
Buyers Guide to Web Protection

The web is the number one source for malware distribution today. While many organizations have replaced first-generation URL filters with secure web gateways, even these advanced solutions do not provide web protection everywhere. This paper identifies today's most critical web threats and provides checklists for you to identify and evaluate the security capabilities you need for the best web protection.


Nearly everyone is using the web for their work today. Cloud computing, social media, SaaS (software as a service) and other web-based technologies are reshaping the IT landscape and converging around the use of the Internet. And as you expand your use of the web for critical business applications, your company is exposed to an ever-increasing diversity of threats. New web-based applications and a mobile workforce require you to defend your systems against increasingly sophisticated malware. This step-by-step guide to choosing web protection solutions can help you address these challenges and still give users flexible access to the web-based tools they need.

Today's landscape for web threats

Here are just a few of the techniques cybercriminals commonly use to distribute malware on the web:

- Blackhat search engine optimization (SEO) ranks malware pages highly in search results.
- Social engineered click-jacking tricks users into clicking on innocent-looking webpages.
- Spearphishing sites mimic legitimate institutions, such as banks, in an attempt to steal account login credentials.
- Malvertising embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.
- Compromised legitimate websites host embedded malware that spreads to unsuspecting visitors.
- Drive-by downloads exploit flaws in browser software to install malware just by visiting a webpage.

Malicious code typically installs spyware or malware by exploiting known vulnerabilities in your browser or associated plugins. These malware threats include:

- Fake antivirus to extort money from the victim.
- Keyloggers to capture personal information and account passwords for identity or financial theft.
- Botnet software to subvert the system into silently joining a network that distributes spam, hosts illegal content or serves malware.


Traditional web filters and why they aren't enough


Many companies already block access to potentially dangerous URLs by employing secure web gateways. A URL filter sits on the perimeter of your network and inspects outbound URL requests to block access to known malicious, inappropriate and other unwanted sites. These filters have evolved to provide caching and filtering of inbound web traffic to improve performance and security. Still, many filters inspect traffic from the sidelines, providing little, if any, malware scanning. They rely solely on site reputation for security, which leaves users vulnerable to more sophisticated malware threats.

SaaS promises easy access and outsourced operation, but it has its downsides. You're no longer in full control of your data, availability and uptime. You lose location-aware browsing. And searching by backhauling through a proxy can be frustrating. Finally, additional software requirements complicate deployment.

The 2012 web protection checklist


Conventional web filters don't provide the protection you need. A mobile workforce puts new demands on your security infrastructure. And rich web applications complicate the landscape. So what can you do to protect users on the web? You need a new approach to web protection. Start by focusing on these four critical areas, which are essential to web-based security:

1. Advanced web threat protection
2. Web protection everywhere to cover offsite users
3. Web 2.0 application control
4. Web protection that is simple to manage and cost effective

The following sections describe the web security features and capabilities you need in each of these areas to keep your systems and data secure.


What to look for in advanced web threat protection


Web threats evolve rapidly, exploiting new techniques to avoid detection. These techniques include obfuscation, which makes code harder to read or understand, and polymorphism, which makes malware look different each time it is accessed, making it harder to identify. Most traditional gateway solutions cannot provide adequate protection against these threats. You need a new approach to web protection that adopts advanced methods to identify and block today's web threats before they do harm. Your web defense should combine 24/7 global threat intelligence with the latest web-specific anti-malware detection technologies to provide proactive threat detection and protection. These capabilities should include:

- Network-layer scanning
- Advanced web malware heuristics
- Bi-directional inspection
- High-performance computing
- Threat intelligence with frequent updates


Web threat protection checklist


Capability to look for: Network-layer scanning
Description: Scans web traffic at the network-layer stack before it becomes a problem. Otherwise, web traffic scanned in a browser helper object (BHO) or plugin is limited to a single browser and can be disabled or exploited.
Questions to ask your vendor:
- How is your web malware engine implemented?
  o Plugin
  o BHO
  o Network stack

Capability to look for: Advanced web threat heuristics
Description: Looks at content as it's accessed or downloaded and before it's passed to the browser to:
  o De-obfuscate, emulate or sandbox it.
  o Analyze it for suspicious or malicious behavior.
Questions to ask your vendor:
- What kinds of web threat technologies do you include?
  o Heuristics
  o De-obfuscation
  o Sandboxing
  o Behavioral analysis

Capability to look for: Bi-directional inspection
Description: Inspects both incoming content and outbound requests for signs of malware on your network that calls home by capturing information from your computers and sending it to the malware server.
Questions to ask your vendor:
- How does your web threat solution handle malware calling home?
- Can it easily identify infected machines calling home?

Capability to look for: High-performance computing
Description: Scales easily to support a flexible number of endpoints and provides a low-latency and transparent user experience.
Questions to ask your vendor:
- What is the added latency and impact of scanning all web traffic from all computers?

Capability to look for: Threat intelligence with frequent updates
Description: Includes a global threat analysis operation that is available 24/7 to provide the latest threat intelligence in cooperation with other web threat monitors, such as major search engines.
Questions to ask your vendor:
- Who provides your threat intelligence?
- What are their sources of web threat information?
- How often are threat updates provided?


How to provide web protection from any location


Offsite workers present an enormous security challenge whether they are working from home, at the local coffee shop or at an airport. It's difficult to provide efficient, secure ways to update policy and configuration settings and monitor activity. Virtual private networks (VPNs) and other traffic redirection or backhauling solutions are complex, expensive and slow. And they often represent a single point of failure. Unprotected offsite users can also have significant consequences for your IT department:

- Users are often exposed to web threats over the weekend when they are out of the office. Weekend infections force the IT department to begin each week cleaning up systems that are used outside the corporate gateway.
- If you have small branch office locations, it may not be economical to buy hardware gateways for each location. But you still have an obligation to monitor users.
- Your organization may be liable if inappropriate content is accessed from machines you own.

So web security must protect users regardless of their location, on your network or off, at any time. Look for an integrated approach to mobile security that doesn't require separate systems, management consoles, endpoint agents or backhauling traffic. You want an uncompromised browsing experience for users along with instant visibility and oversight for IT administrators. These capabilities should include:

- Unified endpoint/gateway policy and reporting
- Instant policy updates for offsite users
- Instant activity reporting from offsite users
- Endpoint policy enforcement with no backhauling
- A single agent


Offsite protection checklist


Capability to look for: Unified endpoint/gateway policy and reporting
Description: Employs one administration console and policy tool for systems on the network and off.
Questions to ask your vendor:
- How is your offsite protection provided?
  o Endpoint
  o Gateway
  o SaaS
- How is it integrated with your corporate network protection?

Capability to look for: Instant policy updates for offsite users
Description: Sends policy updates to users instantly without any IT administrator or user intervention.
Questions to ask your vendor:
- How quickly do offsite endpoints adopt policy changes?

Capability to look for: Instant activity reporting from offsite users
Description: Includes users' offsite web activity in reports immediately, without delay.
Questions to ask your vendor:
- How often does the administration console/dashboard report the activity of offsite users?

Capability to look for: Endpoint policy enforcement with no backhauling
Description: Enforces policy and scans for threats on endpoint computers without compromising the user experience. Also avoids unnecessary latency or expense caused by backhauling traffic across the Internet to a central service or gateway.
Questions to ask your vendor:
- Where does the actual policy enforcement and malware scanning take place?

Capability to look for: Single agent
Description: Employs a single endpoint protection agent for threat protection, web protection, data protection and compliance.
Questions to ask your vendor:
- How many endpoint agents do I need to install and manage for threat protection, web filtering, data protection and compliance?

What to look for in Web 2.0 application control


Web 2.0 applications, including social media, are ingrained in our personal and business lives. Any framework that depends on user-submitted content is inherently ripe for exploitation, making these applications risky. These applications can also impact worker productivity. Look for a web security solution that provides granular access to important Web 2.0 and social networking tools without sacrificing security. You must balance user productivity with security concerns to reflect the needs of both users and IT administrators. These capabilities should include:

- Granular social networking control
- Web application control
- Webmail, blog and forum controls
- Web download control


Web 2.0 control checklist


Capability to look for: Granular social networking control
Description: Lets you control elements within a site, such as Facebook chat or games, while still allowing users to check their wall or update their status.
Questions to ask your vendor:
- What kinds of granular social networking controls do you provide?

Capability to look for: Web application control
Description: Lets you control various types of potentially unwanted web-based applications by preventing them from downloading, running or communicating.
Questions to ask your vendor:
- What kinds of web application controls do you provide and how do they work?
  o Download blocking
  o Runtime blocking
  o Communication control through protocol filtering

Capability to look for: Webmail, blog and forum controls
Description: Lets you control users sending webmail or posting on blogs or forums, which can create significant data loss risks. Can optionally block the sending/posting of content while still allowing users to read and access these sites.
Questions to ask your vendor:
- What kinds of policy controls do you have for managing webmail, blogs and forums?

Capability to look for: Web download control
Description: Controls various types of downloadable content to prevent illegal, dangerous or potentially unwanted content from consuming corporate bandwidth, infecting machines or being distributed from internal systems.
Questions to ask your vendor:
- What type of content control solutions do you have?
- How do they identify the true nature of content and prevent file type masquerading?
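To make the last question concrete, here is an added example (not code from this guide or from any Sophos product) of the check a download control performs to catch file type masquerading: it identifies the true type from the first bytes of the content and compares it with what the file extension and the HTTP Content-Type header claim, so an executable served as "report.pdf" is refused. The signature table, type maps and sample downloads are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Content signatures ("magic bytes") for a few common download types.
# Constructed for this example; a real download control carries a far larger
# table and also unpacks containers (ZIP-based Office files, archives).
SIGNATURES = [
    (b"MZ", "exe"),                 # Windows PE executable (.exe, .dll, .scr)
    (b"\x7fELF", "elf"),            # Linux/Unix executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),         # ZIP archive (also .docx, .xlsx, .jar)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# What the declared extension and Content-Type claim the file to be.
EXT_TYPES = {"exe": "exe", "dll": "exe", "scr": "exe", "pdf": "pdf", "zip": "zip",
             "png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
MIME_TYPES = {"application/pdf": "pdf", "application/zip": "zip", "image/png": "png",
              "image/jpeg": "jpg", "image/gif": "gif",
              "application/x-msdownload": "exe"}
# application/octet-stream claims nothing, so it is deliberately absent.


def sniff_type(head: bytes) -> str | None:
    """Identify the true type from the first bytes of the content, or None if unknown."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_download(filename: str, content_type: str, head: bytes,
                   blocked_types: frozenset[str] = frozenset({"exe", "elf"})) -> Verdict:
    """Decide whether a download may proceed, trusting the content over its labels."""
    true_type = sniff_type(head)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims = (("extension", EXT_TYPES.get(ext)),
              ("Content-Type", MIME_TYPES.get(content_type.split(";")[0].strip().lower())))
    # 1. A label that disagrees with the content is masquerading: refuse it.
    for label, claimed in claims:
        if claimed and true_type and claimed != true_type:
            return Verdict(False, f"{label} claims {claimed} but content is {true_type}")
    # 2. Policy applies to the true type, not the declared one.
    if true_type in blocked_types:
        return Verdict(False, f"blocked type {true_type} identified by content signature")
    # 3. Unknown content wearing an executable extension is still refused.
    if true_type is None and claims[0][1] in blocked_types:
        return Verdict(False, "unrecognised content with an executable extension")
    return Verdict(True, f"content type {true_type or 'unknown'} matches its labels")
```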

How to simplify IT management and lower web protection costs


Every organization is trying to do more with less. It's important that your web security solution operate efficiently. Switching to a new web security system can be time consuming and expensive, but continuing to use the same ineffective solution can be more costly in terms of ongoing administrative inefficiencies, malware clean-up incidents and compliance risks. Any new approach must provide significant new value, be easy to deploy, save time and reduce budget. Your web security solution shouldn't require expensive new infrastructure or additional client software, services or management tools. It should let you manage remote or offsite users as easily as those on the corporate network. It should be robust and operable even when key infrastructure elements are unavailable or unreachable offsite. It shouldn't require large capital expenditures or ongoing SaaS contracts. Instead it should help you lower budgets. These capabilities should include:

- A single agent
- Unified management
- Endpoint policy enforcement with no backhauling
- Scalability with each user
- Resilience to failure
- Direct control over user data


IT management and cost checklist


Capability to look for: Single agent
Description: Employs a single endpoint protection agent for threat protection, web protection, data protection and other security features.
Questions to ask your vendor:
- How many endpoint agents do I need to install/manage for threat protection, web filtering, data protection and compliance?

Capability to look for: Unified management
Description: Offers one administration console for web usage policy and reporting on systems that are on the network or off the network.
Questions to ask your vendor:
- How is your offsite protection provided?
  o Endpoint
  o Gateway
  o SaaS
- How is it integrated with your corporate network protection?

Capability to look for: Endpoint policy enforcement with no backhauling
Description: Enforces policy and scans for threats on the endpoint computers without compromising the user experience. Also avoids unnecessary latency or expense caused by backhauling traffic across the Internet to a central service or gateway.
Questions to ask your vendor:
- Where is the actual policy enforcement and malware scanning taking place?

Capability to look for: Scalable with each user
Description: Provides scaling for each added user and doesn't require additional capital expenditures in gateway appliance hardware or SaaS service levels.
Questions to ask your vendor:
- How is your protection provided and the scanning executed?
  o Endpoint
  o Gateway
  o SaaS
- As we add more users, what needs to scale? What are the associated costs? How easy is it?

Capability to look for: Resilient to failure
Description: Does not have a single point of failure and continues to operate without access to a central service or gateway.
Questions to ask your vendor:
- Is there a single point of failure? What happens if this is unavailable? What is the impact? Can users still access the web? Are they protected?

Capability to look for: Direct control over user data
Description: Provides direct control over your user data, which is not stored and maintained by a third party.
Questions to ask your vendor:
- Where does your user web activity reside? What risks does this present?

Capability to look for: Shared policy for gateway and endpoint enforcement
Description: Lets you create one policy that is enforced consistently: onsite or offsite; at the network gateway; or at the endpoint.
Questions to ask your vendor:
- How do I apply my web gateway policy to endpoint computers?
- Do I need to create a separate policy for endpoints?


The combination you need for complete web protection everywhere


Web security must be an integrated part of your overall security solution. It should address these four critical needs: advanced web threat protection, web protection from any location, Web 2.0 application control and simple IT management. A successful web protection solution must combine the best elements of endpoint, cloud and gateway solutions to provide a better, more secure web experience. Look for these integrated capabilities in your web protection system:

- Web security that is built into the antivirus agent at the endpoint.
- Easy deployment at the endpoint with advanced web threat protection.
- Web protection that travels with you for secure web access from any location.
- 24/7 global web threat intelligence with the latest web-specific detection technologies.
- Complete IT administrator control and visibility no matter where users are.
- Reduced network complexity without the downsides of a SaaS or proxy solution, such as backhauling, latency and a single point of failure.
- Seamless scalability for easy expansion over time.
- Cost savings that result from avoiding the purchase of traditional appliances or pure SaaS services.

By focusing on the checklists in this buyer's guide and working closely with your vendor, you can find an affordable web security solution that provides the protection you need. So you get easier web protection and control with less effort and cost.

Web Protection Checklist

Advanced web threat protection
What to look for:
  o Network-layer scanning
  o Advanced web threat heuristics
  o Bi-directional inspection
  o High-performance computing
  o Threat intelligence with frequent updates
What to ask:
- How is your web malware engine implemented?
  o Plugin
  o BHO
  o Network stack
- What kinds of web threat technologies do you include?
  o Heuristics
  o De-obfuscation
  o Sandboxing
  o Behavioral analysis
- How does your web threat solution handle malware calling home?
- Can it easily identify infected machines calling home?
- What is the added latency and impact of scanning all web traffic from all computers?
- Who provides your threat intelligence?
- What are their sources of web threat information?
- How often are threat updates provided?

Offsite protection
What to look for:
  o Unified endpoint/gateway policy and reporting
  o Instant policy updates for offsite users
  o Instant activity reporting from offsite users
  o Endpoint policy enforcement with no backhauling
  o Single agent
What to ask:
- How is your offsite protection provided?
  o Endpoint
  o Gateway
  o SaaS
- How is it integrated with your corporate network protection?
- How quickly do offsite endpoints adopt policy changes?
- How often does the administration console/dashboard report the activity of offsite users?
- Where does the actual policy enforcement and malware scanning take place?
- How many endpoint agents do I need to install and manage for threat protection, web filtering, data protection and compliance?

Web 2.0 control
What to look for:
  o Granular social networking control
  o Web application control
  o Webmail, blog and forum controls
  o Web download control
What to ask:
- What kinds of granular social networking controls do you provide?
- What kinds of web application controls do you provide and how do they work?
  o Download blocking
  o Runtime blocking
  o Communication control through protocol filtering
- What kinds of policy controls do you have for managing webmail, blogs and forums?
- What type of content control solutions do you have?
- How do they identify the true nature of content and prevent file type masquerading?

IT management and cost
What to look for:
  o Single agent
  o Unified management
  o Endpoint policy enforcement with no backhauling
  o Scalable with each user
  o Resilient to failure
  o Direct control over user data
  o Shared policy for gateway and endpoint enforcement
What to ask:
- How many endpoint agents do I need to install/manage for threat protection, web filtering, data protection and compliance?
- How is your offsite protection provided?
  o Endpoint
  o Gateway
  o SaaS
- How is it integrated with your corporate network protection?
- Where is the actual policy enforcement and malware scanning taking place?
- How is your protection provided and the scanning executed?
  o Endpoint
  o Gateway
  o SaaS
- As we add more users, what needs to scale? What are the associated costs? How easy is it?
- Is there a single point of failure? What happens if this is unavailable? What is the impact? Can users still access the web? Are they protected?
- Where does your user web activity reside? What risks does this present?
- How do I apply my web gateway policy to endpoint computers?
- Do I need to create a separate policy for endpoints?


Sophos Web Protection


Sign up for a 30-day trial: visit Sophos.com/web

United Kingdom Sales
Tel: +44 (0)8447 671131
Email: sales@sophos.com

North American Sales
Toll Free: 1-866-866-2802
Email: nasales@sophos.com

Boston, USA | Oxford, UK
Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.
A Sophos Whitepaper 12.11v1.dNA
