute.
Since mid-2007, web-based attacks have overtaken email threats and continue to grow at three times the previous year’s rate. New malware variations are down; however, the number of injections into popular and trusted web sites is increasing. Cybercrime is very successful with the tools it has and is expanding its reach every day.
USA Today – August 2008 – “Cybercrime is valued at $100B, larger than drug trafficking”
5. 5 Enterprise Defense
Individual network castles
Static & signature-based defenses
One against the web
Losing the battle
While cybercrime is using the web as a computing grid, enterprises continue to build individual network castles in a “one against the web” architecture. Even today’s Security SaaS (Software as a Service) solutions use this architecture, where the actions of one user provide no benefit to others.
Traditional static and signature-based defenses (firewall, IDS, AV and URL lists) are losing the battle against the cybercrime computing grid that leverages users’ trust in popular web sites. Also, the idea of scanning all web traffic is becoming less effective as attacks are cloaked in encryption wrappers and obfuscation techniques, making them nearly impossible to detect when stored on malware hosts and transparently transferred to users.
Defense update cycles that run once or twice per day are not fast enough to block today’s web threats.
And our traditional network castles cannot be dragged to airports, coffee shops, hotels or meeting venues to protect a growing population of remote users.
The enterprise defense architecture has to change and adapt to new web threats.
6. 6 Cloud Service Architecture
Unite all users into a computing grid
Larger profile of web content
More defenses
Cost effective
Cloud services that act as a computing grid to unite millions of users together as a defense mirror a common practice in nature – protection in numbers.
Cloud services are exposed to a much larger profile of web content than any one enterprise. This volume of web content and repetition of popular web sites enables community watch cloud services to detect web threats and rate web content for the benefit of all users in the community.
Cloud services can also deploy more defenses than any one enterprise could afford, making the solution cost effective for all participants.
Cybercrime leverages the web as a computing grid; it only makes sense that a defense should follow suit.
7. 7 WebPulse Cloud Service
Malware detection
Web content analysis & ratings
Reputation analysis
Real-time rating service
The Blue Coat cloud service is called WebPulse.
WebPulse recently reached a new milestone of analyzing over 1B user requests per week, or over 150M user requests per day. WebPulse is 100% user request driven for relevance. In other words, what the computing grid requests is what the computing grid analyzes.
The WebPulse cloud service unites Blue Coat web gateways and remote users into a computing grid to detect malware, rate new web content, and analyze site reputations. As a cloud service it uses multiple threat engines, machine analysis and web hunters, plus human raters to ensure quality ratings. These defenses together would not be practical or affordable for a single enterprise; however, when provided as a cloud service, they are cost effective for any size organization.
The WebPulse cloud service also provides a real-time web content rating service to categorize newly published or previously unrated web content.
All WebPulse ratings feed into the WebFilter URL database, and that leads to the concept of a Hybrid Web Gateway on the next slide.
8. 8 Hybrid Web Gateway
Links web gateway into cloud service
More malware defenses
Offloads processing
Extends to remote clients
Linking the WebPulse cloud service with the ProxySG web gateway creates a hybrid web gateway solution.
The cloud service provides more malware defenses than possible on the web gateway and even more importantly it offloads the processing load to detect malware and rate new web content from the web gateway. ProxySG runs faster and more defenses are provided.
The cloud service even extends to remote users. ProxyClient for enterprise users provides central policy controls and reporting with a real-time relationship to the WebPulse cloud service. K9 is our home parenting solution and uses the full strength cloud service to block malware and rate web content for families on the web.
What is most important about this diagram are the feeds into the WebPulse cloud service.
ProxySG provides unrated sites, or what we call the “tail-end” of the web into the cloud service. ProxyClient and K9 provide popular web sites, or what we call the “big-head” of the web into the cloud service. Together this provides over 1B user requests per week to background analyze for malware, web threats, reputations and rating new web content. The key to the cloud service is a tremendous volume of web content and repetition of popular web sites to continuously detect hidden malware and protect all users in the community watch.
WebFilter has over 50M users and ProxySG has over 40,000 appliances deployed; this creates a very large community watch computing grid unmatched by any competitor.
9. 9 New Malware Defense
WebPulse 5min updates to WebFilter
Immediate updates to ProxyClient and K9
Analyzes over 1B user requests per week
New to our ProxySG solution with the SGOS v4.3 operating system is the ability to request 5 minute updates from the WebPulse cloud service into WebFilter. These 5 minute updates are for malware and web threat categories. Non-threat category updates for WebFilter continue to be provided several times per day. This faster update cycle closes the time span between the cloud service and the ProxySG web gateway to block new malware hosts and web threats. Currently Blue Coat has three WebPulse cloud service operations centers to serve global customers and is in the process of adding a fourth.
Note that ProxyClient and K9 benefit immediately from any newly detected malware hosts with no update cycles required; they utilize the cloud service in real time.
This new malware defense changes the enterprise web gateway architecture.
Rather than analyzing all web content requested by users at the web gateway with limited resources and defenses, the hybrid gateway offloads the web gateway by using the cloud service, which sees more web content, leverages more defenses and blocks malware very efficiently per web request. As noted earlier, inline detection is becoming less effective due to attack cloaking techniques that mask threats from detection by web gateways. Community watch cloud services are changing web gateway defenses for the better and allowing web gateways to perform faster.
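The update cycles described on this slide, modelled as a small simulation. This is an added example, not Blue Coat or SGOS code: a cloud rating service that publishes new ratings, a gateway that pulls threat categories every 5 minutes and all other categories every 12 hours (a constructed stand-in for "several times per day"), a gateway limited to twice-daily pulls, and a client that asks the cloud on every request. The hostnames, the detection time and the 12-hour full-update interval are constructed assumptions; the output is the minute at which each enforcement point first blocks a newly detected malware host, and when a non-threat recategorisation becomes visible.

```python
from dataclasses import dataclass, field

THREAT_CATEGORIES = {"malware", "phishing"}


@dataclass
class CloudRatingService:
    """Constructed stand-in for the master rating database in the cloud.
    Each host maps to (category, minute at which the rating was published)."""
    ratings: dict = field(default_factory=dict)

    def publish(self, host, category, minute):
        self.ratings[host] = (category, minute)

    def changes(self, since, until, threat_only):
        """Ratings published in the window (since, until]. The 5-minute feed
        carries only threat categories, so callers can restrict to those."""
        return {
            host: cat
            for host, (cat, published) in self.ratings.items()
            if since < published <= until and (not threat_only or cat in THREAT_CATEGORIES)
        }

    def lookup(self, host, minute):
        cat, published = self.ratings.get(host, ("unrated", None))
        return cat if published is not None and published <= minute else "unrated"


@dataclass
class PollingGateway:
    """Appliance with a local copy of the database: threat categories pulled every
    `threat_interval` minutes, everything else every `full_interval` minutes.
    Lookups must be made in non-decreasing time order."""
    cloud: CloudRatingService
    threat_interval: int
    full_interval: int
    local: dict = field(default_factory=dict)
    _threat_pulled: int = 0
    _full_pulled: int = 0

    def _catch_up(self, minute):
        # Apply every scheduled pull that falls at or before `minute`, one at a time.
        while self._threat_pulled + self.threat_interval <= minute:
            prev, self._threat_pulled = self._threat_pulled, self._threat_pulled + self.threat_interval
            self.local.update(self.cloud.changes(prev, self._threat_pulled, threat_only=True))
        while self._full_pulled + self.full_interval <= minute:
            prev, self._full_pulled = self._full_pulled, self._full_pulled + self.full_interval
            self.local.update(self.cloud.changes(prev, self._full_pulled, threat_only=False))

    def lookup(self, host, minute):
        self._catch_up(minute)
        return self.local.get(host, "unrated")


@dataclass
class RealTimeClient:
    """Remote client that queries the cloud on every request (no update cycle)."""
    cloud: CloudRatingService

    def lookup(self, host, minute):
        return self.cloud.lookup(host, minute)


def first_minute_with_category(enforcer, host, category, horizon):
    """First minute in 0..horizon at which `enforcer` returns `category` for `host`."""
    for minute in range(horizon + 1):
        if enforcer.lookup(host, minute) == category:
            return minute
    return None


def exposure_windows():
    """Constructed timeline: a malware host and a non-threat recategorisation are
    both published at minute 7. Returns when each enforcement point sees them."""
    cloud = CloudRatingService()
    cloud.publish("cdn.evil-example.test", "malware", minute=7)   # constructed host
    cloud.publish("newgames.example.test", "games", minute=7)     # constructed host

    def hybrid():  # 5-minute threat feed plus a twice-daily full pull (constructed interval)
        return PollingGateway(cloud, threat_interval=5, full_interval=720)

    legacy = PollingGateway(cloud, threat_interval=720, full_interval=720)  # twice-daily only
    client = RealTimeClient(cloud)
    horizon = 1440
    evil, games = "cdn.evil-example.test", "newgames.example.test"
    return {
        "malware_blocked_at": {
            "hybrid_gateway": first_minute_with_category(hybrid(), evil, "malware", horizon),
            "legacy_gateway": first_minute_with_category(legacy, evil, "malware", horizon),
            "realtime_client": first_minute_with_category(client, evil, "malware", horizon),
        },
        "games_rated_at": {
            "hybrid_gateway": first_minute_with_category(hybrid(), games, "games", horizon),
            "realtime_client": first_minute_with_category(client, games, "games", horizon),
        },
    }


if __name__ == "__main__":
    print(exposure_windows())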
10. 10 Leading 3rd Party Features
Websense ThreatSeeker 5min updates
Smart Filter reputation & CGI-based ratings
Also in the ProxySG update for SGOS v4.3 we have included new third party feature support for deployment flexibility.
If customers choose to use Websense for URL filtering on ProxySG and the ThreatSeeker cloud service, ProxySG provides a 5 minute update check option for RTSUs (Real-Time Security Updates) from Websense. The ThreatSeeker cloud service analyzes approximately 600M sites per week using a blend of customer requests and web crawlers.
ProxySG also supports the latest Secure Computing SmartFilter features. Reputation ratings per category or site are now supported in policy controls, plus CGI-based ratings for search term controls. Secure Computing does not provide a cloud service community watch solution.
Overall ProxySG provides support for seven URL lists with the ability to run three URL lists in parallel. Often customers will run a commercial URL list, a sealed IWF URL list to block child porn, and a custom allow/deny URL list for their network.
ProxySG provides the most deployment flexibility by supporting seven URL lists, four inline threat detection engine choices and six data loss prevention (DLP) integration options. No other web gateway provides the performance, scale and deployment flexibility of ProxySG.
11. 11 Blue Coat Layered Defenses
Stepping back to look at the larger picture of layered defenses for a web gateway, you can see how the cloud service sits on top to address the bulk of malware injected into popular and trusted web sites.
Blue Coat WebFilter provides over 70 categories, supports over 50 languages, has over 50M users, plus the WebPulse cloud service analyzes over 1B user requests per week to keep WebFilter updated and relevant. Visibility into web content and traffic is provided by Blue Coat Reporter with over 150 pre-defined reports and a customizable dashboard with drill-down analysis features.
The second layer of inline threat detection provides protection for areas where the cloud service lacks visibility. Web mail attachments and software downloads, plus SSL traffic inspection are key examples where a web gateway with inline threat detection provides an extra layer of defense before web content arrives on the desktop or laptop. Performance features allow inline threat analysis to scale for large user audiences with the Blue Coat web gateway solution.
The third layer of web application controls (e.g. IM & P2P) and web content controls is very important. Suspicious (poor reputation) and unrated websites should not be allowed to download files onto user desktops. Attacks use the loophole that unrated sites are often allowed in policy controls; this should not be the case.
The fourth layer to control data leakage integrates with the third layer. Why deploy DLP and leave a web application like Skype active, when it provides an open doorway to the web using proprietary encryption that does not allow inspection? DLP is only as good as the web application controls provided by a web gateway.
And finally, the fifth layer protects remote users. The community watch cloud service provides an enhanced layer of protection over existing laptop defenses, plus central policy management and reporting when users are on networks you do not control.
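A policy evaluation in the spirit of the third and fourth layers, and of the three parallel URL lists from the earlier slide, as an added example that is not Blue Coat or ProxySG code. It consults a custom allow/deny list, a sealed block list standing in for the IWF list, and a commercial category list, adds a reputation score and a web application control, and compares a permissive policy that lets unrated sites through with a hardened policy that blocks downloads from unrated and poor-reputation hosts and blocks uninspectable applications once DLP is deployed. The hosts, the 0 to 10 reputation scale, the threshold of 4 and the application set are all constructed; the ordering of the checks is this example's own choice, made so that a custom allow entry can exempt an internal site but can never override the sealed list or a threat category.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

THREAT_CATEGORIES = {"malware", "phishing", "spyware"}
# Applications whose proprietary encryption defeats gateway and DLP inspection (constructed set).
UNINSPECTABLE_APPS = {"skype", "p2p"}


@dataclass(frozen=True)
class Request:
    host: str
    is_download: bool = False          # response would be saved or executed on the desktop
    application: Optional[str] = None  # "skype", "p2p", "im", ...; None for plain browsing


@dataclass
class UrlLists:
    custom_allow: set = field(default_factory=set)
    custom_deny: set = field(default_factory=set)
    sealed_block: set = field(default_factory=set)   # stand-in for the sealed IWF list
    commercial: dict = field(default_factory=dict)   # host -> category
    reputation: dict = field(default_factory=dict)   # host -> 0 (worst) .. 10 (best), constructed scale


@dataclass(frozen=True)
class Policy:
    block_unrated_downloads: bool
    block_poor_reputation_downloads: bool
    dlp_enabled: bool
    reputation_threshold: int = 4        # below this a host counts as suspicious (constructed)
    block_unrated_browsing: bool = False


PERMISSIVE = Policy(block_unrated_downloads=False, block_poor_reputation_downloads=False, dlp_enabled=False)
HARDENED = Policy(block_unrated_downloads=True, block_poor_reputation_downloads=True, dlp_enabled=True)


def decide(req: Request, lists: UrlLists, policy: Policy) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one request under one policy."""
    category = lists.commercial.get(req.host, "unrated")
    score = lists.reputation.get(req.host)

    if req.host in lists.custom_deny:
        return "block", "custom deny list"
    if req.host in lists.sealed_block:
        return "block", "sealed block list"
    if category in THREAT_CATEGORIES:
        return "block", f"threat category: {category}"
    if req.host in lists.custom_allow:          # business exception, after the hard blocks
        return "allow", "custom allow list"
    if policy.dlp_enabled and req.application in UNINSPECTABLE_APPS:
        return "block", f"application control: {req.application} bypasses DLP inspection"
    if category == "unrated":
        if req.is_download and policy.block_unrated_downloads:
            return "block", "download from unrated site"
        if policy.block_unrated_browsing:
            return "block", "unrated site"
    if (req.is_download and policy.block_poor_reputation_downloads
            and score is not None and score < policy.reputation_threshold):
        return "block", f"download from poor-reputation site (score {score})"
    return "allow", f"category {category}"


# Constructed sample lists and requests.
SAMPLE_LISTS = UrlLists(
    custom_allow={"intranet.corp-example.test"},
    custom_deny={"gamble.example.test"},
    sealed_block={"sealed-entry.example.test"},
    commercial={"news.example.test": "news", "cdn.evil-example.test": "malware",
                "downloads.example.test": "software"},
    reputation={"news.example.test": 9, "downloads.example.test": 2},
)

SAMPLE_REQUESTS = [
    Request("news.example.test"),
    Request("cdn.evil-example.test", is_download=True),
    Request("brand-new-site.example.test", is_download=True),  # on no list at all
    Request("downloads.example.test", is_download=True),       # rated, but poor reputation
    Request("intranet.corp-example.test", is_download=True),   # unrated, business exception
    Request("voip.example.test", application="skype"),
    Request("gamble.example.test"),
    Request("sealed-entry.example.test"),
]


def compare_policies(requests=SAMPLE_REQUESTS, lists=SAMPLE_LISTS):
    """Map each host to its (permissive, hardened) verdict."""
    return {r.host: (decide(r, lists, PERMISSIVE)[0], decide(r, lists, HARDENED)[0]) for r in requests}


if __name__ == "__main__":
    for host, (loose, strict) in compare_policies().items():
        print(f"{host:32} permissive={loose:6} hardened={strict}")
```

The two hosts whose verdict flips between the policies are exactly the loophole the slide describes: a download from a site nobody has rated yet, and a download from a rated but poor-reputation site. The real-time rating service mentioned earlier shrinks the unrated set, but it does not remove the need for the download rule.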
12. 12 Summary
URL filtering is changing
New cloud service defense against malware
Real-time web content rating service
Extends to remote users
Community watch cloud services leverage the web as a computing grid to analyze more web content with more defenses than any one organization can deploy and manage. Static URL filtering is not a viable defense for today’s web content.
Web defenses are evolving and URL filtering is changing to meet the challenges.
13. 13 MORE DETAILS
Details on SWG Solution & WebFilter
These slides provide a diagram of the Blue Coat Secure Web Gateway (SWG) solution which may help in answering questions, plus a summary of WebFilter with diagrams and feature details.
14. 14 The key components of the Blue Coat SWG solution are numbered above for discussion during Q&A sessions.
15. 15 WebFilter Provides
On-proxy URL list with 5min update service
ProxySG supports three URL lists (e.g. commercial, IWF, custom)
ProxyClient remote web filtering agent
No fees or licensing, centralized policy & reporting
K9 remote web filtering agent
Internet parenting solution, no fees with email support
WebPulse Cloud Service:
Rating Servers with real-time update cycles
Real-time web content rating service (DRTR)
Background processes for malware and web content analysis (over 150M requests per day)
100% user driven ecosystem for relevance
Public ‘sitereview’ on ratings with 1 day resolution on disputes
Here is a summary slide of the WebFilter solution.
WebPulse unites Blue Coat ProxySG gateways and clients into a community watch. WebPulse is 100% user driven for relevance.
ProxyClient has no fees or licensing; it requires Blue Coat WebFilter on ProxySG for deployment and provides central policy management and reporting.
K9 has no fees and uses a simple license sent via email to new users. Administration and reporting are local to the system K9 is deployed upon.
16. 16 WebPulse Community Watch
The WebPulse ecosystem is driven by over 150M user requests per day (or 1B per week) that make WebFilter relevant, accurate and dynamic for URL filtering.
Real-time ratings cover 98% of objectionable content sites in multiple languages, plus phishing kit detection and the ability to search deep into translation services, image searches, and cached search engine content for an accurate rating not found with static URL filtering solutions.
WebPulse acts as a cloud service by combining user requests from K9, ProxyClient, ProxySG appliances, and requests from Service Provider deployments of ProxySG with WebFilter.
All requests are analyzed in background processes for malware, web threats, reputations and new web content ratings. Five minute updates are provided to ProxySG appliances with WebFilter, and clients have a real-time relationship with the WebPulse cloud service.
No other web filtering solution matches the volume, features and capabilities.
17. 17 WebPulse Cloud Service
Looking inside the WebPulse cloud service, three key areas are on the diagram above.
The Rating Service is the master WebFilter URL database in the cloud for all remote clients and web gateways.
The Dynamic Real-Time Rating (DRTR) service is optional and provides a real-time analysis of unrated web content. This is very useful for objectionable or adult content that advertises itself and is often provided on newly created web sites and pages. DRTR does not provide malware analysis.
All malware, web threat, reputation and final web content ratings are completed in the background rating processes in the diagram above. As a community watch solution, the value of these processes is the volume of web traffic they analyze and the repetition to review popular and trusted websites continuously for malware injection attacks. The cloud sees more web traffic and uses more defenses than any one organization could deploy and manage.
WebPulse unites Blue Coat web gateways and clients into a computing grid defense.