Just a quick note about recent news reports (such as PCWorld, "Huge Spamming Botnet Injured but Still Alive" and InfoWorld, "What it Takes to Shut Down a Botnet") about efforts to curtail the activities of the so-called Pushdo or Cutwail botnet. This network of compromised computers is suspected of being one of the largest sources of spam and malware-infected email (see the coverage I mentioned previously or this interesting study on that botnet, published by Trend Micro last year).
Late last week, security researchers contacted ISPs that were apparently hosting various command and control servers used by the botnet in an attempt to shut the network down (not unlike the original takedown of botnets hosted by rogue ISP McColo). Approximately 20 out of 30 of the C&C servers used by the Pushdo/Cutwail botnet were apparently cut off from the internet, possibly having a short-lived effect on overall spam volume.
As other vendors have seen, spam fighters in the Proofpoint Attack Response Center tell me that Proofpoint's own spamtraps (sometimes referred to as "honeypots") have not seen a volume decrease. They did note, however, that the volume pattern—the natural rises and falls in spam volume that accompany new spam campaigns—has been more "spiky", with bigger fluctuations between high and low volume than we are used to seeing. It's unclear if this behavior is at all related to activities around the Pushdo/Cutwail botnet.
As always, email volumes, especially those received by large enterprises, can fluctuate wildly. This is driven in part by general spam and malware sending activity, but also by attacks that target specific organizations, whether they are attempts at denial-of-service, directory harvest attacks, or targeted phishing attacks.
This ongoing unpredictability is one of the key reasons that many organizations have moved (or are looking at moving) their inbound email security protection to a SaaS model. The rationale is, "Why worry about properly scaling your email and email security infrastructure to meet worst case scenarios when the same type of protection and control is available 'in the cloud' at a much lower total cost-of-ownership?"
Financial services firm National Financial Partners has been a long-time user of Proofpoint's SaaS email archiving solution and, more recently, also deployed Proofpoint's SaaS solutions for inbound and outbound email security.
Dán Salomon, NFP's Senior Vice President of Technology, kindly took the time to speak with me about how his organization uses Proofpoint's SaaS solutions and why he feels that performing email archiving and email security functions "in the cloud" is more secure than taking an on-premises approach. Beyond the cost advantages of SaaS, Dán explains the other business drivers for adopting Software-as-a-Service in this video (recorded on location at Proofpoint's 2010 "Inner Circle" customer event in New York).
My thanks to Dán and NFP for his willingness to discuss his approach and for allowing us to share this interview here!
The anti-spam team over in the Proofpoint Attack Response Center shared some statistics with me about spam trends in Q2 (April through June) of 2010 that I thought I would relate here.
First, the spam team provided a breakdown of the top 10 spam-sending countries for Q2 and you can see a graphical view of that at right.
This data, compiled from spam messages that hit Proofpoint's spam "honeypots" (email addresses and email servers that attract and collect spam email messages), shows that the US was the top spam sending nation during the second quarter. Brazil and India took the #2 and #3 positions—unsurprisingly as the recently released Proofpoint/Commtouch Q2 Internet Threats Trend Report showed those two nations as the top hotspots for botnet infestation.
Another interesting trend observed during Q2 is that, in general, malicious email messages continued to become more difficult to detect—that is, spammers continued to innovate and use more complex obfuscation techniques. The percentage of messages containing an obvious spam URL destination, for example, fell by more than half. Similarly, image-based spam messages declined by more than a third and messages with virus-infected attachments fell by more than a quarter.
Since overall spam levels didn't decline during the quarter, what's taking the place of those easier-to-detect spam messages?
Proofpoint anti-spam engineer Scott Panzer tells me that "spoof" messages (the type commonly used in phishing attacks) have been generally on the rise and that Proofpoint's anti-spam technology catches these using more predictive approaches. (For a great deal of information on the unique, machine learning techniques that Proofpoint uses to stop spam, see our whitepaper about Proofpoint MLX.)
Proofpoint customers weren't affected by the increasing complexity of spam messages during the quarter, however, as Proofpoint's anti-spam effectiveness actually increased from an average of 99.93% during Q1 to 99.94% during Q2. As noted in Gartner's latest Magic Quadrant for Secure Email Gateways, Proofpoint is one of the few email security vendors that publicly publishes its ongoing anti-spam effectiveness. You can view Proofpoint's spam detection accuracy for the last 190 days by visiting:
Proofpoint exhibited recently at the 2010 Infosecurity Europe show, held in London, and as we did at the 2010 RSA conference, we conducted an electronic survey about email trends that 140 attendees (81% of them with IT, security or messaging titles and the balance with analyst/legal/compliance or non-IT titles) took the time to fill out.
Among the findings:
43% of respondents said they are "very concerned" about inadvertent leakage of private or personal information from their organizations via email. Fully half said they are "somewhat concerned" about this issue. Just 7% claim that they are "not concerned" about these sorts of data leaks.
That concern is well justified since nearly two-thirds (64%) of respondents said that their organizations are subject to data protection regulations that require certain types of email to be encrypted or handled with particular care, because they contain private or confidential email. Only 25% said their organizations were not subject to such data protection regulations.
In this short video, several attendees discuss the various regulations (such as the UK's Data Protection Act, PCI-DSS, etc.) that apply to their company's use of email:
The trend toward increasing the security around private data is something we've reported on quite frequently here in the blog and the growing awareness of data loss issues is reflected in some of our other survey findings. For example, 94% of respondents who have a corporate laptop said that it was password protected and more than half (58%) said that their corporate laptop used full disk encryption.
In addition, nearly half of respondents (49%) said their organization had already deployed an email encryption solution. Another 21% said that their organization intends to deploy an email encryption solution in the future.
On the topic of inbound email security, 40% of respondents said their organizations had been the target of a "spear phishing" attack in the past 12 months. That is, they were targeted by a phishing email designed specifically to compromise their own email users. (Our survey from RSA, where most respondents were US-based, found that nearly half of respondents believed their organizations had been the target of a spear phishing attack in the last 12 months.)
35% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 26% cited cost. 20% said that "ease of administration" was the most important factor. 8% cited available deployment method (e.g., SaaS vs. appliance) and 4% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.
Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (48% and 21%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:
17% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
9% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (As I mentioned in my post on RSA survey findings, I still fall into this camp!)
Just 2% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.
In the following video, attendees on the Infosecurity Europe show floor discuss their top email annoyances:
We've had a couple of recent reviews of Proofpoint's email security solutions and wanted to share them with you here.
First up, Proofpoint was reviewed in the March 2010 issue of SC Magazine (this review appeared in both the US and UK editions at different times) and we've licensed a reprint of that review, which you can download in PDF format at the following link:
Proofpoint scored a perfect 5-star review for features, performance, ease-of-use, documentation, support, value for money and overall rating.
Secondly (and I may have mentioned this previously), eWeek's David Strom took a close look at our SaaS-powered email encryption solution, Proofpoint Encryption, which turned into more of a full-featured review of our entire email security solution.
You can read that review online at eWeek at the following URL:
In that review, Strom points out many of the unique features of Proofpoint Encryption, the power of Proofpoint's email policy engine, DLP features and much more. Of our email security solution as a whole, he says, "The bottom line is that [Proofpoint] Protection Server is a worthwhile product (or service, if you purchase the Web version) that you may want to look at if your existing e-mail system is ready to be replaced."
Something I've been meaning to post for a while but hadn't had the chance... The latest Internet Threats Trend Report from Proofpoint and our partner Commtouch is now available.
As usual, this Q1 2010 version reviews the latest spam techniques, spam trends, spam topics and spam sources. Highlights in this latest edition include:
A SpamAssassin bug caused numerous false positives for users of open source email security...
The latest spam template techniques being used by spammers...
CNN redirect exploited to send work-at-home scam emails...
An analysis of how much spam comes from gmail.com...
Rises in spam, zombie trends, malware variants, the "hottest" spam topics... and much more.
Visit the following link to download a free copy of this email security report:
At Proofpoint's recent Inner Circle New York customer event I got a chance to talk with Thomas Wonica, director of information technology for Moelis & Company, an investment bank that specializes in mergers and acquisitions, restructurings and other strategic investments. Moelis uses Proofpoint's SaaS email archiving solution, Proofpoint ARCHIVE, as well as our Proofpoint ENTERPRISE email security solution.
In this video, Tom talks about how they use Proofpoint for archiving and eDiscovery to radically reduce the time it takes to find email during discovery events. He also talks about consolidating both archiving and email security with Proofpoint to simplify his organization's email environment.
Proofpoint CEO Gary Steele says, “We believe Proofpoint’s positioning in the leaders quadrant by Gartner is a great confirmation of our continued success in helping global enterprises take control of email risks. Our continued innovation and unique focus on email security, encryption, data loss prevention and email archiving—combined with the ability to deliver those solutions in all of the popular form factors including SaaS, appliance or hybrid deployments—makes Proofpoint the ideal choice for organizations that want to reduce costs while making email more secure, compliant and easier to manage.”
Writing in the “Magic Quadrant for Secure E-mail Gateways,” (previously known as the “Magic Quadrant for Email Security Boundaries”) Gartner analysts Peter Firstbrook and Eric Ouellet note that the email security market is “defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound e-mail threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers' data centers, or multitenancy SecaaS that exists in multiple data centers around the globe.”
Gartner also says that, “The e-mail security market is very mature. Targeted phishing detection, outbound e-mail inspection, encryption and delivery form factor are the major differentiators.”
If that darn volcano hasn't interfered with your travel plans and you're in London for this week's Infosecurity Europe 2010 show, do make sure you visit Proofpoint at stand L90 to learn about our latest SaaS solutions for email security, data loss prevention, email encryption and email archiving.
In an announcement we issued yesterday, Proofpoint introduced its Proofpoint 6.1 platform (which powers our flagship Proofpoint ENTERPRISE email security solution) to the European market. New features include multi-protocol (email and Web) DLP capabilities, a new data loss prevention dashboard, an Outlook plug-in for easier access to on-demand email encryption (via Proofpoint Encryption) and other security and performance enhancements. You can read all about it (in English) at the following URL:
That release is also available in French and German.
Now today, we've announced a new partnership with Titus Labs, a company that provides email classification and document classification solutions. I have to admit that, before we started working with Titus Labs, I didn't know much about issues such as email classification, protective markings and such, but it turns out that there are a wide variety of regulations that government organizations and other types of enterprises need to comply with that involve the proper classification and marking of both communications (such as email) and documents themselves.
Titus makes some really great solutions in this area and, as you might imagine, there are some terrific synergies between solutions like this and data loss prevention, email encryption and archiving. For example, our press release today describes a couple of use cases:
Titus Labs Message Classification and Document Classification products are widely used by government, military and commercial organizations to classify and protectively mark Microsoft Outlook messages and Office documents. Explicit visual labels and corresponding metadata properties that are applied to email messages and their attachments by Titus Labs solutions can automatically trigger a wide variety of policy enforcement, data loss prevention, encryption and archiving policies applied by Proofpoint solutions.
For example, using Proofpoint ENTERPRISE™ Privacy, protectively marked emails and documents can be automatically encrypted, blocked or quarantined for further review before transmission via email, depending upon what labels have been applied. Similarly, different data retention periods can be enforced based on the classification of a message or its attachments (using Proofpoint ARCHIVE™).
Applications include compliance with a wide variety of regulations including the UK’s GPMS (Government Protective Marking Scheme) and Data Protection Act, the Australian E-Protective Marking standard, ITAR (International Traffic in Arms Regulations), HIPAA and other healthcare privacy rules and GLBA, PCI-DSS and other financial data privacy regulations.
This is a really interesting new area and Titus Labs will be joining us for an upcoming webinar to explain how their solution works and the benefits of using email classification and email security technology together to better protect data.
When you visit Proofpoint's booth, you can also be entered to win an Apple iPad, just by taking our Infosecurity Europe email security trends survey. We have a couple of the new tablet computers on hand that you can use to take our short survey about email security trends in Europe and one lucky respondent will get to take one home!
At the risk of posting a blog entry that's nothing but links to other resources and commentary, several friends of the Proofpoint blog pointed out this article—about San Francisco area security startup eCert and the introduction of their "eCert Email Domain eCertification Service"—as something I might want to comment on:
In that article, Ben Worthen describes eCert's efforts to stop phishing and targeted attacks with a service that, "confirms that an email is from the company it says it's from." The timing for this article coincides with eCert's introduction of a new service (see press release "eCert Partners With Google and Yahoo! to Protect Businesses and Consumers From Email Fraud").
Regular email security blog readers will no doubt say that this sounds like yet another email authentication idea and wonder if this is some sort of new approach or if it builds on other existing email authentication schemes such as SPF and DKIM. Certainly, there's a great need to help reduce the impact of phishing activities (especially as targeted phishing - aka spear phishing - attacks have become so prevalent).
And, indeed, it looks like the service that eCert has announced is aimed at helping financial institutions and other heavily phished organizations use existing email authentication mechanisms to best effect, even though that's not entirely obvious from their press release. From their press release:
"The eCert Email Domain eCertification Service is a centralized service to register, manage and monitor domains that send email. Three key features of eCert’s groundbreaking new service include: monitoring email traffic and threat activity, protecting member company emails against major forms of phishing, and ‘eCertification’ that enables advanced security, improved delivery and other important benefits, including delivery of critical data on email traffic activity and phishing attack alerts."
While one could be cynical about the commercialization of SPF/DKIM technologies, in practice, it can be very difficult for a large organization to properly configure SPF and/or DKIM, in part due to the large number of third parties who may, in fact, send legitimate email on behalf of that organization. So it makes sense for a company like eCert to provide an end-to-end service that takes care of all the minutiae involved in email authentication.
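One concrete reason third-party senders make SPF hard to get right: the SPF specification caps evaluation at 10 DNS-querying terms (include, a, mx, ptr, exists, redirect), and every vendor include spends from that budget. The following audit is an added example, not code from this post or from eCert; the domains and TXT records are constructed, and the zone is an in-memory dict rather than live DNS.

```python
"""Audit an SPF record's worst-case DNS-lookup count across third-party includes."""

LOOKUP_LIMIT = 10  # SPF evaluation ends in permerror beyond 10 DNS-querying terms
QUERYING = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed sample data: hypothetical domains and TXT records, not real DNS.
SAMPLE_ZONE = {
    "bank.example": "v=spf1 mx a include:_spf.mailhost.example include:crm.example "
                    "include:newsletter.example include:helpdesk.example -all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_spf.crm-relay.example ~all",
    "_spf.crm-relay.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "newsletter.example": "v=spf1 exists:%{i}._spf.newsletter.example ~all",
    "helpdesk.example": "v=spf1 include:missing.example ~all",
}


def parse_term(term):
    """Split one SPF term into (name, target), dropping qualifier and CIDR suffix."""
    name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
    return name.split("/")[0].lower(), target.split("/")[0]


def count_lookups(domain, zone, path=()):
    """Return (lookups, problems) assuming every term is evaluated (upper bound)."""
    if domain in path:
        return 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record published at {domain}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name not in QUERYING:
            continue  # ip4, ip6 and all cost no DNS query
        lookups += 1
        if name in ("include", "redirect"):
            nested, nested_problems = count_lookups(target, zone, path + (domain,))
            lookups += nested
            problems += nested_problems
    return lookups, problems


def audit(domain, zone):
    """Report the total and what each top-level include costs."""
    per_include = {}
    for term in zone.get(domain, "").split()[1:]:
        name, target = parse_term(term)
        if name in ("include", "redirect"):
            per_include[target] = 1 + count_lookups(target, zone, (domain,))[0]
    total, problems = count_lookups(domain, zone)
    if total > LOOKUP_LIMIT:
        problems.append(f"{total} lookups exceeds the limit of {LOOKUP_LIMIT}: permerror")
    return {"total": total, "per_include": per_include, "problems": problems}


if __name__ == "__main__":
    print(audit("bank.example", SAMPLE_ZONE))
```

The per-include breakdown shows which vendor consumes the most of the budget, which is where flattening or a dedicated sending subdomain is usually considered first.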
And this brings me to what may be the most useful link in this post... In cooperation with BITS, eCert published a really good whitepaper on email authentication deployment that they make freely available. I haven't read this document in great detail, but it provides a really good overview of (1) what email authentication is and what it does, (2) what email authentication does not do, (3) basic info about how SPF and DKIM operate, (4) pre-deployment considerations for large organizations, and even a sample project plan.
Heck, they don't even require registration to download this paper. You can snag a copy at this link:
While I was researching this post, I also ran across some pretty amusing commentary from the unknown blogger at "What The Hell? Security", which is a very interesting and opinionated security blog.
The "9 laws" is especially worth reading, I think, and probably deserves its own post here in the Email Security Blog at a later time. But right now, I have to get back to not clicking on bad links.