SOURCE: IronPort Systems

March 20, 2008 08:00 ET

IronPort Bolsters Web Reputation Filters With Botsite Defense and URL Outbreak Detection

Vital Security Enhancements Use Industry's Leading Reputation Data to Improve Capture Rate of Web-Based Malware

SAN BRUNO, CA--(Marketwire - March 20, 2008) - IronPort® Systems, a Cisco® business unit and a leading provider of enterprise email and Web security gateways, today announced significant enhancements to IronPort Web Reputation Filters. Even though these filters have already had one of the industry's highest capture rates of Web-based malware, the company is adding URL Outbreak Detection and Botsite Defense -- effectively making IronPort Web Reputation Filters one of the most comprehensive Web security offerings available. These powerful new layers of malware defense are available on the IronPort S-Series™ family of Web security appliances and through IronPort's SenderBase® Network.

WWW: Wild Wild Web?

Threat analysts at IronPort and Cisco have observed that the Web is increasingly becoming the preferred method of malware distribution. As a result, corporations face even more sophisticated malware threats from a variety of entry points and coordinated cross-protocol attacks.

Threat writers are constantly looking for new ways to increase their success rate, and distributing malware through legitimate websites is an effective way to do so. A recent example of these dynamic attacks occurred in early March, when hundreds of legitimate sites were being used as redirection hubs to malware-producing bots. IronPort's Web Reputation Filters recognize where the redirection is going and can stop the request before any malware enters the network. Simple URL filtering alone does not detect threats targeted at legitimate sites, but IronPort Web Reputation Filters with Botsite Defense and URL Outbreak Detection can identify compromised sites and prevent customers from connecting to them.

There are over 10 billion active webpages. According to industry estimates, between 2 percent and 10 percent of websites are malicious, a staggering amount of exposure for today's businesses. The malware and spyware delivered by these sites can result in a loss of confidential information, system and network downtime, reduced employee productivity and higher customer support costs.

Reputation filtering systems, like IronPort Web Reputation Filters with URL Outbreak Detection and Botsite Defense, can help protect against infected sites as well as rapidly-mutating malware.

Driving the Deception: Botsites

Among the fastest vectors of Web-based threats are compromised hosts (known as botsites) that follow instructions from a command-and-control network (known as botnets).

Spreading via recruiting email and spam, malicious botsites self-propagate through their own established peer-to-peer networks. The botnets coordinate with each other to create spam with infected landing pages; the botnet/botsite system represents an intelligent malware distribution platform that is reusable and self-defending. Industry estimates point to at least 7 percent of the computers connected to the Internet (75 to 100 million machines) being part of some botnet/botsite system.

"The intelligence of these botnets is astounding," said Tom Gillis, vice president of marketing for IronPort Systems. "A single botnet can produce thousands of malware-laden botsites that are active for anywhere from a few minutes to a few hours. The only effective defense is a Web reputation service that can detect the underlying deception and filter the sites out proactively."

URL Outbreaks

Along with an increase in malicious botsites, IronPort's Threat Operations Center has observed a significant increase in URLs hosting new malware for which no signatures are available. These URL outbreaks have surged 300 percent over the past 12 months, and enterprises have had no effective solutions.

Today's URL-based threats come primarily from botsites that serve as malware distribution hubs, spam URLs, insecure Web 2.0 sites and malicious ad-distribution networks. As threats become multi-protocol in nature, IronPort helps secure the enterprise network to enable businesses to operate at high efficiency while mitigating the worry of lost productivity and resources.

"Growing volumes of botsites and the corresponding delivery of new uncategorized malware is a huge problem," said Tim Sommers, senior enterprise security engineer at Aurora Healthcare. "With the latest release of IronPort Web Reputation Filters, we now have a solution that helps to protect against such threats, before signatures are available."

Botsite Defense and URL Outbreak Detection

Existing solutions that rely on traditional URL filtering have not been effective because most rely on manual classification techniques. The infected sites hide behind a variety of benign categories (including finance, entertainment and news), thereby rendering traditional classification-based URL filtering ineffective as a defense.

IronPort's URL Outbreak Detection is designed to identify and defend against URLs that have no reputation or signature -- typically hosted on a botsite and controlled by a botnet.

The IronPort SenderBase Network has one of the largest email and Web-traffic footprints in the industry, allowing IronPort to detect and block these new URL outbreaks rapidly. Real-time analysis of global Web traffic allows analysts in the IronPort Threat Operations Center to proactively publish reputation scores for such URLs prior to signatures being available from anti-malware vendors.

These latest enhancements include security modeling techniques that provide dynamic protection against threats that target legitimate websites as well as "always on" detection, which tracks the infrastructure behind malware attacks, then adjusts to rapidly block them.


The latest release of IronPort Web Reputation Filters is available now on the IronPort S-Series family of Web security appliances. For more details, please visit:

About IronPort Systems

IronPort Systems, headquartered in San Bruno, California, is a business unit of Cisco Systems, Inc. IronPort is the leading provider of anti-spam, anti-virus and anti-spyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase, the world's largest email and Web threat detection network and database. IronPort products are innovative and easy-to-use, providing breakthrough performance and playing a mission-critical role in a company's network infrastructure. To learn more about IronPort products and services, please visit:

Copyright © 2008 Cisco IronPort Systems, LLC. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco IronPort Systems, LLC. All other trademarks are the property of Cisco IronPort Systems, LLC or their respective owners. While every effort is made to ensure the information given is accurate, IronPort does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.

Contact Information

  • Press / Analysts: If you are a reporter or analyst and want more information
    on IronPort Systems, please contact:

    David Oro
    IronPort Systems

    Suzanne Matick
    IronPort Systems