Upload: chris-sparshott

Post on 16-Apr-2017

IBM Lotus Protector for Mail Security

V 1.53P

This talk introduces the Lotus Protector security strategy, and features Protector for Mail Security, the first offering in the product delivery plan.

Notes/Domino: The Gold Standard for e-mail Security

World's largest deployed public key infrastructure

Every user operates with an RSA-based certificate

Application level security guards against Internet-style attacks

Resists address book harvesting, worms, executables

Execution control lists (ECLs) that mistrust by default

Security foundation in the DNA

Certificates, strong passwords, file/protocol encryption

Object level access control, roles-based security, revocation

Don't you wish everything was as secure as Notes? This hard-earned reputation for protecting customers and end users is what separates Lotus from other e-mail vendors. Today we'll be talking about Lotus Protector, a new family of security offerings that extends this legendary security to the next layer, protecting against Internet-borne threats and securing sensitive or confidential information from loss via e-mail.

E-mail security is harder, more important than ever

Spam, Phishing, and Malware comprise up to 90% of all SMTP traffic

Costly in bandwidth and CPU

Company image and employee satisfaction

Attacks now a sophisticated, specialized, for-profit business

Organized crime and terrorist funding

Targeted industrial espionage and financial fraud

Sensitive information and risk proliferates

Intentional and inadvertent loss of confidential content

Theft of data and interception of data in motion

E-mail has proved to be a boon to communication and productivity, but it is also a prime attack vector for those who would separate you from your assets, whether monetary or confidential data. Spam, viruses, trojans, targeted attacks, and spyware infest the Internet. By many accounts, the vast majority of all traffic is garbage: either garden-variety spam or much more malicious content. It clogs up your bandwidth and systems and, if it gets through, it can impact your organization's image inside and outside the firewall.

Every day the sophistication and risk grows, as the bad guys increasingly seek to monetize the use of spam and malware, aided by worldwide networks of compromised servers and PCs that lower the effective cost of the activity to zero.

Furthermore, companies face increasing risks that sensitive data can leak out via e-mail, intentionally but more often inadvertently or carelessly, creating competitive disadvantages, risks, and liabilities.

E-mail-borne attacks change rapidly

Source: IBM X-Force Research 2008

As this chart shows, the game of cat-and-mouse between criminals and security experts has created a fast-changing environment. IBM X-Force analysis shows several trends. Keyword spam was largely defeated, so image spam spiked until methods were devised to combat it. Recently it's simple URL-based spam, where the only goal is to get users to click on links that either present a detailed sales pitch or, more ominously, seek to plant drive-by malware on their computers. Spam and phishing URLs are now engineered for short lifespans, so they can be used in the time before they are either detected by filters or taken down by their hosts.

Dynamics of Security Integration

Chart: Silo Security versus Integrated Security, plotted on axes of Effort / Complexity and Effectiveness

The problem with all of these threats and risks is that they often require different tools and approaches to combat them. This leads to a security clash, where multiple vendors and systems (silos) create excessive effort to deploy, and tend to suppress the overall effectiveness because they often need to be dialed down to prevent conflict. As this chart illustrates, having integrated security means you can attack the problem with less time and effort, and far greater effectiveness.

Diagram: Security in a Domino network (Notes clients reaching IBM Lotus Domino over VPN and SMTP)

Edge Components: Antispam/Antivirus, E-mail Encryption, DLP, VPN

Client Components: E-mail Encryption, DLP, VPN, E-mail / Calendar

Server Components: E-mail Encryption, DLP, Antispam/Antivirus

Security Products: Antispam & Antivirus, Encryption, Data Loss Prevention

Lotus Protector capabilities, packaging, and release sequence subject to change

IBM Lotus Protector Offering Family

Extends Domino e-mail with new security and data protection capabilities

Protects/secures against Internet threats

Delivers enhanced content protection tools

Integrates with Notes and Domino UI & security model

The Lotus Protector security strategy is represented by this simple chart. In one sentence, we're launching products that protect against the whole set of security challenges facing collaboration customers today. These typically are driven by external threats (such as spam and viruses) and regulatory/legal pressures (such as content control). Our unique differentiator is that, while everyone else treats this as an SMTP problem, we're doing all of this exclusively from the perspective of a Notes/Domino customer. This gives us an opportunity to create a more integrated and fundamentally better experience for our customers, by weaving the security capabilities seamlessly into the user and administrator experience.

There are several distinct solution types needed to secure, or even to deploy, an SMTP e-mail system. Everyone needs a spam/virus filter, of course, as 90% plus of all e-mail traffic is now either spam, phishing, or malware. Not coincidentally, the first Lotus Protector product does just that, and it's what we're talking about today. But there are other needs that must be addressed as well.

Encryption is a perpetual challenge, because SMTP doesn't define that kind of security. Various standards approaches (S/MIME, TLS) are so problematic that they suffer from low, often stalled, deployment. At the same time, encryption is taken for granted by Notes users. Notes-to-Notes e-mail lets you apply security with a per-user or per-message setting, ensuring that the information is not intercepted or modified between sender and receiver. However, that's only within the Domino system; mail to regular Internet recipients is sent unencrypted (after a notification/warning to the sender). Our goal is to deliver an encryption system that extends Notes security, so it's a single experience for the user.

Data Loss Prevention (sometimes called Data Leak Prevention), or DLP, is a growing area that we're also planning to address with Protector. With DLP, you can inspect content flowing between people, to ensure that no sensitive content leaves your organization, either intentionally or (as is most typical) inadvertently. You can log, warn, or block activities in real time. You get two big benefits: you gain visibility into where your sensitive data (confidential, personal, or regulated content) is going, and it trains your people to be careful about things. We're exploring this capability, again in the Protector Notes/Domino centric mode, as a product offering.

Lastly, there's a bunch of categories that also fall into that bucket of "things you need to run a modern collaboration system," and we continue to actively investigate there. We have a number of initiatives to improve archiving and eDiscovery. We're exploring things like virtual private networking (VPN) and Web protection as well. These things will be discussed as and when they are announced, but will follow the Protector theme of great security technology, optimized for IBM and Lotus customers.

That leads us to the integration opportunities, and we have two distinct categories: vertical and horizontal. Vertical integration is where all Protector products gain maximum integration with Notes/Domino so that everything fits seamlessly into the experience for the user and administrator. Horizontal integration is where Protector products are aware of each other, and keep from getting in each other's way. A great example of this is encryption; as you bring that into the equation you start inhibiting your ability to inspect content for security purposes. Lotus Protector products take care of this, basically by sharing the Notes/Domino security context.

From here on, we're speaking specifically about Lotus Protector for Mail Security, the spam/virus filter product in the Lotus Protector family.

Optimized SMTP Protection For Lotus Domino

Enterprise grade spam filtering software

Featuring IBM Proventia Spam/Malware blocking technology

Dynamic Host Reputation (IP Filtering)

Multi-layered message analysis

Signature and Behavioral Antivirus

URL matching for phishing and spyware

End user quarantines, block/allow lists

Optimized for Lotus Domino customers

Easy to acquire, deploy, administer and support

Aggressive integration roadmap (vertical/horizontal)

Preemptive protection against threats

Rules/Policy engine for content protection (incoming/outgoing)

Integrated IBM Proventia intrusion prevention system

This is the overview slide that introduces people to what we are selling; it may be flipped/alternated with the next one.

Lotus Protector for Mail Security is a software solution sold as an end user license. It is deployed as a network appliance (physical or virtual; we'll talk about that in a minute) that sits between your Domino server's SMTP interface and the wild, woolly Internet, and filters all the bad stuff out before Domino has to deal with it. In reality, every SMTP server needs this and virtually every customer already has something, or else they would be drowning in spam. Our differentiation is that we're applying premium security technology, molded to satisfy the unique needs and requirements of Domino customers.

The filtering software itself is high quality, 100% IBM-owned technology. The IBM Proventia product that shares the Protector engine is built upon Cobion, a long-time leader in multi-language spam filtering, that came to IBM in its Internet Security Systems (ISS) acquisition in 2006.

The feature list will be covered in detail, but on this page we go through some of the competitively critical and/or differentiating capabilities of Protector for Mail Security.

Dynamic host reputation is our implementation of what is often called IP Reputation Filtering or IP Filtering. This assigns a likelihood of spam based on its origination IP, according to a dynamic reputation system that examines the rate and ratio of spam received.

Multi-level message analysis is the heart of the system, where a set of different filters is applied to look for different types of threats. This is where a lot of the proprietary stuff comes in, because it's what makes the difference between 90-95% filter quality and the 98-99% that Protector achieves.

Signature and behavioral antivirus is a belt-and-suspenders approach to protect against both known and unknown threats. Our signature antivirus is powered by the premium quality Sophos engine (the only part of Protector for Mail Security that isn't 100% IBM technology), while the behavioral antivirus applies many of the same techniques as our spam analysis to spot threats that are unknown to the signature antivirus database.

We'll talk about our massive URL database, but the idea is that all spam has to have a method to fulfill its goals, and that typically is a link to somewhere on the Web. Through our database of over 84 million known bad URLs (inappropriate/pornographic or infected with malware), we can eliminate much of the most dangerous content with one simple check.

Protector for Mail Security supports end user management of their own whitelists (allow) and blacklists (block), as well as a hosted version of the user's quarantine. That's a powerful feature in itself, but we're extending this capability to Notes, for seamless integration of network filtering and client UI.

We talked about the integration, but again the real point here is that we've narrowed our field of vision on behalf of our customer base, and given ourselves permission to see things from their point of view. Thus all the enhancements we're making are toward delivering a product that extends and integrates what customers already do with Notes and Domino.

Preemptive protection is a little different category of security, in this context. Whereas everything above is kind of looking out for all the bad stuff that bad people like to do, preemptive protection looks to stop things before they happen.

So the rules/policy engine, which we'll discuss in depth in a few minutes, can be applied to both incoming and outgoing e-mail to block the transmission of common categories of sensitive information, and can be infinitely tuned to block customized kinds of information, specific to an industry or organization.

We call out the place this product holds in the IBM Proventia security product family, because it takes advantage of all the work done in ISS to harden that line of intrusion prevention systems (IPSs), firewall, etc. This protects Protector against attacks on the software from vectors other than SMTP.

Software Appliance

Hardware Appliance

Proventia

This more graphically appealing slide gives us the opportunity to talk about the main messages for Protector for Mail Security.

In the first box, our unique advantage is our position within the core Notes/Domino family. We work directly with the Lotus Westford architects and development teams. We're implementing numerous integration points in support of the Protector ideals around integration and targeted value.

In the second box, we talk about how we're delivering world-class technology, a sixth-generation spam filtering technology, that is 100% proprietary (in the good way) to IBM. The IBM Proventia technology, which has its roots in Cobion Software's advanced spam identification products, matches up very well for efficacy (quality of spam blocking) and throughput (volume of mail handled) against incumbent vendors who attack this, typically, from a security perspective. We look at it from an operational and e-mail perspective, which is closer to how Domino customers view it when we talk to them.

Also in the second box, we've earned ICSA Labs certification on spam filtering, which requires a 95% trap rate for spam (Protector typically achieves 98%+), with a .001% false positive rate (which we typically better as well).

In the third box, we call out deployment flexibility as an important differentiator. Protector for Mail Security is sold as a per-user license, like Notes or Sametime or Quickr or Connections. And like many Lotus licenses, it includes all the server software you need, so it scales cost-effectively from one user to infinity.

But ultimately this is an edge server application, because that's where the spam is coming in. Here it's important to understand that Protector for Mail Security is different from other Lotus products in that it's a complete server solution, containing the (Linux) OS as well as the filter application, and is designed to run all by itself on a computer. In fact, in this model it serves as an appliance due to that plug-and-play kind of design.

We're one of a few vendors in the market who offer both software and hardware deployment licenses, and we do it with the same per-user software license. Smaller organizations or branch offices can deploy the VMware version on standard x86 hardware, while larger organizations will order the specialized hardware version, which comes preloaded with the server software. Both contain the same filtering software, and can be mixed and matched, e.g., a hardware appliance in headquarters and VMware versions at branch offices.

Popular Filter Deployment Options

Diagram: Internet, then Edge Appliances (clean), then Domino Server Tasks (clean)

There are multiple approaches to spam and virus filtering, often with redundancy

Edge appliances and cloud services filter SMTP, but don't see internal mail

Cloud services allow less control by the customer and tend to have less filter efficacy

Server tasks clean all mail, but impose cost to server CPU


This slide is included to facilitate a discussion of the different approaches available to Domino e-mail customers. Typically there are three ways to filter an SMTP stream:

Cloud Services: The customer MX record is pointed to a SaaS data center, and only the cleaned stream is passed on to the customer network.

Edge Appliances: The SMTP stream is treated at the edge of the customer network, and only the cleaned stream is passed on to the Domino server.

Server tasks: Unfiltered SMTP flows directly to the Domino server, where a filter software program cleans it as the Domino server software sees it.

The different approaches offer different benefits and tradeoffs. Cloud-based filtering can be done at a very low cost, and additionally it saves lots of downstream bandwidth to the customer's network. Edge appliances tend to give a lot of control and customizability, and don't require customers to trust their users' e-mail to a third party. Server tasks can inspect both internal and Internet mail, which is necessary anyway, at least for virus filtering.

Generally speaking, the cloud/appliance options have the benefit of filtering SMTP threats before Domino has to deal with them, but are difficult to integrate with e-mail systems and other security functions. Server tasks can look at both internal and external traffic, but must accept all traffic (good and bad) and process it using the Domino server's CPU, which will affect scalability and throughput for mail processing. Edge appliances and cloud options take the load off Domino but cannot scan internal mail and aren't integrated with Notes and Domino. In addition, the cloud option tends to allow more spam to pass or more good e-mail (ham) to be withheld without direct customer control.

The Protector for Mail Security appliance is solving those problems through enhanced integration with Domino and Notes, so customers gain the benefits of on-server filtering without the extra CPU load, and in-the-mailbox integration for end users.

Filter Process

The filter process applies several different types of protection against e-mail threats.

First, the system itself recognizes a myriad of attack types and intrusion methods, to block threats that target the filter itself.

Next, the system examines messages using traditional antivirus signatures from our antivirus partner Sophos, blocking over 1200 known malware attacks and variants.

A behavioral antivirus module applies analysis based on known attack designs, so that even unknown malware is blocked before it can infect your users

Spam control, the heart of the system (which we'll discuss next), applies sophisticated and efficient filtering that is 98% or better effective, out of the box, with less than .001% false positives, or one in 100,000 messages. This is important because overblocking of good messages is a direct revenue risk to an organization.

Lastly, the rich customizable policy engine can prevent messages with preset content types (e.g., hate/inappropriate language, credit card numbers, customer confidential data) or custom keywords (e.g., project code names, industry terms) from getting through. Importantly, this function (like all filters) works on both outgoing and incoming messages, so you can apply policies to prevent information from leaving your environment as well as entering it.

Protector for Mail Security applies a granular and highly efficient content analysis against e-mails sent to your domain.

First, a set of pre-filters is applied that knocks out a large part of the bad e-mail, 80% or more, before your system even accepts it. First it checks that there's actually a user at the recipient address, using LDAP lookups that are cached locally when found. Then it applies a custom blackhole list that filters known spammer addresses, without overblocking as many public lists are prone to do. Then it applies a proprietary dynamic reputation system, which grades the volumes of e-mail arriving from particular IP addresses or ranges, and blocks messages arriving from known IPs that have a high spam-to-ham (ham = good e-mail) ratio. If the percentage of ham from those IPs increases, the system automatically adjusts to permit traffic. This dynamic aspect is particularly useful when a computer is taken over by a spammer and subsequently removed from service. These pre-filters are particularly useful in some countries (e.g. Germany) that have strict retention rules. Since the mail is never accepted, it doesn't need to be stored, retained, backed up, etc.
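The three pre-filters above run at SMTP time, before the message body is accepted. The following is an added illustration (not IBM's code) of that pipeline in the same order: recipient validation with a local cache of found addresses, a custom blackhole list, and a per-IP dynamic reputation that blocks a source once its spam-to-ham ratio is high and re-admits it as ham returns. The directory, lists, thresholds and traffic are constructed sample data, not values from the product.

```python
"""Simulation of SMTP-time pre-filters: recipient check, blackhole list,
dynamic IP reputation. Added example; all data below is constructed."""
from collections import deque

# Constructed stand-in for the LDAP directory the appliance would query.
DIRECTORY = {"alice@example.com", "bob@example.com"}
# Constructed custom blackhole list of known spammer sender addresses.
BLACKHOLE = {"deals@spam.example"}


class RecipientValidator:
    """Looks up recipients; caches hits so repeat recipients skip the directory."""
    def __init__(self, directory):
        self.directory = directory
        self.cache = set()
        self.lookups = 0  # counts real directory queries

    def exists(self, rcpt):
        if rcpt in self.cache:
            return True
        self.lookups += 1
        if rcpt in self.directory:
            self.cache.add(rcpt)  # only positive results are cached
            return True
        return False


class DynamicReputation:
    """Sliding window of spam/ham verdicts per source IP (assumed thresholds)."""
    def __init__(self, window=20, min_samples=10, block_ratio=0.8):
        self.window, self.min_samples, self.block_ratio = window, min_samples, block_ratio
        self.history = {}  # ip -> deque of True (spam) / False (ham)

    def record(self, ip, is_spam):
        self.history.setdefault(ip, deque(maxlen=self.window)).append(is_spam)

    def spam_ratio(self, ip):
        h = self.history.get(ip)
        if not h or len(h) < self.min_samples:
            return 0.0  # too little evidence to judge a source
        return sum(h) / len(h)

    def is_blocked(self, ip):
        return self.spam_ratio(ip) >= self.block_ratio


class PreFilter:
    def __init__(self, directory=DIRECTORY, blackhole=BLACKHOLE):
        self.validator = RecipientValidator(directory)
        self.blackhole = blackhole
        self.reputation = DynamicReputation()

    def check(self, source_ip, mail_from, rcpt_to):
        """Decide at RCPT time. A reject here happens before DATA, so the
        message is never stored on the customer's systems."""
        if not self.validator.exists(rcpt_to):
            return False, "unknown recipient"
        if mail_from.lower() in self.blackhole:
            return False, "blackhole list"
        if self.reputation.is_blocked(source_ip):
            return False, "reputation"
        return True, "accepted"

    def learn(self, source_ip, is_spam):
        """Feed the content filters' later verdict back into the reputation."""
        self.reputation.record(source_ip, is_spam)


def demo():
    """A source turns spammy, gets blocked, then is re-admitted as ham returns."""
    pf = PreFilter()
    ip = "203.0.113.7"  # constructed documentation address
    for _ in range(12):            # burst of spam pushes the ratio to 1.0
        pf.learn(ip, True)
    blocked = pf.check(ip, "x@other.example", "alice@example.com")
    for _ in range(12):            # ham returns; window now 8 spam / 12 ham
        pf.learn(ip, False)
    readmitted = pf.check(ip, "x@other.example", "alice@example.com")
    return blocked, readmitted
```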

The next set of filters looks for things like known spam signatures (including fuzzy variants); classifications driven by a Bayesian learning filter; structure analysis of words and phrases; flow control that measures traffic from different sources over time; heuristics that grade a message's likelihood of being spam based on a set of content characteristics; fingerprinting (including images) against other known spam; logic that grades a message's likelihood of being a phishing attack (to harvest personal information through fake versions of real Web sites such as PayPal); and a check against preset or custom keywords a customer has chosen to filter. The net result is a highly efficient filter system that works out of the box, without the training/tuning needed by many competitive products.

Lastly, the system checks contained URLs against a database of over 7 billion known bad URLs/objects, and conducts a file analysis (including zipped files up to 100 levels deep) that, if necessary, quarantines the e-mail and sends the file attachment to the ISS lab in Kassel Germany for human analysis.

Proprietary Research

Bayesian Filter, URL Checker, Meta Heuristics, Flow Control, Structure Analysis, Phishing detection, Fuzzy Fingerprints, Behavioral Antivirus...

Spam/Phishing Database

80 million spam signatures in the database

2 million new signatures per day

> 98% effective against spam

< 0.001% false-positives

62 categories of spam URLs

IBM X-Force Research

URL Database

9.3 billion evaluated web pages and images

150 million new pages each month

150,000 new categorized sites each day

100 million URL filter entries

68 categories of spam URLs

The heart of the system is a sophisticated and scientific approach to filtering driven by IBM X-Force research. IBM engineers and linguists constantly update the proprietary software behind the filters, with a global network of spam traps and Web crawlers combating new threats as they appear, for zero-hour protection.

X-Force has built an unrivaled database of spam signatures, known bad URLs, and phishing attacks (both messages and URLs). This is the basis of the unrivaled out of the box performance of Protector for Mail Security, and the set it and forget it performance it delivers.

Phishing Protection

Phishing attacks ebb and flow on the Internet. The Protector appliance can trap (default) or notify users of suspicious messages that try to trick them into revealing personal or sensitive information. With the growing sophistication of targeted attacks (spear phishing), the importance of this protection continues to grow. In spear phishing, a customized attack is targeted at a specific user or group of users, often using publicly available information or data shared on social networks, to create authentic-looking and compelling attacks.

Policy Editor

Granular Policy Control

The policy editor in Lotus Protector is a high-value differentiator from other spam filter products. With a rich set of preconfigured policies, the system allows checkbox filtering of specific categories of content (hate/inappropriate language, personal/confidential information, etc.), plus infinite customer customizations. The rule set acts against all the variables used by the core filter (sender/recipient/groups, time, content analysis, etc.) and allows a wide range of predefined dispositions (block, quarantine, delete, etc.). Since this works on outgoing as well as incoming mail, the organization can deploy anything from stock to infinitely fine-grained control over e-mail content, without any additional products or purchases.
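As an added illustration (not the product's own engine), here is a small rule/policy engine of the shape described above: rules match on direction (incoming/outgoing), sender group, a preset content category (a credit card number check, implemented here as a digit-run pattern plus Luhn validation) or custom keywords, and return a disposition (block, quarantine, delete, allow). The groups, rules and messages are constructed sample data.

```python
"""Minimal e-mail policy engine with content categories and dispositions.
Added example; groups, rules and messages below are constructed."""
import re
from dataclasses import dataclass, field

# Preset content category "credit_card": runs of 13-19 digits (spaces or
# dashes allowed) that also pass the Luhn check, to limit false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_card_number(text):
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


CATEGORIES = {"credit_card": has_card_number}
GROUPS = {"finance": {"cfo@example.com"}}  # constructed directory groups


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    direction: str  # "incoming" or "outgoing"


@dataclass
class Rule:
    name: str
    disposition: str           # block / quarantine / delete / allow
    direction: str = "any"
    sender_group: str = None   # match only senders in this group
    category: str = None       # preset content category
    keywords: list = field(default_factory=list)  # custom keywords


def rule_matches(rule, msg):
    if rule.direction != "any" and rule.direction != msg.direction:
        return False
    if rule.sender_group and msg.sender not in GROUPS.get(rule.sender_group, set()):
        return False
    text = msg.subject + "\n" + msg.body
    if rule.category and not CATEGORIES[rule.category](text):
        return False
    if rule.keywords and not any(k.lower() in text.lower() for k in rule.keywords):
        return False
    return True


def evaluate(rules, msg):
    """First matching rule wins; a message matching no rule is delivered."""
    for rule in rules:
        if rule_matches(rule, msg):
            return rule.disposition, rule.name
    return "allow", "default"


# Constructed rule set: an exception for finance precedes the general block,
# and the same category is applied in both directions.
RULES = [
    Rule("finance may send card data", "allow", direction="outgoing",
         sender_group="finance", category="credit_card"),
    Rule("card numbers leaving", "block", direction="outgoing", category="credit_card"),
    Rule("project codename", "quarantine", direction="outgoing",
         keywords=["Project Bluebird"]),
    Rule("card numbers arriving", "quarantine", direction="incoming", category="credit_card"),
]
```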

Protector for Mail Security Price Promotion 2009

Special value to help create awareness, momentum

Limited time offer for new customer acquisition

IBM quality and performance for price equivalent to lesser solutions

25% off entitled pricing on all new licenses

Valid February-July 2009 worldwide

Lotus Protector for Mail Security Authorized User(s) License + SW S&S 12 Months D04QYLL

Lotus Protector for Mail Security Authorized User(s) from Competitor Trade-up License + SW S&S 12 Months D04R0LL

Prices valid in Passport Advantage; no special processing needed

Not valid for renewals, reinstatements, or hardware

IBM Promotion #PRO1534, Letter number 509-434

Three deployment options

Minimum hardware:

2GB RAM (512MB min for each virtual instance, 1MB recommended)

100GB drive (30GB for each virtual instance)

Two network interfaces:

One host-only interface

One bridged network interface

VMware versions:

VMware Server 1.0.2 or later

VMware Workstation 5.5 or later

VMware Player 1.0.3 or later

VMware ESX 3.x or later

Deployment options:

1. Virtual Bundle: Virtual Appliance, customer provides hardware (VMware throughput: 12,000 mails/hr)

2. Dedicated Appliance: IBM off-the-shelf hardware, x3350 from IBM STG (VMware throughput: 12,000 mails/hr)

3. Specialized hardware: MS3004LP Appliance from IBM ISS (Appliance throughput: 36,000 mails/hr)

Independent of core software costs, customers are able to choose from among an array of server deployment options. Since the server software is always included with the user licenses, it's up to the customer to decide how to deploy the server, or even to adjust/change approach over time.

The first two options are based on VMware deployment. In these instances, throughput is rated at about 12,000 e-mails per hour, including both good e-mail (ham) and unsolicited bulk e-mail (UBE, a.k.a. spam). Customers with virtualization strategies can simply deploy Protector for Mail Security within their VMware framework, at no additional cost beyond meeting the hardware and VMware requirements listed.

For customers who want a new hardware-based solution, particularly smaller or price-sensitive customers, we've identified an IBM xSeries machine that will run Protector for Mail Security well. This x3350 1U system offers good performance and IBM reliability at a competitive cost. Our roadmap calls for future versions of Protector to run natively (no VMware required) on specific xSeries machines; while there are no guarantees that it will prove possible, the x3350 is one of the target units. While it will always be a good VMware unit, native support is likely to only improve throughput/performance.

For larger customers or those with heavy mail usage, the MS3004LP unit is a good choice. While more expensive than typical VMware machines or the x3350, the MS3004LP unit is designed for high throughput of approximately 36,000 e-mails per hour. Much of this performance is related to running Protector for Mail Security on the metal, with no VMware virtualization overhead, but also simply to being tuned to the hardware and drivers of this particular unit. It also offers redundancy (power supplies, fans etc.) and multiple disks employing RAID support. This gives the unit a reliability profile much greater than the commodity hardware option. MS3004LPs are also clusterable, although it's important to realize that clustering here is related more to administrative benefits (centralized spam processing/access) than to the same term in the Domino world (high availability, failover).

Resources

www.ibm.com/lotus/protector/mailsecurity

Feature Description

Brochure

Specifications

White Papers

Demo, Video

ICSA Certification

X-Force Statistics Graphs

Support

How to buy

Product Documentation

Here's a short list of information available to you on the IBM Lotus public Web site. Check Xtreme Leverage or PartnerWorld for Sales Kit links for additional internal information.

Questions?

http://www.ibm.com/software/lotus/products/protector/

Deployment flexibility

Per-user software license

World class technology

Notes/Domino integration

x3350 configuration (Part No. | Description | Rack | List Price | Qty | List Price | Comments)

4192E3U | Intel Xeon Dual Core 3.16GHz, mem 2x1GB, Dual Channel 10/100/1000 Integrated G-bit Ethernet | 1U | $1,125 | 1 | $1,125 | options: maintenance, disk and power supply redundancy

39M4508 | IBM 250GB 3.5in 7.2K SS SATA HDD | | $139 | 2 | $278 |

Total: $1,403

MS3004LP configuration (Part No. | Description | Rack | List Price | Qty | List Price | Comments)

MS3004LP | Intel Xeon 2.00GHz/1333MHz, mem 2GB, 6 hot-swap 3.5" SATA/SAS, 4x80GB + 2x250GB (RAID 1), 4x 10/100/1000 G-bit Ethernet, dual fans & power supplies | 2U | $10,500 | 1 | $10,500 | ISS part number, available through Deal Hub (IBM) and distribution (partners)

maint | 1st year maintenance | | $2,310 | 1 | $2,310 |

Total: $12,810

2009 IBM Corporation

IBM Software Group | Lotus software

2008 IBM Corporation. IBM Confidential