Live Webcast
How Browser Exploits Lead to Web 2.0 Hacking
Defending Against the New Threats with Cloud-Delivered Security
Keynote Speaker
Brian Burke
August 2008
Program Director
Security Products & Services
IDC
Logistics Help
• To send us questions during the sessions:
Type the Question in the text box provided on the screen
and click 'Submit'
• Any Technical Issues?
Email david.scott@zscaler.com or call +1-678-373-4214
Tip: Microsoft IE works better with Windows Media Player
Please complete the Feedback Form as we go thru each
section.
We will send you a copy of the presentation.
Webcast Agenda
• Web Security SaaS, The Next Gen Security – Brian Burke,
IDC
• How Zscaler Improves Security at Low TCO - Jay Chaudhry,
CEO, Zscaler
• Customer Case Study, Tyler Verri, Security Analyst
• Why Reputation Does not Work for Web Security
Michael Sutton, VP, Security Research, Zscaler
• Understanding the Power of Cloud-Delivered Security, Jim
Reavis, Executive Director, Cloud Security Alliance
• Q&A Session
Web Security SaaS
The Next Generation of Web Security
Brian Burke, Program Director,
Security Products and Services, IDC
Webcast sponsored by Zscaler
Copyright 2009 IDC. Reproduction is forbidden unless authorized. All rights reserved.
Agenda
Situation Overview
• IT Challenges
• SaaS Opportunity
• Threat Environment
• Conclusions
• IDC Recommendations
Q&A
© 2009 IDC
IT Security Management Challenges
Q: IT security management challenges to your organization?
• Not enough IT staff: 29%
• Lack of integration between security solutions: 24%
• Too many point solutions to manage: 17%
• Complexity of security solutions: 17%
• Lack of IT expertise: 13%
All are drivers for SaaS
Why SaaS?
Q: Please rate the importance of the following as drivers in your organization's SaaS investments
• Cost savings
• Threat environment
• Ease of use and implementation
• Shifting security budget from a capital expense to an operational expense
• Reduction of IT staff
• Lack of internal IT expertise
• Green IT initiative
[Bar chart: horizontal axis 0% to 50%]
Web Security SaaS Forecast
[Chart: 2007 to 2013, vertical axis $0 to $600, labelled "46% CAGR"]
Source: IDC, 2008
Web Security SaaS Compound Annual
Growth Rate (CAGR), 2008-2013
[Bar chart: 2008-2013 CAGR for Software, Appliance, SaaS and Total; vertical axis 0% to 50%; data labels 46%, 20%, 12%, 4%]
Web 2.0 Technologies Bring New Security Risks
“Web 2.0 and Business 2.0 applications and communities have become a major source of malware distribution, identity fraud, privacy violations, and corporate data loss.”
60–70% of vulnerabilities detected in 2007 were Web application vulnerabilities.
– Various vendors
“One in 10 websites were infected with malicious code, and 70% of Web infections were found on 'legitimate' websites.”
– Google study, May 2007
To Tweet or Not to Tweet, That is the Question
• Social networking sites, such as Facebook, which were once only considered to be consumer applications, are quickly moving into the enterprise environment.
• Many organizations are struggling with allowing their employees to use Web 2.0 tools responsibly without sacrificing security and regulatory compliance requirements. Web 2.0 tools have created both a risk of data leaks and new channels for malware.
• IDC believes Web 2.0 technologies, if used securely, can help organizations increase collaboration and productivity and drive revenue. This is especially important in today's tough economic climate.
• The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering.
Sources of Confidential Information Leaks
Q: How did the leak(s) of confidential information occur? (Please check all that apply)
Base: 43 respondents (Among those who have experienced leaks of confidential
information in the past 18 months)
• Corporate Email: 56%
• Lost/stolen laptop: 51%
• Web Email or Web posting (message board, blog, etc.): 37%
• Instant messaging: 33%
• Lost/stolen mobile device (PDA, Smart Phone): 33%
• Media devices (USB, iPod): 19%
• Other: 12%
Chart callout: 52% other “gadgets”
Source: IDC, 2008
Importance of Monitoring Employee
Web 2.0 Use for DLP
Using a 5-point scale where 5 is an extremely high priority and 1 is a very low priority
[Bar chart: categories <100, 100-999 and 1,000+; series Total (4-5), 3 and Total (1-2); axis 0% to 100%]
Source: IDC, 2008
Data Leakage – HTTP is the New Channel
Traffic
• HTTP is used/supported by most modern client applications
• HTTP Traffic: Webmail, P2P, Blogs, Instant Messaging
Content
• Social Security Numbers
• Credit Card Numbers
• Source code
• Financial statements
Threat
• Intentional leakage
• Accidental leakage
Web SaaS Security - Key Functionality
• Days of point products are over; Too much cost & management overhead
• Integrated portfolio; Easy to manage, Lower cost; Better security
More than Anti-Virus
• Similar to SMTP, AV is needed on HTTP channel but AV is not enough
• Key is protection against botnets, malicious active content, XSS and various browser exploits.
More than URL Filtering
• URL filtering is required but it is not enough
• Key is Web 2.0 application control. Offering right access to right users for Web 2.0 (e.g., marketing can publish on Facebook, others can only view)
Data Loss Prevention
• Ability to inspect outbound HTTP traffic is critical
• Enforce DLP policy by applications or user groups (e.g., Source code or customer lists can't be sent via Webmail or IM)
Logging & Reporting
• Retain web logs for a longer period and access them on-demand
• Ability to get flexible reporting by users, departments, applications and locations; Drill-down to transaction-level for detail.
Enterprise Readiness
• Full redundancy & reliability
• Integration with directory for user/group based policies
• Ability to support mobile/roaming users without another desktop plug-in
SaaS vs. Appliances/Software
Cost
  SaaS: No cost to acquire or deploy. Requires OpEx rather than CapEx
  Appliances/Software: Need significant CapEx to acquire and deploy boxes/software
Threat Detection
  SaaS: Cloud architecture enables better threat detection and real-time updates
  Appliances/Software: Harder and time-consuming to update each box
Ease of Use & Implementation
  SaaS: No need to manage appliances or software; Customers only do policy enforcement
  Appliances/Software: Requires IT to manage hardware, software, database and policies
IT Resources
  SaaS: Fewer IT resources needed
  Appliances/Software: Significant IT resources needed
Latency due to Traffic Re-routing
  SaaS: Can lead to higher latency due to traffic rerouting unless the vendor has global presence of data centers
  Appliances/Software: Little latency (appliance sits on customer premise) unless traffic backhauled to HQ
Control
  SaaS: Less control
  Appliances/Software: Full control of the environment though employee turn-over can make it hard
Green IT
  SaaS: Environmentally friendly, requires fewer boxes
  Appliances/Software: Dedicated boxes for each customer; more power/cooling
What to Look for in SaaS Solutions
Multi-tenant Architecture
• Is a user tied to a specific data center, or can she use the nearest data center anywhere around the globe? This has scalability & latency implications. SaaS built using traditional proxies doesn't allow this.
Reliability
• Service Level Agreements – Can up-time be guaranteed?
• Redundancy – Do individual components constitute single points of failure?
Response Time (Low Latency)
• Response Time – Does traffic inspection introduce latency to web surfing or improve throughput thanks to caching and access to networks with greater bandwidth? Consider the following:
• Geographically Distributed Architecture – Is the 'first hop' in the same city or on the other side of the country?
• Speed – Is data inspection optimized or dependent upon third party libraries which can't be optimized?
What to Look for in SaaS Solutions (cont'd)
Functionality
• Current Solutions – Does the SaaS offering have equal or better performance when compared to existing solutions?
• Comprehensive Functionality – Is the SaaS solution comprehensive or are you simply trading multiple appliances for multiple clouds?
Cost
• TCO – Compare TCO for needed functionality across SaaS solutions
Mobility
• Road Warriors – Can mobile devices and remote employees be protected under the same SaaS architecture?
Conclusions
• Web 2.0 has become "enterprise 2.0" as a growing number of Web applications make their way into the corporate environment, bringing with them even more security concerns and attack vectors.
• The boundaries between consumer and corporate Web 2.0 environments are blurring. IDC believes a growing number of consumer-oriented Web 2.0 technologies will continue to saturate the corporate environment.
• Many Web 2.0 applications leverage evasive techniques to communicate and share information. The challenge of identifying these applications and applying appropriate policy is a burden facing many organizations today.
• The growing number of mobile and remote users is creating a complex distributed workplace. Many corporate applications are being moved to the Web 2.0 environment to allow remote employees to work more efficiently.
IDC Recommendations
• It is IDC's opinion that organizations should embrace the value of Web 2.0 tools as a way to help lower costs and increase collaboration with little to no administrative burden on IT staff.
• Organizations must accelerate their adoption of next generation Web security solutions; the cost of not doing so is increased malware infection, data leakage, and financial loss.
• New platform options, such as SaaS, should be explored as part of this adoption, and organizations should find vendors which provide next generation technologies.
• The corporate DMZ is cluttered with security point appliances (appliance fatigue). Organizations using multiple point appliances should take this opportunity to consolidate in order to reduce administrative and support costs. In-the-cloud security, if done right, can consolidate point products, simplify them and reduce cost.
• Latency is the hardest problem to solve for an in-the-cloud security service. Distributed, multi-tenant architecture is key to solving it.
How Zscaler Improves Security at
Low TCO
Jay Chaudhry, CEO, Zscaler
Zscaler: The Leader in Cloud-Delivered Security
Zscaler Services
Singular Focus: Secure, fast and policy-based Internet experience from any place, on any device
Benefits
• Twice the functionality at half the price
• Mitigate business risk
• Improved Resource Utilization
Traditional Appliances: Don't Help with New Challenges
[Diagram: HQ Users behind a stack of point appliances, with Directory and Web Logs alongside. Appliance boxes: Caching + URL; AV; Botnets + Malware; Data Leakage; Web 2.0 Control; Webmail, IM Control; Bandwidth Control. Labels: "Already installed"; "Customers want this and don't have"; "Consolidated Reporting??". Remote Office(s), Road Warrior, Mobile User: "Bypass appliances & policy (VPN???)"]
• Acquisition & deployment Cost: X boxes
• On-going Management Cost: Multiple UI/policies, log files
Buy, install & maintain water cleaning kit in each home?
Current point products are expensive, inefficient and incomplete
Zscaler Service: Secure, Fast & Policy-based Access to Internet
[Diagram: the appliance stack from the previous slide (Caching + URL; AV; Botnets + Malware; Data Leakage; Web 2.0 Control; Webmail, IM Control; Bandwidth Control; Directory; Web Logs; "Consolidated Reporting??"; "Bypass appliances & policy (VPN???)") marked "Appliances have limited functionality" and X, replaced by the Zscaler Utility (Manage, Comply, Secure, Analyze) serving HQ Users, Remote Office(s), Road Warrior and Mobile User. IT admin defines your company policy.]
1 Forward Internet-bound traffic to Zscaler service
2 Inspect & enforce policy
3 Inspect web pages being returned for security
4 CLEAN traffic to user
• No Acquisition Cost, No Deployment Cost, Little on-going management
• Annual Subscription Fee
Let Utility clean the water
Free IT from Operational Security chores: Managing boxes
Enable IT to focus on Strategic Security: Policy & Architecture
Zscaler Service: Comprehensive, Integrated, Best-of-Breed
• URL Filtering
• Web 2.0 Applications Control
• Bandwidth Optimization
• Safe Browsing
• Web Access Controls
• Data Loss Prevention
• Advanced Threats Protection
• Forensics & Data Mining
• Anti-Virus & Anti-Spyware
Zscaler Global Network
Eliminates the need to buy multiple point products; Reduces cost
Zscaler: Five Key Game Changing Technologies
1 Distributed Network, Multi-tenant Architecture
• Deliver ultra-low latency, & High Reliability
2 10 Gbps Platform - Latency in Micro-secs
• 64-bit Architecture, Zscaler TCP stack, drivers; SSMA™ (Single Scan Multi Action)
3 IntelliSpect™
• Ultra fast content (body) scanning
• Detect malicious content, Data Leakage, Classify URLs
4 Page Risk Index
• Dynamically computed
• Better fraud prevention
5 NanoLog™
• 50:1 Log reduction
• Real-time consolidation
• Trans-level drilldown
Zscaler Global Network
Largest global Security-as-a-Service footprint
[Map, with legend "Production" and "Coming Shortly": Moscow, London, Toronto, Fremont, Chicago, Brussels, Frankfurt, Paris, Beijing, DC, Tokyo, Monterey, Atlanta, Tel Aviv, Mumbai, Mexico City, Hong Kong, Dubai, Singapore, Bogota, Sao Paulo, Johannesburg, Adelaide, Buenos Aires]
Delivers Rapid Response Time & High Reliability
IDC's What to Look for in SaaS Solutions
How Zscaler Stacks Up
1 Multi-tenant – True multi-tenant architecture
2 Reliability – Global, distributed network, N+1 redundancy
3 Low Latency – Ultra-low latency 10's of microseconds
4 Functionality – Comprehensive, Integrated
5 Cost – Low TCO, Twice the functionality, half the price
6 Mobility – Supports mobile users, No client s/w needed
Sub-Zero Case Study
Tyler Verri
Security Analyst
For 60 years, Sub-Zero has offered innovative, aesthetically appealing and technologically advanced solutions to meet virtually any home refrigeration need. Through foresight and responsiveness, the company has earned its position as an industry leader – a position Sub-Zero intends to maintain well into the new millennium.
Issues
• Legacy URL filtering; Unsupported after this company was acquired.
• Reporting was lacking and had issues with the logging server
• Maintaining the updates, patches and signatures equated to substantial costs of employees' time
• Mobile users had no enforcement of policy and infections were causing the need for reimaging
• No redundancy in the event of a failure
Why Zscaler SaaS Service was Selected
• ROI was the primary driving factor in selecting Zscaler
  • The operational cost of time dealing with maintenance and reimaging infected machines
  • The capital cost of no new hardware or software as it worked seamlessly with existing equipment (ISA server)
• Unique functionality played a part as well
  • Control over Web 2.0
  • Advanced Security
  • Real Time reporting with user level details
• No latency
  • Zscaler had no perceivable effect on the end user's experience
• Mobile user coverage
  • Policy could follow the remote personnel regardless of connection type
• Redundancy
  • SLAs and multiple nodes to point to in the event of a failure
Why Reputation Does Not Work
for Web Security
Michael Sutton, VP of Security Research, Zscaler
Traditional Reputation Score is Ineffective for Web 2.0
IP Reputation (Email)
Identify servers known to send or proxy spam email
• Works reasonably well
• Spam sources relatively static
Domain Reputation (Web 1.0)
Identify domains hosting malicious content
• Worked well for Web 1.0 when web pages were static
• With Web 2.0's user generated content, it does not work (domain may be good, specific pages may be malicious)
Page Risk Index (Web 2.0)
Identify malicious pages (content) dynamically
• Risk Index is created for each page in real time
• Requires inspection of web pages
• Effective if latency can be minimized
“Site reputation is no longer a useful measure”
[Timeline: 2004 to 2009]
Zscaler Dynamic Risk Index for Web 2.0
Page Risk Index (Dynamic)
Dynamic score of each page computed in-line
• Potential Attacks: Code Obfuscation, XSS, Vulnerable ActiveX, Zero Pixel iFRAMES, Zero Pixel Images, Injected Scripts
Domain Risk Index (Static)
Almost static, Computed mostly offline
• Country of Origin, Past Malicious Content, Age of Domain, High Risk Categorization, High Risk TLD, Past Results
Overall Page Risk Index of requested page
• X = f(X1, X2)
• Low: Allow; High: Block
[Diagram: requests from Users to the Internet pass through the risk index check]
Risk Index combines domain & page risk index computed in real-time
Zscaler Dynamic Risk Index
Threats
• Attackers are targeting end users via web based threats
• 65% of Web-based malware is spread by exploiting browsers (ENISA)
• Anti-virus/anti-spyware cannot defend against the majority of web based threats
Environment
• User supplied, dynamic, Web 2.0 content has made static risk scores obsolete
Solution
• Risk must be dynamically determined for each individual response
Technology
• Patent-pending technology
• Full bi-directional inspection of content
• Dynamically calculated risk scores
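The scoring described on the two Risk Index slides, as an added example that is not Zscaler's algorithm or code from the presentation: a page index from a subset of the listed content signals, a domain index from slow-changing attributes, and a combining function f. The weights, the threshold, the placeholder TLD list, the 30-day age cut-off and the choice of f are all assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed weights and threshold: the slides name the signals, not their values.
PAGE_WEIGHTS = {"zero_pixel_iframe": 40, "zero_pixel_image": 15, "obfuscated_script": 30}
DOMAIN_WEIGHTS = {"high_risk_tld": 20, "young_domain": 25, "past_malicious": 40}
HIGH_RISK_TLDS = {"invalid", "test"}  # placeholder list built from reserved TLDs
BLOCK_AT = 60

ZERO_ATTR = re.compile(r"\s*0+(?:px)?\s*")
ZERO_CSS = re.compile(r"(?:^|;)(?:width|height):0+(?:px)?(?:;|$)")
OBFUSCATED = re.compile(
    r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(|(?:%[0-9a-fA-F]{2}){8,}")

class PageSignals(HTMLParser):
    """Collects the distinct content signals seen in one response body."""
    def __init__(self):
        super().__init__()
        self.hits, self._in_script = set(), False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = tag == "script"
        if tag in ("iframe", "img"):
            style = (a.get("style") or "").replace(" ", "").lower()
            zero = any(ZERO_ATTR.fullmatch(a.get(k) or "") for k in ("width", "height"))
            if zero or ZERO_CSS.search(style):
                self.hits.add("zero_pixel_iframe" if tag == "iframe" else "zero_pixel_image")

    def handle_endtag(self, tag):
        self._in_script = False  # script bodies contain no other end tags

    def handle_data(self, data):
        if self._in_script and OBFUSCATED.search(data):
            self.hits.add("obfuscated_script")

def page_risk(html):
    """Dynamic index (0-100) computed from the content of this response."""
    p = PageSignals()
    p.feed(html)
    p.close()
    return min(100, sum(PAGE_WEIGHTS[h] for h in p.hits)), sorted(p.hits)

def domain_risk(host, age_days, past_malicious):
    """Static index (0-100) from attributes that can be computed offline."""
    flags = {"high_risk_tld": host.rsplit(".", 1)[-1].lower() in HIGH_RISK_TLDS,
             "young_domain": age_days < 30, "past_malicious": past_malicious}
    hits = sorted(k for k, v in flags.items() if v)
    return min(100, sum(DOMAIN_WEIGHTS[h] for h in hits)), hits

def verdict(html, host, age_days, past_malicious=False):
    """Combine both indices; assumed f lets either index alone reach the threshold."""
    p, p_hits = page_risk(html)
    d, d_hits = domain_risk(host, age_days, past_malicious)
    x = round(p + d - p * d / 100)
    return ("block" if x >= BLOCK_AT else "allow"), x, p_hits + d_hits

# Constructed samples: user-generated page on a long-established domain, and a clean page.
INJECTED = ('<p>Forum post</p><iframe src="http://a.invalid/x" width="0" height="0">'
            '</iframe><script>eval(unescape("%64%6f%63"))</script>')
CLEAN = '<img src="/logo.png" width="120" height="40"><script>var n = 1 + 1;</script>'
```

With these assumed values the injected page is blocked even though its domain index is zero, which is the case a domain-reputation score alone would allow.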
Understanding the Power of
Cloud-Delivered Security
By Jim Reavis
August 2009
About Jim Reavis
• President, Reavis Consulting Group
• Executive Director, Cloud Security Alliance
• Former Executive Director, ISSA
• Track emerging trends
Trend towards Cloud Computing
• Flexible, rapid deployment of information technology
• Pay as you go – compelling ROI
• Shifting IT from capital expenditures to operating budget
• Downturn has accelerated cloud adoption
• Broadly embraced across government, enterprises and SMEs
Threat Profile & Trends
• De-perimeterization: corporate IT beyond corporate boundaries
• Malicious actors employ sophisticated technology and business models
• Malware has overwhelmed traditional security model – web top threat vector
• Insider threats and data leakage on the rise
• Need to leverage cloud trends to win
Cloud-Delivered Security
• Optimal threat coverage
  • Protect entire “information perimeter”
  • Protect against all threats: Data loss, AV, Web 2.0
• Superior security architecture
  • Reduce redundant threat updates and latency
  • Uniform protection across all locations
• Economic
  • “On demand”, per seat pricing
  • Flexible cost center accounting
• Business enabler
  • Immediate service, no product provisioning delays
  • Secure new business initiatives immediately
Adoption of Cloud-Delivered Security
• CISOs see cloud-delivered security as inevitable next generation model
• Crucial to prepare for further IT changes
• Various migration strategies employed today
  • Location by location
  • Business unit specific
  • Full enterprise – one security service at a time
  • Complete
Lessons learned
• Reduced cost of ownership
  • Reduced capital outlays
  • No appliance maintenance
  • Fewer management consoles
• Greater visibility into IT assets and usage
• Leverage with business partners and customers
• Information security redeploying resources to solve business problems
Summary
1 Zscaler consolidates the DMZ
  Simplifies IT administration and reduces cost
2 Delivers high performance, ultra-low latency
  Designed for SaaS, not re-purposed appliances
3 Most comprehensive Functionality
  Integrated, best-of-breed
4 Low TCO – Twice the functionality, half the cost
  Due to Technology & SaaS
Copyright © 2007-08 Zscaler Proprietary and Confidential.
Reminder: Feedback Form
Please complete the Feedback Form as we go thru each
section.
We will send you a copy of the presentation.
Feedback form is a pop up so if you did not receive it
please unblock pop ups
Next Steps
• Onsite Meeting
• Free Service Evaluation
• Online Personalized Demo
Contact Zscaler at:
info@zscaler.com or
+1- 408-826-8250
Please complete the Feedback Form before you exit
Contact Zscaler at:
India
Sridhar Namachivayan
sridhar.n@zscaler.com
+91 9845526361
South East Asia
Stephanie Boo
SBoo@zscaler.com
+65 97965851
Greater China
Tommy Mak
TMak@zscaler.com
+85 294996331
Australia
John Martens
JMartens@zscaler.com
+613 98595266
Q&A Session
Submit your Questions using the on-screen text box.
• Brian Burke, IDC