* In a Q&A, NetIQ describes its anti-spam approach

I recently interviewed Matthew Dircks, vice president of Security Management Products of NetIQ in Houston, Texas (mailto:matt.dircks@netiq.com). We discussed his views on spam and how his company is attacking the problem through sophisticated rule-based anti-spam engines.

MK: Tell me about your company.

MD: NetIQ has been around since 1994, centering on performance and availability of Microsoft systems. We added Active Directory security through acquisitions in 1999 and 2000. In October 2002 we acquired Pentasafe, the company that handles Charles Cresson Wood’s well-known text on security policy (_Information Security Policies Made Easy_). Pentasafe also provides policy-centric vulnerability management and log-analysis solutions.

In December 2002 we acquired Marshal Software and its series of content-security products, MailMarshal and WebMarshal. In our own company, we found a year ago that about half of the total e-mail traffic was spam. This has implications not only for normal security such as confidentiality and vulnerability to malicious software but also for just plain availability. How can you be highly available if you’re not secure? And if you are so secure your business owners can’t get timely access to their resources, you sacrifice performance – so we help companies ensure availability with security. To do this you really need a policy-based approach to balance controls with availability. How do you take policies out of the employee manuals on the shelf, implement them technically and enforce them?

Being able to instantiate policy in your content controls is enormously powerful, and it characterizes our approach to security in mail security or policy-management products. Regardless of which area of policy you’re dealing with, you need to be able to prove enforcement.
That applies to Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, GLBA (Gramm-Leach-Bliley Act), European Union (EU) Privacy Directives, and your own IT or legal policies for proof of due diligence.

MK: So what’s the fundamental approach underlying your products?

MD: We provide standard rule sets out of the box and allow people to reorder them and adapt them to their particular needs. These can be statutory requirements or best practices (e.g., from SANS, the System Administration and Network Security Institute). We’re concerned with providing an irrefutable chain of evidence and a rapid response time. The client sits and configures the policies to suit using a text-based editor for rule sets. A good example is our TextCensor technology. TextCensor provides weighted keyword analysis and Boolean logic operators to identify phrases or other text characteristics common to spam. NetIQ Marshal Solutions provides TextCensor scripts out of the box along with rich user-definable rules.

You can set up filtering on subject lines, content, keywords (e.g., no Social Security numbers), forcing anti-virus checks on outbound or inbound traffic.

MarshalSMTP works at the gateway; it doesn’t matter what client you’re using. It’s the easiest to administer and the most effective because it captures bad stuff before it penetrates the corporate network, and you don’t have to interfere every time a copy gets forwarded from one workstation to another. It reduces the administrative challenges of administrating a client-centric approach. It’s less visible to the user; there’s less pushback and less training. We’ve had very large customers deploy this for 75,000 users in four days because they only had a handful of SMTP servers.

The other product is an Exchange server flavor. Some people use it for spam, but many organizations use it for internal controls.
For example, some banks or investment houses have a Chinese wall between the retail brokers and the research groups, and they’re using the controls of MailMarshal Exchange to limit transfer of sensitive data.

MK: How does the outbound blocking affect users?

MD: You can configure specific messages explaining why a particular message has been blocked or if an attachment has been stripped. Even on the way in, you can quarantine messages or stamp them on the way in with “SPAM” in the header so people are aware of danger if they do open it.

MK: Tell me about false-positive and false-negative issues.

MD: We have very good experience from both our own applications and from customers. We’re seeing 90%-plus at allowing mail through and blocking spam out of the box, and higher with specific configurations.

In one case where the product was carefully tuned, the client received about 140,000 e-mail messages a month, of which 37% were spam. They implemented MailMarshal and found a false positive rate of 0.01% to 0.1%, with a success rate of 95% in flagging and stopping the junk.

* * *

Disclaimer: I have no financial interest in or association whatsoever with NetIQ.