
Cisco Reputation Filtering:
Providing New Levels of Network Security

Solution Overview

Table of Contents

Executive Summary 3
Dangerous Threats on the Rise 3
Traditional Defenses Unequal to the Level of Sophisticated Attacks 4
Cisco’s Response—Cloud-Based Global Intelligence Operations 4
Unbeatable Reputation Filtering in Action 5
    Web Reputation Filtering 6
    IPS Reputation Filtering 6
    Malware-Infected Endpoint Detection 7
Why Cisco Has the Most Comprehensive Security Solution 8

© 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 2

Executive Summary
Today’s sophisticated, blended threats can exploit three or four different communications vehicles before
they launch full-scale attacks on unprepared enterprise networks.
This white paper, written for IT managers and executives, examines the new security risks for today’s
borderless enterprise networks, and describes how cloud-based Cisco® Security Intelligence Operations
and powerful, comprehensive reputation filtering capabilities built into Cisco security appliances and
services can help you protect your network from known and unknown threats.

Dangerous Threats on the Rise

Today’s borderless enterprise networks are more exposed to outside threats than ever before. Due to the
rising dependence on mobility, virtualization, cloud computing, and social networking applications in the
workplace, hackers have virtually unlimited opportunities to get around traditional network defenses. And
they are quick to exploit vulnerabilities, creating network threats specifically designed to avoid detection.
The exploits are often so targeted that there are no signatures to stop them.
Cisco Security Intelligence Operations (SIO) is a cloud-based security service—a web-based global network
of shared resources, software, and information provided to Cisco customers and devices on demand.
According to data collected from Cisco SIO, exploit and attack threat levels increased by 57 percent in
2009. Approximately 50 percent of malware attacks are committed by serial offenders for financial gain.
Exploiting networks is a business with unlimited opportunities for growth. It’s estimated that there are
approximately five connected devices per person in operation today around the world. Industry analysts
predict that this number will swell to 140 connected devices per person by 2013. Security threats are on a
similarly dramatic trajectory, from 2.6 million identified threats this year to 5.7 million in 2013.


At one time, exploits could often be traced to a small number of software weaknesses that were being
widely exploited. In the last few years, however, Cisco SIO has observed a greater and broader number
of vulnerabilities and attacks that require more patches, more mitigations, and wider monitoring activity.

Traditional Defenses Unequal to the Level of Sophisticated Attacks

The data is reflected in anecdotal evidence from our customers. Enterprise IT managers tell us they
are spending more time cleaning up infected PCs and servers, preventing data loss, and securing their
networks.
In response to increasingly complex attack techniques, filtering technology continues to develop, peering
deeper into network- and application-layer traffic, and performing more processing on every byte. However,
even deeper inspection with signature matching and behavioral analysis is still not able to handle the
latest threats, because the latest generation of malware uses multiple protocols, applications, and vectors
to propagate. No two attacks are exactly the same—binary containers, method of infection, and other
attributes change each time they replicate.
It’s also important to note that threat attacks are no longer confined to one vector. A perfect example is
the highly publicized Storm worm. Storm propagates itself using both web and email, along with social
engineering techniques. Storm has been around since 2007; the latest outbreak targets users by sending
spam emails that use a fake YouTube logo and video links. When unsuspecting users click on the link, an
embedded JavaScript routine runs in the browser and exploits unpatched devices to infect them with
the W32/Nuwar Trojan. If the devices are patched, users are presented with a link that appears to be from
YouTube, enticing them to click on it.
Layered defenses using scanning engines from multiple vendors do improve catch rates, but that is not
enough to halt the most sophisticated threats. Signatures have proven to be reliable in identifying behavior,
but they have not proven so useful in determining intent, which is more easily determined by past behavior.
Zero-day outbreaks pose a particular hazard. These malware variations do not match available existing
rules, patterns, or behaviors, and so are able to remain undetected until new rules or patterns are installed.

Cisco’s Response—Cloud-Based Global Intelligence Operations

Reputation filtering—analyzing the location and behavior of email host/IP/domain addresses and source
URLs—is a fairly common practice. Most security vendors get the majority of their data from their antivirus
footprints, but they catch only a percentage of malware attacks. For example, security researchers at
Trusteer discovered that the Zbot botnet that promulgated the Zeus Trojan was detected just 23 percent of
the time by up-to-date antivirus applications. (Antivirus Rarely Catches Zbot Zeus Trojan, Sept. 2009.)
Cisco provides a level of breadth and depth in its reputation filtering not found anywhere else. Cisco IronPort®
pioneered reputation technology with their SenderBase network—a global traffic monitoring network
to measure, in real time, the reputation, or trustworthiness, of a given server. The company began collecting
information about email server behavior in 2002; in 2006 it added data about websites referenced in spam.
Cisco SIO has since expanded its comprehensive reputation analysis implementation by integrating
firewall and intrusion detection and prevention data for a more robust network view of dynamic threats.


Think of Cisco SIO as the world’s largest cooperative global security ecosystem, using more than
700,000 live feeds from linked Cisco email, web, firewall, and intrusion prevention systems (IPSs).

1) Cisco SensorBase collects raw event data from more than 700,000 globally linked sensors in Cisco IPS
devices, firewalls, and web security and e-mail security devices, as well as data from more than 600
third-party feeds. SensorBase examines more than 30 percent of the world’s e-mail, thanks to strategically
located “honey-pot” accounts equipped with e-mail addresses publicized on lists that spammers might use.

2) The Cisco SIO Threat Operations Center weights and processes the data. When necessary, Cisco security
experts reverse-engineer malware and other Internet threats. Engineers also collect, research, and supply
information about security events that have the potential for widespread impact on networks, applications,
and devices.

3) When the data is ready for deployment, Cisco SIO mechanisms dynamically deliver updates to
Cisco firewall, web, IPS, and email devices, and Cisco IntelliShield vulnerability aggregation and alert
services. Cisco SIO also sends security best practice recommendations and community outreach
services to Cisco customers.

Unbeatable Reputation Filtering in Action

Reputation filters are valuable because they examine parameters that are hard to manipulate. Reputation
data is also truly dynamic, reacting in real time to subtle changes in Internet behavior. Scoring is proactive
and granular, covering both positive and negative aspects.

[Figure: SensorBase at the center, fed by Cisco IPS and ASA Appliances, Cisco IronPort Email Security, and
Cisco IronPort and ScanSafe Web Security.]


Email Reputation Filtering

Cisco email security appliances retrieve reputation information in real time, as incoming messages arrive.
These Cisco devices query DNS text records in SensorBase and retrieve a reputation score associated
with the IP address of the sending server. The score can range from –10.0 for the worst email senders to
+10.0 for the best. The reputation score is based on more than 200 aggregated and weighted parameters.
Cisco email security appliances reject email from servers with low scores (below –3.0) and rate-limit senders
that have medium to low reputation scores. They can also white-list high reputation senders, such as IP
addresses with +9.0 scores from Fortune 1000 organizations. Because spam is so prevalent, most of our
customers report that our default settings block more than 90 percent of incoming message attempts. This
first line of defense improves the efficiency and overall block rate of downstream virus and spam scanners.
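The reject / rate-limit / whitelist policy described above, written out as an added Python example (this is not Cisco code). The –3.0 reject threshold and the +9.0 whitelist score are taken from the text; the +3.0 upper edge of the rate-limited band, the hourly message budget, and the "score=<float>" TXT-record format are assumptions made for the example, and the record table is a constructed stand-in for a live SensorBase DNS query.

```python
"""Added example: an email reputation policy modelled on the description above.

Not Cisco code.  The -3.0 reject threshold and the +9.0 whitelist score come
from the text; the +3.0 upper edge of the rate-limited band, the hourly budget
and the TXT-record format are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the DNS TXT lookup a real appliance makes against
# SensorBase.  The "score=<float>" format is invented for this example.
CONSTRUCTED_TXT_RECORDS: Dict[str, str] = {
    "203.0.113.7": "score=-9.4",     # known spam source
    "198.51.100.22": "score=-1.2",   # suspicious new sender
    "192.0.2.77": "score=4.1",       # mid-range reputation
    "192.0.2.10": "score=9.3",       # long-established enterprise sender
}

REJECT_BELOW = -3.0      # from the text: reject servers scoring below -3.0
RATE_LIMIT_BELOW = 3.0   # assumption: scores in [-3.0, 3.0) are throttled
WHITELIST_AT = 9.0       # from the text: +9.0 senders are whitelisted
HOURLY_BUDGET = 20       # assumption: messages per hour from a throttled sender


def lookup_score(ip: str) -> Optional[float]:
    """Parse the reputation score for a sending IP; None when there is no record."""
    txt = CONSTRUCTED_TXT_RECORDS.get(ip)
    if txt is None:
        return None
    key, sep, value = txt.partition("=")
    if key != "score" or not sep:
        raise ValueError(f"unexpected TXT record for {ip}: {txt!r}")
    score = float(value)
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"score out of range for {ip}: {score}")
    return score


@dataclass
class SenderState:
    accepted_this_hour: int = 0   # reset by an hourly timer in a real deployment


@dataclass
class ReputationPolicy:
    throttled: Dict[str, SenderState] = field(default_factory=dict)

    def decide(self, ip: str) -> str:
        """Return the SMTP-time verdict for one connection from `ip`."""
        score = lookup_score(ip)
        if score is None:
            return "SCAN"             # no verdict: hand off to spam/virus scanners
        if score < REJECT_BELOW:
            return "REJECT"           # refuse the connection outright
        if score >= WHITELIST_AT:
            return "WHITELIST"        # skip downstream spam scanning
        if score < RATE_LIMIT_BELOW:
            state = self.throttled.setdefault(ip, SenderState())
            if state.accepted_this_hour >= HOURLY_BUDGET:
                return "DEFER"        # temporary 4xx: sender must retry later
            state.accepted_this_hour += 1
            return "THROTTLED_ACCEPT"
        return "SCAN"


if __name__ == "__main__":
    policy = ReputationPolicy()
    for sender in ("203.0.113.7", "198.51.100.22", "192.0.2.77", "192.0.2.10", "192.0.2.99"):
        print(sender, policy.decide(sender))
```

Two points the code makes explicit that the paragraph leaves implicit: a sender with no reputation record is not treated as bad (absence of data falls through to the content scanners rather than to a reject), and rate limiting is a stateful verdict, so the throttled sender gets its hourly budget and is then deferred with a temporary failure rather than refused permanently.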

Web Reputation Filtering

Cisco web security appliances connect to Cisco SIO every five minutes for database updates. These
rulesets contain lists of compromised web hosts as well as information about infected URLs and pages.
Rapid, granular scanning of each object on a requested webpage, rather than just URLs and initial HTML
requests, significantly reduces the chance of infection.
The appliances dynamically calculate the risk of each web request and response using reputation data to
block high-risk transactions and safeguard users from attacks such as IFrame and cross-site scripting. Web
reputation filtering is used in conjunction with signature and behavior-based scanners to provide much
faster and stronger multi-layered web protection.

What do Reputation Scores Mean?

The reputation scale runs from –10 (worst) to +10 (best). Reading from the bottom of the scale to the top:

–10: An IP address controlled by a spam house or a known open proxy generating massive volume of
complaints and hitting many spamtraps. Almost guaranteed to be spam.

Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists.
Almost always spam.

An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints
and spamtrap hits.

May be a dynamic IP (e.g., dial-up) sending direct to the Internet, or an email marketer with poor practices,
or a legitimate enterprise with an open server.

Some sending history, low or moderate complaints.

Long sending history, few complaints.

+10: A known enterprise, or a sender who has undergone third-party certification, with no complaints and
a long sending history.

IPS Reputation Filtering

Cisco intrusion prevention systems connect to Cisco SIO every 30 minutes and retrieve updated reputation
data based on parameters such as whether the IP address is a Dynamic Host Configuration Protocol
(DHCP) address, whether the IP address has a Domain Name System (DNS) entry, and how often that
information changes.


Real-time reputation feeds from Cisco SIO provide unique context information for Cisco IPSs. Using
Global Correlation to factor reputation into dynamic threat assessments, Cisco IPS is able to determine
the probability of malicious intent associated with a network event and modify the response action
accordingly. For example, the IPS sensor may detect an event that is often but not always associated with
malicious activity. Without Global Correlation, the sensor will send an alert about the activity, but no action
is taken on the network traffic. With Global Correlation, however, the sensor can access a wealth of historical
data on the source of the traffic. If the reputation is low, the sensor can take direct action and thwart the
potential attack without the risk of blocking valid traffic. The sensor can also use reputation data to pre-filter
traffic from sources with extremely low reputations, saving processing power for additional inspection.

Malware-Infected Endpoint Detection

Cisco adaptive security appliances connect to Cisco SensorBase every hour and retrieve the latest list
of known botnet command and control hosts. Hosts listed in the botnet traffic filter database earn a reputation
of –10.0. While traffic volumes to botnet networks may be small, the added protection is extremely
valuable. Firewall botnet traffic filters also automatically detect when infected systems in an organization
try to “phone home” to their controllers.
Cisco Web Security Appliances include a Layer 4 Traffic Monitor, in addition to web reputation filters and
multiple malware scanning engines, which detect website malware activity.
Even with the best defenses in place, some threats will always manage to breach the network. That’s
where the integrated Layer 4 Traffic Monitor proves its value. It scans all ports at wire speed, detecting and
blocking spyware phone-home activity. By tracking all 65,535 network ports at the network data center, the
Layer 4 Traffic Monitor effectively stops malware that attempts to proliferate through the network. In addition,
the Layer 4 Traffic Monitor can dynamically add IP addresses of known malware domains to its list of
ports and IP addresses to detect and block. Using this dynamic discovery capability, the Layer 4 Traffic
Monitor can monitor the movement of malware in real time—even as the malware host tries to avoid
detection by migrating from one IP address to another.

Reputation Filtering and IPv6

In recent months, Cisco Security Intelligence Operations (SIO) has witnessed a rise in criminal activity on
IPv6, particularly as sources of email threat messages and in channels used by botnet command-and-control
infrastructures.
In 2008, Time Magazine was hosting voting for its 100 Most Influential People of the Year award. To provide
legitimacy and deter users from ballot stuffing, Time created a system whereby each IP address received
one vote. The hacker team that pushed the winner, Moot, to the top of the charts faked out the system by
using an IPv6 address that didn’t work with the application. Although this hack was acknowledged by Time
and was not harmful, it still shows that security is a critical aspect of deploying IPv6 protocol.
While the threat volume to date has been relatively low, Cisco SIO expects this trend to only continue as
IPv6 implementation increases. As the backbone of Cisco’s threat collection and correlation system, Cisco
SIO has been investing in reputation scoring for IPv6 traffic.

For more information on IPS, email, and web security and how it can protect your organization, visit
www.cisco.com/go/threatdefense.
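The two-step Global Correlation decision, the botnet traffic filter's phone-home check, and the Layer 4 Traffic Monitor's dynamic discovery of malware-domain IPs, combined in one added Python example (not Cisco code). The –10.0 score for listed command-and-control hosts is from the text; the 0–100 risk-rating scale, every threshold, the C&C list, the malware-domain list, the reputation table, and the sample events are constructed for the example.

```python
"""Added example: reputation-informed IPS and firewall decisions as described above.

Not Cisco code.  The -10.0 score for listed C&C hosts is from the text; the
0-100 risk rating, every threshold, the C&C list, the malware-domain list and
the reputation table are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

BOTNET_SCORE = -10.0      # from the text: listed C&C hosts earn a reputation of -10.0
PREFILTER_BELOW = -9.0    # assumption: drop such sources before any inspection
DENY_BELOW = -3.0         # assumption: reputation cut-off for denying suspicious events
SUSPICIOUS_RISK = 60      # assumption: rating at which a signature is "often but not always" malicious


@dataclass
class Event:
    src: str
    dst: str
    dst_port: int
    direction: str                    # "in" (from the Internet) or "out" (from an internal host)
    signature: Optional[str] = None   # name of a matched IPS signature, if any
    risk_rating: int = 0              # constructed 0-100 scale


@dataclass
class ReputationEngine:
    # Placeholder for the hourly SensorBase botnet C&C pull.
    cc_hosts: Set[str] = field(default_factory=lambda: {"203.0.113.50", "203.0.113.51"})
    # Placeholder for the known-malware-domain list used for dynamic discovery.
    malware_domains: Set[str] = field(default_factory=lambda: {"cc.malware-example.invalid"})
    # Placeholder for the 30-minute reputation pull; unknown sources are neutral (0.0).
    reputation: Dict[str, float] = field(
        default_factory=lambda: {"198.51.100.9": -8.5, "192.0.2.40": 2.0})

    def reputation_of(self, ip: str) -> float:
        if ip in self.cc_hosts:
            return BOTNET_SCORE
        return self.reputation.get(ip, 0.0)

    def observe_dns_answer(self, domain: str, answers: Iterable[str]) -> None:
        """Dynamic discovery: IPs a known malware domain resolves to join the block list,
        so a C&C host that moves to a new address is still caught."""
        if domain in self.malware_domains:
            self.cc_hosts.update(answers)

    def decide(self, ev: Event, global_correlation: bool = True) -> str:
        # Botnet traffic filter: an internal host contacting a listed C&C is a phone-home.
        if ev.direction == "out" and ev.dst in self.cc_hosts:
            return "PHONE_HOME_DENY"
        rep = self.reputation_of(ev.src)
        # Pre-filter: extremely low reputation sources are dropped, saving inspection cycles.
        if global_correlation and rep <= PREFILTER_BELOW:
            return "PREFILTER_DROP"
        if ev.signature is None or ev.risk_rating < SUSPICIOUS_RISK:
            return "PASS"
        # A suspicious signature alone only alerts.  With Global Correlation the sensor
        # also consults the source's reputation and denies only when it is low, so a
        # neutral or positive source is never blocked on the signature alone.
        if global_correlation and rep < DENY_BELOW:
            return "DENY"
        return "ALERT"


if __name__ == "__main__":
    eng = ReputationEngine()
    print(eng.decide(Event("198.51.100.9", "10.0.0.5", 80, "in", "HTTP-suspicious", 70)))
    print(eng.decide(Event("10.0.0.7", "203.0.113.50", 6667, "out")))
```

The `global_correlation` flag makes the text's before/after comparison testable: the same suspicious event from a low-reputation source is merely alerted on without correlation and denied with it, while the same event from a neutral source stays at alert either way. The `observe_dns_answer` path shows why the dynamic list matters: an outbound connection to an address that is not yet listed passes, and is denied once a known malware domain has been seen resolving to it.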


Why Cisco Has the Most Comprehensive Security Solution

Through the combined intelligence in Cisco SIO SensorBase reputation filters for e-mail, web, IPS,
and firewall devices, IT security managers gain control over multivector threat signatures, network-based
attack detections, and reputation classifications to successfully block and limit network entry.

• Widest footprint: Cisco SensorBase collects data from 8 of the top 10 ISPs and makes over 3 billion web
requests a day—10 times more than other monitoring systems. A highly diverse group of more than 120,000
organizations, including the largest networks in the world, contribute information to Cisco—a remarkable
5 billion messages per day. The volume provides a statistically significant sample size, resulting in
immediate and accurate detection of even low-volume email senders and URLs.

• Fastest response: Cisco SIO reputation filters stop viruses even before signatures are made available,
yielding from 13 to 48 hours more protection compared to the top 6 antivirus vendors. Competitors usually
update their IPS filters twice a week, or within 8 hours of an emergency. Cisco SIO updates new IPS
reputation rules every few minutes.

• Best blended threat detection: Cisco’s unique combination of IPS signatures and firewall botnet data
with massive email and web sensor feeds expands SensorBase beyond event-specific protection to
cover a wider range of exploits with real zero-day protection.

• Higher accuracy: Cisco SIO reputation filters examine a multitude of factors to render much more
accurate conclusions. Cisco Global Correlation yields far fewer false positives by combining suspicious
traffic profiling with reputation scoring. The two-step approach prevents sensors from blocking traffic
from sources with a neutral or positive reputation, significantly reducing the potential for false positives.

• Easier implementation: Cisco SIO SensorBase detection, reporting, and update actions are automatic,
so IT security administrators don’t have to look at each signature and decide what to apply. They select
their preferred reputation thresholds, and the security devices do the rest. Organizations can stay up to
date with tools such as the Cisco IntelliShield Alert Manager and Cisco SIO-to-Go.

• Most effective: Cisco’s email reputation filtering blocks 90 to 98 percent of all mail before it enters the
corporate network—more than twice as much spam as the next closest vendor—even without scanning
it. Cisco research has found that IPSs using reputation filtering typically block three times more threats
than signatures alone.

Advanced Cisco SIO protection is available on the following Cisco products:
• Cisco Adaptive Security Appliances
• Cisco IronPort Email Security Appliances, Hosted Email Security, and Hybrid Hosted Email Security
• Cisco IronPort Web Security Appliances
• Cisco Intrusion Prevention Systems
• Cisco Integrated Services Modules
• Cisco IntelliShield Alert Services

These devices and hosted services are licensed with one or more security filters that are powered by
Cisco SIO, including:
• Cisco IronPort Virus Outbreak Filters
• Cisco IronPort Anti-Spam
• Cisco IronPort Email Reputation Filters
• Cisco IronPort Web Reputation Filters
• Cisco IPS Reputation and Signature Filters
• Cisco Firewall Botnet Traffic Filters


Summary
Today’s network threats can appear from literally anywhere. Malicious events arise from known suspicious
websites and spam, from zero-day exploits, and from new or legitimate websites that have been invisibly
compromised.
Cisco is on the vanguard of intelligent, proactive threat defense with its blended reputation and threat
analysis approach and its global, cloud-based Cisco Security Intelligence Operations using SensorBase,
the world’s largest threat database. Near-real-time cooperative data sharing and dynamic updates deliver
the latest protection to Cisco devices and security best practices to keep Cisco customers informed
and protected.
To learn more about Cisco Security Intelligence Operations, visit www.cisco.com/go/security or contact
your local reseller. To find a reseller in your area, visit www.cisco.com/web/partners.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

© 2010 Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks
mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) C11-614626-00 08/10

