Monday, July 27, 2015

Slide show: Best tools for email encryption

The products we reviewed show good signs that encryption has finally come of age.

Email encryption

Recipients of encrypted email once had to share the same system as the sender. Today, products have a “zero knowledge encryption” feature, which means you can send an encrypted message to someone who isn’t on your chosen encryption service. Today’s products make sending and receiving messages easier, with advances like an Outlook or browser plug-in that gives you nearly one-button encryption. And the products we reviewed have features like setting expiration dates, being able to revoke unread messages or prevent them from being forwarded. (Read the full review.)

AppRiver CipherPost Pro
Basically, you layer CipherPost Pro on top of your existing email infrastructure via a plug-in. It has mobile apps for iOS, Android, Windows phones and BlackBerry 10s that offer the ability to send and receive encrypted messages, but not attachments. To correspond with people outside your email domain, send a message with a Web link, which recipients click on and register with the system. The heart of the product is a special “Delivery Slip” sidebar that appears on the page as you are composing your message. This is where controls are located to enable message-tracking options, and to add an extra security layer. These are all nice features. If you have to send large attachments, then CipherPost should be on your short list.

DataMotion SecureMail
DataMotion has a very mature offering that makes use of a gateway to process mail. Getting it set up will require a couple of hours, and most of that is in understanding the many mail processing rules. Users need to append a [SECURE] tag in the subject line to trigger the encryption process. You can also set up rules that will encrypt messages containing sensitive information. DataMotion doesn’t have any limits on the size of the user’s inbox. However, it does place a limit of up to 500MB worth of messages that can be sent in a user’s Track Sent Folder. Features include the ability to see exactly when your recipient opened the message and the attachment.
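The two triggers described above, a sender-supplied subject tag and content rules for sensitive data, are the core of a gateway encryption policy. The following Python script is an added illustration of such a policy check and is not DataMotion's code; the [SECURE] tag is the one named above, while the regular expressions, the Luhn filter and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Added example of a gateway-style policy check: encrypt when the sender tagged the
# subject or when the body carries data that looks sensitive. The tag is the one
# named in the article; patterns, thresholds and sample messages are constructed.
SECURE_TAG = "[SECURE]"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order ids, phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of card length that also pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def plain_text_body(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def encryption_decision(raw_message: str) -> dict:
    """Return whether the gateway should encrypt this message and why."""
    msg = message_from_string(raw_message)
    reasons = []
    if SECURE_TAG.lower() in (msg.get("Subject") or "").lower():
        reasons.append("sender tagged subject with " + SECURE_TAG)
    body = plain_text_body(msg)
    if SSN_RE.search(body):
        reasons.append("body matches SSN pattern")
    cards = find_card_numbers(body)
    if cards:
        reasons.append("body contains %d Luhn-valid card number(s)" % len(cards))
    return {"encrypt": bool(reasons), "reasons": reasons}


# Constructed sample messages (the card number is the standard 4111... test value).
TAGGED = "Subject: [SECURE] board minutes\nFrom: cfo@example.com\nTo: counsel@example.org\n\nMinutes attached.\n"
CARD = "Subject: refund\nFrom: support@example.com\nTo: ap@example.org\n\nRefund to card 4111 1111 1111 1111 please.\n"
PLAIN = "Subject: lunch\nFrom: a@example.com\nTo: b@example.org\n\nOrder 1234 5678 9012 3456 shipped, pizza at noon?\n"

if __name__ == "__main__":
    for raw in (TAGGED, CARD, PLAIN):
        print(encryption_decision(raw))
```

The Luhn filter is what keeps a rule like "encrypt anything with 16 digits in it" from firing on order numbers and tracking codes; the PLAIN sample carries a 16-digit run that fails the checksum and is left alone, which is the kind of false positive that makes users disable content rules.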

HP/Voltage SecureMail
Voltage was recently purchased by HP and rebranded. The technology is an email gateway, software that sits on either a Linux or Windows server or in the cloud and inserts the encryption process between mail client and server. There are numerous add-on modules that come as part of this ecosystem. You administer the gateway via a Web browser, and there are dozens of options to set, similar to the DataMotion product. Voltage has a zero download client, as it calls its software that can be used to exchange messages with someone not on their system. While parts of Voltage are showing their age, the overall experience is quite capable, and the add-ons for mobile and Outlook/Office are quite nifty.

Hushmail for Business
Hushmail is the easiest of the products we tested to set up and use. There is no software to install on the client side; mail is accessed in one of two ways. The first is a secure webmail client that connects to the Hush servers; this is the only way you can send encrypted email to someone who isn’t part of the Hush network. The second method is for users fond of their existing email clients who are communicating with other Hush users. In this situation there is literally nothing for them to do: they use their existing client to send an encrypted message. Between the client and the Hush server, mail is encrypted using either SSL or TLS. Once it arrives on the server, it is then encrypted via PGP. Hush has a 20MB limit on attachment size, and this could be a deal breaker for some businesses.

ProtonMail

Proton is one of the newer encrypted email services that have come along post-Snowden, with an emphasis on keeping your emails private. It makes a point of this by being based in Switzerland. However, the company is still building its product out and as a result it has a very simple Web UI for its client and admin tool. Proton uses double password protection. The first is used to authenticate the user. After that, encrypted data is sent to the user. The second password is a decryption key used to decrypt data on your device. Proton never sees that latter key so they do not have access to the decrypted data. On top of all this encryption, they also employ SSL connections so your data is encrypted across the Internet to and from their servers. There is no option for on-premises servers. While Proton is not really suitable for an enterprise deployment, it shows what the latest encryption products can deliver.
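The two-password design described above is easier to reason about in code: one password is verified by the server, the other only ever derives a key on the client, so what the server stores is useless without it. The following Python script is an added illustration and is not ProtonMail's code; the real service wraps a PGP private key and encrypts to a public key, whereas this example uses a random symmetric mailbox key and an HMAC-based toy cipher so it runs with the standard library alone. Class and account names are constructed.

```python
import hashlib
import hmac
import secrets

# Added illustration of the two-password design: the login password is verified by
# the server, the mailbox password only ever derives a key on the client.
# All names are constructed; the cipher is a stand-in for a real AEAD.
ROUNDS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; used for the login verifier and for wrapping the mailbox key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF-based stream (HMAC in counter mode); a real client would use e.g. AES-GCM.
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Stores a login verifier, the wrapped mailbox key and ciphertexts; never a usable key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, login_password, wrapped_mailbox_key):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "verifier": derive_key(login_password, salt),
                               "wrapped_key": wrapped_mailbox_key, "messages": []}

    def login(self, user, login_password):
        acct = self.accounts[user]
        if not hmac.compare_digest(derive_key(login_password, acct["salt"]), acct["verifier"]):
            raise PermissionError("login failed")
        # Only encrypted material leaves the server; decryption happens on the client.
        return {"wrapped_key": acct["wrapped_key"], "messages": list(acct["messages"])}

    def store(self, user, ciphertext):
        self.accounts[user]["messages"].append(ciphertext)


class Client:
    """The mailbox password is used locally and never transmitted."""

    @staticmethod
    def register(server, user, login_password, mailbox_password) -> bytes:
        mailbox_key = secrets.token_bytes(32)       # stands in for the user's private key
        mailbox_salt = secrets.token_bytes(16)
        wrapped = mailbox_salt + seal(derive_key(mailbox_password, mailbox_salt), mailbox_key)
        server.register(user, login_password, wrapped)
        return mailbox_key

    @staticmethod
    def unwrap(wrapped: bytes, mailbox_password: str) -> bytes:
        return unseal(derive_key(mailbox_password, wrapped[:16]), wrapped[16:])

    @staticmethod
    def read_all(server, user, login_password, mailbox_password) -> list:
        session = server.login(user, login_password)
        mailbox_key = Client.unwrap(session["wrapped_key"], mailbox_password)
        return [unseal(mailbox_key, c) for c in session["messages"]]


def demo() -> dict:
    server = Server()
    alice_key = Client.register(server, "alice", "login-pw", "mailbox-pw")
    server.store("alice", seal(alice_key, b"quarterly numbers attached"))
    result = {"read": Client.read_all(server, "alice", "login-pw", "mailbox-pw")}
    try:  # the server knows the login password's verifier, not the mailbox password
        Client.unwrap(server.accounts["alice"]["wrapped_key"], "login-pw")
        result["server_side_decrypt"] = "succeeded"
    except ValueError:
        result["server_side_decrypt"] = "failed"
    try:
        Client.read_all(server, "alice", "wrong-pw", "mailbox-pw")
        result["bad_login"] = "accepted"
    except PermissionError:
        result["bad_login"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one the article attributes to Proton: a compromised or subpoenaed server yields a salted verifier and ciphertext, and the decryption attempt with the only password the server ever saw fails on the MAC check.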

Tutao Tutanota
Of the products tested, Tutanota is the least reliable and least feature-laden. Tutanota uses a variety of clients to set up encrypted mail connections across your existing email infrastructure. There are no changes to your servers and you can continue using Outlook for sending unencrypted communications. We had some trouble with the installation, mainly because the software version has German instructions and installs the German version of .Net Framework. Once installed, though, the menus and commands are in English. Tutanota is based in Germany, which could be important for customers concerned about American email privacy. One of the distinguishing features is that its zero knowledge encryption process hides the message subject. Most of its competitors still send this information in the clear.

Virtru Pro
Virtru has a nice balance of plug-ins and mobile apps that support its easy-to-use encryption operations across a variety of email circumstances. If you have installed the necessary plug-in, when you want to send something, there is a small toggle switch on the top of the compose screen. Turning that on will bring up a “send secure” button to encrypt your message. There are tool tips that appear as you hover over the various options with your mouse, a nice touch. These include the ability to add an unencrypted introductory message that will introduce your recipient to the context of the message that you are sending, and why you want to encrypt the remainder of the message. You can also set when your message will expire or disable any forwarding for additional security.

Virtru also supports zero knowledge encryption, although it adds a separate activation step when a new user receives the first encrypted message.

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com


Tuesday, July 21, 2015

Next-generation endpoint protection not as easy as it sounds

Endpoint protection technology is making strides and may soon be touted as anti-virus
Rather than looking for signatures of known malware as traditional anti-virus software does, next-generation endpoint protection platforms analyze processes, changes and connections in order to spot activity that indicates foul play. While that approach is better at catching zero-day exploits, issues remain.

For instance, intelligence about what devices are doing can be gathered with or without client software. So businesses are faced with the choice of either going without a client and gathering less detailed threat information or collecting a wealth of detail but facing the deployment, management and updating issues that come with installing agents.

Then comes the choice of how to tease out evidence that incursions are unfolding and to do so without being overwhelmed by the flood of data being collected. Once attacks are discovered, businesses have to figure out how to shut them down as quickly as possible.

Vendors trying to deal with these problems include those with broad product lines such as Cisco and EMC, established security vendors such as Bit9+Carbon Black, FireEye, ForeScout, Guidance Software and Trend Micro, and newer companies focused on endpoint security such as Cylance, Light Cyber, Outlier Security and Tanium. That’s just a minute sampling; the field is crowded, and the competitors are coming up with varying ways to handle these issues.

The value of endpoint protection platforms is that they can identify specific attacks and speed the response to them once they are detected. They do this by gathering information about communications that go on among endpoints and other devices on the network, as well as changes made to the endpoint itself that may indicate compromise. The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering what devices need remediation and perhaps predicting what threat might arise next.

Agent or not?
The main aversion to agents in general is that they are one more piece of software to deploy, manage and update. In the case of next-gen endpoint protection, they do provide vast amounts of otherwise uncollectable data about endpoints, but that can also be a downside.

Endpoint agents gather so much information that it may be difficult to sort out the attacks from the background noise, so it’s important that the agents are backed by an analysis engine that can handle the volume of data being thrown at it, says Gartner analyst Lawrence Pingree. The amount of data generated varies depending on the agent and the type of endpoint.

Pingree and the NSS researchers
Without an agent, endpoint protection platforms can still gather valuable data about what machines are doing by tapping into switch and router data and monitoring Windows Network Services and Windows Management Instrumentation. This information can include who’s logged in to the machine, what the user does, patch levels, whether other security agents are running, whether USB devices are attached, what processes are running, etc.

Analysis can reveal whether devices are creating connections outside what they would be expected to make, a possible sign of lateral movement by attackers seeking ways to victimize other machines and escalate privileges.
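The agentless analysis described above, flagging connections a host would not be expected to make and treating a burst of new peers on administrative ports as possible lateral movement, can be demonstrated over flow records alone. The following Python script is an added example, not code from any of the vendors named; the flow records, the admin-port list, the ten-minute window and the three-host threshold are all constructed for illustration and would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example of agentless connection-baseline detection. Ports, windows,
# thresholds and flow records are constructed; tune them for a real network.
ADMIN_PORTS = {22, 135, 445, 3389, 5985}

# Constructed flow records (time, source, destination, destination port), as a
# switch or router export would provide them with no endpoint agent installed.
BASELINE_FLOWS = [
    ("2015-07-20T09:00:00", "ws-17", "fileserver-1", 445),
    ("2015-07-20T09:05:00", "ws-17", "mail-1", 993),
    ("2015-07-20T09:07:00", "ws-17", "proxy-1", 8080),
    ("2015-07-20T09:10:00", "ws-22", "fileserver-1", 445),
    ("2015-07-20T09:11:00", "ws-22", "proxy-1", 8080),
]

TODAY_FLOWS = [
    ("2015-07-21T10:00:00", "ws-17", "fileserver-1", 445),  # expected
    ("2015-07-21T10:01:00", "ws-17", "ws-22", 445),         # new peer on an admin port
    ("2015-07-21T10:02:30", "ws-17", "ws-23", 445),
    ("2015-07-21T10:03:10", "ws-17", "ws-24", 3389),
    ("2015-07-21T10:04:00", "ws-17", "dc-1", 135),
    ("2015-07-21T10:30:00", "ws-22", "printer-2", 9100),    # new peer, not an admin port
    ("2015-07-21T11:00:00", "ws-22", "proxy-1", 8080),      # expected
]


def parse(record):
    ts, src, dst, port = record
    return datetime.fromisoformat(ts), src, dst, port


def learn_baseline(flows):
    """Map each source host to the (destination, port) pairs seen during a quiet period."""
    baseline = defaultdict(set)
    for _, src, dst, port in map(parse, flows):
        baseline[src].add((dst, port))
    return baseline


def find_new_connections(flows, baseline):
    """Connections outside what the host has been observed to make before."""
    return [f for f in map(parse, flows) if (f[2], f[3]) not in baseline.get(f[1], set())]


def detect_lateral_movement(flows, baseline, window=timedelta(minutes=10), min_hosts=3):
    """Flag a source that reaches min_hosts new destinations on admin ports within one window."""
    new_admin = defaultdict(list)
    for ts, src, dst, port in find_new_connections(flows, baseline):
        if port in ADMIN_PORTS:
            new_admin[src].append((ts, dst))
    findings = []
    for src, events in new_admin.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(in_window) >= min_hosts:
                findings.append({"source": src, "first_seen": start.isoformat(),
                                 "new_admin_peers": sorted(in_window)})
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for f in detect_lateral_movement(TODAY_FLOWS, baseline):
        print(f)
```

Two things worth noting from the sample: ws-22 also makes a connection outside its baseline, to a printer, but a single non-administrative peer is exactly the background noise the article warns about, so it is recorded by find_new_connections and not promoted to a finding; and the baseline is only as good as the quiet period it was learned from, so in practice it needs to be re-learned as roles change.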

Agents can mean one more management console, which means more complexity and potentially more cost, says Randy Abrams, a research director at NSS Labs who researches next-gen EPP platforms. “At some point that’s going to be a difference in head count,” he says, with more staff being required to handle all the consoles and that translates into more cost.

It’s also a matter of compatibility, says Rob Ayoub, also a research director at NSS Labs. “How do you ensure any two agents, of McAfee and Bromium or Cylance, work together, and who do you call if they don’t?”

Security of the management and administration of these platforms should be reviewed as well, Pingree says, to minimize insider threat to the platforms themselves. Businesses should look for EPP with tools that allow different levels of access for IT staff performing different roles. It would be useful, for example, to authorize limited access for admins while incident-response engineers get greater access, he says.

Analysis engines
Analysis is essential but also complex, so much so that it can be a standalone service such as the one offered by Red Canary. Rather than gather endpoint data with its own agents, it employs sensors provided by Bit9+CarbonBlack. Red Canary supplements that data with threat intelligence gathered from a variety of other commercial security firms, analyzes it all and generates alerts about intrusion it finds on customers’ networks.

The analysis engine flags potential trouble, but human analysts check out flagged events to verify they are real threats. This helps corporate security analysts by cutting down on the number of alerts they have to respond to.

Startup Barkly says it’s working on an endpoint agent that locally analyzes what each endpoint is up to and automatically blocks malicious activity. It also notifies admins about actions it takes.

These engines need to be tied into larger threat-intelligence sources that characterize attacks by how they unfold, revealing activity that leads to a breach without using code that can be tagged as malware, says Abrams.

Most of what is known about endpoint detection and response tools is what the people who make them say they can do. So if possible businesses should run trials to determine first-hand features and effectiveness before buying. “The downside of emerging technologies is there’s very little on the testing side,” Pingree says.

Remediation
Endpoint detection tools gather an enormous amount of data that can be used tactically to stop attacks but also to support forensic investigations into how incursions progressed to the point of becoming exploits. This can help identify what devices need remediation, and some vendors are looking to automate that process.

For example Triumfant offers Resolution Manager that can restore endpoints to known good states after detecting malicious activity. Other vendors offer remediation features or say they are working on them, but the trend is toward using the same platforms to fix the problems they find.

The problem businesses face is that endpoints remain vulnerable despite the efforts of traditional endpoint security, which has evolved into security suites: anti-virus, anti-malware, intrusion detection, intrusion prevention, etc. While each addition makes progress on the problem, the approach leads to another problem.

“They have actually just added more products to the endpoint portfolio, thus taking us full circle back to bloated end points,” says Larry Whiteside, the CSO for the Lower Colorado River Authority. “Luckily, memory and disk speed (SSD) have kept that bulk from crippling endpoint performance.”

As a result he is looking at next-generation endpoint protection from SentinelOne. Security based on what endpoints are doing as opposed to seeking signatures of known malicious behavior is an improvement over traditional endpoint protection, he says. “Not saying signatures are totally bad, but that being a primary or only decision point is horrible. Therefore, adding behavior based detection capabilities adds value.”

So much value that he is more concerned about that than he is about whether there is a hard return on investment. “The reality is that I am more concerned about detection than I am ROI, so I may not even perform that analysis. I can say that getting into a next-gen at the right stage can be beneficial to an organization,” he says.

Anti-virus replacement?
So far vendors of next-generation endpoint protection have steered clear of claiming their products can replace anti-virus software, despite impressive test results. But that could be changing. Within a year, regulatory hurdles that these vendors face may disappear, says George Kurtz, CEO of CrowdStrike.

Within a year rules that require use of anti-virus in order to pass compliance tests will allow next-generation endpoint protection as well, he says. “That’s really our goal,” he says. “From the beginning we thought we could do that.”

He says everyone is focused on malware, but that represents just 40% of attacks. The rest he calls “malware-less intrusions” such as insider theft where attackers with credentials steal information without use of malware.

Until regulations are rewritten, it’s important for regulated businesses to meet the anti-virus requirement, Abrams says, even though other platforms may offer better protection. “In some cases that’s actually more important than the ability to protect because you won’t be protected from legal liabilities.”

Meanwhile having overlapping anti-virus and next-gen endpoint protection means larger enterprises are likely customers for now vs. smaller businesses with fewer resources, he says. But even for smaller businesses the cost may be worth it.

“What do they have to lose and how much does it cost to lose this information vs how much does it cost to protect it?” Abrams says.


Tuesday, July 14, 2015

Closing the security loop with automated incident response

Organizations need to automate low-complexity, high-volume tasks that are eating up their experts’ time

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Organizations have poured billions of dollars into cyber security detection solutions, and while they are exceptional at uncovering potential anomalies and threats, none of these products can guarantee against a breach. Consequently, the next logical step is to pair robust detection and prevention technology with equally efficient and effective operations solutions, including incident response.

Detection solutions are now generating an average of 10,000 alerts per day, according to a recent survey by Damballa, far too many for companies to inspect and manage. Yet, security professionals are still attempting to manually separate false alarms from real threats; decide what action, if any, to take; and then perform repetitive actions like gathering data, conducting basic analysis, and generating notifications and tickets.

Forced to complete each of these tasks manually, many expert security professionals are spending the majority of their days completing what are, essentially, administrative tasks.

Automation as a Solution
Up until now, the way most organizations dealt with an escalating number of events was to add staff. Many CIOs and CISOs still think about security in terms of an alerts-to-employee ratio; that is, they determine the size of their security operations center (SOC) staff based strictly on the volume of alerts they receive from detection solutions. But with the number of alerts rising so rapidly, that strategy is quickly becoming unsustainable.

To progress into a new era for information security, organizations are going to have to automate some of the low-complexity, high-volume tasks that are eating up so much of their experts’ time, just like they’ve done with detection. When an organization has the ability to remove mundane tasks from their experts’ plates, they free them up to tackle the more-complex issues.

Process automation, at its core, is about understanding what an analyst does to protect the enterprise or the specific steps the analyst takes to deal with alerts based on factors like source, attack type, severity and other factors. So when you are considering automation, the first step is to break down existing SOC operations so you have an almost minute-by-minute understanding.

For instance, thinking about how analysts respond to particular types of alerts may involve asking them granular questions like, “What are the sources of your alerts?” This seems obvious, but alerts can come from detection technology or be reported by the Service Desk, reported via email or called in by a user. Other lines of inquiry:

“What applications do they use to investigate alerts?” Do they look up users in Active Directory, an ERP solution or a corporate address book?
“Where do they get their investigation information?” Does it come from other detection technology, external threat intelligence or an internal configuration management database (CMDB)?
“How do they make decisions about response based on the information they have available?” Is it based on severity, affected system, affected users or a particular application?

That kind of granular thinking should not be limited to simply security alerts, either. Leaders should make a concerted effort to understand how staffers currently work through particular functions like creating shift turnover reports, generating metrics for management, or assigning tasks to various team members.
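The questions above (where alerts come from, which systems analysts consult, and how severity and affected assets drive the decision) map directly onto an automated triage playbook. The following Python script is an added example of such a playbook and is not Swimlane's product or code; the directory, CMDB and threat-intelligence tables, the scoring weights, the action thresholds and the sample alerts are all constructed for illustration, and the remote address is from the TEST-NET-2 documentation range.

```python
from dataclasses import dataclass, field

# Added example of an alert-triage playbook: enrich an alert from the lookups an
# analyst would do by hand, then decide the response from severity plus context.
# All tables, weights, thresholds and alerts are constructed for the example.
DIRECTORY = {
    "jdoe": {"department": "Finance", "privileged": False},
    "svc-backup": {"department": "IT", "privileged": True},
}
CMDB = {
    "fin-ws-04": {"owner": "jdoe", "criticality": "medium"},
    "db-prod-01": {"owner": "svc-backup", "criticality": "high"},
}
THREAT_INTEL = {"198.51.100.7": "listed as command-and-control infrastructure"}  # TEST-NET-2
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    source: str        # "ids", "service_desk" or "email" (user-reported)
    kind: str
    severity: str
    host: str
    user: str
    remote_ip: str = ""


@dataclass
class Decision:
    alert: Alert
    action: str
    priority: str
    enrichment: dict
    reasons: list = field(default_factory=list)


def enrich(alert: Alert) -> dict:
    """The lookups an analyst would run before deciding: directory, CMDB, intel."""
    return {
        "user": DIRECTORY.get(alert.user),
        "asset": CMDB.get(alert.host),
        "intel": THREAT_INTEL.get(alert.remote_ip),
    }


def decide(alert: Alert) -> Decision:
    ctx = enrich(alert)
    score = SEVERITY_SCORE[alert.severity]
    reasons = ["base severity %s" % alert.severity]
    if ctx["asset"] is None:
        score += 1                       # unknown asset: exposure cannot be assessed, so escalate
        reasons.append("host not in CMDB: cannot assess exposure")
    elif ctx["asset"]["criticality"] == "high":
        score += 2
        reasons.append("high-criticality asset")
    if ctx["user"] and ctx["user"]["privileged"]:
        score += 1
        reasons.append("privileged account involved")
    if ctx["intel"]:
        score += 2
        reasons.append("remote address in threat intel: " + ctx["intel"])
    if alert.source in ("service_desk", "email"):
        reasons.append("human-reported: confirm with detection telemetry before closing")
    if score >= 5:
        action, priority = "page_on_call", "P1"
    elif score >= 3:
        action, priority = "open_ticket", "P2"
    else:
        action, priority = "queue_for_review", "P3"
    return Decision(alert, action, priority, ctx, reasons)


def ticket_text(d: Decision) -> str:
    """The notification the playbook files instead of the analyst typing it."""
    return "[%s] %s on %s (%s): %s; %s" % (
        d.priority, d.alert.kind, d.alert.host, d.alert.user, d.action, "; ".join(d.reasons))


SAMPLE_ALERTS = [
    Alert("ids", "brute_force", "medium", "db-prod-01", "svc-backup", "198.51.100.7"),
    Alert("email", "phishing", "low", "fin-ws-04", "jdoe"),
    Alert("service_desk", "malware", "high", "lab-box-9", "guest"),
]


def triage(alerts=SAMPLE_ALERTS) -> list:
    return [decide(a) for a in alerts]


if __name__ == "__main__":
    for d in triage():
        print(ticket_text(d))
```

The reasons list is the important design choice: every automated decision records which enrichment facts moved the score, so an analyst reviewing the ticket can see why a medium-severity brute-force alert became a page and a high-severity report from the service desk did not, and so the weights can be tuned from cases where the playbook got it wrong.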

Once you have gathered as much information as possible about existing processes, you can work backward to determine which operations, if automated, would free up the most time for the experts on staff. Some of the repetitive tasks a solution should automate include:

Knowing what functions to automate is a great first step toward transforming information security operations. The next step is to identify and ultimately onboard a tool that allows the organization to execute that process automation.

First and foremost, a solution must be able to solve the issues of an organization’s specific use case. That may sound obvious, but for organizations with complex, proprietary processes, it is not a simple requirement. The tool has to be flexible enough to meet those use cases, as well as the processes that don’t have a name—the ad hoc processes that are unique to that organization.

It is also important to determine what level of automation is provided out of the box. One of the cumbersome obstacles that organizations want to avoid is being forced to go back to their vendors every time they want to add a process, report or mitigation. A true enablement tool allows companies to implement new processes, reports, notification and mitigations themselves.

There is some value in pre-canned solutions but, ultimately, an organization needs a tool that can go beyond offering the automations a vendor thinks the organization will need, to enabling the specific operations it actually requires.

What automation tools can’t do is replace human expertise. They won’t be able to perform all the functions of an expert security analyst’s job. But what they can do is free up time for such experts by eliminating the repetitive tasks that consume their days. That is critical because attacks are changing and continuing to become more complex. And the most effective means we have of identifying the anomalous behaviors that signal these new kinds of attacks is allowing analysts to be creative and spend some of their time hunting for new attacks, rather than completing repetitive low-value tasks.

Once these experts figure out how to identify and thwart these new types of attacks, they may be able to recreate the process and automate it—but only if they have the time to search for anomalies in the first place.

An incredible 71 percent of organizations surveyed admitted to having been the victims of a successful cyberattack in 2014. To begin to reduce this number, organizations in all sectors are going to have to do more than adopt new solutions; they are going to have to change the way they think about cyber security. Specifically, companies must begin to see detection—regardless of how advanced it might be—as only one-half of the entire cyber security picture.

The information security industry has arrived at a critical moment in time, faced with a threat landscape continuously growing larger and more complex. At this critical crossroad, a greater focus on automated incident response is the best way forward.

Swimlane is a developer of cyber security automation solutions that centralize an organization's security operations activities, automate incident resolution and integrate with threat intelligence.