
1 10243 Sophos Web Security Buyer Guide Wpna

Date post: 07-Apr-2018
Upload: 28praveen
  • 8/6/2019 1 10243 Sophos Web Security Buyer Guide Wpna


    Web security buyers guide


    Web interactivity increasingly relies on user- and third-party-generated content built on rich backend database systems, which are easily exploited. This has created a breeding ground for the distribution of malware, even among the most trusted and popular web sites and applications. This dramatic change in the nature of web threats has rendered traditional web filtering technology completely ineffective. Simply blocking access to sites that may host malware is no longer a viable solution as that would now include each and every site on the net.

    With the web now a mission-critical tool in most organizations' day-to-day activities, it's critical to equip yourself with a security solution that enables the users to be productive, while also providing the security essential to ensure a risk-free experience.

    Organizations looking for protection against modern web threats need a solution that demonstrates security attributes that combine powerful application, site and content controls with proactive malware detection. In today's economy, best-of-breed security must also embrace low-impact, effective administration enabling organizations to do more with less. At the same time, the solution must meet end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need. Solutions which fail to meet these demands for security, control, performance, value and accessibility will ultimately fail the organization.

    Introduction

    The web is now the number one vector of attack for cybercriminals, with a newly infected web site discovered every few seconds. Hijacked trusted sites, poisoned search results, fake AV, and phishing sites are all finding their way into our browsers at an alarming rate. As a result, Internet access creates a dilemma for you: on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the Internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research. They cannot be blocked without seriously impacting business productivity and effectiveness.

    A new approach to web security and control is required that fully supports the needs of businesses, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security and control solution.

    Web Security and Control Overview

    Security and Control Components:
    Application control
    Productivity and reputation filtering
    Proxy filtering
    Real-time malware filtering
    HTTPS filtering
    Content-based filtering
    Data loss prevention

    In addition to best-of-breed security, the solution must also fit seamlessly into your organization.

    Deployment, Management, and Vendor Capabilities:
    Low-impact end-user experience
    Flexible easy deployment
    Minimal administrative burden
    Intuitive management console
    Rich dashboard and reporting
    World-class vendor services and support

    Finally, the solution must be affordable, providing maximum value for your investment.

    The rest of this document is dedicated to articulating the key components of an effective web security and control solution.

    Application Control

    Web application control is not just about productivity; it's an important foundational layer to an effective web protection strategy.

    Most web malware utilizes commercially available exploit packs that contain dozens of different vulnerability testers, redirectors, and actual exploit code that attempt to test for and exploit a myriad of vulnerabilities that exist in applications on the user's system. These kits are designed specifically to prey on users who aren't diligent in keeping their software and operating system patches up to date. It's therefore critical to not only keep your applications patched and up-to-date, but also minimize and limit the number of web applications in your environment to an absolute lowest common denominator standard set of business related programs and tools.

    Unfortunately, traditional application controls at the gateway rely on port or packet inspection to identify and control instant messaging, peer-to-peer and other non-browser web applications. The problem with this approach is that it doesn't prevent these applications from being installed and ultimately exploited. This is where a security suite that integrates both endpoint and web protection together can offer enormous benefits, by controlling unwanted applications on the desktop, before they can become exploited and infected.


    URL and reputation filtering

    Traditional URL filters rely on vast, regularly updated databases of sites classified into different categories for the purposes of controlling productivity and enforcing acceptable use policy. URL filtering was once considered an acceptable web security solution, but the presence of web malware has shifted dramatically from dodgy porn and gambling sites to much more popular mainstream websites across all categories. So while URL filtering plays an important role in optimizing network performance and staff productivity by blocking access to illegal, inappropriate, or non-business-critical web content, it is not an effective security solution against modern threats such as hijacked trusted sites.

    Reputation-based filters are designed to augment URL filtering and act as the first critical component in the fight against modern web-based threats. They prevent access to a continuously growing catalog of sites across all categories that are known to be currently infected or have hosted malware or other unwanted content in the past, by filtering URLs based on their reputation as good or bad. Reputation filtering is now considered a proven and essential tool for successfully protecting against already known web-based threats across all site categories.

    Proxy filtering

    Anonymizing proxies are specially designed sites that enable users to browse blocked sites anonymously and free of company web security filtering. Obviously, these kinds of sites can completely undermine an effective web security and control solution, exposing users and the organization to significant security risks, legal liability issues, and productivity losses.

    To prevent users from bypassing filtering controls, the following two components are critical in forming a defence against anonymizing proxy use:

    A reputation-based service that actively seeks out new anonymizing proxies from a variety of underground sources as they are published and updates the filtering database at frequent, regular intervals.

    A real-time proxy detection engine that automatically inspects traffic for signs that it's being routed through a proxy, effectively closing the door on private home-based proxies or other proxies not identified through the reputation service.

    Real-time malware filtering

    Real-time predictive malware filtering goes a long way toward closing the gap left by reputation-based filters. With this kind of filter, all web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning. Whenever a user accesses a website, regardless of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

    It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters: the filtering is, almost by definition, bi-directional, in that both the user request to and the information returning from the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted.


    A real-time malware scanning engine is not only the most critical component of an effective web security solution, it is a key point of differentiation among vendors. As a result, buyers should pay particular attention to the capabilities of their web security solution short list, and focus on some key considerations related to malware scanning capabilities:

    Real-time: looks at content as it's accessed or downloaded
    Behavioral: goes beyond signatures to analyze code for malicious intent before it executes
    Script emulation: will decode and emulate obfuscated JavaScript before passing it to the browser
    Bi-directional: inspecting both outbound requests and incoming content
    Multi-vector: provides integrated malware detection across several vectors including the gateway, the browser, and the desktop
    Low latency: can scale and handle peak loads efficiently to ensure a seamless user experience
    Update frequency: signature and threat identity information should be provided at intervals measured in minutes, not hours or days

    HTTPS filtering

    With up to 40% of web applications and protected web sites now relying on port 443 Secure Sockets Layer (SSL), this is an increasingly popular vector for malware distribution and therefore a critical component of an effective web security solution. Since SSL content is encrypted, it can't be intercepted by most traditional web security solutions, which leaves IT completely blind to this traffic. It's no surprise that most proxy sites, phishing attacks, fake AV sites, and other malware attacks increasingly utilize this highly vulnerable point of entry. This major blind spot in security can also be a significant liability for data leakage, unwanted downloads via webmail solutions like Gmail, and bandwidth consumption.

    HTTPS traffic inspection that enables a balance of user privacy with organizational security is critical to an effective web security and control solution. What's essential is a flexible solution that provides certificate validation with legitimate sites like financial institutions, while fully proxying and scanning other HTTPS sessions for signs of malware, unwanted content, phishing attacks, malware calling home, and proxy use.

    Content-based filtering

    Content-based filtering analyzes all web traffic on the network to determine the true file type of content coming back from a website. It can then allow or disallow this traffic, based on corporate policy.

    Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME type reported by the web server, and so can identify and block files that are masquerading as innocent or allowed file types but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file.

    By enabling enforcement of only business-type content, this pillar of protection enables organizations to create policies around a variety of content types that are often used to send malware, thereby dramatically reducing the risks of infection. For example, incoming Windows executables or screensavers might be disallowed.

    Content-based filtering can also be used to improve bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
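
The header-based check described above, as an added example (not code from the guide or from any vendor's product): the download's leading bytes decide its true type, and the file extension and server-reported MIME type are treated only as claims to compare against. The signature table, claim map, blocked-type policy and sample payloads are constructed for illustration.

```python
import codecs
import os

# Constructed signature table: (magic bytes at offset 0, true type).
SIGNATURES = [
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-archive"),        # also the container for docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# What each claim (extension or MIME type) is allowed to contain.
CLAIMS = {
    ".txt": {"text"}, "text/plain": {"text"},
    ".pdf": {"pdf"}, "application/pdf": {"pdf"},
    ".png": {"png"}, "image/png": {"png"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, "image/jpeg": {"jpeg"},
    ".gif": {"gif"}, "image/gif": {"gif"},
    ".zip": {"zip-archive"}, "application/zip": {"zip-archive"},
    ".exe": {"windows-executable"}, ".scr": {"windows-executable"},
}

# Example policy: executables (which covers .scr screensavers) are disallowed.
BLOCKED_TYPES = {"windows-executable", "elf-executable"}


def looks_like_pe(head: bytes) -> bool:
    """'MZ' alone is too weak (a text file can start with it): follow the
    e_lfanew pointer at 0x3C and require the 'PE\\0\\0' signature there.
    A DOS-only MZ binary is deliberately not matched by this check."""
    if head[:2] != b"MZ" or len(head) < 0x40:
        return False
    pe_offset = int.from_bytes(head[0x3C:0x40], "little")
    return head[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def sniff_type(head: bytes) -> str:
    """Classify content from its leading bytes only."""
    if looks_like_pe(head):
        return "windows-executable"
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if not head:
        return "empty"
    if b"\x00" not in head:
        try:
            # Incremental decoding tolerates a multi-byte character that was
            # cut in half by the sniff-window boundary.
            codecs.getincrementaldecoder("utf-8")("strict").decode(head)
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown-binary"


def evaluate_download(filename: str, declared_mime: str, body: bytes) -> dict:
    """Return the policy verdict plus which claims the content contradicts."""
    true_type = sniff_type(body[:1024])
    ext = os.path.splitext(filename)[1].lower()
    mime = declared_mime.split(";")[0].strip().lower()
    mismatched = [c for c in (ext, mime)
                  if c in CLAIMS and true_type not in CLAIMS[c]]
    if true_type in BLOCKED_TYPES:
        action = "block"
    elif mismatched:
        action = "flag"        # allowed type, but it is lying about itself
    else:
        action = "allow"
    return {"action": action, "true_type": true_type,
            "mismatched_claims": mismatched}


# Constructed minimal PE header: 'MZ', e_lfanew=0x40 at 0x3C, 'PE\0\0' at 0x40.
PE_SAMPLE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
             + b"PE\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, mime, body in [
        ("readme.txt", "text/plain", PE_SAMPLE),
        ("notes.txt", "text/plain; charset=utf-8", b"MZ is only two letters here\n"),
        ("logo.png", "image/png", b"PK\x03\x04" + b"\x00" * 26),
    ]:
        print(name, evaluate_download(name, mime, body))
```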


    Data loss prevention

    Data loss prevention is an increasingly important element of an effective web security solution in the Web 2.0 world. With strict privacy and data confidentiality regulations and requirements becoming common in most jurisdictions, it's becoming critical to enforce a comprehensive data protection strategy that governs mobile computers, removable media, devices such as USB sticks, traditional email, and of course Web 2.0 applications.

    For a DLP engine to be effective, it must be able to scan and recognize sensitive data types such as credit card numbers, personally identifiable information, bank account information, social insurance numbers, and more. Predefined content control lists (CCLs) that cover hundreds of different sensitive data types across multiple localized geographies are critical to making DLP manageable and effective.

    Furthermore, the most effective DLP will be that which can cover all potential exit points including removable media, devices, email, web and social media applications and stop sensitive data from being exposed at the source, right on the user's desktop. It should also integrate tightly with encryption solutions to facilitate the movement of sensitive data that does need to leave the organization.
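
The recognition step described above for credit card numbers and social insurance numbers, as an added example (not code from the guide or from any vendor's product): a miniature content control list in which each data type pairs a pattern with a checksum validator, so that digit runs which merely look like a card number are not reported. The CCL layout, entry names, thresholds and the sample request body are constructed for illustration.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed two-entry content control list. A production list would hold
# many more data types and per-region formats.
CCL = [
    {
        "name": "payment-card",
        # 13 to 19 digits, optionally grouped with single spaces or hyphens
        "pattern": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
        "validator": luhn_valid,
        "block_at": 1,          # matches needed before the request is blocked
    },
    {
        "name": "social-insurance-number",
        # 9 digits in 3-3-3 grouping
        "pattern": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
        "validator": luhn_valid,
        "block_at": 1,
    },
]


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(text: str) -> list:
    """Return (data type, masked value) for every validated match."""
    findings = []
    for entry in CCL:
        for match in entry["pattern"].finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if entry["validator"](digits):
                findings.append((entry["name"], mask(digits)))
    return findings


def decide(text: str) -> dict:
    """Apply each entry's threshold to the findings for one outbound body."""
    findings = scan_outbound(text)
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    blocked = any(counts.get(e["name"], 0) >= e["block_at"] for e in CCL)
    return {"action": "block" if blocked else "allow", "findings": findings}


# Constructed outbound form body. The card and SIN are well-known test values;
# the order reference has a card-like shape but fails the checksum.
SAMPLE_POST = ("subject=refund&body=Card 4111 1111 1111 1111 exp 01/30, "
               "SIN 046-454-286, order ref 4111111111111112, "
               "phone 613 555 0147")

if __name__ == "__main__":
    print(decide(SAMPLE_POST))
```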

    Key Buying Criteria

    The following table fully articulates the key buying criteria you should consider when evaluating a potential web security and control solution. Use this as a guide for your online research, vendor discussions, or RFP. Be sure you are getting the most value for your investment in web security and control by ensuring your vendor is providing you with a complete solution that is simple to deploy and administer, from a trusted source that provides the service and support you require.

    Security and Control Components:

    Web application control:
    Control and limit the number of web applications in the environment to reduce the threat surface area from exploits

    What to look for: Look for an application control solution that runs on the endpoint and can block unwanted applications at the source on the desktop. Solutions that simply inspect ports or packets at the gateway are ineffective at controlling the risk of being exploited; stop these apps from running in the first place. Also look for a solution which can identify applications based on identity signatures rather than relying on common path and file names, to prevent masquerading apps from side-stepping controls. Also ensure the solution enables easy control over categories of applications with granular control as needed and provides regular updates to the app control lists to make administration easy.

    Specific questions to ask:
    Does your app control block applications from running on the desktop?
    Does your app control rely on signatures or file and path names?
    How many application identities does your solution include?
    How often is the database of apps updated?
    Do you support flexible, easy to use policies with app categories?

    URL filtering database:
    Categorization of websites with block/allow policy options

    What to look for: While URL classification databases are largely a commodity, select one that has categories that make sense for your organization. More categories are not always better as it may create added complexity for your policy management. Ensure multiple languages are provided and the URL database is significant in scope and updated regularly. Also ensure that policy controls are simple, wizard driven, and enable policies set by user, group, time, site, or category with flexibility to easily create custom policies.

    Specific questions to ask:
    How many languages does your database cover?
    How often is the database updated?
    Who updates the database and what resources do they have/use?
    Are your policy settings wizard driven?
    Do you support custom policies with site tags and special hours?


    Reputation database:
    Augments URL filtering with reputation and risk classification to ensure risky sites in any category are scanned or blocked

    What to look for: A reputation database that is maintained by a top-tier security company that invests heavily in web malware research and provides frequent updates. Also, look for a solution that protects both networked corporate users as well as mobile or remote users who may not be operating on the corporate network.

    Specific questions to ask:
    Does your reputation database protect mobile and remote users outside the office?
    Do you track site reputation across categories?
    How does your solution deal with risky sites within allowed categories?
    How often is the database updated?
    Who updates the database and what resources do they have/use?


    Anonymizing proxy detection:
    Blocks users from using proxies to bypass web filtering

    What to look for: A combination of real-time proxy detection to identify new or obscure proxies, coupled with a comprehensive proxy discovery service to ensure policy compliance. Inquire about what sources your web security vendor uses to catalog anonymizing proxies, how many they catalog every day, and how often they provide updates. Avoid any solution which cannot detect anonymizing proxy use in real-time as users initiate a connection through one, as there are plenty of obscure or home-based proxies that any reputation service will never find.

    Specific questions to ask:
    How often do you update your catalog of anonymizing proxies?
    How many new anonymizing proxies do you detect daily?
    How does your solution handle obscure or private/home-based proxies?
    Who updates the proxy catalog and what resources do they have/use?


    Real-time malware scanning:
    Scans all inbound and outbound web traffic in real-time

    What to look for: Not all web malware scanning is created equal. Avoid signature-based scanning engines and select an engine that utilizes behavioral pre-execution analysis to determine code intent which will provide zero-day protection from new malware. Furthermore, inquire about obfuscated JavaScript. If the anti-malware engine cannot deobfuscate and emulate JavaScript in real-time to analyze its behavior before passing it to the browser, look for a solution that does for the best protection from server side polymorphing malware. Since malware scanning is particularly important, here's an additional checklist of important criteria:

    Real-time: looks at content as it's accessed or downloaded
    Behavioral: goes beyond signatures to analyze code for malicious intent before it executes
    Script emulation: will decode and emulate obfuscated JavaScript before passing it to the browser
    Multi-vector: provides integrated malware detection across several vectors including the gateway, the browser, and the desktop
    Bi-directional: inspecting both outbound requests (for signs of malware on your network calling home) and incoming content
    Low latency: can scale and handle peak loads efficiently to ensure a seamless user experience
    Update frequency: signature and threat identity information should be provided at intervals measured in minutes, not hours or days.

    Specific questions to ask:
    Does your reputation database protect mobile and remote users outside the office?
    Do you track site reputation across categories?
    How does your solution deal with risky sites within allowed categories?
    How often is the database updated?
    Who updates the database and what resources do they have/use?


    Call-home detection:
    The ability to physically intercept and analyze outbound traffic through the gateway to identify infected systems or sensitive data leaving the organization

    What to look for: A system that intercepts and scans outbound requests as well as incoming web traffic. If your desired solution cannot scan outbound web requests, there's no way to prevent infected machines on your network from sending sensitive data, or even to identify what machines on your network might be infected.

    Specific questions to ask:
    Does your system scan and analyze outbound requests and web traffic?
    How does it identify machines that are potentially infected and calling home?


    HTTPS scanning and certificate validation:
    The ability to proxy and scan all web traffic including HTTPS encrypted channels often used by webmail, anonymizing proxies, etc., which are increasingly being targeted by malware

    What to look for: A solution that can not only proxy and scan HTTPS encrypted connections, but one that can balance the need for end-user privacy with bank and financial institution exceptions. Also look for certificate validation to avoid phishing attacks that spoof certificates to fool users into believing they are secure.

    Specific questions to ask:
    Does your solution enable the proxy and scanning of HTTPS encrypted traffic?
    Does it have the capability to exclude financial institutions?
    Does it perform certificate validation?

    True file type control:
    Examines all file downloads to determine their true type to dramatically reduce the threat surface area from undesired file types

    What to look for: A solution that simply looks at file extensions or MIME types is inadequate. Only consider a solution that does true file type detection by inspecting the file header information. This is the only way to prevent content masquerading to reduce your threat surface area and keep undesirable or illegal content off your network.

    Specific questions to ask:
    How many file types does your solution identify and control?
    What technique does it use to identify files (extensions or header analysis)?


    Data loss prevention:
    Examines content for sensitive data to prevent it leaving the organization through unauthorized means

    What to look for: A DLP solution should cover all vectors of potential data loss including removable media, devices such as USB sticks, traditional email, and Web 2.0 applications. Ideally the solution should block sensitive data leaks at the source on the user's desktop. It must include a predefined list of sensitive data type definitions and must be updated on a regular basis as new sensitive data types are defined.

    Specific questions to ask:
    What is the scope of coverage of your DLP solution?
    Where does it run and block sensitive data?
    How many sensitive data type definitions are included?
    Can the sensitive data types be easily extended or customized?
    How often are the sensitive data types updated?
    Does the DLP solution integrate with encryption options for data that does need to leave?

    Deployment, Management & Vendor Capabilities

    Scalable:
    A solution that scales with your growing business, from small companies to large, geographically distributed enterprises

    What to look for: A range of different hardware appliance models at price points attractive to organizations of all sizes that enables you to easily upgrade as your business grows. In particular, look for a solution that offers simple centralized management of multiple appliances in either a single site for performance and redundancy or across multiple sites for geographically distributed organizations.

    Specific questions to ask:
    What range of models do you offer?
    Do you offer an affordable solution for small businesses or small branch-office locations?
    Do you offer centralized management for consistent and easy policy settings across a large number of appliances?


    Flexible deployment modes:
    Different deployment options that enable the solution to fit with your IT and business objectives providing the ideal balance between security and ease-of-deployment and management

    What to look for: The ideal solution will support a range of options including explicit proxy mode, transparent mode operation, and support for Cisco's WCCP protocol. Avoid solutions that rely strictly on port-spanning operation.

    Specific questions to ask:
    Does your solution support explicit proxy mode?
    Does your solution support Cisco's WCCP protocol?
    Does your solution support transparent mode with directory service integration?
    How long does it take to deploy and configure your solution?


    Directory services integration:
    The ability to integrate with your Microsoft Active Directory or Novell eDirectory services to identify and authenticate users automatically

    What to look for: Support for both Microsoft and Novell directory services with easy setup and integration for user-based policy settings and reporting.

    Specific questions to ask:
    Does your solution support Microsoft Active Directory integration?
    Does your solution support Novell eDirectory integration?

    Easy to manage:
    A solution that is immediately intuitive and doesn't consume a lot of your time and effort to set up and administer on a daily basis

    What to look for: If you can't get the system deployed in just a few minutes without a lot of documentation or several calls to your vendor's support line, then you have the wrong product. Select a solution with task-based, wizard-driven setup, policy administration, and reporting. Avoid any solution that's not immediately clear and intuitive.

    Specific questions to ask:
    What's required to set up and configure the system?
    How intuitive is the management console?
    Does the setup and configuration use wizards, or lots of screens with fields that are poorly labeled?
    Does the solution provide thorough online help?
    How many steps does it take to set up a typical policy?

    Monitoring and alerting:
    The health of the appliance or solution is monitored remotely and alerts are provided in the event of any malfunction

    What to look for: A solution that is remotely monitored for you by your vendor that will alert you immediately if anything is wrong.

    Specific questions to ask:
    Do you monitor the health of your solution for each customer?
    If so, do you provide alerts and remote remediation?


    Dashboard and reporting:
    The ability to monitor your user, web traffic, and threat activity at a glance from a real-time dashboard, and drill down into rich and sophisticated reporting for forensics and compliance insight

    What to look for: A solution that has an aggregate dashboard that can span multiple separate appliances and present real-time status on user activity, throughput, latency, threats, and other important Internet traffic metrics. It's more important that the reporting system provide the information you need in a simple convenient manner than try to wow you with the sheer number of different reporting options. Reporting should be simple and provide drill-down capabilities, with a variety of important user, traffic, and activity reports to satisfy all stakeholders in your organization. Look for solutions that can provide ad-hoc, up-to-the-minute reports while also supporting a variety of parameters and export options including PDF output. In addition, regular scheduled reporting is essential to save you time and effort satisfying the needs of various stakeholders in the organization. Beware: once you have rich Internet activity reporting at your fingertips, everyone will want it.

    Specific questions to ask:
    Does your solution offer centralized reporting across multiple appliances and locations?
    Does your solution offer an aggregate real-time dashboard across multiple appliances and locations?
    Does your solution offer up-to-the-minute ad-hoc reporting?
    Does your solution offer PDF output for easy sharing of reports?
    Does your solution offer regularly scheduled reports that are automatically emailed to stakeholders and easy to set up with a simple wizard?
    Does your solution offer reports for network traffic, user activity, policy warnings and violations, top offenders and more?
    What is the length of data retention for reporting?

    Frequent updates:
    Frequent updates to malware identities, risky or malware-infested sites, and anonymizing proxies

    What to look for: Ideally your solution should update as frequently as every few minutes as needed. Avoid solutions whose update frequency is measured in hours. By the time you get an update, it's likely too late.

    Specific questions to ask:
    How often do you provide threat updates?
    Who maintains the updates and what resources do they have/use?


    Easy upgrades:
    Updates to product software are easy to deploy

    What to look for: Ideally your product should update automatically without any intervention and at no extra cost for minor or major version releases.

    Specific questions to ask:
    What's required to install a software update to the system?
    How much do updates and upgrades cost?

    Service and Support:
    The support experience

    What to look for: A company that treats you like a partner in protecting your organization, and that offers 24/7/365 support at no additional cost with immediate access to local front-line engineers who can actually help in your language. Also look for a solution that offers an advance replacement warranty on all hardware. Avoid vendors whose support is all overseas or who deal with both enterprise and consumer customers.

    Specific questions to ask:
    What support is included at no extra charge?
    When I call support, who am I talking to and where are they?
    Does your company support both corporate and consumer solutions?
    What premium support options do I have?

    Security labs:

    The team responsible for threat analysis and security updates

    What to look for: Look for a solution backed by a top-tier global round-the-clock security labs operation that deals with blended email, web, and endpoint threats.

    Specific questions to ask:

    How many people work in your labs operations?

    Where are they located?

    Do team members specialize in certain threats or is the labs' research fully blended across spam, web infections, and viruses?

    What level of automation and other resources do they utilize to keep ahead of the threats?


    Buying Guide Checklist

    Criteria | Other | Sophos

    Security and Control

    Web Application Control

    Desktop control over applications; Uses Application Identities; Granular policy control; Frequent identity updates

    URL Filtering

    Multiple language support; Frequent updates (minutes); Wizard Driven Policy

    Reputation Filtering

    Provided by top-tier vendor; Mobile/remote user protection; Frequent updates

    Proxy Filtering

    Real-time proxy detection; Proxy discovery service; Hundreds of new proxies added daily

    Real-time Malware Scanning

    Real-time; Behavioral; Script emulation; Multi-vector; Bi-directional; Low latency; Frequent updates

    Call-home detection

    Scan outbound requests

    HTTPS Scanning

    Proxy encrypted traffic; Financial site exclusions; Certificate validation

    Content Filtering

    Uses true-file-type identities; Granular policy control

    Data Loss Prevention

    Works at the desktop; Covers media, devices, web, email; Includes pre-packaged data definitions; Localized across multiple geographies; Easily customized data definitions; Frequent updates; Integrates with encryption


    Boston, USA | Oxford, UK

    Copyright 2010. Sophos Plc. All rights reserved.

    All trademarks are the property of their respective owners.

    Criteria | Other | Sophos

    Deployment, management and vendor capabilities

    Scalable

    Multiple appliance models; Small, affordable branch office appliances; Centralized management/reporting

    Deployment modes

    Explicit proxy mode; WCCP mode; Transparent mode

    Directory services integration

    Microsoft Active Directory; Novell eDirectory

    Management Console

    Up and running in less than 10 minutes; Intuitive user interface; Wizards for common tasks; Online help; Quick easy policy setup

    Monitoring and Alerting

    Remotely monitored by vendor; Alerting for trouble conditions; Remote remediation

    Dashboard and Reporting

    Scan outbound requests; Aggregate dashboard; Real-time dashboard; Drill-down dashboard and reporting; Well organized reports by stakeholder; Up to the minute ad-hoc reporting; Automated scheduled reporting; PDF output option; Multi-year data retention

    Updates and upgrades

    Frequent threat updates 5 minutes; Updates and upgrades are automatic; Free upgrades

    Service and support

    Included 24x7x365 support; Direct access to engineers; Local language support; Replacement warranty on hardware

    Security labs

    Global labs operation; Hundreds of analysts; Innovative automation; Blended virus, spam, and web threats

