Tackling the New Challenges of Email Security By Rich Mogull, Securosis L.L.C.
Sure, email is the single most important communications tool of any company, and we've had years to manage its various security risks, but it turns out some relatively recent changes in both how we use email, and how the bad guys leverage it, make it worth rethinking our email security strategies. You've probably heard this all before, but I think it's worth a hype-free look at two of the latest trends in email security.
The most effective attacks these days are no longer focused on the network, but on your Web applications and what the attackers call clientside exploits. Clientside attacks take advantage of vulnerabilities in the applications used most commonly on your desktops and laptops — email and Web browsing. Since we've gotten pretty good at blocking standard old viruses via email, recent attack methods focus on tricking users into opening infected documents your antivirus might miss, or tricking them into clicking malicious Web links.
These techniques are so effective since attackers will customize the emails for your individual organization (if you are a target) and even the individual user. They also take advantage of serious security vulnerabilities in standard office documents such as Adobe PDF files; not requiring the user to download actual executable applications. Some of the malicious software is even designed specifically for your organization, making it less likely any signature-based antivirus will stop it.
From an email security standpoint we now use a variety of techniques that are quite a bit better at reducing these attacks (but it's pretty impossible to completely stop them). One of the most promising technologies, which we see in antivirus tools as well as email and Web gateways, is "reputation filtering". Rather than relying completely on known signatures, or unreliable endpoint heuristics, reputation filters combine the collective knowledge of everyone using the security solution and analyze all inbound messages and Web links. Ones that originate (or direct) to untrusted sources are blocked before ever hitting the user.
These work because high level SPAM patterns, monitored across many organizations and networks, turn out to be fairly reliable indicators of malicious activity. Combine this with the old-school signature scanning, the vendor's research team, and traditional SPAM filtering and it results in a system that does a reasonable job of identifying patterns early.
Reducing Data Leaks
Even though the biggest security breaches in the press are rarely the result of email leaks, we find that keeping an eye on outbound employee communications (while still respecting their privacy) reduces a lot of the day-to-day risks and compliance headaches.
If you've ever read any of my research you know I've long been a fan of Data Loss Prevention (DLP) and its advanced deep content analysis techniques. DLP allows us to build far more effective rules than simple keyword filtering or pattern matching; those that account for business process and experience low false positive rates.
Email tends to be the first place where most organizations deploy DLP and there are a few tricks to having a successful deployment:
- Make sure you have an enforcement work flow to handle any major incidents before you deploy DLP. The odds are very high you'll find some major issues early on that will quickly involve legal and human resources.
- Start with a single policy, test, and tune it, then expand over time. Depending on what you are looking for even with low false positives you will likely see a lot of policy violations until you retrain user habits.
- If you leverage cloud-based email security you have two options for DLP. Either your cloud provider needs to include it with their service, or you need to scan all emails on your own network before it heads to the cloud. Check your email architecture and if DLP is something you think you want, I highly suggest planning for it even if you aren't implementing immediately.
Finally, don't forget that a large proportion of your user's email might never hit your email server... or even be email. With the continuing proliferation of Web-based email and social networking you might also consider content-based filtering for Web communications. By taking a content focus you can still allow users to leverage these services while reducing your risks (at least when they are on corporate systems and networks). And don't forget to pick something that can scan SSL-encrypted sessions, even if it means a little work configuring your endpoints so users don't constantly see certificate alerts.
Rich has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team.
The content featured in the Industry Analyst Corner is the sole representation of the author, independent of Websense, Inc.