TRANSCRIPT
E-mail Crimeware: An Emerging, Acute Threat
Dave Green
E-mail Security Concerns 2007
HIGHER RISKS
• Targeted Crimeware: How do emerging Trojans, keystroke loggers & malware steal data?
• First-instance Threats: How to protect from first-instance/unknown threats?
• Regulatory compliance: What are the penalties for a data breach?
Targeted Crimeware Defined
• Custom-designed threats may never reach a pattern development lab
• Target specific organizations/industries
• Symantec Threat Report: Threats focused on stealing specific access or data; decline in noisy, widely replicated threats; increase in quieter, stealthier, focused threats¹
¹ Symantec Internet Security Report, Vol. 9, March 2006
Targeted Crimeware – On the rise
Symantec Internet Security Report, Vol. 9, March 2006
• Symantec reports of top 50 threats – 80% attack confidential information
• +26% increase from 2004
• 92% of most threatening malicious code sent by SMTP e-mail
Recent Crimeware Examples
Attachment Blocking – Insufficient Protection
Threat type and the business attachment types that can carry it:
Trojan Horse: .doc, .jpg, .mp3, .wmv
Remote Code Execution: .doc, .xls, .ppt, .wmf, .bmp, .jpg, .gif
Data Mining: .doc, .xls, .pdf
Denial of Service/System Crash: .bmp, .gif, .pdf
1. Business-critical attachments can carry dangerous threats
2. Blocking these attachments halts business
Consequences of security failure
• Security breach has associated costs
• HIPAA, Gramm-Leach-Bliley Act, EU Privacy Act
• Public disclosure of any security breach compromising personal info
• Fines for non-compliance—Corporate and PERSONAL
• California’s Senate Bill 1386; similar laws pending or complete in other states (IL, MA, NY, NJ)
E-mail protection is not the same
HEURISTICS
• An educated guess, not reliable for consistent protection.
BEHAVIOR-BASED
• Desktop emulator solutions ANTICIPATE (not observe) behavior; prone to false positives, difficult to deploy
TRAFFIC ORIGIN
• Targets known bad locations or traffic anomalies; may limit the effect of noisy mass mailers
PATTERN-BASED
• Effective at stopping previously identified threats only; development and deployment of new patterns takes time
BEYOND ‘DAY ZERO’ -- ACTUAL BEHAVIOR OBSERVATION
• Executes attached active content and monitors for any unusual or malicious activity; detects FIRST INSTANCE of threat
Protection beyond ‘day-zero’ technology
• Allow active content messages to execute in a secure virtual machine desktop at the gateway
• Observe actual behavior
• Protect based on demonstrated actions
• Virtual machine protection stops threats based upon actual behavior in a virtual machine
In action – Virtual machine crimeware protection
• Enterprise SMTP deployment configuration
• Virtual Machine Benefits
  Excellent track record of accurately detecting malicious behavior
  Firewall protection stops propagation outside of execution environment
  Real environment entices execution of payload
Comprehensive AV Security
• For previously identified threats, pattern-based protection is an effective layer of protection
  Fast and efficient
  First instance threats can’t be stopped by pattern-comparison
• The COMBINATION of pattern-scanning + actual behavior delivers the most comprehensive e-mail threat protection available.
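To make the layering described on the last two slides concrete, here is an added example (not Avinti's code, and not a description of how iSolation Server works internally): a pattern check on the attachment hash runs first, and only when it misses does a score over the behaviors observed while the attachment ran in the gateway VM decide the verdict. The hash value, behavior weights, threshold and event traces are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed placeholder: hashes a pattern engine already knows to be bad.
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_KNOWN_BAD": "Trojan.ConstructedExample"}

# Constructed weights for behaviors a VM monitor might report after executing
# the attachment. Higher weight = stronger indication of crimeware.
SUSPICIOUS_BEHAVIORS = {
    "process_spawn": 3,        # document handler launching another executable
    "registry_autorun": 4,     # persistence attempt
    "outbound_connection": 4,  # data theft or propagation attempt
    "file_write_system": 2,    # writing into system directories
    "keystroke_hook": 5,       # keystroke-logger installation
}
THRESHOLD = 5  # constructed: score at or above this is treated as malicious


@dataclass
class Verdict:
    malicious: bool
    layer: str                 # "pattern", "behavior" or "none"
    reasons: list = field(default_factory=list)


def pattern_scan(sha256: str):
    """Layer 1: fast lookup against previously identified threats."""
    return KNOWN_BAD_HASHES.get(sha256)


def behavior_score(events):
    """Layer 2: weigh what the attachment actually did in the VM."""
    score, reasons = 0, []
    for ev in events:
        weight = SUSPICIOUS_BEHAVIORS.get(ev["type"], 0)
        if weight:
            score += weight
            reasons.append(f"{ev['type']}: {ev['detail']}")
    return score, reasons


def classify(sha256: str, events) -> Verdict:
    """Pattern match first; fall back to observed behavior for first-instance threats."""
    name = pattern_scan(sha256)
    if name:
        return Verdict(True, "pattern", [f"matched signature {name}"])
    score, reasons = behavior_score(events)
    return Verdict(score >= THRESHOLD, "behavior" if score >= THRESHOLD else "none", reasons)


# Constructed sample traces as a VM monitor might emit them.
BENIGN_TRACE = [{"type": "file_open", "detail": "quarterly.doc"},
                {"type": "file_write_user", "detail": "Documents/quarterly.doc"}]
FIRST_INSTANCE_TRACE = [{"type": "file_open", "detail": "invoice.doc"},
                        {"type": "process_spawn", "detail": "winword.exe -> svchst.exe"},
                        {"type": "outbound_connection", "detail": "tcp 203.0.113.7:8080"}]
```

With an unknown hash, FIRST_INSTANCE_TRACE is caught only by the behavior layer, which is the case pattern-comparison alone cannot stop.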
Thank you for your time
Avinti, iSolation Server and E-mail Attachments—Tested and Safe are trademarks of Avinti, Inc. All other company and product names may be trademarks or registered trademarks of their respective companies.