Transcript of Alex Nikolayev Program Manager Identity and Security Division Microsoft Corporation SESSION CODE:...
Business Ready Security: Microsoft Exchange Server 2010 and the Microsoft Forefront Secure Messaging Solution, Better Together
Alex Nikolayev | Program Manager, Identity and Security Division, Microsoft Corporation
SESSION CODE: SIA324
Cristian Mora | Product Manager, Identity and Security Division, Microsoft Corporation
Agenda
• Business Ready Security Overview
• Microsoft Exchange and Forefront Better Together scenarios
• Forefront Protection for on-premises
• Forefront Protection in the Cloud
• Hybrid Protection
• Demo!
Top E-Mail Threat Concerns
• Malware via URLs
• Malware via Attachments
• Phishing
• Spam
• Data Leakage
Source: “Messaging Security Survey: The Good, Bad, and Ugly Study,” IDC, 2009.
“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.” — “E-mail Security Market, 2009-2013,” The Radicati Group, Inc.
“… Around $8 Billion Lost to Viruses, Spyware, and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime…” — 2009 State of the Net Survey
“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam” — “Forrester Wave E-mail filtering Q2 2009,” April 2009
“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” — Brian E. Burke, “Messaging Security Survey,” IDC, 2009.
Business Needs and IT Challenges (across on-premises & cloud)
Business needs (agility and flexibility):
• Secure access to messaging from virtually anywhere
• Prevent sensitive information from leaking
• Protection from advanced threats
• Receive messaging free of spam
IT needs (control):
• Multiple locations and devices
• Difficulty in discovering and securing sensitive information
• Financially motivated evolving threats
• Advanced spam technologies bypassing scanners
Business Ready Security: Help securely enable business by managing risk and empowering people
From: Block, Cost, Siloed
To: Enable, Value, Seamless
• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
Highly Secure & Interoperable Platform: Identity
Business Ready Security Solutions: Secure Messaging, Secure Collaboration, Information Protection, Identity and Access Management, Secure Endpoint
Secure Messaging: Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information
PROTECT everywhere, ACCESS anywhere
• Best-in-class anti-malware and anti-spam on-premises / in-the-cloud
• Protect sensitive information in e-mail
• Secure, seamless access
INTEGRATE and EXTEND security
• Deep Microsoft Exchange integration
• Extend secure e-mail to partners
SIMPLIFY security, MANAGE compliance
• Centralized Management across on-premises and cloud
• Improved visibility across business productivity application security
Current Situation: Multiple Products for secure messaging
• Separate gateway to detect sensitive content (internal users sending sensitive information to partners in e-mail)
• Separate SMTP virus scanner to detect and remove spam and malware (external websites sending spam and malware; virus threats from internal senders)
• Separate gateway to enable remote access (remote access solution with separate identities)
Secure Messaging: Simple and easy
• Always-on access built into the platform
• Internal mail protected with Forefront Protection for Exchange
• Information Protection built into the platform
• Malware and spam cleaning in the cloud with FOPE
Forefront Protection 2010 for Exchange Server Summary
Integrated Security
• An easy to manage Premium Antimalware and Antispam Protection Solution for Microsoft Exchange Server
• New: Integration with Exchange 2007 and 2010/IRM, Hybrid Model
Simplified Management
• Intelligent engine selection
• Monitoring security state in real-time
• Automated updating
• Inclusive management console with security/protection views
• New: Manage on premises and off premises security policies
• Fast response to security incidents
Comprehensive Protection
• Premium Antispam protection (on premises and in the cloud)
• Multiple Malware engine protection against emerging threats
• Content and Keyword Filtering
• New: Spyware protection (MSAV)
• Encrypted messages scanning
Forefront Protection 2010 Architecture: built-in not bolted on into Exchange
[Diagram (Exchange transport pipeline): SMTP Receive, Pickup Directory and Ex Submit (MAPI/SMTP) feed the Submission Queue; Categorizer (Recipient API, Exchange Biz Logic, AD); Delivery Queue; SMTP Send. The Forefront antispam and Forefront antimalware agents hook into the pipeline through the Transport Agent/Message API and the Agent Run Time Engine (MEx).]
The FPE 2010 architecture is built into Exchange: it attaches through the Transport APIs on the transport roles and hooks into the Mailbox role via VSAPI. The premium antispam agents co-exist with and complement the basic Exchange antispam agents, sharing the same configuration data. The Forefront agents enable end-to-end scenarios for end users and Exchange administrators.
Extensibility Platform
Forefront Protection 2010 for Exchange Server Deployment
[Diagram (enterprise network): external mail arrives at the Edge Transport role, which sits alongside Threat Management Gateway; Hub Transport handles routing & policy; Mailbox stores mailbox items; Client Access provides client connectivity and web services; Unified Messaging provides voice mail & voice access from the phone system (PBX or VoIP). Forefront Protection 2010 for Exchange Server is shown on the Edge Transport, Hub Transport and Mailbox roles. Clients: web browser, Outlook (remote user), mobile phone, Outlook (local user), line-of-business applications. Protection availability: Exchange 2010, Exchange 2007 SP1.]
Forefront/Exchange Better Together: Surpassing Security Expectations
Encryption (Exchange 2010): Default Intra-Org ∙ Inter-Org mTLS support ∙ IRM support
Antivirus (Forefront 2010): Multiple Engine Malware Detection ∙ Unified Management ∙ Hosted, Hybrid Protection
Antispam: Basic (Exchange 2010, Standard CAL) / Premium (Forefront 2010, Enterprise CAL)
Forefront Protection 2010 Antispam Functional Highlights
Exchange 2010 | + Forefront 2010 | Benefits
Connection Filtering | Forefront DNS Block List | • Aggregated RBL data from multiple external and internal vendors • No configuration required
Protocol Filtering | Unified Management | • Consolidated Connection/Sender/Recipient/Sender ID filtering for simplified management
Protocol Filtering | Backscatter Filter | • Blocks NDR (backscatter) spam
Content Filtering | Cloudmark CMAE Engine | • Option of an alternative third-party content filter • Above 99% detection rate • No configuration required (installs with smart defaults)
| Forefront True Type File Filtering | • Real file type inspection (not just extension) • Actionable scanning of nested files / within ZIP
| Global Exception Lists | • Single access point to sender and recipient exception lists (allow and block actions)
| Streamlined SCL | • Less ambiguous ratings for fewer false positives end to end
| Hybrid Model | • Integration with Forefront™ Online Protection for Exchange
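The True Type File Filtering row above says the filter inspects the real file type, not just the extension, and scans nested files inside ZIPs. The following is an added example, not Forefront's code: a small attachment inspector that classifies content by its leading bytes and recurses into nested archives; the signature table, the extension map and the sample archive are all constructed for the demonstration.

```python
# Added example (not Forefront's code): a "true type" attachment check in the
# spirit of the True Type File Filtering row above. It classifies a file by
# its leading bytes instead of trusting the extension and descends into ZIP
# archives, so a renamed executable nested in an archive is still found.
import io
import zipfile

# Leading-byte signatures (a constructed subset, not a complete list).
SIGNATURES = {
    b"MZ": "executable",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}
# What an extension claims its content is (constructed subset).
EXT_CLAIMS = {"exe": "executable", "pdf": "pdf", "png": "png", "zip": "zip"}


def true_type(data: bytes) -> str:
    """Classify content by magic bytes; 'unknown' when nothing matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Yield (path, extension, true_type) for the file and every ZIP member."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = true_type(data)
    yield name, ext, kind
    # Recurse into archives, but stop at max_depth to bound the work.
    if kind == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                yield from inspect(f"{name}/{member.filename}",
                                   zf.read(member), depth + 1, max_depth)


def findings(name: str, data: bytes):
    """Return entries that are executables or whose extension lies about the
    content: exactly what an extension-only filter would let through."""
    flagged = []
    for path, ext, kind in inspect(name, data):
        claimed = EXT_CLAIMS.get(ext)
        if kind == "executable" or (claimed and kind != "unknown" and claimed != kind):
            flagged.append((path, ext, kind))
    return flagged


def build_sample() -> bytes:
    """Constructed sample: docs.zip holding readme.txt plus a nested
    archive.zip whose 'invoice.pdf' really starts with an MZ header."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 64)  # renamed executable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"quarterly figures attached")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()
```

Running `findings("docs.zip", build_sample())` reports only the nested `invoice.pdf`, because its content is an executable regardless of its name.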
Forefront Protection 2010 Antispam Features
[Diagram of the antispam agents: IP Block List, DNSBL Filter, Sender ID Filter, Sender Filter, Recipient Filter, Backscatter Filter, Junk E-mail Filter, Content Filter.]
Layered Antispam Technologies:
• Connection Filtering (IP Block/Allow, DNSBL, Sender ID filters)
• Protocol Filtering (Sender, Recipient, Backscatter filters)
• Content Filtering (spam/phishing)
New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model
Reducing the Carbon Footprint of Spam: Forefront DNSBL
• Implemented as an SMTP Receive agent; a configuration/maintenance-free feature
• Multiple external and internal RBL providers with a continuous flow of feeds
• Queries are sent to Forefront-owned DNS infrastructure
• Efficiency: based on internal MSIT numbers, 85-90% of all incoming connection requests are denied by the DNSBL
• The rejection response is actionable, to help with corrective action: “550 5.7.1 Do this to get the IP removed from the DNSBL list…”
Forefront Protection for Exchange Content Filter
New Content Filter:
• Based on the Cloudmark Authority Engine, with industry-leading performance metrics
• Embedded into the Forefront antispam architecture via the Exchange transport agents framework
• Executes in the SMTP Receive pipeline
• Scans the MIME stream (body + headers of the message)
• Fingerprint-based engine
Implementation details:
• Incorporates anti-phishing protection
• Enables a feedback loop for better engine accuracy
• Simplifies administration and management
• Supports custom third-party ISV business logic based on the existing extensibility model
• Seamlessly integrates into the end-to-end antispam framework
Benefits:
• Reduced spam and phishing penetration
• Enhanced server performance
• Increased IT Pro and IW productivity
• Improved end user satisfaction
DEMO: Under the Antispam Hood
Forefront Protection 2010 for Exchange: Malware Filtering
Protect Messages from Malware
Microsoft Solution (“Defense in Depth”) vs. Competitors’ Solutions:
• On premises or in the cloud
• Automatic Engine Updates
• Multiple Engines (Microsoft) vs. Single Engine (competitors)
• 99% spam detection* (* With premium antispam services)
38 times faster: an AV-Test of consumer antivirus products revealed:
• On average, Forefront engine sets provided a response in 3.1 hours or less.
• Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively.
Protect everywhere, access anywhere
“Forefront Security for Exchange Server can support up to five scanning engines at the same time. Thus, it offers a more secure environment, compared with products that support using only a single engine.” - Akihiro Shiotani, Deputy Director of the Infrastructure Group
Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230
Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages
• Leading antimalware engines deployed via an integrated solution
• Allows multi-directional protection of the messaging stream: inbound, outbound, internal, and data at rest
• Intelligent Engine Selection: automatically chooses the most current and effective engines first, and allows administrators to balance security with performance needs
• Removal of a single point of failure in the organization
• Lower TCO: all engines included in the base cost
Forefront FPE Malware Filtering: Transport
[Diagram: Forefront antimalware engine updates (MSAV/CMAE and other engines) arrive through Remote Update Services / Automatic Updates, directly from the vendor, via manual configuration, or via redistribution. Mail flow from the INTERNET: Edge Server (SCAN and STAMP) → Hub Role (NO SCAN) → Mailbox Role (NO SCAN) → Client; Mailbox Role and Public Folder also shown.]
• Mail is scanned only once, at the Edge, which saves processing load on Hub and Mailbox servers
• Malware detected on the Edge is deleted immediately
• Internal mail is routed through the Hub role
• Proactive scanning at the Mailbox server (Store) is turned off by default to save processing load on Mailbox servers
Forefront FPE Antimalware Scanning: Store
• On Access Scanning: turned on by default; follows the settings of the real-time scan; scans only messages that have not been scanned before
• Scheduled Scanning: scans mailboxes or folders not covered by the real-time scan, or messages that predate FPE; you may use different engines; usually deep scans that forgo performance concerns
• On Demand Scanning: immediately scans specific mailboxes and public folders to assess malware concerns that may arise; you may also use this to scan with different engines
Forefront Antispyware Filtering
• The MS AV engine should be enabled
• Enable antispyware scanning for the transport / real-time / scheduled scan
• Set the action (AV takes precedence)
Forefront Worms Filtering
• The entire worm message is deleted, including the full message body
• The worm is stopped before it enters the network; network impact is minimized; no impact on the mail store or the e-mail services
• The message or attachment is never quarantined; the quarantine is kept smaller and more efficient
• No notifications are sent; users are not alarmed, but there is an option to send a notice to specific Worm Admins
• Worm purging is enabled by default; to disable it: Set-FseTransportScan -EnableWormPurge $false
Microsoft® Forefront™ Online Protection 2010 for Exchange Server: Antimalware Configurations and Options Demo
Forefront Protection 2010 for Exchange Server: An Extension into Online Services
Forefront Online Protection for Exchange: Inbound E-Mail Filtering
[Diagram of the inbound flow: e-mail enters the global data center network at the MX (mail.messaging.microsoft.com). Spam prevention at connection time uses real time attack prevention (RTAP), IP-based authentication and a reputation database; connections from all senders are analyzed, and connections from illegitimate senders are blocked with an SMTP reject (55x). Directory services look up the e-mail filtering settings for the domain. Virus scanning: Kaspersky, Symantec, Authentium. Policy enforcement: custom policy rules, attachment and message attribute management, content and policy quarantine. Spam protection: safe senders, custom spam filter management, rules based scoring, fingerprint engines, spam quarantine. Spam analysts act on customer feedback (false positives / false negatives) and sync the results back. If the customer's e-mail server is down, e-mail is queued for up to 5 days and delivered in a flow-controlled fashion when the server is available.]
Inbound E-Mail Filtering
Filtering Technique | Description | Cumulative Effectiveness
• IP addresses are added: through automated feedback loops that identify repeat spam (30 minutes application time); for snowshoeing IP address ranges; manually by spam analysts, in response to observed spam | ~95%
• Community Gold Standard for IP reputation | Above 90%
• Image filtering: using Smartscreen technology | Above 99%
• Fingerprinting: using Smartscreen and fingerprint technology; the fingerprint DB is continuously updated by spam analysts
• Scoring system based on 30k active rules and a corpus of 400k rules: points are deducted for good mail characteristics; points are added for spam characteristics; a score of ≥ 30 qualifies as spam
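The scoring system described above adds points for spam characteristics, deducts points for good-mail characteristics, and treats a total of 30 or more as spam; the outbound slide routes messages above that score to the NDR pool. The following is an added example, not FOPE's code: a toy rule set with constructed weights and sample messages that shows how the additive score and the threshold interact, including the boundary case at exactly 30 (where the page does not specify outbound behaviour, the example assumes the inbound rule).

```python
# Added example (not FOPE's code): a toy version of the rules-based scoring
# described on the slide. Rules, weights and messages are constructed here.
import re

SPAM_THRESHOLD = 30  # the slide's "score of >= 30 qualifies as spam"

# (name, test, points): positive points are spam traits, negative points are
# good-mail traits. Illustrative rules only, not FOPE's real 30k-rule set.
RULES = [
    ("urgent payment wording",
     lambda m: bool(re.search(r"urgent.*(wire|payment|transfer)",
                              m["subject"] + " " + m["body"], re.I)), 20),
    ("link to a bare IP address",
     lambda m: bool(re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", m["body"])), 15),
    ("subject entirely upper-case", lambda m: m["subject"].isupper(), 10),
    ("reply in an existing thread", lambda m: "in-reply-to" in m["headers"], -15),
    ("plain text without links", lambda m: "http" not in m["body"].lower(), -5),
]


def score(msg: dict) -> int:
    """Sum the points of every rule that fires."""
    return sum(points for _, test, points in RULES if test(msg))


def fired(msg: dict) -> list:
    """Names of the rules that contributed to the score (for analyst review)."""
    return [name for name, test, _ in RULES if test(msg)]


def classify_inbound(msg: dict) -> str:
    """Inbound rule from the slide: a score of >= 30 qualifies as spam."""
    return "spam" if score(msg) >= SPAM_THRESHOLD else "ham"


def route_outbound(msg: dict) -> str:
    """Outbound slide: score > 30 goes to the NDR pool, score < 30 to the
    outbound pool. Exactly 30 is not specified; this example assumes the
    inbound rule and treats it as spam."""
    return "ndr_pool" if score(msg) >= SPAM_THRESHOLD else "outbound_pool"


# Constructed sample messages (203.0.113.0/24 is a documentation range).
PHISH = {"headers": {}, "subject": "URGENT WIRE TRANSFER REQUIRED",
         "body": "Confirm the payment at http://203.0.113.5/login today."}
REPLY = {"headers": {"in-reply-to": "<abc@example.test>"},
         "subject": "Re: agenda", "body": "Thanks, Tuesday works for me."}
SHOUTY = {"headers": {}, "subject": "MEETING NOTES",
          "body": "Slides are on http://203.0.113.9/share/notes"}
BOUNDARY = {"headers": {}, "subject": "URGENT TRANSFER",
            "body": "See http://example.test/pay for details."}
```

SHOUTY scores 25 and stays ham even though two rules fire, while BOUNDARY lands exactly on the threshold; `fired()` shows which rules drove each verdict.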
Forefront Online Protection for Exchange: Outbound E-Mail Filtering
[Diagram of the outbound flow from the corporate network: look up the e-mail filtering settings for the domain; virus scanning (Kaspersky, Symantec, Authentium); policy enforcement (custom policy rules, attachment and message attribute management, content and policy quarantine); spam protection (safe senders, custom spam filter management, rules based scoring, fingerprint engine). Score < 30: outbound pool. Score > 30: NDR pool. Also shown: Spam Analysts, SEWR.]
Forefront Protection 2010 for Exchange Server Benefits
• Integrated multiple engine malware protection
• Best-of-breed spam protection for on-premises and in-the-cloud customers: precise spam detection with an above 99% catch rate; reduction in the carbon footprint of spam by early rejection of the unwanted messaging stream
• Hybrid model and ease of administration: low TCO with high ROI for Exchange organizations; flexible implementation
Exchange + Forefront Better Together Security Summary
Exchange 2010 provides…
• Default encryption and broader support for IRM
• Extensive infrastructure for per-user SCL
• Incremental Edge Sync for safe/blocked senders
• Per recipient list aggregation from Microsoft® Office Outlook®
Forefront 2010 extends the foundation with…
• Premium multiple engine antimalware
• Auto-configuration of antispam agents
• Unified management of FPE, Exchange, FOPE
• Leading antispam content filter engine (above 99% detection rate)
• Option of hosted and hybrid protection for lower TCO
• Config/maintenance-free setup
Related Content
• SIA314 | Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
• SIA316 | Behind the Spam: A Look at Botnets, Malware, and the Spammers Who Run Them
• SIA04-INT | Secure Messaging: Implementing Microsoft Forefront Online Protection for Exchange - Best Practices, Pitfalls and Support
• SIA04-HOL | Microsoft Forefront Online Protection for Exchange Administration and Reporting
• SIA10-HOL | Secure Messaging Solution: Business Ready Security with Microsoft Forefront and Active Directory
• Red SIA-1 | Microsoft Forefront Secure Messaging Solution
Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources (Learning): www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA