Going Beyond Blocking an Attack
Websense® TRITON™ Version 7.7
Executive Summary
Introduction
We recently announced several new advanced malware and data theft protection capabilities in version 7.7 of the Websense® TRITON™ solution. This document provides a high-level overview of these new developments and describes why Websense justifies its claim of “No One Stops More Threats.”
An Industry First
Context is everything in security.
It doesn’t matter how good your defenses are. A determined hacker will inevitably get in. Why? Because humans are curious and fallible. Your employees will click that link. Websense believes that understanding the context of what’s leaving your network is just as important as understanding what’s coming in.
That’s why Websense takes an entirely different approach to security that’s unique to our industry.
Figure 1: Detailed forensics of a security incident is only possible with contextual knowledge. This step-by-step malware analysis is important for risk and forensic teams to understand how they are being attacked, along with who, what and where attacks are destined.
[Figure 1 panels: Information leaving the network; Who was involved?; Where was the information going?; How important was the information?; Who owns the information?; How serious was the incident?]
When Websense stops a security incident we don’t just tell you that we blocked something. We tell you what the information is, who it belongs to, how important it is to your organization — and where it almost went.
Websense can do this because we understand the context of information flowing around your network. Armed with that contextual understanding, we can provide a higher degree of security than would be possible with conventional security methods alone (e.g., anti-virus, next generation firewalls, and IPS).
Modern security for a social, mobile and cloud-oriented world comes down to a very simple premise: 100 percent classification of what enters and what leaves the network. Websense doesn’t claim to have achieved this in all that we do. However, we do claim to be a lot closer to that goal than any other competing security technology that you are likely to buy.
Much like the hackers that try to penetrate your network, we buy alternative products on the market and benchmark our security solutions against them. Here are the test results we found against a database of over 6,700 malicious URLs:
Figure 2: How competing security technologies stack up against Websense
We understand that some readers of this document may wish to reserve judgment on the fairness of our own internal tests. Later this year we will publish the results of independent security benchmarking of Websense TRITON against competing solutions. However, because we find that many senior information security professionals want to see test results performed against their own network infrastructure, our systems engineers are available to repeat these tests in your network.
[Figure 2 chart data, as listed in the source: bar values 22.50%, 25.40%, 31.00%, 34%, 45.60%, 52.70%, 94.50%; bar labels Leading network infrastructure vendor, Unified threat management (UTM) vendor, SaaS web filtering vendor, NG Firewall vendor with apps scanning, Endpoint security vendor with RTTS, Proxy/URL filtering vendor with AV, Websense TRITON; axis: Modern Malware Blocking Capability, 0% to 100%]
Setting A New Standard
Going beyond the secret sauce.
There are more exciting developments packed into the latest release of Websense TRITON than we can fully describe here. Websense has redefined the web security gateway with the addition of advanced threat and data theft defenses. These include a forensic reporting dashboard, detailed incident analysis and data theft capture.
Below are our top five latest security breakthroughs:
Ten advanced threat and data theft defenses. Our security engine now has multiple industry firsts, including: detecting criminal encrypted uploads, password file theft, advanced malware payloads and command-and-control, and potentially exploited documents.
Of the ten new defenses, four stop data theft and loss: drip (behavioral) DLP detection; optical character recognition (OCR) of text within images for data-in-motion; geo-location awareness; and an advanced machine learning capability designed for large amounts of confidential data where data discovery is not feasible. These defenses leverage the award-winning, embedded enterprise DLP engine unique to the Websense TRITON architecture.
Websense TRITON advanced malware threat dashboard. This new dashboard profiles security incidents, provides in-depth forensics, and data theft capture. With severity levels and the ability to export incidents to SIEM solutions, Websense users know who was attacked, how the attacks function, where those communications were being sent and most importantly, what data was targeted.
Our intelligence is advanced. Websense CyberSecurity Intelligence™ (CSI) provides the fastest second opinion in security. Get access to our most powerful threat analysis tools, including Websense ThreatScope™, an online sandbox for safely analyzing malware. CSI is like having a Websense Security Labs™ researcher on your staff.
Point-of-click email URL sandboxing. 92 percent of unwanted emails contain links, often directing users to malicious web pages. Cyber criminals frequently target specific users with spear-phishing email attacks. Many of these attacks load malware and threats onto websites after they have passed initial email gateway security inspection. The unique Websense email URL sandboxing capability identifies suspicious links in emails for real-time analysis. When email recipients click on an embedded URL, Websense analyzes the website content and browser code in real time, in a cloud environment, to ensure safety in any location at any time.
IPv6 web gateway support and federal certification. Websense solutions meet IPv6 standards and support two-factor authentication. In addition, Websense is committed to providing the federal space with the strongest security possible. Our products and platforms meet demanding compliance standards for federal security requirements, including: EAL 2+ Common Criteria certification; HSPD #12 support; the full Department of Defense/Army STIG Security Testing Integration Guide; 800.53a mapping; and ISO 27001. FIPS 140-2 certification is also being updated for the newest edition of the gateway.
Putting these developments in context.
It is almost inevitable that malware will get into your network no matter what defenses exist (and most companies have little more than anti-virus and firewall technologies). The first thing a piece of malware will do once it penetrates your network is establish command-and-control channels to call back “home”.
Websense has more advanced technology for identifying sophisticated command-and-control channels than any other company. When malware attempts the exfiltration of your most valuable assets, we are able to understand the data, decrypt it if necessary (or understand the context of data we can’t decrypt), identify criminal encryption, and give you all the information you need to assess the risk to your business. For example, we can distinguish between a determined hacker who attempts to steal confidential information and an employee who is banking online — two forms of communication that many other security technologies find indistinguishable.
Data thieves employ many strategies to avoid detection. A common ploy is to turn the data into images, rendering them unreadable by many security systems. At Websense, our optical character recognition (OCR) capability makes this method of obfuscating data ineffective.
Stealing data slowly, in seemingly innocent increments that don’t trigger a detection threshold, is another effective technique used by sophisticated hackers. Once again, advances in Websense technology beat hackers at their own game.
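The drip detection described above, as an added illustration that is not Websense code: a conventional per-transfer threshold misses small transfers, so the detector also keeps a sliding 24-hour total per user. The log format, thresholds and event lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample DLP events (not from the original document):
# "<ISO timestamp> <user> <destination> <count of sensitive records in transfer>"
SAMPLE_EVENTS = """
2012-06-04T09:00:00 alice files.example.net 3
2012-06-04T09:05:00 bob files.example.net 12
2012-06-04T13:30:00 alice files.example.net 4
2012-06-04T14:00:00 carol mail.example.org 3
2012-06-04T17:45:00 alice files.example.net 4
2012-06-05T14:10:00 carol mail.example.org 4
""".strip().splitlines()

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def detect_drip(lines, per_tx_threshold=10, cumulative_threshold=10,
                window=timedelta(hours=24)):
    """Return (user, kind, total) alerts.

    kind == "single": one transfer alone reached per_tx_threshold.
    kind == "drip":   no single transfer did, but the user's transfers inside
                      the sliding window add up to cumulative_threshold or more.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> (time, count) pairs inside the window
    running = defaultdict(int)    # user -> sum of counts currently in the deque
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        user, count = m.group(2), int(m.group(4))
        if count >= per_tx_threshold:
            alerts.append((user, "single", count))
            continue   # caught by the conventional threshold; don't count it twice
        q = recent[user]
        q.append((ts, count))
        running[user] += count
        # Evict transfers that have aged out of the window before judging the total
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            running[user] -= old
        if running[user] >= cumulative_threshold:
            alerts.append((user, "drip", running[user]))
            q.clear()
            running[user] = 0   # reset so the same transfers are not re-alerted
    return alerts
```

Alice's three transfers of 3, 4 and 4 records each pass the per-transfer check but total 11 within the window; Carol's second transfer falls outside her window, so she stays under the threshold.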
Criminals intent on stealing your data assets and monetizing the results have developed other ingenious approaches to bypassing your defenses. Consider a typical spear-phishing email campaign, one of the hardest attacks to counter. Knowing that your email gateway will inspect the offending URL, attackers dispatch their attacks over a weekend in recognition that a time delay exists between when a user receives the email and when a user clicks on a link within the email. Relying on the fact that most email security gateways will inspect the URL once and then deliver the email to the recipient, attackers use a safe and reliable domain on their phishing lure and switch it to a malicious link once they feel certain the initial security scanning is complete.
Websense counters this approach by placing a “wrapper” around each URL in an email. This allows us to inspect each URL for malicious intent when the email is clicked, no matter where the user is located. We have the global infrastructure needed to deliver this degree of real-time protection with 99.999 percent availability. It’s an achievement unmatched in the security industry.
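The URL wrapper and click-time re-inspection described in this section, as an added example that is not Websense's implementation: each link in an outbound message is replaced by a signed redirector link, and the destination's reputation is checked when the user actually clicks, so a domain that turns malicious after delivery is still blocked. The redirector host, secret key, reputation table and message text are all constructed for the example.

```python
import base64, hashlib, hmac, re
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"                          # per-deployment secret (constructed)
REWRITE_HOST = "https://click.example-gateway.invalid/go"  # hypothetical click-time service
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reputation state; a domain may be benign at send time and malicious later.
REPUTATION = {}

def wrap_url(url):
    """Replace a link with a redirector link carrying the original URL and an HMAC."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    sig = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    return f"{REWRITE_HOST}?{urlencode({'u': token, 's': sig})}"

def rewrite_message(body):
    """Wrap every URL in a message body at delivery time."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0)), body)

def on_click(wrapped_url):
    """Click-time handler: verify the wrapper, then judge the destination *now*.

    Returns ("allow" | "block", original_url_or_None).
    """
    qs = parse_qs(urlsplit(wrapped_url).query)
    token, sig = qs.get("u", [""])[0], qs.get("s", [""])[0]
    expected = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return ("block", None)   # forged or tampered wrapper
    padded = token + "=" * (-len(token) % 4)
    original = base64.urlsafe_b64decode(padded).decode()
    host = urlsplit(original).hostname
    verdict = REPUTATION.get(host, "unknown")   # "unknown" goes to deeper analysis in practice
    return ("block" if verdict == "malicious" else "allow", original)
```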
One security analyst summarizes our recent developments:
“Websense sets the benchmark for the security gateway industry — the caliber of their security defenses is second to none,” said Chris Christiansen, program vice president for the Security Products and Services division of industry analyst firm IDC. “The new Websense advanced malware and data theft innovations address an entirely new set of situations, which is what enterprises need to keep their data safe from internal and external threats. The capabilities are brilliant and solve many of the challenges that cyber security teams will face in future attacks.”
Products Aren’t Enough
Introducing Websense CyberSecurity Intelligence™ Services.
The best security products in the world are no longer enough. People whose job is to protect a company’s most valuable information assets need swift access to threat intelligence and, when required, collaborators to outwit an attacker.
New from Websense, CyberSecurity Intelligence (CSI) services offer unparalleled insight and put our most powerful threat analysis tools in your hands. Websense CSI: On-Demand provides an online malware sandbox that profiles, step by step, how a malware sample infects a system and the dynamic web calls it makes. This service also comes with online security training from malware researchers, recorded webinars and lectures on cyber security, plus the latest research from Websense Security Labs. Websense CSI: Live enables direct access to malware researchers within Websense Security Labs to research incidents or profile security defenses and policies, and it includes Websense CSI: On-Demand.
Your own security team will appreciate having these additional easy-to-use diagnostic capabilities when it’s investigating a security incident. In addition to empowering your analysis, our CSI services can put you in touch with a Websense Security Labs™ researcher who can provide a rapid and experienced perspective on your precise circumstances. This means you get the fastest second opinion in the security industry at a time when speed really matters.
In Summary
Websense TRITON unifies all the key components of threat defense and data loss prevention (DLP) into a cohesive content security system. It combines web security, email security, mobile security and DLP defenses with unified security intelligence and a unified management console. The Websense TRITON system can be deployed on enterprise-grade appliances, in the cloud, or both as a powerful and efficient hybrid solution.
Our premise is simple. Websense must allow businesses to take advantage of the transformative technologies of mobility, cloud and social computing. These technological changes are redefining the nature of work and the definition of the network — and they are exposing the weaknesses in the traditional legacy security systems that many organizations have in place today. It’s creating a gap, a vulnerability, and we must find ways to close it. This is what we at Websense have focused on for the past eight years, and it’s precisely why we make the claim, “No One Stops More Threats.” For more information please visit www.websense.com.