SANS Institute Information Security Reading Room

Protecting the User: A Review of Mimecast's Web Security Service
David Szili

Copyright SANS Institute 2021. Author Retains Full Rights.

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express
written permission.
A SANS Product Review

Protecting the User: A Review of Mimecast’s Web Security Service

Written by David Szili
December 2019

Sponsored by: Mimecast

Introduction
Web and email are two primary vectors for attacks, as either the initial point of entry
into an environment or the way to complete an adversary’s mission. As CIS Control
#7 states: “Web browsers and email clients are very common points of entry and attack
because of their technical complexity, flexibility and their direct interaction with users
and with other systems and websites.”1 Unsuspecting employees remain in the firing
line despite security awareness training and increasingly intelligent security controls.
To keep up with the sophistication of the attacks and to decrease the chance of
unintended or malicious traffic, a layered, defense-in-depth approach of security
checks is required.

With the disappearance of enterprise perimeters, traditional defenses such as network
firewalls and on-site web proxies are no longer sufficient, and modern security
tools must be able to protect users and devices even when they are outside of an
organization’s physical locations.

At the same time, security teams are pressed to keep up with the constantly changing
threat landscape and new attacks while maintaining multiple, often overwhelmingly
complex, platforms. With the increasing popularity of cloud-based offerings,
organizations seek to outsource the management of security solutions, which allows
them to focus on the more important tasks—deploying security controls and monitoring
their environments, instead of spending precious time with operating entire stacks of
hardware and software.

1 https://learn.cisecurity.org/control-download [Registration required.]

©2019 SANS™ Institute
Because attackers often use web and email together (as with phishing and credential
harvesting, for example), SANS reviewed Mimecast Web Security cloud service, which
aims to provide a seamless and scalable security solution for protecting web traffic that
also can be integrated with Mimecast’s Secure Email Gateway service for more effective
protection and more straightforward setup and management.

Mimecast Web Security Service
Mimecast Web Security is a fully cloud-based service that can block access to
web activity or control which cloud apps can be accessed based on a set of policies to
protect against malicious content or to enforce acceptable use policy in an organization.

Most of the controls work at the DNS level. For more advanced capabilities, such as
URL filtering and anti-malware scans, the service uses Mimecast’s selective web proxy
filtering. Mimecast Web Security has two main operation modes: internet gateway and
Mimecast Security Agent. Regardless of the operation mode, the service works as follows:

    1.	A user device initiates a web request to a domain or URL (for example, by
        clicking on a link on a website).

    2.	The DNS request generated from the device is forwarded to the Mimecast Web
        Security service for resolution and inspection.

    3.	Policies set by the organization are applied in a specific order. The domain
        name is checked, and the website may be scanned for malicious content.

    4.	Based on the policies, access to the website is either allowed or blocked with a
        notification in the browser.

Operation Modes
Mimecast’s Web Security Service offers two different operation modes (which can be
combined and used together), as shown in Figure 1.

Figure 1. Mimecast Web Security Operation Modes (office users reach Mimecast Web
Security through the Internet Gateway, off-site users through the Mimecast Security
Agent; each request is returned as allowed or blocked)
    1.	Using internet gateways or DNS forwarders—The main benefits of this
        operation mode are the ease of configuration (that still protects every system
        connected to the configured network) and the ability to use location-based
        policies. This operation mode is also great for protecting a public Wi-Fi network
        where agent-based deployments are not possible.

    2.	Using Mimecast Security Agent—With an agent-based deployment, you can
        protect devices even if they are not connected to your corporate network, and
        you can identify users this way, which allows the configuration of user- or
        group-based policies and more granular reporting.

Internet Gateway or DNS Forwarder Deployment
One of the deployment options is to send all DNS requests to Mimecast to
protect an entire network. This requires the following setup:

    • Your organization’s egress IP address has to be added as a Location.

    • Your DNS forwarders have to be configured to include the Mimecast server IP
      address displayed in the DNS tab of the Certificate and DNS Setup dialog (see
      Figure 2).

    • If you are using an internet gateway, you need to deploy the Mimecast CA
      certificate on endpoints to display block and warning pages for sites using
      SSL/TLS.

Figure 2. Certificate and DNS Setup

Figure 3 shows the only configuration setting that is required on a firewall appliance.

Figure 3. DNS Forwarder Configuration on a Firewall Appliance2

You can easily verify your configuration by
clicking on the “Check Configuration” button
under “Web Security/Certificate and DNS Setup.”
Figure 4 shows the configuration confirmation.

Figure 4. Network Protected by Mimecast Web Security

2 Captured from the reviewer’s environment; SANS does not endorse or guarantee in any way.

Agent Deployment
To protect off-site users and those with user- or group-specific policies, the Mimecast
Security Agent must be installed on their devices. The Mimecast Security Agent also
takes care of the DNS and Mimecast certificate authority (CA) certificate configuration
on the endpoint, so the only component that needs to be deployed is the lightweight
agent software.

Agent installation requires the creation of an authentication key via the Mimecast
administration console. This authentication key is included with the Mimecast Security
Agent installer or can be downloaded separately (see Figure 5). Mimecast Security Agent
is currently available for Windows, macOS and iOS.

Figure 5. Mimecast Security Agent Authentication Key

The PC agent installer contains MSI packages for 32- and 64-bit systems, making it very
easy to install on a single device by following the installation steps. It is also possible to
simply create a package and deploy it on multiple devices using a systems management
software product.

The macOS installer package (shown in Figure 6) is in PKG format, which makes the
installation on a single device or the deployment on multiple devices with a systems
management solution as easy as it is on PCs. The installer requires administrator
privileges, and for Apple High Sierra OS or higher, the third-party kernel extension
(kext) must be authorized when installing for the first time.

User identification provides visibility of user activity, whether it is a local user or
an Active Directory domain user, and can be used for reporting and creating user- or
group-specific policies. Mimecast Security Agent offers user authentication, which can
be forced after installation, as well as transparent user identification based on the
domain login username. See Figures 7 and 8.

Figure 6. Mimecast Security Agent PC and MAC Installer Wizards

Mimecast Security Agent is also available for iOS devices running iOS 12 or later (when
we tested the product, this feature was in beta stage but has since been released). The
Security Agent app must be deployed via an enterprise mobility management (EMM)/
mobile device management (MDM) solution and platform that supports the AppConfig
standard. The device needs to be in supervised mode to manage and distribute a profile
and the CA certificate for Mimecast (see Figure 9).

Figure 7. Mimecast Security Agent Authentication for PC

Figure 8. Mimecast Security Agent Authentication for MAC

Figure 9. Mimecast Profile and the CA Certificate on an iPad

Because Apple Device Enrollment Program (DEP) and Apple Configurator 2 are
supported, even smaller enterprises can benefit from the Mimecast Security Agent
protection on their iOS devices.

Users can check the agent status in the Security Agent app to see recently blocked
activities, with a detailed breakdown for different apps and browsers (see Figure 10).
This in-app report contains the past 30 days of blocked activity.

Figure 10. Mimecast Security Agent Activity Report

Users get a notification if they are using an app that connects to a domain blocked by a
policy. A block or warning message is also displayed when they are using a browser, as
shown in Figure 11. If needed, these block pages can be fully customized and branded.

Figure 11. Request Blocked in Safari and Chrome

Note that due to the iOS design and architecture, an iOS device will not be protected if it
is configured to use a proxy server or a VPN application, or if it uses a browser that uses
VPN, proxy services or loads web pages on the server-side. Similarly, a tethered device
that is using the iOS device as a hotspot is not protected by Mimecast Web Security.
These are not limitations of the Security Agent itself, but the way iOS works.

To prevent tampering with the Mimecast Security Agent, separate passwords are required
to disable or to uninstall the agent from a device (see Figure 12). It is also possible
to allow/disallow users to check for updates and install them on their devices.

Figure 12. Disable Password Required to Turn off the Agent

Web Security Policies
Mimecast Web Security offers six main Web Security Policy types. Each policy can be
applied to either every user or to selected locations, groups (Active Directory [AD]
groups or local groups in Mimecast) and users in an organization. See Figure 13.

Figure 13. Web Security Policy Types

Policies are applied in the following order of precedence, as shown in Figure 14.

Figure 14. Mimecast Web Security Policy Precedence List (Block/Allow; Targeted Threat
Protection Managed URLs; Newly Observed Domain; Application Control; Category
Filtering; Similarity Check; Anti-Virus)

    1.	Block and Allow List policies—A check is performed to see if the domain or URL
        is explicitly blocked or allowed in a Block and Allow List policy. If it is, then
        the appropriate action is applied.

    2.	Targeted Threat Protection policies with Managed URLs enabled—If there is no
        matching Block and Allow List policy, a check is made for Targeted Threat
        Protection policies where the “Managed URLs” option is enabled to see if the
        domain or URL is defined as a managed URL in “Targeted Threat Protection/URL
        Protection/Managed URLs.” Targeted Threat Protection is part of Mimecast’s
        Email Security service, and integrates with Mimecast Web Security to deliver
        this capability.

    3.	Advanced Security policies with Newly Observed Domains enabled—If there
           is no matching Targeted Threat Protection policy with the “Managed URL”
           option enabled, a check is made for Advanced Security policies with the “Newly
           Observed Domains” option enabled.

    4.	Application Control—If there is no matching Advanced Security policy with
           the “Newly Observed Domains” option enabled, Application Control policies are
           evaluated to see if there is a policy defined for a specific cloud application and,
           if there is, the appropriate block or allow action is applied.

    5.	Category Filtering—If there is no matching Application Control policy, the Category
           Filtering policies are checked to see if the domain or URL is part of a Category
           Filtering policy. If it is, then the appropriate block or allow action is applied.

    6.	Targeted Threat Protection policy with Similarity Check enabled—If there is no
           Category Filtering policy, a check is made for a Targeted Threat Protection policy
           with the “Advanced Similarity Checks” option enabled.

    7.	Antivirus checks—If a domain or URL triggers no web security policies, antivirus
           checks are initiated for sites that are not categorized to ensure that the website
           visited does not contain malicious content.

If there are multiple Web Security policies of the same type, they are applied to web
requests based on their specificity. The more specific a policy is, the higher its priority:

    1.     Policies targeting a user have higher priority than those that target a group.

    2.     Policies targeting a group have higher priority than those that target a location.

    3.     Policies targeting a location have higher priority than those that target everyone.
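To make the evaluation order concrete, here is a small Python model of the precedence and specificity rules just described. It is an added example written for this review's readers, not Mimecast's code; the `Policy` and `Request` structures, the policy type identifiers and the sample policies are assumptions constructed for the illustration, and domain matching is simplified to an exact host comparison.

```python
"""Model of the Web Security policy evaluation order described in this section.
Added illustration, not Mimecast's own code; the Policy/Request structures, the
policy type names and the sample data are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Policy types in evaluation order; the first stage with a match decides.
PRECEDENCE = [
    "block_allow_list",         # 1. Block and Allow List
    "ttp_managed_urls",         # 2. Targeted Threat Protection, Managed URLs
    "newly_observed_domains",   # 3. Advanced Security, Newly Observed Domains
    "application_control",      # 4. Application Control
    "category_filtering",       # 5. Category Filtering
    "ttp_similarity_check",     # 6. Targeted Threat Protection, Similarity Check
]
# Stage 7 (antivirus scan) is the fall-through when nothing above matched.

# Within one policy type the more specific target wins: user > group > location > everyone.
SPECIFICITY = {"user": 0, "group": 1, "location": 2, "everyone": 3}


@dataclass
class Policy:
    ptype: str               # one of PRECEDENCE
    target_kind: str         # "user", "group", "location" or "everyone"
    target: Optional[str]    # username, group name or egress IP; None for everyone
    domains: Set[str]        # domains the policy covers (simplified: exact host match)
    action: str              # "allow", "block" or "warn"


@dataclass
class Request:
    domain: str
    user: str
    groups: Set[str]
    location: str            # egress IP address the request came from


def applies_to(policy: Policy, req: Request) -> bool:
    """True when the policy's target scope covers this request."""
    if policy.target_kind == "everyone":
        return True
    if policy.target_kind == "user":
        return policy.target == req.user
    if policy.target_kind == "group":
        return policy.target in req.groups
    if policy.target_kind == "location":
        return policy.target == req.location
    raise ValueError(f"unknown target kind {policy.target_kind!r}")


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Return (action, stage) for the request.

    Stages are tried in PRECEDENCE order; the first stage with any matching
    policy decides. Inside that stage the most specific target wins. If no
    policy matches at all, the request falls through to the antivirus scan."""
    for ptype in PRECEDENCE:
        candidates = [
            p for p in policies
            if p.ptype == ptype and applies_to(p, req) and req.domain in p.domains
        ]
        if candidates:
            winner = min(candidates, key=lambda p: SPECIFICITY[p.target_kind])
            return winner.action, ptype
    return "scan", "antivirus"


if __name__ == "__main__":
    # Constructed sample: a global Category Filtering block on a social site,
    # a marketing-group allow of the same type, and an unrelated list entry.
    sample = [
        Policy("category_filtering", "everyone", None, {"social.example"}, "block"),
        Policy("category_filtering", "group", "marketing", {"social.example"}, "allow"),
        Policy("block_allow_list", "everyone", None, {"bad.example"}, "block"),
    ]
    marketing = Request("social.example", "alice", {"marketing"}, "203.0.113.10")
    print(evaluate(sample, marketing))  # ('allow', 'category_filtering')
```

The ordering rule is what makes the Block and Allow List an override: an explicit list entry wins even over a more specifically targeted policy of a later type, so the specificity rule only breaks ties inside one stage.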

Block and Allow List
Block and Allow List policies are for specific domains and URLs managed either
individually or by uploading a list in a CSV file (Mimecast provides a template CSV file for
this, where the maximum number of entries in a .CSV file is 5,000). When using Block or
Allow List policies, a URL takes precedence over a domain as it is more specific.

Domains and URLs have specific syntax rules:

    • Wildcard characters are not accepted and are treated as standard alphanumeric
         characters.

    • Protocol prefixes (such as http:// and https://) and ports (such as :8080)
         are stripped from the URL.

    • Fragments (e.g., www.example.com/#anchor) are also stripped from the URL.

    • Query string parameters, however, are accepted. The parameter order is ignored,
         but parameters are case sensitive.

    • A higher level path covers URL sub-paths, but a path is case sensitive.

With Block or Allow List policies, it is also possible to allow or block top-level domains
(TLDs). This offers granular control to allow or block a sub-domain under a TLD. TLDs are
accepted without punctuation (you do not have to include a period before the TLD).

Note that, because most Mimecast Web Security technology relies on DNS, Web Proxy
must be enabled in an Advanced Security Policy to block or allow specific URLs that
are defined in a Block and Allow List. Keep in mind that a Block or Allow List policy
takes precedence over any other type of web security policy, including Targeted Threat
Protection Managed URLs. See Figure 15.
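The syntax rules above and the TLD handling just described amount to a normalization-and-matching procedure. The following Python code, added here as an illustration and not taken from Mimecast, implements them: `normalize` applies the stripping rules, `classify` distinguishes TLD, domain and URL entries, and `decide` picks the most specific matching entry. Where the paper is silent, the code assumes that a domain entry matches that host exactly, that a URL entry's query parameters must all be present in the request (extra request parameters are ignored), and that URL entries beat domain entries, which beat TLD entries.

```python
"""Normalization and matching for Block and Allow List entries, following the
syntax rules in this section. Added for this review's readers; not Mimecast's
implementation. Assumed where the paper is silent: a domain entry matches the
host exactly, a URL entry's query parameters must all be present in the request,
and URL entries beat domain entries, which beat TLD entries."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple
from urllib.parse import parse_qsl

Normalized = Tuple[str, str, FrozenSet[Tuple[str, str]]]


def normalize(entry: str) -> Normalized:
    """Return (host, path, query_params) for a list entry or a requested URL.

    Scheme and port are stripped, the fragment is dropped, and the query string
    is kept as an order-independent but case-sensitive set of (name, value)
    pairs. Wildcards are not interpreted: '*' is just another character."""
    s = entry.strip()
    s = s.split("#", 1)[0]                       # drop fragment (www.example.com/#anchor)
    if "://" in s:
        s = s.split("://", 1)[1]                 # drop protocol prefix
    hostport, slash, rest = s.partition("/")
    host = hostport.split(":", 1)[0].lower()     # drop port; hostnames are case-insensitive
    path, _, query = (slash + rest).partition("?")
    params = frozenset(parse_qsl(query, keep_blank_values=True))
    return host, path, params


def classify(host: str, path: str, params: FrozenSet) -> str:
    """'tld' for a bare label such as 'xyz', 'domain' for a host only, else 'url'."""
    if path.strip("/") or params:
        return "url"
    return "domain" if "." in host else "tld"


RANK = {"url": 0, "domain": 1, "tld": 2}     # lower value = more specific


@dataclass(frozen=True)
class ListEntry:
    raw: str        # as typed into the console or the CSV file
    action: str     # "block" or "allow"


def entry_matches(entry: ListEntry, request_url: str) -> bool:
    eh, ep, eq = normalize(entry.raw)
    rh, rp, rq = normalize(request_url)
    kind = classify(eh, ep, eq)
    if kind == "tld":
        return rh == eh or rh.endswith("." + eh)
    if rh != eh:
        return False
    if kind == "domain":
        return True
    # URL entry: a higher-level path covers its sub-paths, but paths are case sensitive.
    base = ep.rstrip("/")
    if base == "":
        path_ok = rp in ("", "/")
    else:
        path_ok = rp == base or rp.startswith(base + "/")
    if not path_ok:
        return False
    return eq <= rq                             # parameter order ignored, case kept


def decide(entries: List[ListEntry], request_url: str, default: str = "no_match") -> str:
    """Action of the most specific matching entry: URL beats domain beats TLD,
    and among URL entries the longer path (then the more parameters) wins."""
    best = None
    for e in entries:
        if entry_matches(e, request_url):
            h, p, q = normalize(e.raw)
            rank = (RANK[classify(h, p, q)], -len(p.rstrip("/")), -len(q))
            if best is None or rank < best[0]:
                best = (rank, e)
    return best[1].action if best else default


if __name__ == "__main__":
    # Constructed sample list: block the domain, allow one documentation path.
    sample = [ListEntry("example.com", "block"),
              ListEntry("https://example.com:8080/docs/#top", "allow")]
    print(decide(sample, "example.com/docs/guide.html?b=2&a=1"))  # allow
    print(decide(sample, "example.com/Docs/"))                     # block
```

Two of the rules are easy to get wrong when populating the CSV: a `*` in an entry never matches anything except a literal asterisk, and a path or query value that differs only in letter case is a different entry.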

Figure 15. Adding Domains and URLs Individually or Multiple Domains/URLs in a Batch
(Using a CSV File)

Application Control
Application Control policies allow filtering based on the application rather than a
domain or URL, offering a much more fine-grained control (at the time of writing, this
feature was not released to the public). For example, Facebook might be allowed for the
Marketing team, but Facebook Messenger can be still blocked. See Figure 16 as an
example.

Application Control can help in detecting shadow IT activity and, when the Mimecast
Security Agent is deployed on devices, it also ensures consistent application of policy
across all devices by blocking unapproved applications within an organization.

Currently, there are nearly 700 different applications known to Mimecast Web Security.
The Application Visibility and Control dashboard also allows the administrators to
monitor what applications are being used in their environments and decide if they
should be allowed or blocked.

Figure 16. List of Applications to Block or Allow

Category Filtering
Category Filtering settings block or allow domains and URLs based on predefined security
and content categories. Security categories allow explicit blocking of domains such as
anonymizers, attacker-controlled infrastructure (e.g., command and control domains),
botnets, compromised domains, hacking-related domains, known malware domains, phishing
and fraud, potentially malicious sites or spam sites. See Figure 17.

Figure 17. Security Categories Available

Content categories allow explicit blocking of eight main domain categories and several
subcategories including adult content, bandwidth-intense domains, illegal content,
different productivity categories, social media domains, and domains that do not fit
into major categories such as parked or unknown domains (see Figure 18).

Figure 18. Main Content Categories Available

To check which category a specific domain or URL belongs to, the administrative
interface offers a lookup functionality that also allows category change requests to be
sent, as shown in Figure 19.

Figure 19. Domain and URL Category Lookup

Targeted Threat Protection
Targeted Threat Protection policies contain settings for Managed URLs and Advanced
Similarity Checks. This policy type is visible only if the URL Protection package is
enabled for an account. URLs and domains from the organization’s Managed URLs list can
be blocked. See Figure 20.

Figure 20. Managing URLs

Note that similar to Block and Allow Lists, Web Proxy must be enabled in an Advanced
Security Policy to block URLs. By enabling Advanced Similarity Checks (as shown in
Figure 21), DNS requests are checked against both Mimecast’s managed domain lists and
custom-monitored internal and external domains to either warn users or block access.

Figure 21. Enabling Advanced Similarity Checks

Adding Custom Monitored External Domains ensures that these domains specific to the
customer’s business and supply chain are included as part of the Targeted Threat
Protection subscription, and they are monitored for spoofing attacks. See Figure 22.

Figure 22. Custom Monitored External Domains

Advanced Security
Advanced Security policies can be used to configure SafeSearch, Newly Observed Domains
and Web Proxy settings (see Figure 23). When SafeSearch is enabled for Google, Bing or
YouTube, it helps block explicit images, videos and websites from search results. Note
SafeSearch is actually implemented by the search engines. The Newly Observed Domains
setting can be turned on to block domains that might be malicious because either they
were recently registered or never seen before. Web Proxy settings allow powerful
features such as SSL inspection, URL categorization and antivirus scanning.
Unscannable (encrypted or corrupted) content can be blocked or allowed by the Mimecast
web proxies as shown in Figure 23.

Figure 23. Web Proxy Settings

Log Settings
Log Settings policies allow organizations to comply with data and
privacy regulations by defining which web security information
should be logged. The default setting, if there is no Log Settings
policy set, is to log all activity (see Figure 24). Other options
include no user activity to be logged or to log security events
only (e.g., visits to malicious sites). In the latter case, activity and
security logs still show all security events.

Figure 24. Log Settings

Other Settings
There are two additional options tied to policies: Exceptions and
Locations. Exceptions can be used to create a list of trusted domains
(such as an organization’s internal domains) and IP addresses to make
sure they are never blocked by any policy, while Locations allow defining
policies based on different egress IP addresses.

Exceptions
Exceptions can be used to bypass the Mimecast Web Security functionality for trusted
domains and IPs. For a domain added to the exceptions list (shown in Figure 25),
security policies are not applied, and user activity is not logged. If a DNS request
resolves to an IP address in the exception list, configured security policies are not
applied, but the activity is logged.

Figure 25. Exceptions List

All exceptions should be carefully considered, as they override all other
policies. Add only those domains and IPs that are fully trusted, such as
internal company sites.

To make the initial configuration process more straightforward, a default
exceptions list is created with the following top-level domains: local,
internal, lan, home, corp, localdomain, domain and mail.
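A small Python helper, added here and not part of Mimecast, that encodes the two exception outcomes above (excepted domain: no policies and no logging; excepted resolved IP: no policies but still logged) together with the default TLD exception list. It assumes that a domain exception also covers its subdomains and that IP exceptions may be written as single addresses or CIDR ranges; both are the example's assumptions, not statements from the paper.

```python
"""Decision helper for the Exceptions semantics described in this section.
Added illustration, not Mimecast code. Assumed: a domain exception covers its
subdomains; IP exceptions may be single addresses or CIDR networks."""
import ipaddress
from typing import Iterable, Tuple

# Default exception list created at initial configuration (listed in the paper).
DEFAULT_EXCEPTION_TLDS = ("local", "internal", "lan", "home", "corp",
                          "localdomain", "domain", "mail")


def domain_excepted(domain: str, exception_domains: Iterable[str] = ()) -> bool:
    """True if the queried name falls under a configured or default exception."""
    host = domain.lower().strip(".")
    for ex in list(exception_domains) + list(DEFAULT_EXCEPTION_TLDS):
        ex = ex.lower().strip(".")
        if "." in ex:                                   # full domain: exact or subdomain
            if host == ex or host.endswith("." + ex):
                return True
        elif host.split(".")[-1] == ex:                 # bare TLD such as "corp"
            return True
    return False


def ip_excepted(ip: str, exception_ips: Iterable[str] = ()) -> bool:
    """True if the resolved address is in any excepted address or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in exception_ips)


def exception_outcome(domain: str, resolved_ip: str,
                      exception_domains: Iterable[str] = (),
                      exception_ips: Iterable[str] = ()) -> Tuple[bool, bool]:
    """Return (apply_policies, log_activity) for one DNS request.

    Excepted domain: policies skipped and nothing logged.
    Excepted resolved IP: policies skipped but the activity is still logged.
    Otherwise: normal policy evaluation and logging."""
    if domain_excepted(domain, exception_domains):
        return False, False
    if ip_excepted(resolved_ip, exception_ips):
        return False, True
    return True, True


if __name__ == "__main__":
    # Constructed sample: an internal name under the default "corp" TLD exception.
    print(exception_outcome("intranet.corp", "10.0.0.5"))  # (False, False)
```

Because an excepted domain leaves no activity log entry at all, the difference between the two outcomes matters for detection: an exception on a domain removes visibility, an exception on an IP only removes enforcement.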

Locations
Locations are defined as the egress IP address of a network, allowing granular policies
for different corporate locations. The egress IP address is visible for every DNS and
web request coming from a network and is used to map configured policies to the
request. See Figure 26.

Figure 26. Locations List

Reporting Capabilities
The Mimecast Web Security Administration Console offers a variety of dashboards and
reporting features and the capability to export logs in CSV or XLSX format. These include
activity and security event reports, a list of protected devices and dashboards for
allowed/blocked web requests or application usage.

Web Security Dashboard
The Web Security Dashboard has an activity chart of the allowed and blocked requests
from the previous seven days. It does not display real-time data; instead, it displays
summary data that is refreshed every 30 minutes. See Figure 27.

Figure 27. Web Security Dashboard and Activity Chart

The dashboard also has visualizations of the top 10 most accessed domains, the top
10 most accessed site categories, the top 10 blocked domains and the top 10 blocked
categories, as shown in Figure 28. The ability to customize the dashboard would be a
logical improvement.

Figure 28. Top 10 Domains and Categories

Activity Report

The Activity Report (shown in Figure 29) displays log entries of all DNS and URL
requests in real-time. It is possible to identify the user, device name and IP addresses,
and administrators can identify which devices have a specific app installed. The
columns displayed can be changed, and it is also possible to export the logs in CSV or
XLSX format.

Figure 29. Activity Report

Data can be searched, and after records are displayed in the activity report, they can
be filtered to focus on specific actions, discovery methods, categories, events, filtering
reasons, application names or application categories. See Figure 30.

Figure 30. Activity Report Filtering

Security Report
Security Report (shown in Figure 31) is very similar to the Activity Report, but it displays
only a log of security threat data. It offers the same features as Activity Report: Data can
be searched, filtered and exported to CSV or XLSX.

Figure 31. Security Report

Application Visibility and Control
The Application Visibility and Control dashboard provides an overview of the
applications used in an organization. It is a great way to gain detailed visibility
of user behavior and egress traffic of the protected devices as well as to discover
shadow IT. See Figure 32.

Figure 32. Sanctioned, Non-sanctioned and Monitored Applications

The dashboard also has visualizations of the top 10 sanctioned applications, top
10 non-sanctioned applications, top 10 monitored applications, top 10 application
categories, top 10 blocked applications and top 10 blocked users, devices and IP
address. See Figure 33.

Figure 33. Application Visibility and Control

Administrators can choose which applications to sanction (for approved
applications) or monitor (for applications that are not explicitly prohibited or
approved). See Figure 34.

Figure 34. Application List

Protected Devices
The Protected Devices dashboard provides information on, and the protection status of,
corporate devices that run the Mimecast Security Agent. The list of devices can
be filtered by a device's status or searched based on a device's name, as shown
in Figure 35.

Figure 35. Protected Devices

Audit Logs
The Audit Logs dashboard allows you to search, review and export (CSV or XLSX
format) logs regarding account access and configuration changes made by
administrators (see Figure 36). These logs are not only for Mimecast Web Security
but also for all enabled Mimecast services.

Figure 36. Mimecast Audit Logs

Integration with Mimecast Secure Email Gateway
Mimecast Web Security can be combined with Mimecast’s Secure Email Gateway
service through Targeted Threat Protection. This way, the same intelligence
sources are used for email and web. The management of these security services
is done via a single administration console. This combined solution offers
consistent and consolidated cloud-based protection against the two dominant
attack vectors. The integration also has other advantages, such as simpler setup
and management when it comes to Active Directory synchronization, which needs to
be configured only once.

Best Practices for Mimecast Web Security
As described earlier, Mimecast Web Security offers two different operation modes.
The Internet Gateway/DNS Forwarder route is a good fit for office locations or
public Wi-Fi. Deploying the Mimecast Security Agent, however, allows you to
protect your users and devices even when they are not on your corporate network.

When you create a new Web Security Policy, the first thing you must decide
is whether you want to take a blacklist (block) or whitelist (allow) approach.
Blacklisting defines a list of blocked domains or URLs. It is typically a more
straightforward method of control, but blacklists are also easier to bypass
because it is not feasible to list all the “bad” sites on the Internet. On the other
hand, whitelisting tells a system what is allowed. It provides better security

because it is more restrictive compared with blacklisting; however, maintaining a
whitelist (especially for larger organizations) can be a challenging task. One way to
implement these lists is by using Block or Allow List policies.

A typical approach is to mix blacklisting and whitelisting and define lists of “known-bad”
and “known-good” domains and URLs. The Activity Report and Application Visibility
and Control functionalities in Mimecast Web Security can provide excellent visibility
into your organization’s web traffic. Using these features, you are able to monitor user
behavior and decide if a given connection to a domain, URL or application should
be allowed or blocked. After you have made a decision, you can update your policies
accordingly.

The most common filtering policy in enterprise environments is some form of category
filtering. The list of categories to be blocked or allowed is unique to each organization.
Unfortunately, there is no magic formula, as it depends on your business needs. As
a best practice, when you define your Category Filtering policies, it is often safe to
assume you will not block core business traffic by enabling all Security Categories
because these are all tied to malicious activities.

For content categories, however, you must be careful: Acceptable use policies usually
prohibit domains categorized as “adult” such as nudity, pornography, hate and
violence, and you have to put a security control in place to explicitly block them. You
probably also want to block resource-intensive usage such as advertisement, peer-
to-peer or cryptocurrency-related traffic. Web-based email is a frequent source of
incidents, as it bypasses enterprise security controls and might introduce malicious
code to your environment, or it can be used for exfiltration—therefore, if your acceptable
use policy forbids it, you can add this category to your block list. Social media sites
including dating or instant messaging should fall under similar scrutiny as web-
based email services. Attackers regularly register domains in advance of launching a
campaign; these domains are called “parked domains,” and it is a good idea to block
these. Unknown or uncategorized domains are a harder nut to crack. This is where the
blacklisting vs. whitelisting decision comes into play, and you must decide if you want to
allow uncategorized sites or to be more restrictive, risking that you might block domains
your users would like to access. In the case of Mimecast Web Security, uncategorized
sites can be proxied to undertake more in-depth scanning and checks.

Similar to category filtering, Application Control policies permit you to block or allow
certain application categories or to have a more fine-grained approach and do it more
selectively on specific applications.

By adding Custom-Monitored External Domains to your Targeted Threat Protection
service, you can ensure you also get additional protection for your organization’s
domains or domains belonging to your key customers and vendors, which are not
among the default Mimecast domains. You can also add your vendor domains to provide
extra protection against supply-chain attacks using a domain name similar to your
vendors. Enabling Advanced Similarity Checks and using the integration with Mimecast
Secure Email Gateway through Targeted Threat Protection is a great way to implement
defense-in-depth against more sophisticated phishing attacks.

Enabling Advanced Security Policy features such as SafeSearch filters, blocking Newly
Observed Domains (just like parked domains, these have a higher risk of hosting
malicious content) or Web Proxy filtering can all contribute to the overall security of
your organization.

Regardless of what type of blocking policy you put in place, you should have a list of
domains and URLs that are critical to your organization. You can create exceptions for
these trusted domains and IPs to ensure they are never going to be blocked.
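The policy layering described in this section (trusted exceptions, security categories, blocked content categories, lookalike checks against your own and your vendors' domains, and a proxy-or-allow decision for uncategorized domains) can be modelled as a small evaluator. The following is an added example and is not Mimecast code; the category names, the order of the checks and the edit-distance threshold are assumptions, and the sample domains are constructed.

```python
"""Toy web-filtering policy evaluator (added example, not Mimecast code)."""
from dataclasses import dataclass, field

# Constructed sample category sets; a real service supplies its own taxonomy.
SECURITY_CATEGORIES = {"Phishing & Fraud", "Spam Sites", "Malware", "Parked Domains"}
BLOCKED_CONTENT = {"Web-based Email", "Peer-to-Peer", "Cryptocurrency", "Adult"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a stand-in for an 'advanced similarity check'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Policy:
    trusted: set = field(default_factory=set)     # exceptions: never blocked
    monitored: set = field(default_factory=set)   # your own / vendor domains
    allow_uncategorized: bool = False             # False = send to web proxy
    lookalike_threshold: int = 2                  # assumed distance cut-off

    def evaluate(self, domain: str, categories: set) -> str:
        """Decide one DNS lookup: 'allow', 'proxy' or 'block:<reason>'.

        Check order is an assumption: exceptions first, then security
        categories, then content categories, then lookalike detection,
        and finally the uncategorized-domain decision.
        """
        if domain in self.trusted:
            return "allow"
        hits = categories & SECURITY_CATEGORIES
        if hits:
            return "block:security:" + sorted(hits)[0]
        hits = categories & BLOCKED_CONTENT
        if hits:
            return "block:content:" + sorted(hits)[0]
        # A domain close to, but not equal to, a monitored one is a lookalike.
        for good in self.monitored:
            if domain != good and edit_distance(domain, good) <= self.lookalike_threshold:
                return "block:lookalike"
        if not categories:
            return "allow" if self.allow_uncategorized else "proxy"
        return "allow"
```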

Mimecast Web Security also allows you to fine-tune your policies and apply them only
to specific users, groups or locations. By segmenting your user population based on
organizational units or office location, you can tailor your web filters for specific needs.
Your developers might have to look for solutions on Stack Overflow or use a project
from GitHub, but your HR or accounting personnel have no business reason to connect to
these sites.

Web Security Use Cases
The simplest way to get started with web filtering is to implement category filtering. This
allows an organization to quickly set up filtering for known malicious domains and URLs,
and rely on Mimecast’s categorization and threat intelligence. The security and content
categories block unwanted domains and URLs, whether it is a link clicked in an email or
on a web page or it is a domain typed into a browser URL bar by a user. Targeted Threat
Protection also allows integration with Mimecast Secure Email Gateway, protecting
emails and web traffic in a unified manner.

Figure 37 shows the default block message for category filtering. The domain "tamilhndu.com"
is blocked by the "Spam Sites" security category, while "hotmail.com" was blocked
by the "Web-based Email" content category.

Security and content category filtering can block phishing emails attempting
credential harvesting or malicious file delivery attacks. It is crucial to keep in
mind that category filtering is not perfect, and a domain might not be categorized
at the time of the attack. The Advanced Similarity Checks and Newly Observed Domains
features could still stop the request by checking for newly registered or lookalike
domains, and uncategorized domains can be sent to the Mimecast web proxy for
further checks.

Figure 37. Mimecast Web Security Category Filtering in Action

Figure 38 shows how "mimcast.com" was blocked by the "Phishing & Fraud" security
category, while the domain "mirecast.com" was not blocked by any category; however,
Mimecast Web Security was still able to block the phishing attempt with the Advanced
Similarity Checks feature. This highlights the importance of implementing different Web
Security Policy types to have the best protection available with Mimecast Web Security.

Figure 38. Mimecast Web Security Category Advanced Similarity Checks in Action

Mimecast Web Security goes beyond just protecting your users' web browsing
activity. Modern attackers and malware try to "live off the land" and use built-in
operating system tools and functionality such as PowerShell to communicate with a
command and control (C2 or C&C) server or to download malicious code. Because
Mimecast Web Security filtering is mainly based on DNS, these attempts are also
going to be blocked by your web security policies. Figure 39 shows a PowerShell
command to get the content of the legitimate "sans.org" web site using the
Invoke-WebRequest cmdlet. This request is allowed by the Mimecast Web Security
Agent; however, the request going to "sanns.org" is blocked, as shown in Figure 40.

Figure 39. PowerShell Request to a Legitimate Domain (Allowed)

Figure 40. PowerShell Request to a Lookalike Domain (Blocked)

Conclusion
Security controls must be scalable, easy to maintain and address the reality that
endpoints are the new perimeter. Mimecast Web Security offers a modern, unique
approach to protect users and their web traffic, and it offers the potential to combine it
with Mimecast’s Secure Email Gateway service to cover email security as well.

SANS found that it takes minutes to set up and use Mimecast Web Security, whether
it was done with the Internet Gateway/DNS Forwarder deployment model or using
the Mimecast Security Agent. Testing multiple scenarios and setups demonstrated the
extensive platform coverage including Windows, macOS and iOS devices, which should
be sufficient for most enterprise environments.

The granularity of web filtering policies and the number of features make this solution
very flexible, yet it is still easy to configure and maintain. The documentation provides
all the information needed and also contains recommendations and tips for the
administrators.

The ease of installation of the lightweight agent and management through the cloud-
based administration console is a combination that could be very attractive for security
teams, especially short-staffed teams that must carefully consider where they are going
to focus their efforts to improve the security posture of their organization.

About the Author
David Szili is a SANS instructor for SANS FOR572: Advanced Network Forensics:
Threat Hunting, Analysis, and Incident Response. A managing partner and CTO at a
Luxembourg-based consulting company, he has more than eight years of professional
experience in penetration testing, red teaming, vulnerability assessment, vulnerability
management, security monitoring, security architecture design, incident response,
digital forensics and software development. David holds several IT security certifications,
including the GSEC, GCFE, GCED, GCIA, GCIH, GMON, GNFA, GPYC, GMOB, OSCP, OSWP and
CEH. He is also a member of the BSides Luxembourg conference organizing team.

Sponsor

SANS would like to thank this paper’s sponsor:
