When it comes to personal and business relationships, a good reputation opens doors while a bad one slams them shut. And so it goes with enterprise security, too.
Over the past several years, e-mail and Web security companies have gotten quite adept at using behavioral data, collected via massive Internet traffic monitoring networks, to derive reputation scores for domains, IP addresses, messages and URLs. E-mail and Web security appliances then use the reputation scores to allow or prohibit connections -- without ever having to dig into content.
Dozens of antispam and anti-malware vendors today offer reputation-scoring services for their products, and most are pretty decent, says security expert Joel Snyder, a senior partner at Opus One, a consultancy in Tucson, Ariz. Especially worth noting are Cisco Systems Inc.'s IronPort SenderBase, which it acquired in the 2007 purchase of IronPort Systems; McAfee Inc.'s TrustedSource, which it picked up in the 2006 acquisition of Secure Computing (which earlier had acquired CipherTrust, the original developer); and the open-source Spamhaus block list, he says.
In his testing, for example, Snyder has found the SenderBase reputation service, when set to block at recommended levels, averages an 88% spam catch rate with few false positives. In general, this catch rate isn't as high as it is with content filters -- in recent tests, for example, Snyder says he measured the IronPort content filter blocking 96% of spam. But content filters are doing heavy processing whereas reputation services aren't.
Instead of digging into content, a reputation service simply looks up the score in the vendor database and makes a decision -- connect, quarantine or drop, perhaps -- on that alone. Most vendors offer pre-set rules, but users can modify those to be more or less aggressive about spam. In the case of SenderBase, for example, Cisco recommends blocking e-mail addresses that rate between -10 and -3 on a +10 to -10 scale. The scores themselves are determined by correlating dozens of attributes.
The ultimate protection is when reputation services and content filtering run with one another. "If you can [use a reputation service to] knock out 76% to 90% of the spam before it hits the content filter, then you have a big advantage in [the filter's] performance." Again citing recent test results, Snyder says the IronPort content filter's block rate increases to 98% when fronted by a reputation service. Two percentage points might not seem like much, but when 90% of e-mail is spam, shrinking the volume by even a tiny fraction makes a big difference, Snyder explains.
So it should come as no surprise that reputation service providers are now concentrating on putting their scoring mechanisms into play elsewhere down the enterprise security line. McAfee, for instance, already uses its TrustedSource IP reputation service in its Secure Firewall (formerly Secure Computing's Sidewinder) to allow or disallow connections. The database is fielding some 2 million queries a day from firewalls, reports Ken Rutsky, the company's vice president of marketing.