In-Depth

Q&A: Single-System Message Management

It's not just a matter of blocking unsolicited e-mail. Today's security professionals need to protect against outbound as well as inbound problems.

• By Mathew Schwartz
• 03/31/2004

To help manage such things as spam blocking, e-mail scanning, and instant messaging (IM) monitoring, many organizations want to do more with less. “Enterprises are increasingly demanding message management solutions that combine multiple security and policy enforcement features into a single, secure system,” notes Robert Mahowald an IDC analyst.

Beyond antivirus protection at the perimeter, spam is also a concern. In fact, security administrators ranked spam to the top when it came to a wish list of things to block in 2004, according to IDC.

To speak about the move toward single-system messaging management, and the messaging management issues customers face today, Security Strategies spoke with David Weld, president and CEO of MessageGate, which spun off from aerospace giant Boeing only last year.

Do customers increasingly want one box to monitor or block everything at the perimeter?

More and more customers are realizing they have multiple messaging security issues, and they’re looking for a unified solution. Historically, companies looked for one problem to solve—blocking spam, blocking viruses. In the last year, there’s been a trend to integrate those two.

Is the integration trend related to ease of management?

Sure, so you don’t have to set up multiple rules for e-mail and IM. You don’t have to learn multiple products if you’re the administrator. You don’t have to add multiple sets of users. It reduces hardware cost, processing time, and increases security. Then there’s just vendor consolidation. You’re going to reduce pricing and have fewer vendors to deal with.

How is MessageGate related to Boeing?

About five years ago, Boeing came to the realization that they had a number of issues around messaging, and in particular around e-mailing, including preventing inbound attacks, monitoring inbound and outbound traffic for compliance with corporate policy and security, and being a large company as well as a defense contractor … corporate and government regulations.

Boeing is huge, [something] like 200,000 employees. They have a number of different businesses, they have very strict corporate policies. They saw very specific needs to monitor message flow both inside and outside the company. They looked around and couldn’t find it, so they built it; … their internal IT group created it.

When it comes to messaging, what do companies want to block?

On the inbound, spam is the headline use. We do a very good job. We have what is generally called in the industry a cocktail approach—we don’t just use one way to catch spam. So there’s header information, connection information, who the sender is, are they really who they say they are, what type is it, what kind of attachment is it, are people misspelling Viagra?

Then [next] I think it’s viruses. We have an early warning system where we provide information … from a variety of [sources], then we also have a partnership with Sophos where we’ve integrated that [antivirus] technology as part of the perimeter defense.

What will the average MessageGate installation block most?

Inbound it’s spam and viruses. They have different costs, but they’re both so costly. Spam mail is so [prevalent] —50 to 70 percent of mail in some cases—so to keep it out saves you so much money in performance and time and [related issues].

In the outbound category, what people want to block is either intentional or inadvertent release of company-confidential information. That can include people stealing data from the company, or customer information, or people without thinking about it sending out customer information, which can violate the HIPPA [the Health Insurance Portability and Accountability Act].

Has legislation helped reduce spam?

No. A lot of spam originates from overseas, or at least from overseas mail servers, so no.

How do you know what is or isn’t spam?

Again, we look at the content and the context of the message. Who is it being routed to? Certain customer-support people might be able to send certain information to a law firm or outsourcing provider, but no more than five pieces of information per record to avoid theft, for example. Or we can look for [company-specific] proprietary names, or integrate with existing customer databases—say, 100,000 customers in a database. We can also point at documents and say, here is a ton of documents that are confidential, here are the ones that aren’t; then we can tune the system after we feed it these big piles.

When the software sees something questionable, what happens?

We can quarantine it until a security administrator has a look at it. In a lot of cases, people use passive [mode—the software monitors but doesn’t block messages] to get comfortable, but then they will go active to make sure that … if intellectual property is leaving the company, they’re going to catch it.

Are many companies monitoring or blocking instant messaging?

E-mails’s been around a long time, and people woke up and realized that e-mail was becoming mission critical, but … like databases and CRM [customer relationship management], so, too, with IM people are playing a little bit of catch-up in terms of securing it.

IM has surprised me in how quickly it’s been adopted and … users have just adopted IM on their own, then IT people wake up and say there are a lot of people using IM, so then they’ll put in an IM proxy server, lock it down. We’ll have a partnership announcement soon … a proxy server will see an IM message, the trade it off to us so we can block, reroute, or allow it on.

When it comes to messaging, what else are your customers worried about?

Encryption, and the challenge there is to encrypt certain types of messages going out, say with HIPPA. So if the message contains health information, you have to encrypt it on the way out. Another way is just to have secure enterprise-to-enterprise encryption.

A corollary topic is just monitoring employees’ e-mails. One of the things our software can do is monitor and look for nefarious activity, but not let [users] know. Also, some companies are worried about SEC rules that require disclaimers if a broker sends an e-mail out to more than five people at a time. Our software can catch and block that, then [IT] can circle back and talk to [the employee]. So it’s a more positive behavior modification approach to achieving compliance—and at the end of the day you’re still achieving compliance but educating employees along the way.

Can your software block spyware or other malicious applications piping information out of the enterprise?

If [the spyware is] using the messaging infrastructure to send the information, it can. A lot of these spyware applications use little SMTP servers to send [information]—there’s already a hole punched, it’s the easy way to get it out.

How is your product deployed?

For filtering, we run on the mail server. The product is very efficient, all the state information sits on the sever; we update on a periodic basis for all the rules. Our customers do need to dedicate a couple of servers—the centralized administrative console doesn’t have to be a big box, but it does need to be a standalone box. Then, for detailed reporting, you could potentially run that on another box. So the hardware spending is not huge, [even] to support a very large organization. We’re installed in a number of very large companies that handle millions of messages per day.

Related Story:

CA, SteelCloud Enter Crowded Appliance Market
http://info.101com.com/default.asp?id=6153