- Category: March - April 2010
In less than a decade, email has become a critical and, in most instances, the primary communication medium for business.
Currently, around 250 billion emails are sent daily. This is estimated to grow to over 500 billion by 2013. However, the increased popularity of email has been mirrored by an increase in the amount and sophistication of unwanted or spam messages. Today, viruses and spam account for over 85% of all worldwide email traffic.
Many businesses have invested in infrastructure to block unwanted email and protect the corporate network. However, the threat landscape continues to evolve as those sending spam and viruses develop new approaches to make their messages indistinguishable from legitimate email and to bypass the tests used by security vendors. This dynamic is forcing security vendors and IT administrators to make their security systems ever more aggressive.
For enterprises and service providers alike, the “holy grail” in messaging management is to deliver a high quality service as economically as possible. For those responsible for email administration, key objectives include:
- Ensuring rapid delivery of all legitimate email
- Producing the fewest errors (‘false positives’) possible
- Blocking as much unwanted and malicious email as possible
- Minimizing (indeed eliminating) support calls and user complaints
Email administrators are often forced to make tradeoffs between these objectives. As yet, no email filtering vendor has produced a perfect solution which eliminates the need to make these tradeoffs. While most filters can block the majority of viruses and spam, they also unintentionally block legitimate email. This is because most filters make use of probabilistic techniques such as content analysis, ‘key word’ filters and real-time IP block lists to make decisions about which messages should be rejected and which should be delivered.
Content filters have proven to be inaccurate predictors of spam, particularly for emails in languages other than English. Further, the growing adoption of IPv6 will make IP block lists significantly less effective, since spammers will be able to change their sending IP addresses continually.
Another more serious consequence of using these techniques is that messages from legitimate correspondents including customers, suppliers and partners can be and are regularly misclassified and thus are incorrectly blocked or quarantined as spam (“false positives”).
Email filtering vendors often under-play the loss of legitimate emails as ‘collateral damage’ too negligible to be significant. However, independent studies conclude otherwise. These studies show that while solutions are often able to meet the spam catch rate standard, they consistently fail to meet their own publicly stated accuracy standards when it comes to false positives, some by a significant margin.
While the false positive rate varies from vendor to vendor, it ranges between 0.5% and 2% of legitimate email. Statistically, this failure results in over 100 million emails every day that are not being delivered to end users.
This is a serious issue for the underlying business processes which rely on email. For enterprise and government in particular, this error rate is unacceptable because it results in operational failures and vulnerabilities. At its true incidence rate, this loss of email poses a real and quantifiable risk to businesses. Today, many business owners still remain unaware of just how vulnerable this failure in their messaging infrastructure makes their business processes.
The mean false positive rate across the vendors surveyed is 0.65%. This equates to a failure rate of 1 in 150 legitimate emails which are not being delivered. This figure is 2500 times greater than Gartner’s best practice of 1 in 400,000.
This failure results in a typical 1,000 user organization losing approximately 1,500 legitimate emails every month due to misclassification. This represents a significant operational vulnerability and an increased risk to any business processes which rely on email to communicate between entities.
Sender Reputation and Authentication Provides a Way Forward
A more sophisticated approach to messaging management is to prioritize the identity and delivery of legitimate email ahead of ‘blocking spam’. This switches the paradigm from one of blocking unwanted email to one of ‘filtering in’ email from legitimate senders first and only then filtering out unwanted messages. Using sender reputation and authentication allows trusted senders to be identified accurately and their email ‘fast tracked’ through the filtering process.
This approach is similar to the automated clearance systems used at certain airports. Passengers use a combination of their passport (used to establish identity and for reputation checking) and their fingerprint, iris or face (used for authentication) to get ‘fast tracked’ through the immigration clearance process. Such an approach requires a robust and accurate means of identifying and authenticating senders. Implementing such a technique would enhance the integrity of email communications and is considered the next-generation approach to filtering email.
How to Select Secure E-Mail Gateway Functionality
E-mail administrators face a bewildering array of features and functionality choices when evaluating secure e-mail gateways. Use enterprise-specific criteria to develop requests for proposals (RFPs) and shortlist vendors.
- The ability to identify and remove unwanted e-mail (spam) is the key selection criterion for any secure e-mail gateway. A best-of-breed gateway should deliver a minimum 99.5% spam-detection rate, with fewer than one in 400,000 “false positives.”
- Reduced administration overhead is the next-most-important concern of e-mail administrators. An effective, task-oriented graphical user interface (GUI) and comprehensive management interface will offer lower total cost of ownership (TCO).
- Data loss prevention (DLP) and encryption functionality represent the greatest differentiators among vendors’ offerings.
- Use the advanced functional capabilities that Gartner has identified to develop a secure e-mail gateway RFP, and shortlist vendors for testing on a production corpus of e-mail. Create a list of the top 10 to 20 most-common or critical tasks and use it as a guideline for comparison-testing and demonstration. Note 1: Common tasks might include message tracing; customizing a report; saving and scheduling it for distribution or alert; adding a backup server to a cluster; creating a custom outbound or inbound content filtering rule; and creating a policy for directory synchronization (and so on).
What you need to know
A wide array of secure e-mail gateway functionality is available with significant differentiation among vendors, and particularly among “best of breed” and “good enough” product vendors. No single vendor leads in all functional areas, so buyers must prioritize their requirements to address their specific business, technical and regulatory needs. Gartner recommends end-user testing of several key components of a secure e-mail gateway.
The market for secure e-mail gateway products offers significant differentiation among vendors and their offerings. An in-depth understanding of gateway functionality – and an extensive evaluation of capabilities against enterprise-specific needs – is essential.
The functionality required in a secure e-mail gateway will vary widely, depending on the enterprise’s technical resources, business needs and other factors. The functional capabilities to be considered are as follows:
- Anti-Spam Functionality
The ability to identify and remove unwanted e-mail (spam) is the No. 1 concern of e-mail administrators, and is a key selection criterion for a secure e-mail gateway. A best-of-breed gateway should deliver a minimum 99.5% spam-detection rate, with fewer than one in 400,000 “false positives.” The only valid way to evaluate anti-spam effectiveness is in a production environment, but there are certain capabilities to look for in vendors’ claims, including:
- The ability to rapidly detect and react to new spam campaigns that may evade filters
- Note 2: An effective way to determine a gateway’s spam-detection capabilities is to ask the vendor for a “honeypot” graph for the previous 12 months, and then look for deep or wide valleys.
- A real-time reputation system that silently drops at least 75% of spam at the SMTP connection – at the extended Hello (EHLO) command – or 90% or more for a best-of-breed solution
- A local SMTP connections management capability that can seek out “spambots” and throttle, block or increment the spam scores of suspected spam
- Intelligent SMTP error-message handling – for example, the ability to send invalid-recipient non-delivery reports (NDRs) to legitimate senders, while silently dropping invalid-recipient spam and silently dropping inbound spoofed NDRs – that is, NDRs sent from other message transfer administrators in response to spam with spoofed “from” addresses
- An attachment scanning capability (with a broad range of attachment types that can be scanned) to detect file-based spam messages
- An image-based spam detection capability (ideally via fuzzy matching, not exact-image matching)
- Multiple-language spam detection (a more urgent concern for multinational enterprises, but an increasingly important issue for predominantly “anglophone” enterprises as spam goes global)
- Spam detection capabilities that don’t require custom administrator-created spam rules (which sometimes may be necessary to identify unwanted e-mail that’s specific to the enterprise – for example, activist e-mail addressed to executives)
- The ability to fine-tune spam and connections management elements via broad numeric thresholds, rather than via binary on/off
- DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), which may be useful in limiting phishing, but don’t significantly improve spam detection
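The ‘filter in’ paradigm described earlier (authenticate the sender, check reputation, fast-track trusted mail, and only then run content scoring) and the SPF mechanism named in the last bullet, as an added example that is not code from the original article, BoxSentry or Gartner. The DNS records, trusted-domain table and spam-score threshold are all constructed; a real gateway would resolve TXT records over DNS and support the remaining SPF mechanisms (a, mx, exists, redirect).

```python
import ipaddress

# Constructed stand-in for live DNS TXT lookups (assumption, not real records).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "partner.example.org": "v=spf1 ip4:203.0.113.5 -all",
}

# Constructed sender-reputation table: domains this organisation has decided to trust.
TRUSTED_DOMAINS = {"example.com", "partner.example.org"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Minimal SPF (RFC 7208) evaluator supporting ip4, ip6, include and all."""
    if depth > 10:                      # RFC caps DNS-querying terms; also stops include loops
        return "permerror"
    record = FAKE_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            # 'include' matches only when the referenced policy yields 'pass'.
            if check_spf(arg, ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"          # mechanism not implemented in this example
    return "neutral"                    # no 'all' term: RFC default result


def route_message(mail_from_domain, client_ip, spam_score):
    """Filter in first: authenticated mail from a trusted sender bypasses
    content scoring; only the remainder is subjected to the spam filter."""
    spf = check_spf(mail_from_domain, client_ip)
    if spf == "pass" and mail_from_domain in TRUSTED_DOMAINS:
        return "fast-track"             # deliver without probabilistic content analysis
    if spf == "fail":
        return "reject"                 # the domain's own policy says this host is unauthorised
    return "deliver" if spam_score < 5.0 else "quarantine"   # constructed threshold
```

Note that a trusted sender's authentication result, not its content, decides the fast track, which is exactly why a false positive on a legitimate partner message cannot occur on that path.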
- Antivirus (AV) Functionality
Virus detection and removal capabilities at the e-mail gateway remain a key enterprise concern. Secure e-mail gateway functionality in this area includes:
- Signature-based virus analysis, preferably with more than one choice of signature engine, to avoid excessive reliance on the incumbent PC AV vendor (preferably in a solution capable of running multiple, simultaneous AV engines for enterprises with particularly rigorous security requirements, or simply as a means of testing AV effectiveness)
- Real-type file attachment analysis (not file-extension-based) to detect file type by file characteristics, rather than by file-name extensions, which can be changed
- Proactive virus detection methods that don’t rely on signatures (a significant differentiator, because few vendors offer this capability)
- A database of known or suspect security-risk URLs, which are reliable indicators of spam, malware and phishing attacks
- The ability to identify, unpack, and recursively unpack compressed or zipped files, and identify password-protected or encrypted files
- Separate suspected-virus quarantine and multiple disposition options (for example, attachment stripping, delivery of notices to senders or recipients, quarantine file and deletion) based on file-infection type
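The “real-type” attachment analysis and the recursive unpacking with encrypted-file identification from the list above, as an added example that is not code from the original article or from any vendor. The magic-byte table, the extension map, the nesting limit and the sample archive are all constructed; the sample’s “encrypted” entry only has its header flag set, so it carries no real ciphertext.

```python
import io
import zipfile

# Constructed magic-byte table (assumption: a real gateway carries a far larger one).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_TO_TYPE = {"exe": "pe-executable", "zip": "zip", "pdf": "pdf", "png": "png", "txt": "text"}
DANGEROUS = {"pe-executable"}


def detect_type(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def inspect_attachment(name, data, depth=0, max_depth=3, findings=None):
    """Recursively inspect an attachment; returns a list of (path, finding)."""
    if findings is None:
        findings = []
    real = detect_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    if real in DANGEROUS:
        findings.append((name, "executable"))
    elif "unknown" not in (real, claimed) and real != claimed:
        findings.append((name, f"extension-mismatch:{claimed}!={real}"))
    if real == "zip":
        if depth >= max_depth:          # bound recursion: deeply nested archives are suspicious in themselves
            findings.append((name, "nesting-too-deep"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:    # general-purpose flag bit 0: entry is encrypted
                    findings.append((inner, "encrypted"))
                    continue                # content cannot be scanned; policy decides disposition
                inspect_attachment(inner, zf.read(info), depth + 1, max_depth, findings)
    return findings


def wrap_in_zip(entry_name, data):
    """Helper for constructing nested sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, data)
    return buf.getvalue()


def build_sample():
    """Constructed attachment: invoice.zip holding a renamed executable, a nested
    archive, and an entry whose encryption flag is set after writing so that the
    central directory advertises it as encrypted (no real ciphertext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60)   # PE header under a .txt name
        zf.writestr("nested.zip", wrap_in_zip("report.pdf", b"%PDF-1.4 constructed"))
        info = zipfile.ZipInfo("secret.docx")
        zf.writestr(info, b"placeholder")
        info.flag_bits |= 0x1           # flag survives into the central directory on close
    return buf.getvalue()
```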
Reduced administration overhead is the No. 2 concern of e-mail administrators. An effective task-oriented GUI and comprehensive management interface will offer lower TCO. Gartner recommends creating a list of the 10 to 20 most-common or critical tasks to use as a guideline for comparison testing and demonstration of solutions. Required management capabilities will depend heavily on enterprise-specific needs and available technical skills.
Advanced capabilities include:
- A “wizard”-type installation mechanism that provides optimal default settings for different size environments (and sometimes for appliances that are preconfigured by vendors)
- A task-based (not feature-based) management GUI, which simplifies management by hiding complexity, but also gives more-skilled users the ability to drill down into granular detail
- Note 3: A task-based system can be evaluated by creating a list of common tasks and comparing the number of steps required to complete each task.
- Native active/active clustering within and across LANs, and automatic active/standby failover
- Automatic configuration and policy synchronization among boxes in multibox deployments
- Centralized quarantines for multibox deployments
- Corporate allow-and-deny databases (white lists and blacklists) that can accept exact or “wild card” e-mail address, domain name or IP address matches
- Native message tracing capability with granular, but nontechnical, results that enable first-line help desk personnel to trace missing messages (including inbound messages dropped by reputation or connections management filters and encryption results) and understand what happened to them
- Automatic synchronization on schedule with multiple, disparate directories, each with their own policy options
- Alerting capabilities, including e-mail, Short Message Service (SMS) and SNMP
- Granular role-based administration, ideally with predefined roles and the capability to customize and add or remove options
- The ability to create different management GUI work-space views (for example, administrator or help desk view), with a user ability to adjust default views as a benefit
- Outbound or inbound mail-processing queue view to enable rapid troubleshooting of slowdowns, and a queue release option
- A task-based help function with recommendation settings for mail configuration options
- Optional vendor remote monitoring of appliance parameters (for example, CPU load, disk errors, fans or power supply)
- Simple “one click” software updates (with a rollback option in case things go wrong)
- Configuration backup and configuration preservation between upgrades
Administrators should look for reporting capabilities that are appropriate to their enterprises’ needs. Advanced tools may include:
- A real-time graphical and table-based dashboard with click-through, drill-down detail (using percentage-based metrics, not definitive totals)
- The ability to create custom reports (in HTML, XML and PDF output types), save them and schedule them for distribution
- The ability to create consolidated reports from multiple boxes
- The ability to report on the number of “spam/not-spam” selections that end users make to report false positives and false negatives
- A database that enables fast report queries and the ability to hold historic data for long-term storage in a standard format
- Group- and domain-based reporting limitations
- The capability to incorporate log or alert thresholds with security information management systems or other reporting systems
The degree of control given to end users will depend heavily on the enterprise’s policies. These controls – which may, at minimum, enable administrators to spend less time dealing with false positives and more time satisfying demands from the executive suite – may include:
- Language support, at least in the geographies where employees are working (double-byte character support remains rare)
- Active quarantine summary digests, with buttons and click boxes that enable the user to release e-mail, report false positives, add senders to allow-or-block lists and direct links to Web quarantine views
- Spam category threshold adjustments that enable users to set their own tolerances (for example, pornography or moneymaking); threshold adjustments are based on personal preference or job function
- Personal allow-and-block lists (comparable to the corporate allow-and-deny lists discussed above)
- Microsoft Outlook, Novell GroupWise or Lotus Notes client plug-ins (or, preferably, server-side capabilities) for reporting false positives and false negatives, and for blocking senders
- Search-and-sort options to enable users to find particular e-mails in large queues
- E-mail address (alias) consolidation into a single quarantine (rather than a separate quarantine for each address)
- Automatic out-of-office quarantine purge hold
- Multiple quarantines – that is, the capability to set up multiple, custom quarantines for outbound and inbound e-mail, or delegated quarantines – ideally in the form of a simple view filter on a centralized quarantine that enables virtually any quarantine to be set up
- Workflow capabilities for special compliance officer quarantine (for example, the ability to save multiple messages relating to an investigation, to annotate messages, modify disposition options or release with comments)
A secure e-mail gateway’s policy interface should be user-friendly and intuitive for nontechnical personnel.
Note 4: An enterprise’s policy interface – like its policies – should be chosen fundamentally to address the needs of the business. Excessively complex and technical policy interfaces and reporting will force the IT organization to interpret and implement business policy, increasing the workload and the potential for errors and miscommunication. A policy interface should be intuitive and usable by nontechnical business personnel (for example, human resources and legal staff). A good way to test the usability of an interface is to give such personnel an opportunity to test it.
- An easy-to-read, printable policy summary for audit purposes
- Reusable policy objects (for example, dictionaries, templates and disposition actions) to enable the creation of a scalable policy environment
- The ability to combine multiple Boolean operators and regular expressions
- The ability to run reports on hit rates for each policy and to prioritize policy execution
- Numerous predefined disposition actions (for example, quarantine, alert, append disclaimer, alert sender, alert recipient, log, delete, allow, self-authorize, append subject line and add x-header), as well as the ability to create new disposition actions
- The ability to have multiple, outgoing disclaimers for specific groups or users
- Near-instantaneous policy implementation that doesn’t require a reboot
DLP (Data Loss Prevention)
The ability to monitor and manage potentially inappropriate e-mail traffic, and to prevent the loss of sensitive data (inadvertently or through deliberate misuse of systems), is an increasingly important concern for enterprises. The functions and functional capabilities that may help in this effort include:
- Large, predefined dictionaries and lexicons (for example, lists of racist or sexist terms, obscenities or terminology that’s specific to healthcare, financial or other high-risk areas)
- Dictionaries that assign weightings to specific words, wild-card operators and case-sensitivity/insensitivity indicators
- Predefined number templates (for example, credit card numbers) and the ability to create enterprise-specific number templates (for example, customer IDs)
- “Smart” number identifiers (for example, the ability to recognize that “999 999 999” isn’t a valid credit card number)
- The ability to search for registered data (for example, database data) or specific files by name, hash marks or watermarks, and to detect partial-file-content matches
- The ability to “deep inspect” a large number of file types for content matches
- Support for channels other than e-mail, such as instant messaging (IM) and other Web or network communication protocols
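The “predefined number templates” and “smart number identifiers” from the list above, as an added example that is not code from the original article or from any DLP product. The credit-card template combines a digit-pattern with length, repeated-digit and Luhn checks so that a string like “999 999 999” or a random 16-digit order number is not reported; the customer-ID template and the sample message body are constructed.

```python
import re


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_ok(digits):
    """'Smart' plausibility test: card length, not a single repeated digit, Luhn-valid."""
    return 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits)


# Template = (pattern, validator or None). The customer-ID format is constructed.
TEMPLATES = {
    "credit-card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), card_ok),
    "customer-id": (re.compile(r"\bCUST-\d{7}\b"), None),
}


def scan(text):
    """Return (template, matched text) for every hit that passes its validator."""
    hits = []
    for name, (pattern, validator) in TEMPLATES.items():
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if validator is None or validator(digits):
                hits.append((name, match.group()))
    return hits


# Constructed outbound message body; 4012 8888 8888 1881 is a published test card number.
SAMPLE_BODY = (
    "Please charge card 4012 8888 8888 1881 for order 1234 5678 9012 3456 "
    "(ref CUST-0012345). Old ticket 999 999 999 can be closed."
)
```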
Secure e-mail gateways typically include some type of encryption – most often opportunistic server-to-server Transport Layer Security (TLS) encryption – as a standard feature. Multiple encryption options (for example, Secure/Multipurpose Internet Mail Extensions (S/MIME), OpenPGP or Web-based push-pull) are more-advanced offerings and usually cost extra, but they offer the ability to protect enterprise investments by adding encryption to the infrastructure. Specific capabilities and issues to consider include:
- Integrated on-box capability with a dedicated box option for larger deployments
- Solutions that don’t include an embedded solution should integrate well with best-of-breed players
- Integrated logs that include encryption status on message tracing
- The potential benefits of dealing with a single vendor, rather than multiple vendors
The form factor of a secure e-mail gateway will depend on the enterprise’s technical resources and business needs. The four basic choices are:
- Service offering (multi-tenancy or hosted)
- “Bare metal” software (software plus operating system)
- Virtual appliance (for example, VMware)
We expect to see hybrid solutions emerging by 2009. These will include an on-premises appliance and an “in the cloud” (hosted) service, with a single management interface and the ability to seamlessly migrate specific functions, or the complete solution, from one to the other as needs change.
Integration with Other Solutions
Integration with other components of the e-mail and messaging infrastructure, although not critical, may offer significant, strategic benefits by reducing management complexity, lowering TCO and providing better protection for the enterprise’s overall infrastructure investment. The components with which integration may be desirable include:
- Web gateways
- DLP solutions
- IM hygiene functionality
- Archiving systems
Service and Support
These are essential concerns for secure e-mail gateways, just as they are for any business-critical technology. Capabilities to consider include:
- Dedicated support resources or direct access to Level 2 support
- Evidence of extended tenure of the support staff
- Vendor willingness to agree to high service-level agreements (SLAs) for call-back and e-mail support
- Support resources, including user forums, best-practice guidance and white papers
- Installation assistance and training
Condensed from a whitepaper by BoxSentry – http://www.boxsentry.com