Update on Email Security

31 July 2018
Marko Jung

The University procured as part of the Email Security workstream of the Nexus365 project two email security products from Trend Micro: Hosted Email Security and Cloud Application Security. These will provide greater protection against email-borne threats and malware for students and  colleagues across the collegiate-University, and minimise the likelihood of related information security incidents. This article gives an overview of the upcoming architectural changes to the University's email system, some insights in the on-going pilot at IT Services, and a brief overview of the next steps.

The Trend Micro products were selected following a highly competitive tender process with representation of experts in security, email, and networking. The Trend Micro solution offers the University the ability to add additional protection in two locations: at the gateway level by implementing Trend Micro Hosted Email Security (HES) as mail relays, and within Nexus365 using Trend Micro Cloud Application Security (CAS). The following schematic drawing illustrates how the two new products interfaces with the University's existing email infrastructure:

 

Email security architecture

The advantage of the proposed solution is that we are able to scan and filter the vast majority of unwanted messages using Hosted Email Security before the messages hit the existing email servers. Furthermore, we will be able to better protect our cloud hosted Nexus365 system using the Cloud Application Security product. Overall, the University benefits from the addition of an additional vendor's malware and threat detection engine for external and internal email messages.

It is important to highlight that the addition of these two products is an infrastructure change that does not require our members to take any action. There may be some minor changes required by IT support staff when the solution is implemented for their college or department, but we would like to emphasise this being envisioned to be transparent for all our students and colleagues.

Policy Development and Pilot within InfoSec and IT Services

The Information Security Team has been testing the Hosted Email Security product in May and June to develop an initial policy configuration matching the existing IT Services Email Content Scanning Service including the blocking of emails with high risk attachments. The new solution offers some additional features including the identification of phishing, emails with malicious web links (web reputation), business email compromise, sender fraud protection, and social engineering attack protection. The configuration of these features was carefully tested and refined within the Information Security Team before considering a wider pilot within the IT Services department.

The Hosted Email Security product was successfully implemented on Thursday, 19th July 2018 around 10am, following a failed initial deployment due to a configuration error that was not picked up due to an error in our testing protocol. Both issues were rectified promptly and in spite of the failed initial deployment, this deployment failure allowed us to confirm the roll-back plan working and also gain confidence in other areas, like for example OxMail continuing to route emails for a managed domain where the MX record pointed elsewhere.

The solution has been operational for 11 days without any known service interruptions. In the period of 19th July 2018 10am to 30th July 2018 10am, the system scanned 113,034 email messages for 518 email addresses. Out of these 76,631 messages (67.8%) were blocked and 36,403 messages (32.2%) were delivered:

  • 13,442 clean messages
  • 9,025 bulk newsletters/graymail (delivered with additional email header tag)
  • 3,307 potential spam (delivered with additional email header tag)
  • 5,381 failed domain-based authentication (delivered with additional email header tag)
  • 16 potential business email compromise attempts (delivered with additional email header tag)
  • 42 pattern-based malware (cleaned malware and delivered with additional email header tag)
  • 21 advanced persistent threats (cleaned threat and delivered with additional email header tag)
  • 172 other 

 

Hosted Email Security Statistics for it.ox.ac.uk (19/07/2018 10am to 30/07/2018 10am)

The project delivery team's test suite identified a bug with the Trend Micro product that allowed for email containing an EICAR test virus to be delivered without being cleaned. This issue was escalated promptly by the vendor and remediated within four working days. This demonstrates Trend Micro's ability to react quickly to issues with its platform. Furthermore, the email security team was able to gain deeper insights in the threat detection capabilities of the product and obtained valuable information to verify the chosen policy configuration.

There was one support request to OxCERT from a colleague within IT Services, which was not related to the email security product. The team knew the solution to the problem and helped the individual to identify the correct team to liaise with. OxCERT is not aware of any email security related support requests to the IT Services Service Desks. There were no reported issues from the Nexus team and Nexus365 project team. This gives us confidence that the adoption of the additional email security products will not increase support load for our colleagues in departments and colleges.

Next Steps

The pilot at IT Services is expect to run until the end of August. The effectivity of the solution is constantly monitored and compared to the existing email infrastructure. This helps the email security team to refine the future email security policy, which is based on the existing security model before it undergoes the required approval processes. The service design including a service level description is in development and the project team hugely benefits from the information obtained from the pilot within the IT Services department.

We intend to widen the pilot to a few additional email domains covering a broad selection of University departments and colleges before the University wide deployment in Michaelmas term.

If you have any questions feel free to contact the email security team at emailsecurity@infosec.ox.ac.uk or reach out to Marko Jung (Senior Supplier) or James Smith (Workstream Sponsor).