Addressing Email Security Holistically Jeff Lake Vice President, Federal Operations Proofpoint, Inc. August 17, 2011

Page 1:

Addressing Email Security Holistically

Jeff Lake

Vice President, Federal Operations

Proofpoint, Inc.

August 17, 2011

Page 2:

Jeff Lake: Speaker Background

Vice President, Federal Operations, Proofpoint, Inc.

Former Vice President, Federal Operations for Fortinet, Inc. and CipherTrust, Inc.

20 years of IT experience, 10 in messaging security

Former US Army, Military Intelligence Officer

Page 3:

Objectives

Understand Email landscape changes
Review the government agency landscape
Learn about CUI
Discuss how an agency can ‘control’ information
Define ESI and retention policies
Discover why eDiscovery is important
Review how the “Cloud-First” Policy can help

Page 4:

Understanding Email Landscape Changes

Presentation Title—4—March 5, 2010

Page 5:

Malware Sophistication

Aggregate volumes increasing

· 50% increase over 3 months

Massive bursts and concentration of attacks

· 100,000 spams/day, single user

Distribution channels

· Spammers leverage others’ resources

Page 6:

Message Volumes Continue to Rise

Rising spam and email complexity demand a holistic strategy

Spam message sizes are increasing as well

· Update

Page 7:

Botnet activity continually increasing

Botnets continue to drive spam growth
» New Internet users coming online in developing countries with no (or pirated) AV protection
» Hackers rent out portions of their botnets to spammers and sell stolen credentials

Page 8:

Email Today: More than Just the Mail Server

Mail Servers

Page 9:

Email Today: Soaring Costs and Complexity

Routing MTAs
Mail Servers
Mobility (BES)
Mail Server Anti-Virus
Disaster Recovery
eDiscovery
Archiving
Compliance
Anti-spam
Anti-virus
Content Filtering
Data Loss Prevention
Encryption

Page 10:

Email Today: Soaring Costs and Complexity

Mail Servers $50 - $100

Routing MTAs $0 - $20

Anti-spam $10 - $20

Anti-virus $2 - $4

Content Filtering $0 - $30

Data Loss Prevention $10 - $20

Encryption $10 - $15

Mobility (BES) $5 - $10

Mail Server Anti-Virus $0 - $5

Disaster Recovery $0 - $25

Archiving $0 - $80

Compliance $0 - $30

eDiscovery $0 - $20

TOTAL $87 - $259

Page 11:

The Email World Has Changed

Inbound Security, DLP/Encryption, Archiving, eDiscovery, Budgets

· Spam Volumes
· Focused Attacks
· Spam Sophistication
· Government Regulations – FISMA, DFARS
· PCI, HIPAA, FERPA
· Frequent Data Breaches
· OMB Memorandum 07-16
· NIST Special Pub 800-122
· GAO Report 08-343
· Records retention - EMPA
· FRCP Rules
· Increased Litigation
· Bloated Mail Server
· Records Definition (44 USC 3301)
· NARA Rule 1234
· DoD 5015.2

• Shift from On-Premises to Cloud

• FCCI, FedRAMP

• TCO and security driving deployment choice

• Marketplace confusion regarding options

· 11% decrease in total receipts from 2009

Page 12:

Government Agency Landscape

Focus on protection of PII and CUI

Demands: records preservation, access

Consolidation of Agency networks

Interest in SaaS

Budgets: pressured for efficiency

Page 13:

More Regulations and Scrutiny

Page 14:

CNCI

Comprehensive National Cybersecurity Initiative

Launched by President Bush with NSPD-54/HSPD-23 in January, 2008

3 Major Goals:
» Establish a front line defense against immediate threats
» Defend against the full spectrum of threats…
» Strengthen the future cybersecurity environment…

Page 15:

TIC

Trusted Internet Connection (TIC) Initiative
» Headed by OMB and DHS
» Common security solution which includes:
• Reduced access points
• Baseline security capabilities
• Validating agency adherence to baseline capabilities

Page 16:

Trusted Internet Connection (TIC)

Agencies have a choice:
» TICAP - TIC Access Providers
• agency rolls their own, and/or provides for others
» MTIPS - Managed Trusted IP Service
• agency “seeking service”
• Networx contract vehicle managed by GSA
• 4 approved Networx Universal MTIPS providers
– ATT, Verizon, Qwest, Sprint

Page 17:

A new government acronym:

CUI

Page 18:

Controlled Unclassified Information (CUI)

Background:
» 107+ unique markings
» 130+ different labeling or handling processes for Sensitive But Unclassified (SBU) information
• E.g. “For Official Use Only” and “Law Enforcement Sensitive”

Definition
» Federal agencies routinely generate, use, store, and share information that, while not meeting standards for classified national security information, requires safeguarding measures and dissemination controls

Page 19:

Presidential Directive: Controlled Unclassified Information

Presidential memorandum on Classified Information and Controlled Unclassified Information
Formation of Task Force, which recommended “Controlled Unclassified Information” (CUI) Framework
Requirement for safeguarding and dissemination controls for CUI

Data Loss Prevention for Controlled Unclassified Information

Page 20:

How can an agency “control” information?

Page 21:

Controlling Information

CUI Framework tag
» COTS products, or manual effort

Data Loss Prevention technologies to stop information from being sent in the clear
» DAR – Data At Rest
» DIM – Data in Motion
• Two most prevalent protocols are SMTP and HTTP(s)

DIM technology to identify CUI

Policy enforcement should include list of possible actions to include notify, quarantine, discard, encrypt

Page 22:

Policy Driven Email Disposition

Multi-layered defense in depth
» Utilize smart intelligence for SSNs, PANs, ABA Routing Numbers, etc.
» Proximity and correlation analysis
» Enforce policy on emails containing sensitive authorization data

Integrated encryption
» Ensure DLP is tightly integrated with strong encryption technology
» Encrypt messages automatically, based on presence of sensitive data

Easy to implement and use
» Today’s DLP and encryption solutions are not yesterday’s PKI nightmares
» Should not require any end-user training
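
The identifier checks, proximity analysis and policy-driven disposition listed on the DLP slides above, as an added Python sketch that is not from the presentation or any Proofpoint product. The context keywords, the 40-character window, the action mapping and the "deliver" outcome for clean mail are assumptions made for illustration.

```python
import re

# Candidate patterns; a match counts only if it passes its validator and a
# context keyword appears nearby (proximity analysis).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
ABA_RE = re.compile(r"\b\d{9}\b")
CONTEXT = {"ssn": ("ssn", "social security"),
           "pan": ("card", "visa", "mastercard"),
           "aba": ("routing", "aba")}
WINDOW = 40  # characters searched on each side of a match (assumed value)

def valid_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    # Routing-number checksum: weights 3,7,1 repeated; sum must be a multiple of 10.
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0

def near(text, m, kind):
    ctx = text[max(0, m.start() - WINDOW): m.end() + WINDOW].lower()
    return any(word in ctx for word in CONTEXT[kind])

CHECKS = (("ssn", SSN_RE, lambda m: valid_ssn(*m.groups())),
          ("pan", PAN_RE, lambda m: luhn_ok(re.sub(r"\D", "", m.group()))),
          ("aba", ABA_RE, lambda m: aba_ok(m.group())))

def scan(text):
    # Set of identifier kinds that pass pattern, checksum and proximity tests.
    return {kind for kind, rx, ok in CHECKS
            for m in rx.finditer(text) if ok(m) and near(text, m, kind)}

def disposition(text):
    # Assumed policy: card data, or any two kinds together (correlation), is
    # quarantined; a single SSN or routing number forces encryption.
    kinds = scan(text)
    if not kinds:
        return "deliver"
    return "quarantine" if "pan" in kinds or len(kinds) > 1 else "encrypt"

# Constructed sample messages (test values, not real data).
SAMPLES = ["Employee SSN: 123-45-6789 for payroll",
           "Card 4111 1111 1111 1111 exp 12/12",
           "Order ref 123-45-6789 shipped"]
if __name__ == "__main__":
    for body in SAMPLES:
        print(disposition(body), "<-", body)
```

The third sample shows why proximity matters: the same digit pattern with no nearby keyword is delivered rather than encrypted.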

Page 23:

Protect HTTP(S) with Web DLP

Data Loss Prevention to web protocols
» Webmail, blog posts, etc. sent to SEG for DLP filtering
» SEG returns allow or block

Single management interface
» All policies managed through single administrative interface (email and web)
» Easily leverage existing policies or create new ones

Easy to implement and use
» Configure Proxy to deliver content to SEG
» No licensing required for use of ICAP interface from SEG or proxy vendors

[Diagram labels: Internet, Web proxy, SEG, SMTP, HTTP(S), ICAP, Content, Allow/Block]

Page 24:

What is ESI? and What is a Retention Policy?

Page 25:

Defining ESI

Electronically Stored Information
» Sources: email, mainframes, local servers, laptops, backup tapes, external hard drives
» Common forms: email with attachments, text files, PowerPoints, spreadsheets, instant messaging, etc.
» Federal Rules of Civil Procedure (FRCP) Rule 26(f) – rule which governs pre-trial conference on the disclosure and discovery of ESI

Page 26:

NARA Retention Policy Guidelines on ESI

C.F.R = Code of Federal Regulations

Transitory email
» 6 month retention cycle

Federal Record
» Old requirement – print the email and store before the electronic record can be deleted (36 C.F.R. 1234.24)
» Permanent Electronic Mail – must be archived
» Temporary Electronic Mail – varied retention period
» Transitory Electronic Mail Records – 180 day retention

Page 27:

Federal Archiving Regulations

Litigation demands preservation and access
Includes “electronically stored information” or “ESI”

NARA Records Management Guidance & Regulations (36 CFR 1236)
• Guidelines for email archiving

Electronic Message Preservation Act (2010)
• Electronically capture, manage, preserve records

Federal Rules for Civil Procedure (Rule 34)
• Huge penalties for not adhering

DoD 5015.2 Records Management Program
• Create, maintain, preserve as records in any media

Page 28:

Why is eDiscovery important?

Page 29:

The need for eDiscovery

Government litigation incidents
» Deepwater Horizon Response (BP oil spill)
• Claims citing the Oil Pollution Act (OPA)
• BP, Halliburton Co, and Cameron International Corp
• USCG and FEMA also involved with litigation
» Hurricane Katrina
• Judgments against US Army Corps of Engineers
• Various claims remain open with FEMA
» Many other examples

Page 30:

How an Archive Helps

Centralize Data
» Build a centralized, deduped repository that can’t be tampered with for legal usage
» Provide end users with access to their historical mail to eliminate need for PSTs

Enforce Policy
» Enforce retention policy with flexible rules
» Initiate a litigation hold without dependency on end-user compliance

Expedite Discovery
» Early case assessment with real-time full text search
» Cull data to reduce review costs
» Quickly export data to PSTs

Page 31:

Mailbox Management Considerations

Benefits:

• IT can impose tighter quotas on mailboxes while preventing PST creation

• Less data in Exchange improves performance

• Less data in Exchange shortens backup and recovery times

• Prevents ongoing storage growth within Exchange

End-User Search
» Access archive directly within mail client
» Intuitive search with full text indexing to find historical mail
» Self-serve retrieval of accidentally deleted mail

Stubbing
» Larger, older attachments replaced with shortcut to archive
» End-user access to stubbed attachments
» Automated restoration of original when forwarding

Page 32:

eDiscovery Considerations

Automated enforcement w/ AD integration

Real-time, Flexible

People, content holds beyond standard period

Export data for review tools, Fast exports to PST

Instant for active archive, legal hold

Forensically compliant storage, capture

Disposition

Retention Policy

Repository

Search

Legal Holds

Export

Page 33:

US Federal CIO’s Cloud-First Policy

Page 34:

Cloud-First Policy

First introduced November, 2010
Detailed in the “Federal Cloud Computing Strategy” paper by Vivek Kundra, 2/8/11
Targeting $20b of the $80b annual IT spend by Federal agencies
Goal: Each agency identifies 3 “must move” services, 1 moved within 12 months, remaining 2 within 18 months

Page 35:

Moving to the Cloud

FCCI
• Unify Cloud Computing Standards
• Federal Cloud Computing Initiative

FedRAMP
• Federal Risk & Authorization Management Program

FIPS
• NIST security evaluation guidelines

Page 36:

How Cloud Computing Can Help

Reduce email risks and costs
» Consolidated compliance and cloud-powered platforms
» eDiscovery solution for reducing retention and litigation costs
» Policy-based encryption ensures security is not user dependent

Adhere to regulations and privacy best practices
» DLP and policy-based encryption
» Built-in remediation / workflow
» Multiple archive retention policies

Raise the quality of services
» Enable and promote secure communication for your agency, ensuring continued public trust
» Automate privacy training and raise awareness internally

Page 37:

Benchmarking Your Cloud-based Security

Accuracy
· Should have 99% spam effectiveness
· Should have 100% virus control
· Should have < 1 in 350,000 false positives

Speed
· Should have sub-minute email latency
· Should have < 20 second archive search results

Reliability
· Should have 99.999% service availability

Page 38:

SaaS Architecture Advantages (if done correctly)

Requirement: Consideration

Resilience: Multi-datacenter processing across all applications
Security: Encryption of data at rest
Isolation: No co-mingling of data
Integration: Tied to directory services (LDAP/AD)
Cost: Leverage inexpensive storage via grid architecture; leverage multi-customer load processing for economies of scale

Page 39:

Security and Compliance Are Top Priorities For Federal and Commercial Organizations

Enterprise 2.0
Data Everywhere – Public/Private Clouds
Consumerization of IT
Rise of Mobile
Rise of Social Media

LITIGATION, PRIVACY, SECURITY

Global 2000, Government Orgs.

• Spam Volumes
• Focused Attacks
• Phish Attacks
• Botnets

• Government Regulations
• PCI, HIPAA, FERPA
• Frequent Data Breaches
• Confidential Information Leaks

• Being Brought In-house To Reduce Costs

• FRCP Rules
• Freedom of Information (FOIA)
• Increased, Costly Litigation
• Compliance
• Records retention

Page 40:

Cloud Services for Email Security, Compliance, and Archiving

Applications
» On-Premises (Private Cloud) (Virtual Appliance): Anti-Spam/Anti-Virus, Data Loss Prevention, Policy enforcement
» In the Cloud: Anti-Spam/Anti-Virus, Data Loss Prevention, Policy enforcement, Email archiving/eDiscovery

Common Services
» Dynamic Update Service
» Reputation Services
» Encryption Key Service
» Storage Service
» Reporting & Analytics

Underlying Infrastructure
» CPU, Memory, Network

Page 41:

A Holistic View of email security, compliance, and archiving

Email Security & Compliance Cloud Platform

Secure Communication
» Encrypt emails and send large attachments securely

Email Threat Protection
» Protect the infrastructure from outside threats

Archiving and eDiscovery
» Enable search, eDiscovery, storage management and compliance

Data Loss Prevention
» Ensure external requirements and internal policies are met

Page 42:

Questions?