Post on 19-Jul-2020
Email Security
Presenter: Dr. Rattipong Putthacharoen, Com. Eng., SE Lead
Date: Jan 2019
Copyright © 2017 Symantec Corporation
Agenda
1. Challenges
2. Architecture
3. Technologies
4. Advanced Email Security
5. Data Protection
6. Demo
Challenges
Email Continues To Be The Attack Vector Of Choice
Spear Phishing
Business Email Compromise
Spam
Ransomware
Malicious Websites
Negligent Employees
Other
Chart: share of attacks by channel (Endpoints, Email, Network & Web)
Evolving Email Threat Landscape
Source: ISTR Report 2017, Email ISTR Report 2017, ISTR Report 2016, Verizon DBIR 2016, 2016 SANS Incident Response Survey
36% increase in ransomware
72% of incident responders use security analytics to speed detection & response
Email is the #1 delivery mechanism for malware
55% increase in spear phishing campaigns
8,000 businesses targeted each month by BEC scams
30% of users opened phishing emails
Email Security Challenges / Chaos
EVOLVING THREAT LANDSCAPE
TARGETED & ADVANCED THREATS: Business Email Compromise, Spear Phishing, Ransomware
VULNERABLE ORGANIZATIONS: Sensitive data shared, Uninformed users, Social-engineered attacks, Poor visibility
OPERATIONAL COMPLEXITY
POINT PRODUCTS = DISJOINTED SECURITY: Email vendor, DLP vendor, Endpoint vendor, Web vendor
SHORTAGE OF SECURITY PERSONNEL
Integrated Solution
Email Security Technologies
PREVENT DATA LEAKAGE
• Advanced Detection Technologies
• Multi-Channel Data Protection
• Policy-Driven Controls
• Push & Pull Encryption
PROACTIVELY PREVENT ATTACKS
• Customizable Security Assessments
• Detailed Reporting & Visibility
• Integrated User Education
ISOLATE DANGEROUS THREATS
• Malicious URL Isolation
• Attachment Isolation
• Credential Theft Protection
PROTECT AGAINST EMERGING THREATS
• Machine Learning & Sandboxing
• Click-Time Protection
• Advanced Email Security Analytics
• SOC Integration
• Threat Remediation
STOP PHISHING ATTACKS
• Real-Time Link Following
• Impersonation Controls
• Phishing Variant Detection
• Behavioral Analysis
• Deep Code Analysis
BLOCK COMMON THREATS
• Heuristics
• Reputation Analysis
• Connection-Level Detection
• AV Engine
Architecture
Symantec Email Security Solutions
Messaging Gateway
On-premises Appliance Multi-Tenant Cloud
Protect against spear phishing, ransomware, and BEC attacks
Quickly respond to targeted & advanced email attacks
Keep your emails secure and confidential
Rainmaker Training Series
Symantec Email Security Solutions: Cloud-Based or On-premises Appliance
Solution Overview
• Protects against targeted attacks, ransomware, spear phishing & business email compromise
• Provides deep visibility into targeted attacks and accelerates remediation
• Controls sensitive data and helps meet compliance & privacy requirements
Deployment diagram: users (on-premise or cloud) and the email server sit behind the firewall; inbound/outbound mail flows through the Messaging Gateway or the cloud service (Anti-Spam, Anti-Malware, Data Protection, Policy-Based Encryption, Phishing Detection, Phishing Awareness), with a third-party email server on the external side. Advanced Threat Protection feeds Advanced Email Analytics (over 60 data points: file, IP & URL, senders & recipients, malware behavior, threat context) to the ATP Platform and MSS.
Global Intelligence Network inputs: File, URL, Whitelist, Blacklist, Certificate, Machine Learning
CLOUD GLOBAL INTELLIGENCE SOURCED FROM:
182M web attacks blocked last year
430 million new unique pieces of malware discovered last year
12,000+ cloud applications discovered and protected
100M social engineering scams blocked last year
1B malicious emails stopped last year
175M consumer and enterprise endpoints protected
9 global threat response centers with 3,000 researchers and engineers
1 billion previously unseen web requests scanned daily
2 billion emails scanned per day
Powered by GIN
Technologies
Overview of the Symantec Cloud Email Security Solution
Multi-Tenant, Cloud-Based Solution
Solution Overview
• Blocks spear phishing, ransomware, BEC attacks, malware, spam, and bulk mail
• Protects sensitive data shared via email to help meet compliance & privacy requirements
• Detects new and stealthy targeted & advanced attacks
• Provides deep visibility into targeted attacks and accelerates threat response
Deployment diagram: inbound/outbound mail from third parties passes through the cloud service (Advanced Threat Protection, Anti-Spam, Anti-Malware, Data Protection, Policy-Based Encryption) before reaching users on an on-premise email server behind the firewall or on a cloud-based email server.
Effectively Protect Office 365 From Threats with Intelligent Multi-Layered Defense
Effectively stops new and emerging threats with multi-layered technologies and intelligence from the world's largest GIN
Blocks stealthy threats with cloud sandboxing and deep visibility into targeted & advanced threats
Flow diagram: incoming mail is scanned, delivered mail reaches Office 365, outbound mail is scanned on the way out
Protects Against:
• Spear Phishing
• Ransomware
• Business Email Compromise
• Targeted & Advanced Threats
• Viruses and Malware
• Spam Emails
• Newsletters & Marketing Emails
Components: Symantec Email Security.cloud; Symantec Advanced Threat Protection for Email
Email Protect Scanning Overview
Scanning pipeline: Inbound Messages → Connection Process → Signatures → Predictive Detection → Clean Email Delivered
Connection Process
Traffic Shaping slows inbound SMTP traffic based on a number of criteria.
• IP reputation
• Concurrent connections
• Bandwidth requested per connection
• Speed of the connection
SMTP Heuristics ensures that only RFC-compliant SMTP connections are made; anomalous connection attempts are dropped.
Connection Process
Address Registration utilizes a customer’s list of valid user email addresses and rejects invalid recipients.
When the SMTP connection is accepted, the service checks the inbound mail against the customer’s Approved and Blocked Lists.
3rd Party Blocked Lists are also available.
Spoofed Sender Detection lets customers check that traffic matches the sending domain's SPF record, DKIM signature, or DMARC policy.
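The DMARC part of that check, as an added example that is not part of the original deck and not Symantec's implementation: given the results SPF and DKIM verification already produced, the code below decides whether either result is aligned with the visible From domain and what disposition the published policy calls for. It assumes a simplified last-two-labels rule for the organizational domain (a production check must use the Public Suffix List) and uses constructed records and domains.

```python
"""DMARC alignment check on top of SPF and DKIM results (RFC 7489, section 3.1).

Added example for this deck; not Symantec's Spoofed Sender Detection.
SPF and DKIM verification are assumed to have run already and are passed
in as results. The organizational domain is derived by a simplified
last-two-labels rule (no Public Suffix List), which is wrong for domains
such as example.co.uk; a production check must use the PSL.
"""
from typing import List, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}   # RFC defaults
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') matches org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain: str, record: str, spf_result: str,
                   mailfrom_domain: str,
                   dkim_results: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    from_domain      RFC5322.From header domain (what the user sees)
    record           the _dmarc TXT record published for from_domain
    spf_result       'pass'/'fail'/... for the RFC5321.MailFrom domain
    mailfrom_domain  the domain SPF was evaluated against
    dkim_results     list of (result, d= domain), one per DKIM-Signature
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                  for res, d in dkim_results)
    passed = spf_ok or dkim_ok
    # p= applies only when DMARC fails; 'none' means deliver and report.
    return passed, ("none" if passed else tags["p"])


if __name__ == "__main__":
    # Constructed cases: a legitimate relay, a strict-alignment miss rescued
    # by DKIM, and a spoof where SPF passed for the attacker's own domain.
    print(evaluate_dmarc("example.com", "v=DMARC1; p=reject",
                         "pass", "mail.example.com", []))
    print(evaluate_dmarc("example.com", "v=DMARC1; p=reject; aspf=s",
                         "pass", "mail.example.com", [("pass", "example.com")]))
    print(evaluate_dmarc("example.com", "v=DMARC1; p=quarantine",
                         "pass", "attacker.example", [("fail", "example.com")]))
```

Note the limit this makes visible: DMARC only protects the exact domain that publishes the record. A cousin domain such as symanlec.com with its own valid SPF record passes DMARC cleanly, which is why the impersonation controls later in this deck exist.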
Signatures
Anti-Malware Signatures identify known malicious files contained in the email and/or its attachments.
Convicted messages are quarantined for 30 days.
Signatures
Anti-Spam Signatures identify known spam messages.
Convicted messages from Block Lists and Anti-Spam technologies can have different actions taken.
Action options:
• Block and delete
• Quarantine
• Append a header and redirect
• Append a header and allow
• Tag the subject line
Skeptic is suspicious!
Heuristic engine which looks at all email characteristics:
• Delivery behavior
• Message attributes
• How the attachment is linked to the email
• Abnormal content inside documents, to identify anomalies
• Signature evasion techniques
• Extracted executable and how it is attached
• Final payload
• Social engineering tricks
Skeptic: Pseudo equation for heuristic analysis
  Questionable source
+ Suspect attachment
+ Suspicious code in attachment
(+ Evidence of obfuscation)
(+ Unexpected encryption)
= Heuristically detected malcode
Not all suspicious elements are required for conviction.
Skeptic Advanced Message Analysis
Analyzers extract information from the file and either pass it to another analyzer or present the information to Skeptic's heuristics.
Example: a ZIP contains a DOC, which contains an EXE, which contains a malicious URL (ZIP → DOC → EXE → URL)
Example: a PDF contains malicious JavaScript (PDF → JScript)
Advanced code analysers for over 90 file types
Real Time Link Following
LINK ANALYSED: http://ow.ly/1234
REDIRECTS TO: http://www.mundo12345.com/images/logos/Z1/img.php
REDIRECTS TO: http://www.newtonp12345.com.br/images/fotos/fotos/A/
REDIRECTS TO: http://www.newton12345.com.br/images/fotos/fotos/A/html/content/home/index.html
MALICIOUS CONTENT IDENTIFIED → INTELLIGENCE UPDATED → EMAIL STOPPED IN REAL-TIME PRIOR TO DELIVERY
Overview of Business Email Compromise
BEC scams involve crafted emails sent to recipients by fraudsters pretending to be senior executives. These emails leverage social engineering and urgent requests to get employees to carry out large wire transfers or send over sensitive information such as W2 forms.
BEC emails are typically characterized by:
• Impersonation of a high-level executive of your company
• Email domains similar to yours (Typosquatting)
• Prominent use of free webmail service providers (Gmail, Yahoo etc.)
• Emails that do not contain URLs, phone numbers, or attachments
Anatomy of a Business Email Compromise Scam
From: gregg_clark@symanlec.com (impersonated user, impersonated domain)
To: Finance or Accounting user (targeted user)
Subject Line: Request (simple subject line)
I need you to process a wire transfer today. Please confirm so that I can forward you the instructions. (urgent request, social engineering, no attachment or link)
Regards
Greg Clark
Chief Executive Officer
Sent from my iPad
Symantec Defends Your Organization from Business Email Compromise Scams
NEW! Simplified Impersonation Controls
Proactively block Business Email Compromise and other spoofing attacks with new impersonation controls
• Protect specific executives or all users from attacks impersonating a user
• Stop attacks that impersonate email domains
• Whitelist specific users, domains, and IP addresses
Symantec Defends Against Business Email Compromise
NEW! Simplified Impersonation Controls
1. User Impersonation Controls: blocks attacks masquerading as a user in your organization; stops scams impersonating senior executives
2. Domain Impersonation Controls: prevents attacks imitating a legitimate email domain in your organization; identifies attacks using spoofed or cousin domains
3. Email Attribute Controls*: guards against attacks exhibiting suspicious behavior such as mismatched email headers; blocks attacks that spoof display names
Global Intelligence Network
Business Email Compromise Scam
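The indicators from the anatomy slide and the three control types above, implemented as one scoring pass over a message. This is an added example, not the product's impersonation controls: it checks a protected executive's name appearing in the display name or local part of a sender outside the organization (user impersonation), a sending domain within edit distance 2 of the organization's domain (cousin domain), free webmail senders, a Reply-To domain that differs from the From domain (mismatched headers), and an urgent request with no URL and no attachment. The organization domain, executive list, freemail list, thresholds and the sample message are assumptions for illustration.

```python
"""Score an inbound message for the BEC indicators listed on this page.

Added example; it is not Symantec's impersonation-control implementation.
The organization, executive list, freemail list, thresholds and sample
message are assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "symantec.com"                       # assumed protected domain
PROTECTED_EXECUTIVES = ["Greg Clark"]             # assumed executive list
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(wire transfer|urgent|today|asap|immediately)\b", re.I)
URL_RE = re.compile(r"(https?://|www\.)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for both cousin domains and near-match names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _letters(s: str) -> str:
    """Normalise a name: lowercase letters only, so 'gregg_clark' ~ 'Greg Clark'."""
    return re.sub(r"[^a-z]", "", s.lower())


def bec_indicators(raw: bytes, allowlist=frozenset()) -> list:
    """Return the list of indicator names triggered by the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if addr.lower() in allowlist or domain in allowlist:
        return []                                  # whitelisted user or domain
    found = []
    external = domain != ORG_DOMAIN
    # 1. user impersonation: executive name from outside the organization
    for exec_name in PROTECTED_EXECUTIVES:
        target = _letters(exec_name)
        near = min(levenshtein(_letters(display), target),
                   levenshtein(_letters(local), target)) <= 1
        if external and near:
            found.append("user_impersonation")
            break
    # 2. domain impersonation: typosquatted / cousin domain
    if external and levenshtein(domain, ORG_DOMAIN) <= 2:
        found.append("cousin_domain")
    # 3. free webmail provider
    if domain in FREEMAIL:
        found.append("freemail_sender")
    # 4. mismatched headers: replies would go somewhere other than the sender
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        found.append("reply_to_mismatch")
    # 5. urgent request carrying nothing a URL or attachment scanner could catch
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    has_attachment = any(p.get_filename() for p in msg.walk())
    if URGENCY.search(text) and not URL_RE.search(text) and not has_attachment:
        found.append("urgent_no_link_no_attachment")
    return found


# Constructed sample, modelled on the anatomy slide above.
SAMPLE_BEC = b"""From: Greg Clark <gregg_clark@symanlec.com>
To: Finance <finance@symantec.com>
Subject: Request

I need you to process a wire transfer today. Please confirm so that I can
forward you the instructions.

Regards
Greg Clark
Chief Executive Officer

Sent from my iPad
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_BEC))
```

Each indicator is weak alone (internal mail is often urgent and link-free), so a gateway policy would act on combinations, and the allowlist is what keeps a legitimately named partner contact from being blocked.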
Advanced Email Security
Complete Cyber Defense Platform: Email, Web, Endpoint
Monitoring & enforcement point for sensitive information shared over email
Policy-based data encryption from cloud service or on-premises appliance
Architecture diagram components: INTERNET, Email Threat Isolation, Messaging Gateway, Content Analysis (Sandboxing), Internal Messaging Server, Global Intelligence Network
Content Analysis: Advanced File Analysis
1. Messaging Gateway (SMG) submits attachments such as .JAR and .EXE files
2. Hash Reputation: custom user whitelist/blacklist + risk scoring; 5 billion file reputation database; passes acceptable files to the user
3. Dual Anti-Malware/Anti-Virus: combine Symantec, Kaspersky, Sophos or McAfee; files up to 5GB, signature updates every 5 minutes; signatures evaluated for known bad
4. Predictive File Analysis: static code analysis / machine learning; parse and collect files, match code to 4B "bad"; analyzes code for malicious characteristics
5. Dynamic Sandboxing: VM + emulation sandboxing using custom "Gold Images"; behavior and YARA rule analysis; detonates only truly unknown files
Global Intelligence Network
Dynamic Sandboxing (Content Analysis)
• Unique dual-sandbox architecture & mobile pattern matching
• Gold image profile replication
• Detailed reports
Quickly analyze and prioritize advanced malware and zero-day threats for remediation and continuous security improvement
Complete Cyber Defense Platform: Email, Web, Endpoint
Architecture diagram components: INTERNET, Email Threat Isolation, Messaging Gateway, Content Analysis, ProxySG, SEP Manager, SEP Agent, Internal Messaging Server, Global Intelligence Network
Malicious Attachment Protection – Disarm
Threat Defense for Office & PDF files removes or disables active content:
• Flash
• Macros
• JavaScript
• 3D components
• Fonts
• XFA (and its JavaScript)
• Launch execution
• Fullscreen execution
URLs in the email body can be rewritten: disable or replace
Disarm flow (Messaging Gateway): email with file attachment containing active content → disable active content and reassemble file → reattach file to original email → user receives email with revised file attachment
Pro-active Post-Delivery Malware Alerting: Click-Time Analysis
1. URL intercepted
2. URL decoded
3. Web request made
4. Any redirects followed
5. Page scanned
How Email Threat Isolation Works
1. A phishing email arrives at the mail server through Symantec Cloud Email Security; its links are transformed to redirect through Web Isolation
2. The user clicks on the link
3. The Email Isolation Portal renders the site in isolation, read-only
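Steps 1 and 2 of click-time analysis above (URL intercepted, URL decoded) and the link transformation in the isolation flow share one mechanism: the delivery-time rewrite of links to a checkpoint the vendor controls. The added example below (not Symantec's click-time protection or Email Threat Isolation service) shows the part a gateway engineer has to get right: the rewritten link carries the original URL as a URL-safe base64 token plus an HMAC-SHA256 tag, and the click-time side verifies the tag before decoding, so the checkpoint cannot be turned into an open redirector by anyone who learns its URL format. The checkpoint address, key and sample body are assumptions; the fetch, redirect following and page scan that follow decoding are left to the caller.

```python
"""Rewrite email links to a click-time checkpoint with signed tokens.

Added example; not Symantec's click-time protection or Email Threat
Isolation. Endpoint, key and sample body are assumptions.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

CHECKPOINT = "https://click.example.invalid/v1"   # assumed redirector
KEY = b"per-tenant-secret-rotate-me"              # assumed HMAC key
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _tag(token: str) -> str:
    """HMAC-SHA256 over the token, truncated to 128 bits (32 hex chars)."""
    return hmac.new(KEY, token.encode(), hashlib.sha256).hexdigest()[:32]


def wrap_url(url: str) -> str:
    """Produce the rewritten link the recipient will see and click."""
    token = base64.urlsafe_b64encode(url.encode()).rstrip(b"=").decode()
    return f"{CHECKPOINT}?u={token}&t={_tag(token)}"


def rewrite_body(body: str) -> str:
    """Delivery-time step: rewrite every URL in a plain-text body."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0)), body)


def unwrap_url(clicked: str) -> Optional[str]:
    """Click-time step: recover the original URL, or None if the link was
    forged or tampered with (wrong host, missing or mismatched tag)."""
    parts = urlparse(clicked)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != CHECKPOINT:
        return None
    query = parse_qs(parts.query)
    token = query.get("u", [""])[0]
    tag = query.get("t", [""])[0]
    if not token or not hmac.compare_digest(_tag(token), tag):
        return None
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode()


if __name__ == "__main__":
    # Constructed body using the shortened link from the link-following slide.
    wrapped = rewrite_body("Reset your password at http://ow.ly/1234 before Friday.")
    print(wrapped)
    print(unwrap_url(wrapped.split()[4]))
```

Once unwrap_url returns a URL, the checkpoint fetches it, follows redirects with a hop limit, scans the final page, and either forwards the user, blocks, or hands the URL to the isolation portal; because the original URL is recovered from the signed token rather than from anything the clicker supplied, the scan verdict is always for the link that was actually delivered.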
Get Complete Ransomware Link Protection
1. Block attack: Symantec Cloud Email Security evaluates links at delivery time
2. Block attack: links are evaluated again at click time, when users click
3. Isolate attack: Email Threat Isolation isolates links and attachments from a ransomware attack; trusted websites allow link & attachment
Symantec Provides the Deepest Visibility Into Targeted & Advanced Attacks
Advanced Email Security Analytics: 60+ data points on clean and blocked emails
• Email volume
• Malicious email senders & recipients
• Severity level
• Attack technology used
• Malware category
• URL information
• Malicious email theme or topic
• Detection method
• File hashes
Correlation & Response Benefits (ATP Platform, Symantec Managed Security Services):
• Identify targeted attack recipients
• Correlate threats with endpoints
• Feed URLs into web proxy
• Find patterns in threats
• Monitor email logs
• Export intelligence
• Accelerate threat response
Remediate Threats by Quarantining Dangerous Emails
• Enhanced mobile experience
• Show additional message information such as attachment names and direction
• Quarantine data protection & image control messages
• Clearly differentiates between spam and information protection messages
• Enhanced reporting options with more details on usage
• Can hold DLP-violating messages for quarantine admin review and release, or release to an admin
Data Protection
Protect Your Confidential Data In Cloud Email
Granular DLP policies protect sensitive data and help address legal and compliance requirements
Policy-based encryption automatically safeguards the security and privacy of confidential emails
Sensitive information protected: PCI ✓ GLBA ✓ HIPAA ✓ ITAR ✓
Advanced multi-channel coverage: Symantec Email Security.cloud + Symantec DLP
Customizable control
Seamless encryption or decryption
Quick, secure message delivery
Encryption Services
TLS
• Used when a customer has a business partner with which it wants to ensure all communications are encrypted in transit. This can be specified on a domain-by-domain basis.
Policy Based Encryption Essentials
• Used when a customer wants emails encrypted based on the content of a mail
• Used when private data is sent to a 3rd party who may not be able to enforce TLS
Data Loss Prevention and Encryption Integration
1. End user sends email
2. Inspection: the Messaging Gateway hands the message to DLP Network Prevent for SMTP; DLP Enforce holds the policies and incidents
3. Hold for remediation
4. Remediation / quarantine management
5. Email delivery to recipient: via the upstream mail server and Content Encryption to the third-party email server
• Monitoring and enforcement point for sensitive information shared over email, through integration with the multi-channel DLP platform
• Remediation management enforced via DLP through integrated SMG quarantine APIs
• Policy-based encryption from the Content Encryption service or an on-premises appliance
Email Security Summary
Global Intelligence Network
MALWARE & SPAM PROTECTION
• Connection level: SMTP firewall, sender reputation and authentication reduce risks and throttle bad connections
• Malware & spam defense: heuristics, reputation, and signature-based engines evaluate files and URLs for email malware & spam
PHISHING DEFENSE
• Link protection: evaluates malicious links at email delivery and time of click with advanced phishing variant detection
• Impersonation control: blocks Business Email Compromise and other spoofing attacks
EMERGING THREAT PREVENTION
• Advanced machine learning: analyzes code for malicious characteristics
• Behavior analysis: identifies new, crafted, and hidden malware by examining the behavior of suspicious email
• Sandboxing: detonates only truly unknown files in both physical and virtual environments
Demo
Q & A
Thank You!