E-mail Crimeware: An Emerging, Acute Threat Dave Green <Date>

Post on 03-Jan-2016


Page 1: E-mail Crimeware: An Emerging, Acute Threat Dave Green

E-mail Crimeware: An Emerging, Acute Threat

Dave Green <Date>

Page 2: E-mail Crimeware: An Emerging, Acute Threat Dave Green

E-mail Security Concerns 2007

• HIGHER RISKS

• Targeted Crimeware
  - How do emerging Trojans, keystroke loggers & malware steal data?

• First-instance Threats
  - How to protect from first-instance/unknown threats?

• Regulatory compliance
  - What are the penalties for a data breach?

Page 3: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Targeted Crimeware Defined

• Custom-designed threats may never reach a pattern development lab
  - Target specific organizations/industries
  - Symantec Threat Report:
    - Threats focused on stealing specific access or data
    - Decline in noisy, widely replicated threats
    - Increase in quieter, stealthier, focused threats [1]

[1] Symantec Internet Security Report, Vol. 9, March 2006

Page 4: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Targeted Crimeware – On the rise

Symantec Internet Security Report, Vol. 9, March 2006

• Symantec reports of top 50 threats – 80% attack confidential information

• +26% increase from 2004

• 92% of most threatening malicious code sent by SMTP e-mail

Page 5: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Recent Crimeware Examples

Page 6: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Attachment Blocking – Insufficient Protection

[Diagram: threat categories (Trojan Horse, Remote Code Execution, Data Mining, Denial of Service/System Crash) shown against the attachment types that can carry them: .doc, .xls, .ppt, .pdf, .jpg, .gif, .bmp, .wmf, .mp3, .wmv]

1. Business-critical attachments can carry dangerous threats

2. Blocking these attachments halts business

Page 7: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Consequences of security failure

• Security breach has associated costs
  - HIPAA, Gramm-Leach-Bliley Act, EU Privacy Act
  - Public disclosure of any security breach compromising personal info
  - Fines for non-compliance—Corporate and PERSONAL
  - California’s Senate Bill 1386
  - Similar laws pending or complete in other states (IL, MA, NY, NJ)

Page 8: E-mail Crimeware: An Emerging, Acute Threat Dave Green

E-mail protection is not the same

HEURISTICS

• An educated guess, not reliable for consistent protection.

BEHAVIOR-BASED

• Desktop emulator solutions ANTICIPATE (not observe) behavior, prone to false positives, difficult to deploy

TRAFFIC ORIGIN

• Targets known bad locations or traffic anomalies, may limit the effect of noisy mass mailers

PATTERN-BASED

• Effective at stopping previously identified threats only, development and deployment of new patterns takes time

BEYOND ‘DAY ZERO’--ACTUAL BEHAVIOR OBSERVATION

• Executes attached active content, and monitors for any unusual or malicious activity, detects FIRST INSTANCE of threat

Page 9: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Protection beyond ‘day-zero’ technology

• Allow active content messages to execute in a secure virtual machine desktop at the gateway

• Observe actual behavior

• Protect based on demonstrated actions

• Virtual machine protection stops threats based upon actual behavior in a virtual machine

Page 10: E-mail Crimeware: An Emerging, Acute Threat Dave Green

In action – Virtual machine crimeware protection

• Enterprise SMTP deployment configuration

Excellent track record of accurately detecting malicious behavior

Firewall protection stops propagation outside of execution environment

Real environment entices execution of payload

• Virtual Machine Benefits

Page 11: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Comprehensive AV Security

• For previously identified threats, pattern-based protection is an effective layer of protection
  - Fast and efficient
  - First instance threats can’t be stopped by pattern-comparison

The COMBINATION of pattern-scanning + actual behavior delivers the most comprehensive e-mail threat protection available.

Page 12: E-mail Crimeware: An Emerging, Acute Threat Dave Green

Thank you for your time

Avinti, iSolation Server and E-mail Attachments—Tested and Safe are trademarks of Avinti, Inc. All other company and product names may be trademarks or registered trademarks of their respective companies.