
Strengthening Mail Security with the Cisco IronPort Mail Solution

Cisco Systems

홍관희 (Kevin Hong), [email protected], [email protected]

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Overview

Spam Trends (Through December 2007)

[Chart: average daily spam volume (billions) by date, Oct-05 to Dec-07]

• 2006: no increase between January and April
• 2007: no increase between January and May
• Dec – Dec: 100% year-over-year increase, 38B additional messages
• Dec – Dec: 58% year-over-year increase: 44B additional messages

Attachment Spam Trends

Rapid Onset Spam Attacks: PDF, XLS, MP3 spam attachments

Attachment type statistics in spam mail

[Charts: Excel Spam Magnitude; Count of Attachment Types Seen in Spam, August 2007]

From Images to Links: URL-only Spam is Increasing

[Chart: Percent of Spam Containing]

• Attachment spam is decreasing
• URL-embedded spam keeps increasing (currently 83% of spam contains a URL)

The Evolution of Spam: Spammers Testing New Techniques

[Timeline figure. Spam types: Text Spam, Image Spam, PDF Spam, Excel Spam, MP3 Spam. Time axis: 2005, 2006, 2007 (2nd Qtr, 3rd Qtr, 4th Qtr)]

“2007 has seen a proliferation of different attachment types…Spammers are using these different attachments in order to try and get past email security gateways that are unable to look into complicated file types”

- 2008 Internet Security Trends Report Published By Cisco and IronPort

Cisco IronPort Reputation and Spam Filtering

Cisco IronPort® Gateway Security Products

[Diagram labels]
• Internet
• IronPort SenderBase
• BLOCK Incoming Threats
• APPLICATION-SPECIFIC SECURITY GATEWAYS: EMAIL Security Appliance, WEB Security Appliance, ENCRYPTION Appliance
• Security MANAGEMENT Appliance: CENTRALIZE Administration
• PROTECT Corporate Assets: Data Loss Prevention
• CLIENTS

Web Security | Email Security | Security Management | Encryption

Cisco IronPort: Extending Market Leadership

Customer Leadership
• 99% contract renewal
• Used by 38 of the world's top 100 companies
• Used by 8 of the top 10 ISPs in the United States

Technology Leadership
• Leading the email and web security market

Global Leadership
• Offices and support worldwide

Domestic References

The SenderBase® Network: Global Reach Yields Benchmark Accuracy

• More than 3 billion queries per day
• Collects and analyzes more than 150 email and web parameters
• 25% of worldwide traffic
• Cisco network devices in the future

Combines Email & Web Traffic Analysis
• Inspecting both email and web traffic improves detection performance
• More than 80% of spam references a URL
• Email is used as a primary method of spreading web-based malware
• Malware is the primary method of infecting spam zombies

[Diagram labels: IronPort SenderBase; IronPort EMAIL Security Appliances; IronPort WEB Security Appliances]

IronPort AsyncOS™: Multi-Layered E-Mail Security

THE IRONPORT ASYNCOS™ EMAIL PLATFORM
• MANAGEMENT TOOLS
• SPAM DEFENSE
• VIRUS DEFENSE
• EMAIL ENCRYPTION
• DATA LOSS PREVENTION

• AsyncOS is an operating system optimized for messaging, built for scalability and security
• Advanced Email Controls protect reputation and downstream systems
• Replaces existing legacy systems easily and simply
• IronPort Reputation Filters: first-line, preemptive blocking of intrusions
• IronPort Anti-Spam: removes many kinds of threats (spam, fraudulent mail, malware)

SenderBase Reputation Filtering vs. Black Lists & White Lists

[Comparison table. Columns: Feature | BLACK LISTS & WHITE LISTS | REPUTATION FILTERING]

Features compared:
• Accuracy
• Granular scoring
• Tailored response
• Reduced administration cost
• Improved message delivery (performance)

Stop More Spam: IronPort Spam Defense

Multi-Layer Spam Defense
• SenderBase Reputation Filtering: Who?
• IronPort Anti-Spam (CASE Score): Who? How? What? Where?
• Data Modeling
• Reputation
• Blocks more than 90%
• >98% detection and blocking
• < 1 in 1 mil False Positives

IronPort Anti-Spam

Who: Reputation score
• SenderBase tracks which IP address sent which email and records it in a database
• Preemptively blocks more than 90% of unwanted email

+

What: IPAS
• IronPort Anti-Spam analyzes message content and structure
• Responds immediately to new threats such as image spam

+

Where: WBRS
• Web Reputation inspects and tracks the URL links embedded in a message
• Preemptively blocks attacks such as phishing

= Unprecedented Spam Detection

IronPort Anti-Spam: Web Reputation

IronPort innovation: URLs embedded in an email are judged by their reputation score and then blocked.

Example:
• Sender: "Barclays Bank PLC" onlinebanking@ibank.barclays.co.uk (mail-from address forged)
• Host IP: 196.218.185.156
• URL: http://ibank.barclays.co.uk.massivereach.com/olb/x/LoginMember.do/login.html
• Registered with a Mauritius ISP
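The slide's example URL carries the bank's domain only as left-hand labels of an unrelated host. As an added illustration (not Cisco or IronPort code, and not how Web Reputation scores are computed), the following lexical check flags that pattern and links that leave the claimed sender domain. `PROTECTED_DOMAINS` and all function names are assumptions made for this example; the sender address is read as onlinebanking@ibank.barclays.co.uk.

```python
from urllib.parse import urlsplit

# Brand domains to protect (assumption: a defender-maintained list).
PROTECTED_DOMAINS = ["barclays.co.uk"]


def host_of(url):
    """Return the lowercase hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host, domain):
    """True if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def embeds_brand(host, domain):
    """True if the brand's labels appear inside host but host is not under the brand.

    Catches hosts of the form <brand-domain>.<unrelated-domain>, where the
    brand is only a run of left-hand labels.
    """
    if belongs_to(host, domain):
        return False
    labels, brand = host.split("."), domain.split(".")
    n = len(brand)
    return any(labels[i:i + n] == brand for i in range(len(labels) - n + 1))


def check_message(from_addr, urls, protected=PROTECTED_DOMAINS):
    """Return a list of (url, reason) findings for one message."""
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    for url in urls:
        host = host_of(url)
        for domain in protected:
            if embeds_brand(host, domain):
                findings.append((url, f"host embeds {domain} but is not under it"))
            elif belongs_to(sender_domain, domain) and not belongs_to(host, domain):
                findings.append((url, f"sender claims {domain}, link leaves it"))
    return findings


# Values from the slide's example.
SLIDE_FROM = "onlinebanking@ibank.barclays.co.uk"
SLIDE_URL = ("http://ibank.barclays.co.uk.massivereach.com"
             "/olb/x/LoginMember.do/login.html")

if __name__ == "__main__":
    for url, reason in check_message(SLIDE_FROM, [SLIDE_URL]):
        print(reason, "->", host_of(url))
```

A check like this only looks at the string; the reputation signals the deck describes (registration age, traffic, hosting) are a separate layer.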

Web Reputation in Action

HOW?
• Message leaves trace of malware tools

WHERE?
• URL only just registered
• URL already blacklisted
• URL seeing large traffic spikes
• Hosts many unique sites (rock phish kit)

WHO?
• IP address recently started sending email
• Message originated from dial-up IP address
• Sending IP address located in Ukraine

Verdict: BLOCK

Cisco IronPort Targeted Phishing Solutions

Email
• Reputation filtering based on the SenderBase database
• IPAS (IronPort Anti-Spam) Web Reputation
• Email authentication support
• HTML Conversion

Complementary Solutions
• Encryption
• Web security (Web reputation, Anti-malware, Anti-virus)

Reduced Administration Time

• Easy 5 Step Installation
• Email Security Manager For Configuration
• Message Tracking
• Real Time Reporting

IronPort Reputation Filters: Dell Case Study

• Dell's situation:
  – 26 million messages per day
  – About 1.5 million of them are legitimate mail
  – Ran 68 spam-blocking machines with Spam Assassin, but accuracy was lacking
• IronPort solution:
  – Reputation filters drop 19 million messages per day
  – 5.5 million spam messages are stopped by second-stage spam filtering
  – The 68 existing machines were replaced by 8 IronPort appliances
• 10x improvement in accuracy
• 70% fewer servers
• 75% lower operating cost

“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”

-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION

Comprehensive Reporting

Cisco IronPort Data Loss Prevention Technology

Evolution of Data Loss: Email Remains A Primary Loss Vector

Record Type Lost
• Credit Card Numbers: 45%
• Social Security Numbers: 30%
• Email Address: 13%
• Other: 12%

Stop More Data Loss: IronPort Data Loss Prevention

Integrated Scanning & Remediation

Scanning
• Dictionaries
• Filters
• Smart Identifiers

Remediation
• Notify
• Quarantine
• Secure Messaging

“Email has become the de facto filing system for nearly all corporate information, making it even more critical to protect the outbound flow of messages.”

- Brian Burke, Security Products Research Manager, IDC

Data Loss Prevention Foundation: Integrated Scanning

[Diagram: Users, Outbound Mail, Integrated Scanning]

Integrated Scanning
• Compliance Dictionaries
• Custom Content Filters
• Smart Identifiers
• Weighted Content Dictionaries
• Attachment Scanning

Integrated Scanning Makes DLP Deployments Quick & Easy

Data Loss Prevention: Integrated Scanning and Remediation

Scanning Work Flow
• Pre-Defined Filters
• Compliance Dictionaries
• Smart Identifiers

Remediation Work Flow
• DLP Notification
• Quarantine View Of Violation
• Encrypt The Message
• View HIPAA Violation Report

Email Authentication

Email Authentication: SPF and DKIM

Sender Policy Framework (SPF) + DomainKeys Identified Mail (DKIM)

• Complementary technologies: Path-based and cryptographic methods
• Technology adoption: >50% of Legitimate Emails use SPF/DKIM
• Blocks phishing attacks: Protect your Brand and Customers

[Diagram labels: DNS holding the SPF Record and Public DKIM key; Private DKIM key at the sender; Internet; ISPs; Scammer: SPF FAILED, DKIM FAILED]

Example: Which is legitimate?

Email A
• From: eBay.com
• IP: 216.33.244.124
• DKIM Header: s=main; d=ebay.com; c=nofws; q=dns; b=BVOKQjGvI…mQ8d8OygW

Email B
• From: eBay.com
• IP: 64.8.244.90
• DKIM Header: None

Example: How it works

[Diagram: eBay DNS Server; SIDF Record 216.33.244.124; email A, signed, from 216.33.244.124; email B from 64.8.244.90]

1. Publish Records in DNS
2. A: Signed, from 216.33.244.124
3. B: Unsigned, from 64.8.244.90
4. Query eBay SIDF & DKIM records
5. Receive SIDF & DKIM records
6. Determine verdicts for email A
7. Determine verdicts for email B

Authentication Results for email A:
• DKIM = pass
• X-SID-Result: Pass

Authentication Results for email B:
• DKIM = neutral
• X-SID-Result: Fail

IronPort Security Feature

HTML Conversion

HTML Sanitization: Further Protection for Targeted Phishing

• Converts HTML email to plain text
• Prevents URL links from being clicked through user carelessness
• Hidden email links and the like are converted to text so that the user can see them
• User would have to copy/paste the link into web browser for rendering

[Figure: Targeted Phishing Email → Authentication Results Fail → HTML-convert to plain text]

Authentication Results:
• DKIM = neutral
• X-SID-Result: Fail

Converted message text:
eBay sent this message! Your registered name is included to show this message originated from eBay. Learn more [Bad link location which you would never go to]

Email Encryption

IronPort PXE: Sending a Message
Instant Deployment, Zero Management Costs

CISCO REGISTERED ENVELOPE SERVICE
• Automatic user creation
• User authentication and key delivery
• Message tracking
• Secure reply

NEVER stores email message → highest security

Recipient Experience: Receiving a Message
First-Time Registration

Recipient Experience: Receiving a Message
Simple & Intuitive
• Open Attachment
• Enter password

Secure Messaging: Email Encryption That’s Easy For Receivers

1. Open Attachment
2. Enter password
3. View message

• Send To Anyone
• No Certificates
• No Plug-Ins