E-mail Crimeware:
An Emerging, Acute Threat
Dave Green
<Date>
E-mail Security Concerns 2007
• HIGHER RISKS
• Targeted Crimeware: How do emerging Trojans, keystroke loggers and malware steal data?
• First-instance Threats: How to protect from first-instance/unknown threats?
• Regulatory compliance: What are the penalties for a data breach?
Targeted Crimeware Defined
• Custom-designed threats may never reach a pattern development lab
 Target specific organizations/industries
 Symantec Threat Report:¹
 Threats focused on stealing specific access or data
 Decline in noisy, widely replicated threats
 Increase in quieter, stealthier, focused threats
1 – Symantec Internet Security Report, Vol. 9, March 2006
Targeted Crimeware – On the Rise
• Symantec reports that of the top 50 threats, 80% attack confidential information
• +26% increase from 2004
• 92% of the most threatening malicious code is sent by SMTP e-mail
Source: Symantec Internet Security Report, Vol. 9, March 2006
Recent Crimeware Examples
Attachment Blocking – Insufficient Protection
Threat type and the business attachment types that can carry it:
 Trojan Horse: .doc, .jpg, .mp3, .wmv
 Data Mining: .doc, .xls, .pdf
 Remote Code Execution: .doc, .xls, .ppt, .wmf, .bmp, .jpg, .gif
 Denial of Service / System Crash: .bmp, .gif, .pdf
1. Business-critical attachments can carry dangerous threats
2. Blocking these attachments halts business
Consequences of Security Failure
• A security breach has associated costs
 HIPAA, Gramm-Leach-Bliley Act, EU Privacy Act
 Public disclosure of any security breach compromising personal info
 Fines for non-compliance—Corporate and PERSONAL
 California’s Senate Bill 1386
 Similar laws pending or enacted in other states (IL, MA, NY, NJ)
E-mail Protection Is Not All the Same
HEURISTICS
• An educated guess; not reliable for consistent protection.
BEHAVIOR-BASED
• Desktop emulator solutions ANTICIPATE (rather than observe) behavior; prone to false positives, difficult to deploy.
TRAFFIC ORIGIN
• Targets known bad locations or traffic anomalies; may limit the effect of noisy mass mailers.
PATTERN-BASED
• Effective at stopping previously identified threats only; development and deployment of new patterns takes time.
BEYOND ‘DAY ZERO’ – ACTUAL BEHAVIOR OBSERVATION
• Executes attached active content and monitors for any unusual or malicious activity; detects the FIRST INSTANCE of a threat.
Protection Beyond ‘Day-Zero’ Technology
• Allow active content messages to execute in a secure virtual machine desktop at the gateway
• Observe actual behavior
• Protect based on demonstrated actions
• Virtual machine protection stops threats based upon actual behavior in a virtual machine
In Action – Virtual Machine Crimeware Protection
• Enterprise SMTP deployment configuration
• Virtual Machine Benefits
 Excellent track record of accurately detecting malicious behavior
 Firewall protection stops propagation outside of the execution environment
 Real environment entices execution of the payload
Comprehensive AV Security
• For previously identified threats, pattern-based protection is an effective layer of protection
 Fast and efficient
 First-instance threats can’t be stopped by pattern comparison
• The COMBINATION of pattern scanning + actual behavior observation delivers the most comprehensive e-mail threat protection available.
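The layered decision the last three slides describe (pattern comparison as the fast path for known threats, behavior observed in a gateway virtual machine for everything else) can be sketched as a small gateway verdict routine. This is an added illustration, not Avinti's or any product's code: the event names, weights, threshold and the three sample attachments are constructed assumptions chosen to show a known sample caught by hash, a first-instance variant caught only by its demonstrated actions, and a benign document delivered.

```python
"""Layered e-mail gateway verdict: pattern (hash) match first, VM behaviour second.

Added illustration; event names, weights and threshold are constructed
assumptions, not any product's real rule set.
"""
import hashlib
from dataclasses import dataclass, field

# Pattern layer: fingerprints of previously identified samples (constructed).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-KNOWN-TROJAN-SAMPLE").hexdigest(),
}

# Behaviour layer: observation events the gateway VM might record while the
# attachment runs, with a weight per event (constructed names and weights).
BEHAVIOUR_WEIGHTS = {
    "launches_process": 2,            # attachment starts a new executable
    "writes_autorun_entry": 4,        # persists itself (run key / startup folder)
    "attempts_outbound_connect": 3,   # egress is stopped by the VM firewall but still observed
    "reads_user_documents": 2,        # data-mining behaviour
    "writes_temp_file": 0,            # ordinary viewer activity, not suspicious
}
BEHAVIOUR_THRESHOLD = 5  # a score at or above this is treated as malicious


@dataclass
class Attachment:
    name: str
    data: bytes
    observed_events: list = field(default_factory=list)  # output of the VM run


@dataclass
class Verdict:
    name: str
    blocked: bool
    layer: str            # "pattern" or "behaviour"
    score: int = 0
    reasons: list = field(default_factory=list)


def matches_known_pattern(data: bytes) -> bool:
    """Fast path: exact match against the pattern feed, no VM run needed."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def score_behaviour(events: list) -> tuple:
    """Sum the weights of observed events; return (score, events that counted)."""
    score, reasons = 0, []
    for event in events:
        weight = BEHAVIOUR_WEIGHTS.get(event, 0)
        if weight:
            score += weight
            reasons.append(event)
    return score, reasons


def judge(att: Attachment) -> Verdict:
    """Known pattern blocks immediately; otherwise decide on demonstrated actions."""
    if matches_known_pattern(att.data):
        return Verdict(att.name, True, "pattern", reasons=["known hash"])
    score, reasons = score_behaviour(att.observed_events)
    return Verdict(att.name, score >= BEHAVIOUR_THRESHOLD, "behaviour", score, reasons)


# Constructed inbound attachments with the events a VM run would have recorded.
SAMPLES = [
    Attachment("invoice.doc", b"CONSTRUCTED-KNOWN-TROJAN-SAMPLE",
               ["launches_process", "attempts_outbound_connect"]),
    Attachment("report.xls", b"CONSTRUCTED-FIRST-INSTANCE-VARIANT",
               ["launches_process", "writes_autorun_entry", "attempts_outbound_connect"]),
    Attachment("agenda.doc", b"CONSTRUCTED-BENIGN-DOCUMENT", ["writes_temp_file"]),
]


def run_gateway(samples=SAMPLES) -> list:
    """Apply the layered verdict to every attachment in delivery order."""
    return [judge(s) for s in samples]


if __name__ == "__main__":
    for v in run_gateway():
        state = "BLOCKED" if v.blocked else "delivered"
        print(f"{v.name:12} {state:9} via {v.layer:9} score={v.score} {v.reasons}")
```

The known sample never reaches the virtual machine, which is the "fast and efficient" property of the pattern layer; the unknown variant has no fingerprint to match and is stopped only because persistence plus an outbound connection attempt were actually observed, not anticipated. Tuning the weights and threshold is where false positives are traded against missed first-instance threats.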
Thank you for your time
Avinti, iSolation Server and E-mail Attachments—Tested and Safe are trademarks of Avinti, Inc.
All other company and product names may be trademarks or registered trademarks of their respective companies.