Educause Security Discussion mailing list archives

Re: Email Security Product That Supports Customer Entry of Malicious Messages


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 22 Mar 2017 20:39:24 +0000

Proofpoint and similar solutions rewrite the URLs in email messages before
delivering them to user mailboxes. The rewritten URLs point to the email
security device. When a user clicks the URL, they are taken to the email
security device. 

- If the email security device has determined that the message or
  link is malicious, the user is shown a warning message and blocked from
  reaching the original URL destination. Happiness. Go fight some other fire.

- If the email security device is not aware of maliciousness, the
  user is redirected to the original destination.

- If the email security device later finds out the message or link
  is malicious, it makes available the identity of people who clicked it
  before it was blocked.

 

Such products are able to tell you:

 

1. Who clicked a malicious link before it was determined to be
   malicious. Those users are at risk because they visited a known malicious
   site. They may have entered credentials into a phishing site or had
   unpatched software exploited. So even if the message was not immediately
   blocked, you have some information to help assess risk and aid incident
   response.

2. Who clicked a malicious link after it was determined to be
   malicious. Those users are blocked from the malicious site. Happiness.
   Though if you have a large number of people clicking malicious links, you
   may want to review security awareness programs and backup security controls.
   :)

 

The problem comes when the device does not detect a message as malicious
ever or too late to do any damage control. Then there are no statistics on
who clicked the malicious link and no protection from it. 

 

Proofpoint detects a high percentage of malicious messages. But just like
any other anti-spam, anti-virus, or blacklist security control, it is not
perfect and some always get through. Not very often in Proofpoint's case, but
often enough that it would be valuable to have the capability to tell the
appliance, "Here, don't wait for your algorithms or cloud analysis to tell
you this is bad, I'm telling you it is bad and I want it blocked and audited
locally RIGHT NOW!" It was that feature I was asking about, to see if it is
included in any other URL rewrite type email security products. I know Cisco
Ironport and Microsoft ATP both have rewrite capabilities; there are
probably others. I don't know if any of them support that feature.

 

Gary Flynn

JMU IT Security

James Madison University

 

My brain can handle preemptive and cooperative multitasking pretty well.
Parallel processing, not so much.
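To make the rewrite-and-click-tracking flow described above concrete, here is a small constructed model of such a gateway (added here for illustration; it is not Proofpoint's or any vendor's code). The gateway host, the `u=`/`m=` parameter names, the user names and the phishing URL are all assumed; `flag(..., source="admin")` stands in for the manual "I'm telling you it is bad" entry the thread asks for.

```python
"""Toy model of a URL-rewriting mail gateway (constructed example, not any vendor's code)."""
import re
from datetime import datetime
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://urldefense.example.edu/v1/click"  # hypothetical gateway endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_urls(body, message_id):
    """Replace each http(s) URL in a message body with a gateway link that
    carries the original URL (u=) and the message id (m=) as parameters."""
    def wrap(m):
        return f"{GATEWAY}?u={quote(m.group(0), safe='')}&m={quote(message_id, safe='')}"
    return URL_RE.sub(wrap, body)


class ClickGateway:
    def __init__(self):
        self.blocklist = {}  # original URL -> (when flagged, who flagged it)
        self.clicks = []     # (when, user, message_id, url, outcome)

    def flag(self, url, when, source="analysis"):
        """Mark a URL malicious; source='admin' is the manual entry the thread asks for."""
        self.blocklist.setdefault(url, (when, source))

    def handle_click(self, user, rewritten_url, when):
        """Decide what happens when a user follows a rewritten link, and log it."""
        q = parse_qs(urlparse(rewritten_url).query)
        url, message_id = q["u"][0], q["m"][0]
        outcome = "block" if url in self.blocklist else "redirect"
        self.clicks.append((when, user, message_id, url, outcome))
        return outcome, url

    def exposed_users(self, url):
        """Users who were sent on to url, i.e. clicked before it was flagged."""
        return sorted({c[1] for c in self.clicks if c[3] == url and c[4] == "redirect"})

    def blocked_users(self, url):
        """Users who clicked after the flag and were stopped at the gateway."""
        return sorted({c[1] for c in self.clicks if c[3] == url and c[4] == "block"})


def demo():
    """Constructed scenario: one click before the admin flags the URL, one after."""
    gw = ClickGateway()
    body = "Your mailbox is full, verify at http://mail-verify.example.net/login today."
    link = URL_RE.search(rewrite_urls(body, "msg-001")).group(0)
    gw.handle_click("alice", link, datetime(2017, 3, 22, 9, 0))
    gw.flag("http://mail-verify.example.net/login", datetime(2017, 3, 22, 10, 0), source="admin")
    gw.handle_click("bob", link, datetime(2017, 3, 22, 11, 0))
    return gw
```

After `demo()`, `exposed_users` lists the user who got through before the manual flag and `blocked_users` the one stopped afterwards, which is exactly the exposure information the thread wants once an admin can enter a known-bad URL.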

 

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Harwood
Sent: Wednesday, March 22, 2017 3:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Security Product That Supports Customer Entry
of Malicious Messages



Hi Gary,



Are you saying that you want a product that can block the URLs in the
emails that your spam filtering solution didn't catch and forwarded to your
users' mailboxes (without rewriting the emails)? That being said, you have
emails in users' mailboxes that have malicious URLs? If that's the case, I'm
not sure if you will find anything like that since the mailboxes have the
email, and you are left to put these IPs/DNS into blacklists on the firewall
to block outgoing traffic (which doesn't protect your mobile users).



We are looking to buy Proofpoint in the coming months so I was interested
in your question.



Sent from my iPhone



On Mar 22, 2017, at 1:59 PM, Flynn, Gary - flynngn <flynngn () JMU EDU> wrote:



Hi,



We use Proofpoint and most of the time it works great. It has protected us
from major attacks many times.

Its URL rewrite component is missing one feature that would make it much
better. As with any blacklist oriented security product, some malicious
messages get through. Unfortunately, the product does not allow us to
teach our appliance about those messages so it can block the URL and provide
us exposure information.



Is anyone aware of an email security product that supports such a feature?



thanks,



Gary Flynn

JMU IT Security

James Madison University



My brain can handle preemptive and cooperative multitasking pretty well.

Parallel processing, not so much.




