Secure Cloud Gateway: Using the Internet to Fight Cyber-Attacks

Today's security platforms, which are plagued by reactive intelligence, gaps in enforcement, and the inability to integrate the two, can't keep up. This has paved the way for a new category of cyber-security platform called a Secure Cloud Gateway (SCG).

Cyber-attacks work the same way the Internet does, using the Domain Name System (DNS) to distribute malware, control botnets and phish login credentials. With the mainstream adoption of cloud services, bring-your-own-device programs and off-network workers, the attack surface has expanded beyond the traditional corporate network perimeter.

This device and network diversity has created an environment where organizations must protect any device, anywhere it roams. A Secure Cloud Gateway uses a DNS-based foundation to provide broader security, improved coverage and deeper visibility.

Legitimate Web browsing occurs on only two well-known ports, HTTP (80) and HTTPS (443). Yet malware is occasionally distributed over non-standard ports to infect devices, and botnets regularly use non-Web protocols to breach networks and steal data. Because nearly every connection, whatever its port or protocol, begins with a name lookup, a Secure Cloud Gateway that enforces policy in DNS provides protection across all ports, protocols and applications.

Today, threats are targeted, but the targets are everywhere. Unmanaged, personal devices routinely connect to the corporate network, while employees take company devices containing sensitive data off the network and roam outside the secure perimeter. Because a device resolves names through the gateway wherever it connects, a Secure Cloud Gateway provides security coverage regardless of the network or location from which the device connects.

The appearance and behavior of cyber threats vary infinitely, yet they all originate from a finite number of Internet hosts, and many share the same criminal infrastructure. To extract accurate security intelligence, a Secure Cloud Gateway uses its recursive DNS infrastructure, reached through Anycast routing, to record every name lookup it serves and to map those requests across the Internet both spatially (which networks and regions ask for a name) and temporally (when, how often, and alongside which other names).

While the vast majority of Web domains can be classified as either safe or malicious, some Internet hosts are harder to classify, because they serve both safe and malicious content, or because their Internet origins are suspicious. Performing deep inspection of every Web connection significantly reduces performance, and redirecting every Web connection through a proxy significantly reduces manageability. A Secure Cloud Gateway instead identifies the high-risk or suspicious domains and uses DNS redirection to route only those for deeper inspection.

Unlike Secure Web Gateway (SWG) appliances or services that send every Web connection through a proxy, a Secure Cloud Gateway routes only risky Web connections for deeper inspection. This concept is called Intelligent Proxy. Here's how it works:

Scenario 1:  An employee attempts to visit site #1. A Secure Cloud Gateway has already determined that this domain is malicious, based on the risk score for the host. Perhaps the domain is part of an infrastructure known to be used for criminal attacks, or it is consistently requested right after other known-malicious hosts. A Secure Cloud Gateway answers the DNS query with the IP address of its block page server instead of the malicious host's real address, so the connection never reaches the attacker and the organization's network and data are protected.

Scenario 2:  An employee attempts to visit site #2. A Secure Cloud Gateway continually analyzes the Internet origins of the site's content hosts both spatially (e.g. geography, network) and temporally (e.g. request volume, co-occurrence with other requests). Based on known data and algorithmic risk predictions, it determines that the site #2 domain is low enough in risk not to need proxying, and it returns the real IP address so the employee connects directly to the site's host. The employee experiences no added latency and no disruption when accessing this host.

Scenario 3: An employee attempts to visit site #3. A Secure Cloud Gateway has determined that the content host for this domain is too risky to connect to directly and returns the IP address of its proxy. The proxy provides deeper inspection beyond the host's Internet origins (its domain and IP address): it inspects the content of the Web session itself. If the content is deemed safe, it is passed to the browser and the employee reaches the domain. If it is malicious, a Secure Cloud Gateway sends back a block page and the employee is prevented from accessing the malicious domain.
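The three scenarios above, together with the spatial and temporal co-occurrence intelligence described under "Integrating Intelligence with Enforcement" below, as one added worked example in Python. This is not OpenDNS or Umbrella code. The resolver log lines, the seed list of known-bad names, the 192.0.2.x block-page and proxy addresses, the 203.0.113.x host addresses and the 0.5/0.9 thresholds are all constructed for illustration, and the scoring is a deliberately simple version of the co-occurrence idea (a name's risk is the share of its querying clients that looked it up within 30 seconds of a known-bad lookup), not the production algorithm.

```python
"""Toy Secure Cloud Gateway: co-occurrence risk scoring plus an Intelligent
Proxy decision. Added example, not OpenDNS code. Everything below is
constructed: the DNS query log, the seed list of known-malicious names, the
block-page and proxy addresses (TEST-NET ranges) and the thresholds."""
from collections import defaultdict
from dataclasses import dataclass

BLOCK_PAGE_IP = "192.0.2.10"   # constructed: blocked names resolve here
PROXY_IP = "192.0.2.20"        # constructed: risky names resolve here
BLOCK_AT = 0.9                 # constructed thresholds on a 0..1 risk score
PROXY_AT = 0.5
WINDOW = 30                    # seconds: "requested shortly after a known-bad name"

# Constructed recursive-resolver log lines: epoch_seconds client_ip qname
LOG = """\
1000 10.0.0.1 bad-c2.example
1003 10.0.0.1 stage2.example
1004 10.0.0.1 news.example
1200 10.0.0.2 bad-c2.example
1201 10.0.0.2 stage2.example
1500 10.0.0.3 news.example
1600 10.0.0.4 bad-c2.example
1602 10.0.0.4 stage2.example
1700 10.0.0.5 news.example
1800 10.0.0.5 mail.example
1900 10.0.0.6 stage2.example
""".splitlines()

KNOWN_BAD = {"bad-c2.example"}   # constructed seed intelligence

# Constructed stand-in for the recursive lookup of a name's real address.
UPSTREAM = {
    "bad-c2.example": "203.0.113.1",
    "stage2.example": "203.0.113.2",
    "news.example": "203.0.113.3",
    "mail.example": "203.0.113.4",
}

def parse_log(lines):
    """Parse 'ts client qname' lines into (ts, client, qname) tuples in time order."""
    events = []
    for line in lines:
        ts, client, qname = line.split()
        events.append((int(ts), client, qname.lower().rstrip(".")))
    events.sort()
    return events

def cooccurrence_scores(events, known_bad, window=WINDOW):
    """Temporal co-occurrence: for each name, the fraction of its querying clients
    that asked for it within `window` seconds after a known-bad query from the
    same client. Known-bad names score 1.0. Normalising by distinct clients is
    what keeps a popular benign name, which will sometimes follow a bad lookup
    on one machine by chance, from being flagged."""
    queried_by = defaultdict(set)   # qname -> clients that asked for it
    tainted_by = defaultdict(set)   # qname -> clients that asked right after a bad name
    last_bad = {}                   # client -> time of its latest known-bad query
    for ts, client, qname in events:
        queried_by[qname].add(client)
        if qname in known_bad:
            last_bad[client] = ts
            continue
        t = last_bad.get(client)
        if t is not None and ts - t <= window:
            tainted_by[qname].add(client)
    return {q: 1.0 if q in known_bad else len(tainted_by[q]) / len(clients)
            for q, clients in queried_by.items()}

@dataclass(frozen=True)
class Decision:
    domain: str
    action: str   # "block", "proxy", "direct" or "nxdomain"
    answer: str   # the A record handed back to the client ("" for nxdomain)

def decide(domain, scores, upstream=UPSTREAM, block_at=BLOCK_AT, proxy_at=PROXY_AT):
    """The three scenarios from the text, applied at the resolver: block page for
    known-bad names, proxy for risky ones, the real address for everything else."""
    name = domain.lower().rstrip(".")
    score = scores.get(name, 0.0)
    if score >= block_at:
        return Decision(name, "block", BLOCK_PAGE_IP)
    if score >= proxy_at:
        return Decision(name, "proxy", PROXY_IP)
    ip = upstream.get(name)
    if ip is None:
        return Decision(name, "nxdomain", "")
    return Decision(name, "direct", ip)

def run(log=LOG, known_bad=KNOWN_BAD):
    """Score the log, then decide every name that appears in it."""
    scores = cooccurrence_scores(parse_log(log), known_bad)
    return {name: decide(name, scores) for name in sorted(scores)}

if __name__ == "__main__":
    for name, d in run().items():
        print(f"{name:18} {d.action:8} {d.answer}")
```

On the constructed log, bad-c2.example is answered with the block page (scenario 1), stage2.example scores 0.75 because three of its four querying clients asked for it seconds after the known-bad name and so is answered with the proxy address (scenario 3), while news.example (one chance co-occurrence out of three clients) and mail.example resolve directly (scenario 2). Two things the toy leaves out that matter in practice: the proxy at PROXY_IP must resolve the real address of the name it fronts through an unfiltered path, or the gateway would redirect the proxy to itself; and for HTTPS the proxy can see only the server name in the TLS handshake unless it terminates TLS with a certificate the client trusts, so a block page for an HTTPS name appears to the user as a certificate error unless that trust is in place.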

Integrating Intelligence with Enforcement

Effective security requires both intelligence and enforcement to protect against advanced threats and targeted attacks. Intelligence without timely enforcement will fail to block malware or contain botnets. Meanwhile, enforcement without predictive intelligence will fail to stay ahead of the most complex threats. A Secure Cloud Gateway reconciles intelligence and enforcement in new ways.

Actionable intelligence requires maximum coverage and visibility. Because it serves recursive DNS, a Secure Cloud Gateway gathers a tremendous volume, velocity and variety of data: enough to predict the Internet origins of emerging threats even when the attack, binary or exploit itself is unknown. The data it collects reflects patterns of use across all devices regardless of network, location, type or ownership, and across all Internet connections regardless of port or protocol.

Meanwhile, enforcement requires a security technology with maximum breadth and depth. Using recursive DNS, a Secure Cloud Gateway can enforce policy on traffic to any of the 65,535 network ports and on any protocol or application that begins with a name lookup. Note that DNS enforcement covers only traffic that resolves names through the gateway; a connection to a hard-coded IP address, or a lookup sent to another resolver, is not seen by it. To provide advanced threat protection, a Secure Cloud Gateway redirects high-risk Web requests to its Intelligent Proxy, which performs deeper inspection to detect and block malicious content hidden within Web sessions.

Rather than using a traditional proxy or in-line architecture, a Secure Cloud Gateway uses a cloud-based infrastructure that integrates multiple security enforcement technologies with Internet-scale threat intelligence gathering. This enables a Secure Cloud Gateway to stay ahead of constantly evolving attacks and emerging threats without sacrificing performance or manageability.

Hubbard is a noted information security researcher and Chief Technology Officer for OpenDNS, provider of the Umbrella cyber-security service.
