Improving messaging security continues to be a moving target for many organizations and security administrators. To provide comprehensive protection, today’s messaging security solutions must cover three categories of threats: advanced spam and phishing, malware and viruses, and concentrated attacks on the messaging infrastructure. While some solutions protect against one or two of these categories, few fight against all three.
Today, the fight is more important than ever. Spam statistics are at their highest levels in history—in December 2007, Osterman Research said that more than 80 percent of all messages sent over the Internet were unsolicited. And phishing has created entirely new categories of identity theft. Even malware such as viruses and worms has grown—in 2007, also according to Osterman Research, 84 percent of companies said that their networks had been affected by malware introduced via email.
Beyond these numbers, there are other, larger potential pitfalls. Containment is one—once a virus makes it past the network perimeter, companies have a hard time slowing it down. Response time is another because spam, phishing, and email-borne malware are most often released in vast quantities over a relatively short period. Many corporations lack the ability to adapt quickly enough to the rapidly changing distribution and infiltration techniques of spammers and virus authors.
A six-pronged strategy
Until the advent of unified threat management (UTM), security solutions from most vendors had been focused on one or two specific problems. However, as threats have proliferated, even this centralized strategy fails to protect many networks across the board. Moving forward, perhaps the best solution to clamping down on messaging security is to use a perimeter UTM appliance that takes a multi-faceted approach. The very best of these solutions protect against problems in six key areas:
- Scanning IP reputation
- Pattern-based anti-spam
- White- and blacklists
- Signature-based antivirus
- Zero-hour outbreak protection
- Email intrusion prevention system software
Scanning the IP reputation of each message is the first line of defense. The best services check each email connection request against a comprehensive database of IP addresses to determine whether a sender is a legitimate correspondent or a sender of spam or malware. Once the software identifies a sender as undesirable, it drops the connection before a message is even accepted. The device refreshes its dynamic database of IP addresses regularly to ensure that IP addresses no longer exhibiting bad behavior are not blocked indefinitely.
Next, pattern-based anti-spam uses proprietary algorithms to create unique fingerprint-like signatures of email messages. When a message comes in, the technology calculates the message's pattern on the fly and checks it against this database of known email patterns. This approach provides content-agnostic protection and effectively blocks spam without looking at any of the actual message content. It also protects against spam that uses multiple languages, complex images, or slices of images.
Other measures offer additional protection. For instance, white- and blacklisting enable administrators to create a list of IP addresses or domains that they want to block or allow. This provides an added layer of granularity and ensures that trusted sources are explicitly allowed and unwanted sources are explicitly denied access. Signature-based antivirus scans POP3, SMTP, and IMAP email protocols to block a wide range of virus and malware attacks that can be recognized by their signatures.
The fifth line of defense is zero-hour outbreak protection, which helps protect networks before signatures are actually available. By globally analyzing large numbers of messages, this technology identifies outbreaks along with their corresponding messages. The software then flags the message patterns as malicious, providing the most up-to-date information about a given attack. With this information, outbreaks usually are blocked within approximately 0.5 to 2 seconds.
Finally, with email intrusion prevention system (IPS) software, companies can implement signature-based defenses at the network perimeter to stop attacks targeting the messaging infrastructure. These include attacks that aim to access the protected network, those that attempt to bring down a piece of the messaging server, and attacks that try to utilize the messaging infrastructure as a resource for launching new invasions, such as DDoS attacks.
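To make the first three layers concrete, here is an added toy model (not Check Point's code or algorithm): an IP reputation lookup whose listings expire unless refreshed, a content-agnostic "shape" fingerprint compared by Jaccard similarity against known patterns, and administrator allow/deny lists that, as an assumption of this model, override the automatic verdicts. All addresses, lists and messages are constructed sample data.

```python
import hashlib, re

REPUTATION_TTL = 86400  # seconds a listing stays valid without a refresh from the feed

def reputation_verdict(ip, db, now):
    """Layer 1: refuse a listed sender at connect time; a stale entry counts as unknown."""
    entry = db.get(ip)  # (is_bad, last_seen_epoch)
    if entry is None or now - entry[1] > REPUTATION_TTL:
        return "unknown"
    return "bad" if entry[0] else "good"

def skeleton(body):
    """Map tokens to shape classes (URL, number, word-length bucket), ignoring the words."""
    return ["U" if re.match(r"https?://", t) else "N" if t.isdigit()
            else "W%d" % min(len(t) // 3, 4) for t in body.split()]

def fingerprint(body, k=3):
    """Layer 2: hashed k-shingles of the skeleton are the content-agnostic signature."""
    toks = skeleton(body)
    shingles = {" ".join(toks[i:i + k]) for i in range(max(1, len(toks) - k + 1))}
    return {hashlib.sha1(s.encode()).hexdigest()[:10] for s in shingles}

def pattern_match(body, known, threshold=0.6):
    """Name the first known pattern whose Jaccard similarity reaches the threshold."""
    fp = fingerprint(body)
    for name, kfp in known.items():
        if len(fp & kfp) / len(fp | kfp) >= threshold:
            return name
    return None

def filter_message(ip, domain, body, db, allow, deny, known, now):
    """Run the layers; admin lists (layer 3) override automatic verdicts (an assumption here)."""
    if ip in deny or domain in deny:
        return ("reject", "denylisted")
    if ip in allow or domain in allow:
        return ("accept", "allowlisted")
    if reputation_verdict(ip, db, now) == "bad":
        return ("reject", "ip-reputation")  # dropped before the message body is accepted
    hit = pattern_match(body, known)
    return ("reject", "pattern:" + hit) if hit else ("accept", "clean")

NOW = 1_700_000_000.0  # constructed sample data below: documentation IP ranges, not real indicators
REP_DB = {"203.0.113.5": (True, NOW - 60), "198.51.100.7": (True, NOW - 3 * 86400)}
ALLOW, DENY = {"partner.example"}, {"192.0.2.9"}
SPAM_SEED = "Buy cheap pills now at http://example.invalid/offer only 19 dollars"
KNOWN = {"pill-offer": fingerprint(SPAM_SEED)}
```

The second reputation entry is three days old, so it has expired and that sender is judged on message shape alone; a spam variant with different words but the same token structure still matches the stored pattern.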
The Check Point approach
Taken as a whole, this six-pronged strategy blocks more than 97 percent of spam. It also stops both known and unknown malware and protects a company's messaging infrastructure from a wide range of attacks. The strategy is the centerpiece of the new UTM-1 Total Security appliances from Check Point Software. These integrated appliances provide firewall, VPN, IPS, antivirus, and messaging security, delivering comprehensive network protection in a single, easy-to-manage platform.
Specifically, UTM-1 Total Security appliances are equipped to analyze repeating patterns in email to identify massive outbreaks. The tools also offer highly accurate real-time outbreak analysis and automatically block spam and malware attacks without the need for human intervention or waiting for user feedback. With the moving target of messaging security, this kind of flexible and scalable approach is the best defense yet.