
Websense releases 10 new defenses focused on trends

9-Jul-2012 - Websense has released 10 new defenses, focused on stopping advanced malware and data theft.

“Over the past 18-24 months advanced malware incidents are heating up... it’s probably the worst I’ve seen in frequency and severity of events,” said Patrick Murray, senior director of product management and marketing.  

“We’ve been working with Patrick’s (Ruald, director security research) team to learn how malware works, and figure out methods of thwarting these attacks. Our aim is to shore up the product in terms of protection from infection. Also we’re trying to detect behavior of clients infected and sending data out. We’re basing our solutions on trends we’re seeing.”

How do you know when you’ve been compromised?

After infecting a computer or network, criminals tend to use non-standard encryption methods to send the data back to themselves. Websense refers to this as “criminal encryption”.

“Because we have a DLP engine in our gateway, we can examine the encryption on outbound transmission,” Murray said. “If it’s non-standard – because our product decrypts standard encryption – we know it’s indicative of a malicious attack in progress, either by an insider or botnet controlled client.”
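The heuristic behind "criminal encryption" is that standard encryption (TLS) has recognisable framing and can be decrypted by the gateway, whereas a custom-encrypted blob is high-entropy bytes with no recognisable protocol. The block below is an added illustration, not Websense's code: it recognises TLS record framing, measures Shannon entropy on everything else, and flags opaque high-entropy payloads. The entropy threshold, the gateway behaviour of merely recognising TLS rather than decrypting it, and the three sample payloads are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Hypothetical tuning value: bits per byte above which a payload that is not a
# recognised protocol is treated as "criminal encryption". A real gateway would
# tune this per protocol and port; 7.0 is an assumption for this example.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls_record(data: bytes) -> bool:
    """True if the first bytes form a plausible TLS record header
    (content type 0x14-0x17, record version 3.0 through 3.4)."""
    return (
        len(data) >= 5
        and data[0] in (0x14, 0x15, 0x16, 0x17)
        and data[1] == 0x03
        and data[2] <= 0x04
    )


def classify_outbound(data: bytes) -> str:
    """Classify an outbound payload as 'standard-tls', 'plaintext' or
    'nonstandard-encrypted'. A real DLP gateway would decrypt standard TLS and
    inspect the plaintext; here the TLS branch only recognises the framing."""
    if looks_like_tls_record(data):
        return "standard-tls"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "nonstandard-encrypted"
    return "plaintext"


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for a
    custom-encrypted exfiltration blob. Constructed test data, not a cipher."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# --- constructed sample payloads ---
HTTP_POST = (
    b"POST /crm/export HTTP/1.1\r\nHost: crm.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=Alice+Example&phone=555-0100&account=ACCT-0001\r\n"
) * 8
# Handshake record header (type 0x16, version 3.1) followed by opaque body bytes.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + pseudo_random_bytes(b"hello", 47)
# Custom one-byte header (0xC7 is not a TLS content type) plus an opaque blob.
CUSTOM_BLOB = b"\xc7" + pseudo_random_bytes(b"constructed-exfil-seed", 1023)


if __name__ == "__main__":
    for label, payload in [("http", HTTP_POST), ("tls", TLS_CLIENT_HELLO), ("custom", CUSTOM_BLOB)]:
        print(f"{label:7s} entropy={shannon_entropy(payload):.2f} -> {classify_outbound(payload)}")
```

Entropy alone is a coarse signal: compressed archives and images are also high-entropy, so a production check would pair it with file-type magic detection and per-destination baselines before raising an incident.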

Another trend is that companies are storing more confidential data as images rather than as Word or text files; those might be scanned cheques, or smartphone pictures of confidential data. So the firm added optical character recognition (OCR).

“The innovation is we can do so in motion,” said Murray. “It can see the image content and determine whether or not it’s permitted. Using OCR in motion can apply our DLP analytics to it.”

Doesn’t further inspection slow traffic?  

“The nut we had to crack was to inspect without noticeable latency. Because of our approach to endpoint DLP products we do unstructured data, with fingerprinted, custom information. Our secret sauce lets us do so. We wouldn’t ship it if it didn’t work, because you can’t interrupt the experience.”

Cagey malicious insiders and outsiders are getting around security products by sending information in small quantities, to avoid detection; for example, someone sending a few names and contact information every few days from Salesforce.com.

Drip DLP can piece together a number of transactions and apply policies with thresholds: if this many transactions of this type occur over a given period, trigger an incident. The unit of measure (account numbers, names, or whatever else) is chosen from a menu of incident types, and the time window is set according to what you are looking for.
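The low-and-slow pattern described above (a few records every few days) is what a per-user sliding-window threshold catches. The following is an added example, not Websense's code: it parses constructed DLP transaction log lines, then accumulates each user's units of one incident type over a configurable window and raises an incident when the total reaches the threshold. The log format, the field names and the seven-day/ten-record policy are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DLP transaction log: one line per small outbound disclosure.
SAMPLE_LOG = """\
2012-07-01T09:12:00 user=alice type=contact_record units=3 dest=webmail
2012-07-01T10:30:00 user=bob   type=contact_record units=2 dest=webmail
2012-07-02T14:05:00 user=carol type=credit_card    units=9 dest=webmail
2012-07-03T16:45:00 user=alice type=contact_record units=4 dest=usb
2012-07-04T11:00:00 user=alice type=credit_card    units=1 dest=webmail
2012-07-06T08:20:00 user=alice type=contact_record units=5 dest=webmail
2012-07-20T13:10:00 user=bob   type=contact_record units=2 dest=webmail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+type=(?P<type>\S+)\s+units=(?P<units>\d+)"
)


@dataclass(frozen=True)
class Transaction:
    when: datetime
    user: str
    incident_type: str
    units: int


@dataclass(frozen=True)
class DripPolicy:
    incident_type: str   # unit of measure chosen from the incident menu
    threshold: int       # units within the window that trigger an incident
    window: timedelta    # period over which transactions are pieced together


def parse_log(text: str) -> list:
    """Turn the constructed log lines into Transaction records (bad lines skipped)."""
    txs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            txs.append(Transaction(datetime.fromisoformat(m["ts"]),
                                   m["user"], m["type"], int(m["units"])))
    return txs


def evaluate_drip_policy(transactions, policy: DripPolicy) -> list:
    """Return (user, time, total) for each point where a user's cumulative units
    of `policy.incident_type` within `policy.window` reach the threshold."""
    incidents = []
    recent = defaultdict(deque)   # user -> deque of (when, units) inside the window
    for tx in sorted(transactions, key=lambda t: t.when):
        if tx.incident_type != policy.incident_type:
            continue
        window = recent[tx.user]
        window.append((tx.when, tx.units))
        # Drop transactions that have aged out of the window.
        while window and tx.when - window[0][0] > policy.window:
            window.popleft()
        total = sum(units for _, units in window)
        if total >= policy.threshold:
            incidents.append((tx.user, tx.when, total))
            window.clear()   # one incident per accumulation, then count afresh
    return incidents


CONTACT_POLICY = DripPolicy("contact_record", threshold=10, window=timedelta(days=7))

if __name__ == "__main__":
    for user, when, total in evaluate_drip_policy(parse_log(SAMPLE_LOG), CONTACT_POLICY):
        print(f"INCIDENT {user}: {total} contact records in 7 days ending {when:%Y-%m-%d}")
```

On the sample log, alice's 3 + 4 + 5 contact records within six days crosses the threshold on 6 July, while bob's two small transfers are nineteen days apart and never accumulate; carol's credit-card transfer is a different unit of measure and is left to its own policy.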

Another trend is spear phishing high value targets.

“Malware guys have done this for years and they’re practicing it on AV guys to see how well it works,” Murray said. “They’re testing email filters and security products. It starts via reconnaissance on a high value target. Then they send a spear phishing email the target is likely to click on.”

They’ll send it on a Friday, assuming a security product will scan it on arrival. To avoid detection they won’t arm the link until a couple of days later; once they feel the message has gotten through, they arm the link.

“When that email comes through our email security product, we wrap the URL. On Monday when the high value target goes through 200 emails and clicks on the link, it’ll be sent through the email detection on our gateway for a second scan, to prevent infection. We call it ‘Scan Upon Click’ technology.”

The technique integrates email and web security: the wrapped link is checked by the web gateway’s engine at click time, which gives the same detection as if the target had browsed to the page directly.
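The delayed-arming trick works because a delivery-time scan sees a harmless link; re-scanning at click time defeats it. The block below is an added example of the "Scan Upon Click" idea, not Websense's implementation: links in an email body are rewritten to a gateway URL carrying the original URL and an HMAC, and at click time the gateway verifies the token and re-scans the original URL against whatever intelligence it has at that moment. The gateway address, the signing scheme, the host-blocklist stand-in for the real scanner and the Friday/Monday intelligence sets are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical gateway endpoint that every rewritten link points at.
CLICK_GATEWAY = "https://gateway.example.invalid/click"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def wrap_url(original: str, key: bytes) -> str:
    """Replace a link with a gateway link carrying the original URL and an HMAC,
    so the gateway can trust what it unwraps at click time."""
    payload = original.encode("utf-8")
    token = base64.urlsafe_b64encode(payload).decode("ascii")
    sig = base64.urlsafe_b64encode(_sign(key, payload)).decode("ascii")
    return f"{CLICK_GATEWAY}?{urlencode({'u': token, 's': sig})}"


def wrap_links(body: str, key: bytes) -> str:
    """Rewrite every http(s) link in an email body at delivery time."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0), key), body)


def scan_on_click(wrapped: str, key: bytes, is_malicious) -> tuple:
    """Gateway side: verify the token, then re-scan the original URL with the
    intelligence available now, not when the mail was delivered.
    Returns ('allow' | 'block' | 'reject', original_url_or_None)."""
    parsed = urlparse(wrapped)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CLICK_GATEWAY:
        return ("reject", None)
    q = parse_qs(parsed.query)
    try:
        payload = base64.urlsafe_b64decode(q["u"][0])
        sig = base64.urlsafe_b64decode(q["s"][0])
    except (KeyError, ValueError):
        return ("reject", None)
    if not hmac.compare_digest(sig, _sign(key, payload)):
        return ("reject", None)      # tampered or forged token
    original = payload.decode("utf-8")
    return ("block" if is_malicious(original) else "allow", original)


def host_blocklist_scanner(blocked_hosts):
    """Stand-in for the web gateway's scan: flag URLs whose host is on a list."""
    return lambda url: (urlparse(url).hostname or "") in blocked_hosts


# --- constructed scenario ---
KEY = b"constructed-gateway-key"
EMAIL_BODY = "Q3 figures attached, see http://lure.example.invalid/report.pdf before Monday."
INTEL_FRIDAY = frozenset()                          # link not yet armed, nothing known
INTEL_MONDAY = frozenset({"lure.example.invalid"})  # armed over the weekend, now known bad

if __name__ == "__main__":
    rewritten = wrap_links(EMAIL_BODY, KEY)
    link = URL_RE.search(rewritten).group(0)
    print("delivery-time scan:", scan_on_click(link, KEY, host_blocklist_scanner(INTEL_FRIDAY)))
    print("click-time scan:   ", scan_on_click(link, KEY, host_blocklist_scanner(INTEL_MONDAY)))
```

The HMAC matters: without it the click endpoint becomes an open redirector that anyone can point at any URL, so the gateway only unwraps tokens it issued.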

Password file detection is another trend. Thieves are going after high value targets and trying to access network passwords. Once they get those they can have whatever they want.

“Our web gateway can detect when password files – Active Directory or spam database – are being sent out of the organization. Without looking for specific passwords, we can detect password file format. There’s no reason for those to be sent out of the organization.”
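Detecting the format of a password file rather than any particular password is a plain structural check. The block below is an added example, not Websense's code: it scores outbound text against line-shape signatures for a few common password stores and reports the format only when most lines match. The formats covered (Unix shadow, pwdump-style NT hash dumps, htpasswd), the minimum line count and match ratio, and the sample files (whose hash fields are filler) are assumptions constructed for the example.

```python
import re

# Format signatures for common password stores. They match the shape of a line
# (field count, hash prefixes, hex widths), not any particular secret.
FORMATS = {
    "unix-shadow": re.compile(
        r"^[a-z_][a-z0-9_-]*:(?:\$(?:1|5|6|y|2[aby]?)\$[^:\s]+|[!*]+)(?::\d*){7}$"
    ),
    "pwdump": re.compile(r"^[^:\s]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$"),
    "htpasswd": re.compile(r"^[^:\s]+:(?:\$apr1\$|\$2[aby]\$|\{SHA\})\S+$"),
}


def classify_password_file(text: str, min_lines: int = 3, min_ratio: float = 0.6):
    """Return the name of the password-file format that most of `text` matches,
    or None. The thresholds are assumptions for this example."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < min_lines:
        return None
    best, best_hits = None, 0
    for name, pattern in FORMATS.items():
        hits = sum(1 for ln in lines if pattern.match(ln))
        if hits > best_hits:
            best, best_hits = name, hits
    return best if best_hits / len(lines) >= min_ratio else None


# --- constructed samples (hash fields are filler, not real credentials) ---
SHADOW_SAMPLE = """\
root:$6$saltsalt$Fake0HashValueForTheExample0000000000000000000000000000000000000:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
alice:$6$saltsalt$AnotherFakeHashValueFor0TheExample00000000000000000000000000000:15510:0:99999:7:::
bob:$y$j9T$saltsalt$FakeYescryptHashValue00000000000000000000000:15520:0:99999:7:::
"""
PWDUMP_SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
svc_backup:1105:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
"""
CONTACTS_CSV = """\
name,email,phone
Alice Example,alice@example.invalid,555-0100
Bob Example,bob@example.invalid,555-0101
Carol Example,carol@example.invalid,555-0102
"""

if __name__ == "__main__":
    for label, sample in [("shadow", SHADOW_SAMPLE), ("pwdump", PWDUMP_SAMPLE), ("csv", CONTACTS_CSV)]:
        print(f"{label:7s} -> {classify_password_file(sample)}")
```

Because the check keys on structure, it fires on a dump whether or not any of the hashes are cracked, and it raises nothing on ordinary colon-delimited data such as the contacts export; a gateway rule built on it would simply block or quarantine any outbound object that classifies as a password store.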

The new advanced malware threat dashboard tells admins which client, user name and host machine is infected, and which attacks are being thwarted, in order of importance.

“Beyond putting it on the front bumper, we also give a ton of information about how the attack works,” said Murray.

“We’ve found our customers want to know more about how attacks work, so they can look elsewhere in their organizations for other incidents. Ours shows the actual document. Most of our competitors can’t do that. We’re able to capture the document and show you what the attack is after – the secret formula for the drink, or the list of passwords, or whatever.

“Security guys want to know how our product is helping them. So we provide them with that information – this is what you need to clean up, and this is how our product protected you.”