A guide to choosing web protection solutions to help address security threat challenges and give users flexible access to the web-based tools they need
by Chester Wisniewski, Sophos
The web is the number one source for malware distribution today. While many organizations have replaced first-generation URL filters with secure web gateways, even these advanced solutions do not provide web protection everywhere. This paper identifies today’s most critical web threats and provides checklists for you to identify and evaluate the security capabilities you need for the best web protection.
Nearly everyone is using the web for their work today. Cloud computing, social media, SaaS (software as a service) and other web-based technologies are reshaping the IT landscape and converging around the use of the Internet. And as you expand your use of the web for critical business applications, your company is
exposed to an ever-increasing diversity of threats. New webbased applications and a mobile workforce require you to defend your systems against increasingly sophisticated malware.
Traditional web filters
Many companies already block access to potentially dangerous URLs by employing secure web gateways. A URL filter sits on the perimeter of your network and inspects outbound URL requests to block access to known malicious, inappropriate and other unwanted sites. These filters have evolved to provide caching and filtering of inbound web traffic to improve performance and security. Still, many filters inspect traffic from the sidelines, providing little, if any, malware scanning. They rely solely on site reputation for security, which leaves users vulnerable to more sophisticated malware threats.
SaaS promises easy access and outsourced operation, but it has its downsides. You are no longer in full control of your data, availability and up time. You lose location-aware browsing. And searching by backhauling through a proxy can be frustrating. Finally, additional software requirements complicate deployment.
Conventional web filters do not provide the protection you need. A mobile workforce puts new demands on your security infrastructure. And rich web applications complicate the landscape. So what can you do to protect users on the web? You need a new approach to web protection.
Start by focusing on these four critical areas, which are essential to web-based security:
- advanced web threat protection
- Web protection everywhere to cover offsite users
- Web 2.0 application control
- Web protection that is simple to manage and cost effective.
Advanced web threat protection
Web threats evolve rapidly, exploiting new techniques to avoid detection. These techniques include obfuscation, which makes code harder to understand or read, and polymorphism, which makes malware look differently each time it is accessed, making it harder to identify. Most traditional gateway solutions cannot provide adequate protection against these threats.
You need a new approach to web protection that adopts advanced methods to identify and block today’s web threats before they do harm. Your web defense should combine 24/7 global threat intelligence with the latest web-specific, anti-malware detection technologies to provide proactive threat detection and protection. These capabilities should include:
- network-layer scanning
- advanced web malware heuristics
- bi-directional inspection
- high-performance computing
- threat intelligence with frequent updates.
Any location
Offsite workers present an enormous security challenge whether they are working from home, at the local coffee shop or at an airport. It is difficult to provide efficient, secure ways to update policy and configuration settings and monitor activity. Virtual private networks (VPNs) and other traffic redirection or backhauling solutions are complex, expensive and slow. And they often represent a single point of failure.
Unprotected offsite users can also have significant consequences for your IT department. Users are often exposed to web threats over the weekend when they are out of the office. Weekend infections force the IT department to begin each week cleaning up systems that are used outside the corporate gateway. If you have small branch office locations, it may not be economical to buy hardware gateways for each location. But you still have an obligation to monitor users. In addition, your organization may be liable if inappropriate content is accessed from machines you own.
So web security must protect users regardless of their location— on your network, or off—at any time. Look for an integrated approach to mobile security that does not require separate systems, management consoles, endpoint agents or backhauling traffic. You want an uncompromised browsing experience for users along with instant visibility and oversight for IT administrators. These capabilities should include:
- unified endpoint/gateway policy and reporting
- instant policy updates for offsite users
- instant activity reporting from offsite users
- endpoint policy enforcement with no backhauling
- a single agent.
Web 2.0 application control
Web 2.0 applications, including social media, are ingrained in our personal and business lives. Any framework that depends on user-submitted content is inherently ripe for exploitation, making these applications risky. These applications can also impact worker productivity. Look for a web security solution that provides granular access to important Web 2.0 and social networking tools without sacrificing security. You must balance user productivity with security concerns to reflect the needs of both users and IT administrators. These capabilities should include:
- granular social networking control
- Web application control
- Webmail, blog and forum controls
- Web download control.
Simplified IT management
Every organization is trying to do more with less. It is important that your web security solution operate efficiently. Switching to a new web security system can be time consuming and expensive, but continuing to use the same ineffective solution can be more costly in terms of ongoing administrative inefficiencies, malware cleanup incidents and compliance risks. Any new approach must provide significant new value, be easy to deploy, save time and reduce budget.
Your web security solution should not require expensive new infrastructure or additional client software, services or management tools. It should let you manage remote or offsite users as easily as those on the corporate network. It should be robust and operable even when key infrastructure elements are unavailable or unreachable offsite. It shouldn’t require large capital expenditures or ongoing SaaS contracts. Instead it should help you lower budgets. These capabilities should include:
- a single agent
- unified management
- endpoint policy enforcement with no backhauling
- scalability with each user
- resilience to failure
- direct control over user data.
Necessary combination
Web security must be an integrated part of your overall security solution. It should address these four critical needs: advanced web threat protection, web protection from any location, Web 2.0 application control and simple IT management. A successful web protection solution must combine the best elements of endpoint, cloud and gateway solutions to provide a better, more secure web experience. Look for these integrated capabilities in your web protection system:
- Web security that is built into the antivirus agent at the endpoint
- easy deployment at the endpoint with advanced web threat protection
- Web protection that travels with you
- 24/7 global web threat intelligence
- complete IT administrator control and visibility
- reduced network complexity without the downsides of a SaaS or proxy solution.