The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus
Upcoming SlideShare
Loading in...5

The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus



INBOX The Messaging Industry Event ...

INBOX The Messaging Industry Event


S1: The Threat Landscape has Changed: Moving Beyond Anti-spam and Anti-virus
Today, email filtering is more than just anti-spam and anti-virus. Complex threats, combined with the fact that many spammers are also hackers, means organizations need to take a preemptive, multi-layered approach to email security to keep business-critical email flowing. This session will examine in-depth the latest preemptive techniques for staying ahead of email threats, such as profiling malicious behavior to identify, analyze and block suspicious behaviors in file attachments and executable code before they can infiltrate the network. The discussion will focus on how companies can leverage these techniques to proactively address entire classes of threats, rather than on a case by case basis, which is where the future of email security lies.

SPEAKER: Eric Hanselman, Network Protection Architect, IBM Internet Security Systems



Total Views
Views on SlideShare
Embed Views



2 Embeds 5 4 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • To replace the title / subtitle with your own: Click on the title block -> select all the text by pressing Ctrl+A -> press Delete key -> type your own text

The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus Presentation Transcript

  • The Threat Landscape Has Changed: Moving Beyond Anti-Spam and Anti-Virus Eric Hanselman, CISSP Network Protection Architect
  • Email Management: An Ongoing Problem
    • Has always been an issue
    • Too easy an access path
      • Ubiquitous, anonymous access
    • Too critical to block
    • Cycles of control
      • Problem is getting worse…
  • The Problem is Complex
    • Spam
    • Attacks
    • Content management
      • Intellectual property
      • Legal liabilities
  • Nefarious Goals are Blending
    • Product sales
    • Stock manipulation
    • Money laundering
    • Bot recruitment
    • Data Theft
      • Phishing
      • Keystroke loggers
  • The Mule Trade
  • Registrant: Said Mahmod +96.485743234 Said Mahmod inc. Gavi-ayesh 34 21 Reeayad, Reeayad, PALESTINIAN TERRITORY , OCCUPIED 7849343 Domain Name: Record last updated at 2007-03-02 10:27:15 Record created on 2007/3/2 Record expired on 2008/3/2 Queried with " "... % [ node-1] % Whois data copyright terms inetnum: - netname: HOSTFRESH descr: HostFresh descr: Internet Service Provider country: Hong Kong [email_address] .cc - TLD “.CC” is for the Cocos (Keeling) Islands +96.485743234 International Telephone Country Codes +96x is for the “Middle East” (Iraq, Jordan, Kuwait, Lebanon, Maldeves, Oman, Saudi Arabia, Syria, Yeman) +964 is for IRAQ
  • Profit Motivates Innovation
    • There is a lot of money to be made!
    • Senders are smart
      • Techniques are evolving
    • Spam and attack traffic are converging!
  • Two Traditional Paths of Defense
    • Anti-spam
      • Block known bad senders
        • RBL’s
      • Block known bad words
      • Block known bad paths
    • Anti-Virus
      • Block known bad attachments
    • We expect some will get through!
  • Sender Innovations
    • Spread the senders
      • Botnet spam agents
    • Obscure the words
      • Image spam
    • Multiply the paths
    • Morph the attachments
      • Polymorphic encoding
    • Embed new attacks
  • Image Spam Gets Smarter
  • Techniques Get Smarter
  • Avoiding Detection
    • Senders are stealthy
      • No news is good news!
    • Techniques are quieter
      • Stay under the radar
      • Slip between the cracks
    • Targets are smaller
    • Keeping victims quiet
      • Social engineering
  • A Tale of Two Bots
    • Similar roots
      • Use self-replicating worm techniques to infect hosts via email
      • Establishes connection to bot network for download of additional components
        • Future activities are limitless
    • Stration
      • Great polymorphic encoder
    • SpamThru
      • Brings its own Anti-Virus
      • GIF tools
  • Masking By Morphing
    • Polymorphic encoder beats Anti-Virus protections
    • High volumes increase success probabilities
  • Self-Modifying Malware – Stration
    • Number of Variants Captured
    • 8/16/06 to 11/26/06
  • Next Generation Payloads
    • Script-based obfuscation
      • Payload is hidden by Java script
      • Can pass built-in encoder
    • Additional hiding capabilities
      • Very hard to see in transit
      • Depends on interpretation on the endpoint
    • We can’t count on clean-up
    • We can’t allow any to succeed
  • How to Approach Protection
    • Staunch the flow
      • Better mail stream filtering
      • Limit user choices
    • Protect at the end points
      • The only place to catch them
      • Ultimate user protection
  • Staunching the Flow
    • Traditional techniques need a priori knowledge
      • Elusive at best…
      • Bad Stuff is Hard to Predict
    • Time is required for analysis
      • Delay causes scaling problems
    • Statistical analysis
      • An a posteriori technique
      • Good for large volumes
    • Some still gets through
  • Better Flow Techniques
    • URL references
      • Analyze web links
    • Structure analysis
      • Better capabilities
    • Image analysis
      • Beyond OCR
    • Sender identity control
      • Still a long way off
  • Host-Based Detection
    • Best for executable content analysis
      • Highly scalable
    • Behavioral executable analysis
      • Anti-Virus isn’t enough
    • Poor statistical capabilities
    • Traditional security
      • Patching still required, but…
  • The Risks Have Expanded
    • Our protections need to expand, too!
      • Plan for action today!
      • Review existing protections
      • Coordinate email and host protection planning
      • Keep data security planning on the horizon
    • Risks aren’t standing still!
  • Threats are everywhere… and always evolving. Will you be protected?
  • Resources
    • Spam and Phishing
      • http:// /
    • Security Protections
      • /
  • Thank You! Questions?