Whatever your job description, there's a fair chance that you spend a considerable part of your day doing email. And the odds are that you're using Microsoft Outlook as your client application and that on the back-end, you're connecting to a Microsoft Exchange server.
Now if your responsibilities include security, you're acutely aware that email is the classic vector for phishing attempts from the outside and is a key means of data exfiltration by insiders, inadvertent or otherwise. Spear-phishing, where a highly targeted attack against a specific individual or group is attempted, is probably the top-of-mind threat of the moment, deployed in such famed penetrations as the RSA attack of early 2011. All of this would suggest that you'd be very interested in examining the contents of emails coming to and from your users.
The typical way this is done is by using a network traffic analyzer that understands SMTP or one that can be used as an MTA to plug into your email infrastructure. These rely on standards-based approaches for monitoring emails going between MTAs, essentially email servers. There are a number of solutions that would enable you to do this, including ones that we at Fidelis offer. Depending on your enterprise IT and security architecture, you might see limitations to this approach and it's worth talking through these.
A happy trend for the enterprise over the past few years has been the consolidation of IT resources, driven by better software, management tools, Moore's law and virtualization. Instead of every branch office, division or business unit deploying its own Exchange servers, it's quite likely that your organization has decided to centralize this setup.
But a somewhat less happy outcome for you as the security guy is that you may no longer have visibility into your organization's email. If your Exchange servers are outside your control or security perimeter, instead of inspecting SMTP or deploying MTAs to do content examination, what you're stuck with on the network is Microsoft's proprietary MAPI protocol, which is what Outlook clients use to talk to Exchange servers. Most network sensors today aren't capable of inspecting messages travelling over MAPI.
This is a real problem, because you've just lost visibility into the inbound and outbound threats carried over enterprise email. You might choose to rely on your enterprise-level security team to take care of this with their monitoring of SMTP. But consider the data exfiltration case, where it's highly likely that you're the best judge of what is sensitive to your organization. Your enterprise security team might be able to deploy standard rules to look for PII leakage, but your operational security vocabulary is probably your own - codenames, project plans ... the kind of stuff you don't want showing up on Wikileaks or even Gizmodo.
Even worse, you really have no control over email between users on the same Exchange server. Everyone is familiar with viruses that blast out emails to all addresses in the victim's address book. Imagine someone in your domain getting infected with such a virus and sending emails to his colleagues. This is a fantastic phishing vector, since a user is a lot more likely to open an attachment coming from a sender inside their organization. Emails within an Exchange domain never make their way to SMTP or other MTAs and are likely to get no inspection whatsoever.
All of this points to the need for network-based sensors that can understand and inspect sessions carried over MAPI - the protocol that Outlook user-agents use to connect to Exchange servers.
Today Fidelis announced the addition of the Exchange/MAPI decoder to our XPS product family. Our policy framework can now be utilized against MAPI-based sessions, thus giving you visibility and control into email (and Calendar) based threats inside your organization, whether or not you have the ability to wrap your Exchange server with security tools of your choice. Even better, the Exchange/MAPI decoder gives you visibility into intra-organization emails that you never had before. If email-based threats matter to you, your outlook just brightened up. To read more about the Exchange/MAPI decoder, see our press release.