Web Protection Must be Built on a Foundation of Layered Technology

Gartner's malware protection techniques, and where McAfee Web technology fits in

To help organizations better understand available protections and evaluate Secure Web Gateways, Gartner outlines 10 different techniques for malware detection in the research, 'Secure Web Gateway Malware Detection Techniques.' Use of multiple technologies, such as those outlined by Gartner, enables McAfee solutions to provide greater defenses while optimizing security on a single platform with different, yet complementary, technologies.

McAfee provides outstanding protection in each of the key areas outlined, including:

Block Lists
Signature Detection
Domain or IP Reputation
Static Code Analysis
Vulnerability Shields
Dynamic Code Analysis
Network Traffic Analysis
Content Analysis
Custom Rules
Policy-based Controls

Whether deploying on-premises with McAfee Web Gateway or in the cloud with McAfee Web SaaS Protection, McAfee solutions combine real-time intent analysis found in the Gateway Anti-Malware engine with comprehensive McAfee signature-based anti-virus protection and several reputation technologies – all powered by McAfee Labs.

10 key protection techniques outlined by Gartner and supported by McAfee technologies:

1. Block Lists: Building and Maintaining URL Filtering Databases
McAfee has a large, dedicated staff that builds and maintains the McAfee URL filtering database, or block list. Web crawlers, feeds, proprietary scanning engines and forensics are used by the team to analyze and categorize websites. Organizations can choose between an on-premises database and cloud look-ups, or a combination of both. Cloud look-ups eliminate protection gaps between discovery/change and system updates and offer significantly enhanced coverage. McAfee Web Gateway is also able to dynamically query and apply externally hosted data or lists to Web Gateway policies. For example, Web Gateway can query the Google API for YouTube categorization in real time, query trusted Certificate Authorities for the most up-to-date information, or access additional third-party malware feeds.

2. Signature Detection: Remembering Data or Communication Patterns
McAfee Web Protection solutions seamlessly integrate with McAfee's industry-leading signature-based anti-malware defenses. With a network of millions of sensors spanning the Internet, McAfee Labs delivers unparalleled signature-based protection through a complete suite of anti-malware products found in McAfee Web Protection solutions and OEM'ed by numerous Web security vendors. With cloud-based McAfee GTI file reputation look-up capabilities, used by Web Gateway, McAfee reduces signature file size footprint on the host and closes the gap between virus discovery and system update/protection.

While the coverage of the McAfee signature-based anti-malware protection in McAfee Web Gateway is similar to that found in widely adopted endpoint security products, when the signature-based engine is deployed in a gateway such as McAfee Web Gateway, it uses additional signatures not available through the endpoint products. McAfee Web Gateway also includes the optional use of an additional third-party signature-based anti-virus engine from Avira.

3. Domain or IP Reputation: Creating a Profile of Internet Entities, Domains and IP Addresses
For reputation-based filtering, McAfee uses its Global Threat Intelligence to create a profile of Internet entities, domains and IP addresses, based on hundreds of different attributes gathered from the massive, global data collection capabilities of McAfee Labs and deployed McAfee solutions, including Web and Email Gateways, IPS, firewall and endpoint systems. It then assigns a reputation score based on the security risk posed, enabling administrators to apply very granular rules about what to permit or deny. McAfee Web Gateway offers expanded reputation capabilities that include geo-location, enabling geographic visibility and policy management based on the web traffic's originating country.

4. Static Code Analysis (Heuristics): Detecting Unknown Threats
There are three separate heuristic capabilities built into the McAfee Gateway Anti-Malware engine that detect unknown threats:

1. Static Behavior Heuristics – Blocks suspicious or undesired behavior in code samples not seen before. For example, it could detect JavaScript trying to write to the registry and then optionally a) block the entire page, b) remove the JavaScript completely or c) remove just the offending fragment of the JavaScript. The last two options would still allow the web page to render and allow the client to access the content without malware infection.
2. Structural Heuristics – Allows the engine to correlate a new, slightly modified variant of malicious code to a known family of malware.
3. Network Behavior Heuristics – Enables the identification of potentially infected client PCs that produce suspicious Internet access behavior.

5. Vulnerability Shields: Detecting Exploits Aimed at a Specific Code Weakness in Unpatched Software
Exploit detection, a key function of the Gateway Anti-Malware engine, performs real-time content inspection and virtual machine emulation to detect potential zero-day or targeted exploit attacks before they reach client PCs; this is further explained below under Dynamic Code Analysis. Specific coverage includes the ability to block behaviors for code execution exploits and browser exploits, along with vulnerable ActiveX controls.

6. Dynamic Code Analysis: Behavioral Monitoring
Web Gateway uses a patent-pending approach to signature-less intent analysis, or dynamic code analysis, with the McAfee Gateway Anti-Malware Engine. Proactive intent analysis filters malicious content out of web traffic in real time. By scanning a web page's active content, emulating and understanding its behavior, and predicting its intent, Web Gateway proactively protects against zero-day and targeted attacks as they occur. To further improve Gateway protection against malicious software that typically downloads further malicious payloads, such as Trojan downloaders, bots, spyware and other exploits, Web Gateway uses US and EU patent-pending detection techniques to distinguish real human users surfing the web from malicious software accessing the Internet. The McAfee Gateway Anti-Malware Engine adjusts its protections to become more aggressive if the client is potentially automated and untrusted.

McAfee's finely tuned processes ensure that speed is not an issue with the McAfee Gateway Anti-Malware engine's behavioral analysis. Deployed in explicit proxy mode, nothing is delivered to the endpoint before it is scanned by McAfee Web Gateway.

7. Network Traffic Analysis: Performing Deep Inspection on Proxied Connections
McAfee Web Gateway performs deep inspection on the web protocols HTTP, HTTPS and FTP. These proxied connections are controlled up to the application layer, which allows McAfee Web Gateway to inspect and understand the complete data communication. Customer feedback continues to emphasize a separation of duties between web gateways, for high-performance deep web content inspection, and dedicated network products, for additional protocol coverage and protection. McAfee offers various network solutions, including McAfee Firewall Enterprise and McAfee Network Security Platform, that control network applications and protocols.

8. Content Analysis: Revealing the Exportation of Sensitive Data
McAfee Web Gateway protects organizations from outbound threats — such as leakage of confidential information — by scanning outbound content over all key web protocols, including SSL. This makes it an essential tool for preventing intellectual property loss, ensuring and documenting regulatory compliance, and providing forensic data in the event of a breach. Integrated with the McAfee Network Data Loss Prevention solution, McAfee Web Gateway supports predefined DLP dictionaries and enables custom dictionaries to be created through keyword matching and/or regular expressions.

McAfee Web Gateway outbound detection also protects roaming users with an already infected laptop from data leakage, because the malicious "phone home" activity — sending stolen passwords and other data — can be detected just-in-time at the network perimeter. The McAfee Gateway Anti-Malware engine blocks the data flow and isolates the client from further web access until it is cleaned.
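The dictionary-based outbound scan described above, as an added illustration that is not McAfee's code and uses no McAfee dictionary: a constructed keyword dictionary plus two constructed regular-expression dictionaries are applied to an outbound request body, and card-number candidates are Luhn-checked so that random digit runs do not trigger a block.

```python
import re

# Constructed custom dictionaries (illustrative, not McAfee's predefined ones).
KEYWORD_DICTIONARY = {"project falcon", "confidential", "internal only"}
REGEX_DICTIONARY = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits with optional space/dash separators; validated by Luhn below
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(body: str) -> list[tuple[str, str]]:
    """Return (dictionary name, matched text) for every hit in an outbound body."""
    hits = []
    lowered = body.lower()
    for kw in sorted(KEYWORD_DICTIONARY):      # keyword matching, case-insensitive
        if kw in lowered:
            hits.append(("keyword", kw))
    for name, pattern in REGEX_DICTIONARY.items():
        for m in pattern.finditer(body):
            text = m.group(0)
            if name == "pan":
                digits = re.sub(r"[ -]", "", text)
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue                   # digit run that is not a valid PAN
            hits.append((name, text))
    return hits


def policy_decision(body: str) -> str:
    """Gateway verdict for one outbound body: any dictionary hit blocks the flow."""
    return "BLOCK" if scan_outbound(body) else "ALLOW"
```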

9. Custom Rules: Patented Rules to Find and Stop Malware (Used by Malware Research Labs for Detecting Particular Threats or Threat Types)
McAfee and McAfee Labs have a long history of innovation. This has resulted in more than 420 patents issued and numerous pending, including more than 20 that are Web Gateway related. These patents relate to custom, proprietary techniques for finding and stopping malware.

10. Policy-based Controls: Designed to Control Traffic and Enhance Security
McAfee Web Gateway offers a powerful rules-based engine for optimal policy flexibility, security and control. With the ability to extract any HTTP header from both the request and the response, McAfee Web Gateway can easily implement rules that control traffic and enhance security, such as blocking known vulnerable versions of browsers. The McAfee Web Gateway platform extends policy flexibility and control to web applications as well, enabling granular, proxy-based control over how web applications are used. Organizations can choose from nearly 1,000 popular web applications, enabling or disabling specific functionality as needed and controlling who uses a web application and how it is used.
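The header-extraction rule just described (block known vulnerable browser versions), as an added example that is not McAfee's rule syntax or code: the request head is parsed, the User-Agent product token is extracted, and its major version is compared against a constructed minimum-version policy whose numbers are placeholders, not a real vulnerability list.

```python
import re

# Constructed policy: minimum acceptable major version per browser family.
# Placeholders for illustration; None means the family is never permitted.
MIN_BROWSER_VERSION = {"Firefox": 120, "Chrome": 120, "MSIE": None}

# Order matters: Edge/Opera also carry a Chrome/ token, Firefox never does.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
]


def parse_request_headers(raw: str) -> dict[str, str]:
    """Extract headers from a raw HTTP/1.1 request head; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def browser_from_ua(ua: str):
    """Return (family, major version) or (None, None) if no known token is found."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, int(m.group(1))
    return None, None


def evaluate_policy(raw_request: str) -> tuple[str, str]:
    """Gateway verdict for one request: (ALLOW|BLOCK, reason)."""
    headers = parse_request_headers(raw_request)
    family, major = browser_from_ua(headers.get("user-agent", ""))
    if family is None:
        # Unknown clients pass here; a stricter policy would block them.
        return "ALLOW", "no recognised browser token in User-Agent"
    minimum = MIN_BROWSER_VERSION.get(family)
    if minimum is None:
        return "BLOCK", f"{family} is not permitted"
    if major < minimum:
        return "BLOCK", f"{family} {major} is below minimum version {minimum}"
    return "ALLOW", f"{family} {major} meets policy"
```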

For more information on McAfee Web Protection solution technologies and the McAfee Gateway Anti-Malware engine, read the McAfee Labs report: McAfee Anti-Malware Engines: Values and Technologies.

Source: McAfee