Finally, there's a way to determine who's trustworthy, and who isn't, on the Internet
- By Daniel Ryan
- May 01, 2008
Imagine if 100 people knocked on
your front door each day, but fewer
than 10 of them were trustworthy.
The rest were crooks, con artists and
aspiring criminals. That’s the situation facing
today’s Internet users. Some skeptics
believe there is no stopping bot networks,
phishing schemes and digital scams.
The threat landscape can be intimidating.
On a typical day, the Internet hosts as
many as 450,000 new individual zombies
and tens of thousands of zombie networks.
Each zombie network, in turn,
generates the bulk of today’s Internet
spam—which clogs corporate and personal
In many cases, 95 percent of Internet
mail is spam, according to Secure
Computer Corp. researchers.
“I’ve spoken to clients where spam
represents 97 percent of e-mail,” said
Peter Firstbrook, research director at
A Hostile Threat Environment
This constant barrage threatens e-commerce
and online communications. Some
users have stopped opening unsolicited emails
from sources they don’t recognize,
said Russell Dean Vines, author of the
best-selling book “Phishing: Cutting the
Identity Theft Line.”
Other users have scaled back or halted
plans to use e-commerce service. In the
United Kingdom, for instance, nearly
one-third of users cite security fears as
the main reason for not using the Internet
to manage their finances, according to a
survey of 200 consumers conducted by
BT Group PLC in 2005.
Organizations that continue to fight
today’s threats with the same old security
tools are in for a rude awakening.
“We’ve reached an inflection point
with Internet security,” Vines said.
“People are taking a step back and saying,
‘What can I do differently?’ ”
Chief information security officers must
embrace the next generation of threat
detection and threat mitigation.
In the first generation of IT security,
organizations relied heavily on antivirus
signatures as part of a reactive security
strategy. Those signatures were useful
and helpful, but they didn’t help organizations
combat new viruses and threats
that lacked documented signatures.
Antivirus signatures are similar to
criminal fingerprints. It’s difficult to identify,
track and stop a thief using fingerprints
if he has yet to leave any prints at a
crime scene. Likewise, you can’t use digital
signatures to combat a virus if the
virus’ signature has yet to be documented.
Signatures are binary, and that is a problem. When a security company writes
a signature for a virus threat, it has to
match the virus exactly. As viruses mutate
and new ones emerge, companies that
write signature-based security programs
face a never-ending race to stay current.
A second generation of security technology—
known as heuristics—is more
flexible than signature-based technology.
Heuristics is based on value and checks
for anomalous behavior. These products
represented a solid step in the right direction,
offering supplemental security—but
there also were some downsides.
First, heuristics products that tracked
anomalous behavior sometimes led to
false positives—much in the way that
profiling can lead law enforcement officials
to interrogate and sometimes arrest
innocent parties. The other problem
involved traffic. In order to keep data
moving at a reasonable rate across a network,
businesses can’t afford to analyze
every piece of information that flows
across the network fabric.
Faced with the limitations of first- and
second-generation security products,
CISOs have been seeking third-generation
solutions that focus on behaviorbased
For some organizations, the threat landscape
is overwhelming. Many vendors
are answering the call for help with socalled
proactive security products.
Dozens of vendors claim they can keep
you ahead of the threat curve with products
that anticipate problems before they
occur. A few now claim they have zeroday
threat protection, which means they
claim to safeguard networks from newly
discovered exploits. These and other
claims are creating noise and confusion
in the security marketplace.
Still, savvy CISOs have discovered
the power of what we can only now call a
sub-zero threat protection system. Instead
of sitting back and waiting for attackers
to come knocking, CISOs are leveraging
a reputation-based system—a third-generation
security solution that identifies
who can be trusted and who cannot.
To understand how a reputation-based
system works, consider the world of financial
credit scores. In the 1960s, there was
no such thing as a credit score. You were
either a good risk or a bad risk for the
lender. There was no gray area for financial
lenders to make informed decisions.
To improve the lending system, financial
firms invented credit scoring systems
based on a history of business transactions,
personal transactions and personal
payment patterns. Suddenly, loans could
have variable terms and interest rates
based on financial credit scores.
Apply that same example to the IT
security market. Security developers have
borrowed a page from financial companies,
making available a threat reputation
scoring system based on Internet entities.
The threat reputation system scans all
IPs, domains, URLs, e-mail messages
and images, and pinpoints how trustworthy
they are by looking at their behavior—
and their reputation—in real time.
Then, the system accurately categorizes
them. Instead of simply placing Internet
entities into trusted and untrusted buckets,
the system ranks Internet entities on a
confidence scale that’s similar to the
credit score model used by financial
lenders. This mitigates false positives
within the system.
For more than four years, the global
system known as TrustedSource has been
in development, and now, more than
20,000 companies worldwide are counting
on the advanced security system to
protect against threats before they can
enter the network.
“This isn’t something you build
overnight,” said Roger Miller, president
of Network Aware. “It takes considerable
time, money and brainpower. Plus, you
need an existing global network in place
that allows you to collect and analyze all
of the data you’re going to need for a true
threat reputation system.”
Know the Options
Here’s how to separate fact from fiction as
you evaluate potential threat reputation.
The reputation system has to be the first
line of defense. Rather than sitting deep
within the heart of your network, a threat
reputation system sits on its edge and
stamps out problems before they have a
chance to touch the internal network.
Imagine, for instance, 100,000 emails
hitting the threat reputation system.
In this scenario, the application
typically blocks and destroys 60,000 of the messages based purely on IP and
domain reputation, calculated based on
real-time behavior. And the protection
doesn’t end there. The system stops an
additional 15 percent or so of the
messages based on image and message
type. And finally, another 15 percent
of messages are blocked based on
“So, only about 10 percent of the mail
directed at your network actually makes it
into the networks,” said Ed Golod, president
of Revenue Accelerators Inc.
Looking ahead, this edge approach is
the only way to protect networks and
scale internal systems. Ironically, by
adding more servers and horsepower to a
network without a threat reputation system
in place, users only increase the
capacity to receive more spam—and the
threats that come with it, such as phishing
and other for-profit hacker schemes.
A Unique System
When designed correctly, threat reputation
systems resemble massive, global intelligent
grid networks that rapidly collect and
share information across the system.
Admittedly, a handful of security
companies collect virus- and spam-related
data. But those collection systems are
fairly rudimentary and are mostly used
for antivirus research reports.
“It’s fine when an antivirus company
starts describing a new virus threat that
can exploit a software hole,” Miller said.
“But that’s old school. A new school
threat reputation system will need to dig
Think of the global system as a learning
and information-sharing network.
When one node within the system
detects an anomaly or new threat, it
passes on the information to every other
node—much like a body’s immune system
broadcasts the need for more white
blood cells when an infection attempts
to enter the system.
During a typical month,
TrustedSource monitors billions of
Internet transactions. Thanks to its global
breadth and depth, the solution blocks
up to 83 percent of mail volume and
more than 90 percent of spam before
anti-spam software even needs to kick
in. Globally, it blocks 6.2 terabytes of
Avoid False Positives
Some security vendors are designing
systems based on overly simplistic good
or bad methodologies. If the content is
deemed to be from a trusted source, it’s
allowed to enter the network. But if it’s
deemed bad, it’s blocked. That strategy
may have worked in the 1990s. But that
black-and-white approach ignores the
reality of today’s Internet traffic.
Simply put, there’s a broad gray area
that can’t be ignored. For instance, you
don’t want to block traffic from an entire
Internet service provider if only one of
its relays fails the reputation test.
“You want a system that delivers
accurate results, and you want to avoid
false positives,” Firstbrook said. “If you
start blocking entire ISPs, you can wind
up doing collateral damage.”
The threat reputation network has to
have a rich object classification system
that allows you to extensively define
each threat you’re facing. For instance,
the system should be granular enough
to indicate that you want to block selected
e-newsletters without labeling them
Find the Experts
To be sure, more big technology
providers are dabbling in IT security.
For those Goliaths, security is often a
check mark they need to have when discussing
overall product portfolios with
Still, even Firstbrook concedes that
big, broad technology companies will
have a difficult time designing in-depth,
global threat reputation systems.
“Those broad companies are doing a
lot of great things, but it’s challenging for
them to get really focused on something
like threat reputation,” Firstbrook said.
This solution seems to be a breakthrough
technology that enables organizations
to minimize vulnerabilities,
threats and risk often before they exist or
can do damage. As a result, potential
hackers, spammers, phishers and other
attackers are halted in