The Power of Reputation

Jamie Barnett

When you go to the doctor for an illness, how does he or she determine exactly what's wrong? Usually, they follow a series of steps, starting off by asking what's wrong and taking your temperature. Based on these two activities, there may be some indication of what the problem is. But they must also correlate that information with dozens of other pieces of data, such as blood pressure. On their own, these don't tell the doctor much but, correlated with each other, they offer high confidence that the diagnosis is accurate. From there, the doctor can take action to block the illness where it is likely to strike next.

Similarly, cybersecurity reputation systems rely on the relationship of data across a large number of dimensions. These systems have been used for years across many disciplines-from doctors diagnosing illnesses to mathematical experts rating financial instruments-to assess situations and make decisions. 

Today, reputation calculation tools are more critical to cybersecurity than ever, as more users access more online tools via more devices and interact with colleagues, friends and strangers in more online venues. Reputation provides a comforting level of assurance around identity and integrity in critical Internet-based personal and professional transactions, where physical-world verification is impossible.

What is Reputation?

Wikipedia defines reputation as 'the opinion (more technically, a social evaluation) of the group of entities toward a person, a group of people, or an organization on a certain criterion.' The kind of reputation we discuss in this article deals with the electronic entities-from files to senders to websites.

First, reputations are dynamic and temporal. For example, a previously legitimate website can become infected with malware and then be cleaned up in a short time. A reputation must be refreshed as quickly as content is refreshed. Second, an entity's reputation is seldom 'absolutely good' or 'absolutely bad,' but rather lies somewhere in the vast gray area in between, making the intersection of reputation with policy an empowering thing to security decision makers. Finally, confidence is a critical consideration in calculating reputation. By confidence we mean the confidence interval, or reliability of our estimate. The more data points and evaluation criteria considered in analysis, the more accurate the reputation is likely to be at that moment. The four things that contribute to increasing reliability are data volume, data longevity, data trustworthiness and broad data correlation.

Reputation is calculated based on hundreds of millions of electronic entities-files, websites, Web domains, messages, DNS servers and network connections-using a highly granular scoring system based on a variety of information about the entity's behaviors, characteristics and our own experience of how comparable entities behave.

Reputation is not only an important component of any security system; it is essential. Threats move too quickly or too stealthily to rely on traditional techniques such as signature-based protection and blacklists. If a threat's intention is to hit as many computers as possible, it can propagate much more quickly than a signature can be written and deployed, and blacklist solutions don't capture the nuances that a reputation score does. On the other end of the spectrum, we see razor-targeted threats whose goal is not to spread quickly but instead to avoid detection, cause minimal impact, and achieve a very subtle, directed objective. To combat each of these extremes (and everything in between), security professionals and their vendors realize that today's threat landscape requires a system that calculates an entity's reputation in real time based on collective intelligence about that entity, and then takes action based on that reputation.

Operation Aurora, the attack against Google and more than 20 other companies in late 2009 and early 2010, used a directed effort to zero in on a specific set of individuals. The attackers used sophisticated, evasive technologies to gain access to those users' machines and, from there, to companies' valuable information and intellectual property. Despite their subtlety and efforts to avoid detection, threats such as Operation Aurora have a small number of associated entities-e-mails emanating from temporarily bad IP addresses luring unsuspecting users to malware-infected websites, for example-whose reputations can change from one moment to the next.

Four elements that ensure high confidence in calculating reputation

Besides serving as the basis for a robust reputation system, telemetry data are useful in building confidence levels in the following ways:

Data volume. Think of this as the aperture on a telescope: the more data volume (light) taken in, the deeper the viewer can see into space. This enables us to see threat activity quickly and identify it with greater accuracy.

Data longevity. Collecting data over a long period contributes to system maturity. It ensures that the reputation system will have a solid baseline for how entities are expected to behave based on their and their peers' past behavior. This helps not only detect anomalies when they occur but also identify attacks based on recognized patterns.

Data trustworthiness. A serious consideration when dealing with reputation systems is trustworthy data. Robust reputation systems must have mechanisms for authenticating the data they receive as well as for adjusting for the credibility of the source. Factors such as the location, configuration and past behavior of the data source can affect how heavily that source's data will be weighed in the overall reputation calculation.

Data correlation. The most critical factor in a robust reputation system is the ability to collect and correlate telemetry data from a broad range of sources representing all threat vectors. Being able to correlate data representing a 360-degree view of a threat is like having all of the edge pieces of a puzzle.

The Power of Reputation

Pulling data from all vectors helps us understand a threat and gives far greater precision in calculating the reputation of any entities involved with the threat. The notion of reputation-based security has been around for years, but today we must deal with a rapidly growing number of threats ranging from fast-spreading viruses to narrowly targeted and evasive IP heists to everything in between. This challenge requires a consistent, objective security framework for understanding and calculating the status of an incredibly dynamic set of entities. Knowing an entity's status with a high degree of confidence-derived from a trustworthy set of correlated telemetry data-is the keystone for providing comprehensive protection.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.