2006 MSSP Survey, Part 6: ISP-Planet's biennial survey of MSSPs finds that, when it comes to spam and web content filtering, service features and packaging are so varied that consumers must examine their own business needs carefully to match them to increasingly available offerings.
Each year, unwanted internet content wastes a tremendous amount of bandwidth, storage, and CPU power. Unsolicited e-mail (spam) now consumes an estimated 819 terabytes of bandwidth per day, representing 85 percent of global mail traffic. A growing portion consists of phishing messages that try to steal identities to conduct fraudulent financial transactions. Spam messages often link back to phony look-alike web sites that plant drive-by-spyware, without user awareness or interaction. E-mail and web have become our primary internet interfaces and are thus the most popular vectors for internet misuse and attack.
From privacy regulations to corporate espionage, out-of-policy e-mail and web activity can be costly. To safeguard their business resources and data, many companies are being compelled to adopt content security measures that go well beyond traditional anti-virus. According to Infonetics, content security appliance sales will grow 150 percent through 2009, fueled by innovative features, performance, and prices.
As shown in the following chart (below), this year's survey turnout reflects this continuing trend. Managed Anti-Spam services have reached parity with virus defenses, and Managed Content Filtering services are experiencing significant growth, resurging from the decline we saw in 2001-2003.
Stopping Spam
Why delegate your spam problems to an MSSP? Traditional spam defenses are being degraded by new evasion techniques. To bypass internally-configured blacklists and externally-maintained Realtime Block Lists (RBLs, also known as DNS Block Lists), a significant portion of bulk e-mail now originates from botnets: large clusters of remotely-controlled broadband hosts that have been compromised by trojans. To elude filters that search for banned words or analyze text with Bayesian filters, 20 to 30 percent of spam content is now conveyed through in-line images. Traditional defenses are still effective against many unwanted messages, but the writing on the wall is clear: spammers are adapting, and so must your defenses.
You could purchase, configure, fine-tune, and maintain your own mail security appliance. But remember, that appliance must have the horsepower and reliability to sustain heavy bursts of unwanted e-mail traffic, nearly two orders of magnitude beyond the number of legitimate messages you expect to receive. If you'd rather hire someone else to deal with the traffic load, track spam evolution, and adapt on your behalf, consider outsourcing spam defenses to a provider: either the provider who hosts mail for your domain, or the MSSP that meets your other managed security needs.
This year's surveyed services include both types of offerings. Symantec, Verizon, and Virtela provide network-based ("in the cloud") spam filtering services that focus exclusively on SMTP. The most popular network-based platform in this year's survey is MessageLabs. Many other surveyed services filter spam on customer premises equipment (CPE), using UTM appliances from Fortinet, ISS, and other vendors. Three MSSPs even offer both network and CPE-based Anti-Spam services.
Filtered protocols and filtering techniques have expanded since our last survey. As shown in the following charts, POP and IMAP protocol support has grown.
And most MSSPs now apply multiple filtering techniques, including heuristics. The latter is a bit of a catch-all term that providers may have checked to cover newer methods of spam recognition, like intention analysis. A few MSSPs mentioned additional techniques, for example, "Stacked Classification Framework" (Altoria) and "imaged content control" (Unisys). Symantec, which sells the spam-fighting program Brightmail, mentioned "over 17 filtering technologies backed by Symantec Security Response" but did not elaborate.
In fairness, filtering techniques are the "secret sauce," but anyone purchasing a managed service should push for more detail. In particular, understand the techniques that you will be able to control. Effective spam filtering is a balancing act between aggressively deflecting the bad mail, keeping the good mail, and making informed decisions on those messages that fall somewhere in between. For example, are configurable white/black lists and Bayesian rules maintained for individual users, groups, or globally? Are whitelists accompanied by sender authentication? How are users notified of quarantined spam, and how is that quarantine managed?
Finally, carefully review the reporting and monitoring features available for each service. Do they give you enough visibility into service performance without overwhelming you with details or unwanted alerts? These are just a few of the questions you should ask to determine fit for your business.
Controlling Content
As business applications move steadily towards the web browser as the de facto human interface method, a significant share of confidential data is being exchanged over HTTP. Inspecting web content can help you deter accidental or intentional disclosure of intellectual property, sensitive financial information, or regulated data. Blocking access to porn, gambling, or other non-business web sites can reduce both resource waste and your legal liability for employee internet abuse. As previously noted in part 5, web traffic is frequently exploited by spyware, used as a vector to deliver malware and establish back-channels.
These risks and more are motivating many businesses to use content filtering as a means of enforcing web (and e-mail) usage policies. Here again, MSSPs deliver managed services that can offload this task from your own IT department. In this year's survey, we found 5 network-based services based on WebSense, Fortinet, MessageLabs, or proprietary platforms.
But CPE-based managed content filtering services are still more common, with 8 services. Most are based on firewalls or UTM appliances, but at least two appear to use dedicated web filtering appliances like 8e6 and Blue Coat.
Some web content, especially confidential content, is encrypted by SSL. All but two of the services in this year's survey support SSL, which can range from controlling requests made to https:// websites to using web proxies to encrypt/decrypt message content. AT&T's service also covers Instant Messaging and protocols like FTP when initiated in response to a web request.
When web requests or responses would violate defined policy, possible actions include log and/or reject/deny (available from all services in this year's survey), or redirect to an administrator-defined error page (common, but not universally supported). The latter can be useful to educate users when they attempt to access spyware web sites, or to reduce frustration when innocuous business-related web activity unexpectedly trips a keyword filter.
Most services let you define your web policy based on multiple parameters, ranging from category, keyword, and content type filters to URL, black, and white lists. Policy configuration and activity reports are typically made available to customer administrators through a web portal.
When choosing a web filtering service, examine service attributes more closely to ensure that the provider can really implement your defined corporate security policies. For example, do you require whitelist exceptions on an individual user or group level? Can the service tie policies to users or groups defined in your existing Active Directory or other enterprise user database? Are users authenticated before they access the internet, explicitly or transparently? Do you require integrated support for related traffic, like P2P file sharing or streaming media activities?
Our survey did not delve into these questions, but you should when selecting a managed content filtering service for your business.
Conclusion
Although we have attempted to cover today's most popular Managed Security Service categories and characteristics, most security services are far too complex to represent completely in any survey. We encourage readers to use our survey as a starting point for launching your own RFP to reflect the security needs and policies of your business. Qualitative factors, like history, reputation, and longevity, are just as important as the details documented here. Finally, ask for customer references, and talk to those who have walked in your shoes.
We would like to thank the providers that participated in this year's survey. The information presented herein reflects questionnaires completed by each participant in 4Q06. In formatting and summarizing those responses, we have attempted to convey them accurately. But these details will change. Every good provider continually expands and refines its managed security service offerings. We urge our readers to contact these MSSPs directly for further information regarding the services described in this survey.