Security attacks are an ever-increasing threat that can expose your business to data breaches. Securing your web gateway (SWG) is essential to protect your network.
Your SWG solution should incorporate multiple security engines to balance accuracy and adaptability. File Reputation-based Threat Protection
A reputation-based security engine offers superior accuracy to traditional heuristics and behavior-blocking engines. It considers the global view of a file, such as its prevalence (how many users are downloading it) and its age (how long the file has been on the web). These features enable more granular and sophisticated policies than schemes that provide only a binary verdict.
The SWG security measures also enable administrators to create policies that leverage domain category definitions and other generic attributes to define security measures effectively. This allows the gateway to deliver robust protection to users when accessing websites flagged for hosting malware and phishing content.
SWG can evaluate the integrity of files transferred over a secure connection to ensure the transmitted data has not been altered or corrupted. It compares the contents of a file as it is being downloaded and after it has been uploaded and then assesses whether the hash value has changed.
SWG also uses threat/data intelligence feeds to categorize IP addresses, domains, URLs, SaaS services and other elements the gateway sees and their respective reputation scores. This allows the SWG to bypass TLS decryption on specific categories where it has been established that the threat is low and the organization is comfortable with a lesser level of security.
Policy-Based Traffic Selection
A secure web gateway (SWG) is a solution that uses URL filtering, SSL inspection, content filtering, advanced threat defense, and legacy malware protection to defend users against threats and enforce acceptable use policies for internet and cloud applications. SWGs can be deployed on-premises as hardware, virtual appliances, or in the cloud via a service provider.
The SWG’s domain reputation security engine allows administrators to create policies based on domain categories and domain threat scores, empowering them to protect users from accessing websites flagged as malicious. The security engine also operates after TLS decryption to inspect and analyze clear HTTP traffic, providing enhanced protection against phishing and malware attacks often concealed in encrypted website content.
In addition, the SWG’s security engines can operate based on groups and device types (managed vs. unmanaged, OS/user-agent, etc.) to offer contextual access control and improve productivity. The SWG also enables organizations to deploy granular application control policies, helping them to prevent data loss and minimize business risk.
SWGs can also incorporate a malware detection engine that uses advanced machine learning to analyze and identify files that may be malicious. The engine can scan the entire file or look at specific parts, including the header, payload, and metadata. It can even scan compressed files, detecting hidden or undetectable threats.
Data Loss Prevention (DLP) Security Engine
SWGs analyze data packets at the network edge to identify malicious code and other Internet threats, such as phishing and malware. This ensures that data is not exposed to the Internet, avoiding security risks such as breaches and data exfiltration.
SWG solutions also monitor the flow of sensitive data to prevent PII from being shared outside the organization. PII is information that could be used to identify or distinguish one person from another (such as email addresses, Social Security numbers, login IDs, and biometric data). SWGs can identify and prevent this data type from leaving the company via web channels.
A granular DLP engine analyzes data to identify and categorize it in real time. It looks for patterns such as 16-digit credit card numbers or dates near “VISA,” for example, that can indicate a financial transaction. It can then identify the types of identifiers in the data, such as PII or proprietary intellectual property.
Next Gen SWGs have evolved beyond basic web filtering to provide a holistic approach to protecting your data, apps, devices, and users. They deliver cloud application control, integrated threat protection, a cloud-native architecture, and robust data loss prevention. This is important as more employees work remotely and the number of cloud applications grows in your enterprise.
Threat/Data Intelligence Feeds
Threat/data intelligence feeds are collections of information on cybersecurity threats and trends, often streamed in real time. They help security teams identify and prioritize potential vulnerabilities and understand the tactics, techniques, and procedures threat actors use to prevent attacks.
SWG uses threat/data intelligence feeds to collect and analyze information from human intelligence, cross-industry cybersecurity statistics, data on malware attacks, incident and attack reports, and other data directly related to potential threats. It also leverages these feeds to categorize domains, URLs, files, and SaaS services so they can be monitored and controlled more effectively.
The SWG uses the gathered intelligence to classify potential malware based on content analysis, preventing it from entering or exiting the network. Additionally, it utilizes threat/data intelligence feeds to organize data as sensitive or confidential, enabling the SWG to enforce policies based on those classifications.
While firewalls are good at blocking known threats, they don’t have visibility into the traffic that traverses them. To overcome this, SWGs can ingest threat/data intelligence feeds into their SIEM solutions and endpoints to detect various security threats.
