Watch guard reputation enabled defense
Editor's notes
Trying to find a weapon to reinforce our arsenal against the bad guys is always an interesting job. There are several new or fairly new technologies on the market; there are also old technologies presented in a new fashion or implemented in a new way. One of the most interesting areas is the use of reputation services. Reputation services are a way to determine whether a source IP, domain or URL is a vector of threat or not. Trying to understand whether a source is trustworthy is quite a difficult job, mainly because we are not in a black-or-white environment where a source is absolutely and completely bad forever and ever, but in an environment where things change rapidly. When talking about reputation we should understand a couple of things. First of all, reputation is a rating service and not a blacklist service. It is a way to express in a metric how “risky” it is to connect to a specific source. Nothing is absolutely trustable, which means that everything can be compromised and become, from time to time, a source of risk. Nevertheless, not all compromised sources are 100% untrustable, since they can also deliver legitimate content. An IP address can deliver thousands of different services, and not all of those services are compromised at the same time. As a matter of fact, a source can be trustable for SMTP and not trustable for HTTP.
Not all reputation services are created equal, however.

Early / 1st generation reputation services:
- Rely solely on DNSBL lists
- Only log IP addresses of blocked emails; do not include email To: or From: addresses
- Do not consider content or behavior
- Do not consider AV threats
- Only 50 to 80% effective

So, if we were to compare it to something many of us can relate to, it is like going through customs at the airport, where by scanning your passport they can get some basic information about you: where you originated or were born, or whether you are on a “do not fly” list. No one would allow you to board a plane simply by scanning your passport, but in the world of reputation services, those vendors who rely simply on DNSBLs would allow the traffic to enter the network if the IP or URL was not on a blacklist.

Most current / 2nd generation reputation services:
- Rely on DNSBL AND volume metrics of traffic coming from an IP
- Only log IP addresses of blocked emails; do not include email To: or From: addresses
- Do not consider content or behavior; HENCE if volume increases for valid reasons, your reputation will still suffer
- Do not consider AV threats
- Effectiveness is 70 to 80%

So if we go back to our airport security example, it is like going through the passport scan at customs and then having a metal detector scan of your person and your carry-on. Although this is a little more insightful, it still doesn’t provide enough security to know what threats you may be carrying. In the world of reputation services, a vendor relying solely on DNSBL and volume would still allow you to enter the network.
Next-generation reputation service: WatchGuard Reputation Enabled Defense provides the most comprehensive protection of a reputation service by inspecting:
- DNSBLs, with a contributor approach that harnesses intelligence from feeds from hundreds of thousands of deployed customer systems worldwide
- Volume of traffic coming from an IP, AND content inspection and behavior analysis, before it determines whether to allow or block the traffic from entering the network
- Logs IP addresses, To: and From: information for all blocked emails
- Considers content and behavior of all received emails
- If volume increases for valid reasons, your reputation will not suffer and could in fact improve
- AV threats are tracked and affect reputation scores
- Effectiveness is upwards of 98%

So if we were to go back to our airport security example, not only would we scan the passport for historical or background information and see your recent trends, and run a metal detector check on your bags and your person, but we would then conduct a biothermal full-body X-ray scan that leaves no threats to the imagination. The difference is that we would block upwards of 98% of threats in comparison to the earlier generation services.
Reputation services were not very important when spam, viruses and blended threats were only 20% of all inbound email traffic. Today, with more than 93% of all emails containing threats, you can not afford to individually scan the content of each message unless you are willing to purchase bigger and faster appliances as your threat volume increases. Bad email will continue to grow faster than good email. By blocking the majority of “definite” spam at the connection layer, you can scrub the remaining email with greater depth to eliminate spam and false positives.
WatchGuard Reputation Enabled Defense is the first next-generation reputation system:
- Hybrid in-the-cloud model
- Rejects unwanted email and web traffic at the perimeter
- 98.3% catch rate
- 99.99% accuracy rate
- Unique and patented
- Included with all WatchGuard XCS appliances

Highlight the rejection ability of the ReputationAuthority:
- Define rejection: denying entry into your network
- Rejection versus blocking: rejecting traffic sends a bounce message to notify the sender, while blocking drops the message
- Values to the business: no archival of unwanted traffic; smaller footprint required
According to the X-Force 2008 Trend & Risk Report and Websense Security Labs, State of Internet Security, Q3 - Q4, 2008: besides social engineering (tricking people into running things), drive-by downloads are the most common way to force malicious code onto your computer. Your web browser introduces you to many vulnerabilities, some that don’t seem web related: many non-web applications install plugins into your browser to handle their content on the internet (QuickTime, PDF). Also, web application vulnerabilities, flaws in your own web site’s code, are one of the primary ways the bad guys get into your network or steal data from you. Let me show you one example of a major web application incident from 2008…
Sophisticated rejection ability of Reputation Enabled Defense:
- Rejection = denying entry into your network
- Rejection versus blocking: rejecting traffic sends a bounce message to notify the sender, while blocking drops the message
- Values to the business: no archival of unwanted traffic; smaller footprint required
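To make the three "generations" concrete, and to show the rejection-versus-inspection decision the notes above describe, here is a small scoring model written for this page. It is constructed example code, not WatchGuard's algorithm or any product's API: the signal weights, the 80/40 thresholds, the protocol-specific scoring and the sample source IPs (documentation ranges) are all assumptions chosen to illustrate the points the notes make: a DNSBL-only score is binary, a volume-only score penalises a legitimate burst, and a content-driven score can rate the same IP differently for SMTP and HTTP and can learn from what the downstream scanner reports back.

```python
from dataclasses import dataclass


@dataclass
class SourceEvidence:
    """Signals gathered about one source IP. All values here are constructed for the example."""
    ip: str
    dnsbl_hits: int        # number of DNS blocklists currently listing the IP
    baseline_rate: float   # historical messages (or requests) per hour from this IP
    current_rate: float    # rate observed in the current window
    malware_hits: int      # AV/signature detections in recent traffic from this IP
    spam_ratio: float      # 0..1 share of recent mail from the IP scored as spam
    bad_url_ratio: float   # 0..1 share of embedded/served links flagged by URL filtering


def volume_spike(ev: SourceEvidence) -> float:
    """How many times above its own baseline the source is sending right now."""
    return ev.current_rate / max(ev.baseline_rate, 1.0)


def score_gen1(ev: SourceEvidence) -> int:
    """1st generation: a pure DNSBL lookup. Listed means bad, unlisted means good."""
    return 100 if ev.dnsbl_hits else 0


def score_gen2(ev: SourceEvidence) -> int:
    """2nd generation: DNSBL plus raw volume. A burst is penalised whatever its content."""
    risk = 40 * min(ev.dnsbl_hits, 2)
    if volume_spike(ev) >= 5:
        risk += 30
    return min(100, risk)


def score_gen3(ev: SourceEvidence, protocol: str) -> int:
    """3rd generation (assumed model): content and behaviour drive the score, rated per
    protocol. Volume only adds risk when the burst's content is itself bad, so a
    legitimate newsletter spike does not hurt the sender's reputation."""
    if protocol == "smtp":
        content_risk = 60 * ev.spam_ratio + 25 * ev.bad_url_ratio
    elif protocol == "http":
        content_risk = 70 * ev.bad_url_ratio      # spam ratio is meaningless for web traffic
    else:
        raise ValueError(f"unsupported protocol: {protocol}")
    content_risk += 15 * min(ev.malware_hits, 2)
    dnsbl_risk = 20 * min(ev.dnsbl_hits, 2)       # history still counts, but less than what we see now
    spike_risk = 15 if (volume_spike(ev) >= 5 and content_risk >= 40) else 0
    return min(100, round(content_risk + dnsbl_risk + spike_risk))


REJECT_AT, INSPECT_AT = 80, 40   # assumed thresholds for the connection-level decision


def verdict(risk: int, protocol: str) -> tuple:
    """Map a risk score to an action. 'reject' answers the peer at the perimeter
    (SMTP 5xx bounce / HTTP 403) so nothing is stored or archived; 'inspect' lets
    the traffic in for the deeper content scan (defense in depth); 'accept' is clean."""
    if risk >= REJECT_AT:
        reply = "550 5.7.1 Rejected by reputation policy" if protocol == "smtp" else "403 Forbidden"
        return ("reject", reply)
    if risk >= INSPECT_AT:
        return ("inspect", "accepted at connection level, handed to content scanning")
    return ("accept", "clean")


def contribute_finding(store: dict, ip: str, malware_found: int = 0, spam_ratio=None) -> SourceEvidence:
    """Feedback loop: a detection made by the downstream scanner updates the shared
    evidence so the next connection from the same IP is scored with that knowledge."""
    ev = store[ip]
    ev.malware_hits += malware_found
    if spam_ratio is not None:
        ev.spam_ratio = spam_ratio
    return ev


# Constructed sample sources (documentation-range IPs, not real senders).
SOURCES = {
    "203.0.113.10": SourceEvidence("203.0.113.10", 2, 50, 5000, 3, 0.90, 0.60),   # botnet-style spammer
    "198.51.100.7": SourceEvidence("198.51.100.7", 0, 100, 2000, 0, 0.02, 0.00),  # legitimate newsletter burst
    "192.0.2.44":   SourceEvidence("192.0.2.44", 1, 10, 10, 0, 0.05, 0.90),       # clean mail, compromised web host
}


def evaluate(store: dict, ip: str, protocol: str = "smtp") -> dict:
    """Score one source under all three generations and return the 3rd-generation action."""
    ev = store[ip]
    g3 = score_gen3(ev, protocol)
    return {"gen1": score_gen1(ev), "gen2": score_gen2(ev), "gen3": g3, "action": verdict(g3, protocol)[0]}


if __name__ == "__main__":
    for ip in SOURCES:
        for proto in ("smtp", "http"):
            print(ip, proto, evaluate(SOURCES, ip, proto))
```

Running it shows the three behaviours side by side: the newsletter burst gets a non-zero 2nd-generation score purely because of volume but is accepted by the content-driven score; the listed-but-clean mail host is rejected outright by the DNSBL-only score, sent for inspection on SMTP, and rejected on HTTP where its flagged links matter; and once the downstream scanner reports malware from a source, the shared evidence changes the verdict for its next connection.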
Launch demo of Reputation Enabled Defense.org, senderbase.org, and trustedsource.org. Use ibm.com as the comparison.

Show how granular WG RED can get in terms of providing:
- More detected sources than the other two services
- More granularity in outlining why the IP/domain was identified as a threat (drill down on the RED site to show only bad IPs)
- Point out that the other two services can only show IP source and spikes in volume

WatchGuard Reputation Enabled Defense is the first next-generation reputation system:
- Hybrid in-the-cloud model
- Rejects unwanted email and web traffic at the perimeter
- 98.3% catch rate
- 99.99% accuracy rate
- Unique and patented
- Included with all WatchGuard XCS appliances

Highlight the rejection ability of Reputation Enabled Defense:
- Define rejection: denying entry into your network
- Rejection versus blocking: rejecting traffic sends a bounce message to notify the sender, while blocking drops the message
- Values to the business: no archival of unwanted traffic; smaller footprint required
If you receive 1M emails in any given timeframe, DNS blacklisting (what the competitors primarily use, and in some cases only use) rids the traffic of 75% of the unwanted messages, BUT the key differentiator of Reputation Enabled Defense is its powerful 98.3% catch rate. So, if we were to compare the effectiveness of the three generations of reputation services as in the chart shown here, using the example of 1M incoming email messages:
- A 1st generation service using only DNSBL would allow upwards of 250,000 messages to enter the network
- A 2nd generation service which relies simply on DNSBL and volume of traffic from an IP would allow upwards of 150,000 messages through…
- As a 3rd generation service, WatchGuard Reputation Enabled Defense allows only 17,000 messages to enter the network for further defense-in-depth inspection, resulting in a significant difference in threat protection and cost savings.

KEY POINT: THE REMAINING UNWANTED TRAFFIC IS CAUGHT BY WATCHGUARD SPAM PREVENTION (DEFENSE IN DEPTH)
Unlike older reputation services that simply monitor traffic and act like a credit bureau, reporting historically known unwanted traffic using DNSBLs, WatchGuard Reputation Enabled Defense provides a real-time reputation based on what is happening now, in the wild. It combines historical information with patented, next-generation adaptive identification techniques and behavioral analysis to determine the reputation and risk level of email and Web traffic trying to enter your network.
WatchGuard Reputation Enabled Defense also includes real-time behavioral analysis of each and every message by:
- Examining embedded links
- Inspecting headers and content
- Applying malware, spyware, crimeware and spam signature scanning
- Applying URL filtering
Rather than acting simply as a passive monitoring system that relies on historical blacklists of known spammers or on sheer volume, WatchGuard Reputation Enabled Defense examines the content of the traffic and automatically updates the network with its findings to ensure accuracy and effectiveness. This is a key differentiator from first and second generation reputation services, and one that makes Reputation Enabled Defense a true zero-hour first line of defense that rejects traffic across multiple protocols.
WatchGuard Reputation Enabled Defense is constantly uploading and distributing threat feeds automatically across the entire network to stay current and proactive. Threat feeds uploaded into the system include discovered threats from all WatchGuard XCS customers, global reputation databases and 3rd party DNSBLs from across the globe. The combination of these feeds is assimilated into the WatchGuard reputation database and streamed across the Reputation Enabled Defense network in real time. In this way, you are not only leveraging the intelligence from traffic entering your own network, you are receiving the intelligence of millions of threats that are traversing the networks of all systems monitored by Reputation Enabled Defense across the globe.
WatchGuard Reputation Enabled Defense is the most effective first-line-of-defense reputation service for email and web security. It integrates with the WatchGuard XCS line of products to ensure no threats or unwanted traffic enter your network. How does it work? Email and web traffic arrives at the network perimeter from the internet. Reputation Enabled Defense inspects all of the email and web traffic, looking to block all unwanted traffic at the connection level. All clean traffic is allowed into the network for processing and routing by WatchGuard XCS. If any additional threats or spam are discovered by XCS during the sophisticated defense-in-depth process, which examines content, sender information and contextual analysis, the message is prevented from continuing, and the discovery is reported back to Reputation Enabled Defense to automatically contribute the findings across the network and block future traffic of its kind. Hence, only clean traffic is routed and presented to end users. By investigating content and volume, then automatically contributing these results to the network instantly, Reputation Enabled Defense ensures protection from even new and emerging threats in real time. Put the power of WatchGuard Reputation Enabled Defense to work for you…and ensure email and web-based threats don’t enter YOUR network!