Strengthening Mail Security with the Cisco IronPort Mail Solution
Cisco Systems
홍 관 희 (Kevin Hong)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Overview
Spam Trends
Through December, 2007
[Chart: Avg Daily Volume (billions) by Date, Oct-05 to Dec-07]
2006: no increase between January and April
2007: no increase between January and May
Dec – Dec: 100% year-over-year increase, 38B additional messages
Dec – Dec: 58% year-over-year increase: 44B additional messages
Attachment Spam Trends
Attachment type statistics in spam mail
Rapid Onset Spam Attacks: PDF, XLS, MP3 spam attachments
[Charts: Excel Spam Magnitude; Count of Attachment Types Seen in Spam]
August 2007
From Images to Links
URL-only Spam is Increasing
• Spam is steadily increasing
• Attachment spam is decreasing
• Spam with embedded URLs is steadily increasing (currently 83% of spam contains a URL)
[Chart: Percent of Spam Containing]
The Evolution of Spam
Spammers Testing New Techniques
[Timeline figure: Text Spam, Image Spam, PDF Spam, Excel Spam, MP3 Spam; 2005, 2006, 2007 (2nd Qtr, 3rd Qtr, 4th Qtr)]
“2007 has seen a proliferation of different attachment types…Spammers are using these different attachments in order to try and get past email security gateways that are unable to look into complicated file types”
- 2008 Internet Security Trends Report Published By Cisco and IronPort
Cisco IronPort Reputation and Spam Filtering
Cisco IronPort® Gateway Security Products
[Diagram: Internet; IronPort SenderBase; APPLICATION-SPECIFIC SECURITY GATEWAYS (EMAIL Security Appliance, WEB Security Appliance, ENCRYPTION Appliance, Security MANAGEMENT Appliance); CLIENTS]
BLOCK Incoming Threats
PROTECT Corporate Assets: Data Loss Prevention
CENTRALIZE Administration
Web Security | Email Security | Security Management | Encryption
Cisco IronPort
Extending Market Leadership
Customer Leadership
• 99% contract renewal
• Used by 38 of the world's top 100 companies
• Used by 8 of the top 10 ISPs in the United States
Technology Leadership
• Leading the email and web security market
Global Leadership
• Offices and support worldwide
Domestic References
The SenderBase® Network
Global Reach Yields Benchmark Accuracy
• More than 3 billion queries per day
• Collects and analyzes more than 150 email and web parameters
• 25% of worldwide traffic
• Cisco Network Devices in the future
Combines Email & Web Traffic Analysis
Improved detection performance through inspection of email and web traffic
• More than 80% of spam mail references a URL
• Email is used as a major method of spreading web-based malware
• Malware is the major method of infecting spam zombies
[Diagram: IronPort SenderBase; IronPort EMAIL Security Appliances; IronPort WEB Security Appliances]
IronPort AsyncOS™
Multi-Layered Email Security
[Diagram: MANAGEMENT TOOLS; SPAM DEFENSE; VIRUS DEFENSE; EMAIL ENCRYPTION; DATA LOSS PREVENTION; THE IRONPORT ASYNCOS™ EMAIL PLATFORM]
• AsyncOS is an optimized, scalable, and secure operating system for messaging
• Advanced Email Controls protect reputation and downstream systems
• Easily and simply replaces existing legacy systems
• IronPort Reputation Filters – first-line, proactive intrusion blocking
• IronPort Anti-Spam – removes a wide range of threats (spam, fraudulent mail, malware)
SenderBase Reputation Filtering vs. Black Lists & White Lists
[Comparison table; columns: BLACK LISTS & WHITE LISTS, REPUTATION FILTERING]
Features:
• Accuracy
• Granular scoring
• Tailored response
• Reduced administration cost
• Improved message delivery (performance)
Stop More Spam
IronPort Spam Defense
Multi-Layer Spam Defense
[Diagram: SenderBase Reputation Filtering; IronPort Anti-Spam; Who? How? What? Where?; Data Modeling; Reputation; CASE Score]
• More than 90% blocked
• >98% detected and blocked
• < 1 in 1 mil False Positives
IronPort Anti-Spam
Reputation score (Who): SenderBase tracks which IP address sent which email and records it in a database. Proactively blocks more than 90% of unwanted email.
+ IPAS (What): IronPort Anti-Spam analyzes message content and structure. Immediate response to new threats such as image spam.
+ WBRS (Where): Web Reputation inspects and tracks the URL links embedded in messages. Proactively blocks attacks such as phishing.
= Unprecedented Spam Detection
IronPort Anti-Spam: Web Reputation
IronPort innovation: URLs embedded in email are evaluated by their reputation score and then blocked.
Example:
Sender: "Barclays Bank PLC" onlinebanking@ibay gnk.barclays.co.uk
mail-from address forged
Host IP: 196.218.185.156
URL: http://ibank.barclays.co.uk.massivereach.com/olb/x/LoginMember.do/login.html
Registered with a Mauritius ISP
Web Reputation in Action
HOW?
• Message leaves trace of malware tools
WHERE?
• URL only just registered
• URL already blacklisted
• URL seeing large traffic spikes
• Hosts many unique sites (rock phish kit)
WHO?
• IP address recently started sending email
• Message originated from dial-up IP address
• Sending IP address located in Ukraine
Verdict: BLOCK
Cisco IronPort Targeted Phishing Solutions
• Reputation filters using the SenderBase database
• IPAS (IronPort Anti-Spam) Web Reputation
• Email authentication support
• HTML Conversion
Complementary Solutions
• Encryption
• Web security (Web reputation, Anti-malware, Anti-virus)
Reduced Administration Time
• Easy 5 Step Installation
• Email Security Manager For Configuration
• Message Tracking
• Real Time Reporting
IronPort Reputation Filters
Dell Case Study
• Dell's situation:
– 26 million messages per day
– About 1.5 million are legitimate mail
– Ran 68 spam-filtering machines on Spam Assassin, but accuracy was lacking
• IronPort solution:
– Reputation Filters delete 19 million messages per day
– 5.5 million spam messages are blocked by second-stage spam filtering
– The 68 existing machines were replaced by 8 IronPort units
• 10x improvement in accuracy
• 70% fewer servers
• 75% lower operating costs
“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
Comprehensive Reporting
Cisco IronPort Data Loss Prevention Technology
Evolution of Data Loss
Email Remains A Primary Loss Vector
Record Type Lost
Credit Card Numbers 45%
Email Address 13%
Other 12%
Social Security Numbers 30%
Stop More Data Loss
IronPort Data Loss Prevention
Integrated Scanning & Remediation
Scanning: Dictionaries, Filters, Smart Identifiers
Remediation: Notify, Quarantine, Secure Messaging
“Email has become the de facto filing system for nearly all corporate information, making it even more critical to protect the outbound flow of messages.”
- Brian Burke, Security Products Research Manager, IDC
Data Loss Prevention Foundation
Integrated Scanning
[Diagram: Users; Outbound Mail; Integrated Scanning]
• Compliance Dictionaries
• Custom Content Filters
• Smart Identifiers
• Weighted Content Dictionaries
• Attachment Scanning
Integrated Scanning Makes DLP Deployments Quick & Easy
Data Loss Prevention: Integrated Scanning and Remediation
Scanning Work Flow
• Pre-Defined Filters
• Compliance Dictionaries
• Smart Identifiers
Remediation Work Flow
• DLP Notification
• Quarantine View Of Violation
• Encrypt The Message
View HIPAA Violation Report
Email Authentication
Email Authentication: SPF and DKIM
Sender Policy Framework (SPF) + DomainKeys Identified Mail (DKIM)
• Complementary technologies: Path-based and cryptographic methods
• Technology adoption: >50% of Legitimate Emails use SPF/DKIM
• Blocking phishing attacks: Protect your Brand and Customers
[Diagram: DNS (SPF Record, Public DKIM); Private DKIM; Internet; ISPs; Scammer; SPF FAILED, DKIM FAILED]
Example: Which is legitimate?
Email A:
From: eBay.com
IP: 216.33.244.124
DKIM Header: s=main; d=ebay.com; c=nofws; q=dns; b=BVOKQjGvI…mQ8d8OygW
Email B:
From: eBay.com
IP: 64.8.244.90
DKIM Header: None
Example: How it works
[Diagram: eBay DNS Server; SIDF Record 216.33.244.124; senders 216.33.244.124 and 64.8.244.90]
1. Publish Records in DNS
2. A: Signed, from 216.33.244.124
3. B: Unsigned, from 64.8.244.90
4. Query eBay SIDF & DKIM records
5. Receive SIDF & DKIM records
6. Determine verdicts for email A
7. Determine verdicts for email B
Authentication Results for email A:
DKIM = pass
X-SID-Result: Pass
Authentication Results for email B:
DKIM = neutral
X-SID-Result: Fail
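The path-based half of the check above, as an added example that is not part of the original slides: it evaluates the two sender IPs from the slide against an SPF-style record. The record is constructed, the function names are hypothetical, and DKIM signature verification is not shown.

```python
import ipaddress

# Constructed record for illustration; not the published policy of any real domain.
SAMPLE_RECORD = "v=spf1 ip4:216.33.244.0/24 -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_path(record: str, client_ip: str) -> str:
    """Evaluate an SPF-style record against the connecting IP.

    Mechanisms are tried left to right and the first match decides.
    Only ip4, ip6 and all are handled; anything that needs further DNS
    lookups (include, a, mx, redirect=) returns "unsupported", not a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return "unsupported"
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version == int(name[2]) and ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def verdicts(record: str, senders: dict) -> dict:
    """Map each labelled sender IP to its path-based result."""
    return {label: check_path(record, ip) for label, ip in senders.items()}

if __name__ == "__main__":
    # Sender IPs A and B are the ones shown on the slide.
    print(verdicts(SAMPLE_RECORD, {"A": "216.33.244.124", "B": "64.8.244.90"}))
```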
IronPort Security Feature
HTML Conversion
HTML Sanitization
Further Protection for Targeted Phishing
• Converts HTML email to plain text
• Prevents users from carelessly clicking URL links
• Hidden email links and similar content are converted to text so that they are visible to the user
• User would have to copy/paste the link into web browser for rendering
Targeted Phishing Email → Authentication Results Fail → HTML-convert to plain text
Authentication Results:
DKIM = neutral
X-SID-Result: Fail
eBay sent this message! Your registered name is included to show this message originated from eBay. Learn more [Bad link location which you would never go to]
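One way to do the HTML-to-text conversion described above, as an added example (not IronPort's code): each link's real target is printed next to its anchor text, so a hidden destination becomes visible. The sample message, the class and function names, and the .example hostnames are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the visible link text hides where the link really goes.
SAMPLE = (
    "<html><head><style>a{color:blue}</style></head><body>"
    "<p>eBay sent this message!</p>"
    '<p><a href="http://phish.example/login">Learn more</a></p>'
    "</body></html>"
)

class LinkRevealer(HTMLParser):
    """Flatten an HTML body to text and append each href after its anchor text."""
    SKIP = {"script", "style", "head"}   # content that must never reach the reader

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.href, self.skip_depth = [], None, 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag == "a":
            self.href = dict(attrs).get("href")
        elif tag in ("br", "p", "div"):
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1
        elif tag == "a" and self.href is not None:
            self.out.append(f" [{self.href}]")   # real destination, shown as text
            self.href = None

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

def html_to_text(html: str) -> str:
    parser = LinkRevealer()
    parser.feed(html)
    parser.close()   # flush text buffered by convert_charrefs
    lines = (" ".join(line.split()) for line in "".join(parser.out).splitlines())
    return "\n".join(line for line in lines if line)

if __name__ == "__main__":
    print(html_to_text(SAMPLE))
```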
Email Encryption
IronPort PXE: Sending a Message
Instant Deployment, Zero Management Costs
CISCO REGISTERED ENVELOPE SERVICE
• Automatic user creation
• User authentication and key delivery
• Message tracking
• Secure reply
NEVER stores email message → highest security
Recipient Experience: Receiving a Message
First-Time Registration
Recipient Experience: Receiving a Message
Simple & Intuitive
• Open Attachment
• Enter password
Secure Messaging
Email Encryption That’s Easy For Receivers
1. Open Attachment
2. Enter password
3. View message
Send To Anyone
No Certificates
No Plug-Ins