Email security remains a threat

Email security could be the single biggest issue facing enterprise security professionals. Its importance for communication, its attractiveness to criminals and its sheer volume are all contributory factors. Additionally, the sector is one of the most densely populated areas in the IT security market, due to its maturity and business relevance. SC takes a look at the products and managed services aimed at keeping the corporate inbox clean.

The battleground to secure email has seen a huge amount of development. From using signature-based technology to prevent the script-kiddie worms and related malware of ten years ago, through to battling blended threats and targeted phishing attacks using DLP and encryption today, the field of technologies and products is vast.

Spam
One of the biggest threats if judged by volume, spam accounts for around 96.5 per cent of all business email (according to research from Sophos), or 200 billion messages a day (Cisco) and can cause a range of severe issues for enterprises, ranging from simply drowning out legitimate communications, to Trojan infection through socially-targeted phishing attacks. Solutions can be either software- or hardware-based, and hosted either on the network or the endpoint, depending on the size of the organisation.

Some products attempt to cover all bases, such as MailMarshal SMTP from Marshal8e6, which claims to filter all incoming and outgoing email at the gateway and blocks spam, malware, spyware, DoS attacks and phishing. MailMarshal SMTP can be deployed as software, an appliance or SaaS, according to Marshal8e6, and is used to provide deep content inspection of incoming and outgoing email traffic and to enforce acceptable email use policies. Marshal8e6 says its product is used by half of UK police forces and more than 40 per cent of global Fortune 500 companies.

Malware
Until relatively recently, email was the most popular way to spread malware; and even though web has overtaken email as the top attack vector, scanning incoming mail for unwanted malware attachments is a basic essential.

Anti-virus vendors have been offering signature-based products to battle this for some time, initially fairly successful.

Attackers moved on rapidly from the old .exe attachment, first hiding executable code in standard Office formats, such as Word and Excel, and more recently PDF files, to take advantage of Adobe vulnerabilities. As anti-virus (AV) companies began to scan all attachments more carefully, attackers began to use web links to malware, often in a layered attack, where the first link would install a dropper, that would then open an encrypted channel and download the malware. In reply, as the sophistication of malware writers has increased, AV companies have augmented their products with heuristic and behavioural detection.

Cloud-based filtering
Increasingly, enterprises are opting for cloud-based spam filters, removing an intensive strain from internal IT resources. This also provides a green aspect, by reducing the corporate data centre's energy and physical footprint, so cutting power, cooling and operational expenses. Additionally, cloud-based services are far more rapidly scalable, so can deal with sudden fluctuations in volume more seamlessly.

For example, Cisco's IronPort Hosted Email Security provides a dedicated email infrastructure hosted in a network of Cisco data centres. Customers retain control of hosted devices with co-managed device access and can access real-time reports and modify configurations without service ticket response delays, according to the vendor.

Proofpoint Shield is another example, a cloud-based service that reduces by a claimed 80 to 90 per cent the volume of inbound email that must be processed by on-premises email security gateways. The company claims it can be deployed in minutes in front of any on-premises email security appliance, including solutions from Cisco (IronPort), McAfee (Secure Computing/CipherTrust), Symantec, Trend Micro and Tumbleweed.

Proofpoint says that after processing, the remaining messages are delivered to the customer's on-premises email security gateway, which can apply additional features. Administrators retain full control of routing, policy, reporting and end-user functions delivered by their existing on-premises gateway.

Even Google has attempted to move into this market, launching a Message Security product, a cloud-based service based on Postini technology.

Encryption
Once the preserve of secretive government agencies, strong encryption has now firmly entered the corporate mainstream as a method of protecting data at rest - especially stored customer data and emails. Increasing media interest in data breaches has raised awareness of the necessity of encryption, a de facto standard in the US, due to disclosure laws. Recent European and UK regulation also requires many sectors, such as financial services, to store customer communications for several years - a potential problem if such data were unencrypted. These pressures have produced a huge expansion in email encryption products, both for storage and for PKI-based communication architectures.

One example is PGP's Desktop Email, a transparent email encryption solution using open standards. The desktop software can be deployed by the PGP Universal Server, which takes care of key management, policy and software updates and supports the two global email encryption standards, OpenPGP and S/MIME, automatically discovering keys and certificates, says PGP.

Old favourites such as PGP's have come under increasing attack from competitors, such as Trend Micro Email Encryption, developed by cryptographers at the University of Bristol. It uses identity-based encryption (IBE) to avoid the pre-registration and certificate management of earlier Public Key Infrastructure (PKI) technology. Encrypted content is simply pushed from senders to recipients.

PineApp offers another centralised mail encryption solution, which can be integrated with its Mail-SeCure appliance that provides perimeter security and anti-spam, anti-virus, content filtering and email management tools. The encryption product is designed to protect only sensitive content, so system administrators can define rules that determine what gets encrypted, for example all email coming into or leaving the legal department. Once configured, the encryption process is automatic, although recipients need to register with the system.

Other standalone products for the SME market include Steganos, whose latest standalone software suite comes with mailbox encryption.

Data loss prevention (DLP)
After encryption, the latest hot topic is data loss prevention (DLP). Similar market drivers have spurred corporate interest, and the huge fraud at Société Générale last year - when a rogue trader separated the French bank from £3.7bn - has drawn attention to the importance of DLP strategies and technology.

One recent launch has been InterGuard's Datalock desktop product, which screens all email, email attachments and removable media for types of data rather than proscribed documents. This has a significant advantage over traditional document "fingerprinting" methods, which depend on the compilation and availability of a list of an organisation's highly sensitive documents.

Mobile
Once a novelty sideline, mobile email has been business-critical for some time, and products to secure access and content are readily available. Many AV companies offer handset-based endpoint clients with centralised management to prevent attacks on email content and corporate address books. F-Secure, Sophos and McAfee all offer AV clients for Symbian and Windows.

However, the popularity of the iPhone and BlackBerry as business tools has changed the game. BlackBerry claims its Enterprise Solution has FIPS 140 validation and a Common Criteria certification, in addition to a Secure Information Technology (SIT) certificate from the Fraunhofer Institute. Apple has made few security claims on behalf of the iPhone, and experts are divided - many point to the higher penetration of Symbian and BlackBerry devices as a mitigating factor in the short term, as well as the lack of an SDK for the iPhone. However, various vulnerabilities have been widely reported to date.