The Next Step in Outbound Email Protection
By Robert Mannal, CIPP, CISSP
Background and Issues

Some observers credit email with building the Internet, calling it the killer app that spurred the Internet's growth. [1] There is no question that email has become a way of life worldwide, both in corporate environments and for personal use. Its advantages as a communication medium include low cost, ubiquity, speed, and the ability to keep records (logs) of communications. Most companies would agree that they would suffer significantly if their email were out for only a few hours.

It is not surprising that opportunists moved quickly into the world of email. With its large and growing size and its relatively open and trusting environment, it is (and remains) fertile ground for attackers. The first wave of misuse was broadcast spam, originally sent as advertising. [2] Attackers then turned that broad advertising reach into phishing [3] and advance-fee offers [4], which have since evolved into targeted spear phishing. [5] Some observers have estimated that 85-95% of email traffic today is spam, and that its cost to the Internet in excess bandwidth, spam blocking, and so on runs into billions of dollars.

One feature of spam is its ability to carry enticing attachments and links, for example "Click here to see our free offer." Attackers use this to install spyware and other tools on the user's computer. One effective tool is a keylogger, which captures every keystroke the user makes and sends it back to the attacker, who then mines the captured keystrokes for passwords and credit card numbers.

To protect against these attacks, most enterprises employ a defense-in-depth strategy, with firewalls acting as the first line: blocking any traffic that is not allowed and forcing the permitted (yet still risky) traffic through the assigned ports. For example, port 25 is designated for the Simple Mail Transfer Protocol (SMTP), which carries the bulk of email traffic.
Once through the firewall, email usually goes to an email gateway [6], which is usually configured as in the figure below:

[Figure: Internet uplink, routers/switch ports, email gateway, workstations; peer mail hosts mail.domain.com and mail.otherdomain.com]

[1] http://c2.com/cgi/wiki?killerapp
[2] See http://en.wikipedia.org/wiki/spam_(electronic) for a description of spam
[3] http://en.wikipedia.org/wiki/phishing
[4] http://en.wikipedia.org/wiki/advance_fee_fraud
[5] http://www.microsoft.com/protect/yourself/phishing/spear.mspx
[6] http://www.iceteks.com/articles.php/emailgateway/2
On the email gateway, which is a server, the enterprise system administrator places the second layer of protection: anti-virus, anti-spam and other malware protection. [7] These defensive products are based on signatures of known viruses or of known spam origination locations; when a match is made, the protective application instructs the email gateway to drop the incoming message. This has become a relatively mature area, to the point where system administrators using available tools are able to block the vast majority of attacks. Today, most successful attacks trace back to anti-virus, anti-spam and malware protection that has not been applied and kept current everywhere it should be.

Traditionally, the bulk of email protection has focused on protecting the system from incoming messages. However, recent events have shown that a significant risk to an enterprise is information flowing out, rather than an attack coming in. This has led companies to deploy Data Leak Protection (DLP) products to monitor and protect their sensitive information. One approach is to put the DLP product on the email gateway, so that outbound email is screened at the same location and by the same piece of equipment as inbound email, reducing the number of boxes or discrete products that have to be maintained. The gateway can then be directed to take action on a hit, that is, when an outbound email contains sensitive information that should not be sent. The choices are:

1. Block the email, with appropriate notification going to the sender.
2. Quarantine the email for review by an administrator, who determines why it was held and then either sends it along or blocks it and notifies the sender.
3. Self-remediation, where the email is blocked and a notice is sent back to the originator saying why it was blocked and asking whether they still want to send it. All of this activity is logged.
4. Encrypt the email.
In the last case, the sensitive information is allowed to leave the enterprise, but only encrypted. An example would be a person's medical records.

Integrating outbound protection into existing equipment appears to be an attractive solution. However, the email gateway is usually an appliance optimized to perform relatively small signature comparisons rapidly. Examining outbound email, especially for sensitive information in unstructured data, requires more memory and potentially faster processors. Adding DLP to the email gateway to screen for regular expressions, such as Social Security or credit card numbers, works to some degree, but if the sender obfuscates them in any way (for instance, by changing the separators or substituting look-alike characters), the information passes through. Moreover, it is doubtful that such a filter will pick up sensitive information in unstructured data, such as the terms and conditions of a merger or acquisition, details of a product launch, or other corporate intellectual property (IP).

[7] http://en.wikipedia.org/wiki/malware
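The regex screening discussed above, together with the block/quarantine/self-remediate/encrypt decision listed earlier, as an added worked example. This is illustrative code written for this page, not Vericept's, Cisco/IronPort's, or the author's product code. It assumes a hypothetical per-data-type policy table (POLICY), a small look-alike substitution table (LOOKALIKES), and three constructed sample messages; the strict NAIVE_SSN pattern shows what a gateway-style regex misses, while the hardened path normalizes look-alike characters, accepts either separator, applies the Luhn check to card candidates, and maps the findings to the most restrictive action the policy demands.

```python
import re

# Constructed sample outbound messages (illustrative, not from the whitepaper).
MESSAGES = {
    "plain": "Attached are the records. SSN 123-45-6789, card 4111 1111 1111 1111.",
    "obfuscated": "ssn: l23 45 6789 ... card 4111-1111-1111-1111 (call me)",
    "clean": "Lunch at noon? Order #2024-1234 has shipped.",
}

# Strict gateway-style pattern: one exact layout. A sender who changes the
# separators or swaps in look-alike characters slips past it.
NAIVE_SSN = re.compile(r"\d{3}-\d{2}-\d{4}")

# Hardened patterns: dash, space or no separator; SSN area/group/serial
# values that are never issued (000, 666, 9xx / 00 / 0000) are rejected.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)"
)
# Card candidates: 13-19 digits with at most one separator between digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Look-alike substitutions a sender might use to dodge a digit-only regex.
# Assumed for illustration; a real engine carries a much larger table and
# scores hits, because this mapping also turns 'call' into 'ca11'.
LOOKALIKES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1"})


def normalize(text):
    """Canonicalize look-alike characters before pattern matching."""
    return text.translate(LOOKALIKES)


def luhn_ok(digits):
    """Mod-10 check; drops most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return {'ssn': [...], 'card': [...]} found after normalization."""
    norm = normalize(text)
    ssns = [m.group() for m in SSN_RE.finditer(norm)]
    cards = []
    for m in CARD_RE.finditer(norm):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


# The four outbound actions the text lists, plus allow, least to most
# restrictive. When several rules fire, the most restrictive action wins.
SEVERITY = ["allow", "encrypt", "self_remediate", "quarantine", "block"]

# Assumed enterprise policy: medical-style identifiers may leave encrypted,
# card numbers never leave by email.
POLICY = {"ssn": "encrypt", "card": "block"}


def decide(findings, policy):
    """Map detections to the single action the gateway should take."""
    action = "allow"
    for kind, hits in findings.items():
        if hits and SEVERITY.index(policy[kind]) > SEVERITY.index(action):
            action = policy[kind]
    return action


def screen(text, policy=POLICY):
    """Scan one outbound message body; returns (action, findings)."""
    findings = find_sensitive(text)
    return decide(findings, policy), findings


if __name__ == "__main__":
    for name, body in MESSAGES.items():
        action, found = screen(body)
        naive = NAIVE_SSN.search(body) is not None
        print(f"{name:10s} naive_ssn_hit={naive!s:5s} action={action:14s} {found}")
```

Running the block shows the strict pattern catching the plain message but not the obfuscated one, while the normalized scan blocks both; the point for a practitioner is that even this hardened version only closes the obfuscations it was written for, which is why the text argues for detection engines that look beyond pattern matching.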
Solution

To block leakage of IP, an enterprise should deploy a fully featured Data Leak Protection product that uses multiple detection engines and is capable of identifying sensitive information in unstructured data. This can be placed in front of an existing email gateway, providing the finer-grained screening needed for outbound traffic while continuing to use the existing equipment for inbound protection. An example configuration:

[Figure: user mail server (Exchange, Domino) to Vericept Protect, to encryption, to the IronPort email gateway (Cisco); a reviewer works from the Vericept console]

In this configuration, the internal email server sends all outbound mail to the Vericept Protect product. Vericept scans for sensitive information and takes the appropriate action. When encryption is required, Vericept sends the message to the encryption engine, which then sends it to the email gateway. Note the ordering: the DLP scan must happen before encryption, because once the body is encrypted neither the DLP product nor the gateway's own content filters can inspect it.

Cisco/IronPort

Cisco's IronPort division offers a wide range of appliances aimed at blocking viruses, spam and other malware, and includes content filtering along with encryption for outbound email. The content filtering handles regular expressions, but not data that are more complex. The content filters on IronPort C-Series appliances identify messages to be encrypted, based on compliance and business considerations. Once encrypted, IronPort PXE messages continue through the mail pipeline for DKIM signing and delivery, so the DKIM signature covers the encrypted message as it leaves the appliance. The chart below shows the IronPort encryption and key management process. [8]

[Figure: content scanning, then compliance filters; if no encryption is required, DomainKeys signing and hand-off to the MTA; if encryption is required, IronPort PXE encryption, message key stored in the key service (hosted or local), then DomainKeys signing and hand-off to the MTA]

[8] http://www.ironport.com/technology/ironport_pxe_encryption.html
Merging Vericept's Protect product, with its unparalleled ability to find sensitive information in unstructured data, with Cisco's IronPort products provides the optimum solution for protecting an enterprise's sensitive information. Depending on enterprise policy, outbound email can be blocked, sent back for reconsideration, quarantined, or encrypted. Meanwhile, using the same email gateway, inbound email containing viruses, spam and other malware can be blocked with state-of-the-art equipment. The result is an appliance designed to handle the high volume of inbound attacks rapidly, paired with a contextual linguistic tool that examines the information in unstructured outbound messages, filtering and encrypting them per policy.

Robert Mannal, CIPP, CISSP
With more than 25 years of experience in the security and networking arena, Robert is a Senior Manager, Product Marketing and Management at Vericept. Previously, he held management positions at Network Engines, in the Information Risk Management (IRM) practice of KPMG, at Security Dynamics (now RSA), and at Codex (Motorola). Mannal holds an MBA in Marketing from the Wharton School of Business and is a Certified Information Privacy Professional (CIPP) and a Certified Information Systems Security Professional (CISSP).

Vericept Corporation
Reservoir Place, 1601 Trapelo Road, Suite 140, Waltham, MA 02451
555 Seventeenth Street, Suite 1500, Denver, CO 80202
800.262.0274
www.vericept.com