Page 1:

Business Ready Security: Microsoft Exchange Server 2010 and the Microsoft Forefront Secure Messaging Solution, Better Together

Alex Nikolayev, Program Manager, Identity and Security Division, Microsoft Corporation

SESSION CODE: SIA324

Cristian Mora, Product Manager, Identity and Security Division, Microsoft Corporation

Page 2:

Agenda

• Business Ready Security Overview
• Microsoft Exchange and Forefront Better Together scenarios
  • Forefront Protection for on-premises
  • Forefront Protection in the Cloud
  • Hybrid Protection
• Demo!

Page 3:

Top E-Mail Threat Concerns

• Malware via URLs
• Malware via Attachments
• Phishing
• Spam
• Data Leakage

Source: “Messaging Security Survey: The Good, Bad, and Ugly Study,” IDC, 2009.

Page 4:

“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.”

— “E-mail Security Market, 2009-2013,” The Radicati Group, Inc.

“… Around $8 Billion Lost to Viruses, Spyware, and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime…”

— 2009 State of the Net Survey

“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam” — “Forrester Wave E-mail filtering Q2 2009,” April 2009

“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” — Brian E. Burke, “Messaging Security Survey,” IDC, 2009.

Page 5:

Business Needs and IT Challenges

Business Needs (Agility and Flexibility):
• Secure access to messaging from virtually anywhere
• Receive messaging free of spam
• Protection from advanced threats
• Prevent sensitive information from leaking

IT Needs (Control):
• Multiple locations and devices
• Advanced spam technologies bypassing scanners
• Financially motivated evolving threats
• Difficulty in discovering and securing sensitive information

Page 6:

Business Ready Security
Help securely enable business by managing risk and empowering people

From Block to Enable, from Cost to Value, from Siloed to Seamless

• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance

Highly Secure & Interoperable Platform: Identity, across on-premises & cloud

Page 7:

Business Ready Security Solutions

• Secure Messaging
• Secure Collaboration
• Information Protection
• Identity and Access Management
• Secure Endpoint

Page 8:

Secure Messaging

Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information

PROTECT everywhere, ACCESS anywhere
• Best-in-class anti-malware and anti-spam on-premises / in-the-cloud
• Protect sensitive information in e-mail
• Secure, seamless access

INTEGRATE and EXTEND security
• Deep Microsoft Exchange integration
• Extend secure e-mail to partners

SIMPLIFY security, MANAGE compliance
• Centralized Management across on-premises and cloud
• Improved visibility across business productivity application security

Page 9:

Current Situation: Multiple Products for secure messaging

Threats:
• External websites sending spam and malware
• Virus threats from internal senders
• Internal users sending sensitive information to partners in e-mail

Separate products:
• Separate SMTP virus scanner to detect and remove spam and malware
• Separate gateway to detect sensitive content
• Separate gateway to enable remote access
• Remote access solution w/ separate identities

Page 10:

Secure Messaging: Simple and easy

• Malware and spam cleaning in the cloud with FOPE
• Internal mail protected with Forefront Protection for Exchange
• Information Protection built into the platform
• Always-on access built into the platform

Page 11:

Forefront Protection 2010 for Exchange Server Summary

An easy to manage Premium Antimalware and Antispam Protection Solution for Microsoft Exchange Server

Comprehensive Protection
• Premium Antispam protection (on premises and in the cloud)
• Multiple Malware engine protection against emerging threats
• Content and Keyword Filtering
• New: Spyware protection: MSAV
• Encrypted messages scanning

Integrated Security
• Intelligent engine selection
• Monitoring security state in real-time
• New: Integration with Exchange 2007 and 2010/IRM Hybrid Model

Simplified Management
• Automated updating
• Inclusive management console with security/protection views
• New: Manage on premises and off premises security policies
• Fast response to security incidents

Page 12:

Forefront Protection 2010 Architecture: built in, not bolted on, to Exchange

Exchange transport pipeline (diagram labels):
• SMTP Receive, Pickup Directory, Ex Submit (MAPI/SMTP)
• Submission Queue
• Categorizer, Recipient API, Exchange Biz Logic, AD
• Delivery Queue
• SMTP Send, SMTP

Extensibility Platform (where Forefront hooks in):
• Transport Agent/Message API
• Agent Run Time Engine (MEx)
• Forefront antispam
• Forefront antimalware

FPE 2010 is built into Exchange through the Transport APIs on the Transport roles and is hooked into the Mailbox role via VSAPI. The Premium antispam agents co-exist with and complement the basic Exchange antispam agents, sharing their configuration data. The Forefront agents enable end-to-end scenarios for end users and Exchange administrators.

Page 13:

Forefront Protection 2010 for Exchange Server Deployment

Protection Availability: Exchange 2010, Exchange 2007 SP1

Enterprise Network (diagram labels):
• Edge Transport, with Threat Management Gateway and Protection 2010 for Exchange Server, receiving External Mail
• Hub Transport (Routing & Policy), with Protection 2010 for Exchange Server
• Mailbox (Storage of mailbox items), with Protection 2010 for Exchange Server
• Unified Messaging (Voice mail & voice access), connected to the phone system (PBX or VoIP)
• Client Access (Client connectivity, Web services), with Threat Management Gateway
• Clients: Web browser, Outlook (remote user), Mobile phone, Outlook (local user), Line-of-business applications

Page 14:

Surpassing Security Expectations
Forefront/Exchange Better Together:

Exchange 2010 (Standard CAL):
• Encryption: Default Intra-Org, Inter-Org mTLS support, IRM support
• Antispam: Basic

Forefront 2010 (Enterprise CAL):
• Antivirus: Multiple Engine Malware Detection
• Unified Management
• Hosted, Hybrid Protection
• Antispam: Premium

Page 15:

Forefront Protection 2010 Antispam: Functional Highlights

Exchange 2010 layer + Forefront 2010 addition, with benefits:

Connection Filtering + Forefront DNS Block List
• Aggregated RBL data from multiple external and internal vendors
• No configuration required

Protocol Filtering + Unified Management
• Consolidated Connection/Sender/Recipient/Sender ID filtering for simplified management

Protocol Filtering + Backscatter Filter
• Blocks NDR (backscatter) spam

Content Filtering + Cloudmark CMAE Engine
• Option of alternative third-party content filter
• Above 99% detection rate
• No configuration required (installs with smart defaults)

+ Forefront True Type File Filtering
• Real file type inspection (not just extension)
• Actionable scanning of nested files/within ZIP

+ Global Exception Lists
• Single access point to sender and recipient exception lists (allow and block actions)

+ Streamlined SCL
• Less ambiguous ratings for fewer false positives end to end

+ Hybrid Model
• Integration with Forefront™ Online Protection for Exchange

Page 16:

Forefront Protection 2010 Antispam Features

Layered Antispam Technologies:
• Connection Filtering (IP Block/Allow List, DNSBL Filter, Sender ID Filter)
• Protocol Filtering (Sender Filter, Recipient Filter, Backscatter Filter)
• Content Filtering (Content Filter, Junk E-mail Filter: spam/phishing)

New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model

Page 17:

Reducing the Carbon Footprint of Spam: Forefront DNSBL

• Implemented as an SMTP Receive Agent; a configuration- and maintenance-free feature
• Multiple external and internal RBL providers with a continuous flow of feeds
• Queries are sent to Forefront-owned DNS infrastructure
• Efficiency: based on internal MSIT numbers, 85-90% of all incoming connection requests are denied by the DNSBL
• The rejection response is actionable, to help with corrective actions: “550 5.7.1 Do this to get the IP removed from the DNSBL list…”
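The connection-filter decision described above, written out as an added Python example that is not Forefront's code: the reversed-octet query name, a constructed stand-in for the DNS answer, and the actionable 550 5.7.1 reply. The zone name, removal URL and listed addresses are constructed; the example also carries the checks a practitioner wants, namely that private and loopback addresses are never queried and that answers outside 127.0.0.0/8 are not treated as listings.

```python
from __future__ import annotations

import ipaddress

# Constructed stand-ins for the DNSBL zone and the removal URL; the real agent
# sends its queries to Forefront-owned DNS infrastructure instead of a dict.
DNSBL_ZONE = "dnsbl.example.invalid"                    # placeholder zone
REMOVAL_URL = "https://dnsbl.example.invalid/remove"    # placeholder URL
LISTING_REASONS = {"127.0.0.2": "spam source", "127.0.0.3": "botnet member"}
SAMPLE_ZONE = {                                          # constructed answers
    "4.3.2.203." + DNSBL_ZONE: "127.0.0.2",
    "1.0.113.198." + DNSBL_ZONE: "127.0.0.3",
}


def dnsbl_query_name(client_ip: str) -> str | None:
    """Build the reversed-octet query name for an IPv4 client, or None when
    the address must not be queried (malformed, IPv6, private, loopback)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    if addr.version != 4 or addr.is_private or addr.is_loopback:
        return None
    reversed_octets = ".".join(reversed(client_ip.split(".")))
    return f"{reversed_octets}.{DNSBL_ZONE}"


def resolve(name: str, zone: dict[str, str]) -> str | None:
    """Offline stand-in for a DNS A lookup: the answer, or None for NXDOMAIN."""
    return zone.get(name)


def connection_filter(client_ip: str, zone: dict[str, str] = SAMPLE_ZONE) -> tuple[int, str]:
    """Decide the SMTP response for a connecting client: 220 to accept the
    session, 550 with an actionable 5.7.1 text to reject it."""
    name = dnsbl_query_name(client_ip)
    if name is None:
        return 220, "accepted: address not eligible for DNSBL lookup"
    answer = resolve(name, zone)
    if answer is None:
        return 220, "accepted: not listed"
    # Only answers inside 127.0.0.0/8 are listings; any other answer (for
    # instance a wildcard from a dead or hijacked zone) must not block mail.
    if not ipaddress.ip_address(answer).is_loopback:
        return 220, "accepted: unexpected DNSBL answer ignored"
    reason = LISTING_REASONS.get(answer, "listed")
    return 550, (f"5.7.1 Service unavailable; client [{client_ip}] blocked "
                 f"by DNSBL ({reason}). See {REMOVAL_URL} to get the IP removed.")
```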

Page 18:

Forefront Protection for Exchange Content Filter

New Content Filter:
• Based on Cloudmark Authority Engine with industry-leading performance metrics
• Embedded into the Forefront antispam architecture via the Exchange transport agents framework
• Executes in the SMTP Receive pipeline
• Scans the MIME stream – body + headers of the message
• Fingerprints-based engine

Implementation details:
• Incorporates Anti-Phishing protection
• Enables a feedback loop for better engine accuracy
• Simplifies administration and management
• Supports custom 3rd-party ISV business logic based on the existing extensibility model
• Seamlessly integrates into the End-To-End Antispam framework

Benefits:
• Reduced spam and phishing penetration
• Enhanced server performance
• Increased IT Pro and IW productivity
• Improved end user satisfaction

Page 19:

DEMO: Under the Antispam Hood


Page 20:

Forefront Protection 2010 for Exchange: Malware Filtering

Page 21:

Protect Messages from Malware

Microsoft Solution (“Defense in Depth”) vs. Competitors’ Solutions:
• Multiple Engines vs. Single Engine
• On premises or in the cloud
• Automatic Engine Updates
• 99% spam detection* (* With premium antispam services)
• 38 times faster

An AV-Test of consumer antivirus products revealed:
• On average, Forefront engine sets provided a response in 3.1 hours or less.
• Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively.

Protect everywhere, access anywhere

“Forefront Security for Exchange Server can support up to five scanning engines at the same time. Thus, it offers a more secure environment, compared with products that support using only a single engine.” - Akihiro Shiotani, Deputy Director of the Infrastructure Group

Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230

Page 22:

Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages

• Leading antimalware engines deployed via an integrated solution
• Allows multi-directional protection of the messaging stream: inbound, outbound, internal, and data at rest
• Intelligent Engine Selection:
  • Automatically chooses the most current and effective engines first
  • Allows administrators to balance security with performance needs
• Removal of a single point of failure in the organization
• Lower TCO – all engines included in base cost

Page 23:

Forefront Antimalware Engines Updates

Update paths (diagram labels):
• Remote Update Services
• Automatic Updates
• Directly from vendor
• Manual Config
• Redistribution
• MSAV/CMAE

Page 24:

Forefront FPE Malware Filtering: Transport

INTERNET → Edge Server (SCAN and STAMP) → Hub Role (NO SCAN) → Mailbox Role (NO SCAN) → Client / Public Folder

• Mail scanned only once at the Edge - saves processing load on Hub and Mailbox servers
• Malware detected on Edge deleted immediately
• Internal mail is routed through Hub role
• Proactive scanning at the Mailbox server (Store) is turned off by default to save processing load on Mailbox servers
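The scan-once-at-the-Edge flow above, as an added Python example that is not Forefront's code: the Edge scans and stamps, and the Hub and Mailbox roles skip scanning only when the stamp verifies. The header name, the HMAC-based stamp and the malware marker are constructed; the check that matters for a defender is that any stamp arriving from the Internet is discarded before scanning, so a forged stamp on inbound mail never suppresses the Edge scan.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed names for this example: the stamp header, the shared key the
# roles use to verify it, the "malware" pattern and the connection source tag.
STAMP_HEADER = "X-Example-AVStamp"
STAMP_KEY = b"shared-secret-known-to-all-roles"
MALWARE_MARKER = "EXAMPLE-MALWARE-MARKER"
INTERNET = "internet"          # untrusted source; anything else is internal


@dataclass
class Message:
    body: str
    headers: dict[str, str] = field(default_factory=dict)
    scans: list[str] = field(default_factory=list)   # roles that scanned it


def _stamp_value(msg: Message) -> str:
    """Bind the stamp to the scanned content with an HMAC over the body."""
    digest = hmac.new(STAMP_KEY, msg.body.encode(), hashlib.sha256).hexdigest()
    return f"scanned-clean;{digest}"


def stamp_is_valid(msg: Message) -> bool:
    """A role may skip scanning only when the stamp verifies for this body."""
    return hmac.compare_digest(msg.headers.get(STAMP_HEADER, ""), _stamp_value(msg))


def scan(msg: Message, role: str) -> bool:
    """Record the scan and report whether malware was found."""
    msg.scans.append(role)
    return MALWARE_MARKER in msg.body


def edge_receive(msg: Message, source: str) -> Message | None:
    """Edge: drop untrusted stamps, scan, delete malware, stamp clean mail."""
    if source == INTERNET:
        msg.headers.pop(STAMP_HEADER, None)   # never trust an external stamp
    if stamp_is_valid(msg):
        return msg
    if scan(msg, "edge"):
        return None                            # deleted immediately at the Edge
    msg.headers[STAMP_HEADER] = _stamp_value(msg)
    return msg


def internal_role_receive(msg: Message, role: str) -> Message | None:
    """Hub and Mailbox: NO SCAN when a valid stamp is present, else scan once."""
    if stamp_is_valid(msg):
        return msg
    if scan(msg, role):
        return None
    msg.headers[STAMP_HEADER] = _stamp_value(msg)
    return msg


def deliver_from_internet(msg: Message) -> Message | None:
    """INTERNET -> Edge -> Hub -> Mailbox, as on the slide; None if deleted."""
    current = edge_receive(msg, INTERNET)
    for role in ("hub", "mailbox"):
        if current is None:
            return None
        current = internal_role_receive(current, role)
    return current
```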

Page 25:

Forefront FPE Antimalware Scanning: Store

On Access Scanning
• Turned on by default
• Follows the settings of the real-time scan
• Scans only messages that have not been scanned before

Schedule Scanning
• Scan mailboxes or folders not covered by the real-time scan, or messages that predate FPE
• You may use different engines
• Usually deep scans that forgo performance concerns

On Demand Scanning
• Immediate scan of specific mailboxes and public folders to assess malware concerns that may arise
• You may also use this to scan with different engines

Page 26:

Forefront Antispyware Filtering

• MS AV engine should be enabled
• Enable antispyware scanning for the transport / real-time / scheduled scan
• Set the action (AV takes precedence)

Page 27:

Forefront Worms Filtering

• Entire worm message is deleted, including the full message body
• Worm is stopped before it enters the network; network impact is minimized; no impact on the mail store or the email services
• Message or attachment is never quarantined; quarantine kept smaller and more efficient
• No notifications are sent; users are not alarmed, but there is an option to send notice to specific Worm Admins
• Worm purging is enabled by default; to disable:

    Set-FseTransportScan -EnableWormPurge $false

Page 28:

Microsoft® Forefront™ Online Protection 2010 for Exchange Server: Antimalware Configurations and Options Demo


Page 29:

Forefront Protection 2010 for Exchange Server: An Extension into Online Services

Page 30:

Forefront Online Protection for Exchange: Inbound E-Mail Filtering

Message flow (diagram labels, in order):
• E-mail enters the global data center network – MX (mail.messaging.microsoft.com)
• Spam prevention: Real time attack prevention (RTAP), IP-based authentication, Reputation database. Connections from all senders are analyzed; connections from illegitimate senders are blocked (SMTP Reject: 55x)
• Directory Services: Look up e-mail filtering settings for domain
• Virus Scanning: Kaspersky, Symantec, Authentium
• Policy Enforcement: Custom Policy Rules; Attachment and message attribute management; Content and Policy Quarantine
• SPAM Protection: Safe senders; Custom Spam Filter management; Rules Based Scoring; Fingerprint Engines; SPAM Quarantine
• E-mail server available? If the server is down, e-mail is queued for up to 5 days and delivered in a flow-controlled fashion when the server is available (Queue → Corporate Network)
• Feedback loop: Spam Analysts; Customer Feedback (False +ve / -ve); Sync

Page 31:

Inbound E-Mail Filtering

Filtering Technique / Description / Cumulative Effectiveness (as extracted from the slide table):

IP addresses are added:
• thru automated feedback loops that identify repeat spam (30 minutes application time)
• Snowshoeing IP Address Ranges
• Manually by spam analysts, in response to observed spam
Cumulative effectiveness: ~ 95%

Community Gold Standard for IP reputation: Above 90%

Image filtering: Using Smartscreen technology. Above 99%

Fingerprinting: Using Smartscreen and fingerprint technology
• Fingerprint DB is continuously updated by spam analysts

Rules Based Scoring: Scoring system based on 30k active rules and a corpus of 400k rules
• Points are deducted for good mail characteristics
• Points are added for Spam characteristics
• A score of ≥ 30 qualifies as Spam

Page 32:

Forefront Online Protection for Exchange: Outbound E-Mail Filtering

Message flow (diagram labels, in order):
• Corporate Network → Look up e-mail filtering settings for domain
• Virus Scanning: Kaspersky, Symantec, Authentium
• Policy Enforcement: Custom Policy Rules; Attachment and message attribute management; Content and Policy Quarantine
• SPAM Protection: Safe senders; Custom Spam Filter management; Rules Based Scoring; Fingerprint Engine
• Score < 30: Outbound Pool
• Score > 30: NDR Pool
• Other labels: SEWR; Spam Analysts
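The rules-based scoring that the inbound table and the outbound pool diagram both describe, as an added Python example that is not FOPE's code: rules add points for spam characteristics and deduct points for good-mail characteristics, a score of 30 or more is spam inbound, and the same score routes outbound mail to the Outbound Pool or the NDR Pool. The rules, their point values, the safe-sender list and the sample messages are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

SPAM_THRESHOLD = 30      # the slides: a score of >= 30 qualifies as spam


@dataclass
class Mail:
    sender: str
    recipients: list[str]
    headers: dict[str, str]
    body: str


@dataclass(frozen=True)
class Rule:
    name: str
    test: Callable[[Mail], bool]
    points: int           # > 0: spam characteristic, < 0: good-mail characteristic


def _caps_ratio(text: str) -> float:
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


# Constructed rule set (the real system is described as 30k active rules).
RULES = [
    Rule("no_message_id", lambda m: "Message-ID" not in m.headers, 10),
    Rule("lottery_words",
         lambda m: re.search(r"\b(lottery|you have won|wire transfer)\b", m.body, re.I) is not None, 15),
    Rule("shouting", lambda m: _caps_ratio(m.body) > 0.5, 10),
    Rule("recipient_blast", lambda m: len(m.recipients) > 25, 8),
    Rule("is_reply", lambda m: "In-Reply-To" in m.headers, -15),
    Rule("dkim_signed", lambda m: "DKIM-Signature" in m.headers, -10),
]
SAFE_SENDERS = {"partner@example.net"}     # constructed safe-sender list


def score(mail: Mail) -> tuple[int, list[str]]:
    """Sum the points of every matching rule; safe senders are not scored."""
    if mail.sender.lower() in SAFE_SENDERS:
        return 0, ["safe_sender"]
    hits = [rule for rule in RULES if rule.test(mail)]
    return sum(rule.points for rule in hits), [rule.name for rule in hits]


def classify_inbound(mail: Mail) -> str:
    """Inbound: score >= 30 goes to the SPAM quarantine, otherwise deliver."""
    return "spam_quarantine" if score(mail)[0] >= SPAM_THRESHOLD else "deliver"


def route_outbound(mail: Mail) -> str:
    """Outbound: the slide shows 'Score < 30' -> Outbound Pool and
    'Score > 30' -> NDR Pool; exactly 30 is unspecified there, and this
    example (an assumption) treats it like spam."""
    return "ndr_pool" if score(mail)[0] >= SPAM_THRESHOLD else "outbound_pool"


# Constructed sample messages.
SPAM_SAMPLE = Mail("promo@example.org", [f"user{i}@example.com" for i in range(40)],
                   {"Subject": "YOU HAVE WON"},
                   "YOU HAVE WON THE LOTTERY. WIRE TRANSFER FEE REQUIRED TODAY")
HAM_SAMPLE = Mail("alice@example.com", ["bob@example.com"],
                  {"Message-ID": "<1@example.com>", "In-Reply-To": "<0@example.com>"},
                  "Thanks, see you at 3pm.")
```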

Page 33:

Forefront Protection 2010 for Exchange Server Benefits

• Integrated multiple engine malware protection
• Best-of-breed spam protection for on-the-premises and in-the-cloud customers:
  • Precise spam detection with above 99% catch rate
  • Reduction in carbon footprint of spam by early rejection of unwanted messaging stream
• Hybrid model and ease of administration:
  • Low TCO with high ROI for Exchange organizations
  • Flexible implementation

Page 34:

Exchange + Forefront Better Together Security Summary

Exchange 2010 provides…
• Default encryption and broader support for IRM
• Extensive infrastructure for per-user SCL
• Incremental Edge Sync for safe/blocked senders
• Per recipient list aggregation from Microsoft® Office Outlook®

Forefront 2010 extends the foundation with…
• Premium multiple engine antimalware
• Auto-configuration of antispam agents
• Unified management of FPE, Exchange, FOPE
• Leading antispam content filter engine (above 99% detection rate)
• Option of hosted and hybrid protection for lower TCO
• Config/maintenance-free setup

Page 35:

Related Content

• SIA314 | Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
• SIA316 | Behind the Spam: A Look at Botnets, Malware, and the Spammers Who Run Them
• SIA04-INT | Secure Messaging: Implementing Microsoft Forefront Online Protection for Exchange - Best Practices, Pitfalls and Support
• SIA04-HOL | Microsoft Forefront Online Protection for Exchange Administration and Reporting
• SIA10-HOL | Secure Messaging Solution: Business Ready Security with Microsoft Forefront and Active Directory
• Red SIA-1 | Microsoft Forefront Secure Messaging Solution

Page 36:

Resources

• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Page 37:

Complete an evaluation on CommNet and enter to win!

Page 38:

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 39:

JUNE 7-10, 2010 | NEW ORLEANS, LA