Take back control over your s

Transcription

1 IP IP spam Take back control over your s Anti-Phishing Anti-Malware Anti-Spam Graymail

2 More than just antispam Security goes hand in hand with efficiency Spare your employees the daily graymail cleanup. Vade Secure s filter solution does not compromise on security, protecting you from spam, phishing and viruses thanks to an innovative heuristic technology. Associating automatic classification of low-priority s with safe unsubscription from newsletters in 1 click, the Vade Secure solution offers a global, simple and effective response to your expectations: more productivity and control over your mail. SECURITY / HEURISTIC FILTER designed to combat all online threats Fast and accurate, scans do not require connections to external services. The filter is operational immediately after installation and is effective against waves of targeted attacks. Multi-technology engine Based on heuristic technology, the filter is complemented by signature, reputation scans and automatic content exploration. Heuristic antivirus Your users are protected from all types of viruses thanks to the heuristic antivirus as well as the Doctor Web antivirus as an additional option. Incoming and outgoing filter To protect your infrastructure and reputation from spam sent via botnets, the filter analyzes outgoing s. Effectiveness and reliability Effectiveness: detects the nature of 99.99% of s Reliability: Occurrence of false positives lower than 1/ AUTOMATIC CLASSIFICATION S The automatic classification of graymail helps users with the day-to-day management of their s. s are sorted by their nature: person-to-person, advertisement, newsletter, social network notification, etc. We classify your s according to your filter policy and strategy. Increased productivity Your users gain better visibility over important s so that they can focus on what matters. Inbox Zero becomes efficient and a pleasure to use with an uncluttered mailbox. Resources put to better use Advertisements take up 10 times the space of spam, so we spare you from having to store them Reputation management Vade Secure manages the reputation of routers so that they abide by best practices. MANAGEMENT / SAFE UNSUBSCRIPTION IN 1 CLICK Allows the user to unsubscribe from all e-subscriptions he no longer wishes to receive in 1 click. The unsubscription procedure is identified during the filtering phase. The process takes place in real time and delivers results in 1.4 seconds with a success rate of 84%. The most advanced solution All unsubscription processes are supported in order to guarantee the highest success rate. A fully secure service Unsubscribe links are detected only in legitimate graymail. Simple and fast Select the e-subscriptions you no longer wish to receive and click on Unsubscribe. Go straight to the essentials Get rid of s that no longer interest you to focus on what matters to you.

3 Always more low-priority s Advertisement s and other notifications are not spam. However, 82% of users see them as a nuisance and have indicated their dissatisfaction with their filter solutions (Gartner Magic Quadrant 2013). The issue is no longer spam, which is now well regulated by most antispam solutions on the market. The problem has shifted to low-priority s, called graymail. The proportion that graymail occupies in the global mail volume has reached 50% in professional mailboxes. There is of course a solution to the problem, but it is tedious deleting these s every day and unsubscribing from them manually. TRAFFIC COMPOSITION SOCIAL NETWORKS 28% of an employee s time is spent managing s Graymail has an impact on productivity, bringing it down by 25%. Apart from productivity, graymail takes up significant space on servers, since s containing advertisements are 10 times heavier than spam messages. Important s are drowned out in the list, increasing the risk of overlooking them. Graymail is legitimate but does not necessarily require immediate action by the user. High-priority s > Person-to-person s > Customer relationships (registration, billing, ticketing, etc) > Alerts and notifications (employment, real estate, etc.) > Bounces and acknowledgments of receipt (DNS, MDN and NDR) Graymail > Advertisements > Social networks (facebook, LinkedIn, twitter,...) > Newsletters > Discussion groups (google alerts, forums,...)

4 Take back control over your s Our solution adapts to your needs and infrastructure The only solution that recommends The solution runs independently from your mail client. Our security and graymail management product ranges are available in the following forms: Vade Secure Gateway Available in physical and virtual versions. Vade Secure Gateway adapts to your filter policy and is ready to use. Vade Secure Cloud Constraints relating to the management of an infrastructure will be a thing of the past as the cloud service filters all your s remotely and safely. Solution compatible with and Vade Secure SDK Embed the filter engine in your infrastructure for more customization and flexibility. 76 countries 300M protected mailboxes more than 4000 customers 95% renewal rate Vade Secure 3 avenue Antoine Pinay Hem - France USA - CANADA - FRANCE - HONG KONG - JAPAN Language-independent technology Contact: sales@vadesecure.com Tel.:

5 Anti Spear Phishing Solution Be protected from targeted attacks! Spear phishing s aim at hijacking a known person or an organization to deceive its recipients. Hackers who employ Spear Phishing often know the target recipient s name, address, job title, and professional network. The spear phisher already knows a lot about his intended victim thanks to the vast amount of personal information that can be accessed online via social networks, media, etc. 1. The hacker spies on Paul so he can impersonate someone from his network - John 3. When Paul opens the and either clicks on the link or attached file, his computer/network will get infected instantly 4. Hackers then gain access to company s network and are able to steal information 2. The hacker, using John s identity, sends an to Paul containing a malicious payload A COMBINATION OF CONTENT AND CONTEXTUAL HABIT ANALYSIS Vade Secure actively fights Spear Phishing with cutting edge technology dedicated to identify this specific and targeted threat. The filtering process uses two technologies: Identity Match and the Content Inspection. Advanced spoofing detection: Identity Match Identity Match is a set of protection developed and patented by Vade Secure. It identifies every that is spoofing your company domain name, alias and even similar addresses based on communication habits. The solution identifies similarities between new senders and all your previous contacts in order to identify if there is a spoofing attempt targeting your company. Sensitive data protection: Content Inspection Vade Secure uses a smart and fully integrated banner to alert users regardless of the device used when sensitive data is requested in the message. Your users are aware of the incoming threat while your administrator receives an alert to be able to react quickly in a case of a breach.

6 THE CHALLENGE FOR SECURITY VENDORS Though they are only a very small part of the world s total volume, Spear Phishing attacks are highly targeted and, therefore, effective. As a result, anti-spam technology must include content inspection to effectively combat these threats. Peter Firstbrook, an Analyst at Gartner, concluded in the most recent Magic Quadrant: Vendors that specialize in content inspection will be more successful in detecting these types of attacks than those that rely on reputation. One attack, many purposes Hackers can either use spear phishing to steal your employees sensitive information (social security number, bank credential...) or, their objective can be to gain access to your company s network through a malware injection. Once they are in the network, they are free to wire money abroad, copy your customer list, patents and more. Vade Secure s solution aims at preventing this by analyzing and understanding both content and payload. A Business Model that is 100% Scalable Our anti spear phishing solution is available either as a plugin or as part of a global filtering solution. Both in the cloud or on site through a virtual appliance. 76 countries 300M protected mailboxes more than 4000 customers 95% renewal rate Vade Secure 3 avenue Antoine Pinay Hem - France Tel.: USA - CANADA - FRANCE - HONG KONG - JAPAN Language-independent technology

7 The most advanced Anti-phishing Protection by Vade Secure Anti-phishing is major security threat used by hackers and 96% of users want better protection against targeted phishing attacks (Gartner Magic Quadrant July 2015). Vade Secure Anti-phishing solution is the only one on the market to combine both s content analysis, a webpage exploration engine and a strong ecosystem to ensure the best security and the most comprehensive real-time cycle from analyzing the message to the takedown of the phishing webpage. SECURITY BEFORE, DURING, AND AFTER THE ATTACK 1. Content filtering The heuristic engine deeply analyses every element of s such as the headers, its structure, brands elements, links and the attachments. This provides a very high accuracy even on low volume waves. 2. Webpage exploration at the «Time of Click» When the end user clicks on a link, the webpage is opened in a secure environment to verify if the page is safe at the exact user access time. This is relevant for phishing that use DNS changes to be seen as clean during the transmission. 3. Brand Alert Automated technologies that are able to identify brands without false positives. Linked with our community, we share alerts with brands, ISPs, hosting companies, and web browsers. 4. Host Alert and Webpage takedown To go further than just catching phishing, we automatically takedown, in real time, phishing webpages. Vade Retro has set up a automatic process to take down malicious webpages in less than 5min.

8 THE MOST COMPREHENSIVE TECHNOLOGIES TO FIGHT PHISHING This is the most comprehensive offer to efficiently fight phishing. Even if a phishing is not detected during the first filtering step, our webpage exploration engine check the page at the time of click, that means, even if the URL has changed users are protected. The two main technologies behind is a duo of an s content analysis and a webpage exploration engine. content analysis features Heuristic behavior analysis Zero day protection Predictive Variation insensitive Webpages exploration features Smart Pattern Machine Learning Dynamic URL Tracking User identity protection A TEAM GAME As a global organization in the security industry, Vade Secure shares its information with companies involved in phishing. Our community is composed of financial institutions, ISPs, brands, hosting companies and web browsers. This is crucial in the phishing fight, where everyone takes its responsibility, for a safer Internet. DELIVERY AVAILABLE As an On-Premise As a Cloud Solution Service 76 countries 300M protected mailboxes more than 4000 customers 95% renewal rate Vade Secure 3 avenue Antoine Pinay Hem - France Tel.: USA - CANADA - FRANCE - HONG KONG - JAPAN Language-independent technology

9 White paper Heuristic and behavioral methods for countering 0-day attacks

10 Heuristic and behavioral methods for countering 0-day attacks 1 Malware in s: insignificant volume, significant consequences is the leading vector for malware of all types. It indeed allows reaching a significant number of users easily. Malware may have different objectives: Mass mailing of spam, Causing denial of service attacks, Gathering confidential data (documents such as patents or contracts, credit card details, identifiers, social security numbers, etc), Encrypting the contents of a machine with the aim of demanding a ransom for its decryption. Malware represents a very small percentage of global traffic: As a matter of fact, only 0.02% of s sent worldwide contain malware. In a corporate environment, the presence of malware is even stronger. It represents 0.7% of traffic. Malware is sent in seasonal waves. It may depend on current events (e.g. terrorist attack, earthquakes, tsunamis, etc) to take advantage of the user s heightened attention, or may stem from a need to maintain or extend the environment of infected machines. The graph below represents the trend and frequency with which malware have been transmitted from April to September Data measured from 300 million mailboxes in 76 countries. vadesecure.com 2

11 Heuristic and behavioral methods for countering 0-day attacks The main anti-malware techniques used by the major specialized players are not effective enough to thwart 100% of attacks. Since anti-malware detection techniques are not confidential, they are now sufficiently known to cybercriminals for them to craft countermeasure techniques that can be controlled remotely or fully automated. Malware takes on very different forms, each of which have a particular objective. The graph below represents the distribution of currently active types of malware: The corporations listed below are some of the institutions with the strictest security policies and use solutions from the biggest names in information security. Despite intense focus on the protection policy, attacks still manage to weave through security barriers: State of South Carolina million Social Security numbers stolen (October 2012) LinkedIn - 6 million passwords stolen (June 2012) Global Payments million credit card numbers stolen (March 2012) State of Utah medical records stolen (March 2012) Sony Playstation Network data theft (April 2011) RSA Intellectual property theft on SecurID (March 2011) These events can be explained by the fact that malware developers focus above all on going through the most widely used anti-malware products. Indeed, cybercriminals place priority on developing malware that are transmitted through the most frequently used technologies and products in order to reach the largest number of victims. The cybercriminal will therefore maximize the return on his investment. vadesecure.com 3

12 Heuristic and behavioral methods for countering 0-day attacks 2 The main techniques used All the main techniques used involve analyzing the content of the infected file and its possible impact on the system. The main technologies used are set out below. File signatures: A digest of the file is calculated, in general in the form of a hash with a varying degree of agility (MD5, SHA1, SSDEEP). A centralized database stores signatures and spreads them directly on anti-malware filters. Heuristic rules on file contents: A signature allows detecting one or several malware. However, it is often strict and can easily be bypassed by polymorphic malware, meaning that they can produce an infinite number of hashes for the same operational objective. The aim of heuristic rules is to rely on the malware s operational behavior in order to be less sensitive to variations in its contents. Heuristic rules therefore allow identifying malware that has yet to be known to laboratories by identifying similar behavior in malware with different contents. Sandboxing: Sandboxing consists of executing a suspicious file in an isolated virtual environment. In general, sandboxing techniques provide disk space, RAM space and controlled network access in order to intercept packets there. Although security vendors innovate and improve their systems, cybercriminals remain agile and adapt to updates. Now, malware are able to identify security layers and adapt their operation accordingly. vadesecure.com 4

13 Heuristic and behavioral methods for countering 0-day attacks 3 Countermeasures used by malware a) Mutant malware: In order to evade signature systems and heuristic systems on file, many malware become mutant, meaning that they are created from an existing malware but with modified content. As such, anti-malware vendors would have to detect this evolution then create a new signature. The length of time between the publication of the mutant malware and the creation of the new signature allows the creator of the malware to infect new victims. b) Polymorphic malware: These malware are able to dynamically change forms each time they are replicated, preventing anti-malware software from identifying them by their signature. However, the way the malware operates remains unchanged - the algorithms are the same - only their translation to machine code is modified. c) Detection of a virtual environment: In order to evade sandboxing, an increasing number of malware are equipped with techniques for detecting virtual environments, as they only wish to be operational on physical machines. In order to do this, they detect specific drivers on virtual machines or even files that are only found on the disk when a hypervisor such as Vmware, KVM, Xen, etc is used. d) Waiting for user interaction: Also for the purpose of evading sandboxing, malware are equipped with chunks of code that will only be executed if the user interacts with the environment, for example by moving the mouse, the presence of a browsing history, keyboard usage, etc. e) Partially clean code: In yet another tactic to evade sandboxing, malware embed clean code, which poses no danger to the machine on which they are installed. This clean code is launched at the beginning for a certain period. The aim of this is to appear harmless during the analysis by a sandboxing system. After this period, the malware will then activate its malicious code. vadesecure.com 5

14 Heuristic and behavioral methods for countering 0-day attacks 4 Extended heuristic approach (transmission vector + content) In order not to take into account all the countermeasures set up by malware creators, heuristic methods perform a fully behavioral analysis based not only on the file alone, but on the transportation mode and all the information available about the file, including the file itself. Heuristics based on the transmission vector: In an filtering context, the extended heuristic analysis concentrates its analysis on the characteristics of a message. These algorithms can therefore be completely independent of the content and operational function of the attachment. In an context, a heuristic analysis allows focusing on the sender of the message, headers, the structure of its content, the characteristics of attachments (name, type, etc), among other properties - in other words, a set of significant data that can allow blocking a message that contains a malicious attachment. Heuristics based on macros: Macros contained in Office documents have once again become a widely used vector for spreading malware and contamination. In general, macros simply download and execute truly malicious code. The creators of such scripts therefore ensure that they will not be identified as malware so long as the actual malware file has not been downloaded. A heuristic analysis on macros allows distinguishing malicious macros from harmless macros and thereby blocks dangerous messages before they can reach the user s mailbox. Heuristics based on the analysis of PDF files: PDF files are also widely used for spreading malware. Especially in the corporate world, a PDF document may appear perfectly legitimate. Therefore a PDF-oriented heuristic analysis is a series of criteria detected within PDF documents combined with the analysis of the to identify whether it is part of a fraudulent communication. Extended heuristics: By definition, heuristic analysis may cover all the elements of the as well as the file. As such, heuristic rules aim to detect points in common between various attacks and take on malware with an advanced analysis that the cybercriminal would not be able to notice. They allow defusing polymorphic techniques on malware that attempts to bypass signature and sandboxing systems. vadesecure.com 6

15 Heuristic and behavioral methods for countering 0-day attacks 5 Heuristics avoid malware countermeasures As an expert in for more than 10 years and having protected more than 235 million mailboxes worldwide to date with a unique imprint on the French market, Vade Retro is in a position to combine a targeted heuristic analysis on commonly used file types (office documents containing macros, PDF documents, etc), with another heuristic analysis of the containing the file. This double analysis makes it possible to be fully independent of the content of the malware file with very high execution performance due to the fact that the file does not need to be fully loaded for the analysis. In addition to its heuristic analysis, Vade Retro generally provides a more conventional signature-based anti-malware technology which should be enabled for optimum effectiveness. The signature-based anti-malware will be used after the heuristic analysis in order to optimize the use of system resources. vadesecure.com 7

16 About de Vade Secure Vade Secure is the global leader on anti phishing, spear phishing, malware and ransomware filtering. Language independent, the filter analyzes globally all incoming s (links, attached files, content ) to detect all threats in zero-day, even the most targeted attacks. After elimination all threats, we eliminate the nuisance of low priority s with the Graymail Management. Ads, social networks notification and newsletters are automatically sent to the graymail folder while the Safe Unsubscribe button eliminate them forever. Protecting more than 300 million of mailboxes in 76 countries, our solutions are used by major ISPs, OEM and Enterprises worldwide. Vade Secure is implanted in 5 countries (USA, Canada, France, Hong Kong and Japan) to offer a 24/7 support. SASU Vade Secure au capital de avenue Antoine Pinay, Parc d activité des 4 vents, HEM - France RCS Lille Métropole