MessageLabs HTTP Security Webcast

I watched a MessageLabs HTTP Security Webcast earlier today. I have evaluated their product both when they were reselling Scansafe and once since they implemented their own solution.
As anyone reading this site already knows, there was a big uptick in malware served by legitimate sites at the end of 2008. SQL injection and other tricks were used to get malicious code to load from legitimate websites. The old advice about “don’t click on this or that” just doesn’t work when it’s a common site compromised to serve the malware.
Spyware is even more sneaky. They use boxes that appear to be Windows Update. They pretend to be a needed codec. They masquerade as security software. They even get accepted as advertisements on legitimate banner ad networks.
As user details are stolen (such as in the hack) or voluntarily disclosed on social network sites, a treasure trove of material for a targeted attack is put into the bad guys’ hands. That, combined with public data found on genealogy sites and voter registration rolls, makes it possible to craft emails that appear to be legitimate because they already know so much about you. The questions used to reset the password on your accounts are easy to find answers to, as many celebrities have experienced, much to their chagrin.
The need for advanced web security is obvious. With MessageLabs web security, they use two antivirus engines and a pared-down version of their Skeptic heuristic engine. It’s my belief that this will provide better security than competitors.
What has kept me from implementing this solution in the past is the desire to avoid using a direct proxy. Transparent proxies work better in my opinion. MessageLabs provides a proxy for the corporate network so that internal usernames and IPs can make it to their logs (otherwise with NAT they’d only have your firewall IP as the source). I hear this proxy is a customized Squid proxy. While Squid supports WCCP, this is not something MessageLabs has supported to my knowledge. I looked at their instructions for Checkpoint to forward traffic transparently to MessageLabs. That did not solve the problem of their logs only having the firewall IP address.
While Direct versus Transparent is still a challenge, I did learn in this webcast that MessageLabs is going to be announcing a new feature next week that I’ve been looking forward to. While they didn’t say not to pass it on, I’m going to self-embargo. So hopefully I’ll get another blogging opportunity after I’ve checked out the new features.