Cisco's New Strategy Against Spam, Viruses And Spyware

Transcription

CISCO EXPO Croatia 2008
CISCO'S NEW STRATEGY AGAINST SPAM, VIRUSES AND SPYWARE
IronPort Messaging Security
Mirko Schneider, Territory Manager Eastern Europe & Russia
IronPort - A CISCO Systems Business Unit

The Power of SenderBase
First, Biggest, Best Reputation System
Global Email and Web Traffic Monitoring
- Over 100,000 contributing networks
- Over 20M IP addresses tracked globally
- View into over 25% of email traffic
- Over 150 parameters tracked

Leading Edge Technology
Reputation Filtering Sets off Industry Scramble
- February 16, 2003: IronPort SenderBase
- July 21, 2003: IronPort Reputation Filters
- June 4, 2004: CipherTrust TrustedSource
- June 28, 2004: Symantec Brightmail Reputation Service
- November 9, 2004: Proofpoint MLX Dynamic Reputation
- May 23, 2005: Tumbleweed Recurrent Pattern Detection
- June 14, 2005: Trend Micro Acquires Kelkea Reputation Product

Who is IronPort?
- A Cisco Business Unit since mid-2007
- Market growth rate 50%
- IronPort growth rate 100%
- Revenue 2007: 250m USD
- Founded in 2000 by email pioneers from Hotmail, ListBot, Yahoo
- Idea: building the fastest and strongest gateway appliance
- HQ in California, Silicon Valley
- Worldwide 500 employees

IronPort – A CISCO Business Unit
- Largest security acquisition
- 5th largest acquisition ever
- Market consolidation:
  - SurfControl - Websense: 400m
  - Postini - Google: 625m
  - CipherTrust - Secure Computing: 273m
  - Brightmail - Symantec: 370m

The Principles of Industry Leadership
Analyst Leadership
- Gartner's Magic Quadrants 2006: Leader
- IDC July 2007: market share leader
- Radicati Market Quadrants 2007: Leader
Customer Leadership
- 52 of the World's Largest 100 Companies
- 20% of Global 2000
- 12 of the 15 largest ISPs
Success in Croatia
- Austria d.d. Zagreb

IronPort Gateway Security Products
APPLICATION-SPECIFIC SECURITY GATEWAYS
- BLOCK Incoming Threats
- PROTECT Corporate Assets: Data Leakage Prevention, Encryption
- CENTRALIZE Administration
- Web Security, Email Security, Security Management, Encryption
[Diagram labels: Internet, Clients, IronPort SenderBase, EMAIL Security Appliance, WEB Security Appliance, Security MANAGEMENT Appliance, ENCRYPTION Appliance]

The IronPort SenderBase Network
Global Reach Yields Benchmark Accuracy
Combines Email & Web Traffic Analysis
- 30B queries daily
- 150 Email and Web parameters
- 25% of the World's Traffic
- Malware is a key distribution vector for Spam zombie infections
- Email is a key distribution vector for Web-based malware
- 80% of spam contains URLs
- View into both email & Web traffic dramatically improves detection
[Diagram labels: IronPort SenderBase, IronPort EMAIL Security Appliances, IronPort WEB Security Appliances, Cisco Network Devices]

IronPort C-Series Appliance
The Leader in Email Security

IronPort Consolidates the Network Perimeter
For Security, Reliability and Lower Maintenance
[Diagram, Before IronPort: Internet, Firewall, Encryption Platform, MTA, Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, DLP Scanner, DLP Policy Manager, Groupware, Users]
[Diagram, After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users]

IronPort Architecture for Multi-Layered Email Security
THE IRONPORT ASYNCOS EMAIL PLATFORM
- SPAM DEFENSE
- VIRUS DEFENSE
- DATA LOSS PREVENTION
- EMAIL ENCRYPTION & AUTHENTICATION
- MANAGEMENT TOOLS

Multi-layer Spam Defense
Best of Breed
SPAM DEFENSE
- IronPort Reputation Filters – the outer layer defense
- IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud
[Diagram: THE IRONPORT ASYNCOS EMAIL PLATFORM with layers SPAM DEFENSE, VIRUS DEFENSE, DATA LOSS PREVENTION, EMAIL ENCRYPTION & AUTHENTICATION, MANAGEMENT TOOLS]

Spam Volumes
2005 - 2008 Reality & Projections
[Chart: Avg Daily Volume (billions), scale 0 to 180, by date from Oct-05 to Dec-08]
- Dec 05 – Dec 06: 100% year-over-year increase, 38B additional messages
- Dec 06 – Dec 07: 58% year-over-year increase: 44B additional messages

Spam is changing rapidly
- PDF, Excel, MP3

Multi-Layered Security
Defense in Depth
Preventive Layer
- Coarse Outer Layer
- Extremely High Performance
- Blocks or Rate Limits
- Blocks 80% of spam
Reactive Layer
- Fine-grained Inner Layer
- Computationally Intensive
- Adapts Over Time
- Delete or Quarantine
- Immediate Reaction to Threats

IronPort SenderBase Network
The Dominant Force in Global Email and Web Traffic Monitoring
Global Reach Yields Benchmark Accuracy
Results in Accuracy and Advanced Protection
- 5B queries daily
- 150 Email and Web parameters
- 25% of the World's Email Traffic
[Chart: Network Reach (Contributing Networks) for BorderWare, CipherTrust and IronPort; values shown: 4,000, 8,000, 120,000]
[Chart: Spam Caught by Reputation for BorderWare (40%), CipherTrust and IronPort; other values shown: 50%, 80%]
[Chart: Virus Protection Lead, IronPort vs. McAfee, Trend, Symantec, Sophos, CA, F-Secure: 13 hours*]
* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.
Source: www.ciphertrust.com and www.borderware.com, August 6, 2006

IronPort SenderBase Reputation
150 parameters for each IP
SenderBase Reputation Score: -10 to 10
www.senderbase.org
Data categories shown in the diagram:
- Complaint Reports
- Spam Traps
- IP Blacklists & Whitelists
- Compromised Host Lists
- Domain Blacklists & Safelists
- Global Volume Data
- Message Composition Data
- Web site Composition Data
- Other Data
Details shown next to the categories:
- Over 100,000 organizations, email traffic, web traffic
- SpamCop, ISPs, customer contributions
- Spam, phishing, virus reports
- SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
- SORBS, OPM, DSBL
- Spamvertized URLs, phishing URLs, spyware sites
- Message size, attachment volume, attachment types, URLs, host names
- Downloaded files, linking URLs, threat heuristics
- Fortune 1000, length of sending history, location, where the domain is hosted, how long has it been registered, how long has the site been up

IronPort Reputation Filters Stop 80% of Hostile Mail at the Door
Good, Bad, and "Grey" or Unknown Email
Sophisticated response to sophisticated threats
- Reputation Filters is a switch point
- IronPort uses identity & reputation to apply policy
[Diagram: Incoming Mail, Reputation Filtering (preventive), Anti-Spam Engine (reactive)]
- Known good is delivered
- Suspicious is rate limited & spam filtered
- Known bad is deleted/tagged

IronPort Reputation Filters
Dell Case Study
Dell's challenge:
– Dell currently receives 26M messages per day
– Only 1.5M are legitimate messages
– 68 existing gateways running Spam Assassin were not accurate
IronPort solution:
– Reputation Filters block over 19M messages per day
– 5.5M messages per day scanned by anti-spam engine
– Replaced 68 servers with 8 IronPort C60s
Results:
- Accuracy of spam filtering increased 10x
- Servers consolidated by 70%
- Operating costs reduced by 75%
"IronPort has increased the quality and reliability of our network operations, while reducing our costs."
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION

Self Defending Network 3.0
Extending Technology Leadership
Staying Ahead Requires Higher Investment in Technical Resources
- Wide Traffic Inspection: Firewalls, routers, email appliances, web appliances, end point security agents
- sharing data across multiple protocols, across multiple network egress points, and across multiple networks world wide
[Chart: Accuracy (%), up to 100%, against Technical Resources ( )]

Multi-Layered Security
Defense in Depth
Preventive Layer
- Coarse Outer Layer
- Extremely High Performance
- Blocks or Rate Limits
Reactive Layer
- Fine-grained Inner Layer
- Computationally Intensive
- Adapts Over Time
- Delete or Quarantine
- Immediate Reaction to Threats

IronPort AntiSpam Broadens the Context with Web Reputation
- Content filtering techniques alone are inadequate
- Email reputation systems improved protection
- Combating new attacks demands Web reputation
The four questions:
- What? Message Content: What content is included in this message?
- How? Message Structure: How was this message constructed?
- Who? Email Reputation: Who is sending you this message?
- Where? Web Reputation: Where does the call to action take you?
[Chart: Effectiveness over Time, with a TODAY marker]

URL
No attachment - Payload delivered via web

IronPort SenderBase Network
First, Biggest, Best Reputation System
Global Email and Web Traffic Monitoring
- Over 100,000 contributing networks
- Over 20M IP addresses tracked globally
- View into over 25% of email traffic
- Over 150 parameters tracked

Web Reputation
Data Makes the Difference
THREAT PREVENTION IN REALTIME
SenderBase Data -> Data Analysis/Security Modeling -> Web Reputation Scores (WBRS), -10 to 10
Parameters:
- URL Blacklists
- URL Whitelists
- URL Categorization Data
- HTML Content Data
- URL Behavior
- Global Volume Data
- Domain Registrar Information
- Dynamic IP Addresses
- Compromised Host Lists
- Web Crawler Data
- Network Owners
- Known Threats URLs
- Offline data (F500, G2000)
- Web Site History

IronPort Anti-Spam
Press Reviews
Anti-Spam Bake-Off Winner, Dec 2006
Competitors tested: CipherTrust, Borderware, Sophos, SonicWall
- "(IronPort) is the absolute must from this test"
- "We did not have to rescue a single legitimate message"
- "The superiority of IronPort . . . seems abundantly clear"
2007 Technology of the Year: Best Anti-Spam, Jan 2007
Competitors tested: Symantec, Microsoft, Mirapoint, ProofPoint
- "the fewest false positives of any solution tested"
- "no tuning necessary"
- "excellent spam filtering"
- "easy setup"

Multi-layer Virus Defense
Best of Breed
VIRUS DEFENSE
- IronPort Virus Outbreak Filters stop outbreaks 13 hours ahead of signatures
- Sophos Anti-Virus signature based solution with industry leading accuracy
[Diagram: THE IRONPORT ASYNCOS EMAIL PLATFORM with layers SPAM DEFENSE, VIRUS DEFENSE, POLICY ENFORCEMENT, EMAIL AUTHENTICATION, MANAGEMENT TOOLS]

IronPort Virus Outbreak Filters
First Line of Defense
Early Protection with IronPort Virus Outbreak Filters

Traditional AV Solutions Aren't Responding Quickly Enough . . .
[Four charts of Virus Volume over Time (GMT), each marking "First AV Signature Available": Kukudro-A: 6-27-06, FeebsDI-Q: 6-07-06, Bagle-GT: 4-21-06, Mytob-HJ: 4-19-06]
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

IronPort SenderBase Network
First, Biggest, Best Reputation System
Global Email and Web Traffic Monitoring
What is going on RIGHT NOW?
- Over 100,000 contributing networks
- Over 20M IP addresses tracked globally
- View into over 25% of email traffic
- Over 150 parameters tracked

Introducing Virus Outbreak
[Four charts of Virus Volume over Time (GMT), each marking "VOF Protection Starts" and "First AV Signature Available"]
- Kukudro-A: 3 hrs 38 mins Lead Time!
- Bagle-GT: 18 hrs 28 mins Lead Time!
- FeebsDI-Q: 21 hrs 59 mins Lead Time!
- Mytob-HJ: 32 hrs 57 mins Lead Time!
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Virus Outbreak Filters Advantage
- Average lead time*: over 13 hours
- Major outbreaks blocked*: 175 outbreaks
- Total incremental protection*: over 94 days
[Table: columns Virus Name, Date, Virus Description, Lead Time (hh:mm); cell values listed by column]
Virus Name: Troj/Dloadr-BCK; PWS-AU; Troj Agent.JAW
Date: 7/24/07
Virus Description:
- Installs spyware on infected PCs.
- Widely-spammed out email teaser promising a trailer of the film "Pirates of the Caribbean 3". Downloads spyware onto infected computers.
- Trojan that attempts to download malicious code.
- Spammed email that asks recipients to open spyware attachments entitled "document.txt.exe" and "video.zip".
- Installs backdoor and communicates via HTTP, thus bypassing firewall filters.
- Mass mailing worm that sends emails with the subject: "Chinese test missile obliterates satellite!". Asks users to open spyware infected file.
- Spammed email message that contains PDF attachment. Once attachment is opened, backdoor is installed for remote hackers to access the w
Lead Time (hh:mm): 20:08, 6:51, 17:31, 31:12, 10:40, 3:20, 10:06
* June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, McAfee, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

IronPort Outbreak Filters Protect G2000 Company From MyDoom.BB
MyDoom Variant—MyDoom.BB (February 15, 2005)
G2000 Company Protected By IronPort's Virus Outbreak Filters
[Timeline chart, February 15, 2005 to February 16]
- IronPort Threat Level Raised to 3 And Protection Starts: 18:08 GMT
- First Anti-virus Signature Published: 22:54 GMT (Next Day)
- 28 hours 46 minutes
- February 16, 503 files quarantined
- 65K saved @ 200/desktop, 5% infected
Note: All times shown are in GMT

IronPort Policy Enforcement
Inbound/Outbound Content Filtering for Compliance
- Flexible Policy Engine from Blocking Attachments to Enforcing Regulatory Compliance
- Compliance Solutions and Encryption keep communications private and secure
[Diagram: THE IRONPORT ASYNCOS EMAIL PLATFORM with layers SPAM DEFENSE, VIRUS DEFENSE, DATA LOSS PREVENTION, EMAIL ENCRYPTION & AUTHENTICATION, MANAGEMENT TOOLS]

Email Encryption & Authentication
Superior Security and Identity Protection
- DomainKey Signing - establishes and protects your identity on the Internet
- IronPort Bounce Verification – protects from misdirected bounce attacks
- Directory Harvest Attack Prevention – blocks attempts to steal email directory information
[Diagram: THE IRONPORT ASYNCOS EMAIL PLATFORM with layers SPAM DEFENSE, VIRUS DEFENSE, DATA LOSS PREVENTION, EMAIL ENCRYPTION & AUTHENTICATION, MANAGEMENT TOOLS]

Leader in Email Encryption!
Magic Quadrant for E-Mail Encryption Boundary 2007
Source: Gartner RAS Core Research
You need that competitive analysis? Mail me at mschneider@ironport.com!

IronPort S-Series Appliance
The Challenger in Web Security

IronPort Web Security Appliance
Next Generation Web Security Platform
IronPort S-Series
- Control & secure Web traffic
- Comprehensive management & visibility
- Industry-leading accuracy against Web based threats
- Carrier-class performance

Web Traffic: Clear & Present Risks
The Circle of Risk
- Over 75% of all Enterprises are infected with Spyware & Malware
- 35-40% of Web usage is non-business related (IDC Research)
- Malware threats & AUP violations result in compliance & legal exposure

Web Traffic
The Long Tail Gets Longer
"Big Head Long Tail"
- 110 Million sites
- 10-12 Billion Web Pages
- Growing at 35-40% annually
- Big Head: Predictable traffic, well known domains
- Long Tail: Growing fast, harbors suspect content & malware
[Chart: Traffic Volume against # of Sites]

IronPort S-Series
Addressing the Entire Spectrum of Web Traffic
IronPort Web Security Appliance
- Solution: URL Filtering
- Solution: Web Reputation Filters
- Protects against known & unknown sites
- Signature-based Anti-Malware Defense: Best of breed signature scanning
[Chart: Traffic Volume against # of Sites, with Big Head and Long Tail regions]

Current Systems Not Designed for Today's Problems
"Not the right tool for the job."
- Limited visibility to security threats
- High latency / throughput
- Low accuracy

IronPort SenderBase Network
Largest Email & Web Traffic Monitoring Network
- Largest: over 25% of traffic from 120,000 sources
- Broadest: 150 cross-protocol parameters
- Best: Two year "head start" vs. alternative systems

Integrated L4 Traffic Monitor
Wire Speed Network Layer Scanning for Malware
- Scans all 65,535 ports at wire speed
- Detects rogue phone home activity
- Catches malware that attempts to bypass Port
[Diagram labels: Users, Internet, AsyncOS for Web, L4 Traffic Monitor, Network Layer Analysis, Packets & TCP Headers, 1001100111001000000011010011001110010000]

Web Reputation Filters
Data Makes the Difference
THREAT PREVENTION IN REALTIME
SenderBase Data -> Data Analysis/Security Modeling -> Web Reputation Scores (WBRS), -10 to 10
Parameters:
- URL Blacklists
- URL Whitelists
- URL Categorization Data
- HTML Content Data
- URL Behavior
- Global Volume Data
- Domain Registrar Information
- Dynamic IP Addresses
- Compromised Host Lists
- Web Crawler Data
- Network Owners
- Known Threats URLs
- Offline data (F500, G2000)
- Web Site History

Dynamic Application of Policies
- IronPort Web Reputation Filters is a powerful first layer of defense
- IronPort Anti-Malware System provides a sophisticated second layer of defense
Requested URLs:
- Known good sites aren't scanned
- Unknown sites are scanned
- Known bad sites are blocked
[Diagram labels: IRONPORT, WEB, ANTI-MALWARE, SYSTEM]

IronPort AsyncOS
The Platform

IronPort AsyncOS
Unmatched Scalability and Security
- AsyncOS scalable and secure OS optimized for messaging
- Advanced Email Controls protect reputation and downstream systems
- Standards-based Integration replaces legacy systems with ease
[Diagram: THE IRONPORT ASYNCOS EMAIL PLATFORM with layers SPAM DEFENSE, VIRUS DEFENSE, DATA LOSS PREVENTION, EMAIL ENCRYPTION & AUTHENTICATION, MANAGEMENT TOOLS]

Scalable and Extensible Platform
Meeting Security Needs – Today and Tomorrow
[Chart over 2004, 2007, 2010]
- Average volume and size of messages
- Computational power required for accurate scanning
- Number of functions that must be supported

IronPort AsyncOS
Revolutionary Email Delivery Platform
Traditional Email Gateways And Other
- Low Performance/Peak Delivery Issue
- Concurrent Connections 200
- Single Queue for all destinations
- Queue backup delays all email
- Disk I/O Bottlenecks
- Unable To Leverage Full Capability Components
IronPort Email Security Appliances
- High Performance/Sure Delivery
- ions 10.000
- Fault-Tolerance and Custom Control
- Limited Solely By CPU Capacity

IronPort Email Security Manager
Single view of policies for the entire organization
Categories: by Domain, Username, or LDAP
Groups shown: IT, SALES, LEGAL
Policies shown:
- Allow all media files
- Quarantine executables
- Mark and Deliver Spam
- Delete Executables
- Archive all mail
- Virus Outbreak Filters disabled for .doc files
"Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." -- PC Magazine 2/22/05

IronPort Centralized Management
- Log in anywhere, control everywhere
- Interface assures configuration consistency
- Apply changes to a machine, group, or cluster
- Test on single system, "promote" to cluster
IRONPORT CLUSTER
- Zagreb Group: SJ1 Machine, SJ2 Machine, SJ3 Machine
- Dubrovnik Group: D1 Machine, D2 Machine, D3 Machine
- Rijeka Group: T1 Machine, T2 Machine, T3 Machine

IronPort M-Series
Security Management Appliances
- Centralized, self-managing quarantine appliance
- Provides complete end user self-service, drives down administrator load
- Centralized Reporting and Message Tracking Console

Sounds good? Test it!
Free evaluation for 30 days
– can be extended on request
– starts with activation of keys on unit
– full support, full functionality any size and any way
– different ways of testing (live/stealth, parallel, offline)
– you get the right units for your needs
About 85% of users who evaluate become happy customers!

Get In Contact
IronPort, A Cisco Business Unit

Mirko Schneider
Territory Manager Eastern Europe & Russia
Mobile: 49 172 83 96 04 7
mschneider@ironport.com

Hrvoje Dogan
Systems Engineer Eastern Europe & Russia
Mobile: 385 917655625
hdogan@ironport.com

Distributor: MACK IT
www.mack.hr
- partner contacts, evaluation equipment, technical specialists
