Cisco IronPort Email & Web Security

Frédéric HER, CISSP, Systems Engineer, Africa, Cisco IronPort Solutions, [email protected]

Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco IronPort: Unparalleled Market Leadership

• IronPort founded in 2000, acquired by Cisco in 2007
• 20,000+ customers globally
• 400 million users protected
• 40% of Fortune 100 companies
• 8 of the 10 largest Service Providers
• 7 of the 10 largest Banks
• 99%+ customer renewal rates

Analyst positioning: IronPort positioned in the "Leaders" Quadrant in the Magic Quadrant Report; IronPort is positioned as a leading player in the messaging security appliance market; named IronPort the market share leader in the email security appliance market.

The Cisco IronPort Story: Application-Specific Security Gateways

BLOCK Incoming Threats:
• Spam, Phishing/Fraud
• Viruses, Trojans, Worms
• Adware
• Unauthorized Access

Internet, then SensorBase (The Common Security Database), then the Application-Specific Security Gateways: Email Security Gateway, Web Security Gateway, Management Appliance

Cisco IronPort Email Security

Cisco IronPort Email Security Appliance

Email Challenges

Standard email does not natively offer what is expected:
• Junk Mail
• Viruses
• Privacy & Control
• Regulations

Cisco IronPort Consolidates the Network Perimeter: For Security, Reliability and Lower Maintenance

Before Cisco IronPort: Internet, Firewall, then a stack of separate boxes (Encryption Platform, DLP Scanner, MTA, Anti-Spam, Anti-Virus, DLP Policy Manager, Policy Enforcement, Mail Routing), then Groupware and Users.

After Cisco IronPort: Internet, Firewall, Cisco IronPort Email Security Appliance, Groupware, Users.

Spam Trends

• Record spam volumes and criminal botnet activity

[Chart: Average Daily Spam Volume (billions), 0 to 300, by Month, January 2008 through November 2009]

Spam Sophistication Increasing

• 2005: Text Spam
• 2006: Image Spam
• 2007: Attachment Spam (PDF, Excel, MP3)
• 2008: Targeted Attacks

Image spam example: "Your Equitable Bank account is closed, call us now at (802)354-4250"

Cisco IronPort SensorBase

• Statistics on more than 30% of the world's e-mail traffic
• New threats & alerts detection
• More than 200 parameters to build reputation scores

E-Mail Reputation Filters (inputs to the Reputation Score):
• Data Volume
• Message Structure
• Complaints
• Blacklists, whitelists
• Off-line data

Web Reputation Filters (inputs to the Reputation Score):
• URL blacklists & whitelists
• HTML Content
• Domain Info
• Known "bad" URLs
• Website history…

Email Security Architecture: Cisco IronPort Email Security Appliance

Inbound Security: Spam Defense, Virus Defense
Mail Transfer Agent on the Cisco IronPort AsyncOS Email Platform
Outbound Control: Data Loss Prevention, Secure Messaging
Management

Cisco IronPort AsyncOS: Revolutionary Email Delivery Platform

Traditional Email Gateways and Other Appliances:
• 200 connections
• Low performance / peak delivery issues
• Unable to leverage the full capability of CPU components
• Disk I/O bottlenecks

Cisco IronPort Email Security Appliances:
• 1K – 10K connections
• High performance / sure delivery
• Limited solely by CPU capacity

Advanced Controls for Security and Efficiency, and to protect against the risk of being blacklisted

Destination Controls (outbound to the Internet from a single address, 163.24.127.3):
1. Protect internal servers
2. Rules per destination domain

IronPort Virtual Gateways (outbound to the Internet from 163.24.127.3, 163.24.127.4 and 163.24.127.5):
1. Protects the reputation of a domain
2. Relies on different IP addresses for sending messages

Email Authentication (DomainKeys, DKIM, SPF, SIDF)

Anti-Spam Defense in Depth

SensorBase Reputation Filtering, then IronPort Anti-Spam, then Verdict

• > 99% catch rate
• Spam blocked before entering the network
• < 1 in 1 million false positives

SensorBase Reputation Filtering: Real Time Threat Prevention

Incoming mail (good, bad and unknown email) passes through Reputation Filtering and then IronPort Anti-Spam:
• Known good is delivered
• Suspicious is rate limited and spam filtered
• Known bad is blocked

Cisco's Internal Email Experience:

  Message Category                   % Messages        Count
  Stopped by Reputation Filtering        93.1%   700,876,217
  Stopped as Invalid Recipients           0.3%     2,280,104
  Spam Detected                           2.5%    18,617,700
  Virus Detected                          0.3%     2,144,793
  Stopped by Content Filter               0.6%     4,878,312
  Total Threat Messages                  96.8%   728,797,126
  Clean Messages                          3.2%    24,102,874
  Total Attempted Messages                       752,900,000
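The three-way verdict on the reputation filtering slide (known good delivered, suspicious rate limited and spam filtered, known bad blocked), as an added illustration that is not AsyncOS code: a small connection-time policy engine with a sliding-window rate limiter for the suspicious tier. The -10..+10 score scale, the tier boundaries, the per-hour limit and the sample IPs are constructed assumptions.

```python
"""Reputation-tiered SMTP connection policy (added illustration, not AsyncOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed assumptions: a -10..+10 sender score and two tier boundaries.
BLOCK_BELOW = -3.0       # below this the connection is refused outright
TRUST_ABOVE = 6.0        # above this mail is delivered without spam scanning
SUSPICIOUS_LIMIT = 20    # recipients per hour accepted from one suspicious IP


@dataclass(frozen=True)
class Policy:
    name: str
    accept: bool                 # False = reject the connection (known bad)
    scan_for_spam: bool          # True = hand the message to the anti-spam engine
    hourly_limit: Optional[int]  # None = no rate limit (known good)


TIERS = {
    "blocked":    Policy("blocked", False, False, 0),
    "suspicious": Policy("suspicious", True, True, SUSPICIOUS_LIMIT),
    "trusted":    Policy("trusted", True, False, None),
}


def classify(score: Optional[float]) -> Policy:
    """Map a sender score to a tier; unknown senders (no score yet) are treated as suspicious."""
    if score is None or BLOCK_BELOW <= score <= TRUST_ABOVE:
        return TIERS["suspicious"]
    return TIERS["blocked"] if score < BLOCK_BELOW else TIERS["trusted"]


class RateLimiter:
    """Sliding one-hour window of accepted recipients per sending IP."""

    def __init__(self) -> None:
        self._seen: Dict[str, List[float]] = {}

    def allow(self, ip: str, limit: int, now: float) -> bool:
        recent = [t for t in self._seen.get(ip, []) if now - t < 3600.0]
        allowed = len(recent) < limit
        if allowed:
            recent.append(now)
        self._seen[ip] = recent
        return allowed


def handle_connection(ip: str, score: Optional[float], limiter: RateLimiter, now: float) -> str:
    """Return the SMTP-style decision for one inbound connection at time `now` (seconds)."""
    policy = classify(score)
    if not policy.accept:
        return "554 rejected: sender reputation"
    if policy.hourly_limit is not None and not limiter.allow(ip, policy.hourly_limit, now):
        return "452 deferred: rate limit for suspicious sender"
    return "250 accepted, scanned by anti-spam" if policy.scan_for_spam else "250 accepted, delivered"
```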

Cisco IronPort Virus Outbreak Filters: The First Line of Defense

Early protection with IronPort Virus Outbreak Filters

Multi-Layer Virus Defense: Zero Hour Malware Prevention and AV Scanning

Virus Outbreak Filters rules, applied ahead of Anti-Virus signatures, are refined as the outbreak unfolds:
• T = 0: zip (exe) files
• T = 5 mins: zip (exe) files, size 50 to 55 KB
• T = 15 mins: zip (exe) files, size 50 to 55 KB, "Price" in the filename

An analysis over one year:
• Average lead time: over 13 hours
• Outbreaks blocked: 291 outbreaks
• Total incremental protection: over 157 days
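The T=0 / T=5 / T=15 rule refinement on the outbreak filter slide, as an added illustration that is not Cisco's rule syntax: a matcher over attachment metadata shows which constructed attachments each rule revision would hold in the outbreak quarantine, and which earlier holds a refined rule releases. The attachment records, field names and sample filenames are constructed assumptions.

```python
"""Outbreak rule refinement over time (added illustration, not Cisco's rule format)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Attachment:
    filename: str   # outer file name as seen in the message
    inner_ext: str  # extension of the file found inside the archive
    size_kb: int


@dataclass(frozen=True)
class OutbreakRule:
    revision: str                   # label such as "T=0"
    outer_ext: str = "zip"
    inner_ext: str = "exe"
    size_kb: Optional[range] = None   # None = any size
    name_keyword: Optional[str] = None

    def matches(self, a: Attachment) -> bool:
        """Every constraint set on the rule must hold; unset constraints match anything."""
        if not a.filename.lower().endswith("." + self.outer_ext):
            return False
        if a.inner_ext.lower() != self.inner_ext:
            return False
        if self.size_kb is not None and a.size_kb not in self.size_kb:
            return False
        if self.name_keyword and self.name_keyword.lower() not in a.filename.lower():
            return False
        return True


# The three revisions shown on the slide (50 to 55 KB inclusive).
RULE_T0 = OutbreakRule("T=0")
RULE_T5 = OutbreakRule("T=5", size_kb=range(50, 56))
RULE_T15 = OutbreakRule("T=15", size_kb=range(50, 56), name_keyword="price")

# Constructed sample traffic.
SAMPLE = [
    Attachment("Price.zip", "exe", 52),          # the outbreak itself
    Attachment("invoice_price.zip", "exe", 54),  # another outbreak sample
    Attachment("installer.zip", "exe", 53),      # legitimate tool, right size, wrong name
    Attachment("backup.zip", "exe", 800),        # legitimate, far outside the size range
    Attachment("report.zip", "pdf", 52),         # zip but no exe inside
]


def quarantined(rule: OutbreakRule, msgs: List[Attachment]) -> List[str]:
    """Filenames the given rule revision would hold in the outbreak quarantine."""
    return [a.filename for a in msgs if rule.matches(a)]


def released_on_refinement(old: OutbreakRule, new: OutbreakRule, msgs: List[Attachment]) -> List[str]:
    """Messages held by the earlier, broader rule that the refined rule no longer matches."""
    held_now = set(quarantined(new, msgs))
    return [f for f in quarantined(old, msgs) if f not in held_now]
```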

Risks for the Organization

Top Risk: Employees. Biggest Impact: Customer Data.

Top Data Loss Types (pie chart):
• 44% Personal client information
• 21% Personnel information
• 12% Information marked Confidential
• Intellectual Property and smaller slices (10%, 8%, 7%, 5%, 4%, 4%, 4%; labels not recoverable)

Data Loss Prevention: Comprehensive, Accurate, Easy

Comprehensive:
• 100+ pre-defined templates
• Regulatory compliance

Accurate:
• Multiple parameters
• Key words, proximity, etc.

Easy:
• One-click activation
• Policy enable/disable

Email Encryption: Instant Deployment, Zero Management Cost

Flow with the Cisco Registered Envelope Service:
1. Gateway encrypts the message
2. Key is stored with the Cisco Registered Envelope Service
3. Message pushed to recipient
4. User opens the secured message in a browser
5. User authenticates and receives the message key
6. Decrypted message is displayed

• Automated key management
• No desktop software requirements
• No new hardware required

Cisco IronPort Email Security Manager: Single view of policies for the entire organization

Categories by Domain, Username, or LDAP:
• IT: Allow all media files; Quarantine executables
• SALES: Mark and deliver spam; Delete executables
• LEGAL: Archive all mail; Virus Outbreak Filters disabled for .doc files

"IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." – PC Magazine

Comprehensive Insight: Unified Business Reporting

Consolidated Reports (Email Volumes, Spam Counters, Policy Violations, Virus Reports, Outgoing Email Data, Reputation Service, System Health View):
• Single view across the organization
• Real time insight into email traffic and security threats
• Multiple data points
• Actionable drill down reports

Visibility Into Email Messages: Message Tracking

• "What happened to the email I sent 2 hours ago?": track individual email messages
• "Who else received similar emails?": forensics to ensure compliance

Email Security Hosted Offerings

Cisco IronPort Hosted Email Security

Choice Maximizes Flexibility: Full Continuum of Deployment Options
• Appliances: award-winning technology
• Hosted: dedicated SaaS infrastructure
• Hybrid Hosted: best of both worlds
• Managed: fully managed on premises

Backed by Service Level Agreements

Cisco IronPort Web Security Overview

Cisco IronPort Web Security Appliance

Malware Threat Distribution

[Chart: malware infections over time; the email vector declines while the web vector rises]

Malware infection vectors are shifting from email to Web

Malware Evades Legacy Defenses

[Chart: traffic volume against number of sites, with a "Big Head" of popular sites and a "Long Tail"]
• Big Head: predictable, easy to classify
• Long Tail: hundreds of millions of sites, thousands of new sites per hour
• URL classification is reactive and has low coverage
• Signatures are reactive and CANNOT keep up

Exploited Websites: An Invisible Threat

Drive-By Scareware

- Full-screen pop-up simulates real AV software and asks you to buy the full version to clean the machine.
- Fakes a scan of the c:\ drive and pretends to find viruses, even on Linux or Mac OS X!

The Limits of Legacy Solutions

• Low performance: not suitable for current usage of the Web
• High latency
• Low security: often only URL filtering
• …or only antivirus and no efficient protection against malware

Next Generation Secure Web Gateway

Before Cisco IronPort: Internet, Firewall, then separate boxes (Web Proxy & Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering, Policy Management), then Users.

After Cisco IronPort: Internet, Firewall, Cisco IronPort WSA, Users.

All web security components in a single integrated platform

Web Security Architecture: Cisco IronPort Web Security Appliance

L4 Traffic Monitor, URL Filters
Proxy / Cache on the Cisco IronPort AsyncOS Web Platform
Web Reputation Filters, Anti-Malware System
Management

High-Performance Web Proxy: Connection Management & Optimized Storage

• Maintain a pool of persistent TCP connections (client and server side)
• Handle extremely high traffic volumes
• Co-related object storage and high-performance caching
• Significantly improved response times

Facts & Figures:
– 100,000 simultaneous duplex TCP connections to easily handle traffic spikes
– Average latency introduced to end user: 5-15 milliseconds

Detecting Existing Client Infections

• Cisco IronPort Layer 4 Traffic Monitor (packet and header inspection, network layer analysis, on the Cisco IronPort S-Series between Users and the Internet)
  • Scans all traffic, all ports, all protocols
  • Detects malware bypassing Port 80
  • Prevents botnet traffic
• Powerful anti-malware data
  • Automatically updated rules
  • Real-time rule generation using "Dynamic Discovery"

Web: Huge, Growing and Transient

[Chart: number of webpages over time]
• 1998: 28 Million webpages
• 2000: 1 Billion webpages
• 2008: 1 Trillion webpages
• Static Web (Traditional Content Publishers): the legacy URL filtering focus
• Dynamic Web (User Generated & Web 2.0 Content); 2005: Web 2.0 tipping point

Source: Multiple, including Cisco SIO, , Wikipedia

The Dark Web Challenge: Legacy URL Filtering Effectiveness is Decreasing

URL lookup in database: www.sportsbook.com/ is returned as Gambling, while other sites (obscene, adult, porn, gambling) come back Uncategorized.

• Legacy URL filtering primarily focuses on URL database crawling and manual review/classification
• Databases add thousands of new URLs per day…while the web adds a billion
• 95% of the web will be uncategorized by 2015

Cisco IronPort Web Usage Controls: Dynamic Categorization for the Dark Web

URL lookup in database: www.sportsbook.com/ is returned as Gambling; www.casinoonthe.net/ comes back Uncategorized, so URL keyword analysis and the Dynamic Content Analysis Engine analyze the site content and categorize it as Gambling.

• Industry-leading URL database efficacy
  • 65 categories
  • Updated every 5 minutes
  • Powered by Cisco SIO
• Dynamic categorization identifies ~90% of Dark Web content in commonly blocked categories

Cisco Security Intelligence Operations (SIO): Unmatched Visibility Drives Unparalleled Efficacy

Cisco IronPort Web Security Appliances on customer premises send uncategorized URLs to Cisco SIO and receive URL categorization back, with updates published every 5 minutes; customer administrators submit categorization requests.

Cisco SIO: Analysis and Processing feeds the Master URL Database, drawing on External Feeds, Crawler Targeting, Crowd Sourcing, Manual Categorization, Web Crawlers, and traffic data from Cisco IronPort Email Security Appliances, Cisco IPS and Cisco ASA sensors.

Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat

Web Reputation Filters scan each object, not just the initial request: a client PC requesting a trusted web site also fetches objects from web servers not affiliated with that site (e.g. ad servers).

• Web pages are made up of objects coming from different sources
• Objects can be images, executables, JavaScript…
• Compromised websites often grab malicious objects from external sources
• Security means looking at each object individually, not just the initial request

Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming

Coverage across Adware, Spyware, Trojans, Worms and Viruses: Webroot + McAfee together give ~35% additional coverage compared with McAfee alone.

• Multiple integrated verdict engines
  • McAfee and Webroot
• Decrypt & scan SSL traffic
  • Selectively, based on category & reputation
• Accelerated signature scanning
  • Parallel scans
  • Stream scanning
• Automated updates

Cisco IronPort DVS Engine: Multi-Layered Malware Defense

• Deep content inspection
• High-performance scanning
  - Parallel scans
  - Stream scanning
• Multiple verdict engines (Webroot, McAfee, Verdict Engine "N")
  - Integrated, on-box
  - Supported engines: Webroot, McAfee
• Policy Management

Usage of Ports 80 & 443 Has Changed

• A lot of applications traversing port 80 are not "web browsing"
• A lot of applications using port 80 are not business-related
• Nearly all companies include Webmail users: malicious attached files?
• Instant Messaging is found in all companies: how do you keep it open while ensuring your network is not at risk?
• Web-based file transfer is growing fast (MegaUpload, Rapidshare…)
• Peer-to-Peer is still used heavily

Web Application Controls: Understanding Web Traffic

• Native control for HTTP, HTTP(S), FTP applications
• Selective decryption of SSL traffic for security and policy
• Policy enforcement for applications tunneled over HTTP: FTP, IM, video
• Application traversal using policy-based HTTP CONNECT

HTTPS Scanning: Selective, Based on Trust

Traffic between Users and the Internet web server passes through the Cisco IronPort WSA, where it is decrypted, inspected and re-encrypted, selectively based on trust, URL category and source.

Cisco IronPort WSA: Complete Data Security

• On-box common sense security
  • Allow, block, log based on file metadata, URL category, user and web reputation
  • Multi-protocol: HTTP(S), FTP, HTTP tunneled
  (Diagram: documents to a partner site are allowed and logged; documents to Internet webmail are blocked)
• Off-box advanced data security
  • Deep content inspection: structured and unstructured data matching
  • Performance optimized: works in tandem with accelerated on-box policies
  (Diagram: documents are passed to a DLP vendor box, which returns a content verdict; the WSA then allows and logs, or blocks)

Cisco IronPort Web Security Manager: Single View of Policies for the Entire Organization

Group by LDAP, Active Directory, Network:
• Marketing: Block FTP; Allow media files; Allow all URL categories
• Sales: Block executables; Block gambling sites; Block all malware
• IT: Allow Skype; Monitor all traffic; Allow executables; Allow all applications; Allow all protocols

Delegated Administration: Flexibility to Support Organizational Requirements

The global administrator defines roles and permissions; policy officers set rules for the users they manage (IT: no media access; SALES: no FTP; LEGAL: no Webmail).

• Assign administrators for groups of users, appliances, subnets, or destinations
• Fine-grained, role-based access control

Comprehensive Reporting

• In-depth threat visibility
  - Web Traffic Overview
  - Layer 4 Traffic Monitor
  - Anti-Malware Category and Threat Details
  - Client Malware Risk & Activity Detail
  - Website Activity and Detail
• Extensive forensic capabilities
  - Investigate acceptable use violations
  - Drill down for further analysis
  - Satisfy compliance requirements
• Detailed off-box analysis (… for IronPort)
  - Offload extensive data crunching
  - Top N and trend reporting for malware
  - Client, Source, Malware Name and Category

Web Security Hosted Offerings

ScanSafe SaaS Web Security is now part of Cisco

The Leading SaaS Web Security Solution

• Pioneer
• Leadership position: 34.5% market share (IDC)
• 30Bn Web requests monthly
• Millions of users
• Customers in 100+ countries
• 100% availability
• 200 million threats blocked monthly
• Award-winning (Security product of the year 2008)

Logos shown: Awards, Customers, Partners