Multi-Layered Defense is the Best Threat Protection
For both consumers and enterprises, implementing a multi-layered approach to network security is essential to combating Web threats. As discussed in the previous issue of FLOD, this can be accomplished by implementing integrated solutions at three separate layers:
- In-the-cloud (before the data even reaches the Internet gateway)
- At the Internet gateway (where the Internet connects to a corporate or Internet Service Provider network)
- At the endpoint (on the PC or server)
Integrated Security Layers
The evolving nature of Web threats necessitates information sharing mechanisms, in which information gathered at one layer of the protection system is used to update information gathered at other layers (see Figure 1).

Figure 1: Feed-through (top to bottom) and feedback (arrows) capabilities complement a multi-layered approach that begins in-the-cloud and continues at the gateway and endpoint.
For example, information learned in the behavior analysis function at the gateway (where the "behavior" of combinations of potentially malicious actions is assessed) can be shared, or looped back, to update the Web reputation databases (where the "reputation" of a Web site is assessed), as well as the endpoint capabilities. Similarly, information acquired at the endpoint (e.g., client desktop or laptop computer) can be looped back to the file scanning capability at the gateway and the Web reputation capability in-the-cloud. Both feed-through and loop-back techniques are needed to ensure adequate ongoing protection.
To maximize efficiency, administrators need to be able to monitor and manage all of these capabilities and relevant policies from a centralized console. At the same time, to address the regional and local aspects of many Web threats, specific teams need to target specific regions of the world. These teams should be at the forefront of intelligence gathering, sample sourcing, mitigation and prevention, and coordination with local security groups and law enforcement agencies in the fight against Web threats. This approach is likely to result in faster response, customized solutions, and cultural awareness.
Extending Integrated, Multi-layered Security to Email
This multi-layered approach can also be extended to email security. Active protection in-the-cloud is important in the messaging realm because once email reaches the Internet gateway, regulatory requirements can mandate retention for up to ten years. Prefiltering email in-the-cloud saves bandwidth, reduces storage and maintenance costs, and aids protection. At this layer, protection should include the following:
- Email sender IP reputation checks
- Domain IP reputation checks
- Email firewall
- Anti-spam and anti-virus filtering
The email firewall should be hosted outside the email server to prevent distributed denial-of-service attacks and directory harvest attacks (i.e., attacks that randomly search for valid email addresses).
At the Internet gateway, anti-spam and anti-virus software should include attachment scanning to detect attachment spam - a relatively new form of bot-generated spam that is difficult to identify, uses images to conceal spam, consumes storage, and usually contains malware. At this level, a policy engine is needed that links to the directory (e.g., LDAP) from email servers. Here, behavioral analysis technology is used to detect, for example, that a user never replies to a repeated email, labeling it spam so it can be returned. Email content scanning can also be performed at this level to ensure that employees and others do not reveal confidential information in email or attachments to unauthorized parties. This functionality should also enable encryption for outgoing email, and email archiving to comply with regulatory requirements. In the messaging environment, the third level (the endpoint level) is the mail server itself, because mailboxes reside on the mail server.
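The following is an added illustration, not code from the article or from any vendor product, of how the email layers above can be chained in cost order (sender IP reputation, then domain reputation, then behavioral analysis) and how a behavioral finding can be looped back into the reputation layers, as the feed-through and loop-back discussion earlier describes. Every address, domain and threshold in it is constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed seed reputation data (documentation-range IP, reserved .test domain).
BAD_SENDER_IPS = {"203.0.113.7"}
BAD_DOMAINS = {"bad-example.test"}


@dataclass
class Message:
    sender_ip: str
    sender_domain: str
    recipient: str
    subject: str


@dataclass
class LayeredMailFilter:
    bad_ips: set = field(default_factory=lambda: set(BAD_SENDER_IPS))
    bad_domains: set = field(default_factory=lambda: set(BAD_DOMAINS))
    # Behavioral state: how often each (recipient, sender domain) pair has been
    # seen, and which senders the recipient has ever replied to.
    seen: dict = field(default_factory=lambda: defaultdict(int))
    replied: set = field(default_factory=set)
    repeat_threshold: int = 3  # constructed value for the example

    def record_reply(self, recipient, sender_domain):
        self.replied.add((recipient, sender_domain))

    def check(self, msg):
        """Return (verdict, layer_that_decided) for one message."""
        # Layer 1: cheapest check first - sender IP reputation.
        if msg.sender_ip in self.bad_ips:
            return "reject", "ip_reputation"
        # Layer 2: sending domain reputation.
        if msg.sender_domain in self.bad_domains:
            return "reject", "domain_reputation"
        # Layer 3: behavioral analysis - repeated mail the user never answers.
        key = (msg.recipient, msg.sender_domain)
        self.seen[key] += 1
        if self.seen[key] >= self.repeat_threshold and key not in self.replied:
            # Loop-back: feed the finding to the reputation layers so that
            # later mail from this source is stopped at a cheaper layer.
            self.bad_ips.add(msg.sender_ip)
            self.bad_domains.add(msg.sender_domain)
            return "quarantine", "behavioral"
        return "accept", None


def run_demo():
    """Run a constructed message stream through the filter; returns verdicts."""
    f = LayeredMailFilter()
    f.record_reply("alice@corp.example", "partner.example")  # a known correspondent
    stream = [Message("203.0.113.7", "any.example", "alice@corp.example", "offer"),
              Message("198.51.100.5", "bad-example.test", "alice@corp.example", "offer")]
    stream += [Message("198.51.100.9", "unknown.example", "alice@corp.example", f"deal {i}") for i in range(3)]
    stream += [Message("198.51.100.10", "unknown.example", "alice@corp.example", "deal 4")]
    stream += [Message("192.0.2.4", "partner.example", "alice@corp.example", f"q {i}") for i in range(4)]
    return [f.check(m) for m in stream]
```

Note that the fourth message from unknown.example arrives from a new IP yet is rejected at the domain layer, because the behavioral layer's earlier verdict was fed back, while the correspondent Alice has replied to is never flagged no matter how often they write.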
Taking Action to Improve Security Posture
Browsing Web sites, even those that are seemingly innocuous, can have serious ramifications for both consumers and enterprises.
- Consumers must apply up-to-date security solutions at the endpoint layer (the PC) to mitigate Web-based attacks. As discussed in the last issue of FLOD, consumers should also evaluate the security measures that Internet service providers (ISPs) offer. Given the commoditization of low-cost, high-speed Internet connectivity, security capabilities are becoming a key differentiator among ISPs.
- Enterprises should implement security solutions at each layer (i.e., in-the-cloud, at the gateway, and at the endpoint) and should extend this multi-layered security approach to email. It is also advised that the solutions at each layer be well integrated so that information from each layer can be shared.
For additional information on multi-layer security, see Protecting Yourself and Your Company from Web Threats.
