Why the Magic Behind Kerio Web Filter Makes Your Network Much More Secure
An Interview with Jeff Finn, CEO of zvelo
You have the firewall that blocks incoming viruses, worms and spyware. However, if you are not utilizing web filtering, your IT security solution is not complete.
We recently had the opportunity to speak with Jeff Finn, CEO of zvelo, which is a Kerio Technologies partner that provides the web categorization services used in the Kerio Web Filter.
Q: First things first, would you provide an overview of zvelo, as well as clarify how to pronounce the name?
We get this question often. It is pronounced “zuh vee low”.
To provide a brief overview, zvelo is a company that specializes in categorizing web content and detecting malicious websites. We use a combination of artificial intelligence systems, and human analysis that provides quality assurance. We license our technology exclusively through OEM partners such as Kerio.
Q: The Internet has billions of pages, how do you keep track of the ever-changing content?
We focus on the URLs that people actually visit, which we call ActiveWeb sites. The zveloDB URL database has nearly 500 million URLs covering over 7 billion web pages in nearly 200 languages. This covers over 99.9% of the ActiveWeb. Websites where content has changed are analyzed for real-time content categorization to determine whether the website has any type of malicious content or if it is being used for phishing, spam, etc.
Q: When should a network utilize web filtering as a security measure?
Web Filtering has historically been used as a way to block or filter access to websites with inappropriate content, such as porn, hate speech, violence, etc., or where the website impacts productivity, such as a video streaming site that consumes a company’s Internet bandwidth. These web filtering applications continue to be used by businesses and families for liability, productivity or other purposes.
However, today’s web filtering needs to go well past simply monitoring and blocking access to inappropriate content. Here’s why: hackers have traditionally used email or email-based protocols as a way of delivering their threats. As companies became better at implementing spam filtering, anti-virus and anti-spyware (Kerio Control does a great job of this with the Sophos anti-virus offering), hackers have increasingly turned to the Web as a means to deploy malware, phishing scams and other exploits. In particular, hackers are targeting social networking and blog sites where there is very dynamic content but no centralized control or moderator. This is the perfect environment for the bad guys to compromise these types of websites and deploy spyware or malware, or use social engineering tricks like phishing attacks and spear phishing to direct people to these compromised Web sites.
Q: For an average user with a PC, what are the actual risks of visiting one of these compromised web sites?
Users now risk becoming infected by simply visiting a compromised website, where they may have spyware or malware downloaded without their knowledge. Additionally, many websites are hacked and used for spam campaigns, denial of service attacks, phishing, or worse – in many cases, without the website owner’s knowledge or awareness that their website has been compromised. Most businesses and users understand the necessity of antivirus software to protect their PCs from email-borne malware, however, they are not nearly as aware of the dangers posed by malicious and compromised websites.
Furthermore, hackers have used increasingly sophisticated social engineering tricks to entice users to visit compromised websites, to great effect for the hackers. This is where web filtering as a security measure comes into play.
Q: So what would you recommend an IT guy should do?
By automatically blocking user access to malicious websites, a company can protect its users from unknowingly visiting a compromised website and getting themselves and others in their company or on the same local network infected with a wide range of malware. Unlike web filtering related to inappropriate content, there is little or no argument about blocking access to malicious websites, where an infection can wreak havoc on PCs, disk drives, directories and more, not to mention the loss of confidential corporate data, personal identity, financial and other data.
This is a critical story that needs to be communicated to the marketplace, to our customers who need to understand the differences between web filtering for content and web filtering as it relates to security. The battles with hackers in the next few years will be increasingly waged over web-based attacks, and the first step is to educate the market on the dangers posed by today’s Internet.
Q: How often is the Kerio Web Filter database updated?
Websites such as Facebook, blogging sites and other Web 2.0 websites have content that is constantly changing, in many cases with no centralized website content control or moderator. For this reason alone, we have to update the zveloDB utilized in the Kerio Web Filter 24 hours a day.
The high volume of user traffic to these websites makes them most frequently targeted by hackers, which is why zvelo’s systems revisit these sites on a continuous basis to detect when new sites are launched or when content may have changed, not just in terms of contextual content, but also where a site has changed from clean to malicious or vice-versa.
To put this in perspective, Facebook alone has over 750 million users who, on average, post over 90 new pieces of content each month. This is over 60 billion postings or pages monthly requiring content analysis and scanning for malicious content. For good reason, Facebook has become ground zero for phishing attacks and other forms of hacker exploits.
Q: Are there any web filtering categories that a security conscious IT administrator should always consider blocking?
Yes, the malicious categories such as spyware, phishing and compromised should always be blocked. Again, there is no valid reason why a user would want to, or should be allowed to, access these types of sites. Other category settings should be aligned with the policies or culture where the web filtering is implemented.
Kerio Control allows customers to choose which of the 53 categories they’d like to filter, block or allow. I would always recommend that IT block categories like Adware, Anonymizer, Compromised, Phishing / Fraud, Spammed, and Spyware & Malicious sites.
Q: How does zvelo discover a new URL and how does it get categorized?
On any given day we see billions of queries coming into the zveloNET data centers. Within these queries, there will typically be several million new URLs, which represent brand new websites or new pages on existing sites that will be categorized in real-time using the zveloNET Auto-Categorization systems.
The zveloNET Auto-Categorization systems are artificial intelligence-based systems that look at a wide range of factors and data, in dozens of languages, to perform contextual content categorization, typically in just a few seconds. zvelo also uses a team of over 150 multi-lingual Web Analysts to perform quality assurance through statistical sampling of the categorizations performed by the zveloNET Auto-Categorization systems.
In addition to real-time content categorization, the zveloNET systems also perform an analysis of the URL to determine if it is infected, compromised or being used by hackers for phishing or similar scams. That work is done by zveloNET’s threat detection systems, which run each URL through a series of static, behavioral, script and code analyses processes.
This is a holistic approach to looking at the site in its totality and determining if there is something that appears anomalous and matches the patterns of compromised or exploited Web sites.
Q: What happens when a Kerio Control customer visits a new URL?
Let’s say a Kerio Control user receives an IM message from a colleague with a website link. The user clicks on the URL and Kerio Control’s Web Filter will instantly query the zveloDB. If the URL is categorized and in the zveloDB (with 99.9% coverage of the ActiveWeb, there’s a high probability it will be in the database), the zveloDB returns the category value to the Kerio Web Filter. Kerio Control then allows or blocks access to the website based on the category policy settings that have been set by the company using Kerio Control. This process is very fast and typically takes less than 100 milliseconds.
If the URL is a new website that has never been seen before, the user will get a message saying to try again in a few moments, during which time the zveloNET Auto-Categorization systems will categorize the content of the URL and determine if the site is infected or compromised.
As a side note, IT managers/administrators may configure Kerio Control to allow users to access uncategorized websites; however, we recommend blocking access to uncategorized websites, due to the high percentage of new websites which are infected.
We typically will have a new website categorized within a few seconds up to a few minutes of it being received by the Auto-Categorization systems, so when the user goes back to try again, the URL is categorized and in the zveloDB.
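The decision flow described in the last few answers (look the URL up by category, block the always-block categories, apply site policy to the rest, and defer uncategorized URLs until they have been analyzed), modelled as an added example. This is illustrative code, not Kerio's or zvelo's implementation: the category names are those listed in the interview, while the sample database entries, host names and the host/path prefix matching are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed stand-in for a category database lookup. Keys are a host,
# optionally followed by a path prefix; values are category names.
SAMPLE_DB: Dict[str, str] = {
    "intranet.example.test": "Business",
    "video.example.test": "Streaming Media",
    "login-verify.example.test": "Phishing / Fraud",
    "cdn.example.test/downloads": "Spyware & Malicious",
}

# Categories the interview recommends always blocking, regardless of site policy.
ALWAYS_BLOCK: FrozenSet[str] = frozenset({
    "Adware", "Anonymizer", "Compromised",
    "Phishing / Fraud", "Spammed", "Spyware & Malicious",
})

@dataclass(frozen=True)
class Decision:
    action: str              # "allow", "block" or "defer" (uncategorized, retry later)
    category: Optional[str]  # None when the URL is not yet in the database
    reason: str

def normalize(url: str) -> tuple:
    """Lowercase the host and keep only the path (no query, fragment or port)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path.rstrip("/")

def lookup(url: str, db: Dict[str, str]) -> Optional[str]:
    """Most specific match wins: longest host+path prefix first, bare host last."""
    host, path = normalize(url)
    segments = path.split("/")          # "" -> [""], so the bare host is always tried
    for i in range(len(segments), 0, -1):
        key = host + "/".join(segments[:i])
        if key in db:
            return db[key]
    return None

def decide(url: str, db: Dict[str, str], policy_blocked: FrozenSet[str] = frozenset(),
           block_uncategorized: bool = True) -> Decision:
    """Apply the always-block list, then site policy; handle uncategorized URLs per admin setting."""
    category = lookup(url, db)
    if category is None:
        if block_uncategorized:   # the recommended default: hold until categorized
            return Decision("defer", None, "uncategorized; ask the user to retry shortly")
        return Decision("allow", None, "uncategorized; administrator chose to allow")
    if category in ALWAYS_BLOCK:
        return Decision("block", category, "malicious category")
    if category in policy_blocked:
        return Decision("block", category, "blocked by site policy")
    return Decision("allow", category, "permitted category")
```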
I hope this discussion and description of the technology behind a key feature of Kerio Control has been productive. I invite you to check out more about Kerio Control at www.kerio.com/control and zvelo at www.zvelo.com. I’m also happy to respond to questions in the comments section of the blog.