IronPort Email Security Products
PROTECTING OVER 350 MILLION EMAIL BOXES WORLDWIDE
Mirko Schneider, IronPort Systems
Soft-Tronik Security Day, Bratislava June 6th 2007
“I need to say that the appliance is the best system that I’ve been testing for our magazine since 2003. I need to find a way to bring it out objectively. Otherwise nobody will believe me...”
(an editor of a German IT magazine, Feb 2006)
Who is IronPort?
• Founded in 2000 by email pioneers from Hotmail, ListBot, Yahoo
• idea: building the fastest and strongest gateway appliance
• based in USA, California, Silicon Valley
• Investors:
– General Motors, Chevron-Texaco, NTT, Menlo Ventures, Allegis Capital
– raised over 90 million USD
• Worldwide 500+ employees
• 75 in Europe (UK, Germany, Sweden, France, Spain, Italy)
• revenue 2005: ~ 70m USD, 2006: ~125m USD
• With Soft-Tronik in CZ/SK since 2006
Hot News: CISCO acquires IronPort
The Principles of Industry Leadership
• Analyst Leadership
– Recognized as the leader by Gartner, Meta, Radicati, IDC, Forrester, Bloor
• Customer Leadership
– 52 of the World’s Largest 100 Companies
– 20+% of Global 2000
– 12 of the 15 largest ISPs
• Technology Leadership
– First with custom, high performance MTA
– First with Reputation Filtering
– First with Virus Outbreak Filters
• Global Leadership
– Operations in 35 countries, 600+ partners
– IronPort infrastructure currently operating in 75+ countries
Success in Czech Republic
Czech News Agency (ČTK)
- customer since December 2006
- a case study available soon!
Air Navigation Services (RLP)
- customer since March 2007
E.ON Czech Republic
- customer since December 2006
UPC Czech Republic
- customer since December 2006
EZPADA Czech Republic
- customer since December 2006
IronPort: Technology Leadership
Magic Quadrant for E-Mail Security Boundary 2006
Source: Gartner RAS Core Research
You need that competitive analysis?
Mail me at [email protected]!
IronPort gets stronger!
After PostX acquisition announcement Nov 06:
• “Regard this acquisition as a positive enhancement that improves IronPort's competitive position...”
• “However, consider switching to IronPort at the next technology "refresh" to reduce administration overhead and costs...”
After CISCO acquisition announcement Jan 07:
• “Place Cisco/IronPort at the top of your shortlists...”
IronPort Gateway Security Products
[Diagram: Internet; EMAIL Security Appliance; WEB Security Appliance; Security MANAGEMENT Appliance; IronPort SenderBase]
IronPort Email Security Appliances
• High Performance Email Security Appliances Stopping Spam, Viruses, and Enforcing Compliance
• Models: IronPort C100, IronPort C350/C650, IronPort X1050
Product Consolidation at the Network Perimeter
For Security, Reliability and Lower Maintenance
[Diagram, Before IronPort: Internet, Firewall, MTAs (Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing), Groupware, Users]
[Diagram, After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users]
IronPort Architecture for Multi-Layered Email Security
MANAGEMENT TOOLS
THE IRONPORT ASYNCOS™ EMAIL PLATFORM
SPAM DEFENSE
POLICY ENFORCEMENT
VIRUS DEFENSE
EMAIL AUTHENTICATION
IronPort AsyncOS™
Unmatched Scalability and Security
• AsyncOS scalable and secure OS optimized for messaging
• Advanced Email Controls protect reputation and downstream systems
• Standards-based Integration replaces legacy systems with ease
IronPort AsyncOS™
Revolutionary Email Platform
Traditional Email Gateways And Other Appliances:
• 200 Incoming/Outgoing Connections
• Low Performance/DoS Potential
• Single Queue For all Destinations
• Queue Backup Delays All Mail
IronPort Email Security Appliance:
• 10,000 Incoming/Outgoing Connections
• High Performance/Sure Delivery
• Per-Destination Queues
• Fault-Tolerance and Custom Control
Advanced Email Controls
Only Available from IronPort
• Safeguard Your Reputation
• Send Different Types of Mail Via Separate IPs
• IronPort Patent Pending Technology
• Protect Your Groupware Servers
• Rate Limit Mail Sent Per Destination
• Enforce TLS Encryption Per-Destination
[Diagram labels: Virtual Gateway™ Technology (Internet; IPs 163.24.127.3, 163.24.127.4, 163.24.127.5; New Company; Bounces); Destination Controls]
Multi-layer Spam Defense
Best of Breed
• IronPort Reputation Filters – the outer layer defense
• IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud
Spam volumes grow
[Chart: Average Daily Spam Volume (billions msgs), Oct 05 to Oct 06: +110%]
Image Spam Explodes
[Chart: % Spam with an Embedded Image, Oct 05 to Oct 06: +421%]
Spam Gets Sneakier – Image Spam!
1. “Polka dots” 2. “Slice & Dice”
“ASCII Art” Based Spam
• uses a series of numbers to spell out a stock symbol
• numbers randomized in different order for each email to evade signatures
• similar to image spam in that there are no actual words in the email for anti-spam engines to key on
New Spam Attacks
Spam Techniques Even More Difficult to Combat
Image Spam 2.0
• Attempts to mask itself as a legitimate picture by adding a “greeting card”-like border
• Inserts shapes such as rectangles and pies to spoof PowerPoint / Excel charts
• Wavy text more difficult for OCR technologies to decipher
Multi-Layered Security
Preventive + Reactive = Defense in Depth
Preventive Layer (blocks ~80% of spam):
• Immediate Reaction to Threats
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits
Reactive Layer:
• Adapts Over Time
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine
IronPort SenderBase® Network
Global Reach Yields Benchmark Accuracy
• 5B+ queries daily
• 150+ Email and Web parameters
• 25% of the World’s Email Traffic
The Dominant Force in Global Email and Web Traffic Monitoring…
…Results in Accuracy and Advanced Protection
• Spam Caught by Reputation: IronPort 80%, CipherTrust 50%, BorderWare 40% (Source: www.ciphertrust.com and www.borderware.com, August 6, 2006)
• Network Reach (Contributing Networks): IronPort 120,000, CipherTrust 4,000, BorderWare 8,000
• Virus Protection Lead: IronPort 13 hours* (McAfee, Trend, Symantec, Sophos, CA, F-Secure)
* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.
IronPort SenderBase®
Data Makes the Difference
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data
150 Parameters
SenderBase Data
Data Analysis/Security Modeling
SenderBase Reputation Scores: -10 to +10
Threat Prevention in Realtime
A Broad Data Set Drives Accuracy
IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is deleted/tagged
• Reputation Filters is a switch point
• IronPort uses identity & reputation to apply policy
• Sophisticated response to sophisticated threats
[Diagram: Incoming Mail (Good, Bad, and “Grey” or Unknown Email); Reputation Filtering (preventive); Anti-Spam Engine (reactive)]
Reputation-Based Filtering: A Powerful Technique
• Beyond blacklisting—a granular view of behavior
• Scores calculated in real-time
• Pre-configured policies applied dynamically
IronPort Reputation Filters
Dell Case Study
• Dell’s challenge:
– Dell currently receives 26M messages per day
– Only 1.5M are legitimate messages
– 68 existing gateways running Spam Assassin were not accurate
• IronPort solution:
– Reputation Filters block over 19M messages per day
– 5.5M messages per day scanned by anti-spam engine
– Replaced 68 servers with 8 IronPort C60s
• Accuracy of spam filtering increased 10x
• Servers consolidated by 70%
• Operating costs reduced by 75%
“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
IronPort AntiSpam Broadens the Context with Web Reputation
• Content filtering techniques alone are inadequate
• Email reputation systems improved protection
• Combating new attacks demands Web reputation
[Chart: axes Time and Effectiveness, marked TODAY]
• Where? Web Reputation: Where does the call to action take you?
• Who? Email Reputation: Who is sending you this message?
• How? Message Structure: How was this message constructed?
• What? Message Content: What content is included in this message?
URL: No attachment - Payload delivered via web
Web Reputation Data Makes the Difference
• URL Blacklists
• URL Whitelists
• URL Categorization Data
• HTML Content Data
• URL Behavior
• Global Volume Data
• Domain Registrar Information
• Dynamic IP Addresses
• Compromised Host Lists
• Web Crawler Data
• Network Owners
• Known Threats URLs
• Offline data (F500, G2000…)
• Web Site History
Parameters
SenderBase Data
Data Analysis/Security Modeling
Web Reputation Scores (WBRS): -10 to +10
THREAT PREVENTION IN REALTIME
IronPort Anti-Spam Customer Leadership
Trusted Throughout the World
Installed in over 20% of Fortune 100 Companies
Deployed at over 2,000 customers in over 40 countries
IronPort Anti-Spam
Press Reviews
2007 Technology of the Year: Best Anti-Spam
Jan 2007
Competitors tested: Symantec, Microsoft, Mirapoint, ProofPoint
“easy setup”
“excellent spam filtering”
“no tuning necessary”
“the fewest false positives of any solution tested”
Anti-Spam Bake-Off Winner
Dec 2006
Competitors tested: CipherTrust, Borderware, Sophos, SonicWall
“The superiority of IronPort . . . seems abundantly clear”
“We did not have to rescue a single legitimate message”
“(IronPort) is the absolute must from this test”
Multi-layer Virus Defense
Best of Breed
• IronPort Virus Outbreak Filters stop outbreaks 13 hours ahead of signatures
• Sophos Anti-Virus signature based solution with industry leading accuracy
IronPort Virus Outbreak Filters™
First Line of Defense
Early Protection with IronPort Virus Outbreak Filters
Traditional AV Solutions Aren’t Responding Quickly Enough . . .
[Charts: Virus Volume vs. Time (GMT), each marking “First AV Signature Available”: Mytob-HJ (4-19-06), Kukudro-A (6-27-06), Bagle-GT (4-21-06), FeebsDI-Q (6-07-06)]
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
IronPort SenderBase® Network
First, Biggest, Best Reputation System
• Over 100,000 contributing networks
• Over 20M IP addresses tracked globally
• View into over 25% of email traffic
• Over 150 parameters tracked
Global Email and Web Traffic Monitoring
What is going on RIGHT NOW?
Introducing Virus Outbreak Filters
[Charts: Virus Volume vs. Time (GMT), each marking “VOF Protection Starts” and “First AV Signature Available”]
• Mytob-HJ: 32 hrs 57 mins Lead Time!
• Kukudro-A: 3 hrs 38 mins Lead Time!
• FeebsDI-Q: 21 hrs 59 mins Lead Time!
• Bagle-GT: 18 hrs 28 mins Lead Time!
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
How IronPort Virus Outbreak Filters Work
Dynamic Quarantine In Action
T = 0
– zip (exe) files
T = 5 mins
– zip (exe) files
– Size 50 to 55 KB
T = 10 mins
– zip (exe) files
– Size 50 to 55 KB
– “Price” in the file name
T = 8 hours
– Release messages if signature update is in place
Messages Scanned & Deleted
[Diagram labels: preventive protection; reactive protection]
IronPort Virus Outbreak Filters Advantage
• Average lead time*: over 13 hours
• Outbreaks blocked*: 175 outbreaks
• Total incremental protection*: over 94 days
* June 2005 – July 2006.
Virus Name | Date | Virus Description | Lead Time (hh:mm)
Kukudro-A | 6/27/06 | Virus that spreads via zipped word document. | 3:38
Feebs.AG | 6/21/06 | Arrives as an email attachment claiming to be sent via “Protected E-Mail service”. | 17:46
Troj/Stinx-W | 6/15/06 | IRC backdoor Trojan. | 11:12
Yabe.G | 5/16/06 | Trojan that attempts to download further malicious code. | 13:09
Bagle-GT | 4/21/06 | Installs backdoor and communicates via HTTP, thus bypassing firewall filters. | 18:28
Mytob-HJ | 4/19/06 | Turns off anti-virus applications of infected PC to avoid detection. | 32:57
Nyxem-D (Kama Sutra) | 1/16/06 | Deletes most documents on third day of every month. | 1:27
Looksky.G | 1/6/06 | Installs keystroke loggers onto infected PCs. | 35:40
*June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
MyDoom Variant—MyDoom.BB (February 15, 2005)
G2000 Company Protected By IronPort’s Virus Outbreak Filters
[Timeline chart: February 15, 2005 to February 16, 2005. Note: All times shown are in GMT]
• IronPort Threat Level Raised to 3 And Protection Starts: 18:08 GMT
• First Anti-virus Signature Published: 22:54 GMT (Next Day)
• 28 hours 46 minutes
• 6503 files quarantined
IronPort Outbreak Filters Protect G2000 Company From MyDoom.BB
$65K saved @ $200/desktop, 5% infected
IronPort Policy Enforcement
Inbound/Outbound Content Filtering for Compliance
• Flexible Policy Engine from Blocking Attachments to Enforcing Regulatory Compliance
• Compliance Solutions and Encryption keep communications private and secure
Flexible Policy Engine
From Blocking Attachments to Enforcing Compliance
• Graphical Representation of Per-Recipient Policies
• LDAP Integration Reduces Need for Repetitive Modifications
• Customizable Notification Templates
• Robust Conditions and Actions
Email Compliance Solutions
Next Generation Compliance Filters
• Pre-Packaged Policies and Lexicons for Common Regulations
• Multi-Category Pattern Matching Significantly Reduces False Positives
• High Performance TLS Encryption Configured Keeps Business Communications Private
[Figure: PRE-PACKAGED LEXICONS]
Hot news: Teaming Up To Fix Email
IronPort Acquires PostX
Global Reach And Innovative Technology
• 8/10 of the world’s largest ISPs
• 42/100 of the world’s largest corporations
• 25% of the World’s Email Traffic
• 450 employees
The Dominant Force in Global Email and Web Security…
…Combined with the leader in Email Encryption
• #1 World’s Largest Bank
• #1 F500 Largest Insurance Company
• #1 World’s Largest Credit Card Company
• 60 employees
Encryption References
Email Authentication
Superior Security and Identity Protection
• DomainKey Signing – establishes and protects your identity on the Internet
• IronPort Bounce Verification – protects from misdirected bounce attacks
• Directory Harvest Attack Prevention – blocks attempts to steal email directory information
The Misdirected Bounce Threat
Makes Up 9% of all Internet Email*
*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM “BOUNCE” MESSAGES ARE COMPROMISING NETWORKS, April 2006.
• Misdirected Bounces Not Discernible From Legitimate Bounces
• End User Confusion: “Why did I receive this message?”
[Diagram labels: “Zombies”; Recipients / Sender: [email protected],[email protected]; Incoming Gateway; yourcompany.com; Outgoing Gateway; RETURN TO SENDER; Millions of Misdirected Bounces]
More than 55% of F500s have experienced disruption of service or a total denial of service due to misdirected bounces
IronPort Bounce Verification™
Protects Against Misdirected Bounce Attacks
• All Outgoing Mail Stamped Allowing Legitimate Bounces to be Identified on Return
• Transparent to End Users, No Industry Adoption Required
• Eliminates Help Desk Calls and End User Confusion
• Another IronPort Technical “First”
Management for the Largest Enterprises
• Email Security Manager – unified policy management
• Email Security Monitor – enterprise-class reporting system
• Management Interfaces – simple integration and increased productivity
IronPort Email Security Manager™
Single view of policies for the entire organization
• Mark and Deliver Spam
• Delete Executables
• Archive all mail
• Virus Outbreak Filters disabled for .doc files
• Allow all media files
• Quarantine executables
“Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” -- PC Magazine 2/22/05
Categories: by Domain, Username, or LDAP
[Diagram labels: IT, SALES, LEGAL]
IronPort Centralized Management
• Log in anywhere, control everywhere
• Interface assures configuration consistency
• Apply changes to a machine, group, or cluster
• Test on single system, “promote” to cluster
IRONPORT CLUSTER
• Bratislava Group: SJ1 Machine, SJ2 Machine, SJ3 Machine
• Prague Group: D1 Machine, D2 Machine, D3 Machine
• Berlin Group: T1 Machine, T2 Machine, T3 Machine
IronPort Email Security Monitor™
Advanced Reporting System
• Search by Domain
• CSV Export
• Scheduled Delivery
• Integrated Real-Time Graphical Reports
System Monitoring
Easy Integration with Existing Processes
Alert Center
• Alert Subscriptions per Admin
• Distinct Areas of Management
SNMP
• Exclusive IronPort MIB
• Integrates with any SNMP-compatible tools
Log Subscriptions
• 20+ Log Types Supported
• Transfer via FTP, SCP, Syslog
IronPort Evaluation Policy
• Free evaluation for 30 days
– starts with activation of keys on unit
– can be extended on request
• any size and any way
– you get the right unit for your individual needs
– different ways of testing (live/stealth, parallel, offline)
– full support, full functionality
• About 85% of users who evaluate become happy customers!
Get In Contact
Mirko Schneider
Channel Manager, Eastern Europe & Russia
IronPort Systems
Munich / Germany
Tel: +49 - 89 - 45 22 27 32
Fax: +49 - 89 - 45 22 27 10
Mobile: +49 - 172 - 83 96 04 7
Web: www.ironport.com
Email: [email protected]