email security - etda · effectively stops new and emerging threats with multi-layered technologies...

Presenter Date Email Security Dr. Rattipong Putthacharoen, Com. Eng., SE Lead. Jan 2019


Page 1: Email Security - ETDA · Effectively stops new and emerging threats with multi-layered technologies and intelligence from the world’s largest GIN Blocks stealthy threats with cloud

Email Security

Presenter: Dr. Rattipong Putthacharoen, Com. Eng., SE Lead.

Date: Jan 2019

Page 2

Copyright © 2017 Symantec Corporation

Agenda

1. Challenges
2. Architecture
3. Technologies
4. Advanced Email Security
5. Data Protection
6. Demo

Page 3

Challenges

Page 4

Email Continues To Be The Attack Vector Of Choice

[Chart labels: Spear Phishing; Business Email Compromise; Spam; Ransomware; Malicious Websites; Negligent Employees; Other; Endpoints; Email; Network & Web]

Page 5

Copyright © 2018 Symantec Corporation SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY

Evolving Email Threat Landscape

• Email is the #1 delivery mechanism for malware
• 36%: Increase in ransomware
• 55%: Increase in spear phishing campaigns
• 8,000: Businesses targeted each month by BEC scams
• 30%: Users opened phishing emails
• 72%: Incident responders use security analytics to speed detection & response

Source: ISTR Report 2017, Email ISTR Report 2017, ISTR Report 2016, Verizon DBIR 2016, 2016 SANS Incident Response Survey

Page 6

Email Security Challenges / Chaos

[Diagram labels: EVOLVING THREAT LANDSCAPE; OPERATIONAL COMPLEXITY; BUSINESS EMAIL COMPROMISE; SPEAR PHISHING; RANSOMWARE; TARGETED & ADVANCED THREATS; EMAIL VENDOR; DLP VENDOR; ENDPOINT VENDOR; WEB VENDOR; POINT PRODUCTS = DISJOINTED SECURITY; VULNERABLE ORGANIZATIONS; Sensitive data shared; Uninformed users; Social Engineered Attacks; Poor Visibility; SHORTAGE OF SECURITY PERSONNEL]

Page 7

Email Security Technologies

Integrated Solution

PREVENT DATA LEAKAGE
• Advanced Detection Technologies
• Multi-Channel Data Protection
• Policy-Driven Controls
• Push & Pull Encryption

PROACTIVELY PREVENT ATTACKS
• Customizable Security Assessments
• Detailed Reporting & Visibility
• Integrated User Education

ISOLATE DANGEROUS THREATS
• Malicious URL Isolation
• Attachment Isolation
• Credential Theft Protection

PROTECT AGAINST EMERGING THREATS
• Machine Learning & Sandboxing
• Click-Time Protection
• Advanced Email Security Analytics
• SOC Integration
• Threat Remediation

STOP PHISHING ATTACKS
• Real-Time Link Following
• Impersonation Controls
• Phishing Variant Detection
• Behavioral Analysis
• Deep Code Analysis

BLOCK COMMON THREATS
• Heuristics
• Reputation Analysis
• Connection-Level Detection
• AV Engine

Page 8

Architecture

Page 9

Symantec Email Security Solutions

Messaging Gateway

On-premises Appliance Multi-Tenant Cloud

Protect against spear phishing, ransomware, and BEC attacks

Quickly respond to targeted & advanced email attacks

Keep your emails secure and confidential

Page 10

Rainmaker Training Series

Symantec Email Security Solutions: Cloud-Based or On-premises Appliance

Solution Overview

• Protects against targeted attacks, ransomware, spear phishing & business email compromise
• Provides deep visibility into targeted attacks and accelerates remediation
• Controls sensitive data and helps meet compliance & privacy requirements

[Diagram labels: Users; Firewall; On-Premise or Cloud Email Server; Third-Party Email Server; Inbound/Outbound; Messaging Gateway; Anti-Spam; Anti-Malware; Data Protection; Policy-Based Encryption; Phishing Detection; Phishing Awareness; Advanced Threat Protection; Advanced Email Analytics; Over 60 Data Points; File; IP & URL; Senders & Recipients; Malware Behavior; Threat Context; ATP Platform; MSS]

Page 11

Powered by GIN

CLOUD GLOBAL INTELLIGENCE SOURCED FROM:

• 182M web attacks blocked last year
• Discovered 430 million new unique pieces of malware last year
• 12,000+ Cloud applications discovered and protected
• 100M social engineering scams blocked last year
• 1B malicious emails stopped last year
• 175M Consumer and Enterprise endpoints protected
• 9 global threat response centers with 3,000 Researchers and Engineers
• 1 Billion previously unseen web requests scanned daily
• 2 Billion emails scanned per day

[Diagram labels: File; URL; Whitelist; Blacklist; Certificate; Machine Learning]

Page 12

Technologies

Page 13

Overview of the Symantec Cloud Email Security Solution

Multi-Tenant, Cloud-Based Solution

Solution Overview

• Blocks spear phishing, ransomware, BEC attacks, malware, spam, and bulk mail
• Protects sensitive data shared via email to help meet compliance & privacy requirements
• Detects new and stealthy targeted & advanced attacks
• Provides deep visibility into targeted attacks and accelerates threat response

[Diagram labels: Users; On-Premise Email Server; Cloud-Based Email Server; Firewall; Third-party; Inbound/Outbound; Advanced Threat Protection; Anti-Spam; Anti-Malware; Data Protection; Policy-Based Encryption]

Page 14

Effectively Protect Office 365 From Threats with Intelligent Multi-Layered Defense

Effectively stops new and emerging threats with multi-layered technologies and intelligence from the world’s largest GIN

Blocks stealthy threats with cloud sandboxing and deep visibility into targeted & advanced threats

Outbound Mail

Delivered Mail

Protects Against:

• Spear Phishing

• Ransomware

• Business Email Compromise

• Targeted & Advanced Threats

• Viruses and Malware

• Spam Emails

• Newsletters & Marketing Emails

Incoming Mail

Symantec Advanced Threat Protection for Email

Symantec Email Security.cloud

Page 15

Email Protect Scanning Overview

[Diagram: Inbound Messages; Connection Process; Signatures; Predictive Detection; Clean Email Delivered]

Page 16

Connection Process

Traffic Shaping slows inbound SMTP traffic based on a number of criteria.

o IP Reputation
o Concurrent connections
o Bandwidth requested per connection
o Speed of the connection

SMTP Heuristics ensures that only RFC compliant SMTP connections are made; anomalous connection attempts are dropped.

Page 17

Connection Process

Address Registration utilizes a customer’s list of valid user email addresses and rejects invalid recipients.

When the SMTP connection is accepted, the service checks the inbound mail against the customer’s Approved and Blocked Lists.

3rd Party Blocked Lists are also available.

Spoofed Sender Detection enables customers to check that traffic matches a sending domain’s SPF Record, DKIM or their DMARC policy.

Page 18

Signatures

Anti-Malware Signatures identify any known malicious files contained within the email and/or its attachments.

Convicted messages are quarantined for 30 days.

Page 19

Signatures

Anti-Spam Signatures identify any known spam messages.

Convicted messages from Block Lists and Anti-Spam technologies can have different actions taken.

Action options

• Block and delete
• Quarantine
• Append a header and redirect
• Append a header and allow
• Tag the subject line

Page 20

Skeptic is suspicious!

Heuristic engine which looks at all email characteristics

• Delivery Behavior
• Message Attributes
• How Attachment Is Linked To Email
• Abnormal Content Inside Documents To Identify Anomalies
• Signature Evasion Techniques
• Extracted Executable And How It Is Attached
• Final Payload
• Social Engineering Tricks

Page 21

Skeptic: Pseudo equation for heuristic analysis

+ Questionable source
+ Suspect attachment
+ Suspicious code in attachment
(+ Evidence of obfuscation)
(+ Unexpected encryption)
______
Heuristically detected malcode

Not all suspicious elements are required for conviction.

Page 22

Skeptic Advanced Message Analysis

Advanced code analysers for over 90 file types

ANALYZERS EXTRACT INFORMATION FROM THE FILE AND EITHER PASS IT TO ANOTHER ANALYZER, OR PRESENT THE INFORMATION TO SKEPTIC’S HEURISTICS

EXAMPLE (ZIP, DOC, EXE, URL): ZIP CONTAINS A DOC, WHICH CONTAINS AN EXE, WHICH CONTAINS A MALICIOUS URL

EXAMPLE (PDF, JSCRIPT): PDF CONTAINS MALICIOUS JAVASCRIPT
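An added sketch of the analyzer chain and the pseudo equation from the two Skeptic slides above; it is not Symantec's code. The weights, threshold, limits, the `malicious.example` host and all sample files are constructed assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Hypothetical weights, threshold and limits, chosen for illustration only.
WEIGHTS = {"questionable_source": 2, "suspect_attachment": 2,
           "suspicious_code": 3, "obfuscation": 2, "unexpected_encryption": 2}
CONVICT_AT = 5               # score at which the message is convicted
MAX_DEPTH = 5                # containers nested deeper than this are not opened
MAX_MEMBER_BYTES = 1 << 20   # read at most 1 MiB from any archive member
KNOWN_BAD_HOSTS = {"malicious.example"}   # constructed reputation list
URL_RE = re.compile(rb"https?://[\w.\-/%?=&:]+")


def _scan_urls(data, report):
    """Record URLs found in raw bytes; return True if any host is known bad."""
    bad = False
    for raw in URL_RE.findall(data):
        url = raw.decode("ascii", "replace")
        report["urls"].append(url)
        bad |= urlsplit(url).hostname in KNOWN_BAD_HOSTS
    return bad


def _analyze_zip(data, depth, report):
    try:
        if depth >= MAX_DEPTH:
            raise zipfile.BadZipFile("nesting limit reached")
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["signals"].add("obfuscation")     # too deep or malformed
        return
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:             # password-protected member
                report["signals"].add("unexpected_encryption")
                continue
            with zf.open(info) as fh:
                member = fh.read(MAX_MEMBER_BYTES)
            analyze(info.filename, member, depth + 1, report)


def analyze(name, data, depth=0, report=None):
    """Choose an analyzer by file signature; collect signals for the heuristics."""
    report = report or {"signals": set(), "urls": [], "chain": []}
    report["chain"].append((depth, name))
    if data[:4] == b"PK\x03\x04":                # ZIP, also DOCX/XLSX/JAR
        _analyze_zip(data, depth, report)
    elif data[:2] == b"MZ":                      # Windows executable
        report["signals"].add("suspect_attachment")
        if depth >= 2:                           # buried in nested containers
            report["signals"].add("obfuscation")
        if _scan_urls(data, report):
            report["signals"].add("suspicious_code")
    elif data[:5] == b"%PDF-" and (b"/JavaScript" in data or b"/JS" in data):
        report["signals"].add("suspicious_code")  # plain-text match only
    else:
        _scan_urls(data, report)
    return report


def verdict(report, questionable_source=False):
    """Sum the weights of the signals present; no single signal is required."""
    signals = set(report["signals"])
    if questionable_source:
        signals.add("questionable_source")
    score = sum(WEIGHTS[s] for s in signals)
    return score, score >= CONVICT_AT


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: ZIP > DOCX > EXE > URL, and a PDF with JavaScript.
EXE = b"MZ" + b"\x00" * 32 + b"http://malicious.example/stage2.bin\x00"
DOCX = make_zip({"word/document.xml": b"<w:document/>", "word/embeddings/update.exe": EXE})
NESTED_ZIP = make_zip({"invoice.docx": DOCX})
PDF = b"%PDF-1.4\n1 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
```

Calling `verdict(analyze("invoice.zip", NESTED_ZIP))` convicts the nested sample on three of the five signals, while the PDF sample is convicted only when the connection stage also reports a questionable source.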

Page 23

Real Time Link Following

LINK ANALYSED: http://ow.ly/1234

REDIRECTS TO: http://www.mundo12345.com/images/logos/Z1/img.php

REDIRECTS TO: http://www.newtonp12345.com.br/images/fotos/fotos/A/

REDIRECTS TO: http://www.newton12345.com.br/images/fotos/fotos/A/html/content/home/index.html

MALICIOUS CONTENT IDENTIFIED

INTELLIGENCE UPDATED

EMAIL STOPPED IN REAL-TIME PRIOR TO DELIVERY

Page 24

Overview of Business Email Compromise

BEC scams involve crafted emails sent to recipients by fraudsters pretending to be senior executives. These emails leverage social engineering and urgent requests to get employees to carry out large wire transfers or send over sensitive information such as W2 forms.

BEC emails are typically characterized by:

• Impersonation of a high-level executive of your company
• Email domains similar to yours (Typosquatting)
• Prominent use of free webmail service providers (Gmail, Yahoo etc.)
• Emails that do not contain URLs, phone numbers, or attachments.

Page 25

Anatomy of a Business Email Compromise Scam

From: [email protected]
To: Finance or Accounting user
Subject Line: Request

I need you to process a wire transfer today. Please confirm so that I can forward you the instructions.

Regards
Greg Clark
Chief Executive Officer

Sent from my iPad

[Callouts: Impersonated User; Impersonated Domain; Targeted User; Simple Subject Line; Urgent Request; Social Engineering; No Attachment or Link]

Page 26

Symantec Defends Your Organization from Business Email Compromise Scams

NEW! Simplified Impersonation Controls

Proactively block Business Email Compromise and other spoofing attacks with new impersonation controls

• Protect specific executives or all users from attacks impersonating a user
• Stop attacks that impersonate email domains
• Whitelist specific users, domains, and IP addresses

Page 27

Symantec Defends Against Business Email Compromise

NEW! Simplified Impersonation Controls

1. User Impersonation Controls
• Blocks attacks masquerading as a user in your organization
• Stops scams impersonating senior executives

2. Domain Impersonation Controls
• Prevents attacks imitating a legitimate email domain in your organization
• Identifies attacks using spoofed or cousin domains

3. Email Attribute Controls*
• Guards against attacks exhibiting suspicious behavior such as mismatched email headers
• Blocks attacks that spoof display names

[Diagram labels: Global Intelligence Network; Business Email Compromise Scam]
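An added example of the three impersonation controls listed above, applied to the BEC traits from the earlier slides; it is not Symantec's implementation. The tenant settings (`example.com`, the protected-user table, the edit-distance limit of 2) and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed tenant configuration (all values constructed for this example).
ORG_DOMAINS = {"example.com"}
PROTECTED_USERS = {"Greg Clark": "greg.clark@example.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com"}
ALLOWED_SENDERS = set()      # addresses exempted from the checks
COUSIN_MAX_EDITS = 2         # edit distance that still counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance, used to spot cousin (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_key(display_name):
    """Normalise 'Clark, Greg' and 'GREG  CLARK' to one comparable key."""
    decoded = str(make_header(decode_header(display_name)))  # RFC 2047 names
    return " ".join(sorted(decoded.lower().replace(",", " ").split()))


PROTECTED_KEYS = {name_key(n): a for n, a in PROTECTED_USERS.items()}


def check_message(raw):
    """Return the impersonation findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))   # parse first, decode name later
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in ALLOWED_SENDERS:
        return []
    findings = []
    # 1. User impersonation: protected display name on someone else's address.
    real = PROTECTED_KEYS.get(name_key(name))
    if real and addr != real:
        findings.append("user_impersonation")
        if domain in FREE_WEBMAIL:
            findings.append("free_webmail_sender")
    # 2. Domain impersonation: close to, but not equal to, an owned domain.
    if domain and domain not in ORG_DOMAINS and any(
            edit_distance(domain, d) <= COUSIN_MAX_EDITS for d in ORG_DOMAINS):
        findings.append("cousin_domain")
    # 3. Email attributes: replies routed to a different domain than the sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    if reply_domain and reply_domain != domain:
        findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages; none is taken from real traffic.
BODY = "\n\nI need you to process a wire transfer today.\n"
SAMPLES = {
    "cousin": 'From: "Greg Clark" <greg.clark@examp1e.com>\nSubject: Request' + BODY,
    "webmail": 'From: "Clark, Greg" <ceo.office@gmail.com>\nSubject: Request' + BODY,
    "encoded": "From: =?utf-8?q?Greg_Clark?= <gc@example.net>\n"
               "Reply-To: <gc@mail.example.org>\nSubject: Request" + BODY,
    "genuine": 'From: "Greg Clark" <greg.clark@example.com>\nSubject: Q3' + BODY,
}
```

A message forged with the protected user's exact address passes these checks; that case falls to the SPF, DKIM and DMARC checks described under Spoofed Sender Detection. A limit of 2 edits will also match short, unrelated domains, so real deployments pair it with an allow list.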

Page 28

Advanced Email Security

Page 29

Complete Cyber Defense Platform–Email, Web, Endpoint

Monitoring & enforcement point for sensitive information shared over email

Policy-based data encryption from cloud service or on-premises appliance

[Diagram labels: INTERNET; Messaging Gateway; Content Analysis (Sandboxing); Email Threat Isolation; Internal Messaging Server; Global Intelligence Network]

Page 30

Content Analysis

Advanced File Analysis

1. SMG (.JAR, .EXE)
2. Hash Reputation: Custom user whitelist/blacklist + Risk Scoring; 5 Billion file reputation database
3. Dual Anti-Malware/Anti-Virus: Combine Symantec, Kaspersky, Sophos or McAfee; Files up to 5GB / Signature updates every 5 minutes
4. Predictive File Analysis: Static Code Analysis / Machine Learning; Parse and collect files / Match code to 4B “bad”
5. Dynamic Sandboxing: VM + Emulation Sandboxing using custom “Gold Images”; Behavior and YARA rule analysis

• Passes acceptable files to user
• Signatures evaluated for known bad
• Analyzes code for malicious character
• Detonates only truly unknown files

Global Intelligence Network

Page 31

Dynamic Sandboxing

Content Analysis

Unique Dual-Sandbox Architecture & Mobile Pattern Matching

Detailed Reports

Gold Image Profile Replication

Quickly analyze and prioritize advanced malware and zero-day threats for remediation and continuous security improvement

Page 32

Complete Cyber Defense Platform–Email, Web, Endpoint

Monitoring & enforcement point for sensitive information shared over email

Policy-based data encryption from cloud service or on-premises appliance

[Diagram labels: INTERNET; Messaging Gateway; Content Analysis; ProxySG; SEP Manager; SEP Agent; Email Threat Isolation; Internal Messaging Server; Global Intelligence Network]

Page 33

Malicious Attachment Protection – Disarm

Threat Defense

Office & PDF Files

• Flash
• Macros
• Javascript
• 3D components
• Fonts
• XFA (and its Javascript)
• Launch execution
• Fullscreen execution

Rewrite URLs in email body

• Disable
• Replace

Messaging Gateway

1. Email with file attachment containing active content
2. Disable active content and reassemble file
3. Reattach file to original email
4. User receives email with revised file attachment

Page 34

Pro-active Post Delivery Malware Alerting: Click-time Analysis

1. URL intercepted
2. URL Decoded
3. Web request made
4. Any redirects followed
5. Page scanned

Page 35

Page 36

Page 37

How Email Threat Isolation Works

[Diagram labels: Phishing email; Mail server; Symantec Cloud Email Security; Links transformed to redirect through Web Isolation; User clicks on link; Email Isolation Portal; Isolated site + Read-only]

Page 38

Get Complete Ransomware Link Protection

1. Evaluate Links At Delivery Time: Block Attack
2. Evaluate Links At Click Time: Block Attack
3. Isolate Links and Attachments: Isolate Attack

[Diagram labels: Ransomware Attack; Symantec Cloud Email Security; Users; Email Threat Isolation; Trusted Websites; Allow Link & Attachment]

Page 39

Symantec Provides the Deepest Visibility Into Targeted & Advanced Attacks

Advanced Email Security Analytics

• Email Volume
• Malicious Email Senders & Recipients
• Severity Level
• Attack Technology Used
• Malware Category
• URL Information
• Malicious Email Theme or Topic
• Detection Method
• File Hashes

ATP Platform

Symantec Managed Security Services

Correlation & Response Benefits

Identify targeted attack recipients

Correlate threats with endpoints

Feed URLs into web proxy

Accelerate Threat Response

Find patterns in threats

Monitor email logs

Export Intelligence

Accelerate Threat Response

60+ Data Points on Clean and Blocked Emails

Page 40

Remediate Threats by Quarantining Dangerous Emails

• Enhanced mobile experience
• Show additional message information such as attachment names and direction
• Quarantine data protection & image control messages
• Clearly differentiates between spam and information protection messages
• Enhanced reporting options with more details on usage
• Can hold DLP violating message for quarantine admin review and release or release to an admin

Page 41

Data Protection

Page 42

Protect Your Confidential Data In Cloud Email

Granular DLP policies protect sensitive data and help address legal and compliance requirements

Policy-based encryption policies automatically safeguard the security and privacy of confidential emails

PCI ✓   GLBA ✓   HIPAA ✓   ITAR ✓

[Diagram labels: Symantec Email Security.cloud; Symantec DLP; Sensitive Information Protected; Advanced Multi-Channel Coverage; Customizable Control; Seamless Encryption or Decryption; Quick, Secure Message Delivery]

Page 43

Encryption Services

TLS

• Used when a customer wants to ensure that all communications with a business partner are encrypted. This can be specified on a domain-by-domain basis.

Policy Based Encryption Essentials

• Used when a customer wants emails encrypted based on the content of a mail
• Used when private data is sent to a 3rd party who may not be able to enforce TLS

Page 44

Data Loss Prevention and Encryption Integration

1. End User sends Email
2. Inspection
3. Hold for Remediation
4. Remediation Quarantine Management
5. Email Delivery to Recipient

[Diagram labels: Upstream Mailserver; MESSAGING GATEWAY; DLP NETWORK PREVENT FOR SMTP; DLP ENFORCE; Policies; Incidents; CONTENT ENCRYPTION; Third-Party Email Server]

• Monitoring and enforcement point for sensitive information shared over email through integration with multi-channel DLP platform
• Remediation Management enforced via DLP through integrated SMG Quarantine APIs
• Policy-based encryption from Content Encryption service or on-premises appliance

Page 45

Email Security Summary

MALWARE & SPAM PROTECTION / PHISHING DEFENSE / EMERGING THREAT PREVENTION

• CONNECTION LEVEL: SMTP firewall, sender reputation and authentication reduce risks and throttle bad connections
• MALWARE & SPAM DEFENSE: Heuristics, reputation, and signature based engines evaluate files and URLs for email malware & spam
• ADVANCED MACHINE LEARNING: Analyzes code for malicious characteristics
• LINK PROTECTION: Evaluates malicious links at email delivery and time of click with advanced phishing variant detection
• BEHAVIOR ANALYSIS: Identifies new, crafted, and hidden malware by examining the behavior of suspicious email
• IMPERSONATION CONTROL: Blocks Business Email Compromise and other spoofing attacks
• SANDBOXING: Detonates only truly unknown files in both physical and virtual environments

Global Intelligence Network

Page 46

Demo

Page 47

Q & A

Page 48

Thank You!