
IronPort Email Security Products

Date post: 02-Aug-2018
Page 1: IronPort Email Security Products - Arrow ECSFILE/IronPort.pdf · IronPort Email Security Products PROTECTING OVER 350 MILLION EMAIL BOXES WORLDWIDE Mirko Schneider, IronPort Systems

IronPort Email Security Products

PROTECTING OVER 350 MILLION EMAIL BOXES WORLDWIDE

Mirko Schneider, IronPort Systems

Soft-Tronik Security Day, Bratislava June 6th 2007

“I need to say that the appliance is the best system that I’ve been testing for our magazine since 2003. I need to find a way to bring it out objectively. Otherwise nobody will believe me...”

(an editor of a German IT magazine, Feb 2006)

Page 2

Who is IronPort?

• Founded in 2000 by email pioneers from Hotmail, ListBot, Yahoo

• idea: building the fastest and strongest gateway appliance

• based in USA, California, Silicon Valley

• Investors:

– General Motors, Chevron-Texaco, NTT, Menlo Ventures, Allegis Capital

– raised over 90 million USD

• Worldwide 500+ employees

• 75 in Europe (UK, Germany, Sweden, France, Spain, Italy)

• revenue 2005: ~ 70m USD, 2006: ~125m USD

• With Soft-Tronik in CZ/SK since 2006

Page 3

Hot News: CISCO acquires IronPort

Page 4

The Principles of Industry Leadership

• Analyst Leadership

– Recognized as the leader by Gartner, Meta, Radicati, IDC, Forrester, Bloor

• Customer Leadership

– 52 of the World’s Largest 100 Companies

– 20+% of Global 2000

– 12 of the 15 largest ISPs

• Technology Leadership

– First with custom, high performance MTA

– First with Reputation Filtering

– First with Virus Outbreak Filters

• Global Leadership

– Operations in 35 countries, 600+ partners

– IronPort infrastructure currently operating in 75+ countries

Page 5
Page 6

Success in Czech Republic

Czech News Agency (ČTK)

- customer since December 2006

- a case study available soon!

Air Navigation Services (RLP)

- customer since March 2007

E.ON Czech Republic

- customer since December 2006

UPC Czech Republic

- customer since December 2006

EZPADA Czech Republic

- customer since December 2006

Page 7

IronPort: Technology Leadership

Magic Quadrant for E-Mail Security Boundary 2006

Source: Gartner RAS Core Research

You need that competitive analysis?

Mail me at [email protected]!

Page 8

IronPort gets stronger!

After PostX acquisition announcement Nov 06:

• “Regard this acquisition as a positive enhancement that improves IronPort's competitive position...”

• “However, consider switching to IronPort at the next technology "refresh" to reduce administration overhead and costs...”

After CISCO acquisition announcement Jan 07:

• “Place Cisco/IronPort at the top of your shortlists...”

Page 9

IronPort Gateway Security Products

[Diagram: Internet; Email Security Appliance; Web Security Appliance; Security Management Appliance; IronPort SenderBase]

Page 10

IronPort Email Security Appliances

• High Performance Email Security Appliances Stopping Spam, Viruses, and Enforcing Compliance

Models: IronPort C100, IronPort C350/C650, IronPort X1050

Page 11

Product Consolidation at the Network Perimeter

For Security, Reliability and Lower Maintenance

[Diagram. Before IronPort: Internet, Firewall, MTAs, Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Groupware, Users. After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users.]

Page 12

IronPort Architecture for Multi-Layered Email Security

[Architecture diagram: MANAGEMENT TOOLS; SPAM DEFENSE; VIRUS DEFENSE; POLICY ENFORCEMENT; EMAIL AUTHENTICATION; THE IRONPORT ASYNCOS™ EMAIL PLATFORM]

Page 13

IronPort AsyncOS™

Unmatched Scalability and Security

• AsyncOS scalable and secure OS optimized for messaging

• Advanced Email Controls protect reputation and downstream systems

• Standards-based Integration replaces legacy systems with ease


Page 14

IronPort AsyncOS™

Revolutionary Email Platform

Traditional Email Gateways And Other Appliances:

• 200 Incoming/Outgoing Connections

• Low Performance/DoS Potential

• Single Queue For all Destinations

• Queue Backup Delays All Mail

IronPort Email Security Appliance:

• 10,000 Incoming/Outgoing Connections

• High Performance/Sure Delivery

• Per-Destination Queues

• Fault-Tolerance and Custom Control

Page 15

Advanced Email Controls

Only Available from IronPort

• Safeguard Your Reputation

• Send Different Types of Mail Via Separate IPs

• IronPort Patent Pending Technology

• Protect Your Groupware Servers

• Rate Limit Mail Sent Per Destination

• Enforce TLS Encryption Per-Destination

[Diagram: Virtual Gateway™ Technology (Internet; outgoing IPs 163.24.127.3, 163.24.127.4, 163.24.127.5; New Company; Bounces) and Destination Controls]

Page 16

Multi-layer Spam Defense

Best of Breed

• IronPort Reputation Filters – the outer layer defense

• IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud


Page 17

Spam volumes grow

[Chart: Average Daily Spam Volume (billions msgs), Oct 05 to Oct 06: +110%]

Page 18

Image Spam Explodes

[Chart: % Spam with an Embedded Image, Oct 05 to Oct 06: +421%]

Page 19

Spam Gets Sneakier – Image Spam!

1. “Polka dots” 2. “Slice & Dice”

Page 20

New Spam Attacks

Spam Techniques Even More Difficult to Combat

“ASCII Art” Based Spam

• uses a series of numbers to spell out a stock symbol

• numbers randomized in different order for each email to evade signatures

• similar to image spam in that there are no actual words in the email for anti-spam engines to key on

Image Spam 2.0

• Attempts to mask itself as a legitimate picture by adding a “greeting card”-like border

• Inserts shapes such as rectangles and pies to spoof PowerPoint / Excel charts

• Wavy text is more difficult for OCR technologies to decipher

Page 21
Page 22

Multi-Layered Security

Preventive + Reactive = Defense in Depth

Preventive Layer (blocks ~80% of spam):

• Immediate Reaction to Threats

• Extremely High Performance

• Coarse Outer Layer

• Blocks or Rate Limits

Reactive Layer:

• Adapts Over Time

• Computationally Intensive

• Fine-grained Inner Layer

• Delete or Quarantine

Page 23

IronPort SenderBase® Network

Global Reach Yields Benchmark Accuracy

The Dominant Force in Global Email and Web Traffic Monitoring…

• 5B+ queries daily

• 150+ Email and Web parameters

• 25% of the World’s Email Traffic

…Results in Accuracy and Advanced Protection

• Spam Caught by Reputation: IronPort 80%, CipherTrust 50%, BorderWare 40% (Source: www.ciphertrust.com and www.borderware.com, August 6, 2006)

• Network Reach (Contributing Networks): IronPort 120,000, CipherTrust 4,000, BorderWare 8,000

• Virus Protection Lead: IronPort 13 hours* (McAfee, Trend, Symantec, Sophos, CA, F-Secure)

* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.

Page 24

IronPort SenderBase®

Data Makes the Difference

• Complaint Reports

• Spam Traps

• Message Composition Data

• Global Volume Data

• URL Lists

• Compromised Host Lists

• Web Crawlers

• IP Blacklists & Whitelists

• Additional Data

150 Parameters

SenderBase Data

Data Analysis/Security Modeling

SenderBase Reputation Scores: -10 to +10

Threat Prevention in Realtime

A Broad Data Set Drives Accuracy

Page 25

IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….

• Known good is delivered

• Suspicious is rate limited & spam filtered

• Known bad is deleted/tagged

• Reputation Filters is a switch point

• IronPort uses identity & reputation to apply policy

• Sophisticated response to sophisticated threats

[Diagram: Incoming Mail (Good, Bad, and “Grey” or Unknown Email); Reputation Filtering (preventive); Anti-Spam Engine (reactive)]

Page 26

Reputation-Based Filtering: A Powerful Technique

• Beyond blacklisting—a granular view of behavior

• Scores calculated in real-time

• Pre-configured policies applied dynamically

Page 27

IronPort Reputation Filters

Dell Case Study

• Dell’s challenge:

– Dell currently receives 26M messages per day

– Only 1.5M are legitimate messages

– 68 existing gateways running Spam Assassin were not accurate

• IronPort solution:

– Reputation Filters block over 19M messages per day

– 5.5M messages per day scanned by anti-spam engine

– Replaced 68 servers with 8 IronPort C60s

• Accuracy of spam filtering increased 10x

• Servers consolidated by 70%

• Operating costs reduced by 75%

“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”

-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION

Page 28

Multi-Layered Security

Preventive + Reactive = Defense in Depth

Preventive Layer:

• Immediate Reaction to Threats

• Extremely High Performance

• Coarse Outer Layer

• Blocks or Rate Limits

Reactive Layer:

• Adapts Over Time

• Computationally Intensive

• Fine-grained Inner Layer

• Delete or Quarantine

Page 29

IronPort AntiSpam Broadens the Context with Web Reputation

• Content filtering techniques alone are inadequate

• Email reputation systems improved protection

• Combating new attacks demands Web reputation

[Chart: Effectiveness over Time, up to TODAY]

Where? Web Reputation

Where does the call to action take you?

Who? Email Reputation

Who is sending you this message?

How? Message Structure

How was this message constructed?

What? Message Content

What content is included in this message?

Page 30

URL

No attachment - Payload delivered via web


Page 32

Web Reputation Data Makes the Difference

• URL Blacklists

• URL Whitelists

• URL Categorization Data

• HTML Content Data

• URL Behavior

• Global Volume Data

• Domain Registrar Information

• Dynamic IP Addresses

• Compromised Host Lists

• Web Crawler Data

• Network Owners

• Known Threats URLs

• Offline data (F500, G2000…)

• Web Site History

SenderBase Data Parameters

Data Analysis/Security Modeling

Web Reputation Scores (WBRS): -10 to +10

THREAT PREVENTION IN REALTIME

Page 33

IronPort Anti-Spam Customer Leadership

Trusted Throughout the World

Installed in over 20% of Fortune 100 Companies

Deployed at over 2,000 customers in over 40 countries

Page 34

IronPort Anti-Spam

Press Reviews

2007 Technology of the Year: Best Anti-Spam (Jan 2007)

Competitors tested: Symantec, Microsoft, Mirapoint, ProofPoint

“easy setup”

“excellent spam filtering”

“no tuning necessary”

“the fewest false positives of any solution tested”

Anti-Spam Bake-Off Winner (Dec 2006)

Competitors tested: CipherTrust, Borderware, Sophos, SonicWall

“The superiority of IronPort . . . seems abundantly clear”

“We did not have to rescue a single legitimate message”

“(IronPort) is the absolute must from this test”

Page 35

Multi-layer Virus Defense

Best of Breed

• IronPort Virus Outbreak Filters stop outbreaks 13 hours ahead of signatures

• Sophos Anti-Virus signature based solution with industry leading accuracy


Page 36

IronPort Virus Outbreak Filters™

First Line of Defense

Early Protection with IronPort Virus Outbreak Filters

Page 37

Traditional AV Solutions Aren’t Responding Quickly Enough . . .

[Charts: Virus Volume over Time (GMT), each marking when the first AV signature became available, for Mytob-HJ (4-19-06), Kukudro-A (6-27-06), Bagle-GT (4-21-06) and FeebsDI-Q (6-07-06)]

Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Page 38

IronPort SenderBase® Network

First, Biggest, Best Reputation System

• Over 100,000 contributing networks

• Over 20M IP addresses tracked globally

• View into over 25% of email traffic

• Over 150 parameters tracked

Global Email and Web Traffic Monitoring

What is going on RIGHT NOW?

Page 39

Introducing Virus Outbreak Filters

[Charts: Virus Volume over Time (GMT), each marking when VOF Protection Starts and when the First AV Signature is Available]

• Mytob-HJ: 32 hrs 57 mins Lead Time!

• Kukudro-A: 3 hrs 38 mins Lead Time!

• FeebsDI-Q: 21 hrs 59 mins Lead Time!

• Bagle-GT: 18 hrs 28 mins Lead Time!

Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Page 40

How IronPort Virus Outbreak Filters Work

Dynamic Quarantine In Action

T = 0

– zip (exe) files

T = 5 mins

– zip (exe) files

– Size 50 to 55 KB

T = 10 mins

– zip (exe) files

– Size 50 to 55 KB

– “Price” in the file name

T = 8 hours

– Release messages if signature update is in place

Messages Scanned & Deleted

[Diagram labels: preventive protection; reactive protection]

Page 41

IronPort Virus Outbreak Filters Advantage

Average lead time*: over 13 hours

Outbreaks blocked*: 175 outbreaks

Total incremental protection*: over 94 days

Virus Name | Date | Virus Description | Lead Time (hh:mm)

Kukudro-A | 6/27/06 | Virus that spreads via zipped word document. | 3:38

Feebs.AG | 6/21/06 | Arrives as an email attachment claiming to be sent via “Protected E-Mail service”. | 17:46

Troj/Stinx-W | 6/15/06 | IRC backdoor Trojan. | 11:12

Yabe.G | 5/16/06 | Trojan that attempts to download further malicious code. | 13:09

Bagle-GT | 4/21/06 | Installs backdoor and communicates via HTTP, thus bypassing firewall filters. | 18:28

Mytob-HJ | 4/19/06 | Turns off anti-virus applications of infected PC to avoid detection. | 32:57

Nyxem-D (Kama Sutra) | 1/16/06 | Deletes most documents on third day of every month. | 1:27

Looksky.G | 1/6/06 | Installs keystroke loggers onto infected PCs. | 35:40

* June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Page 42

MyDoom Variant—MyDoom.BB (February 15, 2005)

G2000 Company Protected By IronPort’s Virus Outbreak Filters

[Timeline chart, February 15, 2005 to February 16, 2005. Note: All times shown are in GMT]

• IronPort Threat Level Raised to 3 And Protection Starts: 18:08 GMT

• First Anti-virus Signature Published: 22:54 GMT (Next Day)

• 28 hours 46 minutes

• 6503 files quarantined

IronPort Outbreak Filters Protect G2000 Company From MyDoom.BB

$65K saved @ $200/desktop, 5% infected

Page 43

IronPort Policy Enforcement

Inbound/Outbound Content Filtering for Compliance

• Flexible Policy Engine from Blocking Attachments to Enforcing Regulatory Compliance

• Compliance Solutions and Encryption keep communications private and secure


Page 44

Flexible Policy Engine

From Blocking Attachments to Enforcing Compliance

• Graphical Representation of Per-Recipient Policies

• LDAP Integration Reduces Need for Repetitive Modifications

• Customizable Notification Templates

• Robust Conditions and Actions

Page 45

Email Compliance Solutions

Next Generation Compliance Filters

• Pre-Packaged Policies and Lexicons for Common Regulations

• Multi-Category Pattern Matching Significantly Reduces False Positives

• High Performance TLS Encryption Configured Keeps Business Communications Private

PRE-PACKAGED LEXICONS

Page 46

Hot news: Teaming Up To Fix Email

Page 47

IronPort Acquires PostX

Global Reach And Innovative Technology

The Dominant Force in Global Email and Web Security…

• 8/10 of the world’s largest ISPs

• 42/100 of the world’s largest corporations

• 25% of the World’s Email Traffic

• 450 employees

…Combined with the leader in Email Encryption

• #1 World’s Largest Bank

• #1 F500 Largest Insurance Company

• #1 World’s Largest Credit Card Company

• 60 employees

Page 48

Encryption References

Page 49

Email Authentication

Superior Security and Identity Protection

• DomainKey Signing - establishes and protects your identity on the Internet

• IronPort Bounce Verification – protects from misdirected bounce attacks

• Directory Harvest Attack Prevention – blocks attempts to steal email directory information


Page 50

The Misdirected Bounce Threat

Makes Up 9% of all Internet Email*

*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM “BOUNCE” MESSAGES ARE COMPROMISING NETWORKS, April 2006.

Misdirected Bounces Not Discernible From Legitimate Bounces

End User Confusion: “Why did I receive this message?”

Page 51

The Misdirected Bounce Threat

Makes Up 9% of all Internet Email*

*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM “BOUNCE” MESSAGES ARE COMPROMISING NETWORKS, April 2006.

[Diagram: “Zombies” send mail (Recipients: [email protected],[email protected]; Sender: [email protected]); Incoming Gateway; yourcompany.com Outgoing Gateway; RETURN TO SENDER; Millions of Misdirected Bounces]

More than 55% of F500s have experienced disruption of service or a total denial of service due to misdirected bounces

Page 52

IronPort Bounce Verification™

Protects Against Misdirected Bounce Attacks

• All Outgoing Mail Stamped Allowing Legitimate Bounces to be Identified on Return

• Transparent to End Users, No Industry Adoption Required

• Eliminates Help Desk Calls and End User Confusion

• Another IronPort Technical “First”
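
An added sketch (not from the slides and not IronPort's implementation) of how stamping outgoing mail lets a gateway tell legitimate bounces from misdirected ones: the outgoing envelope sender gets a keyed, expiring tag, and an inbound bounce (null sender) is accepted only if its recipient carries a valid tag. The `bv=` tag format, the key and the seven-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real gateway would hold a managed, rotated secret.
SECRET = b"constructed-demo-key"
TAG_LIFETIME_DAYS = 7  # assumption: how long a stamped address stays valid


def _mac(expiry_day: int, address: str) -> str:
    """Keyed tag over the expiry day and the original sender address."""
    msg = f"{expiry_day:05d}{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def stamp_sender(address: str, today: int) -> str:
    """Outgoing gateway: rewrite MAIL FROM as bv=<expiry>=<mac>=<address>.

    `today` is a day number (days since 1970-01-01).
    """
    expiry = today + TAG_LIFETIME_DAYS
    return f"bv={expiry:05d}={_mac(expiry, address)}={address}"


def check_bounce(mail_from: str, rcpt_to: str, today: int) -> str:
    """Incoming gateway: classify one SMTP envelope.

    Bounces are sent with the null sender (MAIL FROM:<>), so only those are
    checked. Returns 'not-a-bounce', 'accept' or 'reject:<reason>'.
    """
    if mail_from != "":
        return "not-a-bounce"
    parts = rcpt_to.split("=", 3)  # the address itself may contain '='
    if len(parts) != 4 or parts[0] != "bv":
        return "reject:unstamped"      # we never sent mail from this address
    _, expiry_s, mac, address = parts
    if not (expiry_s.isdigit() and len(expiry_s) == 5):
        return "reject:malformed"
    expiry = int(expiry_s)
    expected = _mac(expiry, address)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "reject:bad-signature"  # forged or altered stamp
    if today > expiry:
        return "reject:expired"        # stale stamp replayed later
    return "accept"


def demo() -> dict:
    """Run constructed envelopes through the check (day 13670 = 2007-06-06)."""
    today = 13670
    stamped = stamp_sender("alice@yourcompany.com", today)
    forged = "bv=13677=000000000000=alice@yourcompany.com"
    return {
        "legitimate": check_bounce("", stamped, today + 1),
        "misdirected": check_bounce("", "alice@yourcompany.com", today + 1),
        "forged": check_bounce("", forged, today + 1),
        "replayed": check_bounce("", stamped, today + 10),
        "normal mail": check_bounce("bob@example.org", "alice@yourcompany.com", today),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```
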


Page 53

Management for the Largest Enterprises

• Email Security Manager – unified policy management

• Email Security Monitor – enterprise-class reporting system

• Management Interfaces – simple integration and increased productivity


Page 54

IronPort Email Security Manager™

Single view of policies for the entire organization

• Mark and Deliver Spam

• Delete Executables

• Archive all mail

• Virus Outbreak Filters disabled for .doc files

• Allow all media files

• Quarantine executables

“Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” -- PC Magazine 2/22/05

Categories: by Domain, Username, or LDAP

IT

SALES

LEGAL

Page 55

IronPort Centralized Management

• Log in anywhere, control everywhere

• Interface assures configuration consistency

• Apply changes to a machine, group, or cluster

• Test on single system, “promote” to cluster

IRONPORT CLUSTER

• Bratislava Group: SJ1 Machine, SJ2 Machine, SJ3 Machine

• Prague Group: D1 Machine, D2 Machine, D3 Machine

• Berlin Group: T1 Machine, T2 Machine, T3 Machine

Page 56

IronPort Email Security Monitor™

Advanced Reporting System

Email Security Monitor™

Search by Domain

CSV Export

Scheduled Delivery

Integrated Real-Time Graphical Reports

Page 57

System Monitoring

Easy Integration with Existing Processes

Alert Center

• Alert Subscriptions per Admin

• Distinct Areas of Management

SNMP

• Exclusive IronPort MIB

• Integrates with any SNMP-compatible tools

Log Subscriptions

• 20+ Log Types Supported

• Transfer via FTP, SCP, Syslog

Page 58

IronPort Evaluation Policy

• Free evaluation for 30 days

– starts with activation of keys on unit

– can be extended on request

• any size and any way

– you get the right unit for your individual needs

– different ways of testing (live/stealth, parallel, offline)

– full support, full functionality

• About 85% of users who evaluate become happy customers!

Page 59

Get In Contact

Mirko Schneider

Channel Manager Eastern Europe & Russia

IronPort Systems

Munich / Germany

Tel: +49 - 89 - 45 22 27 32

Fax: +49 - 89 - 45 22 27 10

Mobile: +49 - 172 - 83 96 04 7

Web: www.ironport.com

Email: [email protected]

