Trend Micro Inc is to announce technology that checks a web site’s reputation on a database held in the internet Cloud to address exploits that use the web to download components or ship out sensitive data.
The Total Web Threat protection capability, as the infosec vendor calls it, was developed because the company recognized that baseline security techniques like pattern matching, and even heuristics, can’t keep up with the rate at which malware is morphing to evade detection, said Raimund Genes, Trend’s CTO of anti-malware.
Exploits are increasingly coming with an internet component, i.e. accessing the Web to bring in additional components or, like a keylogger, to send out data from a compromised machine, so Trend saw that a reputation service for the URLs and IP addresses accessed would be a useful addition to its armory in tackling Web threats. And by placing it in the internet Cloud rather than on a local database at each customer site, the Tokyo-based ISV overcomes the update issue: it becomes immediately accessible in its most up-to-date form from any machine, anywhere.
This is baseline stuff to address the new threats, Genes said, arguing that the Achilles heel of these new Web threats is that the bad guys are limited in the number of servers they can access because they’ve haven’t got too many infiltrated, so they don’t want to change URLs or IP addresses too often. He cited the example of one exploit that, though existing in many variants, always goes to a webpage to download parts, then resizes to avoid detection and is sent out again.
The Japanese ISV’s technology works by picking up on a DNS request sent by a corporate laptop to access a URL or IP address. We then put in a second DNS request to our server farm and they reply with information about the URL, said Genes. Then if it is a known malicious site, Trend will block access to it, whereas if it is merely a suspicious site, it may be blocked if the machine is out in the big wide world, but perhaps not if it is on the company intranet and thus behind firewalls and IDS/IPS infrastructure. In other words, the technology’s response is in accordance with the policy for that machine, which will have been pre-set by the company’s IT department.
We can block known malicious sites, suspicious sites and the IP addresses and URL of known bots, or we can block only the known malicious, which would be the ‘Low’ security setting, said Genes. We recommend the ‘Medium-High’ setting, adding that because we’re linked into the firewall layer in a company’s network, we can warn the user and the admin when a site is suspicious, then block access to it.
Genes said Total Web Threat Protection has already been rolled into the 2007 version of Trend’s consumer product PC-cillin and, with 300 million domains on the database, it getting some two billion hits a day. Now we’ll roll it into all our other products, at which point we expect to reach six to eight billion hits by the end of the year, depending on the speed with which we can roll it out in corporate environments. There is already a beta underway with one corporate customer, who is testing it on its desktop estate, he added.