Educause Security Discussion mailing list archives
Re: Email Security Product That Supports Customer Entry of Malicious Messages
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 22 Mar 2017 20:39:24 +0000
Proofpoint and similar solutions rewrite the URLs in email messages before delivering them to user mailboxes. The rewritten URLs point to the email security device. When a user clicks the URL, they are taken to the email security device.

- If the email security device has determined that the message or link is malicious, the user is shown a warning message and blocked from reaching the original URL destination. Happiness. Go fight some other fire.
- If the email security device is not aware of maliciousness, the user is redirected to the original destination.
- If the email security device later finds out the message or link is malicious, it makes available the identity of people who clicked it before it was blocked.

Such products are able to tell you:

1. Who clicked a malicious link before it was determined to be malicious. Those users are at risk because they visited a known malicious site. They may have entered credentials into a phishing site or had unpatched software exploited. So even if the message was not immediately blocked, you have some information to help assess risk and aid incident response.
2. Who clicked a malicious link after it was determined to be malicious. Those users are blocked from the malicious site. Happiness. Though if you have a large number of people clicking malicious links, you may want to review security awareness programs and backup security controls. :-)

The problem comes when the device does not detect a message as malicious ever, or too late to do any damage control. Then there are no statistics on who clicked the malicious link and no protection from it.

Proofpoint detects a high percentage of malicious messages. But just like other anti-spam, anti-virus, and other blacklist security controls, it is not perfect and some always get through. Not very often in Proofpoint's case, but often enough that it would be valuable to have the capability to tell the appliance, "Here, don't wait for your algorithms or cloud analysis to tell you this is bad, I'm telling you it is bad and I want it blocked and audited locally RIGHT NOW!"

It was that feature I was asking about, to see if it is included in any other URL rewrite type email security products. I know Cisco Ironport and Microsoft ATP both have rewrite capabilities; there are probably others. I don't know if any of them support that feature.

Gary Flynn
JMU IT Security
James Madison University
My brain can handle preemptive and cooperative multitasking pretty well. Parallel processing, not so much.
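The click-time mechanism Gary describes above (rewrite at delivery, verdict at click, retrospective "who clicked before the block" report) plus the manual "block it now" entry he is asking for can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not Proofpoint's, Ironport's or ATP's code, and the gateway hostname, token scheme, user names and URLs are constructed for the scenario.

```python
"""Toy model of a URL-rewriting email gateway with click-time verdicts and a click audit.
Constructed example; not any vendor's implementation."""
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

GATEWAY = "https://urldefense.example.edu/v1/redirect"  # hypothetical gateway endpoint
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


class UrlRewriteGateway:
    """Rewrite -> verdict on click -> exposure report, as described in the thread."""

    def __init__(self):
        self.links = {}          # token -> original URL captured at delivery time
        self.clicks = []         # (timestamp, user, original URL) for every click, blocked or not
        self.block_time = {}     # original URL -> when it was first marked malicious
        self.block_source = {}   # original URL -> "analysis" (product verdict) or "admin" (manual entry)

    def rewrite_message(self, body):
        """Replace every URL in the message body with a gateway URL carrying an opaque token."""
        def to_gateway(match):
            original = match.group(0)
            # Real products use an encrypted or signed token; a short hash is enough for the model.
            token = hashlib.sha256(original.encode()).hexdigest()[:16]
            self.links[token] = original
            return f"{GATEWAY}?u={token}"
        return URL_RE.sub(to_gateway, body)

    def click(self, user, rewritten_url, now):
        """Handle a click on a rewritten URL: log it, then block or pass the user through."""
        token = parse_qs(urlparse(rewritten_url).query)["u"][0]
        original = self.links[token]
        self.clicks.append((now, user, original))
        if original in self.block_time:
            return ("blocked", original)    # warning page; destination is never reached
        return ("redirect", original)       # no verdict yet: user goes to the original site

    def mark_malicious(self, url, now, source):
        """Record a verdict. `source` is "analysis" or "admin" (the manual entry Gary asks for)."""
        if url not in self.block_time:
            self.block_time[url] = now
            self.block_source[url] = source

    def exposure_report(self, url):
        """Who reached the destination before the block (at risk) and who was stopped after it."""
        blocked_at = self.block_time.get(url)
        exposed, stopped = set(), set()
        for ts, user, target in self.clicks:
            if target != url:
                continue
            if blocked_at is None or ts < blocked_at:
                exposed.add(user)
            else:
                stopped.add(user)
        return {"exposed": sorted(exposed), "stopped": sorted(stopped),
                "source": self.block_source.get(url)}


def run_scenario():
    """Constructed scenario: a phishing link slips past automated detection; an admin blocks it by hand."""
    gw = UrlRewriteGateway()
    phish = "http://account-verify.example.test/reset"      # constructed, not a real site
    benign = "https://intranet.example.edu/agenda"           # constructed
    body = f"Please confirm your account at {phish} and review the agenda at {benign}"
    delivered = gw.rewrite_message(body)
    rewritten_phish, rewritten_benign = URL_RE.findall(delivered)

    t0 = datetime(2017, 3, 22, 14, 0)
    results = [
        gw.click("alice", rewritten_phish, t0),                           # no verdict yet: redirected
        gw.click("bob", rewritten_phish, t0 + timedelta(hours=1)),        # still redirected
        gw.click("dave", rewritten_benign, t0 + timedelta(hours=1)),      # benign link, redirected
    ]
    # A user reports the message; the admin enters the URL as malicious without waiting for analysis.
    gw.mark_malicious(phish, t0 + timedelta(hours=2), source="admin")
    results.append(gw.click("carol", rewritten_phish, t0 + timedelta(hours=3)))  # now blocked

    return {"delivered": delivered, "clicks": results, "report": gw.exposure_report(phish)}


if __name__ == "__main__":
    print(run_scenario())
```

The report separates the two populations Gary lists: `exposed` (clicked before the verdict, candidates for credential resets and endpoint checks) and `stopped` (clicked afterwards and only saw the warning page). Because every click is logged regardless of verdict, a URL that is marked malicious late, or manually, still yields a complete exposure list; the gap Gary describes is a product that offers no `mark_malicious` entry point to the operator at all.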
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Harwood
Sent: Wednesday, March 22, 2017 3:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Security Product That Supports Customer Entry of Malicious Messages
Hi Gary,

Are you saying that you want a product that can block the URLs in the emails that your spam filtering solution didn't catch and forwarded to your users' mailboxes (without rewriting the emails)? That being said, you have emails in users' mailboxes that have malicious URLs? If that's the case, I'm not sure if you will find anything like that, since the mailboxes have the email, and you are left to put these IPs/DNS into blacklists on the firewall to block outgoing traffic (which doesn't protect your mobile users).

We are looking to buy Proofpoint in the coming months, so I was interested in your question.

Sent from my iPhone
On Mar 22, 2017, at 1:59 PM, Flynn, Gary - flynngn <flynngn () JMU EDU> wrote:
Hi,

We use Proofpoint and most of the time it works great. It has protected us from major attacks many times.

Its URL rewrite component is missing one feature that would make it much better. As with any blacklist oriented security product, some malicious messages get through. Unfortunately, the product does not allow us to teach our appliance about those messages so it can block the URL and provide us exposure information.

Is anyone aware of an email security product that supports such a feature?

thanks,

Gary Flynn
JMU IT Security
James Madison University
My brain can handle preemptive and cooperative multitasking pretty well. Parallel processing, not so much.