
Tuesday, June 28, 2011

Combating Botnets and Other Malware

- Ron Kaplan, director of products, EdgeWave (www.edgewave.com), says:

Why are EdgeWave’s Zero-Minute-Defense Email Security Solution & iPrism outbound botnet defense using ThreatSTOP technology useful in today's enterprise data centers?


Cybercriminals create autonomous applications called bots that can infect networks in a variety of ways, via Web or email. A botnet is a network of these applications that are capable of acting on instruction once they are triggered. This happens when a bot that may be dormant in your network “calls home” via any port. This allows perpetrators to control infected computers via their command and control hosts residing outside your network. In a study of 130 large companies done by TrendMicro, they found that 100% of them already had bots in their networks. That’s why a multilayered approach that combines stopping bots from being activated by blocking their outbound communications with detecting and blocking inbound threats is the best way to assure your network security.

iPrism Web Security leverages ThreatSTOP botnet technology to monitor and block any attempt at an outbound connection, so the botnet threat is eradicated. ThreatSTOP continuously updates its Botnet Threat List, based on four feeds from three industry-leading sources: Abuse.ch, ShadowServer and Cyber-TA. The ThreatSTOP List is a proven service with no known false positives, and its experts constantly update their feed sources and correlation engine to mitigate false positives from blocking legitimate traffic. This unique approach:

• Results in no false positives and improved time to detection, without managing manual rules or signature updates
• Blocks emerging threats at their source, and adds a 5-10% catch rate to existing endpoint, network or gateway AV/IPS solutions
• Mitigates data leakage and other non-compliance events with preservation and non-repudiation of logged events
• Adds no network latency and reduces potential bandwidth loss & peak loads

EdgeWave Email Security’s Zero-Minute Defense provides a unique method of arresting developing threats from entry into and exiting your networks via email. Zero-Minute Defense detects emerging threats in close to real time, so action can be taken to block bots and other criminal malware before they get near email servers. This feature is activated when a threat is identified. EdgeWave engineers analyze it and immediately create a protection rule that effectively blocks the threat. Because threats are 100% human reviewed, accuracy is assured. The new rule is sent as an update to all EdgeWave Email Security appliances and hosted email solutions. New rules are sent as they are created so there is immediate protection from any new and emerging threats. These updates are occurring on a continuous basis so that networks aren’t left in a vulnerable state.

EdgeWave defense technologies operate automatically and use the distributed nature of these attacks against the hackers. There is no ongoing configuration management required by data center and IT managers to make the filtering effective.


Why should data center and IT managers be concerned?


Botnets are a huge problem facing today’s data center and IT managers. More and more they are becoming focused attacks launched by criminal syndicates bent on financial gain and aiming for larger enterprise companies. Small companies also face threats from individual hackers who have easy access to botnet kits readily available online. The resulting attacks are sophisticated, targeted and elusive. Cybercriminals will typically immediately abandon any attack that has worked and launch a new one, making them very hard to trace for conventional signature-based technologies.

Botnet threats have been increasing significantly over the past 18 months and are growing worldwide. Cisco’s Q4 2010 Global Threat Report states that global malware encounters grew by 139% in 2010. In sharp contrast, spam dropped dramatically from 375 billion pieces per month to 95 billion per month from January to December 2010 (from Q4 2010 Global Threat Report, Cisco Corp.). Several highly publicized breaches reported recently have shown the magnitude of the problem, e.g., Epsilon, Sony, HBGary Federal, Lockheed-Martin and others.

Current antivirus, antispam and conventional web filtering technologies are inherently deficient in their ability to stop these emerging threats. Data center and IT managers need a new set of tools to combat these highly distributed and targeted, socially-engineered attacks. EdgeWave’s arsenal includes a number of critical new developments that allow these threats to be mitigated. These defenses operate automatically and use the distributed nature of these attacks against the hackers. There is no ongoing configuration management required to make the filtering effective.


Overall priority in the data center.


Stopping such threats from both entering and leaving their networks should be a top priority. The embattled CEO of HBGary Federal, Aaron Barr, stepped down, and the estimate for the Sony network breach may reach more than a billion dollars. Upgrading the network security tools to leverage the latest advances and approaches so that networks are adequately protected is critical. Many security vendors have focused on revenue-generating commercial features and have left their core filtering/defense technologies lacking the R&D investment or focus they need to keep up with emerging threats. Crime syndicates and individual hackers alike have taken full advantage of this situation. The proof of this lies in the fact that organizations that have some of the largest IT budgets available are having their defenses easily bypassed. Sony had millions of PlayStation user accounts accessed, and Epsilon’s 100 million record breach was due entirely to an email-based socially-engineered phishing attack.


The biggest challenges.


The biggest challenge we see for data center and IT managers is finding security solutions that are effective for a reasonable investment. Many of them may feel their current security solutions are adequate and don’t even consider changes until a major breach occurs. They may be operating under an assumption that “if it’s not broken, don’t fix it”. The problem with that logic is that the core filtering technology available for both signature-based antivirus as well as the core technologies of the most widely used message filtering solutions are ill-equipped to handle these sophisticated, emerging threats.

Overcoming the challenges.


IT professionals need to educate themselves as to the available options and share that information with their colleagues. They also need to be aware of what the new threats are and how attacks are being launched. With new high-profile breaches seeming to hit the headlines every day, they should need no reminders that deploying effective strategies today will save them a lot of headaches in the future. They should do their homework and look for solutions that employ multi-layered approaches that don’t rely on a single technique for assuring protection from botnets and other criminal malware. It is possible to find cost-effective solutions, such as those offered by EdgeWave, with extremely low TCO, and unique technologies that will do the job as well as or better than some more costly options.



In addition to the above, look for multi-layered approaches that use a variety of techniques to combat botnets and other malware. Solutions that protect against both inbound and outbound threats will give you flexibility and versatility when dealing with sophisticated criminal malware.

Wednesday, December 1, 2010

Boosting Your Email

- Joe Fisher, Senior Vice President of Product & Solutions Marketing at Axway (www.axway.com), says:


Why is email security important for the enterprise?
Protecting the enterprise’s most valuable collaboration tool—email—is profoundly important, as most business processes flow through it. Even processes that start from an automated system (e.g., a claims document kicked out from an ERP system) are part of a collaborative workflow, and that workflow always beats a path to email inboxes. Inbound email must be kept extremely clean so that your knowledge workers can do their jobs without being burdened by spam, phishing attacks, viruses, and denial-of-service attacks. At the same time, it is imperative that outbound email—especially highly sensitive email from organizations subject to regulatory requirements—is secured before it leaves your four walls. When you protect your email system, you protect your workflow, you comply with regulatory mandates, and you protect your ability to effectively do business.

What are the biggest issues?
The balance of tactics and strategies (i.e., putting a fire out today, yet building something that’s fireproof for tomorrow) is a very important issue to consider, and a considerable challenge, too. Think about what fits your security profile. Deploying things in the cloud, whether private or public; changing the behavior of your end users who have access to sensitive information—these are challenges that need to be considered as you implement a new system. Another thing to consider: the dynamics and profile of your traffic. A decade ago, the average message size was ten kilobytes; today, it’s seventy-five kilobytes. You need to ask yourself, “Is this system we’re putting in place addressing the profile holistically? Is it considering the DNA of our email that moves in and out?” Finally, you should consider discovery. Most public organizations retain emails for five to ten years for discovery and litigation purposes. You need to be thinking about how you’re going to archive and retain these emails.

Organizations need to think about building a secure community, a group of customers and partners that they can collaborate with and trust. Organizations should enroll these people as trusted partners in their email security ecosystem. Enrolling organizations as trusted partners actually works twofold. One, you can expedite secure channels. Two, you can reduce the issue of false positives on the inbound side. So, if you’re getting a message from a trusted business partner, you can mitigate the issue of having that message fall into a spam filter. Since you trust this organization, you’ll always accept their messages. This reduces the issue of false positives as well. Make sure that you’ve got the right operational visibility as well as strategic visibility. Make sure that you’ve got the right policy flexibility. And make sure that the enterprise can build a secure community that you can collaborate with.

Tuesday, October 12, 2010

Enterprise Email Security: Choosing The Right Vendor

- Magi Diego, product marketing manager at Trend Micro (www.trendmicro.com), says:

As email continues to be the predominant method of business communication, enterprises need to ensure email availability without end user productivity drain and network security risks associated with spam.

The delivery mechanism for cybercriminals continues to be primarily by email. Cybercriminals are no longer just using malicious email attachments; they are now getting users to click malicious URLs in emails.

Email is the introduction point to the network. If you can proactively block spam/malicious email, you can stop the URL from ever being introduced into mailboxes and the subsequent click on the link, which will prevent worms/malware from entering the network and keep the infection from ever happening.

We are seeing more targeted attacks against businesses and almost always the targeted attack will start with an email to one or two people inside the organization. If they click on the malicious link inside the email they could potentially infect the entire organization with a worm or download malicious code that steals data.

With so many security solutions to choose from, what's a manager to do?
Look for a vendor that has a global presence and has more expertise than just email security. Look for a vendor who has been in the market for a long time and has a good reputation. A vendor with malware and threat expertise, not just a traditional spam-filtering company, is important. It’s important that your security vendor can do more than filter spam; they should be able to look at embedded URLs and attachments and know which ones are malicious. The security vendor and solution should be able to deal with email, web and file-based threats and social networking threats.

A security company with global presence is important because they can provide 24/7 support; email doesn’t stop, it’ll always be there and need to be dealt with. Also, make sure the vendor has the ability to support multiple infrastructures and to fit into IT infrastructure through virtualization. And also that the vendor offers a hosted service for inbound spam cleansing. Make sure the vendor can also do outbound/DLP security.

Wednesday, October 6, 2010

Email Security: Issues and Challenges

- Scott Cressman, Product Manager of Gateway Email Security and Data Protection at Sophos (www.sophos.com), says:

Today, communication happens in real-time, so users expect email to be almost instant, and any email infrastructure bottlenecks mean that businesses will be impacted negatively. Now more than ever, employees are being asked to do more with less. As most employees rely heavily on email to get their jobs done, IT teams must ensure that their users’ inboxes are not bombarded by spam or made vulnerable to phishing attacks, which would slow down performance and/or infect their systems.

The fastest growing threat, however, is the danger to sensitive information – both personally identifiable information (PII) and confidential company data. Email security is not just about keeping bandwidth-eating spam or email threats out, but also ensuring that sensitive information does not leave the organization – be it intentionally by a disgruntled employee or accidentally. With data of all kinds travelling at the speed of light through various means – laptops, mobile devices, etc. – email is one of the riskiest avenues of communication due to the sheer daily volume of email that some employees need to send and receive.

An email security solution should facilitate sound policies rather than dictating policies. Policies need to be communicated and enforced in a consistent manner in order to help users fully understand how to work in a secure way – this obviously extends beyond email security.

Educating users on the policies that are in place, as well as regularly updating all employees on best email security practices, can make a significant difference in helping an organization stay secure.

Biggest issues/challenges to consider
Organizations must, at the very least, have a basic email security solution in place in order to protect against spam and malware.

Some of the biggest issues and challenges to consider include:

• Quality of security: With a quality email security solution, users should be getting no more than 1-2 missed spam messages in their inbox per week - if that. IT teams shouldn’t have to conduct ongoing customization to achieve this and they shouldn’t have to perform a lot of clean-up initiatives due to spam or malware emails that made it through the email filter.
• Hidden costs: While a cheap email security solution may look good on paper, businesses must ensure that they are *not* spending countless hours administering and managing the solution, fielding calls from users with email issues, or spending time troubleshooting. This can range from looking for lost messages to handling time-consuming, disruptive upgrades.

Having visibility is also key. IT teams must make sure that there are very few grey areas or black holes created by the design of their environment or by the email security solution they’ve deployed. It should be extremely easy to find out what happened – end-to-end – to a single message once it’s entered the environment. If the IT team has trouble figuring this out, they may want to use a different solution. Visibility also means the ability to monitor the environment for potential issues. Our Sophos Email Security and Data Protection Appliance is a true “managed appliance”, meaning that it contains more than 50 monitors that will proactively alert both the administrator and Sophos Support if something goes wrong – something that could impact the level of service of the email systems. Having this means that they do not need to babysit the solution. IT will be immediately notified if something has occurred so the team can evaluate what needs attention. Email security solutions that allow various types of actionable visibility at critical times are the kind of solutions IT and data centers need.

Protecting data
Begin by monitoring potential data loss and make any necessary changes to decrease false positives and false negatives. Also monitor and understand the patterns and processes of users before enforcing any policies that could disrupt business. Make sure to focus on the low-hanging fruit first, and grow business’s data protection strategy from there.

At Sophos, we focus on integrated security and data protection solutions across the endpoint, email, and web to help enforce security and data protection policies in a simple, consistent, and effective manner. Our belief is that a patchwork of security solutions from different vendors results in increased costs associated with management overhead and dealing with inconsistencies in policies and enforcement due to various technologies and approaches to security and data protection. We believe that a business’s security vendor should own the problems associated with external threats, and provide simple, manageable tools for enforcing policies and protecting sensitive data.

Thursday, September 23, 2010

Choosing the Right Email Solution for Your Enterprise

- Toby Penn, CISSP, senior solutions engineer for Accuvant (www.accuvant.com), says:

Accuracy counts. For example, if you receive 1,000,000 messages per week and your solution is 5% less effective than one that costs just a little bit more, you will be allowing in 50,000 extra “bad” messages per week. This adds up quickly and can introduce malware, spyware and clog your disk storage.

Quarantine management should not be overlooked. Being able to intuitively and rapidly search for an email, determine why it was caught, and either release it or explain to the user is essential. And, don’t think of this as your anti-spam solution having a lot of false positives; more than likely it is a rule you have customized that will cause this. Being able to know if your rule is working well is also key.

When choosing a solution that uses (and in some cases depends on) reputation services, make sure that you still get log entries for the connection. If a system blocks a message at the connection level (during the three-way handshake) but does not log the message, you have no mechanism of proving a message did or did not make it to your organization.

When comparing solutions, be aware that different solutions count messages differently. One solution may use the message ID (a unique number that is tagged to every message), while other solutions may use recipients to calculate their statistics. This can cause widely different numbers to show up. For instance, if a single incoming message is destined for 20 recipients, one solution may count this as one message and another solution may count this as 20 messages.
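The two points just made, connection-level blocks that must still leave a log entry and message counts that differ by vendor, as an added example that is not part of the original post: a small Python parser over a constructed, hypothetical gateway log format (the line layout and client addresses are assumptions, not any product's real format) that counts messages by message ID versus by recipient and flags connections that left neither an accept nor a reject entry.

```python
"""Reconcile gateway mail-log counts (message IDs vs recipients) and find
connections that were blocked without leaving a log entry."""
import re
from collections import defaultdict

# Constructed sample log (not from the post). Accepted messages log one line
# per recipient and carry a message ID; reputation rejects happen during the
# SMTP connection, before any message ID exists. The last connection has no
# accept or reject line at all: a silent block that cannot be proven later.
SAMPLE_LOG = """\
2010-09-23T10:00:01 connect client=[203.0.113.10]
2010-09-23T10:00:01 accept client=[203.0.113.10] msgid=<a1@partner.test> to=<u1@corp.test>
2010-09-23T10:00:02 connect client=[203.0.113.20]
2010-09-23T10:00:02 accept client=[203.0.113.20] msgid=<b2@news.test> to=<u1@corp.test>
2010-09-23T10:00:02 accept client=[203.0.113.20] msgid=<b2@news.test> to=<u2@corp.test>
2010-09-23T10:00:02 accept client=[203.0.113.20] msgid=<b2@news.test> to=<u3@corp.test>
2010-09-23T10:00:05 connect client=[198.51.100.7]
2010-09-23T10:00:05 reject client=[198.51.100.7] reason=reputation-blocklist
2010-09-23T10:00:06 connect client=[198.51.100.8]
"""

# Hypothetical log grammar: timestamp, event, client, then optional fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>connect|accept|reject) client=\[(?P<client>[^\]]+)\]"
    r"(?: msgid=<(?P<msgid>[^>]+)> to=<(?P<rcpt>[^>]+)>)?(?: reason=(?P<reason>\S+))?$"
)

def parse_log(text):
    """Return a list of event dicts, one per well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def count_by_message_id(events):
    """Vendor style A: one message per unique message ID."""
    return len({e["msgid"] for e in events if e["event"] == "accept"})

def count_by_recipient(events):
    """Vendor style B: one message per recipient delivery line."""
    return sum(1 for e in events if e["event"] == "accept")

def count_connection_rejects(events):
    """Reputation blocks during the handshake: no message ID, but logged."""
    return sum(1 for e in events if e["event"] == "reject")

def unaccounted_clients(events):
    """Clients that connected but produced neither an accept nor a reject
    line: without that entry you cannot prove whether a message arrived."""
    seen = defaultdict(set)
    for e in events:
        seen[e["client"]].add(e["event"])
    return sorted(c for c, ev in seen.items() if ev == {"connect"})

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(count_by_message_id(ev), count_by_recipient(ev))  # 2 4
    print(count_connection_rejects(ev), unaccounted_clients(ev))  # 1 ['198.51.100.8']
```

The same three-recipient message is reported as 2 messages by ID but 4 by recipient, and the final client is the case the post warns about: a connection with no log trail to audit.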

Tuesday, September 21, 2010

Enterprise Email Security: Think SaaS and Minimize Administration


- Keith Crosley, Director of Market Development at Proofpoint (www.proofpoint.com), says:

Think SaaS to minimize costs without sacrificing security: Analysis from Osterman Research (available from Proofpoint free with registration here: http://www.proofpoint.com/id/saas-email-security-costs-whitepaper/index.php) suggests that, in nearly all cases, the Software-as-a-Service deployment model offers the lowest total cost of ownership. For a typical SMB organization, savings are typically 60 to nearly 90% over on-premises deployment models, driven by savings in labor, capital equipment, bandwidth, storage and other areas. Analysts from Gartner and Forrester frequently advise their clients that, especially for inbound (anti-spam/anti-virus, etc.) email security, there’s no reason not to deploy those functions as SaaS.

Select solutions that minimize administration overhead: In one report Gartner says that “reduced administration overhead” is the number 2 concern of email administrators. Of course, every organization will have slightly different requirements, but you want to look for solutions that have: Easy installation (“wizard” type installers that provide optimal default settings, pre-configured or easy-to-configure appliances, etc.); GUI-based administrative interface that simplifies common tasks; for appliances, active clustering and automatic configuration and policy synchronization among appliances in multi-box deployments; centralized quarantines; easy integration with directory systems like LDAP; visibility into email queues; automatic updates to anti-spam/anti-virus engines; simple software updates (e.g., “one-click” type installations with rollback options).