How should you handle websites that are uncategorized or might have been assigned a category of “none”? It’s a problem that has plagued IT staff since the start of URL filtering.
Without a good way to deal with new websites that were uncategorized, organizations have had to choose between blocking and allowing uncategorized sites, and each choice has its own inherent problems. IT administrators now have powerful new tools that address the problems that arise with uncategorized sites.
The introduction of Dynamic Real-Time Rating (DRTR) in 2006 addressed most of the concerns organizations had around new websites that were not already categorized in the Blue Coat WebFilter URL database.
By using cloud-based artificial intelligence, new websites could be examined in near real-time and categorized based on the content of the website (into up to four of the 84 categories defined by WebFilter), allowing administrators to apply web governance policy to new, previously unknown websites.
Even with this new technology, however, a small percentage of new websites may still remain uncategorized.
Specifically, those sites that offer limited clues about the content of the web page are the ones most likely to remain uncategorized after a DRTR attempt. Examples of this include pages that return no content (a blank page), or a page that is filled entirely with a single image or multiple images.
It’s been an ongoing challenge. In fact, uncategorized sites are most problematic for IT administrators, who traditionally have had just two choices: either allow them or block them.
Blocking increases the number of help desk calls from users who want to access particular content, a further drain on company resources. But allowing employees to wind up wherever they want in cyberspace leaves the organization vulnerable to increased levels of malware and possible infections. Neither choice was appealing, and so organizations have searched for a better option.
Symantec has introduced two new tools in the last year to help IT administrators address the issue of uncategorized websites. The first one, Threat Risk Levels, was introduced as part of a new subscription service, Intelligence Services.
Intelligence Services offers all the categorization capabilities of WebFilter, combined with some additional new features, including geo-location (the ability to create policy based on the country location of the website) and Threat Risk Levels. Threat Risk Levels are assigned to all websites; for new websites, the service makes use of an updated version of the artificial intelligence engine that is deployed for categorization.
Threat Risk Levels range from 1 (the safest) to 10 (the riskiest). Using these values, IT administrators can block uncategorized sites with high risk levels as part of a tougher security stance.
For even more flexibility and security, Threat Risk Levels can be integrated with Web Isolation, a new product that came to Symantec through the 2017 acquisition of Fireglass. Web Isolation allows all code being sent from a website to run on a remote browser, rather than locally in an end-user’s browser. The remote browser then sends a visual stream of the resulting web page (and none of the executing code in the remote browser), isolating the user from any risk in the original web page.
Web Isolation provides a framework to add another layer of policy with Threat Risk Levels. For example, if the organization was allowing uncategorized sites with Threat Risk Levels of 1-3 (those sites generally considered safe), and blocking 4-10, they can now web isolate 4-6 (sites considered suspicious), and block 7-10 (the riskiest sites).
This allows IT administrators to block the riskiest uncategorized sites, and allows end-users to access the suspicious uncategorized sites safely. That translates into reduced work for the people staffing the helpdesk, which otherwise would need to field calls from employees blocked from accessing uncategorized sites.
In addition to providing a solution for uncategorized sites, even greater flexibility for an organization’s web access policy is available when you combine Threat Risk Levels and Web Isolation with policy for websites that are categorized in specific targeted web categories that may be problematic for the organization.
For example, the category File Sharing may have been a cause for consternation, as the files hosted on File Sharing sites (such as Box and Dropbox) have little governance and may be an easy access point for a cyber criminal to get malicious files down to the organization’s end-users. Web Isolation can be used on File Sharing sites with a wider range of Threat Risk Levels (say from 4 to 8, and blocking only Threat Risk Level 10), to keep access open for the end-user while at the same time isolating the end-user from any malicious content.
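The tiers in the two examples above can be written down as data and checked for coverage before they are deployed. The following Python sketch is an added example, not Symantec's policy syntax or code from the original article; the dictionary layout, the function names `lint` and `decide`, and the block-by-default fallback for unassigned levels are assumptions.

```python
ALLOW, ISOLATE, BLOCK = "allow", "isolate", "block"
LEVELS = range(1, 11)  # Threat Risk Levels: 1 is safest, 10 is riskiest

# (low, high, action) tiers copied from the article's two examples.
# The dictionary keys and tuple layout are assumptions of this sketch.
POLICY = {
    "uncategorized": [(1, 3, ALLOW), (4, 6, ISOLATE), (7, 10, BLOCK)],
    # The article gives only these two tiers for File Sharing.
    "file_sharing": [(4, 8, ISOLATE), (10, 10, BLOCK)],
}


def lint(tiers):
    """Return (gaps, overlaps): levels matched by no tier / by more than one."""
    hits = {lvl: 0 for lvl in LEVELS}
    for low, high, _ in tiers:
        if not (1 <= low <= high <= 10):
            raise ValueError(f"tier {low}-{high} is outside 1-10")
        for lvl in range(low, high + 1):
            hits[lvl] += 1
    gaps = [lvl for lvl, n in hits.items() if n == 0]
    overlaps = [lvl for lvl, n in hits.items() if n > 1]
    return gaps, overlaps


def decide(tiers, level, default=BLOCK):
    """Pick the action for one request; unassigned levels get `default`."""
    if level not in LEVELS:
        raise ValueError(f"risk level {level!r} is outside 1-10")
    for low, high, action in tiers:
        if low <= level <= high:
            return action
    return default  # fail closed on a level the policy never mentions


if __name__ == "__main__":
    for category, tiers in POLICY.items():
        gaps, overlaps = lint(tiers)
        print(category, "gaps:", gaps, "overlaps:", overlaps)
        print("  ", {lvl: decide(tiers, lvl) for lvl in LEVELS})
```

Run against the File Sharing tiers exactly as the article states them, `lint` reports levels 1, 2, 3 and 9 as unassigned, which is the gap an administrator needs to close explicitly rather than leave to a default.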
Figure 1 below shows some possible policy options with Web Isolation and Threat Risk Levels based on different categories and risk levels.
IT administrators have more options than ever to handle uncategorized websites, giving them greater flexibility to allow access to new websites with unknown content, while at the same time maintaining a high level of security for the end-user.
Threat Risk Levels make it easy to identify suspicious and risky sites and apply policy to those sites, while Web Isolation gives end-users safe access to websites that would have previously been blocked (in the case of blocking uncategorized sites), and safe access to websites that could have infected the end-user (in the case of allowing uncategorized sites).