Web security gateways meet rising malware threats

If your organisation is like most, Web security gateways weren't high on your list of anti-malware measures until pretty recently. Your attention to incoming Web traffic has focused largely on policy control--HR concerns over employee access to Internet pornography, gambling, etc., and productivity, as users spend disproportionate time shopping online and checking up on their stocks and favorite teams.

We're getting more work done and better efficiency on our network--speed improved dramatically. Michael Dermer, chief operating officerUrology San Antonio

Anti-malware largely meant anti-virus and was pretty well controlled by email screening and desktop antivirus. While Web security gateways are attracting increased attention, desktop antivirus vendors are scrambling to reinforce their products with improved heuristics, host-based IPS and application controls. The antivirus vendors are responding to the rapidly shifting threats from email-borne viruses to Web-based malware designed to steal confidential data and identities and take control of corporate computers.

"What's changed and started the market heating up is Web component of malware," said Peter Firstbrook, a research director at Gartner. "Since the first quarter of 2005, Web-borne malware has grown 540%."

It's easy to see why. Web 2.0 is spawning new business opportunities with little consideration (surprise!) for security. Users who have been conditioned over more than a decade to be wary of suspicious email attachments can be more easily steered to a malicious Web site that can install a bot, Trojan or rootkit without alerting the victim. Criminal motive has replaced adolescent hubris, as the bad guys find profit in identity theft, fraud and stealing sensitive corporate data more lucrative than Internet graffiti or fast-moving worms.

The problem is as vast as the Internet. A recent year-long Google study led by Niels Provos called "The Ghost In The Browser Analysis of Web-based Malware," found that 450,000 Web sites: at least 10% of those analysed downloaded malware to unsuspecting users, and another 700,000 were suspect.

The problem is compounded because legitimate Web sites can be temporarily compromised and turned into drive-by download perpetrators.

Small wonder that organisations are showing a growing interest in Web security gateways.

"Our plan is for every entry port in our enterprise have zero day Web protection," said a wide area network program manager who uses Aladdin eSafe Web security gateway to protect the networks of a large aerospace and defense company. "We decided we needed more that URL filtering, which was the standard method of doing things through 2005."

URL filtering has approached commodity status. Gartner estimates that 75% to 95% of all enterprise networks employ it. Organisations see a quick return in user productivity and freed bandwidth.

"Unauthorised use of the Internet is totally jamming our pipeline, slowing business systems," said Michael Dermer, chief operating officer of Urology San Antonio, a group practice of 23 physicians and about 150 employees. "Administratively, we were hearing we need more staff and help, but it didn't seem the workload was increasing." Dermer said URL filtering from eSoft made an immediate difference.

"We saw an overnight change," he said. "We're getting more work done and better efficiency on our network--speed improved dramatically."

SOA, Web services security hinge on XML gateways: SOA, Web services security hinge on XML gateways: XML security gateways could be the missing piece in most SOA deployments, says Tim Bond, a senior security engineer at webMethods Inc.

By contrast, Gartner pegs Web security gateway malware filtering at around 15% network coverage, this figure should increase significantly, with most vendors offering some combination of the components that Gartner uses to define the Web security gateway market--URL filtering, Web traffic malware detection and application control (IM, P2P, Skype, etc.). Gartner pegged the total market at about $700 million in 2006 and expects a 20-25% annual increase.

The Web security gateway market is an interesting mix of appliance and software vendors, each expanding on their primary strengths--URL filtering vendors like Websense and Secure Computing; traditional AV vendors like McAfee, Trend Micro and Sophos; IM control specialists like FaceTime and email security vendors such as IronPort (recently purchased by Cisco) and MessageLabs--by development, acquisition or partnerships. Newer companies like Mi5 and Anchiva suggest room for growth. (Gartner identifies Blue Coat and Secure Computing as market leaders in a June Magic Quadrant report for this newly defined market.)

Managed Web security gateway services are another option. Although the market is still young, vendors are starting to offer their technology as a service. ScanSafe, the first company to offer antimalware and URL filtering and IM control as pure-play services, actually scans all their customers Web traffic. It OEMs for companies like Postini and AT&T. MessageLabs, which initially sold ScanSafe-based services, now offers managed services based on its own technology.

Vendors and analysts say this is in large part a replacement market. Since most organisations are already budgeted for URL filtering, it's relatively easy to step up and add value at the web security gateway, either through new products or adding features to existing deployments. The pressure is growing, as the rapid development and deployment of complex malware outstrips the ability of any single technology to protect enterprises.

"We were proactive. We started seeing more and more alerts coming through as zero day threats," said the aerospace/defense manager, as he monitored feeds from Symantec's DeepSight services. He chose Aladdin because its packet inspection technology offered better zero-day protection than signature-based detection alone, but uses IronPort for email gateway protection. "We don't believe in too many eggs in one basket."

In fact, while there are compelling arguments for using the same vendor's products on the desktop and at the Web security gateway, best security practice may dictate deploying the widest range of coverage with different solutions.

"Malware detection is converging. It's all malware. Whether rootkit, adware or spyware, but malware is growing so fast and so diverse and so complex, no one vendor will catch it all," said Gartner's Firstbrook. "It needs to be from a different vendor; it's totally necessary--needs to be from different vendor. Each only knows what they know about."

In addition to protecting large enterprises, Web Security gateways make some sense for SMBs, which can add a layer of defense without necessarily beefing up security on every desktop. Gateway-based malware protection offers a single point of policy control and management. It's an alternative for companies feeling the pressure to upgrade their desktops to run the latest antimalware software, who can opt instead to wait until the end-of-life cycle runs its natural course. Specialised systems, such as medical devices that can't be updated easily, can be protected at the gateway.

"From cost perspective, I don't have to upgrade desktops; putting too much software on them affects performance," said Jay Wessel, vice president of technology for the Boston Celtics, who uses Mi5's Webgate. "It's a centralised place in which you can fix things quickly for everyone." That kind of control is important to small IT operations like his.

"I like things that live in my room better than things I have to put in anybody else's office," Wessel said.