Corero adds reputation-based detection to fight the awful numbers on the Internet

By | July 17, 2012

Posted in: Network Security Trends

The numbers on the Internet are awful: There are so many hijacked zombie computers, so many malicious and compromised websites serving malware and so many malware variations. Security companies have had to go beyond their existing models of detecting attacks and leverage their global intelligence about what sources are currently serving up mischief. This is what security folks refer to as reputation-based detection, and it’s the basis for Corero Network Security’s new ReputationWatch service.

How awful are the numbers? 95,080,549 URLs serving malware in Q1 2012, up 61% over Q4 2011, according to Kaspersky’s Securelist. Google reports an average of 9,500 new malware-serving URLs per day. And 270,000 new zombies (hijacked PCs) are created daily to feed botnets, according to a report by Commtouch.

Enterprises can’t keep up.

Once upon a time, perhaps, they could. But gathering data about dangerous IP addresses and manually configuring your security devices to shun them is spitting into the wind.

Reputation is not a new notion. Email security vendors, faced with the sophistication and sheer numbers of spam, were the first to come up with the idea. Web security vendors and desktop AV companies followed. Reputation does not solve the security problem by itself, but complements the other technologies employed: signatures, behavioral analysis, protocol validation, anomaly detection, etc.

The value in reputation-based detection depends on several factors: How comprehensive is the information? How is the intelligence collected translated into preventive action? How current is the data?

That last point is pretty crucial, because many malicious websites are legitimate sites that have been compromised (61% according to Symantec), dropping malware on visitors who assume they are safe because the site carries a brand name. The site owners will discover the problem, and, one hopes, remove the source of infection. Zombies or bots are created, discovered and remediated. The last thing a business wants is a tool that shuns legitimate traffic from good websites or turns away customers.

So, in a nutshell, the solution has to be comprehensive, fast, automated and up-to-date.

ReputationWatch continuously assesses data on the Internet about malicious IP addresses, determines which are currently “bad,” and feeds the information to Corero DDoS Defense System (DDS) and Next Generation IPS (NGIPS) customers. The devices are automatically configured to block bad addresses based on the latest information. Websites and IP addresses that are restored to good standing are removed from the shun list.

The other piece of the service is enforcing security policy based on geolocation of IP addresses. This is a little more straightforward. The idea is that you can exclude or set rate limits on traffic from entire nations if you don’t do business with them. So, for example, I was speaking with a small business that only has regional customers in the U.S. They could certainly ban all traffic from Ukraine, Afghanistan, Sudan and Uzbekistan.

If there are exceptions, you simply set the IP addresses to allow. One service provider, for example, banned all traffic from Afghanistan, then discovered it had one customer, a U.S. contractor doing business in that country. As with reputation, it’s important to be current, as new IP addresses are created.
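The policy logic described in the last two sections, as an added illustration that is not Corero's code: a shun list whose entries fall off unless the feed keeps re-reporting them, country-level block and rate-limit rules, and explicit allow entries that take precedence over both. The feed, geolocation table and addresses are constructed sample data, not real indicators.

```python
import ipaddress

# Constructed sample reputation feed: IP -> unix time it was last reported as malicious.
# In a real deployment this is refreshed continuously from the intelligence service.
NOW = 1_700_000_000
REPUTATION_FEED = {
    "203.0.113.7": NOW - 600,           # reported 10 minutes ago: still bad
    "198.51.100.23": NOW - 7 * 86400,   # reported a week ago and never again: presumed cleaned up
}

# Constructed toy geolocation table: network -> ISO country code (real systems use a GeoIP database).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/25"): "UA",
    ipaddress.ip_network("198.51.100.128/25"): "SD",
    ipaddress.ip_network("192.0.2.0/24"): "AF",
}

# Hypothetical policy for a business with only U.S. customers.
POLICY = {
    "max_age": 86400,                                  # drop feed entries not refreshed within a day
    "blocked_countries": {"UA", "AF"},
    "rate_limited_countries": {"SD": 50},              # country -> requests/sec cap
    "allow": [ipaddress.ip_network("192.0.2.45/32")],  # the one known customer inside a blocked country
}

def prune_stale(feed, now, max_age):
    """Keep only entries refreshed within max_age seconds; the rest fall off the shun list."""
    return {ip: ts for ip, ts in feed.items() if now - ts <= max_age}

def lookup_country(ip, geo_table):
    """First-match lookup of the country code for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in geo_table.items():
        if addr in net:
            return cc
    return None

def evaluate(ip, now=NOW, feed=REPUTATION_FEED, geo_table=GEO_TABLE, policy=POLICY):
    """Decide what the device should do with a connection from ip."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in policy["allow"]):      # explicit exceptions win
        return "allow"
    if ip in prune_stale(feed, now, policy["max_age"]):  # current reputation shun list
        return "block:reputation"
    cc = lookup_country(ip, geo_table)
    if cc in policy["blocked_countries"]:
        return "block:geo"
    if cc in policy["rate_limited_countries"]:
        return f"ratelimit:{policy['rate_limited_countries'][cc]}"
    return "allow"
```

Note that the week-old feed entry no longer blocks on its own; only the geolocation rule still catches it, which is the behaviour a current shun list should have.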
