SIA311 Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution

Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution
Cristian Mora
Technical Product Manager
Microsoft Corporation
SIA 311
Alexander Nikolayev
Program Manager
Microsoft Corporation
SIA 311

Agenda
E-mail Security Threats
Spam & Malware
Phishing & Viruses
Premium Antimalware Protection
Premium Antispam Protection
Administration and Management
Forefront/Exchange
Better Together Security
Forefront Protection 2010 for Exchange: Key Differentiators
Forefront/Exchange Better Together: Benefits and Better Together Security
Summary

Top E-mail Threat Concerns
Malware via URLs,
Malware via Attachments,
Phishing,
Spam,
Data Leakage.
Source: Messaging Security Survey: The Good, Bad, and Ugly Study. IDC, 2009

“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.”
— The Radicati Group, Inc., E-mail Security Market, 2009-2013
… Around $8 Billion Lost to Viruses, Spyware and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime…
— 2009 State of the Net Survey
“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam”
- Forrester Wave Email filtering Q2 2009, April 2009
“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” - Brian E. Burke, “Messaging Security Survey” IDC February 2009

7,197
5,259
5,242
4,564
4,630
4,367
4,280
3,326
2,854
2,870
2,625
2,560
1,707
May
Jun
Jul
Apr
Aug
Mar
Sep
Feb
Oct
Jan
Nov
Dec04
Dec05
New Phishing Sites By Month
Source:http://www.antiphishing.org

New Phishing Sites By Month
Source:http://www.antiphishing.org

So, what’s the Solution???

Business Ready SecurityHelp securely enable business by managing risk and empowering people
Protection
Access
Protect everywhere,
access anywhere
Identity
Simplify the security experience,
manage compliance
Management
Highly Secure & Interoperable Platform
Integrate and extend
security across the enterprise
from:
to:
Block
Enable
Cost
Value
Siloed
Seamless

Information Protection
Identity and Access Management
Business Ready Security Solutions
Secure Endpoint
Secure Collaboration
Secure Messaging

Secure Messaging
Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information
PROTECT everywhere
ACCESS anywhere
SIMPLIFY security,
MANAGE compliance
INTEGRATE and
EXTEND security

Best-in-class anti-malware on-premise / in-the-cloud
Protect sensitive information in e-mail
Secure, seamless access
Enterprise-wide visibility and reporting
Unified management
Built-in information protection
Extend secure e-mail to partners

Innovative Technologies
Industry Collaboration and Cooperation
User Education
Effective Legislation

Forefront Protection 2010 for Exchange Server
Antispam Protection
DNSBL
New content filter engine
Anti-Backscatter
Multiple engines
Hybrid Model
Enhanced Filtering
Keyword Filtering
Support for earlier Exchange server versions (Exchange 2003)
FOPE Integration
Integrated provisioning
and Management
File Filtering
Multiple Engine Support
Antivirus protection
Antispam protection
Exchange 2007 Integration
Integrated into the Transport Pipeline
Administration
Powershell support
New Interface dashboard
Edge, Hub, and Mailbox
Hyper V support
Improved Performance
VSAPI for virus scanning
Microsoft Antispyware engine

Forefront/Exchange Better Together:
Surpassing Security Expectations
Exchange 2010
Forefront 2010
Encryption
Antivirus
Antispam
Default Intra-Org
∙
Inter-Org mTLS support
∙
IRM support
Multiple Engine Malware Detection
Basic
Premium
Unified Management
Hosted, Hybrid Protection
Standard CAL
Enterprise CAL

Industry-Leading Performance
3600 Malware and Spam Protection
West Coast Labs:
Spam Catch Rate above 99%
Premium Antispam certification
Virus Bulletin:
Continuous Spam Catch Rate above 99%:
99.77% (September 2009)
99.46% (November 2009)

Protection 2010 for Exchange Server
Forefront Protection 2010 for Exchange Server Deployment Options

Threat Management Gateway
Enterprise Network
Edge Transport
Protection Availability:
Exchange 2010
Exchange 2007 SP1
Hub Transport
Routing & Policy
External Mail
Unified Messaging
Voice mail & voice access
Mailbox
Storage of mailbox items
Mobile phone
Threat Management Gateway
Client Access
Client connectivity
Web services
Web browser
Phone system (PBX or VOIP)
Outlook (remote user)
Line of business applications
Outlook (local user)

Forefront Protection 2010 for Exchange Server Malware Protection

Protect Messages from Malware
Protect everywhere,
access anywhere
Microsoft Solution
“Defense in Depth”
Competitors’ Solutions
Multiple Engines
Single Engine
38 times faster
An AV-Test of consumer antivirus products revealed:

On average, Forefront engine sets provided a response in 3.1 hours or less.
Single-engine vendors provided responses in 5 days, 4 days,and 6 days respectively.

Automatic Engine Updates
On premises or in the cloud
99% spam detection*
* With premium antispam services
“
“Forefront Security for Exchange Server can support up to five scanning engines at the same time. Thus, it offers a more secure environment, compared with products that support using only a single engine.”
- Akihiro Shiotani, Deputy Director of the Infrastructure Group
Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230

Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages
Leading antimalware engines deployment via integrated solution,
Allows multi-directional protection of messaging stream: inbound, outbound, internal, and data at rest,
Intelligent Engine Selection:
Automatically chooses the most current and effective engines first,
Allows administrators to balance security with performance needs.
Removal of a single point of failure in the organization,
Lower TCO – all engines included in base cost.

Performance Improvements
Forefront Protection 2010 for Exchange Server vs.
Forefront Security for Exchange 2007
Results (5 engines test)
Technology investment
Message throughput improvement
From 25 to 40 messages/second
Measured reduction is 30%
Reduction in Context Switches
Improvements in CPU Utilization
15% in CPU Utilization improvement
Native 64-bit supportC
Coming in SP1
Gated by the Exchange Server perf
Spam Filtering throughput

Automatic Updates
Remote Update Services
Forefront Engines Updates
MSAV/CMAE
Directly from vendor
Redistribution
Manual Config

Managing Multi-Engine Environment
demo

Antispam Overview

Forefront Protection 2010 AntispamFunctional Highlights

Forefront Protection 2010 Antispam Features
Recipient
Filter
Sender ID Filter
Sender Filter
Content
Filter
DNSBL
Filter
Backscatter Filter
Junk E-mail Filter
IP Block
List
Layered Antispam Technologies
Connection Filtering (IP Block/Allow, DNSBL, SenderID filters)
Protocol Filtering (Sender, Recipient, Backscatter filters)
Content Filtering (spam/phishing)
New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model

Reducing the Carbon Footprint of Spam: Forefront DNSBL
Implemented as SMTP Receive Agent, configuration/maintenance-free feature,
Multiple external and internal RBL providers with continuous flow of feeds,
Queries sent to Forefront-owned DNS infrastructure,
Efficiency: based on internal MSIT numbers 80-85% of all incoming connection requests being denied by DNSBL,
Rejection response is actionable (to help with the corrective actions: “550 5.7.1 Do thisto get the IP removed from the DNSBL list…”

"Why I'm getting this NDR??!" Forefront Backscatter Protection
Outbound
Categorizer
Exchange internal
sender
External recipient
Token Definition:

BATV-compliant
Hashed tag (based off a key, time, sender, expiration, etc.)
Keys maintained and rotated

Anti-Backscatter Agent:

Implemented as RoutingAgent
Acts only on Outbound mail
Attaches a token to P1.MailFrom:

Forefront Backscatter protection
Inbound
Transport Pipeline
NDR generating
MTA
Exchange
NDR recipient
Token Verification:

Decrypt the sig using proper key
Verify integrity of the sig
If correct – strip off the sig, stamp the header, and accept NDR
If incorrect – Discard

Backscatter Filter logic:

NDR discovery
Token verification
Acceptance decision

SMTP Receive Agent:

Disabled by default
Acts upon DSNs only

Forefront Content Filter Fingerprinting
Fingerprint Cache
Spam
Reject
Legitimate

Fingerprints compared to local cache of known bad fingerprints
Cache data updated every 45 seconds
Match: message is identified as abuse
No match: message is identified as legitimate
Message reduced to anonymous fingerprints
Fingerprints don’t indicate whether the message is legit or spam
Fingerprinting applied to every incoming message *
Relevant parts of the entire message are fingerprinted

* Exceptions apply (Safe Senders/Recipients/Safe Listed IPs etc.)

Content Filter SCL definitions
Forefront Content Filter enables normalization of raw spam score from CMAE engine to SCL
Forefront normalization logic:
All messages classified as not spam get SCL:-1
SCL assignment logic can be reverted to SCL:0 via powershell (New-FseExtendedOption –Name CFAllowBlockedSenders –Value true)
SCL:-1 boundaries are within -1 to 4 in Exchange
Actions available for messages within SCL range 5 to 9:
Reject/Delete/Stamp and Continue/Quarantine
SCL assigned to the message and can be enforced on a per-recipient basis

Spam Configuration and Management
demo

Forefront Unified Monitoring
and Reporting
Single Node – basic reports available for each technology layer,
Multi Node – advanced reports available via Forefront Protection Manager,
Single connection point to reporting via Forefront UI,
Agent Logs, Perfmon Data,
Incidents and Quarantine Database, Rich Eventing Model.
Author policy
Deploy
Correct
Collect Events
Analyze
View Alerts & Reports

Simplify Security Management
Simplify security,
manage compliance

Unified policy management for on-premise and cloud-based messaging servers
Enterprise-wide visibility into e-mail threats through a single console
Help enable compliance with in-depth reporting capabilities
Easy to use inerfaces and templates for system configuration and threat response

“
"It let them bring everything together into one package for ease of management in the network“
- Amy Babinchak, Harbor Computer Services, Inc.
Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230

Malware protection
demo

Forefront Protection 2010 for Exchange Server: an extension into Online Services

Firewall
Hybrid Messaging SecurityWith FPE + FOPE + Exchange
On-Premise Software
Internet
Spam policy
Mail
Spam policy
FOPE Gateway
Full Management Policy
SMTP
Mail
Exchange Hub
Mailbox Server
Exchange Edge
Antivirus and antispam protection for Exchange Server 2007/2010 Server Roles

Malware Protection:
Multiple Engines
Spam Protection:
Layered Defense
Key Differentiators
Ease of Administration,
Monitoring, and Reporting
Hybrid Model:
Integration with
Online Service

Forefront Protection 2010 for Exchange Server Benefits
Integrated multiple engine malware protection,
Best of breed spam protection for on the premises and in the cloud customers:
Precise spam detection with above 99% catch rate,
Reduction in Carbon Footprint of spam by early rejection of unwanted messaging stream.
Hybrid Model and Ease of Administration:
Low TCO with High ROI for Exchange organizations,
Flexible implementation.

Exchange + Forefront Better Together Security Summary
Exchange 2010 provides…
Default encryption and broader support for IRM
Extensive infrastructure for per-user SCL
Incremental Edge Synch for safe/blocked senders
Per recipient list aggregation from Outlook
Forefront 2010 extends foundation with…
Premium multiple engine antimalware
Auto-configuration of antispam agents
Unified management of FPE, Exchange, FOPE
Leading antispam content filter engine (above 99% detection rate)
Option of hosted and hybrid protection for lower TCO
Config/maintenance-free setup.

More Info….

Microsoft FPE Web Site
NEW! Microsoft FPE Whitepapers
Forefront Protection 2010 for Exchange Server Antispam Framework
Forefront Protection 2010 For Exchange Server Antispam
Forefront Protection 2010 for Exchange Server Scan Actions And Sequence
Monitoring Forefront Protection 2010 for Exchange Server
Microsoft BRS – Secure Messaging
Microsoft Edge - FPE

Additional Sessions

SIA317 – Microsoft Forefront Online Services – Overview, Architecture and Roadmap
SIA02-DEMO – End-to-End E-mail Protection
SIA05-IS – Secure Messaging using AD RMS and Exchange 2010
SIA304 – Windows Server 2008 R2 AD RMS

question & answer

Please Complete An Evaluation FormYour input is important!
Multiple ways to access Online Evaluation Forms:
CommNet stations located throughout conference venues
Via a Windows Mobile device
Via the CommNet “Julian” offline Windows Mobile evaluation and session scheduling tool
From any wired or wireless connection to:https://www.MyTechReady.com
1.
2.
3.
4.
For more information please refer to your Pocket Guide
Speaker – Click Hereto Launch Video

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Content Filter Updates
Better Together for ECAL customers
ECAL customers receive premium Forefront content filter and updates,
ECAL customers will always have the freshest spam fingerprints,
“Lights Out” engine updates

Secure Messaging – The Road Ahead
Currently Shipping
CY 2009
CY 2010
H2
H1
Manage-ment
Management Consoles
Protection & Access
Platform
Subject to Change