sia311 better together: microsoft exchange server 2010 and microsoft forefront secure messaging...
DESCRIPTION
Come learn how Forefront and Exchange Server 2010 work better together! This session covers how Forefront Protection 2010 for Exchange Server (FPE) and Forefront Online Protection for Exchange (FOPE) will facilitate protection of Microsoft Exchange Server 2010 from malware and unsolicited mail.
TRANSCRIPT
Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution
Alexander Nikolayev, Program Manager, Microsoft Corporation, SIA 311
Cristian Mora, Technical Product Manager, Microsoft Corporation, SIA 311
Agenda
Spam & Malware Phishing & Viruses
E-mail Security Threats
Forefront/Exchange Better Together Security
Premium Antimalware Protection, Premium Antispam Protection, Administration and Management
Summary Forefront Protection 2010 for Exchange: Key Differentiators Forefront/Exchange Better Together:
Benefits and Better Together Security
Top E-mail Threat Concerns
Malware via URLs, Malware via Attachments, Phishing, Spam, Data Leakage.
Source: Messaging Security Survey: The Good, Bad, and Ugly Study. IDC, 2009
“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.”
— The Radicati Group, Inc., E-mail Security Market, 2009-2013
… Around $8 Billion Lost to Viruses, Spyware and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime…
— 2009 State of the Net Survey
“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam” - Forrester Wave Email filtering Q2 2009, April 2009
“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” - Brian E. Burke, “Messaging Security Survey” IDC February 2009
[Chart: New Phishing Sites By Month, Dec 2004 to Dec 2005]
Source: http://www.antiphishing.org
So, what’s the
Solution???
Protect everywhere, access anywhere
Simplify the security experience, manage compliance
Integrate and extend security across the enterprise
Highly Secure & Interoperable Platform
Identity
From: Block, Cost, Siloed
To: Enable, Value, Seamless
Business Ready SecurityHelp securely enable business by managing risk and empowering people
Information Protection
Identity and Access Management
Business Ready Security Solutions
Secure EndpointSecure CollaborationSecure Messaging
PROTECT everywhere ACCESS anywhere
SIMPLIFY security,MANAGE compliance
INTEGRATE and EXTEND security
Secure Messaging
• Best-in-class anti-malware on-premise / in-the-cloud
• Protect sensitive information in e-mail
• Secure, seamless access
• Built-in information protection
• Extend secure e-mail to partners
• Enterprise-wide visibility and reporting
• Unified management
Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information
Innovative Technologies, Industry Collaboration and Cooperation, User Education, Effective Legislation
Forefront Protection 2010 for Exchange Server
Support for earlier Exchange server versions (Exchange 2003)
Multiple engines
Antispam ProtectionDNSBL
Enhanced FilteringKeyword Filtering
Exchange 2007 Integration Integrated into the Transport Pipeline
Hybrid Model
Administration
Improved Performance
Multiple Engine SupportAntivirus protectionAntispam protection
New content filter engine Anti-Backscatter
Microsoft Antispyware engine
FOPE Integration Integrated provisioning
and Management
Powershell supportNew Interface dashboard
Hyper V support
VSAPI for virus scanning
Edge, Hub, and Mailbox
File Filtering
Surpassing Security Expectations
Exchange 2010 Forefront 2010
Encryption Antivirus
Default Intra-Org ∙
Inter-Org mTLS support∙
IRM support
Multiple Engine Malware
Detection
Unified ManagementHosted, Hybrid Protection
Premium
Antispam
Basic
Standard CAL Enterprise CAL
Forefront/Exchange Better Together:
Industry-Leading Performance
West Coast Labs: Spam Catch Rate above 99%, Premium Antispam certification
Virus Bulletin: Continuous Spam Catch Rate above 99%: 99.77% (September 2009), 99.46% (November 2009)
360° Malware and Spam Protection
Forefront Protection 2010 for Exchange Server Deployment
Options
Protection 2010 for Exchange Server
Forefront Protection 2010 for Exchange Server
Enterprise Network
External Mail
Unified MessagingVoice mail & voice access
Hub TransportRouting & Policy
Web browser
Outlook (remote user)
Mobile phone
Outlook (local user)Line of business applications
MailboxStorage of
mailbox items
Protection 2010 for Exchange ServerProtection 2010 for Exchange Server
Phone system (PBX or VOIP)
Protection 2010 for Exchange ServerThreat Management Gateway
Edge TransportThreat Management Gateway
Protection Availability:Exchange 2010Exchange 2007 SP1
Client AccessClient connectivity
Web services
Forefront Protection 2010 for Exchange Server Malware
Protection
Protection 2010 for Exchange Server
Protect Messages from MalwareMicrosoft Solution“Defense in Depth”Competitors’ Solutions
On premises or in the cloud
Automatic Engine Updates
Single Engine Multiple Engines
99% spam detection*
* With premium antispam services
38 times faster
An AV-Test of consumer antivirus products revealed:
• On average, Forefront engine sets provided a response in 3.1 hours or less.
• Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively.
Protect everywhere, access anywhere
Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230
“Forefront Security for Exchange Server can support up to five scanning engines at the same time. Thus, it offers a more secure environment, compared with products that support using only a single engine.” - Akihiro Shiotani, Deputy Director of the Infrastructure Group
Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages
• Leading antimalware engines deployment via integrated solution
• Allows multi-directional protection of messaging stream: inbound, outbound, internal, and data at rest
• Intelligent Engine Selection:
  • Automatically chooses the most current and effective engines first
  • Allows administrators to balance security with performance needs
• Removal of a single point of failure in the organization
• Lower TCO – all engines included in base cost
Message throughput improvement
15% in CPU Utilization improvement
Reduction in Context Switches
Improvements in CPU Utilization
Technology investment Results (5 engines test)
Measured reduction is 30%
From 25 to 40 messages/second
Coming in SP1Native 64-bit supportC
Performance ImprovementsForefront Protection 2010 for Exchange Server vs. Forefront Security for Exchange 2007
Gated by the Exchange Server perfSpam Filtering throughput
Remote Update Services
Automatic Updates
Forefront Engines Updates
Directly from vendor
Manual Config
Redistribution
MSAV/CMAE
Managing Multi-Engine Environment demo
Forefront Protection 2010 for Exchange Server
Antispam Overview
Protection 2010 for Exchange Server
Forefront Protection 2010 AntispamFunctional Highlights
Exchange 2010
+ Forefront 2010 Benefits
Connection Filtering
Forefront DNS Block List
• Aggregated RBL data from multiple external and internal vendors
• No configuration required
Protocol Filtering
Unified Management • Consolidated Connection/Sender/Recipient/Sender ID filtering for simplified management
Backscatter Filter • Blocks NDR (backscatter) spam
Content Filtering
Cloudmark CMAE Engine
• Option of alternative 3rd party content filter
• Above 99% detection rate
• No configuration required (installs with smart defaults)
Forefront True Type File Filtering
• Real file type inspection (not just extension)
• Actionable scanning of nested files/within ZIP
Global Exception Lists • Single access point to sender and recipient exception lists (allow and block actions)
Streamlined SCL • Less ambiguous ratings for less false positives end to end.
Hybrid Model • Integration with Forefront Online Protection for Exchange
Forefront Protection 2010 Antispam Features
IP Block List
Sender ID Filter
DNSBL Filter
Sender Filter
Backscatter Filter
Junk E-mail Filter
Recipient Filter
Content Filter
Layered Antispam Technologies
• Connection Filtering (IP Block/Allow, DNSBL, SenderID filters)
• Protocol Filtering (Sender, Recipient, Backscatter filters)
• Content Filtering (spam/phishing)
New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model
Reducing the Carbon Footprint of Spam: Forefront DNSBL
• Implemented as SMTP Receive Agent, configuration/maintenance-free feature
• Multiple external and internal RBL providers with continuous flow of feeds
• Queries sent to Forefront-owned DNS infrastructure
• Efficiency: based on internal MSIT numbers, 80-85% of all incoming connection requests being denied by DNSBL
• Rejection response is actionable (to help with the corrective actions): “550 5.7.1 Do this to get the IP removed from the DNSBL list…”
External recipient
Anti-Backscatter Agent:
• Implemented as RoutingAgent
• Acts only on Outbound mail
• Attaches a token to P1.MailFrom
Token Definition:
• BATV-compliant
• Hashed tag (based off a key, time, sender, expiration, etc.)
• Keys maintained and rotated
"Why I'm getting this NDR??!" Forefront Backscatter Protection
Exchange internal sender
Categorizer
Outbound
Exchange NDR recipient
Backscatter Filter logic:
• NDR discovery
• Token verification
• Acceptance decision
SMTP Receive Agent:
• Disabled by default
• Acts upon DSNs only
Forefront Backscatter protection
NDR generating MTA
Transport Pipeline
Inbound
Token Verification:
• Decrypt the sig using proper key
• Verify integrity of the sig
• If correct – strip off the sig, stamp the header, and accept NDR
• If incorrect – Discard
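The tag-and-verify flow on these slides, sketched as an added example; it is not Forefront's code, and the slides do not give Forefront's token format. It assumes the public BATV `prvs=KDDDSSSSSS=address` layout and checks the tag by recomputing an HMAC-SHA1 rather than decrypting; the keys, the 7-day lifetime and the function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo keys, indexed by the one-digit key number carried in the tag.
# Keeping the previous key lets tags issued before a rotation still verify.
KEYS = {0: b"constructed-previous-key", 1: b"constructed-current-key"}
CURRENT_KEY = 1
LIFETIME_DAYS = 7  # assumed validity window for a tag
DAY = 86400
TAGGED = re.compile(r"prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)", re.ASCII | re.IGNORECASE)


def tag_mac(key_id, day, address):
    """Hex of the first three bytes of HMAC-SHA1 over key number, expiry day, address."""
    msg = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha1).hexdigest()[:6]


def sign_mail_from(address, now):
    """Outbound mail: rewrite the envelope sender (P1 MailFrom) to carry a tag."""
    day = (int(now) // DAY + LIFETIME_DAYS) % 1000
    return f"prvs={CURRENT_KEY}{day:03d}{tag_mac(CURRENT_KEY, day, address)}={address}"


def verify_ndr_recipient(rcpt, now):
    """Inbound DSN: return the untagged address to accept, or None to discard."""
    m = TAGGED.fullmatch(rcpt)
    if m is None:
        return None  # NDR addressed to a sender this organization never tagged
    key_id, day, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if key_id not in KEYS:
        return None  # key has been rotated out
    today = (int(now) // DAY) % 1000
    if (day - today) % 1000 > LIFETIME_DAYS:
        return None  # tag expired, or expiry implausibly far ahead
    if not hmac.compare_digest(sig, tag_mac(key_id, day, address)):
        return None  # forged tag, or address altered after signing
    return address
```
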
Fingerprinting applied to every incoming message *
Relevant parts of the entire message are fingerprinted
Message reduced to anonymous fingerprints
Fingerprints don’t indicate whether the message is legit or spam
Fingerprints compared to local cache of known bad fingerprints
Cache data updated every 45 seconds
Match: message is identified as abuse
No match: message is identified as legitimate
Spam
Legitimate
Fingerprint Cache Reject
Forefront Content Filter Fingerprinting
* Exceptions apply (Safe Senders/Recipients/Safe Listed IPs etc.)
Content Filter SCL definitions
Forefront Content Filter enables normalization of raw spam score from CMAE engine to SCL
Forefront normalization logic:
• All messages classified as not spam get SCL:-1
• SCL assignment logic can be reverted to SCL:0 via PowerShell (New-FseExtendedOption -Name CFAllowBlockedSenders -Value true)
• SCL:-1 boundaries are within -1 to 4 in Exchange
• Actions available for messages within SCL range 5 to 9: Reject/Delete/Stamp and Continue/Quarantine
• SCL assigned to the message and can be enforced on a per-recipient basis
SCL Value: Spam Confidence Level Definitions (Exchange)
-1: Messages coming from a trusted source (AUTH’d or safe listed)
0: Messages categorized as not spam
1 - 4: The likelihood of messages being spam is extremely low to low
5 - 9: The likelihood of messages being spam is high to extremely high
Spam Configuration and Management demo
Forefront Unified Monitoring and Reporting
• Single Node – basic reports available for each technology layer
• Multi Node – advanced reports available via Forefront Protection Manager
• Single connection point to reporting via Forefront UI
• Agent Logs, Perfmon Data
• Incidents and Quarantine Database, Rich Eventing Model
Author policy
Deploy
Collect Events
View Alerts & Reports
Correct
Analyze
Simplify Security Management
• Unified policy management for on-premise and cloud-based messaging servers
• Enterprise-wide visibility into e-mail threats through a single console
• Help enable compliance with in-depth reporting capabilities
• Easy to use interfaces and templates for system configuration and threat response
Simplify security, manage compliance
Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230
"It let them bring everything together into one package for ease of management in the network" - Amy Babinchak, Harbor Computer Services, Inc.
Malware protection demo
Forefront Protection 2010 for Exchange Server: an extension
into Online Services
Protection 2010 for Exchange Server
Hybrid Messaging SecurityWith FPE + FOPE + Exchange
Firewall
Antivirus and antispam protection for Exchange Server 2007/2010 Server Roles
On-Premise Software
Mailbox ServerSMTP
Internet
Exchange Edge
FOPE Gateway
Exchange Hub
Spam policy
Spam policy
Full Management Policy
Protection 2010 for Exchange Server
Ease of Administration, Monitoring, and Reporting
Malware Protection: Multiple Engines
Spam Protection:Layered Defense Key
Differentiators
Hybrid Model:Integration with Online Service
Protection 2010 for Exchange Server
Forefront Protection 2010 for Exchange Server Benefits
• Integrated multiple engine malware protection
• Best of breed spam protection for on the premises and in the cloud customers:
  • Precise spam detection with above 99% catch rate
  • Reduction in Carbon Footprint of spam by early rejection of unwanted messaging stream
• Hybrid Model and Ease of Administration:
  • Low TCO with High ROI for Exchange organizations
  • Flexible implementation
Exchange 2010 provides…
• Default encryption and broader support for IRM
• Extensive infrastructure for per-user SCL
• Incremental Edge Synch for safe/blocked senders
• Per recipient list aggregation from Outlook
Forefront 2010 extends foundation with…
• Premium multiple engine antimalware
• Auto-configuration of antispam agents
• Unified management of FPE, Exchange, FOPE
• Leading antispam content filter engine (above 99% detection rate)
• Option of hosted and hybrid protection for lower TCO
• Config/maintenance-free setup
Exchange + Forefront Better Together Security Summary
More Info….
• Microsoft FPE Web Site
• NEW! Microsoft FPE Whitepapers
• Forefront Protection 2010 for Exchange Server Antispam Framework
• Forefront Protection 2010 For Exchange Server Antispam
• Forefront Protection 2010 for Exchange Server
• Forefront Protection 2010 for Exchange Server Scan Actions And Sequence
• Monitoring Forefront Protection 2010 for Exchange Server
• Microsoft BRS – Secure Messaging
• Microsoft Edge - FPE
Additional Sessions
• SIA317 – Microsoft Forefront Online Services – Overview, Architecture and Roadmap
• SIA02-DEMO – End-to-End E-mail Protection
• SIA05-IS – Secure Messaging using AD RMS and Exchange 2010
• SIA304 – Windows Server 2008 R2 AD RMS
question & answer
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Content Filter Updates
• ECAL customers receive premium Forefront content filter and updates
• ECAL customers will always have the freshest spam fingerprints
• “Lights Out” engine updates
Better Together for ECAL customers
Content Filter Updates (Exchange 2007):
• Type: Signatures
• Update Frequency: Sigs - every 6 hours, Engine updates via service packs
• Source: Machine Learning (consumer)
Content Filter Updates (Forefront Protection 2010):
• Type: Fingerprints
• Update Frequency: ~45 seconds (micro), ~5 minutes (full); Engine updates “On The Fly”
• Source: Global Feedback Loop (enterprise)
Secure Messaging – The Road Ahead
Currently Shipping
CY 2009 H2
Subject to Change
CY 2010 H1
Management
Protection & Access
Platform
Management Consoles