Reputation scoring changes enterprise security game

When it comes to personal and business relationships, a good reputation opens doors while a bad one slams them shut. And so it goes with enterprise security, too.


Over the past several years, e-mail and Web security companies have gotten quite adept at using behavioral data, collected via massive Internet traffic monitoring networks, to derive reputation scores for domains, IP addresses, messages and URLs. E-mail and Web security appliances then use the reputation scores to allow or prohibit connections -- without ever having to dig into content.

Dozens of antispam and anti-malware vendors today offer reputation-scoring services for their products, and most are pretty decent, says security expert Joel Snyder, a senior partner at Opus One, a consultancy in Tucson, Ariz. Especially worth noting are Cisco Systems Inc.'s IronPort SenderBase, which it acquired in the 2007 purchase of IronPort Systems; McAfee Inc.'s TrustedSource, which it picked up in the 2006 acquisition of Secure Computing (which earlier had acquired CipherTrust, the original developer); and the open-source Spamhaus block list, he says.

In his testing, for example, Snyder has found the SenderBase reputation service, when set to block at recommended levels, averages an 88% spam catch rate with few false positives. In general, this catch rate isn't as high as it is with content filters -- in recent tests, for example, Snyder says he measured the IronPort content filter blocking 96% of spam. But content filters are doing heavy processing whereas reputation services aren't.

Instead of digging into content, a reputation service simply looks up the score in the vendor database and makes a decision -- connect, quarantine or drop, perhaps -- on that alone. Most vendors offer pre-set rules, but users can modify those to be more or less aggressive about spam. In the case of SenderBase, for example, Cisco recommends blocking e-mail addresses that rate between -10 and -3 on a +10 to -10 scale. The scores themselves are determined by correlating dozens of attributes.

The ultimate protection comes when reputation services and content filtering run together. "If you can [use a reputation service to] knock out 76% to 90% of the spam before it hits the content filter, then you have a big advantage in [the filter's] performance." Again citing recent test results, Snyder says the IronPort content filter's block rate increases to 98% when fronted by a reputation service. Two percentage points might not seem like much, but when 90% of e-mail is spam, shrinking the volume by even a tiny fraction makes a big difference, Snyder explains.
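The score-only decision and the filter-fronting arrangement described above can be sketched as follows. This is an added example, not code from Cisco, McAfee or Spamhaus; the quarantine band, the handling of unscored senders, keying scores by sending IP, and all names and sample data are assumptions.

```python
from dataclasses import dataclass

CONNECT, QUARANTINE, DROP = "connect", "quarantine", "drop"  # actions the article names

@dataclass(frozen=True)
class Policy:
    """Thresholds on the -10 (worst) to +10 (best) scale the article cites."""
    drop_at_or_below: float = -3.0        # article: block scores from -10 to -3
    quarantine_at_or_below: float = -1.0  # assumed middle band, not from the article
    unknown_action: str = CONNECT         # assumed: unscored senders go to the content filter

    def __post_init__(self):
        if not -10 <= self.drop_at_or_below <= self.quarantine_at_or_below <= 10:
            raise ValueError("need -10 <= drop <= quarantine <= 10")
        if self.unknown_action not in (CONNECT, QUARANTINE, DROP):
            raise ValueError("unknown_action must be connect, quarantine or drop")

def decide(score, policy):
    """Pick an action from the score alone; message content is never inspected."""
    if score is None:                     # sender absent from the reputation database
        return policy.unknown_action
    if not -10 <= score <= 10:
        raise ValueError(f"score {score} is off the -10..+10 scale")
    if score <= policy.drop_at_or_below:
        return DROP
    if score <= policy.quarantine_at_or_below:
        return QUARANTINE
    return CONNECT

def gate(connections, scores, policy):
    """Return (tally per action, senders handed on to the content filter)."""
    tally = {CONNECT: 0, QUARANTINE: 0, DROP: 0}
    passed = []
    for sender in connections:
        action = decide(scores.get(sender), policy)
        tally[action] += 1
        if action == CONNECT:             # only accepted connections cost filter time
            passed.append(sender)
    return tally, passed

# Constructed sample data: documentation-range IPs with made-up scores.
SCORES = {"192.0.2.10": -7.5, "192.0.2.11": -3.0, "198.51.100.5": -2.0,
          "198.51.100.6": 0.4, "203.0.113.9": 6.1}
CONNECTIONS = ["192.0.2.10", "192.0.2.10", "192.0.2.11", "198.51.100.5",
               "198.51.100.6", "203.0.113.9", "203.0.113.77"]  # last one has no score
DEFAULT = Policy()
AGGRESSIVE = Policy(drop_at_or_below=-1.0, quarantine_at_or_below=0.5,
                    unknown_action=QUARANTINE)

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT), ("aggressive", AGGRESSIVE)):
        tally, passed = gate(CONNECTIONS, SCORES, policy)
        print(name, tally, "to content filter:", len(passed))
```

Tightening the thresholds shrinks the set of connections the content filter has to process, at the cost of quarantining or dropping senders with neutral or missing scores.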

