Securing Email: Comprehensive Messaging Security - PowerPoint PPT Presentation

About This Presentation
Title:

Securing Email: Comprehensive Messaging Security

Description:

OCR Resistant Animated GIF. Viewable image contains 'pump and dump' spam... OCR Resistant Animated GIF. Frame 1 contains broken text ... – PowerPoint PPT presentation

Slides: 34
Provided by: gillianmo

Transcript and Presenter's Notes

1
Securing Email: Comprehensive Messaging Security
  • Dave Crilley, Proofpoint

2
Agenda
  • What is Messaging Security?
  • Major Spam Trends
  • Outbound Content Security Compliance
  • The Proofpoint Solution

3
What is Messaging Security?
Security threats have always been a problem to enterprises
(Diagram labels: Enterprise; SMTP, HTTP, IM and FTP services)
4
3 Major Trends
  • Rise in spam volumes
  • Rise of botnets
  • Rise of image-based spam
  • End users believe effectiveness has declined
  • Shorter, more intense, spam attacks
  • Spam circumvents filters, drops true
    effectiveness

Spam continues to be a problem facing
organizations
5
Spam Volume Continues to Increase
  • Continued increase
  • Average spam volume
  • > 3-4x in 12 months
  • Why?
  • Business is expanding
  • Spam is increasing
  • What can you do?
  • Best spam protection
  • Capacity planning

6
Why Effectiveness Matters
  • 2004 | Now
  • Volume (msg/day): 500 Thousand | 2 Million | 2 Million
  • Effectiveness: 94% | 95% | 99%
  • Spam getting through: 30,000 | 100,000 | 20,000
  • Users: 20,000 | 25,000 | 25,000
  • Spam/User: 1.5 spams | 4 spams | 0.8 spams

Better effectiveness means less spam in users' inboxes and fewer Help Desk calls
7
Spam Accuracy, 2006: 99% Effectiveness
(Chart: accuracy axis from 96% to 100%)
> 99% accuracy
8
Spam Attacks in the Old Days
9
Spam Attacks Today: Botnets
(Sends Instructions)
(Listen for Instructions)
(Receive Instructions)
(Launch Image Spam Attack)
10
Embedded Images, Often Randomized
  • Possible variants are endless; signatures are useless!
  • Proofpoint MLX includes
  • Image Fuzzy Matching
  • Web URL Reputation

11
Image Fuzzy Matching A
  • Feature Description
  • GIF80 and JPG80 algorithms
  • Effective against 3 image obfuscation techniques
  • Randomizations in unused Color Map entries
    (invisible)
  • Randomizations in bottom of image (appear as
    black lines)
  • Randomization in GIF Terminator (invisible)
  • Proofpoint algorithms correctly identify these
    randomizations

GIF Signature
Screen Descriptor
Global Color Map
Image Descriptor
Local Color Map
Raster (Image) Data
GIF Terminator
12
Image Fuzzy Matching B
  • Feature Description
  • Detects altered but similar images, even if
    alteration inside image
  • Effective against 2 obfuscation techniques
  • Images with randomized (pixilated) borders
  • Images with randomized pixels throughout image
  • Proofpoint algorithms correctly identify these
    obfuscations

13
6 Images to Reconstruct 1 Image
14
6 Different Images to Reconstruct the Same Image
15
Animated GIFs Analysis
  • Very recent threat
  • Utilizes Animated GIFs to circumvent image
    filters
  • Utilizes presence of such attributes as a
    fractional indicator of spam
  • Proofpoint identifies these spams using advanced
    analysis

Frame 1: Time 0.1 sec
Frame 2: Time 250 sec
Frame n: Time 0.1 sec
16
OCR Resistant Animated GIF
Viewable image contains pump and dump spam...
but in slow motion
17
OCR Resistant Animated GIF
Note that this is a transparent GIF, but only the
parts required to complete the image are
transparent!
  • Frame 1 contains broken text
  • Frame 2 (transparent GIF) appears after 10ms
    completing the image
  • Both images contain broken text: OCR resistant!
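
An added example, not part of the original presentation and not Proofpoint's GIF80 algorithm: a Python walk of the GIF layout listed on slide 11 that hashes only the raster data, so variants differing in an unused Color Map entry or in bytes after the GIF Terminator share one fingerprint, and that reports the per-frame delay and transparency attributes discussed on slides 15 to 17. The names `gif_features` and `build_gif` and both sample images are constructed for illustration; ignoring the Color Maps entirely is a simplification, since a stricter matcher would keep the entries the raster actually references.

```python
import hashlib
import struct

def _sub_blocks(data, pos):  # join data sub-blocks; return (bytes, next_pos)
    out = b""
    while data[pos]:
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return out, pos + 1

def gif_features(data):
    """Walk the GIF block layout and return features a filter could score."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # past GIF Signature + Screen Descriptor
    if data[10] & 0x80:                        # skip Global Color Map
        pos += 3 * (2 << (data[10] & 7))
    digest, frames, gce = hashlib.sha256(), [], (0, False)
    while data[pos] != 0x3B:                   # 0x3B = GIF Terminator
        if data[pos] == 0x21:                  # extension block
            label = data[pos + 1]
            body, pos = _sub_blocks(data, pos + 2)
            if label == 0xF9:                  # Graphic Control Extension
                gce = (struct.unpack("<H", body[1:3])[0], bool(body[0] & 1))
        elif data[pos] == 0x2C:                # Image Descriptor
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:                   # skip Local Color Map
                pos += 3 * (2 << (flags & 7))
            raster, end = _sub_blocks(data, pos + 1)
            digest.update(data[pos:pos + 1] + raster)  # LZW code size + raster
            pos = end
            frames.append({"delay_cs": gce[0], "transparent": gce[1]})
            gce = (0, False)                   # a GCE applies to one frame only
        else:
            raise ValueError("unexpected block 0x%02x" % data[pos])
    return {"frames": frames, "trailing_bytes": len(data) - pos - 1,
            "raster_sha256": digest.hexdigest()}

def build_gif(palette, delays, trailer=b""):
    """Constructed sample: 1x1 frames using color index 0, 2-entry Global Color Map."""
    out = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + palette
    for i, delay in enumerate(delays):         # delay is in 1/100 sec
        out += b"\x21\xf9\x04" + struct.pack("<BHB", i & 1, delay, 0) + b"\x00"
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return out + b"\x3b" + trailer

A = build_gif(bytes([0, 0, 0, 17, 34, 51]), [10, 25000, 10])   # constructed variant 1
B = build_gif(bytes([0, 0, 0, 200, 7, 99]), [10, 25000, 10], trailer=b"\x9a\x41\x07")
```

The two files differ byte for byte, so an exact-match signature treats them as unrelated, while `raster_sha256` is identical and `trailing_bytes` and the uneven `delay_cs` values are available as additional scoring inputs.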

18
What Is the Double Tax on Spam Effectiveness?
  • Tax 1: Increased volume, perceived drop
  • Perceived drop in effectiveness
  • Volumes of spam result in more spam in the inbox
  • End Users phone helpdesk
  • Tax 2: Sophistication, true drop
  • True effectiveness decline
  • Filters unable to handle image based spam
  • Exchange, Notes, Groupwise servers are also taxed
  • End Users phone helpdesk

19
Perception: Defenses are Failing
"They moved their message into our blind spot." - CipherTrust/Secure Computing
"As an industry I think we are losing. The bad guys are simply outrunning most of the technology out there today." - IronPort/Cisco
20
Why Are Some Solutions Failing?
  • Static technologies
  • Relying on exact matches of spam senders and
    content
  • New spam is dynamic in nature: IPs, images,
    content
  • Permutations are endless!
  • Reputation
  • Examples: CipherTrust/Secure Computing's TrustedSource,
    IronPort's SenderBase
  • How: Match sending IP addresses and rules
  • Problem: Image-based spam comes from botnets,
    with rotating IPs.
  • Signature
  • Examples: Symantec
  • How: Match copy of email (or partial copy)
    against database
  • Problem: Image-based spam's random images and text
    give endless permutations

Proofpoint's MLX technology is dynamic and
well-suited to the dynamic nature of spam
21
Spam Accuracy, 2006: 99% Effectiveness
(Chart: accuracy axis from 96% to 100%)
> 99% accuracy
22
2007 Proofpoint-Forrester Survey
  • Nearly 33% of companies employ staff to read
    outbound email.
  • More than 25% of companies terminated employees
    for violating email policies.
  • 56% say it is important or very important to
    reduce the risks of outbound email.
  • Companies estimate nearly 1 in 5 emails contains
    content that poses a legal, financial or
    regulatory risk.

Read the Proofpoint-Forrester Research report
www.proofpoint.com/outbound
23
Recent Incidents
  • Dec 2006: Texas Woman's University emails names,
    addresses and SSNs of 15,000 TWU students over a
    non-secure connection
  • Nov 2006: University of Virginia Student
    Financial Services sent e-mail messages to
    students containing 632 other students' Social
    Security numbers
  • Oct 2006: Bowling Green Police Dept. website has
    personal information on nearly 200 people the
    police had contact with: names, Social Security,
    driver's license numbers
  • Oct 2006: Republican National Committee
    inadvertently emailed a list of donors' names,
    SSNs and races to a New York Sun reporter
  • Mar 2006: Google mistakenly posts internal ad
    projections
  • Mar 2006: Blue Cross Blue Shield says contractor
    took 27,000 social security numbers
  • Feb 2006: Slip-up spills beans on Dell notebooks

See a chronological list of security breaches at
www.privacyrights.org
Source: ZDNet, Bradenton, Boston.com
24
Why is this Happening?
P(Data Loss) = no. of channels x data availability
  • Email is everywhere
  • 70% of corporate data lives in email
  • File Servers
  • Desktops
  • Laptops
  • USB Thumb Drives
  • Email
  • biggest thru 2010
  • Weblogs
  • HTTP (WebMail)
  • FTP
  • Instant Messaging
  • New Channels

Source: Gartner G00138425, 3/15/06
25
What to Do
  • Define Policies
  • Document
  • Communicate
  • Train
  • Map Technology Solution to Requirements
  • Corporate governance content
  • Structured
  • Unstructured
  • Auto-Encrypted
  • Inbound as well as Outbound
  • It's not just Email anymore
  • Webmail, Blogs, IM, FTP sites, too

26
The Proofpoint Solution
Proofpoint Attack Response Center
Network Content Sentry
Virus Protection
Zero-Hour Anti-Virus
Spam Detection
Dynamic Reputation
Regulatory Compliance
Digital Asset Security
Secure Messaging
Web-based Management Interface Policy Engine
Smart Search
27
Protecting Privacy - HIPAA
  • DeKalb Medical Center
  • 4,000 users
  • 500,000 patients annually
  • Key needs
  • Ease of administration
  • Strong PHI detection
  • Fully managed dictionaries
  • Inbound security protection
  • Results
  • Quarantined and encrypted 1,200 messages/month
  • 200,000 spam messages detected/month; 1500
    savings/day
  • 138% Return on Investment
  • Payback in 3 Quarters

28
DeKalb's Concerns
  • Outbound
  • In-house email system had no protection
    functionality
  • How to identify emails with suspect content
  • Minimal human intervention
  • Integrating with our email system
  • Retention for compliance purposes
  • Forensics
  • Training and Education
  • Inbound
  • Constant stream of help desk calls about SPAM
  • Offensive nature of SPAM was an HR concern
  • Space requirements on email server
  • Demands on an aging email gateway server
  • Malicious Code
  • Early identification and forensics

29
Protecting Privacy - GLBA
  • Leading provider of mortgage outsourcing
    solutions
  • Anti-spam, Anti-virus
  • Regulatory Compliance
  • Digital Asset Security
  • Key content security concerns
  • Protect customer financial information (GLBA
    compliance)
  • Protecting
  • loan documents
  • credit reports
  • application forms

30
Protecting Intellectual Property
  • Helicopter design manufacturer
  • Supplies the US military and Lockheed Martin
  • Anti-spam, Anti-virus
  • Digital Asset Security
  • Key content security concerns
  • Confidential design documents
  • R&D documents
  • CAD file detection

31
A Few Satisfied Proofpoint Customers
Financial Services Telecomm Technology
Retail, Services Manufacturing
Healthcare and Pharmaceuticals
Public Sector
Education
32
Learn More
  • Free Forrester Research Proofpoint Report:
    Outbound Email and Content Security in Today's
    Enterprise
  • www.proofpoint.com/outbound
  • Free white paper on how MLX technology fights
    image-based spam
  • http://www.proofpoint.com/mlxwp

33
Download a Trial Version
www.proofpoint.com/trial
Dave Crilley dcrilley_at_proofpoint.com 408-850-4105