How to Evaluate and Use Enterprise Instant Messaging Security Tools

Messaging security is not just for e-mail anymore, especially with more employees using public instant messaging platforms in the workplace. According to Gartner analyst Peter Firstbrook, public IM has become an e-mail alternative for distributing viruses and other malware. IM security vendor Akonix reported recently that it had tracked 20 new pieces of malicious code in February, an increase of 43 percent over January. On the outbound side, IMs can contain objectionable, illegal or otherwise sensitive content.

At the same time, only 10 percent of organizations have formal IM policies, according to a 2007 Burton Group survey. Of those, only half secure the application. Many don’t even know whether employees are using IM.

Enter IM security software. Whether in the form of appliances, hosted solutions, software modules or features of other Web and e-mail security systems, the role of IM security is to protect against inbound threats like viruses, worms, spyware and messaging spam (also called SpIM); use content filtering to prevent outbound threats caused by information leakage; log and archive all IM conversations; and ensure compliance through policy enforcement, auditing, archiving and access controls.

The IM Security Market Outlook

The IM security market is dominated by three companies with products that were originally dedicated solely to protecting IM: FaceTime, Akonix and Symantec (after it acquired IMlogic) See IM Security’s Three Kings for a look at these vendors’ products. But a growing number of companies offer components of IM security, including Web security gateway, e-mail compliance, archiving and security providers like St. Bernard Software, Trend Micro, Barracuda Networks, Secure Computing and Websense.

Other companies, such as MessageLabs, Postini, MX Logic and FrontBridge, offer hosted IM security solutions.

According to Firstbrook, Akonix and FaceTime are ripe for acquisition by a larger, established security vendor. “You don’t want to treat IM as an island because it’s not,” he says. IM authentication, threat protection and archiving will likely be subsumed by vendors of antivirus software, established gateway devices (firewalls, proxy servers and URL filters) and archiving vendors, Firstbrook says.

Meanwhile, IM infrastructure vendors such as Microsoft and IBM will likely enhance native IM security requirements, increasingly marginalizing vendors dedicated to IM security, he says.

Key capabilities

Archiving. According to Firstbrook, IM messages are not automatically saved by IM systems (either public or private), so companies may require a secure repository for compliance or other security reasons. Some vendors offer repositories that are searchable and/or integrate with e-mail archiving systems. At CEVA Logistics, Tony Taylor, manager of global network operations, chose FaceTime’s IMAuditor because it enables him to capture and replay actual IM conversations. “Otherwise, we don’t have pristine evidence,” he says.

Authorization. Since many organizations don’t allow all users to access IM networks, the ability to detect IM traffic and allow only authorized users and groups to communicate on approved IM clients and networks is needed, Firstbrook says.

Compliance. A key requirement for early adopters is the workflow and reporting capabilities necessary for compliances with regulations, according to Firstbrook.

Security. A core capability is threat filtering and implementation of security-driven policy. Leading vendors also provide a central repository of information about IM vulnerability, current exploits and the overall threat environment.

Manageability. IM security vendors provide a centralized point of management, consolidating policy, monitoring and reporting for disparate IM networks and clients, Firstbrook says. For instance, many companies disenable file attachments and neuter embedded URLs.

Key Strategies. It’s important to focus on the threats posed by phishing, malware and blended attacks, since IM is particularly susceptible to social engineering tricks. IM users are not as suspicious about embedded URLs and file attachments as their e-mail brethren, especially because attackers can infiltrate IM buddy lists, making it appear as though the fraudulent message originated from an IM contact. In addition, IM’s real-time nature causes malware to spread rapidly.

However, a growing number of companies are also interested in finding a tool that tracks, audits and even blocks certain IM conversations, to avoid leakage of intellectual property, enforce acceptable-use policies and comply with regulations and legal restrictions. This became a larger issue in December 2006 when the Federal Rules of Civil Procedure made IMs discoverable evidence in court.

At the Screen Actors Guild Producers Pension and Health Plans division, for instance, assistant CIO Kevin Donnellan worries about protecting the private health information of the organization’s membership, which includes some high-profile actors. Three years ago, however, he had no idea who was using IM within the organization, let alone what types of information they were sending around. To comply with HIPAA regulations, Donnellan implemented IMlogic [before it was acquired by Symantec] and used the granular controls to authorize IM use only to users who could prove they had a business need for it. “Maybe we’re a little old-school, but we don’t give IM to every staff member who comes on board,” Donnellan says. “We have a regulatory responsibility to protect patient information.”

Appliance or Hosted Service?

Companies can choose between implementing server-based software, an appliance-based solution, a hosted platform or a hybrid approach. According to IDC (a sister company to CSO’s publisher), the messaging security market will more than double from $2 billion in 2006 to $4.8 billion in 2011. Among the components of the market--software, appliance and hosted services--IDC predicts hosted services will be the fastest-growing.

Buzzword Alert

According to Maurene Caplan Grey, founder of Grey Consulting in Kent Lakes, N.Y., any communication that travels over IP is a candidate for some type of security breach, including Web mail, blogs, IM, VoIP, P2P networks and Web conferencing. This has led IM security vendors to add more coverage to their wares, beyond IM. As often happens, a buzzword has emerged to describe this effort: unified communications strategy. Caplan Grey says to ignore the buzzword and focus on what types of communications the vendor protects today, what that protection means, what they plan to protect in the future, its affiliations and OEM partners.

Evaluation Criteria

Key aspects of IM security include archiving, authorization, compliance, manageability, content inspection, spam-over-instant-messaging (SPIM) protection, IM identity registration, monitoring and integration with other security systems.

Increasingly, companies want to manage IM in accordance with other messaging media. Look for integration with enterprise IM systems, public IM systems, e-mail archival solutions, antivirus systems, corporate directories and firewalls.

Dos and Don’ts for Securing Instant Messaging

DON’T think your bases are covered with a corporate IM system. Corporate IM provides some controls and security, but analysts say additional security is needed to fully address the risks of IM. This includes restricting and/or managing public IM and complying with regulations that require auditing and archiving.

At CEVA Logistics, employees were previously allowed to instant message using Microsoft Live Communications Server with security provided by the company’s Check Point Software firewall.

But when CEVA Global Network Operations Manager Tony Taylor grew concerned about complying with the Sarbanes-Oxley Act’s auditing regulations, he tried taking IM away from employees altogether. In the end, because some customer contracts stipulated the use of real-time IM communications, he decided to implement FaceTime’s IMAuditor. “It allowed us to secure the LCS environment, and people can also use third-party IM clients,” Taylor says.

DO ensure that ever-changing IM protocols are supported. Consumer-based IM protocols are proprietary and constantly evolving, so it’s important for the IM secur-ity vendor to be able to continuously update protocol signatures on the firewall.

DO consider encryption. Some vendors, such as Presensoft and Secure Computing (with its CipherTrust IronIM), offer encryption for IM transmissions. In addition, FaceTime stores IM messages in an encrypted database.

DO get a sense of how forward-thinking the vendor is. The world of IP messaging is constantly evolving, from IM protocols to downloadable applications, and so are the attacks that threaten security. That’s why it’s important to ask vendors about future plans--the next new threat they’re working on and what you should be thinking about over the next year. “You need to find out what’s on their road map,” Caplan Grey says. “Get a picture of who’s the most forward-thinking and who has the funds and R&D staff to execute on those plans.” And because threats to IP messaging are often blended threats (for instance, enticing users to click on a URL that exposes them to bots or identity theft), vendors need to provide security across different media, in a similarly blended way, she says.

DON’T overlook your current security providers. It’s very likely that your current security providers--of Web filtering, firewall, virus protection, spam filtering, data leakage software, etc.--are building out their messaging security portfolios either through partnerships or acquisitions. That’s why Caplan Grey urges users to ask current providers about their plans in this area. “You may be able to take advantage of licensing savings, integration or support advantages,” she says.

DO ask how the system protects against malware: While vendors such as FaceTime, Akonix and Symantec continually update their virus signatures, protecting against IM viruses requires other evergreen tactics, according to a FaceTime spokesperson.

For instance, the product can unmask a bot by asking simple questions that require a human response, like, “What is 2 + 2?” “That could stop even zero-day threats before they’re detected,” she says. The system also keeps an eye out for anyone sending too many messages all at once, since that’s usually a sign they’re infected with something. “It’s one thing to run signatures, but you also need proactive measures, which stops unwelcome behavior on the network,” Firstbrook agrees. For instance, you’d want a system to detect and then isolate any computer displaying bot-like behavior, such as opening multiple sessions in a small time frame, he says.

DON’T treat IM security as an island. While vendors such as IMlogic, FaceTime and Akonix all got their start by offering dedicated IM security tools, the trend is to protect not just IM but all messaging from one platform, Firstbrook says. That’s why Symantec’s Enterprise Vault, for instance, archives data from e-mail, IM, content management and collaboration systems, and its antivirus system includes IM virus definitions.

In addition, FaceTime offers not just IMAuditor but also Unified Security Gateway, which integrates management, security and compliance for Web communications, consumer-driven Web applications (such as public IM, Skype and P2P) and enterprise IM platforms. Taylor currently uses IMAuditor, for instance, but is testing its USG product and plans to upgrade.

For its part, Secure Computing rolls IM control into its e-mail security appliance, and Akonix partners with FrontBridge Technologies to enable an integrated, hosted archiving and compliance solution for both e-mail and instant messaging. “You don’t want to archive IM in a separate archive or treat it differently from a policy perspective,” Firstbrook says. ##