Transcript Document
E-mail Crimeware: An Emerging, Acute Threat Dave Green <Date> E-mail Security Concerns 2007 • HIGHER RISKS • Targeted Crimeware How do emerging Trojans, keystroke loggers & malware steal data? • First-instance Threats How to protect from first-instance/ unknown threats? • Regulatory compliance What are the penalties for a data breach? Targeted Crimeware Defined • Custom-designed threats may never reach a pattern development lab Target specific organizations/industries Symantec Threat Report: Threats focused on stealing specific access or data Decline in noisy, widely replicated threats Increase in quieter, stealthier, focused threats 1 1- Symantec Internet Security Report, Vol. 9, March 2006 Targeted Crimeware – On the rise • Symantec reports of top 50 threats – 80% attack confidential information • +26% increase from 2004 • 92% of most threatening malicious code sent by SMTP email Symantec Internet Security Report, Vol. 9, March 2006 Recent Crimeware Examples Attachment Blocking – Insufficient Protection Trojan Horse .doc .jpg .mp3 .wmv Data Mining .doc .xls .pdf Remote Code Execution .doc .xls .ppt .wmf .bmp .jpg .gif Denial of Service/ System Crash .bmp .gif .pdf 1. Business-critical attachments can carry dangerous threats 2. Blocking these attachments halts business Consequences of security failure • Security breach has associated costs HIPAA, Graham-Leach-Bliley Act, EU Privacy Act Public disclosure of any security breach compromising personal info Fines for non-compliance—Corporate and PERSONAL California’s Senate Bill 1386 Similar laws pending or complete in other states (IL, MA, NY, NJ) E-mail protection is not the same HEURISTICS • An educated guess, not reliable for consistent protection. BEHAVIOR-BASED • Desktop emulator solutions ANTICIPATE (not observe) behavior, prone to false positives, difficult to deploy TRAFFIC ORIGIN • Targets known bad locations or traffic anomalies, may limit the effect of noisy mass mailers PATTERN-BASED • Effective at stopping previously identified threats only, development and deployment of new patterns takes time BEYOND ‘DAY ZERO’--ACTUAL BEHAVIOR OBSERVATION Executes attached active content, and monitors for any unusual or malicious activity, detects FIRST INSTANCE of threat Protection beyond ‘day-zero’ technology • Allow active content messages to execute in a secure virtual machine desktop at the gateway • Observe actual behavior • Protect based on demonstrated actions • Virtual machine protection stops threats based upon actual behavior in a virtual machine In action – Virtual machine crimeware protection • Enterprise SMTP deployment configuration • Virtual Machine Benefits Excellent track record of accurately detecting malicious behavior Firewall protection stops propagation outside of execution environment Real environment entices execution of payload Comprehensive AV Security • For previously identified threats, pattern-based protection is an effective layer of protection Fast and efficient First instance threats can’t be stopped by patterncomparison The COMBINATION of pattern-scanning + actual behavior delivers the most comprehensive e-mail threat protection available. Thank you for your time Avinti, iSolation Server and E-mail Attachments—Tested and Safe are trademarks of Avinti, Inc. All other company and product names may be trademarks or registered trademarks of their respective companies.