In our previous post on the SASE Framework, we covered DNS-Layer Security which provides an important first layer of security by incorporating overlapping defensive systems, tools, and protocols to protect users from both inbound and outbound threats at the network level. The broad coverage offered by DNS Filtering is a great starting point for threats to prevent users from visiting malicious, phishing, and objectionable content domains, but its blind spots and limitations require additional solutions to close those security gaps. In the SASE framework, the Secure Web Gateway (SWG) delivers an additional layer of protection and control against full-path URL threats which account for the vast majority of phishing and malicious links. From a data perspective, critical product differentiation for a vendor’s SASE offerings comes from the quality of the data powering the solution.
Secure Web Gateway
A Secure Web Gateway, as defined by Gartner, is a solution that filters unwanted software/malware from user-initiated web traffic and enforces corporate and regulatory policy compliance.
SWGs evolved alongside the disappearing perimeter to secure today’s modern cloud-based environment that provides ‘anytime, anywhere access’ to both remote and on-site workers and to supplement DNS Layer Security. Importantly though, DNS security solutions are designed to filter at the network level while SWGs are designed to offer a centralized security control point for all traffic which allows for deep visibility and consistent controls across endpoints, users, clouds, and networks.
One of the most important features of an SWG is that it offers full network traffic visibility, allowing for deep inspection of web and encrypted web traffic to identify and isolate potential threats. The SWG acts as a proxy, or intermediary, between the client and server for SSL decryption, or SSL interception. Which means that it intercepts the outbound connection, terminates it, and then emulates the client to originate a separate outbound connection to a server. Since the SWG has proxied the connection, it can wait to receive and assemble the entire communication. And, since proxies are built to decrypt and reassemble encrypted traffic, the full-path URL visibility greatly increases the effectiveness of protecting against phishing and malicious attacks by effectively eliminating the DNS Level SSL blindspot. Once the communication has been reassembled, the SWG can either send it along to its destination or pass it to other solutions for further inspection or analysis.
Improved Threat Detection
Unlike DNS Filtering, the SWG’s deep visibility and capability to decrypt, inspect and re-encrypt SSL/TLS traffic, ensures that threats and sensitive data cannot evade detection. The SWG extends protection against previously known threats, emerging threat vectors, and even highly specialized Malware which can evade detection by antispyware and antimalware software packages deployed at the endpoints. Additionally, the deep inspection enables threat protection at the full-path URL level which is critical in blocking 80% of the phishing and malicious threats — including those hiding in whitelisted sites widely used by businesses like Dropbox, Google Drive, iCloud, etc. For compromised hosts, shared user content sites, or shared hosting sites, full-path URL visibility is critical because the attack may not allow filtering at the domain or subdomain level. When legitimate sites are compromised, full-path URL level filtering is required to stop the attack. Attackers frequently target docs.google.com or sites.google.com, with the compromised URLs that may look similar to what is shown in the examples below.
While you could block the attack at the domain level, that is rarely a feasible option. Instead, an SWG enables you to block just the bad URLs so you don’t lose any access to the legitimate site and have full protection against phishing and malicious attacks.
Key Features of Secure Web Gateways
At minimum, according to Gartner, a Secure Web Gateway must include URL filtering, malicious-code detection and filtering, and application controls for web-based applications. While not officially included in Gartner’s definition of an SWG, Data Loss Prevention (DLP) is increasingly included as a key piece of the SWG solution.
URL Filtering. URL Filtering monitors communication between end users and the internet, enabling the necessary visibility to inspect sites at the source so you can implement security protocols that will block high risk or potentially dangerous connections to malicious, phishing, and non-sanctioned objectionable content at the domain, sub-domain, and full-path URL level.
Application Control. Application Control provides administrators with the ability to create granular web security policies based on users to identify, block or limit usage of web applications
Data Loss Prevention (DLP). DLP software allows administrators to have control over the data users are able to transfer which ensures that critical and sensitive information remains inside of the organization’s network. Comprehensive DLP solutions should cover each of the following areas: Email, Endpoint Management, Network, and Cloud.
Antivirus. The primary objective of antivirus software is to protect computers against different forms of malware like viruses, botnets, spyware, trojans, and so on. The software uses real-time virus signatures to detect and remove malicious code from network devices, help block threats, and manage web security services to monitor networks for efficient incident response and attack resolution. For the most robust protection, antivirus coverage should include the following areas: Malware signature, system monitoring, and machine learning.
Powering the Secure Web Gateway
Just as is the case with DNS-Layer Security — and as will be the case for each of the subsequent security layers that make up the SASE framework — the potential of an SWG to deliver maximum threat protection rests in the quality of data used to power the solution.
Vendors who choose to pursue a maximum protection model are advised to evaluate solutions based on a number of the same areas that are recommended for evaluating a DNS Filtering solution. While there is overlap in the recommended areas to evaluate between DNS Filtering and SWG, the key areas added here include a greater focus on threat detections, a highly granular taxonomy for content classifications, and having the very critical capability to block and filter full-path URLs.
- Threat Detection Speed. How quickly are new and emerging threats detected — hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying, the fastest time to detect is key.
- Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or high false positive rate can ultimately work against you.
- Coverage. Your visibility into the threat landscape, and ability to protect users and endpoints, depends on having extensive coverage of the ActiveWeb and global clickstream traffic.
- Curation vs Aggregation. Data curation itself is another fuzzy definition. There are threat feed providers claiming to curate threat feeds, but what they are really doing is aggregating a selection of feeds, as opposed to actually curating the data that comes from those feeds to have maximum coverage with the lowest possible amount of false positives.
- Content Classification. A premium domain database will also have excellent coverage for all forms of objectionable and other content, providing the vendor with the opportunity to offer content-based filtering to supplement the phishing and malicious protection.
- Real-Time Detection/Update Capability. What constitutes ‘real-time’ in terms of technology applications can vary from minutes to hours. It’s important to understand how each threat feed provider defines real-time detections, as well as real-time updates (the time between which a threat is detected and the time that threat propagates to deployments).
- URL Level for Blocking. It’s important to have the ability to filter and block URLs at various levels depending on the implementation — domains, subdomains, IPs and full-path. In some cases, blocking at the domain and subdomain is perfectly fine. Other times, full-path URL blocking is necessary to protect against threats more deeply embedded in commonly whitelisted sites like google docs, Dropbox, etc.
How SWGs Fit with SASE
While DNS Filtering has quickly become the ‘table stakes’ starting point for a comprehensive SASE cybersecurity solution, the Secure Web Gateway is a complementary security solution that enables deep inspection of all web traffic, along with powerful anti-malware and data security technologies to ensure that information and endpoint assets are protected against a variety of threats. Having both DNS Filtering and SWGs in a SASE portfolio are increasingly the minimum functionality necessary in the highly competitive cybersecurity market. And even though DNS Filtering and SWGs are approaching the status of being the minimum functionality needed, the SASE market continues to evolve as customers demand more comprehensive protection, which will be addressed in the next posting on of the SASE framework — Cloud Access Security Brokers (CASBs).
Where zvelo Fits with Secure Web Gateways in the SASE Framework
zvelo is the industry’s leading provider of premium cyber threat intelligence data, URL database, and web classification services. zveloDB is the market’s premier Domain Database with the broadest coverage of phishing, malicious and objectionable content detections, lowest FP rate, fastest time to update, and best lookup performance speed. Additionally, the zveloCTI threat data offers both phishing and malicious detection threat feeds to support the need for full-path threat protection you need to power your SWG, making zvelo a single data powerhouse for your DNS Filtering, Secure Web Gateway, CASB and other SASE functions, all available through a single integration.
Next up in this blog series: Extending Threat Protection to Cloud Apps with CASBs