Last week, I reported on how Z-Scan, Network Box's real-time, cloud-based antivirus, is shifting the paradigm in the battle against viruses and helping us create signatures in seconds, when traditional AV companies still take several hours for a single signature.
This week we can proudly report that, after one year of field use in the war against viruses, this same technique is also being applied against spam.
The malware traps we have deployed are simply fake email addresses; whatever they receive is either spam or malware. It is, therefore, a natural progression to apply Z-scan to spam as well. When a new email arrives with no attachment and nothing malicious in it, we know it is spam. If our other 24 anti-spam engines do not recognize it yet, Z-scan creates its usual hash signature, but this time the signature is not used by the antivirus. Z-scan anti-spam, acting as a 25th engine, flags the email as spam, and from that point on all Network Boxes globally do the same.
Later on, our expert team analyzes the email and creates signatures that our 24 engines can use to block that same email. But in the meantime, our customers have already been spared the nuisance!
Now the challenge is on.
In September 2010, when we first deployed Z-scan antivirus, we were running around 100 signatures a day. Today, that number has gone up all the way to 300 thousand! Three hundred thousand pieces of zero-day malware!
Today Z-scan antispam has only 597 signatures. I am certain that very soon, this number will grow exponentially as spammers increase the onslaught.
Network Box has 25 engines to protect customers from spam. Our spamtraps show that our success rate is currently 99.7%; a figure that is truly hard to beat as is. With Z-scan anti-spam, the rate will grow even closer to 100%.
Many companies greatly underestimate the security issues in the cloud and end up trying to protect their servers only with a firewall, if even that. Because the cloud is being approached as a way to save money by reducing hardware rather than by improving efficiency, the idea of deploying security in the cloud is too often overlooked as an expensive and unnecessary luxury. This is heaven for the hackers, who couldn’t ask for anything better than an environment full of servers that aren’t protected.
When Network Box started operations 11 years ago, security was generally seen as a firewall and, maybe, antivirus on the workstations. Over the years we have been telling our customers that this is not enough. IDS, IPS, and several other gateway protections have emerged. Network security today can be very strong; but too many companies are not adopting the same at the virtual level.
For one thing, in the virtual world you can’t install your own device. So you need to use what is available as a virtual solution. Some companies have virtualized their systems already; Network Box, for example, has a completely virtual version of its award-winning, hardware-based solution. The two versions are identical in every respect, including how the system is managed.
But most of the other offers, which customers can manage themselves, are just firewalls. And this poses a problem and a risk. A firewall is only a starting point, and definitely not the “entire” security you need to protect a network. IDS, IPS and much more is needed, just as it is in the physical world.
One solution we have seen does not even include the ability to create an IPSEC VPN. You need to install your own open-source code, compile it, and configure it. Where are the savings when your people need to spend so much time securing everything? And so it happens that security becomes secondary because it is seen as too expensive to be done properly.
What makes matters even worse is the generalized lack of appropriate processes and procedures to deal with the cloud. When you move your data to the cloud, you need to ensure that access controls are as strong as they can be; you also need to reinforce your database even more than when you have it in house; and you need to define very clearly who has access to what and why. The same processes and procedures you use inside your company need to apply to the cloud.
Because most of what is hosted in the cloud is servers running databases or backups, too often we see connections from the company to the cloud made via RDP, without any form of protection. My major concern is that RDP exposes a login account to the Internet. And hackers have all the time they want to conduct any form of exploit – this could be a brute force password attack, but most likely it will be some sort of malformed packet that will run arbitrary code on the server. RDP should never be opened to the Internet at large. If no other option is available, it should at least be restricted to well specified source addresses.
The best way to protect your cloud is to adopt an integrated firewall/IPS/VPN solution; this will deliver the best security available in traditional environments, and allow for full protection of the cloud servers and data. Connection from the company’s network to the cloud should never be made other than through a VPN. Inbound access from the Internet to the servers should be tightly controlled, and allowed only from specific IPs if possible, and only if and when necessary.
Outbound access to the Internet should be controlled as well, by opening only the ports that are really needed; in most cases that means only domain (DNS), http and https, plus maybe a handful of ports to reach an authorization or authentication server, if really necessary (and those should be restricted to the IPs of the remote servers).
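The policy in the three paragraphs above, written out as a decision function so it can be checked against sample flows. This is an added example, not Network Box configuration; every address is constructed from the RFC 5737 documentation ranges, and the admin list, VPN gateway and auth server are assumptions.

```python
"""Added example: the cloud firewall policy this post recommends, as a decision function.

Addresses are constructed from RFC 5737 documentation ranges, not real hosts.
"""
import ipaddress

CLOUD_SERVERS = ipaddress.ip_network("198.51.100.0/24")    # hosted servers (constructed)
COMPANY_VPN_GW = ipaddress.ip_address("203.0.113.10")      # office VPN gateway (constructed)
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]   # well-specified inbound sources
AUTH_SERVERS = {ipaddress.ip_address("192.0.2.25"): {636}}  # remote auth server, pinned by IP
IPSEC_PORTS = {500, 4500}          # IKE and NAT-T: the VPN the post requires
ALWAYS_OPEN_OUT = {53, 80, 443}    # domain (DNS), http, https


def decide(src, dst, dport):
    """Return (action, reason) for a flow to or from the cloud servers."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in CLOUD_SERVERS:                        # inbound from the Internet
        if src == COMPANY_VPN_GW and dport in IPSEC_PORTS:
            return ("allow", "company-to-cloud traffic rides the IPsec VPN")
        if any(src in net for net in ADMIN_SOURCES):
            # last resort: even RDP is reachable only from these listed sources
            return ("allow", "source is on the approved inbound list")
        if dport == 3389:
            return ("deny", "RDP is never opened to the Internet at large")
        return ("deny", "inbound from an unlisted Internet source")
    if src in CLOUD_SERVERS:                        # outbound from the cloud servers
        if dport in ALWAYS_OPEN_OUT:
            return ("allow", "port is on the short outbound list")
        if dport in AUTH_SERVERS.get(dst, set()):
            return ("allow", "authentication server reachable only at its own IP")
        return ("deny", "outbound port not on the allow list")
    return ("deny", "flow does not involve the cloud servers")


def audit(flows):
    """Run a batch of (src, dst, dport) flows and return only the denials with reasons."""
    return [(f, decide(*f)[1]) for f in flows if decide(*f)[0] == "deny"]
```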
The bottom line is that too many companies are adopting lackluster security postures in the cloud because they are trying to contain costs. In doing so they are putting their data in danger. At a minimum, their servers could become either zombies of botnets, or command and control centers of the same. But they could also lose their data and this could compromise the sheer existence of their company.
Do not underestimate the importance of security in the cloud; it is still your data, and it is still your company that could be at risk.
Whether your company is already using the cloud or is planning to do so during the next year, the security of your data is certainly one of your main concerns.
After managed security services, handing off the security of your data to someone else must be the single most important worry for anyone involved in securing a company's data.
Since this topic encompasses several different aspects of security, I will try to offer thoughts on each of them in the weeks ahead, so that each topic is examined as it deserves.
The first topic we will analyze this week is data control.
Many companies are moving their email to cloud based hosted solutions -- Google, Microsoft, and many others offer this. Your workstations will connect to a remote server using an encrypted channel to download emails. Virtually, you have your own server and your own disks. But physically, your data is stored in the same disk with many other companies’ data and emails.
Some consideration must be given to how this data is protected, and not only from hackers.
Assume you have your own server in house. When the email is stored on that server, it’s under your complete control. Assume that one of your employees does something that requires a law enforcement investigation and for that reason you need to hand over your data. If a law enforcement officer shows up at your doorstep without a court order, you can (and likely will) decline to hand over any data. You are not obliged in any way until there is a court order.
Assume now that you are hosting that data in the cloud; say your email is hosted with Google. Do you really think that they will take care of your data the same way you would? I would hope so, but I must be skeptical; after all, why would they anyway?
Now think of that same data stored on that same disk, sharing space with another company. Someone at that company is investigated and their data needs to be given to the authorities. Law enforcement does not take "copies". They take originals; so they show up and take the disk. So now your data is on a disk that is being used in a legal case against another company you have no ties with whatsoever; it is no longer stored in the privacy of that data center. You don't even know where it is and who is reading it anymore!
And what if the legal case is coming from another country? What if that disk is being handed over to Scotland Yard? Now your data is not only on a disk used in a legal case that is not yours; it is not even in the US anymore! And you have no control at all!
Is this something you should be worried about? I guess it depends on what type of business your company does, how sensitive that data is, and how damaging it would be if it ends up in the wrong hands, be that the competition or the public! The answer can't be the same for every company; this is a consideration each company needs to make based on several parameters, but ultimately the most relevant of all is "what happens if the data ends up in the wrong hands?"
That question is the general question of security and is the reason why we have security in the first place. Moving your data to a hosted solution only adds to the uncertainty surrounding the security of your data, as it adds another layer of possible loss.
UTM seems to have become a misused term; anyone who puts together something more than a firewall in the same box calls it a UTM.
So what are the key elements? Read on:
1) Firewall – of course you want this, but in light of the other features that you will want, packet filtering and proxying will be very useful as well; so your firewall must be a hybrid.
2) IDS/IPS – this today is a must; you can’t have edge protection without proper IPS, and it is ridiculous to buy a separate one after you have spent all the money for a UTM device. This feature should be fully integrated with the firewall, to achieve a next generation firewall protection, and should be INLINE with the firewall.
3) Email protection – should be much more than just an AV product. It should include policy protection, to block unwanted attachments, hidden, compressed or otherwise; protection for the server, integrated with the firewall and IPS; and protection from vulnerabilities that affect the protocols and the servers.
4) Antivirus – protocols to be protected are, at a minimum: SMTP, POP3, IMAP, FTP, and HTTP.
a. AV is too generic a term; one single AV is no longer acceptable, as no one can really keep up; best is to have more than one.
b. Real-time AV – this is an emerging technology; we already have it. If you hope to block emerging threats, you need zero-day protection, and that means a real-time AV.
5) Antispam. Hackers use all kinds of ways to get in; you need to have protection against all of them. Antispam should have a proven record of at least 98% protection, should not be using old spam lists but should be based on more modern techniques, such as SPF checks and many others. We still see too many systems that use old methods that cause way too many false positives and yield poor overall results.
6) Web access policy – a company must be able to control where its employees are allowed to go on the internet, and this in turn enhances protection as it prevents users from landing on dangerous websites.
7) VPNs – modern devices should support IPSEC for compatibility, but should also offer SSL as a full VPN, with roaming AND site-to-site solutions. PPTP is still there, as it is free and inexpensive, but not mandatory at this point.
8) Updates – the Internet moves too fast for updates to be PULLed by the devices. PUSH updates are now a must; Network Box has had this for 10 years.
9) Monitoring/management – this is important because expert configuration is 50% of the protection.
A true UTM device should be seamless - the final result is stronger than the sum of the parts. The antispam should be able to communicate with the IPS, so that a spammer attacking your device will be blocked before the email is even delivered. The antispam should also be able to use the categorization abilities of the web access policy to see if a URL in an email should be allowed or not. The IPS and the firewall should be fully integrated.
There are many other functions that a UTM device can do for you. For example, our device can host DNS records for the company. It can act as DHCP server and NTP server. It supports VLANs (256 per interface), and it can automatically add a signature to any outbound email (for legal statements mostly). We support advanced routing, any type of packet mangling, and Quality of Service; we can set up a load balancer in the firewall; we can support multiple internet connections either in high availability or in weighted load balance.
Our devices can be set up in high availability or in load balance or in cluster. New functions that are emerging as required on the UTM this year are DLP and Vulnerability Scanning. These functions thus far have been done using separate devices; more and more companies are demanding to see them integrated with the gateway protection.
Lastly, it’s important that the technology offered for small offices is the same provided for the main office. For example, you want the same AV protection, nothing less; viruses don’t treat small offices any better than they treat your headquarters. With Network Box, you get the same exact protection whether your office has 1 person or 10,000!
Last week, we unveiled the new M-385, which is replacing our popular M-380, as part of the Network Box family of unified threat management (UTM) appliances.
So, why should you upgrade to the M-385? For starters, if you’re a current Network Box USA customer, it won’t cost you a dime – the appliance is lent to you for the duration of your contract and you only pay for the service. So, you don’t have to worry about any hardware purchases or amortizing it over time.
The new M-385 also triples the performance of the M-380 and integrates a wide variety of applications. Some of these include anti-spam, anti-phishing, anti-spyware, firewall, intrusion prevention and protection, and virtual private network. Users get a sophisticated hybrid of hardware and software so your enterprise can fight backdoors, hackers, worms and other online threats.
And there’s more – via our PUSH technology, updates are performed in real time. So whenever a new antivirus signature, security patch or software update becomes available, it’s pushed out to all Network Box devices worldwide in less than a minute.
Support is also provided for Network Box advanced services – such as load balancing, quality of service, and advanced policy-based routing – and the units are monitored from our Global Management System. In addition, they can be integrated with existing clusters and networks of Network Box UTM appliances.
The M-385 is sold through our reseller channel and remotely managed by Network Box USA. Any questions? Call us at 832-242-5758, toll free at 888-315-8886, or inquire via email: email@example.com.
Mark Webb-Johnson, my colleague at our Hong Kong headquarters, edits a monthly Network Box publication called "In the Boxing Ring." In this month’s issue, he reports on problems that can arise from unintended anti-spam whitelisting. I would like to share a few of his findings/reflections, which you may find very interesting.
Mark indicated that administrators often whitelist their own or popular domains, hoping to avoid mails being blocked as spam. Spammers, however, often use your own domain as the sender address. Whitelisting your own or popular domains isn’t effective in avoiding false positives; it can actually cause more problems.
To quote Mark, “This causes the Network Box to incorrectly ‘learn’ that spam as ham (resulting in other similar spam being treated as ham as well).”
Our Anti-Spam system does have the ability to perform sender white and black listing. If a sender is blacklisted, for example, that tells the Network Box that the sender only sends spam and all messages from that sender are to be treated as spam. Likewise, notes Mark, a whitelisted sender instructs the Network Box that the sender only sends ‘ham’ and all messages from that sender are to be treated as ham.
My recommendation, in agreement with Mark, is to never whitelist your own domain. It is true that you do not send out spam, but it is also true that spoofed domains are an everyday issue with spam.
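To make Mark's point concrete, here is an added example (not Network Box code) of a toy spam learner in which the sender whitelist overrides the verdict and every hit is learned as ham, beside a hardened version that honours the whitelist only when the sender authenticated and never auto-learns from it. The messages, token lists and the `spf` field (standing in for the SPF result the receiving gateway recorded) are all constructed assumptions.

```python
"""Added example: whitelisting your own domain lets spoofed spam through and poisons learning."""
from collections import Counter

OWN_DOMAIN = "example.com"                      # placeholder for "your own domain"
SPAM_TOKENS = {"cheap", "viagra", "winner"}     # constructed spam vocabulary


def sender_domain(msg):
    return msg["from"].rsplit("@", 1)[-1].lower()


def looks_spammy(msg, learned_ham):
    """Toy learner: spam-vocabulary hits versus how often the tokens were learned as ham."""
    spammy = sum(1 for t in msg["tokens"] if t in SPAM_TOKENS)
    hammy = sum(learned_ham[t] for t in msg["tokens"])
    return spammy > hammy


def naive_verdict(msg, whitelist, learned_ham):
    """Whitelist wins outright, and every whitelisted hit is learned as ham."""
    if sender_domain(msg) in whitelist:
        learned_ham.update(msg["tokens"])       # spoofed spam now trains the ham model
        return "ham"
    return "spam" if looks_spammy(msg, learned_ham) else "ham"


def hardened_verdict(msg, whitelist, learned_ham):
    """Honour the whitelist only for an authenticated sender; never auto-learn from it."""
    if sender_domain(msg) in whitelist and msg["spf"] == "pass":
        return "ham"
    return "spam" if looks_spammy(msg, learned_ham) else "ham"


# Constructed traffic: a spoofed message "from" your own domain, then look-alike spam
# from elsewhere, then a genuine message that passed SPF.
MESSAGES = [
    {"from": "ceo@example.com", "spf": "fail", "tokens": ["cheap", "viagra", "winner", "offer"]},
    {"from": "promo@mailer.test", "spf": "none", "tokens": ["cheap", "viagra", "winner"]},
    {"from": "ceo@example.com", "spf": "pass", "tokens": ["agenda", "meeting"]},
]


def run(verdict_fn, whitelist=frozenset({OWN_DOMAIN})):
    """Return the verdict for each constructed message, in order, with fresh learner state."""
    learned_ham = Counter()
    return [verdict_fn(m, whitelist, learned_ham) for m in MESSAGES]
```

With the naive rule the spoofed message is accepted, its tokens are learned as ham, and the look-alike spam from a different sender then slips through too, which is exactly the "learned that spam as ham" failure Mark describes.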
If you’re experiencing any whitelisting/false positive issues, send me an email (firstname.lastname@example.org) or pick up the phone (832/242-5757) and let’s discuss!
Response times to serious new Internet threats have, until now, often taken hours.
Not anymore! We recently launched Sentinel Antivirus Engine – a new virus detection and signature service.
Network Box’s Sentinel Antivirus Engine develops its own signatures to protect against emerging viruses within 60 seconds of the threat being seen. It also works with our existing antivirus technology and automatic PUSH updates to provide the industry’s fastest protection against new threats.
We’re constantly seeing huge increases in the number of malicious viruses spreading via email. In fact, we just reported that the U.S. has overtaken India and Russia to become the biggest producer of viruses once more — the U.S. is now responsible for 12.05 percent of the world’s viruses, up from 4.03 percent in August, when the U.S. trailed both India and Russia.
The Sentinel Antivirus Engine operates by continually analyzing all the threat information that is received by the company’s proprietary Network Box Security Response system (such as spam traps, virus traps, customer submissions, mail and http statistics, suspect samples, etc).
This information is used to determine that a particular object may be malicious, and the system maintains a confidence level for the likelihood of an object being malicious. Confidence levels are expressed as a percentage (with 0 percent being a new sample, and 100 being absolute certainty that the object is malicious).
Only executable code (or objects capable of embedding executable code) has a confidence assigned by the system. It is common to see a new outbreak enter the system with a low confidence level, and then escalate upwards as more samples from more sources are seen. Once that happens, the confidence level reaches 100 percent and a formal signature is released.
Security managers can set at what levels they want an object blocked (the default block is 50 percent, but can be adjusted according to each company’s security requirements).
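An added example of the escalation process described above, written as a small tracker: a sample starts at 0 percent, gains confidence only when an additional independent feed reports it, blocks at the configurable threshold (50 percent by default, as in the post) and is signature-ready at 100 percent. The 25-point step per feed, the feed names and the SHA-256 identity are my assumptions, not Network Box's actual model.

```python
"""Added example: confidence escalation for a new sample (assumed model, not Network Box's)."""
import hashlib

DEFAULT_BLOCK = 50   # the post's default block threshold, in percent
STEP = 25            # confidence gained per additional independent feed (assumption)


def sample_key(obj_bytes):
    """Identify an object by its SHA-256 digest."""
    return hashlib.sha256(obj_bytes).hexdigest()


class ConfidenceTracker:
    def __init__(self, block_threshold=DEFAULT_BLOCK):
        self.block_threshold = block_threshold
        self.sources = {}   # sample key -> set of feeds that have reported it

    def observe(self, obj_bytes, source, executable):
        """Record a sighting; return the new confidence, or None for non-executable objects."""
        if not executable:
            return None      # only executable (or executable-embedding) objects are scored
        key = sample_key(obj_bytes)
        feeds = self.sources.setdefault(key, set())
        feeds.add(source)    # a repeat report from the same feed adds no new evidence
        return self.confidence(key)

    def confidence(self, key):
        """0 % for a brand-new sample, rising with each distinct feed, capped at 100 %."""
        feeds = self.sources.get(key)
        if not feeds:
            return 0
        return min(100, STEP * (len(feeds) - 1))

    def should_block(self, key):
        """The security manager's threshold decides when the object is blocked."""
        return self.confidence(key) >= self.block_threshold

    def signature_ready(self, key):
        """At 100 % the object is certain and a formal signature can be released."""
        return self.confidence(key) == 100
```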
If you have any comments/questions, contact us. We always welcome your input!