Wednesday 9 April 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected, they get sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spameconomy, time is money.

Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.

2factor: Interesting Encryption Technology (RSA)

2factor is primarily an encryption technology licensing business -- the company sells its technology to OEMs. The core technology is called Real Privacy Management (RPM).

It works by calculating symmetric private keys (i.e., it doesn't use a public/private key pair). Each party in a transaction has a private key, which it presents to a trusted intermediary. The pair of keys defines a series of encryption keys, to be used in sequence.

2factor says the benefits are:
  1. Very fast encryption (the calculations can be done using register arithmetic); perhaps 100x as fast as Diffie-Hellman, for example.
  2. Provably secure, unlike elliptic curves for example.
  3. The trusted-intermediary architecture can be generalized, permitting a federated model.

Tuesday 8 April 2008

Voltage also has a Hybrid Service (RSA)

Hybrid services seem to be quite the theme on this weblog, for some reason. I just talked to Voltage Security, which announced something called "Connected VSN" today.

Now, I know what VSN is -- the Voltage Security Network. It's a hosted service that implements the key management for Voltage-style identity-based encryption (IBE). The idea being that instead of on-premise key management, you centralize the key generation in the cloud. This is similar to the architecture used by Identum (now part of Trend Micro). But what's the "Connected" bit all about?

There's a class of customer who wants to do outbound encryption at the gateway -- possibly driven by local policy -- but doesn't want to provide the decryption service to non-local users. This type of hybrid architecture is what Connected VSN is for.

The sender has an on-premise Voltage appliance that manages keys and performs outbound encryption. Recipients then use the VSN service hosted by Voltage to decrypt the message.

IronKey: an Encrypted USB Flash Drive on Steroids (RSA)

Update (April 16): IronKey yesterday “announced full FIPS 140-2 Level 2 security validation ­ at the product level, rather than the more typical component-level validation.” Shame it’s “only” level 2, but I guess that’s a start and is probably more than adequate for the vast majority of applications.

IronKey isn't just another encrypted USB flash drive-key-stick-thingy. For a start, the company makes a big thing of their claim that IronKey is the only such device designed from the start to be secure (as opposed to a flash drive that's had security "bolted-on", presumably). Well, that's an interesting claim, but of arguable merit. However, there are other aspects that are worth talking about:
  1. This key will self-destruct -- if you try to disassemble it, or if you enter the wrong password too many times, the IronKey doesn't just wipe itself, it destroys the flash memory, the company says.
  2. It's not just a device, but also a service -- if you register the device on IronKey's Web site, the company offers password recovery/escrow and access to IronKey's own TOR anonimizing network (i.e., a private network, not the usual public one).
  3. It also acts as a 2FA device -- a firmware update will add the necessary logic to make it act as a Verisign VIP device, for two-factor authentication. An "enterprise" version of the device will also have similar support for RSA SecurID.
Shipping now for Windows XP and Vista. Mac and Linux support are "nearly ready".

Love him or hate him, the episode of Steve Gibson's podcast about IronKey has more about the device, including an interview with IronKey CEO, Dave Jevans (yes, that Dave Jevans).

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, who may well expect to receive email about a certain blue pill who's name begins with 'V'.

Of course, organization-specific customization ''can'' be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.