It's no secret that the Web has supplanted email and other vectors as the number one source of malware. With increasing frequency, criminals trick users into visiting malicious sites or compromise popular and legitimate but vulnerable websites. Cisco Systems Inc. subsidiary IronPort's Exploit Filtering capability, announced this week, discovers compromised sites and prevents users from falling prey.
"My sense is that legitimate websites that are compromised to participate in malware distribution has gone up a lot in recent months," said Chenxi Wang, principal analyst for Forrester Research Inc. "It's been around for a while, but lately it's become more prominent on everybody's radar screen because it has increased in volume and intensity."
Attackers typically subvert websites by exploiting vulnerabilities to inject IFrames that redirect users to a malicious site, or in some cases, directly infect the user.
Most of the security response to Web-borne malware has come from the more traditional, almost commoditized URL filtering market. IronPort Systems Inc., however, leveraged its pioneering reputation filtering and high-performance appliances from its core email security products to enter what Gartner Inc. christened the Web security gateway market.
IronPort added new capabilities in March to detect bot-infested hosts. The new enhancement introduces what IronPort calls "real-time cloud scanning" of popular websites for compromise. Scanned sites are then classified as dangerous, compromised or vulnerable and treated accordingly.
- Dangerous sites are those that are actively redirecting users or downloading malware.
- Compromised sites are dormant, but are ready to be activated.
- Vulnerable sites are popular and heavily trafficked. They have not been exploited, but the potential is high.
Dangerous and compromised content is blocked by default. The aim is to maintain access to legitimate content on the site: only the redirect is blocked or, if the site itself is downloading malware, only the offending page, rather than the whole domain. IronPort issues risk watches for vulnerable sites or those that have been compromised and are highly prone to exploit.
"What is new is the real-time cloud scanning of websites and looking for vulnerabilities, malicious scripts, and the malware present on those web pages," said Samantha Madrid, IronPort's product manager of Web security applications. "Having the ability to identify that and present users with safe and clean content is a huge advantage and really makes this a next generation reputation system; no longer just scoring, but scoring with real-time cloud scanning."
The battle for the Web security gateway market has picked up. URL filtering leader Websense Inc. increased its capabilities and market share with its purchase of competitor SurfControl plc last year. Like Cisco, Secure Computing bolstered its product line by leveraging its CipherTrust email security acquisition and that company's own flavor of reputation filtering.
Traditional antivirus vendors like McAfee Inc., Trend Micro Inc. and Sophos Inc., and IM control specialists like FaceTime Communications Inc. are also in the market, along with newcomers such as Mi5 Inc. and Anchiva Systems Inc., which suggests room for growth.
The field of Web security services players is growing. Secure Computing Corp. offers a service, and ScanSafe OEMs for companies like Postini Inc./Google Inc. and AT&T. MessageLabs Inc. added Web security to its core email services.
More recently, Zscaler Inc., led by CipherTrust Inc. founder Jay Chaudhry, and Purewire Inc., also headed by former CipherTrust principals, announced their services on the same day.
Despite the growing emphasis on robust gateway detection of Web-borne malware, many companies typically still think in terms of traditional URL filtering, which is great for enforcing Internet use policy, but highly limited for security.
"There are certainly companies very conscientious about the threats they are facing and are very proactive about adopting the latest protection mechanisms," said Forrester's Wang. "But I'd say more than half of the organizations are still relying solely on URL filtering and think that is sufficient to protect their internal infrastructure. In today's Internet world, that is a naïve assumption."