This talk introduces the Lotus Protector security strategy, and features Protector for Mail Security, the first offering in the product delivery plan.
“Don’t you wish everything was as secure as Notes?” This hard-earned reputation for protecting customers and end users is what separates Lotus from other e-mail vendors. Today we’ll be talking about Lotus Protector, a new family of security offerings that extends this legendary security to the next layer, protecting against Internet-borne threats and securing sensitive or confidential information from loss via e-mail.
E-mail has proved to be a boon to communication and productivity, but it is also a prime attack vector for those who would separate you from your assets – whether monetary or confidential data. Spam, viruses, trojans, targeted attacks, and spyware infest the Internet. By many accounts, the vast majority of all traffic is garbage – either garden variety spam or much more malicious content. It clogs up your bandwidth and systems and, if it gets through, it can impact your organization’s image inside and outside the firewall. Every day the sophistication and risk grow, as the bad guys increasingly seek to monetize the use of spam and malware, aided by worldwide networks of compromised servers and PCs that lower the effective cost of the activity to zero. Furthermore, companies face increasing risks that sensitive data can leak out via e-mail – intentionally but more often inadvertently or carelessly – creating competitive disadvantages, risks, and liabilities.
As this chart shows, the game of cat-and-mouse between criminals and security experts has created a fast-changing environment. IBM X-Force analysis shows several trends. Keyword spam was largely defeated, so image spam spiked until methods were devised to combat it. Recently it’s simple URL-based spam, where the only goal is to get users to click on links that either present a detailed sales pitch or, more ominously, seek to plant “drive-by” malware on their computers. Spam and phishing URLs are now engineered for short lifespans, so they can be used in the time before they are either detected by filters or taken down by their hosts.
The problem with all of these threats and risks is that they often require different tools and approaches to combat them. This leads to “security clash” – where multiple vendors and systems (“silos”) create excessive effort to deploy, and tend to suppress the overall effectiveness because they often need to be dialed down to prevent conflict. As this chart illustrates, having integrated security means you can attack the problem with less time and effort, and far greater effectiveness.
The Lotus Protector security strategy is represented by this simple chart. In one sentence, we're launching products that protect against the whole set of security challenges facing collaboration customers today. These typically are driven by external threats (such as spam and viruses) and regulatory/legal pressures (such as content control). Our unique differentiator is that, while everyone else treats this as an SMTP problem, we're doing all of this exclusively from the perspective of a Notes/Domino customer. This gives us an opportunity to create a more integrated and fundamentally better experience for our customers, by weaving the security capabilities seamlessly into the user and administrator experience. There are several distinct solution types needed to secure – even to deploy – an SMTP e-mail system. Everyone needs a spam/virus filter, of course, as 90% plus of all e-mail traffic is now either spam, phishing, or malware. Not coincidentally, the first Lotus Protector product does just that, and it’s what we’re talking about today. But there are other needs that must be addressed as well. Encryption is a perpetual challenge, because SMTP doesn't define that kind of security. Various standards approaches (S/MIME, TLS) are so problematic that they suffer from low – often stalled – deployment. At the same time, encryption is taken for granted by Notes users. Notes-to-Notes e-mail lets you apply security with a per-user or per-message setting, ensuring that the information is not intercepted or modified between sender and receiver. However, that’s only within the Domino system; regular Internet recipients are sent unencrypted (after a notification/warning to the sender). Our goal is to deliver an encryption system that extends Notes security, so it's a single experience for the user. Data Loss Prevention (sometimes called Data Leak Prevention), or DLP, is a growing area that we're also planning to address with Protector.
With DLP, you can inspect content flowing between people, to ensure that no sensitive content leaves your organization, either intentionally or (as is most typical) inadvertently. You can log, warn, or block activities in real time. You get two big benefits: you gain visibility into where your sensitive data (confidential, personal, or regulated content) is going, and it trains your people to be careful about things. We're exploring this capability, again in the Protector Notes/Domino centric mode, as a product offering. Lastly, there's a bunch of categories that also fall into that bucket of "things you need to run a modern collaboration system," and we continue to actively investigate there. We have a number of initiatives to improve archiving and eDiscovery. We're exploring things like virtual private networking (VPN) and Web protection as well. These things will be discussed as and when they are announced, but will follow the Protector theme of great security technology, optimized for IBM and Lotus customers. That leads us to the integration opportunities, and we have two distinct categories: vertical and horizontal. Vertical integration is where all Protector products gain maximum integration with Notes/Domino so that everything fits seamlessly into the experience for the user and administrator. Horizontal integration is where Protector products are aware of each other, and keep from getting in each other's way. A great example of this is encryption; as you bring that into the equation you start inhibiting your ability to inspect content for security purposes. Lotus Protector products take care of this, basically by sharing the Notes/Domino security context.
From here on, we’re speaking specifically about Lotus Protector for Mail Security, the spam/virus filter product in the Lotus Protector family.
This is the overview slide that introduces people to what we are selling; it may be flipped/alternated with the next one. Lotus Protector for Mail Security is a software solution sold as an end user license. It is deployed as a network appliance (physical or virtual, we’ll talk about that in a minute) that sits between your Domino Server’s SMTP interface and the wild and woolly Internet, and filters all the bad stuff out before Domino has to deal with it. In reality, every SMTP server needs this and virtually every customer already has something, or else they would be drowning in spam. Our differentiation is we’re applying premium security technology, molded to satisfy the unique needs and requirements of Domino customers. The filtering software itself is high quality, 100% IBM-owned technology. The IBM Proventia product that shares the Protector engine is built upon Cobion, a long-time leader in multi-language spam filtering, that came to IBM in its Internet Security Systems (ISS) acquisition in 2006. The feature list will be covered in detail, but on this page we go through some of the competitively critical and/or differentiating capabilities of Protector for Mail Security. Dynamic host reputation is our implementation of what is often called IP Reputation Filtering or IP Filtering. This assigns a likelihood of spam based on its origination IP, according to a dynamic reputation system that examines the rate and ratio of spam received. Multi-level message analysis is the heart of the system, where a set of different filters is applied to look for different types of threats. This is where a lot of the proprietary stuff comes in, because it’s what makes the difference between 90-95% filter quality, or 98-99% like Protector does. Signature and behavioral antivirus is a “belt and suspenders” approach to protect against both known and unknown threats.
Our signature antivirus is powered by the premium quality Sophos engine (the only part of Protector for Mail Security that isn’t 100% IBM technology), while the behavioral antivirus applies many of the same techniques as our spam analysis to spot threats that are unknown to the signature antivirus database. We’ll talk about our massive URL database, but the idea is that all spam has to have a method to fulfill its goals, and that typically is a link to somewhere on the Web. Through our database of over 84 million known bad URLs (inappropriate/pornographic or infected with malware), we can eliminate much of the most dangerous content with one simple check. Protector for Mail Security supports end user management of their own whitelists (allow) and blacklists (block), as well as a hosted version of the user’s quarantine. That’s a powerful feature in itself, but we’re extending this capability to Notes, for seamless integration of network filtering and client UI. We talked about the integration, but again the real point here is that we’ve narrowed our field of vision on behalf of our customer base, and given ourselves permission to see things from their point of view. Thus all the enhancements we’re making are toward delivering a product that extends and integrates what customers already do with Notes and Domino. Preemptive protection is a slightly different category of security, in this context. Whereas everything above is looking out for all the bad stuff that bad people like to do, preemptive protection looks to stop things before they happen. So the rules/policy engine, which we’ll discuss in depth in a few minutes, can be applied to both incoming and outgoing e-mail to block the transmission of common categories of sensitive information, and be infinitely tuned to block customized kinds of information, specific to an industry or organization.
We call out the place this product holds in the IBM Proventia security product family, because it takes advantage of all the work done in ISS to harden that line of intrusion prevention systems (IPSs), firewall, etc. This protects Protector against attacks on the software from vectors other than SMTP.
This more graphically appealing slide gives us the opportunity to talk about the main messages for Protector for Mail Security. In the first box, our unique advantage is our position within the core Notes/Domino family. We work directly with the Lotus Westford architects and development teams. We’re implementing numerous integration points in support of the Protector ideals around integration and targeted value. In the second box, we talk about how we’re delivering world class technology – a sixth generation spam filtering technology – that is 100% proprietary (in the good way) to IBM. The IBM Proventia technology, which has its roots in Cobion Software’s advanced spam identification products, matches up very well for efficacy (quality of spam blocking) and throughput (volume of mail handled) against incumbent vendors who attack this, typically, from a security perspective. We look at it from an operational and e-mail perspective, which is closer to how Domino customers view it when we talk to them. Also in the second box, we’ve earned ICSA Labs certification on spam filtering, which requires a 95% “trap” rate for spam (Protector typically achieves 98%+), with a .001% “false positive” rate (which we typically better as well). In the third box, we call out deployment flexibility as an important differentiator. Protector for Mail Security is sold as a per-user license, like Notes or Sametime or Quickr or Connections. And like many Lotus licenses, it includes all the server software you need, so it scales cost-effectively from one user to infinity. But ultimately this is an edge server application, because that’s where the spam is coming in. Here it’s important to understand that Protector for Mail Security is different from other Lotus products in that it’s a complete server solution, containing the (Linux) OS as well as the filter application, and is designed to run all by itself on a computer.
In fact, in this model it serves as an “appliance” due to that plug’n’play kind of design. We’re one of a few vendors in the market who offer both software and hardware deployment licenses – and we do it with the same per-user software license. Smaller organizations or branch offices can deploy the VMware version on standard x86 hardware, while larger organizations will order the specialized hardware version, which comes preloaded with the server software. Both contain the same filtering software, and can be mixed and matched – e.g., hardware appliance in headquarters and VMware versions at branch offices.
This slide is included to facilitate a discussion of the different approaches available to Domino e-mail customers. Typically there are three ways to filter an SMTP stream: “Cloud” services – the customer MX record is pointed to a SaaS data center, and only the cleaned stream is passed on to the customer network. Edge appliances – the SMTP stream is treated at the edge of the customer network, and only the cleaned stream is passed on to the Domino server. Server tasks – unfiltered SMTP flows directly to the Domino server, where a filter software program cleans it as the Domino server software sees it. The different approaches offer different benefits and tradeoffs. Cloud-based filtering can be done at a very low cost, and additionally it saves lots of downstream bandwidth to the customer’s network. Edge appliances tend to give a lot of control and customizability, and don’t require customers to trust their users’ e-mail to a third party. Server tasks can inspect both internal and Internet mail, which is necessary anyway, at least for virus filtering. Generally speaking the cloud/appliance options have the benefit of filtering SMTP threats before Domino has to deal with them, but are difficult to integrate with e-mail systems and other security functions. Server tasks can look at both internal and external traffic, but must accept all traffic (good and bad) and process it using the Domino server’s CPU – which will affect scalability and throughput for mail processing. Edge appliances and cloud options take the load off Domino but cannot scan internal mail and aren’t integrated with Notes and Domino. In addition, the cloud option tends to allow more spam to pass or more good e-mail (“ham”) to be withheld without direct customer control.
The Protector for Mail Security appliance is solving those problems through enhanced integration with Domino and Notes, so customers gain the benefits of on-server filtering without the extra CPU load, and in-the-mailbox integration for end users.
The filter process applies several different types of protection against e-mail threats. First, the system itself recognizes a myriad of attack types and intrusion methods, to block threats that target the filter itself. Next, the system examines messages using traditional antivirus signatures from our antivirus partner Sophos, blocking over 1200 known malware attacks and variants. A behavioral antivirus module applies analysis based on known attack designs, so that even unknown malware is blocked before it can infect your users. Spam control – the heart of the system, which we’ll discuss next – applies sophisticated and efficient filtering that is 98% or better effective, out of the box, with less than .001% false positives, or one in 100,000 messages. This is important because “overblocking” of good messages is a direct revenue risk to an organization. Lastly, the rich customizable policy engine can prevent messages with preset content types (e.g., hate/inappropriate language, credit card numbers, customer confidential data) or custom keywords (e.g., project code names, industry terms) from getting through. Importantly, this function (like all filters) works on both outgoing and incoming messages, so you can apply policies to prevent information from leaving your environment as well as entering it.
Protector for Mail Security applies a granular and highly efficient content analysis against e-mails sent to your domain. First, a set of “pre-filters” is applied that knocks out a large part of the bad e-mail – 80% or more – before your system even accepts it. It starts by checking that there’s actually a user at the recipient address, using LDAP lookups that are cached locally when found. Then it applies a custom “blackhole list” that filters known spammer addresses, without overblocking as many public lists are prone to do. Then it applies a proprietary dynamic reputation system, which grades the volumes of e-mail arriving from particular IP addresses or ranges, and blocks messages arriving from known IPs that have a high spam-to-ham (ham = “good e-mail”) ratio. If the percentage of “ham” from those IPs increases, the system automatically adjusts to permit traffic. This dynamic aspect is particularly useful when a computer is taken over by a spammer and subsequently removed from service. These pre-filters are particularly useful in some countries (e.g. Germany) that have strict retention rules. Since the mail is never accepted, it doesn’t need to be stored, retained, backed up, etc. The next set of filters looks for things like known spam “signatures” (including “fuzzy” variants); classifications driven by a Bayesian “learning” filter; structure analysis of words and phrases; flow control that measures traffic from different sources over time; heuristics that grade a message’s likelihood of being spam based on a set of content characteristics; “fingerprinting” (including images) against other known spam; logic that grades a message’s likelihood of being a “phishing” attack (to harvest personal information through fake versions of real Web sites such as Paypal); and a check against preset or custom keywords a customer has chosen to filter.
The net result is a highly efficient filter system that works out of the box, without the training/tuning needed by many competitive products. Lastly, the system checks contained URLs against a database of over 7 billion known “bad” URLs/objects, and conducts a file analysis (including zipped files up to 100 levels deep) that, if necessary, quarantines the e-mail and sends the file attachment to the ISS lab in Kassel Germany for human analysis.
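To make the pre-filter sequence concrete, here is an added illustrative example (written for this page, not Protector's own code) that simulates the three SMTP-time checks the notes describe: a recipient lookup with a local cache, a custom blackhole list, and a dynamic per-IP reputation score. The directory contents, IP addresses, smoothing factor, block threshold and decay half-life are all constructed assumptions; the product's real scoring is not documented on this page.

```python
"""Constructed simulation of the SMTP-time pre-filters: recipient validation
with a local cache, a custom blackhole list, and a dynamic per-IP reputation
score that adapts as the spam-to-ham ratio changes. Example code written for
this page; it is not the product's implementation."""
import math
from dataclasses import dataclass

# Constructed stand-in for the directory an LDAP recipient lookup would consult.
DIRECTORY = {"alice@example.test", "bob@example.test"}
# Constructed custom blackhole list of sender IP addresses.
BLACKHOLE = {"203.0.113.9"}


class RecipientCache:
    """Remembers positive lookups so a repeat recipient costs no directory round trip."""

    def __init__(self, directory):
        self.directory = directory
        self.known = set()
        self.lookups = 0  # trips to the (simulated) directory

    def exists(self, rcpt):
        rcpt = rcpt.lower()
        if rcpt in self.known:
            return True
        self.lookups += 1
        if rcpt in self.directory:
            self.known.add(rcpt)
            return True
        return False


@dataclass
class IpRecord:
    score: float = 0.0      # smoothed spam fraction: 0.0 = all ham, 1.0 = all spam
    samples: int = 0
    last_seen: float = 0.0  # seconds


class DynamicReputation:
    """Per-IP spam fraction that learns from verdicts on accepted mail and decays
    with time, so a host that stops sending spam is eventually readmitted."""

    def __init__(self, alpha=0.3, threshold=0.8, min_samples=5, half_life=3600.0):
        self.alpha = alpha              # weight given to the newest verdict (assumed)
        self.threshold = threshold      # block once the smoothed fraction reaches this
        self.min_samples = min_samples  # verdicts needed before blocking at all
        self.half_life = half_life      # seconds for an idle host's score to halve
        self.records = {}

    def _current(self, rec, now):
        if rec.samples == 0:
            return 0.0
        return rec.score * math.pow(0.5, (now - rec.last_seen) / self.half_life)

    def record(self, ip, is_spam, now):
        """Feed back the downstream filter's verdict for a message from this IP."""
        rec = self.records.setdefault(ip, IpRecord())
        rec.score = (1 - self.alpha) * self._current(rec, now) + self.alpha * float(is_spam)
        rec.samples += 1
        rec.last_seen = now

    def is_blocked(self, ip, now):
        rec = self.records.get(ip)
        if rec is None or rec.samples < self.min_samples:
            return False
        return self._current(rec, now) >= self.threshold


class PreFilter:
    """Applies the three pre-filters, in the order the notes describe, before any
    message body is accepted."""

    def __init__(self, recipients, blackhole, reputation):
        self.recipients = recipients
        self.blackhole = blackhole
        self.reputation = reputation

    def check(self, ip, rcpt, now):
        if not self.recipients.exists(rcpt):
            return (False, "no-such-user")
        if ip in self.blackhole:
            return (False, "blackhole")
        if self.reputation.is_blocked(ip, now):
            return (False, "reputation")
        return (True, "accepted")


def simulate():
    """Runs a constructed traffic sequence and returns the decisions made."""
    rep = DynamicReputation()
    pf = PreFilter(RecipientCache(DIRECTORY), BLACKHOLE, rep)
    bot = "198.51.100.7"  # constructed: a host that starts pumping out spam
    out = {}
    out["unknown_user"] = pf.check("198.51.100.1", "nobody@example.test", 0.0)
    out["blackholed"] = pf.check("203.0.113.9", "alice@example.test", 0.0)
    delivered = 0  # messages accepted (one per second) before the score trips
    for t in range(8):
        if not pf.check(bot, "alice@example.test", float(t))[0]:
            break
        delivered += 1
        rep.record(bot, True, float(t))  # downstream analysis judged it spam
    out["bot_messages_before_block"] = delivered
    out["bot_score"] = rep.records[bot].score
    out["bot_blocked"] = pf.check(bot, "bob@example.test", 8.0)
    # One half-life of silence later the host is retried; ham verdicts then
    # push its score well below the threshold.
    later = 8.0 + rep.half_life
    out["bot_after_decay"] = pf.check(bot, "bob@example.test", later)
    for _ in range(5):
        rep.record(bot, False, later)
    out["bot_recovered_score"] = rep.records[bot].score
    out["directory_lookups"] = pf.recipients.lookups  # 10 checks, 3 real lookups
    return out
```

Calling simulate() shows the ordering that matters: the bot gets five messages through before its smoothed spam fraction crosses the threshold, every later connection is refused before any body is transferred (so nothing has to be stored or retained), and because the score halves for each idle hour the same host is retested once it goes quiet, which is the readmission behaviour the notes describe for a machine that is compromised and later cleaned up.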
The heart of the system is a sophisticated and scientific approach to filtering driven by IBM X-Force research. IBM engineers and linguists constantly update the proprietary software behind the filters, with a global network of spam traps and Web crawlers combating new threats as they appear, for “zero-hour” protection. X-Force has built an unrivaled database of spam signatures, known “bad” URLs, and “phishing” attacks (both messages and URLs). This is the basis of the unrivaled “out of the box” performance of Protector for Mail Security, and the “set it and forget it” performance it delivers.
Phishing attacks ebb and flow on the Internet. The Protector appliance can trap (default) or notify users of suspicious messages that try to trick them into revealing personal or sensitive information. With the growing sophistication of targeted attacks (“spear phishing”), the importance of this protection continues to grow. In “spear phishing,” a customized attack is targeted at a specific user or group of users, often using publicly available information or data shared on social networks, to create authentic-looking and compelling attacks.
The policy editor in Lotus Protector is a high-value differentiator from other spam filter products. With a rich set of preconfigured policies, the system allows “checkbox” filtering of specific categories of content (hate/inappropriate language, personal/confidential information, etc.), plus infinite customer customizations. The rule set acts against all the variables used by the core filter (sender/recipient/groups, time, content analysis, etc.) and allows a wide range of predefined dispositions (block, quarantine, delete, etc.). Since this works on outgoing as well as incoming mail, the organization can deploy anything from “stock” to infinitely fine-grained control over e-mail content, without any additional products or purchases.
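As an added example of the kind of rule evaluation described above (illustrative code written for this page, not the product's policy engine), the following Python models rules that combine a predefined content category, custom keywords, sender group, direction and time of day, and resolves several matching rules to a single disposition. The domain, group membership, keywords, business hours and card numbers are constructed.

```python
"""Constructed model of a rules/policy engine: predefined content detectors
plus custom keywords, evaluated against message direction, sender group and
time of day, yielding a disposition. Example code written for this page; it is
not the product's own policy engine."""
import re
from dataclasses import dataclass
from datetime import time as dtime
from typing import Callable, List, Optional, Tuple

INTERNAL_DOMAIN = "example.test"                    # constructed
GROUPS = {"finance": {"carol@example.test"}}        # constructed group membership
BUSINESS_START, BUSINESS_END = dtime(7, 0), dtime(19, 0)
SEVERITY = {"deliver": 0, "log": 1, "quarantine": 2, "block": 3, "delete": 4}


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; rejects most look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13 to 16 digits, optional separators


def has_card_number(text: str) -> bool:
    """Predefined 'credit card number' category: a digit run that also passes Luhn,
    so an order or ticket number of the same length does not trigger the rule."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    sent_at: dtime


@dataclass
class Rule:
    name: str
    disposition: str                                   # log, quarantine, block or delete
    direction: str = "any"                             # incoming, outgoing, internal or any
    detector: Optional[Callable[[str], bool]] = None   # predefined content category
    keywords: Tuple[str, ...] = ()                     # custom keywords, case-insensitive
    sender_group: Optional[str] = None                 # restrict to senders in this group
    after_hours_only: bool = False                     # restrict to mail outside business hours


def direction_of(msg: Message) -> str:
    s_int = msg.sender.lower().endswith("@" + INTERNAL_DOMAIN)
    r_int = msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if s_int and r_int:
        return "internal"
    return "outgoing" if s_int else "incoming"


def rule_matches(rule: Rule, msg: Message) -> bool:
    if rule.direction != "any" and rule.direction != direction_of(msg):
        return False
    if rule.sender_group and msg.sender.lower() not in GROUPS.get(rule.sender_group, set()):
        return False
    if rule.after_hours_only and BUSINESS_START <= msg.sent_at < BUSINESS_END:
        return False
    text = msg.subject + "\n" + msg.body
    if rule.detector is not None and not rule.detector(text):
        return False
    if rule.keywords and not any(k.lower() in text.lower() for k in rule.keywords):
        return False
    return True


def evaluate(msg: Message, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Every matching rule is recorded; the most severe disposition wins."""
    matched = [r for r in rules if rule_matches(r, msg)]
    disposition = max((r.disposition for r in matched), key=SEVERITY.get, default="deliver")
    return disposition, [r.name for r in matched]


# Constructed policy: a predefined category, a custom keyword, and a group/time rule.
POLICY = [
    Rule("card-number-outbound", "quarantine", direction="outgoing", detector=has_card_number),
    Rule("codename-outbound", "block", direction="outgoing", keywords=("Project Bluefin",)),
    Rule("finance-after-hours", "log", direction="outgoing", sender_group="finance",
         after_hours_only=True),
]


def evaluate_samples():
    """Runs constructed messages through POLICY and returns the decisions."""
    card = "4111 1111 1111 1111"   # constructed test number that passes Luhn
    order = "1234 5678 9012 3456"  # same shape, fails Luhn
    ext = "partner@other.test"

    def msg(sender, rcpt, body, at=dtime(10, 0)):
        return Message(sender, rcpt, "status", body, at)

    return {
        "card_out": evaluate(msg("alice@example.test", ext, "card " + card), POLICY),
        "order_number_out": evaluate(msg("alice@example.test", ext, "order " + order), POLICY),
        "card_internal": evaluate(msg("alice@example.test", "bob@example.test", "card " + card), POLICY),
        "codename_out": evaluate(msg("alice@example.test", ext, "update on project bluefin"), POLICY),
        "codename_in": evaluate(msg(ext, "alice@example.test", "Project Bluefin?"), POLICY),
        "finance_after_hours": evaluate(msg("carol@example.test", ext, "Q3 numbers", dtime(22, 30)), POLICY),
        "finance_after_hours_card": evaluate(msg("carol@example.test", ext, "pay with " + card, dtime(22, 30)), POLICY),
    }
```

Two design points carry over to any such engine: the predefined "credit card number" category validates the Luhn checksum rather than matching any 16-digit run, which is what keeps order and ticket numbers from being quarantined (the overblocking risk the notes call out), and every rule is direction-aware, so a card number in internal Notes-to-Notes mail is left alone while the same text leaving the domain is held.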
Independent of core software costs, customers are able to choose from among an array of server deployment options. Since the server software is always included with the user licenses, it’s up to the customer to decide how to deploy the server – or even to adjust/change approach over time. The first two options are based on VMware deployment. In these instances, throughput is rated at about 12,000 e-mails per hour (including both good e-mail (“ham”) and unsolicited bulk e-mail (UBE – a.k.a. “spam”)). Customers with virtualization strategies can simply deploy Protector for Mail Security within their VMware framework, at no additional cost beyond meeting the hardware and VMware requirements listed. For customers who want a new hardware-based solution – particularly smaller or price-sensitive customers – we’ve identified an IBM xSeries machine that will run Protector for Mail Security well. This x3350 1U system offers good performance and IBM reliability at a competitive cost. Our roadmap calls for future versions of Protector to run natively (no VMware required) on specific xSeries machines; while there are no guarantees that it will prove possible, the x3350 is one of the target units. While it will always be a good VMware unit, native support is likely to only improve throughput/performance. For larger customers or those with heavy mail usage, the MS3004LP unit is a good choice. While more expensive than typical VMware machines or the x3350, the MS3004LP unit is designed for high throughput of approximately 36,000 e-mails per hour. Much of this performance is related to running Protector for Mail Security “on the metal” – no VMware virtualization overhead – but also simply being tuned to the hardware and drivers of this particular unit. It also offers redundancy (power supplies, fans, etc.) and multiple disks employing RAID support. This gives the unit a reliability profile much greater than the commodity hardware option.
MS3004LPs are also “clusterable,” although it’s important to realize that clustering is related more to administrative benefits (centralized spam processing/access) than the same term in the Domino world (high availability, failover).
Here’s a short list of information available to you on the IBM Lotus public Web site. Check Xtreme Leverage or PartnerWorld for Sales Kit links for additional internal information