Email Security For Advanced Malware And Evasive Persistent Threats

Enhancing Email Gateway Technologies

Email is a key mission-critical application.  Unfortunately, it is also one of the dominant vectors for delivering both traditional viruses and advanced malware.  Traditional Secure Email Gateways (SEG) address traditional threats such as spam and viruses.  However, they are insufficient to detect and stop today's evasive malware, which is designed to bypass SEG detection.

Lastline Enterprise is a complementary layer of defense that enhances your SEG investment and provides email security against advanced malware.  Presently, there are three deployment options available, as summarized below.


Option  Deployment                      Description     Detect And Block In-Line
1       SMTP Monitoring                 Detect Only     No
2A      MTA Mode W/ Email Delivery      Detect & Block  Yes
2B      MTA Mode W/ No Email Delivery   Detect Only     No
3       BCC Configuration               Detect Only     No

Lastline Enterprise is comprised of Sensor, Manager, Engine and Threat Intelligence components, as described here.  You can configure these components to complement SEG and MTA (Mail Transport Agent) systems.

Option 1:  SMTP Monitoring

You can deploy the Sensor off a network tap to passively monitor SMTP (Simple Mail Transfer Protocol) traffic and extract the attachments of all inbound emails for further analysis.

No integration with your SEG or MTA server is required.  You can easily detect and generate alerts on email attachments delivering evasive malware.  Because this mode is passive, it cannot block on its own: to enable blocking, you must import these alerts into a SIEM (Security Information and Event Management) system that can in turn modify policies on your SEG or MTA server.  This option is ideal for a spot audit of your SEG or for evaluating Lastline Enterprise detection capabilities.

Option 2:  MTA Mode

Your SEG or MTA server can be configured to route emails over SMTP to the Lastline Enterprise Sensor either with email delivery (in-line) or without email delivery (not in-line).

Under MTA mode with email delivery, the Sensor can remove attachments and URLs that carry advanced malware and generate appropriate alerts to the security administrator.  Under MTA mode with no email delivery, the Sensor can only inspect attachments and generate alerts.  This is the recommended deployment for optimal flexibility and for operational environments handling large volumes of inbound email.
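The inspection step shared by every option above (extracting each attachment from a captured or routed message and hashing it for analysis) and the attachment removal that distinguishes MTA mode with email delivery are easy to show in a few dozen lines.  The following Python script is an added example written for this page; it is not Lastline code and does not use the Lastline Enterprise API.  The sample message, the `verdict()` function (which stands in for the analysis engine's result and simply flags macro-enabled Office types) and the "removed by gateway" notice text are all constructed placeholders.

```python
"""Extract, hash and optionally strip attachments from an RFC 822 message.

Added example, not Lastline code.  The sample message and the verdict
policy below are constructed placeholders: a real deployment would submit
each attachment to the analysis engine and act on the engine's verdict.
"""
import email
import hashlib
import json
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an engine verdict: treat macro-enabled Office
# documents as malicious.  get_content_type() returns lower-case, so
# the entries here are lower-case too.
MACRO_ENABLED_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
}


def build_sample_message() -> bytes:
    """Constructed inbound mail: text body, a PDF and a macro-enabled .docm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg["Message-ID"] = "<constructed-0001@example.org>"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake pdf bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04 fake docm bytes", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


def describe(part) -> dict:
    """Metadata a SIEM would want for one attachment part."""
    data = part.get_payload(decode=True) or b""
    return {
        "filename": part.get_filename(),
        "content_type": part.get_content_type(),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_attachments(raw: bytes) -> list:
    """Sensor-side step common to all options: pull every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [describe(part) for part in msg.iter_attachments()]


def verdict(att: dict) -> str:
    """Placeholder for the analysis engine's verdict (constructed policy)."""
    return "malicious" if att["content_type"].lower() in MACRO_ENABLED_TYPES else "benign"


def build_alerts(raw: bytes) -> list:
    """Detect-only output: one alert record per non-benign attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    alerts = []
    for att in extract_attachments(raw):
        v = verdict(att)
        if v != "benign":
            alerts.append({"message_id": str(msg["Message-ID"]),
                           "from": str(msg["From"]), "to": str(msg["To"]),
                           "subject": str(msg["Subject"]), **att, "verdict": v})
    return alerts


def get_text_body(raw: bytes) -> str:
    body = email.message_from_bytes(raw, policy=policy.default).get_body(("plain",))
    return body.get_content() if body else ""


def sanitize(raw: bytes) -> bytes:
    """Detect-and-block output (MTA mode with delivery): rebuild the message
    without non-benign attachments and tell the recipient what was removed."""
    src = email.message_from_bytes(raw, policy=policy.default)
    dst = EmailMessage()
    for h in ("From", "To", "Subject", "Date", "Message-ID"):
        if src[h]:
            dst[h] = str(src[h])
    text = get_text_body(raw)
    kept, removed = [], []
    for part in src.iter_attachments():
        if verdict(describe(part)) == "benign":
            kept.append(part)
        else:
            removed.append(part.get_filename() or "(unnamed)")
    if removed:
        text += "\n\n[Attachment removed by gateway: " + ", ".join(removed) + "]\n"
    dst.set_content(text)
    for part in kept:
        maintype, subtype = part.get_content_type().split("/", 1)
        dst.add_attachment(part.get_payload(decode=True) or b"",
                           maintype=maintype, subtype=subtype,
                           filename=part.get_filename())
    return dst.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for alert in build_alerts(raw):  # JSON lines, one per alert, for a SIEM
        print(json.dumps(alert))
    print(sanitize(raw).decode())
```

The alert records are flat dictionaries so they can be emitted as JSON lines and ingested by a SIEM without further transformation, which is the integration path Options 1 and 3 rely on; `sanitize()` is the in-line path of Option 2A, where the Sensor itself delivers the cleaned message.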

Option 3: BCC Configuration

You can configure your SEG or MTA to BCC (Blind Carbon Copy) emails into an account that the Sensor later accesses via IMAP (Internet Message Access Protocol) or POP (Post Office Protocol).

Email attachments can be inspected for evasive malware.  The Sensor can generate alerts that can be imported into your existing SIEM (Security Information and Event Management) system.  This option is well suited to monitoring a batch of users by creating a single inbox (account) for them, and it is the recommended alternative if you cannot implement SMTP monitoring.

With Lastline you have multiple deployment methods at your disposal to detect and stop advanced malware delivered over email.  For more information, please request a Lastline Enterprise evaluation.


Common Secure E-Mail Gateways:  Cisco, Proofpoint, Symantec, Microsoft, McAfee, Mimecast, WebSense, Barracuda Networks, Sophos, Trend Micro, Clearswift, SilverSky, TrustWave, Fortinet, WatchGuard, and Dell.