Behavioral Based Email Security Systems

January 31, 2010 by ADMIN

By Simon Heron, CISSP Internet Security Analyst

There needs to be a change to email security if we want to stop seeing high-profile security breaches such as the ones that hit Hotmail and Google in 2009, and the American law firm Gipson Hoffman & Pancione more recently.

The pattern of the attacks is simple enough.

The attacker sends you an email which looks like it’s from a contact, someone you trust, which prompts you to open it. The email contains a link which, when clicked, leads you to a malicious program that can infect your computer or network and steal your personal or corporate data.

The problem is, most email filtering systems will trust the email address and therefore allow it through.

What’s needed is a new approach to preventing spam. We need intelligent systems that can learn the behavior of the sender and the recipient and predict behavior.

In short, as the attacks get more sophisticated, so must the defense.

In 2009 Network Box released a system called ‘eMail Relationship Manager’, which tracks the features of the sender by envelope analysis to provide additional identifiers like source IP address and country of origin.

So, a fake email would be automatically blocked because the IP address of the sender would not be the same as the one stored in the system.

eMail Relationship Manager analyses and learns from the behavior of the sender and recipient of an email, and gives a score to the email which is applied in addition to traditional anti-spam filter analysis. It works by:

1. Maintaining a central database to store existing email accounts managed by Network Box on behalf of the email recipient (so genuine email from addresses kept in a user’s address book will be white-listed, assuming their content passes the traditional filter analysis, which naturally includes the reputation of the sender).

This records and analyses historical information about the relationship in order to judge the likelihood of that email containing malware or unwanted content.

The database can be queried and adjusted at any time by Network Box, the organisation’s administrator, or the user.

It’s continually updated with every email passing through the system, and will challenge new behaviour, flagging up when a white-listed email address changes its shape – e.g. if a contact in Hong Kong suddenly starts sending emails from Russia.

2. Each relationship is defined by sender + recipient + type analysis, and given a score based on the trust and strength of the relationship.

3. The system learns from user behaviour. For example, if email user A sends an email to email user B, then the system understands that user A trusts user B, and therefore strengthens the trust score of that relationship.

4. If an email relationship is scored as low, there are a number of options open to the system, depending on its configuration. It can quarantine the email and notify the recipient (the recipient can release it with a single click if required); challenge the sender to confirm their identity; or defer the email.
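The four points above, worked through as an added toy model. This is illustrative code written for this page, not Network Box’s own implementation (whose scoring is not public); the class, method names, thresholds and the envelope records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed envelope history: (sender, recipient, source IP, country).
# Addresses and IPs are documentation/example values, not real ones.
HISTORY = [
    ("alice@hk-example.com", "bob@corp-example.com", "203.0.113.10", "HK"),
    ("bob@corp-example.com", "alice@hk-example.com", "198.51.100.5", "GB"),
    ("alice@hk-example.com", "bob@corp-example.com", "203.0.113.10", "HK"),
]

class RelationshipManager:
    """Hypothetical relationship scorer in the spirit of the product above."""

    def __init__(self, low_score_action="quarantine", accept_threshold=2):
        self.trust = defaultdict(int)   # frozenset({a, b}) -> relationship strength
        self.shape = defaultdict(set)   # sender -> {(source IP, country), ...}
        self.low_score_action = low_score_action   # point 4: configurable
        self.accept_threshold = accept_threshold

    def learn(self, sender, recipient, ip, country):
        # Point 3: mail in either direction strengthens the pair, because
        # A writing to B is taken as evidence that A trusts B.
        self.trust[frozenset((sender, recipient))] += 1
        # Point 1: remember the envelope "shape" of each known sender.
        self.shape[sender].add((ip, country))

    def score(self, sender, recipient, ip, country):
        # Point 2: score = strength of the history between this pair, zeroed
        # when a white-listed address changes shape (e.g. HK contact now in RU).
        strength = self.trust[frozenset((sender, recipient))]
        if strength == 0:
            return 0, "no relationship history"
        ips = {i for i, _ in self.shape[sender]}
        countries = {c for _, c in self.shape[sender]}
        if countries and country not in countries:
            return 0, "sender country changed"
        if ips and ip not in ips:
            return 0, "sender IP changed"
        return strength, "envelope consistent with history"

    def decide(self, sender, recipient, ip, country):
        s, reason = self.score(sender, recipient, ip, country)
        action = "accept" if s >= self.accept_threshold else self.low_score_action
        return action, s, reason

def demo():
    rm = RelationshipManager(low_score_action="challenge")
    for record in HISTORY:
        rm.learn(*record)
    genuine = rm.decide("alice@hk-example.com", "bob@corp-example.com", "203.0.113.10", "HK")
    spoofed = rm.decide("alice@hk-example.com", "bob@corp-example.com", "192.0.2.77", "RU")
    stranger = rm.decide("mallory@example.net", "bob@corp-example.com", "192.0.2.9", "RU")
    return genuine, spoofed, stranger
```

The spoofed message in `demo()` carries a trusted From address but a source country the system has never seen for that contact, so its score drops to zero and the configured low-score action fires.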

To discover more about ‘eMail Relationship Manager’ or for more information about other Network Box products and services, please visit the Network Box website.

* * *


Simon Heron has over 19 years’ experience in the IT industry, including nine years’ experience in Internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs. Simon has an MSc (attained with Distinction) in Microprocessor Technology and Applications, and a BSc (Hons) in Naval Architecture and Shipbuilding, and is a CISSP (Certified Information Systems Security Professional). Prior to Net Caboose, Simon co-founded Network Box Corporation (UK) Ltd and was Managing Director, finally merging this franchise with the parent company in 2006. Before Network Box, Simon joined the British Antarctic Survey (B.A.S.) as science project leader, and spent two Antarctic winters at the research station Halley in the Antarctic, developing and enhancing graphical technologies in the harshest of conditions. Simon also has a company called Net Caboose, which deals with Identity and Access Management and is also a development house.

Network Box Limited (NBL) is an international managed security services company, specialising in unified threat management (UTM). It continuously defends the networks of its customers using PUSH technology to instantaneously update protection, from 12 Security Operations Centres spread around the globe. NBL’s customers in Asia, Australia, North America and Europe include companies such as BMW, Nintendo and Toyota, as well as banks, utilities companies and government organisations.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




Comments

One Comment on Behavioral Based Email Security Systems

Deborah Galea on Tue, 9th Feb 2010 11:37 am

Interesting article. I certainly agree that email filtering systems should not rely on the email address that is supplied in the From: field or X-Sender field as necessarily being the real sender of an email. Many spam filters are already making use of Sender Policy Framework (SPF). SPF allows companies to submit the legitimate IP addresses for their domain. Spam filters will then check whether the originating IP address is listed for the domain. If it is not, the spam filter will not accept the email. SPF is already widely used, but the accuracy of this method is of course dependent on the number of companies that are listing their IP addresses (and updating them if IP addresses change). For more information, go to: http://www.openspf.org/.
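The SPF check described in the comment above, as an added example that is not part of the comment or the article. It evaluates only the ip4/ip6/all mechanisms against SPF records embedded inline (constructed, standing in for the DNS TXT lookups a real filter performs); include, a, mx and redirect are deliberately left out.

```python
import ipaddress

# Constructed SPF records keyed by sender domain; addresses are documentation ranges.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, source_ip, records=SPF_RECORDS):
    """Return pass / fail / softfail / neutral / none for a connecting IP.

    Subset of the SPF evaluation rules: the first matching mechanism decides,
    its qualifier (default '+') gives the result, and a record with no match
    and no 'all' term yields neutral. 'none' means no usable record exists.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa,
            # so mixed-family mechanisms simply fail to match.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"
```

A filter would act on "fail" (reject) and typically treat "softfail" as a scoring input rather than a hard block, which is the accuracy trade-off the comment points out.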
