Best of ECT News


Outsourcing Network Protection: An Interview with MessageLabs CTO Mark Sunner

The past year has had no shortage of costly and complicating computer viruses and worms — SoBig, Swen, Klez and Yaha, among others — but what might be more troubling is the intersection of these attacks with the world of spam, which not only is pouring on in quantity, but also is carrying more destructive payloads.

Tack on to these issues the related troubles that arrive to plague corporations via millions of employee e-mail inboxes — pornography, spyware and the potential for embarrassing disclosures — and one of the most basic and necessary Internet communication venues becomes a recipe for a variety of disasters. All of these factors have helped propel one of the recommended and required security layers — Internet e-mail filtering — to a more prominent place in the IT defensive arsenal.

MessageLabs, alongside rivals Postini, FrontBridge, MX Logic and others, has seized on this need by providing an outsourced filtering service that the company says requires significantly less administration than competing products. The main idea behind MessageLabs’ technology is that the virus protection sits outside your network, eliminating e-mail threats — both inbound and outbound — before they reach you. However, a maturing market and a move toward in-house security could put competitive pressure on companies like MessageLabs.

To talk about the tactical advantages associated with outsourcing the battle against malware and junk e-mail, TechNewsWorld turned to MessageLabs CTO Mark Sunner for an exclusive interview.

TechNewsWorld: This year was marked by some significant worm outbreaks. What were the worst three from MessageLabs’ point of view and why?

Mark Sunner: Our Top 10 Virus List for 2003 shows SoBig.F was, by far, the most prevalent virus ever seen by MessageLabs, with more than 32 million infected e-mail messages intercepted since August 19th and the first virus ever to have 1 million infected e-mails stopped in a single 24-hour period by MessageLabs. The second and third most prevalent viruses were Swen.A and Klez.H, with a combined infected e-mail volume of 8 million copies, less than a quarter of SoBig.F’s volume.

MessageLabs qualifies viruses based on a number of criteria. First and foremost is volume, or the number of copies we stop on behalf of our customers. We also look at how quickly a virus spreads, the payload and the actual physical or financial damages caused by the attack. Millions of copies of SoBig.F infected computers before desktop or gateway antivirus companies were able to release protective signatures for it — something our customers don’t ever need to worry about because we protect proactively against all known and unknown viruses. SoBig.F was also estimated to have cost $1 billion in damages — in lost business, lost productivity and clean-up costs. These are bottom-line costs our customers don’t have to pay out either.

TNW: How big of a priority is the elimination of spam among your customers?

Sunner: Unlike a year ago, when volumes were manageable and it was one of many IT priorities, today it is a top priority. Demand for our antispam service is clearly driving our business and growing every quarter as spam volumes continue their dramatic increase. At least 90 percent of our U.S. customers take this service.

TNW: Is there a new threat in the form of converged worm or spam strategies that — regardless of infection — can clog e-mail servers?

Sunner: We are seeing a growing trend in spam using the kind of behavior that is typically associated with viruses and vice versa. For example, an increasing number of spam messages incorporate methods for harvesting e-mail addresses and bypassing detection. Spam also has been known to introduce spyware into a recipient’s machine. And viruses such as SoBig.F have manipulated open relay servers and open proxies to spread further — typically a spammer tactic.

Often seen as two different groups, the line between spammers and virus writers is beginning to blur as each makes use of tactics usually employed by the other.

SoBig.F, which hit in August, was the first widely successful example of a converged threat where a spammer used viral techniques to infect and harvest e-mail addresses and innocent users’ machines for spam-relaying purposes.

While they are not as prevalent as viruses such as SoBig.F, threats such as Mimail.J and Mimail.L are two other examples of converged threats. Mimail.J used spoofed spam e-mail and Web sites targeted to PayPal users with the purpose of stealing identities for financial gain. Mimail.L used a spam message with a Zip file that when unzipped unleashed a worm instructed to launch a denial-of-service attack against Spamhaus and other public blacklist organizations.
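As an added defender-side illustration (not code from the interview or from MessageLabs), this is the kind of gateway attachment check that stops a Mimail.L-style message before it reaches a mailbox: it parses an inbound MIME message, opens any zip attachment, and quarantines the message if an executable is attached directly or hidden inside the archive. The sample message, its addresses and the extension list are constructed placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable for this illustration; a production policy would be broader.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def is_executable_name(name: str) -> bool:
    """True if the final extension is executable; catches double extensions like 'photo.jpg.exe'."""
    return name.lower().endswith(EXEC_EXTENSIONS)

def inspect_zip(data: bytes) -> list[str]:
    """Return executable member names inside a zip attachment (empty if none, or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if is_executable_name(m)]
    except zipfile.BadZipFile:
        return []

def gateway_verdict(raw_message: bytes) -> tuple[str, list[str]]:
    """Scan every attachment of a raw RFC 822 message; quarantine on any executable content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            reasons.append(f"executable attachment: {name}")
        for member in inspect_zip(payload):
            reasons.append(f"executable inside {name}: {member}")
    return ("quarantine", reasons) if reasons else ("deliver", [])

def build_sample(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed sample message (not a real capture) with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return bytes(msg)

def make_zip(member_name: str) -> bytes:
    """Build an in-memory zip holding one placeholder member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    return buf.getvalue()
```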

TNW: What other e-mail evils are hitting inboxes?

Sunner: Pornography continues to be a universal concern for a variety of human resources, legal and financial reasons. Identity theft and online fraud scams are increasingly the end results of existing threats — spam and virus — and simply show that spammers are becoming a lot more devious to avoid detection and capture and that new types of criminals — perhaps involving organized crime — are using technology for financial gain.

TNW: What about spyware? Is this an increasing concern?

Sunner: Spyware programs are a ripe target for crackers and malicious coders looking for holes into systems. In general, spyware, and, in particular, keylogging, are definitely growing concerns. Spyware comes preinstalled in many desktop applications and can download itself when certain Web sites are viewed. It can also be distributed via e-mail through spam that includes executable files that download spyware onto a user’s computer.

TNW: How do concerns over liability, harassment and human relations rank among customer issues when it comes to e-mail?

Sunner: It’s difficult to say which is the greatest concern. While most companies want to protect their employees from hostile work environments, we’re finding small businesses are using our porn-filtering service, while enterprise and global companies are demanding content-control services. All of our services can help companies meet best-practice guidelines and enforce acceptable usage policies.

The greater concerns still seem to be associated with the costs incurred with spam and viruses, estimated in the billions per year for lost productivity; wasted IT time; increases in bandwidth, storage and processing costs; and whatever costs are incurred in cleaning up files and systems.

TNW: Where do companies stand in the battle against worms, spam and other e-mail-borne threats and damages?

Sunner: In a September report, Gartner Group stated that spam affects approximately 100 percent of companies, up to 50 percent of the average business mailboxes contain spam and less than 10 percent of enterprises have effective spam-filtering technologies in place. Companies have recognized that spam is a major issue affecting productivity, and they’re starting to fight back.

IDC reported in April of this year that virus infection is still the number one concern regarding e-mail security. Yet in spite of increased spending on so-called solutions to combat these problems, MessageLabs data shows that the ratio of spam to legitimate e-mail increased 77 percent in 2003, and the ratio of virus-infected e-mail to clean e-mail increased 84 percent.

These numbers increasingly make the case for MessageLabs’ managed services that protect 100 percent against known and unknown viruses, virtually eliminate all types of spam and, with content control, help companies enforce acceptable usage policies that reduce legal and financial liabilities related to misuse of e-mail. Desktop and gateway solutions just don’t offer the same levels of protection.

TNW: How is the interception technology keeping up with faster, more complex attacks and increasingly cunning attackers?

Sunner: Our technology, which has 10 patents, is predictive and self-learning. The bigger we get, the better we get. The key is having a service that constantly tunes itself based on the threats we are seeing globally and proactively protects customers. Having a global infrastructure that scans 28 million messages a day and is monitored and managed 24/7 puts us in a unique position to be the first to detect, stop and in many cases name new threats. All of this saves companies from ever having to worry about new types of threats, having the latest patches, distributing the latest patches and dealing with cleanup if the latest patches are not installed.

TNW: Is it difficult to convince people or corporations that they should move their e-mail filtering outside of their own network so it can be done on MessageLabs’ infrastructure instead?

Sunner: No. It’s usually a question that comes up. People understand that the Internet is insecure by nature, but they do see there is a means to secure it. It depends on the corporate culture. Any company that has used an outsourcer before will likely see this as an actual evolution. That said, companies need to be assured about service availability, network uptime and security measures. It’s also key if a company has ISO 17799 certification, which we do.

TNW: You often talk about the inability of traditional antivirus to guard against unknown or fast-developing threats. Do you think traditional AV is becoming obsolete?

Sunner: Traditional AV solutions do have a role to play in the battle against viruses. But they are not able to defend against threats coming from the Internet. MessageLabs believes the solution needs to be interwoven with the fabric of the Internet. Traditional desktop AV solutions are only as good as their last update. When a new threat emerges, the AV companies are playing catch-up. They have to write a signature and issue it to customers, meaning that there is always a time lag between when the virus appeared and when protection gets issued.

The user then has to download the new signature file. In the meantime, several companies will usually have been infected. To their benefit, while we protect against known and unknown e-mail-borne viruses — the majority of viruses — traditional antivirus protects against other types of viruses, such as boot-sector viruses, macro viruses and viruses that spread via network shares.

TNW: You also called AV vendors’ missing the Swen worm “almost inexcusable.” Explain MessageLabs’ relationship with the traditional antivirus companies and how you see them — as competitors or collaborators?

Sunner: In general, we have a good relationship with the majority of AV vendors, and there is a great deal of information-sharing between us. We rarely come up against traditional AV vendors in a sales situation, as we have two very different offerings. What usually happens is that a company using a traditional product recognizes the need to prevent e-mail security breaches at the Internet level and looks to us to help. We provide an additional service, one that is increasingly being recognized as essential in today’s climate.

TNW: Anything else you would like to add?

Sunner: We believe managed e-mail security services — antispam, antivirus and content control — will be increasingly considered as the only way to fight e-mail-borne viruses and spam. We also expect to see higher volumes of spam in 2004, in spite of best efforts — including legislative efforts — to prevent and eliminate it. We expect viruses to continue growing in size and scope and to see additional converged threats emerging as spammers create more devious ways to reach consumers and avoid detection.
