SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging...


Upload: louis-goehl

Post on 09-May-2015


DESCRIPTION

Come learn how Forefront and Exchange Server 2010 work better together! This session covers how Forefront Protection 2010 for Exchange Server (FPE) and Forefront Online Protection for Exchange (FOPE) will facilitate protection of Microsoft Exchange Server 2010 from malware and unsolicited mail.

TRANSCRIPT

Page 1: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution
Page 2: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Alexander Nikolayev, Program Manager, Microsoft Corporation, SIA 311

Cristian Mora, Technical Product Manager, Microsoft Corporation, SIA 311

Page 3: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Agenda

E-mail Security Threats
• Spam & Malware
• Phishing & Viruses

Forefront/Exchange Better Together Security
• Premium Antimalware Protection
• Premium Antispam Protection
• Administration and Management

Summary
• Forefront Protection 2010 for Exchange: Key Differentiators
• Forefront/Exchange Better Together: Benefits and Better Together Security

Page 4: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Top E-mail Threat Concerns

• Malware via URLs
• Malware via Attachments
• Phishing
• Spam
• Data Leakage

Source: Messaging Security Survey: The Good, Bad, and Ugly Study. IDC, 2009

Page 5: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.”
— The Radicati Group, Inc., E-mail Security Market, 2009-2013

… Around $8 Billion Lost to Viruses, Spyware and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime…
— 2009 State of the Net Survey

“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam” - Forrester Wave Email filtering Q2 2009, April 2009

“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” - Brian E. Burke, “Messaging Security Survey” IDC February 2009

Page 6: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

New Phishing Sites By Month

[Chart: New Phishing Sites By Month, Dec 2004 to Dec 2005]

Source: http://www.antiphishing.org

Page 7: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

New Phishing Sites By Month

Source: http://www.antiphishing.org

Page 8: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

So, what’s the Solution???

Page 9: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Business Ready Security
Help securely enable business by managing risk and empowering people

• Protect everywhere, access anywhere
• Simplify the security experience, manage compliance
• Integrate and extend security across the enterprise

Highly Secure & Interoperable Platform

Identity

From: Block, Cost, Siloed
To: Enable, Value, Seamless

Page 10: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Information Protection

Identity and Access Management

Business Ready Security Solutions

• Secure Endpoint
• Secure Collaboration
• Secure Messaging

Page 11: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

PROTECT everywhere ACCESS anywhere

SIMPLIFY security, MANAGE compliance

INTEGRATE and EXTEND security

Secure Messaging

• Best-in-class anti-malware on-premise / in-the-cloud

• Protect sensitive information in e-mail

• Secure, seamless access

• Built-in information protection

• Extend secure e-mail to partners

• Enterprise-wide visibility and reporting

• Unified management

Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information

Page 12: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

• Innovative Technologies
• Industry Collaboration and Cooperation
• User Education
• Effective Legislation

Page 13: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server

Support for earlier Exchange server versions (Exchange 2003)

Multiple engines

Antispam Protection

DNSBL

Enhanced Filtering

Keyword Filtering

Exchange 2007 Integration: Integrated into the Transport Pipeline

Hybrid Model

Administration

Improved Performance

Multiple Engine Support

Antivirus protection

Antispam protection

New content filter engine

Anti-Backscatter

Microsoft Antispyware engine

FOPE Integration: Integrated provisioning and Management

PowerShell support

New Interface dashboard

Hyper-V support

VSAPI for virus scanning

Edge, Hub, and Mailbox

File Filtering

Page 14: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Surpassing Security Expectations

Exchange 2010 Forefront 2010

Encryption Antivirus

Default Intra-Org

Inter-Org mTLS support

IRM support

Multiple Engine Malware Detection

Unified Management

Hosted, Hybrid Protection

Premium

Antispam

Basic

Standard CAL Enterprise CAL

Forefront/Exchange Better Together:

Page 15: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Industry-Leading Performance

West Coast Labs:
• Spam Catch Rate above 99%
• Premium Antispam certification

Virus Bulletin:
• Continuous Spam Catch Rate above 99%: 99.77% (September 2009), 99.46% (November 2009)

360° Malware and Spam Protection

Page 16: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server Deployment Options

Page 17: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server

[Diagram: Exchange server roles, clients, and protection placement]

Enterprise Network
• Edge Transport
• Hub Transport: Routing & Policy
• Mailbox: Storage of mailbox items
• Client Access: Client connectivity, Web services
• Unified Messaging: Voice mail & voice access

Connected clients and systems: External Mail, Web browser, Outlook (remote user), Mobile phone, Outlook (local user), Line of business applications, Phone system (PBX or VOIP)

Protection labels in the diagram: Forefront Protection 2010 for Exchange Server, Threat Management Gateway

Protection Availability: Exchange 2010, Exchange 2007 SP1

Page 18: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server Malware Protection

Page 19: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Protect Messages from Malware

Microsoft Solution “Defense in Depth”

Competitors’ Solutions

On premises or in the cloud

Automatic Engine Updates

Single Engine

Multiple Engines

99% spam detection*

* With premium antispam services

38 times faster

An AV-Test of consumer antivirus products revealed:
• On average, Forefront engine sets provided a response in 3.1 hours or less.
• Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively.

Protect everywhere, access anywhere

Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230

“Forefront Security for Exchange Server can support up to five scanning engines at the same time. Thus, it offers a more secure environment, compared with products that support using only a single engine.” - Akihiro Shiotani, Deputy Director of the Infrastructure Group

Page 20: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages

• Leading antimalware engines deployment via integrated solution
• Allows multi-directional protection of messaging stream: inbound, outbound, internal, and data at rest
• Intelligent Engine Selection:
  • Automatically chooses the most current and effective engines first
  • Allows administrators to balance security with performance needs
• Removal of a single point of failure in the organization
• Lower TCO – all engines included in base cost

Page 21: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Performance Improvements: Forefront Protection 2010 for Exchange Server vs. Forefront Security for Exchange 2007

Technology investment: Results (5 engines test)
• Improvements in CPU Utilization: 15% in CPU Utilization improvement
• Reduction in Context Switches: Measured reduction is 30%
• Message throughput improvement: From 25 to 40 messages/second
• Native 64-bit support: Coming in SP1
• Spam Filtering throughput: Gated by the Exchange Server perf

Page 22: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Remote Update Services

Automatic Updates

Forefront Engines Updates

Directly from vendor

Manual Config

Redistribution

MSAV/CMAE

Page 23: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Managing Multi-Engine Environment demo

Page 24: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server Antispam Overview

Page 25: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 Antispam: Functional Highlights

Exchange 2010 + Forefront 2010 Benefits

Connection Filtering

Forefront DNS Block List
• Aggregated RBL data from multiple external and internal vendors
• No configuration required

Protocol Filtering

Unified Management
• Consolidated Connection/Sender/Recipient/Sender ID filtering for simplified management

Backscatter Filter
• Blocks NDR (backscatter) spam

Content Filtering

Cloudmark CMAE Engine
• Option of alternative 3rd party content filter
• Above 99% detection rate
• No configuration required (installs with smart defaults)

Forefront True Type File Filtering
• Real file type inspection (not just extension)
• Actionable scanning of nested files/within ZIP

Global Exception Lists
• Single access point to sender and recipient exception lists (allow and block actions)

Streamlined SCL
• Less ambiguous ratings for fewer false positives end to end

Hybrid Model
• Integration with Forefront Online Protection for Exchange

Page 26: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 Antispam Features

IP Block List

Sender ID Filter

DNSBL Filter

Sender Filter

Backscatter Filter

Junk E-mail Filter

Recipient Filter

Content Filter

Layered Antispam Technologies
• Connection Filtering (IP Block/Allow, DNSBL, SenderID filters)
• Protocol Filtering (Sender, Recipient, Backscatter filters)
• Content Filtering (spam/phishing)

New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model

Page 27: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Reducing the Carbon Footprint of Spam: Forefront DNSBL

• Implemented as SMTP Receive Agent, configuration/maintenance-free feature
• Multiple external and internal RBL providers with continuous flow of feeds
• Queries sent to Forefront-owned DNS infrastructure
• Efficiency: based on internal MSIT numbers, 80-85% of all incoming connection requests are denied by DNSBL
• Rejection response is actionable (to help with the corrective actions): “550 5.7.1 Do this to get the IP removed from the DNSBL list…”
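The connection-time DNSBL check described on this slide, as an added example that is not Forefront code: it builds the lookup name for IPv4 and IPv6 peers, treats only 127.0.0.0/8 answers as listings, and returns an actionable 550 5.7.1 line. The zone name, delisting URL, sample zone data and the fail-open choice on resolver timeout are assumptions made for the illustration.

```python
import ipaddress

ZONE = "dnsbl.example.test"                            # placeholder zone (assumption)
DELIST_URL = "https://postmaster.example.test/delist"  # placeholder URL (assumption)
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed stand-in for the list's DNS zone: query name -> A records.
SAMPLE_ZONE = {
    "7.113.0.203.dnsbl.example.test": ["127.0.0.2"],
    # A non-127/8 answer, as a wildcarding or hijacked resolver might return.
    "9.113.0.203.dnsbl.example.test": ["198.51.100.1"],
}


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def sample_resolver(name):
    """Return A records for name; an empty list models NXDOMAIN (not listed)."""
    return SAMPLE_ZONE.get(name, [])


def on_connect(ip, resolver=sample_resolver):
    """Return None to accept the connection, or the SMTP rejection line."""
    try:
        answers = resolver(dnsbl_query_name(ip))
    except TimeoutError:
        # Policy choice in this sketch: a DNS outage must not stop all mail.
        return None
    listed = [a for a in answers if ipaddress.ip_address(a) in LISTING_NET]
    if not listed:
        return None
    return (f"550 5.7.1 {ip} is listed on {ZONE} ({listed[0]}); "
            f"to request removal see {DELIST_URL}?ip={ip}")
```

Rejecting here happens before any message data is accepted, which is where the slide's efficiency claim comes from.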

Page 28: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

"Why I'm getting this NDR??!" Forefront Backscatter Protection

Outbound

[Diagram labels: Exchange internal sender, Categorizer, External recipient]

Anti-Backscatter Agent:
• Implemented as RoutingAgent
• Acts only on Outbound mail
• Attaches a token to P1.MailFrom

Token Definition:
• BATV-compliant
• Hashed tag (based off a key, time, sender, expiration, etc.)
• Keys maintained and rotated

Page 29: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Backscatter protection

Inbound

[Diagram labels: NDR generating MTA, Transport Pipeline, Exchange NDR recipient]

SMTP Receive Agent:
• Disabled by default
• Acts upon DSNs only

Backscatter Filter logic:
• NDR discovery
• Token verification
• Acceptance decision

Token Verification:
• Decrypt the sig using proper key
• Verify integrity of the sig
• If correct – strip off the sig, stamp the header, and accept NDR
• If incorrect – Discard
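The outbound tagging and inbound NDR check from the two backscatter slides, as an added example modeled on the public BATV "prvs" draft format (prvs=KDDDSSSSSS=local@domain) rather than on Forefront's actual token. The keys, the 7-day lifetime and the null-reverse-path test for NDR discovery are assumptions; this scheme verifies by recomputing a keyed hash instead of decrypting.

```python
import hashlib
import hmac

# Constructed demo keys, indexed by the one-digit key number K in the tag.
# The previous key is kept so bounces for mail sent before a rotation verify.
KEYS = {0: b"constructed-previous-key", 1: b"constructed-current-key"}
CURRENT_KEY = 1
LIFETIME_DAYS = 7
DAY = 86400


def _mac(key_id, ddd, address):
    """First 3 bytes (6 hex chars) of HMAC-SHA1 over K + DDD + original sender."""
    msg = f"{key_id}{ddd:03d}{address}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha1).hexdigest()[:6]


def sign_mail_from(address, now):
    """Outbound: rewrite the envelope sender (P1 MailFrom) with a dated tag."""
    ddd = (int(now) // DAY + LIFETIME_DAYS) % 1000  # expiry day, modulo 1000
    return f"prvs={CURRENT_KEY}{ddd:03d}{_mac(CURRENT_KEY, ddd, address)}={address}"


def verify_bounce_rcpt(rcpt, now):
    """Inbound NDR: return the original address if the tag is valid, else None."""
    if not rcpt.lower().startswith("prvs="):
        return None  # bounce for mail this system never tagged
    tag, sep, address = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return None
    key_id, ddd, sig = int(tag[0]), int(tag[1:4]), tag[4:].lower()
    if key_id not in KEYS:
        return None  # key retired or never issued
    if not hmac.compare_digest(sig, _mac(key_id, ddd, address)):
        return None  # forged or altered tag
    today = (int(now) // DAY) % 1000
    if (ddd - today) % 1000 > LIFETIME_DAYS:
        return None  # expired: blocks replay of an old, once-valid tag
    return address


def accept_message(mail_from, rcpt, now):
    """Acceptance decision; only null reverse-path messages (DSNs) are checked."""
    if mail_from != "":
        return True, rcpt
    original = verify_bounce_rcpt(rcpt, now)
    return original is not None, original
```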

Page 30: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Fingerprinting applied to every incoming message *

Relevant parts of the entire message are fingerprinted

Message reduced to anonymous fingerprints

Fingerprints don’t indicate whether the message is legit or spam

Fingerprints compared to local cache of known bad fingerprints

Cache data updated every 45 seconds

Match: message is identified as abuse

No match: message is identified as legitimate

Spam

Legitimate

Fingerprint Cache Reject

Forefront Content Filter Fingerprinting

* Exceptions apply (Safe Senders/Recipients/Safe Listed IPs etc.)

Page 31: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Content Filter SCL definitions

Forefront Content Filter enables normalization of raw spam score from CMAE engine to SCL

Forefront normalization logic:
• All messages classified as not spam get SCL:-1
• SCL assignment logic can be reverted to SCL:0 via PowerShell (New-FseExtendedOption -Name CFAllowBlockedSenders -Value true)
• SCL:-1 boundaries are within -1 to 4 in Exchange
• Actions available for messages within SCL range 5 to 9: Reject/Delete/Stamp and Continue/Quarantine
• SCL assigned to the message and can be enforced on a per-recipient basis

SCL Value: Spam Confidence Level Definitions (Exchange)
• -1: Messages coming from a trusted source (AUTH’d or safe listed)
• 0: Messages categorized as not spam
• 1 - 4: The likelihood of messages being spam ranges from extremely low to low
• 5 - 9: The likelihood of messages being spam ranges from high to extremely high

Page 32: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Spam Configuration and Management demo

Page 33: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Unified Monitoring and Reporting

• Single Node – basic reports available for each technology layer
• Multi Node – advanced reports available via Forefront Protection Manager
• Single connection point to reporting via Forefront UI
• Agent Logs, Perfmon Data
• Incidents and Quarantine Database, Rich Eventing Model

Author policy

Deploy

Collect Events

View Alerts & Reports

Correct

Analyze

Page 34: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Simplify Security Management

• Unified policy management for on-premise and cloud-based messaging servers

• Enterprise-wide visibility into e-mail threats through a single console

• Help enable compliance with in-depth reporting capabilities

• Easy-to-use interfaces and templates for system configuration and threat response

Simplify security, manage compliance

Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230

"It let them bring everything together into one package for ease of management in the network" - Amy Babinchak, Harbor Computer Services, Inc.

Page 35: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Malware protection demo

Page 36: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server: an extension into Online Services

Page 37: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Hybrid Messaging Security With FPE + FOPE + Exchange

Firewall

Antivirus and antispam protection for Exchange Server 2007/2010 Server Roles

On-Premise Software

Mailbox Server

SMTP

Internet

Exchange Edge

FOPE Gateway

Exchange Hub

Mail

Mail

Spam policy

Spam policy

Full Management Policy

Protection 2010 for Exchange Server

Page 38: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Key Differentiators

• Ease of Administration, Monitoring, and Reporting
• Malware Protection: Multiple Engines
• Spam Protection: Layered Defense
• Hybrid Model: Integration with Online Service

Page 39: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Forefront Protection 2010 for Exchange Server Benefits

• Integrated multiple engine malware protection
• Best of breed spam protection for on the premises and in the cloud customers:
  • Precise spam detection with above 99% catch rate
  • Reduction in Carbon Footprint of spam by early rejection of unwanted messaging stream
• Hybrid Model and Ease of Administration:
  • Low TCO with High ROI for Exchange organizations
  • Flexible implementation

Page 40: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Exchange + Forefront Better Together Security Summary

Exchange 2010 provides…
• Default encryption and broader support for IRM
• Extensive infrastructure for per-user SCL
• Incremental Edge Synch for safe/blocked senders
• Per recipient list aggregation from Outlook

Forefront 2010 extends foundation with…
• Premium multiple engine antimalware
• Auto-configuration of antispam agents
• Unified management of FPE, Exchange, FOPE
• Leading antispam content filter engine (above 99% detection rate)
• Option of hosted and hybrid protection for lower TCO
• Config/maintenance-free setup

Page 41: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

More Info….

• Microsoft FPE Web Site
• NEW! Microsoft FPE Whitepapers
• Forefront Protection 2010 for Exchange Server Antispam Framework
• Forefront Protection 2010 For Exchange Server Antispam
• Forefront Protection 2010 for Exchange Server
• Forefront Protection 2010 for Exchange Server Scan Actions And Sequence
• Monitoring Forefront Protection 2010 for Exchange Server
• Microsoft BRS – Secure Messaging
• Microsoft Edge - FPE

Page 42: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Additional Sessions

• SIA317 – Microsoft Forefront Online Services – Overview, Architecture and Roadmap
• SIA02-DEMO – End-to-End E-mail Protection
• SIA05-IS – Secure Messaging using AD RMS and Exchange 2010
• SIA304 – Windows Server 2008 R2 AD RMS

Page 43: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

question & answer

Page 44: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Please Complete An Evaluation Form
Your input is important!

Multiple ways to access Online Evaluation Forms:

1. CommNet stations located throughout conference venues
2. Via a Windows Mobile device
3. Via the CommNet “Julian” offline Windows Mobile evaluation and session scheduling tool
4. From any wired or wireless connection to: https://www.MyTechReady.com

For more information please refer to your Pocket Guide

Page 45: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

Page 46: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 47: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Content Filter Updates

Better Together for ECAL customers
• ECAL customers receive premium Forefront content filter and updates
• ECAL customers will always have the freshest spam fingerprints
• “Lights Out” engine updates

Content Filter Updates (Exchange 2007) compared with Content Filter Updates (Forefront Protection 2010):
• Type: Signatures (Exchange 2007); Fingerprints (Forefront Protection 2010)
• Update Frequency: Sigs - every 6 hours, engine updates via service packs (Exchange 2007); ~45 seconds (micro), ~5 minutes (full), engine updates “On The Fly” (Forefront Protection 2010)
• Source: Machine Learning (consumer) (Exchange 2007); Global Feedback Loop (enterprise) (Forefront Protection 2010)

Page 48: SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Secure Messaging – The Road Ahead

Subject to Change

[Roadmap chart. Columns: Currently Shipping, CY 2009 H2, CY 2010 H1. Rows: Management, Protection & Access, Platform]

Management Consoles