Just a quick note about recent news reports (such as PCWorld, "Huge Spamming Botnet Injured but Still Alive" and InfoWorld, "What it Takes to Shut Down a Botnet") about efforts to curtail the activities of the so-called Pushdo or Cutwail botnet. This network of compromised computers is suspected of being one of the largest sources of spam and malware-infected email (see the coverage I mentioned previously or this interesting study on that botnet, published by Trend Micro last year).
Late last week, security researchers contacted ISPs that were apparently hosting various command and control servers used by the botnet in an attempt to shut the network down (not unlike the original takedown of botnets hosted by rogue ISP McColo). Apparently approximately 20 out of the 30 C&C servers used by the Pushdo/Cutwail botnet were cut off from the internet, possibly having a short-lived effect on overall spam volume.
As other vendors have seen, spam fighters in the Proofpoint Attack Response Center tell me that Proofpoint's own spamtraps (sometimes referred to as "honeypots") have not seen a volume decrease, but noted that the volume pattern—the natural rises and falls in spam volume that accompany new spam campaigns—has been more "spiky", with bigger fluctuations between high and low volume than we are used to seeing. It's unclear if this behavior is at all related to activities around the Pushdo/Cutwail botnet.
As always, email volumes, especially those received by large enterprises, can fluctuate wildly. This is driven in part by general spam and malware sending activity, but also from attacks that attempt to target specific organizations whether they are attempts at denial-of-service, directory harvest attacks, or targeted phishing attacks.
This ongoing unpredictability is one of the key reasons that many organizations have moved (or are looking at moving) their inbound email security protection to a SaaS model. The rationale being, "Why worry about properly scaling your email and email security infrastructure to meet worst case scenarios when the same type of protection and control is available 'in the cloud' at a much lower total cost-of-ownership?"
Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.
You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.
I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:
Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:
36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.
Enterprise concerns and data loss events from social media continued to rise in the past 12 months:
Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.
Financial services firm National Financial Partners has been a long-time user of Proofpoint's SaaS email archiving solution and, more recently, also deployed Proofpoint's SaaS solutions for inbound and outbound email security.
Dán Salomon, NFP's Senior Vice President of Technology, kindly took the time to speak with me about how his organization uses Proofpoint's SaaS solutions and why he feels that performing email archiving and email security functions "in the cloud" is more secure than taking an on-premises approach. Beyond the cost advantages of SaaS, Dán explains the other business drivers for adopting Software-as-a-Service in this video (recorded on location at Proofpoint's 2010 "Inner Circle" customer event in New York).
My thanks to Dán and NFP for their willingness to discuss this approach and for allowing us to share this interview here!
In a move that surprised many, but will make a lot of sense to regular readers of this blog, Intel announced today that it has entered into a definitive agreement to buy diversified security vendor McAfee for $7.68 billion, a significant premium over McAfee's share price at yesterday's market close.
Echoing many of the same issues that Proofpoint CEO Gary Steele noted in his recent guest blog post at Byron Acohido's "Last Watchdog" blog (see "Why Wall Street is Boosting Investments in Tech Security"), Intel and McAfee gave the following rationale for the acquisition:
First, security is fundamental to today's computing environment. Intel CEO Paul Otellini is quoted as saying, "In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences."
And those "computing experiences" are becoming more and more pervasive. The explosive growth of Internet connected devices—not just PCs but smartphones, tablet computers (like the iPad, the rumored Google Chrome OS pad, etc.), even ATMs, medical diagnostic equipment and on and on—requires better security for those devices to prevent exploitation and protect private data held and processed by those devices.
As security vendors regularly point out, security threats continue to proliferate rapidly and are becoming more complex and more costly to remediate. In the email security space, for example, targeted attacks such as spear phishing, the use of multiple attack vectors (combining email, web and social media components) and more clever social engineering are now commonplace. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," says McAfee CEO Dave DeWalt.
McAfee's online announcement also notes that, "The current cybersecurity model isn’t extensible across the proliferating spectrum of devices – providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security." Which I think is a rather verbose way of saying that network security in today's world needs a major "re-think" and that certain security functions and controls need to migrate further down the IT application stack and be more of an integral part of the hardware and firmware that power new devices.
Additionally, Intel notes that this acquisition is part of their ongoing effort to broaden its IT footprint, delivering not just hardware but software components. Notes the Intel announcement, "Intel has made a series of recent and successful software acquisitions to pursue a deliberate strategy focused on leading companies in their industry delivering software that takes advantage of silicon. These include gaming, visual computing, embedded device and machine software and now security." (Intel's acquisitions of embedded/mobile software vendor Wind River and gaming AI/physics vendor Havok are cited.)
Expect this news to spur ongoing M&A activity in the security space. And, more importantly, the trend toward making security more of a core component of computing devices—rather than an afterthought—will make for a safer computing world.
In a press release issued today, Proofpoint recapped quarterly results from Q2 2010, announcing 7 years (28 consecutive quarters) of increasing quarterly revenue. As we've seen in previous quarters, data privacy and regulatory compliance concerns were an important driver for new business once again.
Proofpoint CEO Gary Steele said that, “There are four key issues driving enterprise IT security spend right now—an increasingly sophisticated spam and malware threat landscape, urgency around protecting consumer and data privacy, pressure to address electronic discovery issues and a realization that SaaS can greatly reduce security and compliance costs. Proofpoint’s solutions are ideally suited to meeting these needs.”
Regular readers of this blog will recognize that the trend toward more strict data protection regulations and increasing eDiscovery needs isn't particularly new. However, one very interesting new trend reported in Proofpoint's latest release is that the Federal market for SaaS solutions is definitely heating up.
One new deal mentioned in the press release is the adoption of Proofpoint's SaaS email archiving solution by a large US Federal agency for an initial 6000 mailboxes with plans to eventually roll the solution out to archive email for more than 70,000 of the agency's employees.
Commenting on the deal, Steele says, "To date, Federal agencies have been extremely cautious about adoption of SaaS solutions and this deployment of Proofpoint Archive will be among the first and largest SaaS deployments—of any kind—in the Federal market. The selection of Proofpoint is a strong validation of the unique security, reliability and scalability features of our SaaS architecture and applications."
There's been quite a bit of news coverage recently about Federal adoption of cloud computing-based solutions—for example, the ongoing battle between Google and Microsoft to provide email hosting services for 15,000 employees at the GSA (see, "Google cloud-computing applications get certification for federal government use," in Sunday's Washington Post for just one example).
The release also notes: "Over the years, Proofpoint has gained strong momentum in the public sector, protecting more than one million government email inboxes including many federal civilian agencies, department of defense organizations such as the US Coast Guard, and the intelligence community. By achieving important information assurance certifications such as NIAP's Common Criteria EAL2+ and NIST FIPS 140-2, Proofpoint is trusted to protect mission-critical applications and mitigate risk through its email security, archiving and data loss prevention solutions."
Of course, it's not just the Federal government market that's moving to SaaS: Enterprises in the private sector continue to move to SaaS. As just one example, Proofpoint's release notes that the number of messages under management by its SaaS email archiving solution doubled in the past 12 months and that this trend is accelerating.
For more on the trends that drove Proofpoint's revenues to record levels once again, see the full press release:
The anti-spam team over in the Proofpoint Attack Response Center shared some statistics with me about spam trends in Q2 (April through June) of 2010 that I thought I would relate here.
First, the spam team provided a breakdown of the top 10 spam-sending countries for Q2 and you can see a graphical view of that at right (click the image for a larger view).
This data, compiled from spam messages that hit Proofpoint's spam "honeypots" (email addresses and email servers that attract and collect spam email messages), shows that the US was the top spam sending nation during the second quarter. Brazil and India took the #2 and #3 positions—unsurprisingly as the recently released Proofpoint/Commtouch Q2 Internet Threats Trend Report showed those two nations as the top hotspots for botnet infestation.
Another interesting trend observed during Q2 is that, in general, malicious email messages continued to become more difficult to detect—that is, spammers continued to innovate and use more complex obfuscation techniques. The percentage of messages containing an obvious spam URL destination, for example, fell by more than half. Similarly, image-based spam messages declined by more than a third and messages with virus-infected attachments fell by more than a quarter.
Since overall spam levels didn't decline during the quarter, what's taking the place of those easier-to-detect spam messages?
Proofpoint anti-spam engineer Scott Panzer tells me that "spoof" messages (the type commonly used in phishing attacks) have been generally on the rise and that Proofpoint's anti-spam technology catches these using more predictive approaches. (For a great deal of information on the unique, machine learning techniques that Proofpoint uses to stop spam, see our whitepaper about Proofpoint MLX.)
Proofpoint customers weren't affected by the increasing complexity of spam messages during the quarter, however, as Proofpoint's anti-spam effectiveness actually increased from an average of 99.93% during Q1 to 99.94% during Q2. As noted in Gartner's latest Magic Quadrant for Secure Email Gateways, Proofpoint is one of the few email security vendors that publicly reports its ongoing anti-spam effectiveness. You can view Proofpoint's spam detection accuracy for the last 190 days by visiting:
A couple of recent video interviews featuring Proofpoint execs hit the web recently:
Proofpoint CEO Gary Steele talks with SC Magazine reporter Angela Moscaritolo about recent merger and acquisition activity in the IT security space. Gary talks about the need for security vendors to make their solutions available as SaaS – and the difficulty of building such functionality “from scratch” – as one of the key drivers. You can watch the full video here:
Proofpoint's director of channel marketing, Dave Crilley, discusses the value propositions for IT security solutions "in the cloud" and addresses some of the issues that the reseller channel faces in selling SaaS solutions in this interview with ChannelWeb's senior security editor, Stefanie Hoffman. You can watch the full video here:
[Updated July 6, 2010: Complete multi-part interview is now online.]
Proofpoint CEO Gary Steele (pictured at left) recently spoke with entrepreneurship blogger and Forbes writer, Sramana Mitra at length about his background, Proofpoint's business and trends around email security, SaaS and other topics related to the enterprise markets that Proofpoint serves.
The first part of Mitra's multi-part interview is now posted at sramanamitra.com. In segment one of "Rolling Up Email Security SaaS," Gary talks about his early background, education and how he made the leap from the engineering world to high-tech marketing to CEO and how he came to join Proofpoint in its pre-funding days.
Read the interview here: "Rolling Up Email Security SaaS, Part 1," Gary Steele in conversation with Sramana Mitra. Even though I know Gary pretty well, I learned a few things about him by reading this and look forward to the rest of the series.
Update 7/6/2010: The rest of this series is now online at Sramana Mitra's site. I've put direct links to all six parts below, along with short notes about the topics covered:
Is privacy the new black? Certainly seems that way with a constant stream of news about privacy snafus, data loss/exposure incidents and increasing scrutiny of data privacy policies at all levels.
A couple of the latest sightings: Yesterday, the FTC issued a decision based on its investigation of Twitter's security practices (text of the FTC's decision on Twitter here), which came under scrutiny after several high-profile compromises of that social media service.
E-commerce Times has a good summary of the situation today, including some commentary from yours truly about what this ruling means for all types of online services, especially those with a messaging component. I also suggest that some of the FTC's prescription for Twitter is generally good advice when it comes to password security. Rather than repeat all of that stuff here, I refer you to Katherine Noyes's excellent article over at ecommercetimes.com for the whole story:
On a related tip, I see that the always excellent Healthcare Info Security has posted a new podcast with IT luminary Guy Kawasaki talking about social media strategies, including security concerns. Taking a bit of a contrarian view, Guy says that security and privacy concerns about social media are "massively overblown."
I get where Guy's coming from - he's really commenting on some individuals' over-sensitivity to targeted marketing campaigns and the difference between regulated info like personal healthcare and financial information and info that might be considered "private" but doesn't so much represent something risky or exploitable.
But at the same time, enterprises (especially in regulated industries) need to be mindful of the fact that - just as with email - it's fairly easy to run afoul of data protection and privacy regulations over social media.
Regular readers know that I've got a whole raft of facts about that (if you've never seen those before, you can find many of those here in the blog, or download my latest report at http://www.proofpoint.com/outbound.)
NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.
Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units that actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.
The whole article is worth a read and it provides an interesting "proof point" for something that we've been noting for quite a while: that multi-channel, enterprise DLP deployments (which involve the deployment of endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.
As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss - and one of the least controlled).
Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:
Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):
... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.
The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting: