Secure Mail: Protect, Enforce and Encrypt. “Block the Bad; Guard the Good”

Upload: beatrice-newman

Post on 25-Dec-2015


Page 1: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail

Protect, Enforce and Encrypt

“Block the Bad; Guard the Good”

Page 2

Agenda

• Introduction to Secure Computing
  • Who We Are
  • Our Family of Enterprise Security Products

• Secure Mail Portfolio

• Secure Mail (IronMail) Inbound Security

• Secure Mail (IronMail) Outbound Protections

• Secure Mail Encryption Flexibility

• Secure Mail Family of Appliances

• Secure Mail Success Stories

• Secure Computing Secure Mail Edge

• TrustedSource Global Intelligence Solution

Page 3

Secure Computing Highlights

Who We Are

• Public company (NASDAQ: SCUR); HQ is San Jose (USA), worldwide presence; 900+ employees
• Largest independent enterprise gateway security company
• Annual billings run rate ~$300M, profitable, strong cash generation

What We Do

• Singular focus on enterprise gateway to enable safe, secure and productive use of open networks, including the Internet
• Perimeter protection – most secure firewalls, Identity & Access
• Comprehensive messaging & web gateway security
• Inbound & Outbound protection: Block the bad and guard the good

Technology

• 145 Patents pending/granted
• Unmatched protection with TrustedSource using global intelligence
• Purpose-built gateway security appliances
• Recognized leadership positions by Gartner and IDC

Customers

• 20,000+ blue-chip customers in 106 countries
• 60% of Fortune 500; 56% of DJ Global 50; 8 out of 10 top world banks

Page 4

Secure Computing is the Leader

Clear Market Share Leader

• #1 in Secure Content Management (SCM) appliances
• #1 in Messaging Security Appliances
• #1 in Enterprise UTM Appliances ($10K - $100K price band)
• #2 in Web filtering – 23M+ seats

Technology Leadership

• TrustedSource, Internet reputation system for proactive security
• Reputation-based web, messaging, firewall, Web filtering
• Leader in Gartner’s Messaging and Web Magic Quadrants
• Improving Challenger position for Firewall and Encryption

100% Security Focus

Acknowledged technical excellence & best-of-breed solutions

Superior customer support and track record of growth

Page 5

20,000 Customers in 106 Countries

• 60% of the Fortune 500
• 80% of the Top 10 World Banks
• 56% of the Global 50

Page 6

Key Security Drivers

Viability of Security Vendors

• 800 security vendors
• 90 percent < $15M revenue
• Viability at risk
• Customers & Channel want to protect their investments

Move to Integrated Appliances

• Lots of Point Appliances
• Integrated Appliances

Proactive & Reliable Threat Detection

• Signatures: AV, IDS, Anti-Spam
• Local Behavior: anomalous behavior at the box
• Global Intelligence

Layered Security Approach

• Network Gateway: Firewalls, IDS, VPN
• Application Gateway: Messaging, Web, Other Apps

Page 7

Enterprise Gateway Security: Integrated, Best-of-Breed Appliances

[Diagram: gateways placed between Data & Users and the Internet. Labels recovered from the slide:]

Application Gateway

• Secure your Web Communication: Secure Web (Webwasher)
• Secure your Messaging Communication: Secure Mail (IronMail)

Network Gateway

• Secure your Network Edge: Secure Firewall (Sidewinder)
• Ensure proper Identity & Access: Secure SafeWord

Feature labels shown in the diagram

• Encryption, Anti-Virus, Anti-Malware, URL Filtering, Compliance
• Anti-Virus, Intrusions, Encryption, Compliance, Anti-Spam
• AV, Connex Control, Firewall, IPS
• Authorization, Authentication

Page 8

Secure Computing’s Award-Winning Portfolio

Page 9

Secure Mail

Page 10

Secure Computing Messaging Portfolio

Bi-Directional Messaging Defense & Compliance

[Diagram: Internet, Secure Mail (IronMail)]

Inbound Email Perimeter Defense

[Diagram: Internet, Secure Mail (Edge), Secure Mail (IronMail) or any other email security]

Page 11

Secure Mail Comprehensive Security

The Power of Secure Mail: Simple, powerful, integrated appliance with common management, multiple message platform support, and minimal administration

Block the Bad: Inbound protection

• Anti-virus
• Anti-spam
• Anti-malware
• Anti-phishing

Guard the Good: Outbound protection

• Content filtering
• Encryption
• Policy definition
• Content detection

[Diagram labels: Secure Mail, Mail Servers]

Page 12

A “Leader” for Email Security

“Secure Mail is one of the most-full-featured appliance solutions on the market. … Secure Computing moves to the right in terms of vision. For anti-spam and antivirus defenses, it exploits its TrustedSource global reputation system, combined with connections management and several behavioral and content analysis tools, for very high spam detection with few false positives.”

“Secure Computing’s Secure Mail line of appliances are known for their high level of performance and have kept the company a top competitor …. Secure Mail appliances also benefit from the company’s TrustedSource reputation network.”

“Secure Mail appliances offer more than simple anti-spam and anti-virus capabilities for email, but also offer features such as encryption and anti-spyware, which is a key advantage over its top competitors.”

• 2007

“We found this product to be simple to set up and easy to use. The initial configuration wizard gets the device up in just a few clicks ... The Secure Mail web interface is well organized with simple tab top navigation. This interface also features a multitude of easy to read graphs and charts that plot trends and show many other events.”

• Secure Mail has been rated Best Buy by SC Magazine.

Page 13

Secure Mail Successes

Biopharma Education Financial Government

Healthcare Retail Telco/Utilities Others

Page 14

Key Messaging Security Drivers

Inbound Threats

Drivers

• Spam volumes reach over 90% in 2007
• New spam technologies render traditional inspections useless
• Storm botnet infects over 50 million computers
• Annual sales from medical spam messages net over $4 billion a year

Trends: Proactive & Reliable Threat Detection

• Signatures: AV, IDS, Anti-Spam
• Local Behavior: anomalous behavior at the box
• Global Intelligence + Local Knowledge

Outbound Protection

Drivers

• Multiple industry, state, national and international regulations
• 42% of all complaints to the FTC are about Identity Theft
• Customers lose trust in companies that can’t prevent data losses
• Global compliance requires global solutions

Trends: Policy-Based Enforcement

• Regulatory Point Solutions
• Employee Training
• Culture of Compliance with Automated Enforcement

Page 15

Threat: The Spam Surge

Trend

A rapid increase in spam volumes is overloading mail gateways and servers, degrading performance, and increasing delivery of unwanted email

Spam Hits All Time High in 2007

Page 16

Threats From All Sides

• A cybercrime is committed every 10 seconds; twice the rate of actual real-world robberies
• 46% of enterprises experienced a security breach in 2006; 10% don’t even know!!
• 26% experienced more than 10 breaches that year
• 1.8 billion records were compromised between 2000-2006
• Data loss clean up costs in 2006:
  • Exceeded $5 billion in the US
  • Exceeded £1.7 Billion in the UK
• Trojans accounted for over 78% of all newly discovered malware in August 2007
• An average of 11,906 total new malicious websites were detected daily in August 2007
• An average of 264,133 new zombies were detected daily in August 2007

Page 17

Inbound Protection

Zero Hour Anti-Spam, Anti-Malware, Anti-Phishing

Page 18

Secure Mail: The Secure Messaging Gateway Solution For Inbound and Outbound Mail Threats

[Diagram: Secure Mail between incoming spam, malware, etc. and the email servers and users. Labels recovered from the slide:]

• Computation of global reputation scores
• Correlation and real-time updates
• Reputation-based filtering for IP Senders, Messages, Domains, URLs, and Attachments
• Anti-Malware & Spyware
• Anti-Virus & Content Analysis
• Attachment Filtering & Statistical Analysis
• Local Knowledge
• Data Leak Prevention/Compliance: Policy Management, Content Filtering, Fingerprinting, Adaptive Lexical Analysis, Clustering, Policy Enforcement, Encryption
• Access, Management and Reporting Tools

Page 19

Integrated, Scalable & Secure Messaging Architecture

Page 20

SpamProfiler™

Industry’s First Multi-Method Spam Detection Engine

Total amount of spam stopped: ~80%

Total amount of spam stopped: ~95%

Total amount of spam stopped: 99%

+

Page 21

Secure Mail Zero-Hour Anti-Virus/Malware

Page 22

Secure Mail IntrusionDefender

Page 23

Outbound Protections

Compliance and Data Leak Prevention

Define, Detect, Defend

Page 24

Key Messaging Compliance Drivers

Drivers

Regulatory Compliance

• Myriad of US and International regulations: SOX, GLBA, HIPAA, PCI, State Privacy Rules, FISMA, HSPD-12, NYSE & SEC rules, PIPEDA, PIPA, PPIPS, EU’s Directive on Data Protection, UK Data Protection Act, Australia Privacy Acts, OECD Guidelines
• Myriad types of data being regulated: Corporate financial, consumer financial, healthcare, consumer privacy, federal government, securities transaction

Data Leakage

• 150 data breaches in 2006 exposed 80 million people to identity theft
• Four sources of loss: hackers, malicious insiders, bad policies, honest mistakes
• Other types of data to protect: Trade secrets, intellectual property, customer lists, confidential financial information, R&D schedules

Unexamined Messages

• Unmonitored use of multiple messaging protocols

Trends

• Regulatory Point Solutions
• Employee Training
• Culture of Compliance
• Global Content Control
• Multi-Reg Policies, Enforced at the Gateway
• Multi-Protocol Inspection and Protection

Page 25

Secure Mail Outbound Protection

Define/Create policy

• Regulatory policy: HIPAA, GLBA, SOX, etc.
• Corporate policy: Intellectual property, Liability, Offensive material
• Document training: Classification, Training/signature

Correlation Engine (Compliant or Non-Compliant)

• Multimedia content: Image analysis
• Described content: Content analysis, Pattern matching
• Learned content: Fingerprinting, Clustering, Adaptive lexical analysis

Enforce policy

• Allow
• Conditional allow
• Encrypt
• Quarantine
• Archive
• Educate users
• Block

Inform

• Reports: Standardized, Customizable
• Forensics: Comprehensive logging
• Audits: Special accounts for compliance officers

Page 26

Secure Mail Define and Create Policies

• Define Categories of Protected Data
• Dictionaries – What to Look For, Where
• Train on Corporate Documents

Page 27

Secure Mail Content Analysis

• Pre-built regulatory code sets
• Customizable dictionaries with text and pattern search terms
• Customizable notifications, archival

Page 28

Secure Mail Fingerprinting

• Identify Document Copying and Originating Sources
• Identify partial documents copied into other documents or mail
• Identify whole documents being sent outside of the network
• Intelligently group documents to develop powerful policies
• Find the originating source(s) for any outgoing message or doc
• Enforce policy by preventing unauthorized copies from leaving
• Simple interfaces to upload documents for fingerprinting

Page 29

Secure Mail Fingerprinting

• Generates digital fingerprints of documents to identify copied, deleted text, change of format
• Very robust to changes made to text and therefore can detect copies that have been intentionally obfuscated

Document trained to the system in Word format:

“A herd of buffalo can move only as fast as the slowest buffalo, and when the herd is hunted, it is the slowest and weakest ones at the back that are killed first. This natural selection is good for the herd as a whole, because the general speed and health of the whole group keeps improving by the regular culling of the weakest members. In much the same way the human brain can only operate as fast as the slowest brain cells. Excessive intake of alcohol, we all know, kills off brain cells, but naturally it attacks the slowest and weakest brain cells first. In this way, regular consumption of beer eliminates the weaker brain cells, constantly making the brain a faster and more efficient machine.”

Training - text fingerprints generated and stored:

0x01179d29, 0x06e85e32, 0x070e8b08, 0x0bbc2488, 0x002b616b, 0x03bab72b, 0x06fe9be8, 0x02046679, 0x014f3572, 0x04798efb

Parts of .doc copied, pasted, reordered in email body:

“Excessive intake of alcohol, we all know, kills off brain cells, but naturally it attacks the slowest and weakest brain cells first. In much the same way the human brain can only operate as fast as the slowest brain cells. In this way, regular consumption of beer eliminates the weaker brain cells, constantly making the brain a faster and more efficient machine.”

Fingerprints generated, matched against trained data:

0x06fe9be8, 0x01179d29, 0x0154a8b7, 0x03bab72b, 0x02046679

POSITIVE: 4 out of 5 fingerprints matched
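The train-then-match flow on the fingerprinting slides, as an added example that is not Secure Mail's code: the deck does not disclose the product's algorithm, so this sketch substitutes plain word-shingle hashing with a containment score. The shingle size `K`, the `THRESHOLD`, the document names and the two extra sample texts are assumptions made for the illustration.

```python
import hashlib
import re
from collections import Counter

K = 5            # words per shingle (assumed value)
THRESHOLD = 0.5  # matched share that yields a POSITIVE verdict (assumed value)

# Sentences of the trained document, taken from the slide text.
S1 = ("A herd of buffalo can move only as fast as the slowest buffalo, and when "
      "the herd is hunted, it is the slowest and weakest ones at the back that "
      "are killed first.")
S2 = ("This natural selection is good for the herd as a whole, because the "
      "general speed and health of the whole group keeps improving by the "
      "regular culling of the weakest members.")
S3 = ("In much the same way the human brain can only operate as fast as the "
      "slowest brain cells.")
S4 = ("Excessive intake of alcohol, we all know, kills off brain cells, but "
      "naturally it attacks the slowest and weakest brain cells first.")
S5 = ("In this way, regular consumption of beer eliminates the weaker brain "
      "cells, constantly making the brain a faster and more efficient machine.")

TRAINED = " ".join([S1, S2, S3, S4, S5])
OUTBOUND = " ".join([S4, S3, S5])  # the slide's copied and reordered excerpt
# Constructed samples: a second protected document and a harmless message.
OTHER_DOC = ("Draft supply contract: the vendor shall deliver forty controller "
             "units per quarter, and pricing stays confidential until both "
             "parties sign.")
UNRELATED = ("Hi team, the planning meeting moves to Thursday at ten. "
             "Please bring the updated agenda and your laptop.")


def fingerprints(text, k=K):
    """Return 32-bit hashes of every k-word shingle in the text."""
    # Normalise first so case, punctuation and layout changes keep the hashes.
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return set()  # too short to fingerprint
    result = set()
    for i in range(len(words) - k + 1):
        shingle = " ".join(words[i:i + k]).encode()
        digest = hashlib.blake2b(shingle, digest_size=4).digest()
        result.add(int.from_bytes(digest, "big"))
    return result


class FingerprintStore:
    """Inverted index: fingerprint -> names of trained documents containing it."""

    def __init__(self):
        self.index = {}

    def train(self, name, text):
        for fp in fingerprints(text):
            self.index.setdefault(fp, set()).add(name)

    def check(self, message):
        """Return (best matching source, share of message fingerprints it holds)."""
        fps = fingerprints(message)
        hits = Counter()
        for fp in fps:
            for name in self.index.get(fp, ()):
                hits[name] += 1
        if not hits:
            return None, 0.0
        name, matched = hits.most_common(1)[0]
        return name, matched / len(fps)


def build_store():
    store = FingerprintStore()
    store.train("buffalo.doc", TRAINED)
    store.train("contract.doc", OTHER_DOC)
    return store


def verdict(store, message):
    """Gateway decision for one outbound message: (label, source, score)."""
    source, score = store.check(message)
    label = "POSITIVE" if score >= THRESHOLD else "NEGATIVE"
    return label, source, score


if __name__ == "__main__":
    store = build_store()
    for sample in (OUTBOUND, UNRELATED):
        print(verdict(store, sample))
```

Only shingles that straddle the new sentence boundaries fail to match, which is why reordering barely lowers the score; a production system would normally keep a sampled subset of these hashes rather than all of them.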

Page 30

Secure Mail Adaptive Lexical Analysis

• Protection from malicious, intentional data leaks
• Adaptively learns company’s trade secrets
• Learns unstructured (and structured) customer data
• Deep lexical correlation to identify intentionally veiled text
• Can account for misspellings, intentionally obfuscated text, and can even identify similar patterns close to matching confidential text
• Continually improves on its own reasoning
• Single-word, multi-word, and lexical structure analysis
• Simple interface for uploading documents
• Potential to learn very fast (>90% comprehension with just 4 documents trained)
• Potential for very high accuracy (99.3% and beyond)
• Three different levels of performance (high, low, medium)
• Adaptively enforces HIPAA, SOX, etc.
• Adaptively protects source code and other dynamic data

Page 31

Secure Mail Adaptive Lexical Analysis

Bayesian Analysis

• Bayesian – does <word> indicate good or bad? (e.g. Ham or Spam)

Adaptive Lexical Analysis

• Adaptive Lexical Analysis – not just <word> but:
  • <multiple words together>
  • <multiple words in proximity to each other> (not necessarily consecutive)
  • frequency of words, phrases, words in proximity (groupings)
  • All factors used to calculate good or bad (e.g. Confidential or Non-Confidential)
  • Accommodates misspellings, obfuscations, etc.

Page 32

Secure Mail Clustering

Clustering is defined as:

The process of dividing a dataset into mutually exclusive groups such that the members of each group are as "close" as possible to one another, and different groups are as "far" as possible from one another. Also known as “guilt by association!”

Greetings in Selected Capital Cities

• New York: Whad’s up?
• London: Cheers
• Atlanta: Howdy y’all
• Rio: Hola

Document groups shown on the slide

• Health Care Forms
• Financial Statements
• Engineering Schematics
• Contracts

Page 33

Secure Mail Image Analysis

• Sets policy regarding sending and receiving pornographic images
• Analyzes images using skin tones, texture, position, posture, pose
• Configurable sensitivity threshold - multiple policies as appropriate to severity
• Maximum score of 100 provides flexibility to manage and educate users
  • 0-40 is fine (copy to log file)
  • 41-65 Quarantine the message (notify sender “This is inappropriate material for our workplace. Please cease this activity.”)
  • 66-80 Drop the image (notify sender “You're on a watch list”; notify Compliance Office “This person’s actions seem to be inappropriate” and notify HR with a copy of the message)
  • 81-100 Drop the message (notify Compliance and HR to initiate termination proceedings)

Seven Actions Available Depending upon Threshold

Page 34

Secure Mail Policy Enforcement Options

Maximum flexibility on possible actions:

• Blind copy
• Replace
• Drop a portion or even the entire message
• Forward in line or as an attachment
• Customizable Quarantine
• Re-route
• Pre-pend
• Log
• Encrypt for secure delivery
• Rewrite the subject line
• Customizable notifications to employees, managers, compliance officers, etc.
• Customizable archiving options
• Educate users on rules

Page 35

Reporting and Forensics

• 34 Total Pre-built Reports
  • Anti Fraud Summary
  • Anti Zombie Summary
  • Compliance Action Summary
  • Overall Compliance Summary
  • Overall Encryption Summary
  • Overall Spam Summary
  • Overall Virus Summary
  • Executive Summary
  • User Spam Summary
  • Incoming Report
  • IronWebMail Report
  • Mail IDS Report
  • Policy Compliance Reports for:
    • AV Keyword Blocking
    • GLBA
    • HIPAA
    • SOX Financial

“(Secure Mail) simply provides an enterprise reporting solution on-box that competitors currently cannot match.”

Page 36

Secure Mail Encryption

Encryption to Anyone, Anywhere

Page 37

The Key Challenges

Regulatory Compliance

• HIPAA, GLBA, SOX and many others specify encryption
• Leaks of unencrypted privacy data can trigger fines, bad press and jail terms
• GLBA: fines of up to $500,000 and imprisonment for up to 10 years
• SOX: fines of up to $5 million and imprisonment for up to 20 years
• HIPAA: fines of up to $5 million and imprisonment for up to 20 years

Data Leakage

• Sensitive information and intellectual property can only be protected if encrypted
• Merger/acquisitions, HR, finance, trade secrets, customer lists and corp. directory

Inconsistent Deployment

• Inability to send a secured message to any recipient due to variations in recipient OS, browser, e-mail client, or expertise
• Can’t adapt for changing technologies or requirements
• Compatibility with other systems

System Usability

• End users don’t always remember to encrypt messages
• Many encryption technologies are unmanageable and administrative nightmares
• Messages encrypted at desktop cannot be scanned for content and viruses

Page 38

Gartner MQ for Encryption and Email Security

[Figure: Gartner quadrants for E-Mail Security and Encryption; vendors labelled: Secure Computing, IronPort, Tumbleweed]

The above quadrant has been drawn with rough estimate on positions of vendors in the other two quadrants

Page 39

Encryption Options and Flexibility

Encryption Architecture

Integrated, policy driven, most complete and widely deployed encryption with support for multiple technologies

Page 40

Secure Mail Family

Suite of Solutions for Every Size Enterprise

Page 41

Secure Mail Family - Snapshot

A complete product line for protecting messaging communication

Mail Appliance Portfolio; Global Intelligence & Central Management

Appliance Platforms

• S-Class, E-Class
• 2 Base Classes (S and E), 4 Appliance Models
• Models S10D, S120, E2200, E5200

Appliance Solutions

• Secure Mail (Total Inbound and Outbound protection for email)
• Secure Mail (IronMail), Advanced Compliance, Encryption, Secure Mail Edge
• Central Management
• Central Quarantine

On-Box Services (Secure Mail Out of the Box)

• TrustedSource Reputation
• Connection Control
• Spam Profiler
• Message Profiler
• End User Quarantine
• TLS encryption
• Intrusion Defender
• Threat Response Updates
• Zero Hour Malware
• Basic Data Leakage Compliance

Secure Mail Options

• Anti-Virus
• Advanced Compliance (Off box)
• Gateway to End-User Encryption (Off Box): Push or Pull (Secure Computing), Voltage, PGP Universal

Differentiators

Page 42

Fortune 50 Success Stories

UPS

• Complex – 13 different point products
• IronMail with anti-spam, anti-virus, email firewall/IPS, compliance and encryption in a single appliance
• Single vendor, single management console

Coca-Cola

• Unmanaged compliance, limited enforcement of corporate messaging policies, prevent offensive content from being sent from Coke domain
• IronMail for inbound and outbound protection
• Centralized policy management, flexible enforcement options, compliance

Retail Example (World’s Largest Retailer)

• Email DoS: 1 million message directory harvest attack from multiple servers
• IronMail with Connection Control
• Protect mail server, detect DoS, notify email admin, create logs for forensics

Page 43

Inbound Protection Success Stories

Georgia Dept of Human Resources

Trader Media Group

• Blocks 70% of inbound email as spam

• Eliminates viruses and spam from Webmail

• Deployed flexible email security policies for different user groups

• “The IronMail solution has almost instantly eliminated the spam problem. It also ensures that all the email we send out from TMG complies with the requirements of our own email policy and safeguards our reputation.”

Southwest Airlines

• Stopped anywhere from 75 to 90 percent of e-mail as spam

• Able to successfully migrate more than 31,000 e-mail users onto new mail server platform without lost connectivity or messages

• Achieve ROI savings of $300,000 per year in employee productivity

• Decreased workload of administrators

• “IronMail just works. There were no weeks of tweaking—right out of the box, we installed it, and it works.”

• “The IT staff no longer has to worry about malware. Now we only hear about virus or malware outbreaks in the news—and that’s where we want it to stay. When I read about a security threat in the news, I go back and check the logs and, sure enough, IronMail has proactively blocked it every time.”

• IronMail “paid for itself within a few short months.”

Page 44

Compliance Success Stories

Kindred Healthcare

• F500 Healthcare provider, 17,000 users, >100,000 messages/day
• Prevent data leakage, protect HIPAA and financial data
• Appliance based
• Lower initial solution and setup costs
• Lower headcount required to maintain
• Created high compliance environment
• Can add protocols when required

Akron General Medical Center

• IronMail provides policy-based flexibility to secure outbound messages
• IronMail automatically encrypts email that includes sensitive information
• “Initially I was looking for a solution to our spam problem, but when I evaluated IronMail, I knew that we had to go with them for our messaging security needs. Secure Computing products are easy to use and the tech support is very knowledgeable and helpful.”

Albany Medical

• HIPAA compliance, 7,000 e-mail users, increased bandwidth, consolidate e-mail environment
• IronMail with Anti-Virus and Compliance and CMC
• Policy-based compliance, consolidate multiple devices in DMZ

Page 45

Encryption Success Stories

MD Anderson

• Comply with HIPAA, protect sensitive information from leaving organization
• IronMail and Encryption (pull)
• Automatically secure sensitive information transparently to end-users, ensure accurate content filtering w/out dropping medical terms

Minnesota

• Diverse user community communicating sensitive information (dept. of revenue and other agencies communicating with each other and consumers)
• IronMail and Encryption (push)
• Robust policy-based flexible encryption, no client, easy to use, customizations

Lower My Bills

• IronMail for compliance, outbound filtering, pull encryption and inbound protection
• Simple end user experience to ensure recipient compatibility
• Customized and deployed in one week
• Encryption driven by policy ensures loan leads delivered securely
• Met tight customer deadlines with rapid customized deployment

Page 46

Secure Mail – The Right Solution

• Maximum Effectiveness
  • Global plus Local Protection
    • TrustedSource Global Reputation Service
    • IronMail On-Box Policies, Spam Profiler
• Maximum Enforcement
  • Inbound plus Outbound Protection
    • Spam, virus, Trojan, Zombie, Malware
    • Regulatory Compliance, Corporate Governance, Data Leakage
• Maximum ROI
  • Purpose-Built Appliances
    • Easiest to Deploy, Implement and Manage
    • High Throughput, Easily Scalable, Multiple Sizes for Every Enterprise
• Maximum Honors
  • Radicati, 9/07: Secure Computing is the absolute top leader in the Email Market Quadrant
  • Gartner, 9/06: Secure Computing is the absolute top leader in the Email Boundary Security Magic Quadrant
  • SC Magazine; 4/07: Rated IronMail Best Buy with 5 stars in every category
  • IDC: IronMail is the market leader in email security appliances
  • Search Security 2006: IronMail rated the highest score of ALL 60 finalists to be selected as the Best of the Best

Page 47: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail Edge

Stopping Inbound Threats BEFORE They Infiltrate Your Network

Page 48: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail Family: Secure Mail Edge

Reputation Based Protection

Incorporates TrustedSource sender reputation and message signatures

Traffic shaping controls thwart attacks by malicious senders

Real-time, global knowledge of known and unknown threats

High Throughput

Processes up to 1 million messages/hour/appliance

Blocks 50%–90% of unwanted email before it hits the enterprise gateway

Spam surges don’t impact network performance, eat up bandwidth or affect end user experiences

Improved Security

Multiple layers of defense-in-depth

Eliminates spam as a source of email-borne malware, viruses, botnets and phishing

Email Perimeter Defense

[Diagram labels: Internet; Secure Mail Edge; Secure Mail (IronMail) or any Email Security Appliance]

Archiving your spam Reduce your TCO

Page 49: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail: Three Sources of Knowledge

[Diagram labels: Block, Allow, Throttle; LDAP Data Base; Secure Mail Edge]

Page 50: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail Edge Success Stories

CBIZ

• Target of a major denial of service attack: 2 million additional connections (for a total of 3 million)

• Edge boxes handled the attack, no delays in email

• The 2 million additional connections only amounted to 55,000 additional emails making it to IronMail – 97% block rate by Edge

Belo

• 420,000 connections daily

• Symantec/Brightmail replacement

• 272,000 rejections

• 2,000 greylisted

• Reduced mail volume based purely on TrustedSource – no LDAP in use or Connection Control

Dominion

• 3.5 million messages per day prior to Edge

• Effectively dropped incoming traffic by 80%

• Reduced bandwidth requirements by 60%

• Decreased administration time from 35 hours/week to > 30 minutes/day

• Achieved significant operational savings

• Easy to install and deploy, required no significant changes to user environment

Page 51: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Secure Mail Edge in Action

• Customer's email volume was increasing, putting pressure on email infrastructure

• Edge was deployed in front of the existing Secure Mail deployment

• Reduced inbound connections by 82%, freeing up additional capacity for Secure Mail and other downstream servers

[Chart: Allowed vs. Blocked connections, axis 0% to 100%]

Page 52: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

TrustedSource

The Next-Generation Global Reputation System for Proactive Enterprise Security

Page 53: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Shared Global Intelligence

Physical World

Intelligence agents: Deploy agents and officers around the globe (Police, FBI, CIA, Interpol)

Global intelligence system: Share intelligence information

Example: criminal history, global fingerprinting system

Results

• Effective: Accurate detection of offenders

• Pro-active: Stop them from coming in the country

[Diagram labels: CIA, FBI, Interpol, Police Stations]

Cyber World

Intelligent probes: Deploy security probes around the globe (firewall, email gateways, web gateways)

Global intelligence system: Share cyber communication info

Example: spammers, phishers, hackers

Results

• Effective: Accurate detection of bad IPs, domains

• Pro-active: Deny connection to intruders trying to attack your enterprise

[Map labels: IntelliCenter, Atlanta, Brazil, London, Hong Kong, Portland, Chicago, Germany]

Page 54: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Cyber World - What is Your Reputation?

Is the sender of this email trustworthy?

Is the client logging into the website trustworthy?

Is the website that the client visits trustworthy?

Signature-Based

• IDS

• Anti-virus

• Anti-Spam

• No false positives

• Often too little, too late

Like police having a band on each criminal’s wrist

Local Behavior

Anomalous behavior at the box

• Better but false positives

Like intelligence agents looking for suspicious behavior at the airport

Global Intelligence with Reputation

• Tracks sources of threats by correlating global information

Like intelligence agents around the world with global database to track offenders and share their behavior or activities

[Map labels: IntelliCenter, Atlanta, Brazil, London, Hong Kong, Portland, Chicago, Germany]

Page 55: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Reputation-based Security Model

Reputation score is fundamental to business: real world or cyber space

Physical World (Computing Credit)

• Track: Businesses & Individuals

• Compile: Business Transactions (purchases; mortgage, leases; payment transactions)

• Compute: Credit Score (timely payment; late payment; transaction size)

• Use: Allow / Deny Credit (loan; LOC; credit terms)

Cyber World

• Track: IP, Message, Domain, URL, Etc.

• Compile: Cyber Communication (email exchanges; web transaction; URLs, images)

• Compute: Reputation Score (good IPs, domains; bad; grey – marketing, adware)

• Use: Allow / Deny Communication (stop at FW, Web Proxy, Mail gateway; allow; quarantine)

Page 56: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

TrustedSource Provides Global Intelligence to Enable Local Protection

REAL-TIME PROTECTION PLATFORMS

Secure Mail

• Traffic Shaping

• Attack Blocking

Secure Web

• Anti-Malware

• Anti-Spoofing

Secure Mail

• Outbreak Detection

• Anti-Spam

Identity/Fraud Applications

• Anti-Phishing

• Zombie Alerts

AUTOMATED ANALYSIS

Dynamic Computation Of Reputation Score

In-Depth Analysis > 110 Billion Per Month

Hundreds of Dimensions

[Diagram labels: Bad, Good; IP, Domain, URL, Image, Message]

GLOBAL DATA MONITORING

[Map labels: IntelliCenter, Brazil, London, Portland, Atlanta, Hong Kong]

Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world

Ownership

• Whois

• Zone files

• trademark

Content

• Images

• Text

• Links

Behavior

• Social networks

• Persistence

• Longevity

Page 57: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

How TrustedSource Computes Reputation Scores

High quality data & sophisticated behavior analysis are underpinnings of a reliable reputation system

Over 110 Billion Messages Per Month Worldwide

Other Internet Behavior

10s of Millions of URLs Worldwide

IronMail, Edge, Webwasher, Sidewinder, SnapGear, F5

Spam Blocking, Zombie Detection, Fraud Detection, Phishing Blocking

Suspicious Activity, Traffic History, URL Categorization

Page 58: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

F5 LB

Secure Mail

Secure Mail (Edge)

Secure Firewall (Sidewinder)

Secure Web

TrustedSource Enabled Appliances

Network Gateway

Application Gateway

Mail Servers

Internet Traffic

Web Users

Internet

Secure SnapGear

60% - 85% of the unwanted traffic is stopped at the edge of your network, reducing the workload on downstream servers

Page 59: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Internal Network

ReputationQuery

Internet Traffic

Reputation Network

• Load balancers, Firewalls, Mail & Web gateways

• 110 Billion Messages daily

• Millions of New URLs monthly

Reputation Scoring

• Advanced behavioral analysis

• 350,000+ zombies detected each day

• Real-time multi-identity, multi-dimensional Internet reputation system

• Detects and blocks sources of threats, hence provides proactive security.

[Matrix diagram: Dimensions (Spam, Phishing, Malware, Hacking) by Identity (IP, Domain, URL, Image, Messages)]

[Map labels: IntelliCenter, Atlanta, Brazil, London, Hong Kong, Portland, Chicago, Germany]

Multi-Identity Reputation = Multi-Protocol Protection

Page 60: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Examples of Behavioral Analysis

Social Networks

Examine relationship between senders

Example: Spammers make lots of outbound connections but hardly any inbound (unlike normal businesses)

Persistence

Examine longevity/ continuity of the email sender

Example: Legitimate senders send email on a regular basis and they are stable (unlike spammers or zombies)

Volume

Examine raw mail volumes to detect bulk senders

Example: Spammers typically send in bulk, however many legitimate senders also send in bulk

• Global observations of email, Web traffic

• 25 advanced degree research scientists

• Advanced patented algorithms

Breadth

Examine how many receiving hosts are contacted

Example: Legitimate senders typically have a limited and rather consistent group of receiving hosts (unlike spammers who send to millions of receivers)

Burstiness

Examine email sending patterns throughout the day

Example: legitimate senders send out fairly constant email quantities throughout the day (unlike spammers who spike or burst out emails)
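The five behavioral dimensions on this slide, computed over a small traffic log, as an added example that is not Secure Computing's algorithm. The log is constructed, and the feature formulas and cut-off values are assumptions chosen for this sample.

```python
from collections import Counter

def build_sample_log():
    """Constructed traffic: (day, hour, source_host, destination_host)."""
    partners = [f"mx.partner-{c}.example" for c in "abcd"]
    log = []
    for day in range(5):                  # bulk sender with stable habits
        for hour in range(8, 18):
            log += [(day, hour, "192.0.2.10", p) for p in partners]
            log.append((day, hour, partners[hour % 4], "192.0.2.10"))  # replies
    # Zombie-like sender: same total volume, one burst, every recipient new.
    log += [(4, 3, "198.51.100.7", f"mx{i}.target.example") for i in range(200)]
    return log

def sender_features(log, host):
    """One value per behavioral dimension named on the slide."""
    sent = [e for e in log if e[2] == host]
    if not sent:
        return None                       # host never sent mail in this window
    received = sum(1 for e in log if e[3] == host)
    per_hour = Counter((day, hour) for day, hour, _, _ in sent)
    days_observed = len({e[0] for e in log})
    return {
        "volume": len(sent),
        "breadth": len({e[3] for e in sent}),                      # distinct receiving hosts
        "persistence": len({e[0] for e in sent}) / days_observed,  # share of days active
        "burstiness": max(per_hour.values()) / len(sent),          # share sent in busiest hour
        "out_in_ratio": len(sent) / (received + 1),                # outbound vs. inbound
    }

# Assumed cut-offs for this sample only; a production system would learn them.
THRESHOLDS = {"breadth": 50, "burstiness": 0.5, "out_in_ratio": 20}

def suspicious_dimensions(features):
    """Names of the dimensions on which a sender looks spammer-like."""
    hits = [k for k, limit in THRESHOLDS.items() if features[k] > limit]
    if features["persistence"] < 0.5:
        hits.append("persistence")
    return sorted(hits)

if __name__ == "__main__":
    log = build_sample_log()
    for host in ("192.0.2.10", "198.51.100.7"):
        f = sender_features(log, host)
        print(host, f, suspicious_dimensions(f))
```

Both sample senders have the same volume, which is the slide's point that volume alone cannot separate bulk legitimate mail from spam; the other four dimensions do.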

Page 61: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Behavioral Classification

One-dimensional feature space

[Figure labels: Bad? Good?]

Page 62: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Multi-dimensional feature space

Behavioral Classification

Page 63: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

The power of multi-dimensional reputation!

IP + Message reputation working hand-in-hand

[Diagram labels: IronMail; known spammer; NEW unknown spammer]

1. Known spammer sends message

2. Message is blocked

3. Unknown sender sends similar message

4. Known Message is recognized (from step 2) and blocked

5. Previously unknown sender (from step 3) sends different message

6. New Message is associated with this now identified zombie machine (step 3) & blocked
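The six steps above as a minimal gateway model, added here as an illustration and not taken from IronMail or TrustedSource. The `fingerprint` function is a hypothetical stand-in for a real message signature, the verdicts are binary rather than scored, and all addresses and message bodies are constructed.

```python
import hashlib
import re

def fingerprint(body):
    """Hypothetical message signature: hash of the body after lowercasing,
    dropping digits and collapsing whitespace, so trivially varied copies match."""
    normalized = re.sub(r"\s+", " ", re.sub(r"\d+", "", body.lower())).strip()
    return hashlib.sha256(normalized.encode()).hexdigest()

class ReputationGateway:
    """Keeps two reputation sets and lets a hit on one teach the other."""

    def __init__(self, bad_ips):
        self.bad_ips = set(bad_ips)
        self.bad_messages = set()

    def handle(self, ip, body):
        fp = fingerprint(body)
        ip_bad = ip in self.bad_ips
        msg_bad = fp in self.bad_messages
        if not (ip_bad or msg_bad):
            return ("allow", None)
        # A bad sender taints its message, and a bad message taints its sender.
        self.bad_ips.add(ip)
        self.bad_messages.add(fp)
        return ("block", "ip" if ip_bad else "message")

def run_scenario():
    """Replays the slide's steps plus one unrelated legitimate message."""
    gw = ReputationGateway(bad_ips={"203.0.113.5"})            # known spammer
    traffic = [
        ("203.0.113.5", "Cheap meds, order 1001 today"),        # steps 1-2
        ("198.51.100.23", "CHEAP meds,  order 2002 today"),     # steps 3-4
        ("198.51.100.23", "Your account is locked, verify now"),  # steps 5-6
        ("192.0.2.44", "Minutes from Tuesday's meeting attached"),
    ]
    return [gw.handle(ip, body) for ip, body in traffic], gw

if __name__ == "__main__":
    verdicts, gw = run_scenario()
    for v in verdicts:
        print(v)
    print(sorted(gw.bad_ips))
```

Tainting a sender on a single message match is the weak point of this binary model: a legitimate host that forwards one known-bad message would be blocked from then on, which is why graded scores and decay are used in practice.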

Page 64: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

TrustedSource.Org

• Public Portal to view into current and historical reputation and sending patterns of the senders, as well as analytical information such as country of origin, network ownership, and hosts for known senders within each domain. Additionally, the TrustedSource Portal provides a snapshot of global email trends, including a map illustrating country of origin for email attacks, graphs displaying overall email and spam volume trends, Secure Computing's ZombieMeter, and a snapshot view of email authentication deployments across the Internet.

Page 65: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Profile of a Good Sender

Page 66: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

TrustedSource in Action: Quarantine Notice

Page 67: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Email Message with Headers (Image Spam!)

Page 68: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

IP Sender Reputation

Zombie Pattern!

Page 69: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Domain Reputation

Arcor-ip.net has 496,150

AOL had 28,050

Page 70: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Others Have Virtually No Information

Page 71: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Storm Worm Neutralized

YouTube link actually points to the IP address http://69.17.185.164/ which is a known, malicious site

Subject:  "Dude dont send that stuff to my home email"

LMAO, I cant believe you put this video online. Everyone can see your face there. LOL go look at it...http://www.youtube.com/watch?v=cgnCYNHLON3

Page 72: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Phishing Attack Foiled

TrustedSource was able to take the URL out of the email; this site was already identified as “suspicious” weeks before the user received the message.

TrustedSource observed that this sending pattern matches that of a suspected zombie, and it knows that spam bots = scan bots = bots hosting malicious web sites

"We are glad you joined" (fill in the blank = Internet Dating, Online Casino, etc.)

Confirmation Number: foo123

Temporary Login: user123

Temp Password ID: pw123

This Login Info will expire in 24 hours. Please Change it.

Use this link to change your Login info: http://67.188.46.85/

Thank You,

Membership Services

(fill in the blank)

Page 73: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Why TrustedSource is Superior

Essential components of TrustedSource

• Volume of reputation data - TrustedSource sees more email sent to enterprises and governments than any other messaging security technology in the world

• Quality of reputation data - TrustedSource correlates reputations assigned to each identity by intelligently aggregating the global behavioral and sending pattern knowledge available for each sender

• Accuracy of reputation data - TrustedSource conducts real-time behavior analysis using over 80 behavior classifiers that examine over 1000 characteristics and typically identifies hundreds of thousands of new zombies a day

• Strength of Multiples – being able to add IP + Message + URL + Domain + Image reputation scores together allows for instant identification and prevention of blended threats

Page 74: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

TrustedSource versus Other Reputation Services

•TrustedSource is aware of more IPs than Others

•Queried on 01/11/2008

Page 75: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Conclusion

Page 76: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Why Secure Mail?

Proven, Fast, and Secure

Complete Inbound and Outbound Protection

Global Intelligence

Best Performance

Highest Security

Secure Mail (IronMail)

Secure Mail (Edge)

TrustedSource

Page 77: Protect, Enforce and Encrypt Secure Mail Protect, Enforce and Encrypt “Block the Bad; Guard the Good”

Thank You

Questions??