Tech Events – Sep 2020 Email Security
Peter Rusanovski Sales Engineer
© 2020 Forcepoint

Products
• Email Security
• CASB
• Data Guard
• Web Security
• SD-WAN & NGFW
• FIT
• DLP
• UEBA
• Insider Threat
• DEP
• Boldon James Classification
• RBI Isolation
• DUP
• DDP
Agenda
• Email Hybrid / Cloud
• Azure deployments
• Security Hardening (Settings & Filters)
  o DKIM
  o SPF
  o DMARC
• Business Email Compromise
• Sandbox (Files & URLs)
• URL wrapping
• Phishing Education
• System Health Check
• Troubleshooting steps
• Tips and Tricks
• End Of Life Products Status
Forcepoint Email Security

FORCEPOINT OFFERS THE MOST COMPREHENSIVE EMAIL SECURITY
Inbound
• Anti-Malware, Anti-Spam
• Anti-Spoofing (DKIM & DMARC)
• Phishing Defenses
• Content Filtering
• Attachment Filters
• DLP inbound
• Exploited Document Discovery
• Advanced Malware Detection
• Phishing Education
• URL Wrapping
• Inappropriate Image Filter
• Spam Controls

Outbound
• Email Encryption
• Incident Risk Ranking
• DLP for free
• Content Filtering
• Lexical Rule
• Disclaimer
• Attachment Filters
• Drip DLP (Stateful)
• Anti-Malware, Anti-Spam
• OCR (Optical Character Recognition)

Analysis Tools
• ACE Analytics
• ThreatSeeker Intelligence Cloud
• Sandboxing / Forensic Reporting
• High Risk User Behavior
• Yara definitions

Email Deployment

Deploy How, Where, and When You Want
Deployment models: On-Premises, Hybrid, Cloud (available as IaaS, PaaS or SaaS)
Three options, one SKU. Start anywhere and move to the cloud when you're ready.
The Right Appliances For Your Needs
• Virtual Appliance
• V5000: ~2,000 users
• V10000: ~8,000 users
• V20000: 20,000+ users
CLOUD EMAIL SECURITY - SAAS
NEW VIEW, NEW FEATURES, MORE SECURE

FORCEPOINT EMAIL CLOUD DEPLOYMENT

FORCEPOINT EMAIL HYBRID DEPLOYMENT AND ADDITIONAL PROTECTION LAYER
• Hybrid: "best of both worlds"
• Good spam/virus efficacy
• Same deployment requirements as on-prem, includes full email DLP
Azure Deployment

ESG is available in Azure
The cloud deployment installation is now standardized with Forcepoint Email Security installation, meaning that the installed product is identical for both cloud and on-premises deployment.
There is also an option to install the management server, the Forcepoint Security Manager (FSM), in Azure.

ESG is available in Azure: installation is done from the Azure Marketplace.
Hardening: DKIM & DMARC

Brief introduction to DKIM
DKIM (DomainKeys Identified Mail) is an email authentication technology based on digital signatures that helps protect both email receivers and email senders from forged and phishing email. A DKIM-compliant sending domain must generate one or more asymmetric key pairs, install the private keys on the signing MTA, and publish the public keys in DNS as TXT records. The DNS labels are structured as "selector._domainkey.example.com", where "selector" identifies the key pair, "_domainkey" is a fixed label, and what follows is the signing domain's name (example.com in this example). Because the key is looked up by selector, a domain can rotate keys by publishing a new selector and switching the signer to it before removing the old record.
DKIM signing process
• The signing MTA uses the stored private key to generate a digital signature that covers the body hash and selected message header fields, such as "From:", "To:", "Date:" and "Subject:"
• The signature is inserted into the message as a DKIM-Signature header
• The message is delivered to the next hop as normal
Note: In ESG, the SMTP service generates the DKIM signature and inserts it as a header before delivery to the next hop.
DKIM verification process
• The DKIM-enabled receiving email server reads the signing domain (d=) and selector (s=) from the DKIM-Signature header
• It queries DNS and retrieves the public key, for example from "test1._domainkey.es.com"
• The receiving server recalculates the body hash and the hash over the signed header fields, then uses the public key to verify the signature (b=) against that hash
• If both checks succeed, the message was signed by the holder of the domain's private key and the signed content has not been modified in transit
• The receiving server applies local policies based on the DKIM verification result (content filter)
Note: DKIM on its own does not tie the signing domain to the visible "From:" address; that check is what DMARC alignment adds.
Note: In ESG, the filter service is responsible for DKIM verification.
DKIM Diagram

DKIM signature & verification
Figure: signature added by the MTA; public key stored in DNS.

DKIM signature & verification (continued)
▪ The DKIM-Signature header consists of a list of "tag=value" parts.
▪ v is the DKIM version.
▪ a is the signing algorithm. "rsa-sha256" means SHA-256 as the cryptographic hash and RSA as the signature scheme; the signature value is Base64-encoded. "rsa-sha1" still appears in older deployments, but RFC 8301 deprecates it: signers must not use it and verifiers should treat it as a failed signature. Keys should be at least 1024 bits, 2048 recommended.
▪ c is the canonicalization algorithm for header and body ("simple" or "relaxed", written header/body).
▪ d is the signing domain.
▪ s is the selector. In this example, the DNS name to query is "test1._domainkey.es.com".
▪ t is the signature timestamp.
▪ bh is the body hash.
▪ l is the length of the canonicalized body that has been signed. Use it with care: anything appended to the body beyond that length is not covered by the signature.
▪ h is the list of signed header fields. The DKIM-Signature header field itself is always implicitly included in h, with the value of tag b treated as though it were an empty string.
▪ b is the actual digital signature over the contents (signed headers and body hash) of the mail message.
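To make the tag list and the verification steps above concrete, here is an added example (not code from the slides or from Forcepoint): it parses a DKIM-Signature header, canonicalizes the body in "simple" or "relaxed" mode, recomputes bh=, and derives the selector._domainkey.domain name that the verifier queries. The message, the es.com domain and the test1 selector are the slide's example values; the b= signature itself is left empty on the signing side and not checked on the verifying side, because that step needs the RSA key pair and an RSA library.

```python
"""DKIM body-hash check: parse tags, canonicalize, recompute bh=, find the key name."""
import base64
import hashlib
import hmac
import re


def parse_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; bh=...; b=...' into a dict. Folding whitespace
    inside a value (common in long b= and bh= tags) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, method="relaxed"):
    """RFC 6376 3.4.3 'simple' and 3.4.4 'relaxed' body canonicalization.
    body is bytes with CRLF line endings."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of WSP to one SP and drop WSP at the end of every line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: " + method)
    while lines and lines[-1] == b"":          # ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, method="relaxed", algorithm="sha256", length=None):
    """The bh= value: base64 of the hash over the canonicalized body
    (or over its first l= bytes when a body length limit is used)."""
    data = canonicalize_body(body, method)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def dns_query_name(tags):
    """selector._domainkey.domain: the TXT record that holds the public key."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def split_headers(head):
    """Unfold the header block into (name, raw value) pairs."""
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:   # folded continuation line
            fields[-1] = (fields[-1][0], fields[-1][1] + b"\r\n" + line)
        elif b":" in line:
            name, value = line.split(b":", 1)
            fields.append((name, value))
    return fields


def verify_body_hash(raw_message):
    """Verifier side, first step: locate DKIM-Signature, recompute the body hash
    with the canonicalization (c=) and hash (a=) it names, compare with bh=.
    Returns (bh_matches, dns_name_to_query). The b= check is not done here."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    sig = next((v for n, v in split_headers(head)
                if n.strip().lower() == b"dkim-signature"), None)
    if sig is None:
        return False, None
    tags = parse_tags(sig.decode("ascii"))
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]
    length = int(tags["l"]) if "l" in tags else None
    actual = body_hash(body, body_method, algorithm, length)
    return hmac.compare_digest(actual, tags.get("bh", "")), dns_query_name(tags)


def build_signature_header(domain, selector, body,
                           signed_headers=("from", "to", "subject", "date")):
    """Signer side: compute bh= and assemble the tag list. b= stays empty here
    because producing it needs the private key and an RSA implementation."""
    tags = [("v", "1"), ("a", "rsa-sha256"), ("c", "relaxed/relaxed"),
            ("d", domain), ("s", selector), ("h", ":".join(signed_headers)),
            ("bh", body_hash(body, "relaxed", "sha256")), ("b", "")]
    return "; ".join("%s=%s" % kv for kv in tags)


# Constructed sample message; es.com and test1 are the slide's example values.
SAMPLE_HEADERS = (b"From: Finance <billing@es.com>\r\n"
                  b"To: ap@example.com\r\n"
                  b"Subject: Invoice 1\r\n"
                  b"Date: Mon, 7 Sep 2020 09:00:00 +0000\r\n")
SAMPLE_BODY = b"Please approve the attached invoice  today.\r\n\r\n"


def sample_message(body=SAMPLE_BODY):
    sig = build_signature_header("es.com", "test1", body)
    return SAMPLE_HEADERS + b"DKIM-Signature: " + sig.encode("ascii") + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(verify_body_hash(sample_message()))
    print(verify_body_hash(sample_message().replace(b"invoice", b"wire transfer")))
```

Changing one word in the body makes bh= mismatch, while the relaxed canonicalization still accepts a message whose double space was collapsed or that gained trailing blank lines on the way, which is why relaxed/relaxed is the common choice for mail that passes through list servers and gateways.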
DKIM Configuration on ESG
▪ There is a new settings page to configure DKIM on Triton Email (Settings -> Inbound/Outbound -> DKIM Settings).
▪ From this page we can manage private and public keys.
▪ We can also manage the DKIM rules that decide how mail messages are signed.
▪ DKIM can be enabled or disabled for inbound, outbound and internal messages separately.
DKIM Configuration on Email Cloud
Cloud Email Security Policy > Antispoofing > DKIM

DKIM Cloud Email records
These are the Forcepoint CNAME records you must publish in order to enable DKIM signing. Map fpkey11-1._domainkey and fpkey11-2._domainkey to the corresponding values in out.mailcontrol.com. The same DKIM signing domain can be used for all sender domains.

Brief introduction to DMARC
DMARC stands for "Domain-based Message Authentication, Reporting and Conformance". It is an email validation system designed to detect email spoofing: it gives receiving mail exchangers a way to check that incoming mail from a domain is authorized by that domain's administrator and that the email has not been modified in transport. It builds on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DKIM, and coordinates their results through alignment with the domain in the "From:" header field, which is the address end users actually see. The domain owner publishes a policy (p=none, quarantine or reject) and receivers report back how that domain's mail fared, so the owner can tighten the policy with real data. DMARC is specified in RFC 7489.
DMARC and email authentication process

DMARC Configuration on ESG
▪ There is a new settings page to configure DMARC on Triton Email (Settings -> Inbound/Outbound -> DMARC Settings).
▪ DMARC verification can be configured for the three directions separately. The direction is relative to the recipients.
▪ If a message has multiple recipients, some of them may not receive it because it fails the DMARC check that applies to their direction.
DMARC Configuration on Cloud Email
Select "Filter inbound messages that spoof external domains using DMARC" to detect spoofed incoming messages that appear to be sent from legitimate external domains but fail DMARC validation. The check covers both the envelope Mail From address (through SPF) and the header From address: DMARC passes only when SPF or DKIM succeeds for a domain that is aligned with the header From domain. DMARC is built on SPF and DKIM validation and allows the owner of a domain to publish a policy (via a DNS TXT record at _dmarc.<domain>) that tells the receiver how to treat messages that fail.
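The alignment logic behind the DMARC introduction and the cloud option above, as an added example that is not part of the slides or of Forcepoint's product code. It parses a published record with the RFC 7489 defaults, tests relaxed and strict alignment of the header From domain against the SPF-authenticated MAIL FROM domain and the verified DKIM d= domain, and returns the disposition. The es.com record is constructed; the organizational-domain helper is a deliberate simplification (last two labels) where a real receiver would use the Public Suffix List, and pct= sampling is parsed but not applied.

```python
"""DMARC evaluation: record parsing, identifier alignment, disposition."""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' and apply the RFC 7489 6.3 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")          # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")           # SPF alignment
    tags.setdefault("sp", tags["p"])       # subdomain policy defaults to p=
    tags.setdefault("pct", "100")          # parsed, not applied in this example
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. Real receivers use the Public Suffix
    List (assumption for this example; 'shop.example.co.uk' would be wrong)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed mode accepts any host in the same organizational domain;
    strict mode requires an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, mailfrom_domain, dkim_result, dkim_domain):
    """record_domain is where the record was found (the From domain itself or
    its organizational domain). mailfrom_domain is the RFC5321.MailFrom domain
    SPF evaluated; dkim_domain is the d= of a signature that verified.
    Returns (dmarc_pass, disposition) with disposition none/quarantine/reject."""
    rec = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and aligned(from_domain, mailfrom_domain, rec["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    # sp= applies only when the record was taken from the organizational
    # domain and the From domain is one of its subdomains.
    if record_domain.lower() != from_domain.lower():
        return False, rec["sp"]
    return False, rec["p"]


# Constructed record for the slide's es.com example domain.
ES_RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc@es.com"

if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes for bounce.es.com (fails strict SPF
    # alignment), but the DKIM signature with d=es.com aligns, so DMARC passes.
    print(evaluate_dmarc(ES_RECORD, "es.com", "es.com", "pass", "bounce.es.com", "pass", "es.com"))
    # Spoof: SPF passes for the attacker's own domain and there is no DKIM.
    print(evaluate_dmarc(ES_RECORD, "es.com", "es.com", "pass", "attacker.example", "none", None))
```

The second case is the one the cloud option is about: SPF "passes" because the attacker controls the envelope domain, yet DMARC fails because that domain is not the one in the visible From header.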
Business Email Compromise
Internal Executive Spoofing

CLOUD EMAIL - INTERNAL EXECUTIVE SPOOFING
The Internal Executive Spoofing feature provides protection against spear phishing attacks targeting individuals within your organization. Such emails may come from legitimate (non-spoofed) email addresses, thereby passing the other spoofing checks, but use the display name of a known user (often an executive) with the intention of tricking employees into sending money or information.

ESG - INTERNAL EXECUTIVE SPOOFING
➢ Protect yourself from finance scammers who ask to transfer money while posing as a C-level employee ([email protected]).
➢ This is very easy to enable in Email Cloud. On a local ESG you need to create a new filter with a regex that identifies these C-level users.
ESG – ANTISPOOF Rule
Antispoof analysis helps determine the validity of message senders. Select the relevant sender address combinations you want to compare (for example envelope sender against header From). With Advanced Options, use SPF, DKIM and SIDF authentication results to determine message validity.
The filter is triggered when at least one address comparison fails or one authentication result is met. If both address comparison and authentication conditions are enabled, then at least one address comparison must fail and one authentication condition must be met in order to trigger the filter.
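An added example for the two slides above (not code from the deck or from ESG): the display-name check behind Internal Executive Spoofing, the regex a local ESG filter would carry for the protected names, the sender address comparisons, and the antispoof trigger rule exactly as the slide states it. The executive directory, the es.com domain and the messages are constructed.

```python
"""Display-name impersonation check and ESG antispoof trigger logic."""
import re
from email.utils import parseaddr

# Constructed directory: display names of protected users and their real mailboxes.
EXECUTIVES = {"John Smith": "john.smith@es.com", "Jane Doe": "jane.doe@es.com"}
INTERNAL_DOMAINS = {"es.com"}


def normalize_name(name):
    """Letters only, lower case, so 'john  SMITH' and 'John-Smith' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def build_executive_regex(names):
    """The pattern a local ESG content filter would carry: each protected name,
    any whitespace or punctuation between its parts, case-insensitive."""
    alternatives = [r"\W*".join(re.escape(p) for p in n.split()) for n in names]
    return re.compile(r"(?i)\b(" + "|".join(alternatives) + r")\b")


def display_name_spoof(from_header, executives=EXECUTIVES):
    """Return the impersonated executive's real address when the From: display
    name matches a protected user but the address is not that user's mailbox
    (freemail, lookalike domain, or another account); otherwise None."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    for exec_name, exec_addr in executives.items():
        if normalize_name(name) == normalize_name(exec_name) and addr != exec_addr.lower():
            return exec_addr
    return None


def address_comparisons(headers):
    """Sender address comparisons as name -> True (match) / False (mismatch).
    headers: dict with keys 'mail-from' (envelope), 'from' and optional 'reply-to'."""
    def domain(key):
        return parseaddr(headers.get(key, ""))[1].rsplit("@", 1)[-1].lower()
    result = {"envelope_vs_from": domain("mail-from") == domain("from")}
    if headers.get("reply-to"):
        result["from_vs_reply_to"] = domain("from") == domain("reply-to")
    return result


def antispoof_triggers(comparisons=None, auth_conditions=None):
    """Trigger semantics from the slide. Pass None for a disabled group.
    Only comparisons enabled: any mismatch fires. Only authentication enabled:
    any selected result (e.g. SPF fail) fires. Both enabled: a mismatch AND a
    matched authentication condition are required."""
    mismatch = comparisons is not None and any(not ok for ok in comparisons.values())
    auth_hit = auth_conditions is not None and any(auth_conditions.values())
    if comparisons is not None and auth_conditions is not None:
        return mismatch and auth_hit
    return mismatch or auth_hit


if __name__ == "__main__":
    # Constructed BEC attempt: the CEO's display name on a freemail address.
    # Every address comparison matches and SPF passes for gmail.com, so the
    # antispoof rule stays quiet; only the display-name check catches it.
    bec = {"mail-from": "jsmith.ceo@gmail.com",
           "from": "John Smith <jsmith.ceo@gmail.com>"}
    print(display_name_spoof(bec["from"]))
    print(antispoof_triggers(address_comparisons(bec), {"spf_fail": False}))
```

The two checks cover different attacks: the antispoof rule catches a forged internal address (envelope and header disagree, SPF fails), while the display-name check catches the case the slide describes, where the address is real but the name is borrowed.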
Forcepoint AMD: Advanced Malware Detection

How AMD Works
Diagram: an unknown or suspicious file from the end user is sent to Advanced Malware Detection for inspection; a safe file is allowed, a bad file is blocked.

The Deep Content Inspection Difference
Fed by: Web, Firewall, CASB, Email
• Application Layer: signature-less inspection and analysis; identification of malicious scripts and macros
• OS Layer: true kernel visibility with minimal OS dependencies
• CPU Layer: dynamic code analysis elicits malicious behaviors
• Memory Layer: inspection of malware memory, including encrypted strings
Enhance security capabilities and intelligence sharing
Diagram: NGFW, Web Security and Email Security each send unknown or suspicious files to the Advanced Malware Detection engines (AMD Engine 1, 2, 3) through the AMD Manager; a safe file is allowed to the user, a bad file is blocked.
AMD Differentiators

Unlimited Manual URL and File Submissions
• AMD Cloud: CSI OnDemand subscription included, Level 3 access: https://csi.forcepoint.com/
• AMD On-Prem: available in the AMD Manager UI

Fast Time to Protection (AMD Cloud)
• Nothing to install or download
• No additional hardware or IT resources needed
• Quick to enable and set up policies

Strong Security Efficacy
• Full system emulation → harder for malware to evade detection
• Lower rate of false positives → more accurate results and less time wasted on unnecessary investigations
Why Does Full System Emulation Matter?
Common sandbox evasion techniques and the difference with Forcepoint AMD:

Environmental Awareness
• Technique: the sample is programmed to detect devices or indicators that belong to a virtual environment. The #1 behavior observed in malicious files submitted to Forcepoint AMD: checking the disk size.
• Forcepoint AMD: full system emulation, not virtualization.

Detecting User Interactions
• Technique: malware only detonates after a specific user action takes place.
• Forcepoint AMD: simulates user interactions; it can manipulate and interact with artifacts to elicit certain behaviors.

Time-Based Techniques
• Technique: sandbox analysis typically takes less than 5 minutes, so malware stalls or "sleeps" until the analysis is complete.
• Forcepoint AMD: deep content inspection; monitors calls to the operating system's sleep function; every instruction the malware performs is evaluated and any object that attempts to stall is detected.

Data Encryption
• Technique: encrypt API calls so that a traditional malware sandbox can't read them.
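To show what "monitors calls to the sleep function" and "every instruction is evaluated" amount to in practice, here is an added example that is not Forcepoint code and does not describe how AMD is implemented. It walks a constructed API-call trace of the kind an emulator records, keeps a virtual clock so that a ten-minute Sleep costs the analysis nothing while the sample still sees the time pass, and flags the evasion families listed on the slide (VM artifact probes, disk-size checks, stalling, waiting for user input). The API names are real Windows APIs; the trace and the thresholds are assumptions for the example.

```python
"""Sandbox-evasion heuristics over a constructed API-call trace, with a virtual clock."""

ANALYSIS_BUDGET_MS = 5 * 60 * 1000          # slide: a typical sandbox run is < 5 minutes
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "hyper-v")
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
USER_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
ARTIFACT_APIS = {"RegOpenKeyExW", "FindWindowW", "GetModuleHandleW", "CreateFileW"}


def run_trace(trace):
    """trace: list of (api, args) tuples in call order. Returns the findings and
    the virtual time (ms) the sample believes has elapsed."""
    clock_ms = 0
    findings = {"sleep_ms": 0, "stalls": False, "vm_probes": [],
                "checks_disk_size": False, "waits_for_user": False}
    for api, args in trace:
        if api in SLEEP_APIS:
            # Advance the guest clock instead of waiting: the sample gets the
            # delay it asked for, the analysis does not spend it.
            clock_ms += args.get("ms", 0)
            findings["sleep_ms"] += args.get("ms", 0)
        elif api == "GetTickCount":
            args["returned"] = clock_ms           # time-based checks see the virtual clock
        elif api in ARTIFACT_APIS:
            target = str(args.get("name", "")).lower()
            if any(marker in target for marker in VM_MARKERS):
                findings["vm_probes"].append(args["name"])
        elif api == "GetDiskFreeSpaceExW" or (
                api == "DeviceIoControl" and args.get("ctl") == "IOCTL_DISK_GET_LENGTH_INFO"):
            findings["checks_disk_size"] = True   # the #1 behavior from the slide
        elif api in USER_APIS:
            findings["waits_for_user"] = True
    findings["stalls"] = findings["sleep_ms"] >= ANALYSIS_BUDGET_MS
    return findings, clock_ms


def evasion_score(findings):
    """Crude weighting: one point per evasion family observed."""
    return sum([findings["stalls"], bool(findings["vm_probes"]),
                findings["checks_disk_size"], findings["waits_for_user"]])


# Constructed trace of a stalling, VM-aware dropper (not from a real sample).
SAMPLE_TRACE = [
    ("RegOpenKeyExW", {"name": r"SOFTWARE\Oracle\VirtualBox Guest Additions"}),
    ("GetDiskFreeSpaceExW", {"path": "C:\\"}),
    ("GetTickCount", {}),
    ("Sleep", {"ms": 600000}),                    # ten minutes, past the usual budget
    ("GetTickCount", {}),
    ("GetLastInputInfo", {}),
    ("CreateFileW", {"name": "C:\\Users\\Public\\update.exe"}),
]

if __name__ == "__main__":
    found, elapsed = run_trace(SAMPLE_TRACE)
    print(found, "virtual ms elapsed:", elapsed, "score:", evasion_score(found))
```

The point of the virtual clock is the one the slide makes about time-based evasion: a sandbox that really sleeps runs out its budget and sees nothing, while an emulator that owns the clock lets the sample believe ten minutes passed and then watches what it does next.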
Advanced Malware Detection – 3 Deployment Options
Diagram: AMD Cloud (Manager and Engines hosted by Forcepoint, fed by NGFW, Web Security and Email Security); AMD On Prem (Manager and Engines on site, fed by NGFW, Web Security and Email Security); AMD AirGap (Manager and Engines on an isolated network, fed by NGFW).

Flexible Deployment Options to Meet Differing Needs

Cloud
• No IT resources needed for the sandbox
• Fast time-to-protection
• Protects users everywhere
• Adds onto cloud and on-prem appliances (Web, Email, NGFW, CASB)

On-Premises
• Keeps scanned files local to the network
• Minimizes latency in select geographies
• Controlled by the appliance team
• Adds onto on-prem appliances (Web, Email, NGFW)

Air Gapped
• File signatures are updated manually by the customer
• Available for NGFW only
• NGFW forwards files to the sandboxing capability as normal
• Ensures physical isolation from unsecured networks
File Sandboxing on ESG
Verify that the feature is enabled (it works only if you bought this module, which is based on Lastline technology) and that the filter is set to trigger the proper action to block.

URL Sandboxing (Hybrid Required)
Replaces any suspicious link in an email with a redirection link, so that the content of the page is scanned at point of click, no matter when or where the email is viewed.

Benefits
• Ensures that the link is inspected even if it was benign when received but is activated days later.
• Protection follows the embedded URLs even when they are forwarded out of the organization.
• Around-the-clock, real-time protection.
EMAIL URL WRAPPING
Timeline for a link to www.xyz.com:
1. 00:00 – Email arrives with a link to a harmless page.
2. 00:00 – ACE detects inconclusive, suspicious indicators.
3. 00:00 – Link modified for additional analysis later.
4. 04:00 – After passing security, the page is hacked.
5. 08:00 – Later, the user clicks the link and ACE reassesses it.
6. 08:00 – Threat identified, user protected.
URL Sandboxing (Hybrid Connection Required)
The URL sandbox provides real-time analysis of uncategorized URLs embedded in inbound email. Navigate to Settings > Inbound/Outbound > URL Sandbox and select "Analyze suspicious URLs" to activate it.
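The wrapping mechanism behind the timeline and the settings above, as an added example: this is not Forcepoint's implementation, and the redirector host urlsandbox.example.test, the tenant key and the message body are assumptions for the example. Each link is rewritten to the redirector with an HMAC tag over the original URL, so the redirector can recover the target at click time, hand it to the live classifier, and refuse anything whose tag does not verify (otherwise the rewriter would be an open redirect). Already-wrapped links are left alone, which is what keeps protection intact when the mail is forwarded.

```python
"""URL wrapping: rewrite links at delivery time, decide at click time."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumptions for the example: a per-tenant secret held by the redirector and
# the redirector's own endpoint (hypothetical host).
WRAP_KEY = b"constructed-demo-key-change-me"
REDIRECTOR = "https://urlsandbox.example.test/click"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def _tag(url, key):
    mac = hmac.new(key, url.encode("utf-8"), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def wrap_url(url, key=WRAP_KEY, endpoint=REDIRECTOR):
    """Replace url with endpoint?u=<url>&t=<hmac>. The tag binds the target to
    the tenant key, so only links this gateway issued are redirected."""
    if url.startswith(endpoint):
        return url                                # already wrapped (forwarded mail)
    return "%s?u=%s&t=%s" % (endpoint, quote(url, safe=""), _tag(url, key))


def wrap_message_body(body, key=WRAP_KEY, endpoint=REDIRECTOR):
    """Rewrite every http(s) link in a plain-text body."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0), key, endpoint), body)


def unwrap_url(wrapped, key=WRAP_KEY):
    """Redirector side: recover the target only if the tag verifies."""
    query = parse_qs(urlparse(wrapped).query)
    url = query.get("u", [""])[0]                 # parse_qs already percent-decodes
    token = query.get("t", [""])[0]
    if not url or not hmac.compare_digest(token, _tag(url, key)):
        return None
    return url


def handle_click(wrapped, classify, key=WRAP_KEY):
    """Point-of-click decision. classify(url) is the live verdict at click time:
    'malicious', 'benign' or 'unknown'. Returns (action, target) with action
    'allow', 'block' or 'reject' (reject = forged or corrupted wrapper)."""
    url = unwrap_url(wrapped, key)
    if url is None:
        return "reject", None
    verdict = classify(url)
    return ("block" if verdict == "malicious" else "allow"), url


# Constructed message body; www.xyz.com is the slide's example host.
SAMPLE_BODY = "Your report is ready: https://www.xyz.com/report?id=7&ref=mail Thanks"

if __name__ == "__main__":
    delivered = wrap_message_body(SAMPLE_BODY)
    link = URL_RE.search(delivered).group(0)
    # 00:00 the page is harmless, 08:00 it has been compromised: same link,
    # different verdict, because the check happens when the user clicks.
    print(handle_click(link, lambda u: "benign"))
    print(handle_click(link, lambda u: "malicious"))
```

The one design point worth copying: the tag covers the target URL, not just a random ID, so a stored mapping is not needed and an attacker who learns the redirector's URL format still cannot mint a wrapper for a destination of their choice.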
File Sandboxing Detailed Report

Phishing Education

PHISHING EDUCATION
Reduce the risk of compromise with real-time education based on real threats
• "Tips-n-Tricks" educational material template
• Customizable notification pages for phishing

PHISHING EDUCATION: EASY TO CONFIGURE POLICIES
Define a policy to disarm the message and educate the user.
System Health Check

SYSTEM HEALTH CHECK - DASHBOARD
➢ Check whether there are any alerts in the dashboard
➢ Check whether anything is stuck in the queue

SYSTEM HEALTH CHECK - HYBRID
➢ Check the hybrid status by clicking the button
➢ Domain ownership should be verified for all domains

SYSTEM HEALTH CHECK – LOG SERVER
➢ Check Log Server status
➢ Check the Log database
➢ Check the maintenance configuration

SYSTEM HEALTH CHECK – DATABASE UPDATES
➢ Check database updates

SYSTEM HEALTH CHECK – FSAM > STATUS
➢ Check services
➢ Check resources: CPU, memory, disk
➢ Check the email spool

SYSTEM HEALTH CHECK – FSAM > SOFTWARE HOTFIX
➢ Check available hotfixes
➢ Check available upgrades

SYSTEM HEALTH CHECK – FSAM > TOOLBOX
➢ Configuration summary
➢ Backup appliance
➢ PCAP file for support

SYSTEM HEALTH CHECK – FSAM > SNMP
➢ SNMP
➢ Appliance health
Troubleshooting & Tips and Tricks
Appliance CLI, diagnose mode (#diagnose>)
Run nc and nslookup to verify connectivity and name resolution for:
• download.forcepoint.com
• download.websense.com
• ddsdom.websense.com
• ddsint.websense.com
• emailsecurity.cloud.threatseeker.com
Best results with 8.8.8.8 as the resolver.

Product Support Life Cycle
Thank You
Peter Rusanovski, Sales Engineer