Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Day 7 of Incite: Bad Content is Bad Content

By Mike Rothman
Created 2006-01-20 15:06

Given “innovation” by spammers and fraudsters, keeping content filtering algorithms accurate and timely is proving very difficult for content-focused security vendors. In 2006, heuristics-based detection cocktails fall out of favor, pushing the pendulum back towards signatures that favor entrenched AV vendors. Users increasingly embrace “in the cloud” content filtering for e-mail, IM, and web traffic because it allows them to get rid of another box in the perimeter and stop worrying about exponentially increasing message volumes.


It’s funny, just as some are projecting the “end of spam [1],” others are of the opinion that spam is here to stay [2]. I tend to fall into the latter camp. Spam is not going to stop because of the economic incentive. But harmless spam is the least of our worries, as innovative fraud techniques (phishing, pharming, spear phishing, etc.) present a much more significant danger.

I guess it’s probably wrong to say “harmless” spam because every unwanted message burns resources, so there is a cost. But if you are anything like me, you are kind of numb to it. Why? Detection has gotten better and since you don’t pay for the pipes, how much it costs big companies to process all that spam is not your concern. I can also say from personal experience that the web mail services have gotten much better at detecting spam and dropping it way before it hits my mailbox. If I have 5 per day in my spam folder, it was a pretty bad day. Just 12 months ago, I’d get an average of 25-30.

Most people think security is just security. Isn’t protection designed for the network, for content or applications all the same? Well, NO! When I was in the anti-spam business that was the hardest point to get across to the common man. You need to use the right tool and technique for the job. A firewall is not particularly suited to do content inspection and process the sophisticated algorithms needed to accurately detect unwanted messages.

Unfortunately I think we’ve been lulled into a false sense of complacency relative to spam and other content-based attacks. Content security has become an arms race. Spammers, driven by the compelling economics of fraud, are innovating fast. They are coming up with interesting new ruses to separate unsuspecting users from their personal information. And I’m not sure the “good guys” can keep pace.

From a technical perspective just 18 months ago, vendors maintained a bunch of detection techniques and weighted them using a “cocktail” correlation approach. This was pretty effective. Most customers even liked to tune the cocktail for their own environment. There were lots of knobs and the customers enjoyed turning them. In buying situations, there would be great religious battles to determine the most effective way to block spam. The heuristics guys on one hand argued their approach blocked “unknown” spam more effectively. On the other hand, the folks that used spam signatures said they are just as effective and have no false positives. But a strange thing happened within the last year. CUSTOMERS STOPPED CARING. They now expect the spam to go away without them turning knobs or knowing how it's done.
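To make the cocktail-versus-signature argument concrete, here is an added illustration (not code from Security Incite or from any anti-spam vendor) of how such a layered classifier is put together: an exact-signature layer that can only catch what is already in the feed sits in front of a weighted set of heuristics whose weights and threshold are the “knobs”. Every rule, weight, threshold, hostname and sample message below is constructed for the example.

```python
"""Toy "detection cocktail": an exact-signature layer in front of weighted heuristics.

Added illustration, not code from Security Incite or any anti-spam vendor:
every rule, weight, threshold and sample message below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    is_spam: bool
    score: float
    hits: list = field(default_factory=list)


def _normalize(text: str) -> str:
    # Lower-case and collapse whitespace so trivial edits do not defeat a signature.
    return re.sub(r"\s+", " ", text.lower()).strip()


def signature(body: str) -> str:
    # A signature is just a hash of the normalized body; feeds of these are
    # what the "signature" vendors ship.
    return hashlib.sha256(_normalize(body).encode()).hexdigest()


# Heuristic rules: each returns a confidence in [0, 1].
def rule_shouting_subject(msg: Message) -> float:
    letters = [c for c in msg.subject if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def rule_money_words(msg: Message) -> float:
    phrases = ("free", "winner", "prize", "urgent", "wire transfer", "verify your account")
    text = _normalize(msg.subject + " " + msg.body)
    return min(1.0, 0.5 * sum(p in text for p in phrases))


def rule_ip_literal_link(msg: Message) -> float:
    # A URL whose host is a bare IP address is a classic phishing tell.
    return 1.0 if re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", msg.body) else 0.0


def rule_freemail_sender(msg: Message) -> float:
    # Hypothetical free-mail domain, constructed for the example.
    return 1.0 if msg.sender.lower().endswith("@example-freemail.test") else 0.0


# The "knobs" customers used to turn: per-rule weights and the spam threshold.
DEFAULT_WEIGHTS = {
    rule_shouting_subject: 2.0,
    rule_money_words: 3.0,
    rule_ip_literal_link: 4.0,
    rule_freemail_sender: 1.0,
}
DEFAULT_THRESHOLD = 5.0


def classify(msg: Message, feed: set, weights=DEFAULT_WEIGHTS, threshold=DEFAULT_THRESHOLD) -> Verdict:
    # Layer 1: exact signature match. Cannot misfire on its own, but only sees
    # what is already in the feed.
    if signature(msg.body) in feed:
        return Verdict(True, float("inf"), ["signature"])
    # Layer 2: the weighted cocktail. Catches unseen spam, and misfires when
    # weights or threshold are tuned badly.
    score, hits = 0.0, []
    for rule, weight in weights.items():
        confidence = rule(msg)
        if confidence > 0:
            hits.append(rule.__name__)
            score += weight * confidence
    return Verdict(score >= threshold, score, hits)


# Constructed sample traffic (link hosts use private/documentation address space).
KNOWN_BODY = "Congratulations!! You are our WINNER. Claim your prize at http://10.0.0.1/claim"
SIGNATURE_FEED = {signature(KNOWN_BODY)}
SAMPLES = {
    "known": Message("promo@example-freemail.test", "you won", KNOWN_BODY),
    "variant": Message("promo@example-freemail.test", "you won", KNOWN_BODY + " Hurry!"),
    "unknown": Message("billing@example-freemail.test", "URGENT: VERIFY YOUR ACCOUNT",
                       "Please verify your account within 24h at http://192.0.2.10/login"),
    "ham": Message("alice@example.com", "Lunch tomorrow?",
                   "Are you free for lunch tomorrow? Free as in available, not as in money."),
}


def run_samples(weights=DEFAULT_WEIGHTS, threshold=DEFAULT_THRESHOLD) -> dict:
    return {name: classify(m, SIGNATURE_FEED, weights, threshold) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:8} spam={v.is_spam!s:5} score={v.score:5.2f} hits={v.hits}")
```

Running it shows both sides of the old religious battle at once: the “known” message is stopped by the signature alone, the “variant” (same body with one extra word) slips past the signature and is caught only by the heuristics, and the legitimate lunch invitation scores a little above zero but stays well under the threshold. Lowering the threshold to 1.5 turns that invitation into a false positive, which is exactly the knob-turning risk that made customers happy to stop caring.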

And God help you if effectiveness goes down at all. Two years ago, you were a hero because the users were only getting 10 spam per day, down from a couple of hundred. How quickly things change. Now you get nasty-grams from users if they get 2 or 3. Ah, the thankless life of the IT professional.

So who ultimately wins in an arms race with the bad guys? It’s the vendors with scale, who have dedicated resources (plural, as in many) spending all day, every day working to stop content attacks. The bad guys continue to move fast, so vendors cannot skimp on making that investment. Over time it’s the AV vendors who will win in this market. The techniques used to provide top flight content security look an awful lot like those that fight viruses.

The e-mail security business is in step 5 of my 8 step market evolution cycle [2]. Brutal competition, pricing under pressure, start-ups missing unrealistic VC revenue targets; yep, that’s where the market is. Step 6 is right around the corner, indicating fervent consolidation and a few fire sales of vendors that have hit the wall. That’s the second half of this year.

If you are a user, what does that mean? First, you still need to evaluate the products using actual content from your environment. Depending on your traffic makeup, one approach may be more effective for you. Second, do not get caught up in any of the religion about heuristics vs. signatures. It doesn’t matter. Third, make sure you are comfortable with the technology investments the vendor is making. If they can’t keep pace with the bad guys, you lose. Finally, make sure the vendor’s focus is in the right place. The larger security vendors are big enough to play in all spaces. Smaller companies are not. If a vendor is announcing all sorts of stuff and doesn’t seem focused, run…fast. The product you are buying will be starved of resources that are chasing the next market.

Now let’s talk about managed content security services. There are now robust, mature, and stable “in the cloud” offerings for e-mail security, IM security and web filtering. You should strongly consider these services. Why? Basically to handle increasing traffic and message volumes. Equipment-based solutions require you to continually invest in more and more hardware as volumes go up. So if you are a big company, this is a huge problem. If you are a small company, it’s an even bigger problem because budgets are tighter.

The second advantage of a content security service is to screen the bad stuff before it hits your network. The idea of doing content inspection within your mail server is dumb. By then it’s too late. Inspection and blocking needs to be done at a minimum at the perimeter of your network, optimally in someone else’s network. The further removed from your users, the better. Finally, with a service, you don’t have to manage availability. Service providers have built highly available systems. Your mail server will go down before the service does, and in that case they just queue the messages until you are back up. So it adds a level of enterprise availability that is hard for smaller customers to replicate.

The services are priced per user each month. So you get into that buy vs. lease discussion. Obviously services minimize the amount of up front investment, but historically make it up on the back end. That isn't the case anymore. This market is very crowded and the vendors need to gain share. These deals turn out to be bare knuckle brawls. Utilize this to your advantage by negotiating hard and bringing in multiple vendors to bid. Moreover, the switching costs are nil (just redirect some MX records), so do not sign a long term contract.

Is there a catch with services? Performance is fine. Effectiveness is fine. Implementation time is actually a bit faster. End user controls are fine. The answer is there is no catch. Unless you are absolutely huge or heavily regulated and you need to “control” your content, services will be the best option for you. To be clear, I do not recommend you go rip out your appliances tomorrow, especially if they are working. BUT, when your maintenance renewal comes up, it may be worthwhile to take a look at what a service will cost, relative to your ongoing maintenance. I suspect you’ll be surprised at the answer.


Source URL:
http://securityincite.com/blog/mike-rothman/day-7-of-incite-bad-content-is-bad-content