While choosing the right email security solution may not change the way businesses communicate, it will deliver dramatic savings, not just in budget and infrastructure but also in the time and resources of IT professionals and their organizations. This booklet provides a framework for evaluating next-generation email security solutions while addressing a number of specific issues, including: creating a secure email architecture and infrastructure; combating the latest inbound threats; policy-driven control and content filtering; best practices for securing outbound messages; and integration and consolidated management.
GUIDE TO Next-Generation Email Security Technology
Evaluating the right solution for your needs
August 2006

Table of Contents
Introduction
Creating a secure email architecture and infrastructure
  Gateway filtering solutions
  Outsourced email providers
  Hybrid solutions
Combating the latest inbound threats: spam and Dark Traffic
  The evolution of anti-spam technologies
Policy-driven control and content filtering
Best practices for securing outbound messages
  The Friday at Five O'Clock Test
Integration and consolidated management
  Point solutions are not the answer
  Leverage and simplify
Conclusion

Introduction
Email has transformed the way we do business, allowing unprecedented openness, connectivity, and rapid sharing of work throughout the world. But it relies on an infrastructure that is inherently insecure, and its rapid adoption has outpaced the ability of many organizations to ensure security, reliability, and accountability.

This rapid and often unplanned explosion of email has spawned numerous security threats, including spam, viruses, scams, identity theft, and leaks of sensitive information. With each new threat, organizations have scrambled to defend their networks, often deploying a patchwork of separate security solutions. Like many other first-generation technologies, these early email security solutions were expensive to deploy, difficult to manage, and required constant fine-tuning to produce acceptable results.

The first-generation technologies also tended to view inbound and outbound email security as separate, unrelated challenges. Inbound solutions focused almost entirely on reducing the annoyance of spam, while separate systems were considered to encrypt outbound email or to filter content for leaks of sensitive information. Many products that were effective when initially deployed no longer adequately address these issues.
These solutions fail the most important of all email security tests: the administrator invisibility test. If the email administrator is invisible to most employees, the system is running smoothly. But when the phone rings at an email administrator's desk, the caller is almost always an unhappy employee reporting a problem. IT professionals once believed they had solved their organization's spam problems; having spam reappear six months down the road is not only frustrating, it is unacceptable.

Today's IT environments face heightened and often conflicting challenges, including:
- Continually increasing security while decreasing costs
- Providing solutions that are easy to manage, yet flexible and scalable
- Allowing IT departments to outsource key components of security without giving up accountability, tracking, and control
- Managing inbound and outbound email security from a single point
- Passing the administrator invisibility test with solutions that continue to work effectively even as threats evolve
- Deploying best-of-breed technology while consolidating around fewer products and vendors

Clearly, a different kind of email security solution is needed: one that can address issues and threats as they evolve. To meet these challenges, some vendors have begun to develop next-generation email security products that address multiple needs, adapt to changing threats, eliminate the need for fine-tuning to be effective, and provide multiple integrated functions with centralized management and reporting.
While many vendors promote this type of integrated approach, it is challenging to find complete solutions that integrate inbound and outbound security while still maintaining best-of-breed capabilities across all functions.

This paper provides a framework for evaluating next-generation email security solutions while addressing a number of specific issues, including:
- Creating a secure email architecture and infrastructure
- Combating the latest inbound threats
- Policy-driven control and content filtering
- Best practices for securing outbound messages
- Integration and consolidated management

Creating a secure email architecture and infrastructure
The first generation of email protection was often installed on the user's machine or as a plug-in to the email server. At first, these solutions protected effectively against spam. But as email attacks became more sophisticated, these types of solutions could not handle the malicious and invalid email traffic that eats up bandwidth, such as denial of service (DoS) attacks and directory harvest attacks (DHAs): sitting behind the mail server rather than in front of it, they only ever see messages the server has already accepted. Unwanted, malicious, and invalid email traffic can severely impact your email infrastructure, often representing 70-90% of all inbound email traffic. When inbound servers must process all of this traffic, organizations often purchase more servers and hire more staff than they actually need, over-scaling their infrastructure because of junk in the system.
One Fortune 500 company was ready to add several Exchange servers to improve performance; first, however, they ran an email analysis and discovered that 90% of their traffic was invalid and unwanted email.

To deal more effectively with email attacks, the new generation of email security solutions are either gateway filters or outsourced email solutions.

Gateway filtering solutions
Gateway filtering solutions have many advantages. Placed in front of corporate email servers, they give email administrators direct control over email security policies. Gateway filters can also defend against all types of email network attacks, including the DHAs and DoS attacks that dramatically affect bandwidth, because they can reject invalid recipients and abusive connections during the SMTP conversation, before a message is ever accepted. Because a gateway filter reduces the invalid and unwanted traffic coming into the system, organizations often see a dramatic return on investment: in the case of the Fortune 500 company mentioned above, their overworked email servers processed 70% to 90% less traffic after implementing a gateway solution. Performance goes up, and administrative costs go down.

In this architecture, the burden of spam filtering is in the email technology manager's court, not the end user's. Depending on the organization's needs, this can be a positive or a negative; however, most organizations expect this level of control to be centralized. In addition, the gateway requires a secure platform because it sits on the perimeter and faces the Internet. This is a concern if the gateway has to be constantly updated and patched, as is the case with many Windows-based boxes. Deploying locked-down appliances, such as those that run a hardened Linux OS, can significantly reduce management costs.
In effect, hardened Linux appliances make it possible to virtually outsource management of the email platform: the appliance still needs security updates, but the vendor owns the patch cycle rather than the local administrator.

Outsourced email providers
This type of deployment is relatively new to the market and can sound attractive to many organizations. First, email traffic is filtered before it even reaches the network perimeter. This reduces some types of email network attacks, not only against the email system but against the perimeter boxes as well. Unfortunately, many DHA and DoS attacks cannot be filtered by this type of deployment (typically because the provider does not know which of the organization's recipient addresses are valid), so the bandwidth problem cannot be addressed as effectively as with a gateway filter.

Second, this option is easy to deploy and easy to update because the external provider does the work, not the organization itself. As a consequence, however, there is little organizational control over corporate email policy; it is limited to what the provider can offer. Depending on the organization's needs, email providers may have trouble tracking information or meeting regulatory compliance demands. IT professionals are still on the hook for compliance and tracking problems, but without the ability to control the email stream it is difficult, or impossible, to make the necessary changes.

This implementation is usually most appropriate for organizations that can work within the outsourcer's limitations; these are often smaller businesses and privately held organizations without rigorous reporting requirements.

Hybrid solutions
Because enterprises have a mix of needs, it is often appropriate to use a best-of-breed approach. A gateway filtering solution provides the control and accountability most mid-size and large enterprises need. Virtually outsourcing the email platform with a hardened Linux appliance, which reduces patch management and updating, is also advantageous.
Selectively leveraging outside expertise for anti-spam and anti-virus technologies works for many businesses; most organizations do not wish to manually tune, tweak, or configure anti-spam and anti-virus solutions.

Combating the latest inbound threats: spam and Dark Traffic
One threat that is always high on email administrators' radar is spam. There are many anti-spam solutions on the market today, but the target is constantly moving: spammers get more clever and creative at making their junk mail look real, and anti-spam vendors must constantly update their techniques to remain effective. It is a game of spy vs. spy: spammers are constantly learning how to get around specific anti-spam techniques, and the best vendors are always coming up with new technologies to increase the percentage of spam caught. For instance, some anti-spam vendors rely on identity analysis or reputation analysis to block spam coming from certain IP addresses. To get around this, spammers have implemented zombie attacks, or botnets (robot networks), planting spyware or Trojans on unsuspecting machines, which then act as slaves to a remote controller that carries out the spam campaign. Instead of one machine sending out tens of thousands of emails from a single IP address, a zombie attack can have a thousand slave PCs on a thousand different IP addresses send out ten to twenty emails each, so no single address ever builds up enough volume to earn a bad reputation. Effective email security requires vendors to constantly add adaptive techniques to their anti-spam systems, assuring organizations that even new threats like zombie attacks will not get through, and that email security professionals will not get angry calls or emails about unwanted messages.
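The following Python script is an added example, not code from this guide or from Tumbleweed, of the kind of perimeter triage a gateway filter can do because it answers each RCPT TO command itself: it reads per-recipient SMTP log records, aggregates them by connecting client, and flags the directory harvest attack (DHA) pattern that the gateway section says a perimeter filter can stop. The log format, the IP addresses, the recipient names and the two thresholds are all constructed assumptions for the example. The three 192.0.2.x sources each deliver two accepted messages and are left alone; that is exactly the botnet blind spot described above, and the reason per-IP analysis has to be layered with the content and pattern techniques discussed next.

```python
import re
from dataclasses import dataclass, field

# Constructed log lines (not from any real gateway): one record per RCPT TO
# command, with the SMTP reply the gateway returned to the connecting client.
SAMPLE_LOG = """\
2006-08-11T16:58:01 client=203.0.113.7 rcpt=<aaron@example.com> reply=550
2006-08-11T16:58:01 client=203.0.113.7 rcpt=<aaron.b@example.com> reply=550
2006-08-11T16:58:02 client=203.0.113.7 rcpt=<abbey@example.com> reply=550
2006-08-11T16:58:02 client=203.0.113.7 rcpt=<abe@example.com> reply=550
2006-08-11T16:58:02 client=203.0.113.7 rcpt=<abel@example.com> reply=550
2006-08-11T16:58:03 client=203.0.113.7 rcpt=<alice@example.com> reply=250
2006-08-11T16:58:03 client=203.0.113.7 rcpt=<adam@example.com> reply=550
2006-08-11T16:58:03 client=203.0.113.7 rcpt=<adele@example.com> reply=550
2006-08-11T16:58:04 client=203.0.113.7 rcpt=<adrian@example.com> reply=550
2006-08-11T16:58:04 client=203.0.113.7 rcpt=<ahmed@example.com> reply=550
2006-08-11T16:59:10 client=198.51.100.20 rcpt=<alice@example.com> reply=250
2006-08-11T16:59:11 client=198.51.100.20 rcpt=<bob@example.com> reply=250
2006-08-11T16:59:12 client=198.51.100.20 rcpt=<carol.left@example.com> reply=550
2006-08-11T17:00:01 client=192.0.2.101 rcpt=<alice@example.com> reply=250
2006-08-11T17:00:01 client=192.0.2.101 rcpt=<bob@example.com> reply=250
2006-08-11T17:00:02 client=192.0.2.102 rcpt=<alice@example.com> reply=250
2006-08-11T17:00:02 client=192.0.2.102 rcpt=<bob@example.com> reply=250
2006-08-11T17:00:03 client=192.0.2.103 rcpt=<alice@example.com> reply=250
2006-08-11T17:00:03 client=192.0.2.103 rcpt=<bob@example.com> reply=250
2006-08-11T17:00:04 garbage that is not a log record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) "
    r"rcpt=<(?P<local>[^@>]+)@(?P<domain>[^>]+)> reply=(?P<reply>\d{3})$"
)

# Thresholds are assumptions for this example; tune them to your own traffic.
MIN_UNKNOWN_RCPTS = 8      # absolute floor: a few stale addresses never trip the rule
MIN_UNKNOWN_RATIO = 0.8    # share of RCPT TO commands that named nonexistent users


@dataclass
class ClientStats:
    accepted: int = 0
    rejected: int = 0
    unknown_localparts: set = field(default_factory=set)

    @property
    def total(self) -> int:
        return self.accepted + self.rejected

    @property
    def unknown_ratio(self) -> float:
        return self.rejected / self.total if self.total else 0.0


def parse_log(text: str):
    """Aggregate RCPT TO outcomes per connecting client IP."""
    stats = {}
    malformed = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            malformed += 1          # count, never crash on, lines the gateway mangled
            continue
        s = stats.setdefault(m["client"], ClientStats())
        if m["reply"].startswith("2"):
            s.accepted += 1
        else:
            s.rejected += 1
            s.unknown_localparts.add(m["local"].lower())
    return stats, malformed


def classify(stats) -> dict:
    """Per-client verdict: 'dha' for a harvest pattern, 'ok' otherwise."""
    verdicts = {}
    for client, s in stats.items():
        harvesting = (
            len(s.unknown_localparts) >= MIN_UNKNOWN_RCPTS   # many *different* bad names
            and s.unknown_ratio >= MIN_UNKNOWN_RATIO
        )
        verdicts[client] = "dha" if harvesting else "ok"
    return verdicts


def triage(text: str):
    """Parse and classify in one step; returns (verdicts, unparseable line count)."""
    stats, malformed = parse_log(text)
    return classify(stats), malformed


if __name__ == "__main__":
    verdicts, bad_lines = triage(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:16} {verdict}")
    print(f"{bad_lines} unparseable line(s)")
```

The rule keys on the number of distinct unknown local parts, not just the count of rejections, because a legitimate mail server retrying one stale address produces many 550s for a single name, while a harvester by definition walks through many names. In a real gateway the same statistics would feed a tarpit or a temporary block on the offending client, applied at RCPT TO time so the harvester never learns which addresses are real.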
Today's enterprises expect spam filters to catch at least 95% of spam; the best spam filters catch upwards of 99% of unwanted email. Even more important, however, a spam filter should rarely catch a valid, wanted email and throw it out. These false positives have caused many arguments between companies when an expected email was filtered out and never delivered. Experts recommend that the false positive rate be as close to 0% as possible, since false positives can cost organizations dearly. When a vendor quotes a catch rate, ask how it was measured; a 99% figure is only meaningful alongside the false positive rate measured on the same mail stream.

Spam is not the only threat to email servers. While spam is unwanted and often annoying, a bigger threat to networks today is malicious and invalid email traffic, referred to as Dark Traffic, which can actually damage an email system or a network. Dark Traffic includes viruses, worms, and Trojan horses that are sometimes attached to otherwise valid-looking emails. The directory harvest attack (DHA) is often a precursor to spam: a corporate email server is bombarded with thousands or even millions of random name combinations, and the server's own accept or reject responses tell the attacker which addresses are valid. Email denial of service (DoS) attacks, malformed SMTP packets, and invalid recipient addresses are other types of Dark Traffic. As mentioned above, spam and Dark Traffic can have a huge effect on bandwidth, often representing 70-90% of all inbound email traffic. Stopping spam and Dark Traffic is essential to scaling email infrastructure accurately and keeping network performance up.

The evolution of anti-spam technologies
Spammers and hackers are constantly shifting strategies and tactics to get around spam filters. As new tactics evolve, anti-spam vendors must layer their new technology on top of the old. The following are the four major types of anti-spam technologies.

- Content filtering. Early solutions relied primarily on word lists, email signatures, and lexical analysis.
  For instance, "viagra" is a word that is often tagged by content filters. To adapt, spammers started spelling it with 1s instead of i's and added spaces between the letters. Later, they began to render the text as HTML graphics instead of writing it as text. Currently, spammers have begun to put their content in embedded PDFs; some email security vendors can filter the content of PDFs as well.
- Behavioral analysis. This type of anti-spam technology uses Bayesian analysis, statistical analysis, and heuristics to predict spam. The onus for this type of technology often fell on administrators, who had to do extensive tuning and trial and error before getting satisfactory results. Poorly trained Bayesian filters also increased the likelihood of false positives.
- Identity analysis. This looks at the identity of known spammers (often referred to as reputation analysis). It is a promising technology, but it may require email authentication to become more widespread. Zombie attacks can also get around this type of defense, since each infected PC sends too little mail to acquire a reputation.
- Pattern detection. By analyzing patterns of traffic, as much as 80% of traffic can be discarded as invalid. This reduces the load on email servers and downstream email filters, and because it acts on connection and recipient behavior rather than on message content, it does not add to the false positive rate.

All these technologies can be layered on top of one another to create an effective anti-spam filter.

Policy-driven control and content filtering
Security policy is increasing in both use and importance in today's business environment. Government regulations, together with the heavy responsibility and enormous workload placed on IT professionals, make a policy-driven framework for security much more efficient to implement. The first generation of email solutions simply dealt with email coming into an organization.
Most anti-spam products rely on content filtering, and its importance is expanding. It is no longer enough just to look at the text in a message: inbound threats can be hidden in message text, headers, HTML graphics, and various types of attachments. But email traffic encompasses outbound email as well, and to deal with regulations and security concerns, organizations' security policies have begun to address outbound issues. Email systems make it so easy to send messages that employees can send proprietary information, customer information, or accounting information to anyone, at any time, unencrypted. This exposes organizations to many risks, whether or not the employee is sending the email legitimately. For instance, if an accounting employee needs to send private accounting information or customer data to an auditor, those emails could violate government regulations if they are not protected properly. How can organizations be sure that employees are complying with government regulations, or that a disgruntled employee is not sending intellectual property or a customer contact list to a competitor? There could be serious implications if the wrong information gets into the wrong hands through an unprotected email system.

It is becoming increasingly clear that inbound and outbound email security techniques are linked, especially in content filtering. Identifying keywords, file types, HTML graphics, attachments, headers, and junk traffic is essential on both sides of the email perimeter. Today's email security solutions often leverage the same inbound content filtering technology for outbound email. Rules can be created that flag proprietary data, social security numbers, or other personally identifiable information. Certain recipients, such as auditing firms, can also have their emails flagged.
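As an added example (not code from this guide or from any vendor product), the Python below shows the rules just described working together as one outbound policy engine, and also exercises the policy actions the next section lists: block, encrypt, or add a disclaimer, chosen from who sent the message, what it contains (subject, body and attachment text), and where it is going. The same normalization step that defeats "v1agra"-style obfuscation inbound is reused to catch "C0nf!dent1al" outbound. The internal domain, the partner table of domains with gateway-to-gateway TLS already arranged, the lexicon, the sample messages and the SSN validity rules are all constructed assumptions for the example; a production lexicon for HIPAA or GLBA would be far larger.

```python
import re
from dataclasses import dataclass, field

# Everything below (domains, lexicon, partner table) is constructed for this example.
INTERNAL_DOMAIN = "corp.example"
TLS_PARTNERS = {"auditor.example"}            # gateway-to-gateway TLS arranged in advance
SENSITIVE_TERMS = ("confidential", "quarterly report", "customer list")
NEVER_TO_UNTRUSTED = ("ssn", "customer list")  # categories that are blocked, not encrypted

# Undo the substitutions used to slip past word lists ("c0nf1dent!al").
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "3": "e", "5": "s", "$": "s", "@": "a"})
# US SSN shape; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def normalize(text: str) -> str:
    """Lower-case, map leet characters back, and join spaced-out letters."""
    t = text.lower().translate(LEET)
    # "c o n f i d e n t i a l" -> "confidential"
    return re.sub(r"\b(?:[a-z]\s+){2,}[a-z]\b", lambda m: re.sub(r"\s+", "", m.group()), t)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


@dataclass
class Decision:
    action: str                 # deliver | disclaimer | encrypt | block
    method: str = ""            # for encrypt: "tls" or "web-pickup"
    findings: set = field(default_factory=set)


def scan(msg: Message) -> set:
    """Return (category, location) pairs found in subject, body and attachments."""
    found = set()
    parts = [("subject", msg.subject), ("body", msg.body), *msg.attachments.items()]
    for where, text in parts:
        if SSN_RE.search(text):            # match on raw text: digits must stay digits
            found.add(("ssn", where))
        norm = normalize(text)
        for term in SENSITIVE_TERMS:
            if term in norm:
                found.add((term, where))
    return found


def decide(msg: Message) -> Decision:
    """Rules are evaluated in order; the first that applies wins, as on a gateway."""
    findings = scan(msg)
    categories = {c for c, _ in findings}
    external = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients} - {INTERNAL_DOMAIN}
    untrusted = external - TLS_PARTNERS

    if not external:                                   # purely internal traffic
        return Decision("deliver", findings=findings)
    if untrusted and categories & set(NEVER_TO_UNTRUSTED):
        return Decision("block", findings=findings)    # hold for review, never silently drop
    if categories:                                     # sensitive but permitted: encrypt
        method = "tls" if not untrusted else "web-pickup"
        return Decision("encrypt", method, findings)
    return Decision("disclaimer", findings=findings)   # ordinary external mail


# Constructed sample traffic covering the cases discussed in the text.
SAMPLES = {
    "audit": Message("acct@corp.example", ["cpa@auditor.example"], "Q2 quarterly report",
                     "Attached as requested.", {"q2.pdf": "Payroll detail, employee 123-45-6789"}),
    "leak": Message("sales@corp.example", ["rival@competitor.example"], "fyi",
                    "Here is our customer list, keep it quiet."),
    "obfuscated": Message("eng@corp.example", ["pat@mail.example"], "draft",
                          "This is C0nf!dent1al, do not forward."),
    "casual": Message("bob@corp.example", ["pat@mail.example"], "lunch", "Friday?"),
    "internal": Message("hr@corp.example", ["carol@corp.example"], "Confidential",
                        "Salary bands attached, employee 123-45-6789."),
}


def run_samples() -> dict:
    """Decide every sample; returns {name: (action, method)}."""
    results = {}
    for name, msg in SAMPLES.items():
        d = decide(msg)
        results[name] = (d.action, d.method)
    return results


if __name__ == "__main__":
    for name, (action, method) in run_samples().items():
        print(f"{name:11} -> {action} {method}".rstrip())
```

The "audit" case is the Friday at Five O'Clock scenario from the next section: the accountant's PDF carries an SSN, the auditor is a TLS partner, so the message is encrypted on the pre-arranged gateway link and delivered without anyone waiting in an administrator's queue. The same content going to a domain with no prior arrangement is either held (a customer list or SSN to an untrusted domain) or encrypted for Web pickup. Note that attachment text is scanned exactly like the body; a policy that skips PDFs would have let the SSN through.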
The next generation of email security solutions must make policy management and content filtering as robust as possible to adequately address all customer concerns. For instance, some vendors do not scan some types of attachments, like PDFs, that are at high risk of carrying confidential information; other vendors deal only with inbound email and have lightweight or hard-to-manage solutions for outbound traffic. It is therefore becoming essential to apply the same security technology used for inbound email traffic to outgoing email.

Best practices for securing outbound messages
Email encryption protocols such as TLS, PGP, or S/MIME have existed for some time, but the process of deploying encryption has developed a well-earned reputation for being difficult, complex, and prone to failure. Note also that they protect different things: TLS protects a message only on the hop between two mail gateways, while PGP and S/MIME protect the message itself end to end, so a policy engine must know which of these a given recipient can accept. However, the need to encrypt sensitive information cannot be ignored. Organizations need to implement a secure messaging solution that takes the encryption burden off the end user and intelligently does the right thing to keep messages secure and organizations in compliance. In other words, it needs to analyze who a message is from, what it contains, and where it is going, and take the appropriate steps automatically. (This helps solve the Friday at Five O'Clock Test; see sidebar.) Experts strongly recommend the following features for an effective outbound security solution:
- Strong content filtering
- Flexible and intuitive policy controls
  - Effective solutions should take policy actions and route mail based on policy
  - Policies should be granular: identity of sender, identity of recipient, matching keywords, attachments, etc.
  - Multiple options should be available: blocking, encrypting, adding a disclaimer, etc.
  - Easy to implement: an intuitive GUI rather than a UNIX command line
  - Out-of-the-box lexicons for common government regulations (such as HIPAA, GLBA)
- Multiple outbound delivery methods
- Universality
  - Any recipient should be able to receive an email that has been properly secured
  - Recipients should additionally be able to respond securely to the email

The Friday at Five O'Clock Test
One of your accountants is trying to meet a 5:00 p.m. deadline on a Friday to send quarterly reports to your auditing firm. Some email security solutions cannot look at outbound traffic at all, so the legitimate email may get sent, but it will be unencrypted, and that presents many problems in terms of government compliance and regulations. Other solutions flag the email and route it to the email administrator's mailbox. If the email administrator has gone home for the weekend, an unpleasant surprise awaits everyone Monday morning: the deadline has been missed.

You could require your accounting department to send all email with PGP encryption, but that requires both the sender and the recipient to learn several technical steps to set up email encryption properly. Alternatively, you can set up TLS encryption between your company and your auditor, but that option requires gateway-to-gateway encryption to be set up in advance.

Of course, the last thing accountants (and your auditor) should be worried about is encrypting their own email. Instead, email security solutions should intelligently analyze the email and automatically encrypt it before it is sent. There are solutions available that will do this, and some go a step further: they provide a Web-based tool where recipients can securely view and respond to the encrypted email.
This allows you to send and receive secure messages with anybody who has a Web browser, anywhere in the world, without having to train your recipients.

Integration and consolidated management
If not addressed properly, the security and architectural challenges discussed above can cost companies hundreds of thousands of dollars in unnecessary infrastructure costs and lost productivity, in addition to the consequences of non-compliance or compromised confidential information. Disparate solutions have been available to address some of these challenges in the past, but increasingly, email administrators are looking for consolidation and simplified management.

Point solutions are not the answer
Many companies have deployed point solutions that take care of a single email problem. Anti-spam and anti-virus solutions that check email can be deployed at the user level or as an email server plug-in. But this type of approach is rarely part of an overall security strategy, and it often leads to gaps or overlaps in email security. Additionally, most of these one-off solutions have different management interfaces, which leads to high administrative cost and effort.

As email security threats evolve, point solutions are often not worth this extra layer of management, since they deal with only a single email threat, and often using only a single method of defense. Spam, in particular, has evolved past what many point solutions can handle, making those products essentially ineffective.

Enterprises now expect email security solutions to deal with many different security threats, including all the types of Dark Traffic that can eat up so much bandwidth. In addition, the defending solution should be multi-layered, using different approaches and technologies to protect against evolving threats. If this type of solution is implemented, organizations can be confident that they will be protected quickly against new types of Dark Traffic as they emerge.
Leverage and simplify
Email management can be difficult with many different products. Not only can inbound and outbound security leverage the same technologies, but administrators also want to use the same management console to simplify their work and increase effectiveness. Gateway filters combine inbound and outbound email security with ease of management. This gives administrators the highest level of control, can perform both inbound and outbound security tasks (depending on the solution), protects against all types of Dark Traffic, and saves the most bandwidth.

Although they have architectural advantages, not all gateway email solutions are easy to manage. Some gateway vendors simply partner with third parties for parts of their solution. This is not a problem if the integration is done well and customer support is seamless to the organization, but that is not always the case. Other providers offer more features as part of their core offering, and these solutions tend to have integrated functionality, more streamlined support, and more complete management consoles. Any email security solution should offer consolidation of services and multiple functions, as well as a single, centralized management tool and centralized reporting. This makes every administrator's job easier.

Conclusion
The demands of today's enterprises are driven by new government regulations and changing business requirements. Organizations can choose from a new generation of email security solutions that meet the requirements to pass the administrator invisibility test much better than first-generation solutions did.
To meet these requirements, complete email security solutions should provide:
- Seamless integration of multiple security functions
- No need for fine-tuning or adjusting of spam and virus filters; these should be handled by outside experts
- Intuitive and effective policy controls
- Deep inspection of all content and attachments
- Integrated outbound secure delivery
- Centralized control over inbound and outbound security

Email revolutionized the way organizations conduct business, and next-generation email security solutions continue to build on those advantages. While choosing the right email solution may not change the way businesses communicate, it will deliver dramatic savings, not just in budget and infrastructure but also in the time and resources of IT professionals and their organizations.

Tumbleweed Communications

Corporate Headquarters (California, USA)
Tumbleweed Communications Corp.
700 Saginaw Drive
Redwood City, CA 94063
Phone: 650-216-2000 / 800-696-1978
www.tumbleweed.com

New York, USA
Tumbleweed Communications Corp.
245 Park Ave, 24th Floor
New York, NY 10167
Phone: 212-209-7363 / 800-696-1978
www.tumbleweed.com

United Kingdom
Tumbleweed Communications UK
Hurst Grove, Sanford Lane
Hurst, Berkshire RG10 0SQ, UK
Phone: 44 (0)118 934 7100
www.tumbleweed.co.uk

APAC
Tumbleweed Communications
Centennial Tower, Level 21
3 Temasek Avenue
Singapore 039190
Phone: 65-65497143
www.tumbleweed.com

© 2006 Tumbleweed Communications Corp. All rights reserved. Tumbleweed is a registered trademark and Tumbleweed MailGate AntiSpam, Tumbleweed MailGate Email Firewall, Intent-Based Filtering (IBF), Message Protection Lab, and Dynamic Anti-spam Service (DAS) are trademarks of Tumbleweed Communications Corp. All other brand names are the trademarks of their respective owners. 03/06