Categories Are Useful, But It Is Time For Risk Levels

Categories are a ubiquitous way to prevent users from going to dangerous sites. Phishing? No way. Botnet download sites? Block. 

Yet, while the categorization of sites is great for establishing the broad strokes of policy, the technique can miss a lot of the granularity needed to fine-tune your business' security. A company only relying on categories will find that some dangerous sites are still accessible, and some legitimate business sites are blocked. For example, some companies may want to allow some file storage and sharing sites, such as Dropbox or Box, but block others not allowed by corporate policy. 

Application-level blocking or whitelisting can give security teams more granularity in their policies. Some companies also employ geographical rules, such as only allowing employees to go to sites in the United States. 

Yet, an under-utilized solution may be the best approach for many companies: Threat Risk Levels. 

A newly registered site: Block or Allow?

While categories are a necessary starting point for any cyber security policy, they are based mainly on the content on the page at the time it’s rendered. Moreover, many sites are not—and perhaps cannot be—easily categorized. For many companies, uncategorized websites are not acceptable and so are blocked. Yet, there are plenty of legitimate uncategorized sites. 

Conversely, a compromised legitimate site may be used to infect visitors with malware or used in a phishing attack.

Threat risk levels use a URL’s metadata wholistically to give a site a score based on its potential riskiness, which means every URL will have a risk level. A newly created site with only a low level of traffic and obfuscated scripts will have a higher risk level. A site with no scripts, has a lifetime measured in years, and is associated with a known reputable company will have a low risk level. 

Where content categories are based on whether the security firm has seen a site, threat risk levels can be calculated for any site immediately. 

Uncategorized site: Block or Allow?

Threat risk levels fix a failing of categories. Social media sites carry a lot of user-generated content and can be used by an attacker to launch an attack against visitors in various ways. Moreover, attackers know they can create a site for a generally benign category—say, education— to get past a simplistic security policy. Risk levels stop these types of attacks, which helps companies further increase their security posture without increasing their false positive tolerance.  

In many ways, threat risk levels are a game of information: Given a specific piece of metadata—such as whether the site is newly registered—would you block or allow access to the site? If a user is trying to visit an uncategorized site, would you block or allow access? 

Symantec, a division of Broadcom (NASDAQ: AVGO), seamlessly calculates Threat Risk Levels for the millions of URLs in its database and can also calculate Threat Risk Levels in real-time. Ratings get created by dozens of components working together to create a numerical score from 1 - 10. These components look at the various metadata factors that objectively show risk. One of these components, Context Engine, uses a large scale AI system to pick up on clues from domains, subdomains, and IPs seen on our servers, ultimately giving a confidence score of how suspicious a site might be. Finally, another system uses an extensive voting system to create ratings dynamically. Looking at dozens of metadata tokens, such as the network metrics or site age, makes an objective rating in milliseconds that stops threats in their tracks, often before anyone even knows they are dangerous.

Entertainment Content and Risk Level 6+: Block or Allow?

Risk levels policy can be created in the Secure Web Gateway (SWG), which every company should tailor to their own needs. While a good start, a default policy is not meant to be the standard policy for companies. Every business has its own needs and risk sensitivities, and so the SWG should be configured to reflect those priorities. 

Any single URL can have up to four categories and a risk level, so policies can be very granular. For example, a company can block any URL that is categorized as Entertainment and has a risk level of 6 or above. Companies can also customize their risk levels so that—if a URL demonstrates a particular type of behavior—the risk level is increased or decreased. 

Threat risk levels are a way for companies to hone their cyber security policies better. Want to know how you can use risk levels to secure your users better?  Watch the webinar below for our discussion on this topic.