    FAQ: Email Threat Prevention (ETP Cloud)

    Version 10

    Introduction

    This article is meant to give a brief introduction and broad overview of FireEye's Email Threat Prevention (ETP) Cloud offering. It addresses many of the questions and concerns our Sales and Sales Engineers encounter when introducing this product to potential customers or existing EX customers.

    Overview

    What is Email Threat Prevention (ETP) Cloud?

    Launched in December of 2013, FireEye’s Email Threat Prevention (ETP Cloud) solution is a cloud-based platform that protects against today's advanced email attacks. The service addresses the lack of advanced, cloud-based email security for organizations that wish to fully embrace the cloud. Using the FireEye MVX architecture, the service preserves multi-vector threat correlation with the entire FireEye deployment.

    How does ETP Cloud work?

    FireEye's ETP Cloud uses the MVX engine in the cloud to detonate email attachments against a cross-matrix of operating systems and applications, including multiple Web browsers and plug-ins like Adobe Reader and Flash. Like the on-premise EX series platforms, the cloud-based FireEye MVX engine does not rely on signatures, so it can stop advanced attacks that exploit unknown OS, browser, and application vulnerabilities, as well as malicious code embedded in file and multimedia content.

    ETP Cloud integrates with on-premise NX platforms to coordinate real-time protection against multi-vector, blended attacks, and it leverages the broad FireEye ecosystem by exchanging threat intelligence through the FireEye Dynamic Threat Intelligence (DTI) cloud. It also integrates with email hygiene technologies to secure your enterprise email.

    What is the value of ETP Cloud for subscribers?

    • With no hardware or software to install, the cloud-based ETP Cloud is easy to deploy.
    • ETP Cloud offers the most advanced, signature-less protection against today’s advanced attacks and zero-day exploits.
    • It is a particularly good fit for organizations already moving their overall infrastructure into the cloud.
    • ETP Cloud integrates with the NX for real-time protection and rich correlation: it blocks malicious attachments and URLs delivered via email while also gaining context into the APT attack campaign.
    • ETP Cloud can be combined with FireEye's anti-spam and anti-virus solution for a complete email security solution.

    What does ETP Cloud protect against?

    Just like the FireEye EX platform, ETP Cloud protects against advanced email attacks that use:

    • Malicious attachments carrying a zero-day exploit
    • An embedded URL that links to a malicious website
    • Malicious binaries (exe and zip files) pointed to by URLs

    Who uses ETP Cloud?

    Anyone can leverage ETP Cloud.

    • Small and midsize business customers (esp. 500 to 2,000 user mailboxes)
    • Government agencies
    • Educational institutions
    • Large federated enterprises

    We currently use EX; should we evaluate ETP Cloud?

    Large enterprises that are looking for ways to embrace the Cloud (Gmail, Office365, etc.) for all their email needs should evaluate the ETP Cloud solution.

    Large enterprises that protect their users’ on-premise mailboxes using the EX appliances will most likely want to continue with on-premise EX appliances. The EX appliance allows the application of policy as decided by the enterprise's IT admin, e.g. the ability to specify attachment file types, or a whitelisting feature that allows all emails belonging to a particular recipient domain to bypass scanning. The ETP Cloud currently does not provide per-enterprise policy.

    How is ETP Cloud different from the EX platform? Which should I consider?

    Consider ETP Cloud if:

    • the bandwidth cost of bringing email into your premises (to send to EX) and then back into the Cloud into the mailbox is prohibitive
    • you don't have experienced teams to install and manage the EX appliances
    • you're looking to evaluate and deploy email protection very quickly
    • your team needs a simpler UI with features such as policy control and email trace
    • you desire the quick updates and faster release cycles offered by a Cloud solution
    • you want to correlate alerts from an on-premise NX without purchasing a CX
    • you need a flexible operating expense and a solution that will scale quickly as you grow

    Consider the EX Platform if:

    • you need granular and customizable policy controls per enterprise (e.g. profile selection, custom YARA rules)
    • you have privacy concerns about Cloud solutions or are unwilling to invest in them
    • your business is looking for a one-time capital expenditure rather than an ongoing subscription service

    How does ETP Cloud complement antivirus and anti-spam products?

    The ETP Cloud allows integration with existing anti-spam and antivirus technologies, and it also allows customers to migrate to a complete FireEye offering for all email security needs.

    Deployment

    What deployment modes are supported?

    Active Protection Inline (MTA) deployment

    In this mode, FireEye analyzes emails and quarantines email-based threats. Organizations deploy in this mode by setting up the next hop of their receiving MTA to point to the FireEye cloud. Malicious emails can be quarantined for further analysis or deleted by administrators.

    Monitor-only BCC/Out-of-band (OOB) deployment

    In this mode, FireEye analyzes copies of emails sent to the FireEye cloud for MVX analysis. Organizations enable this mode by setting up a transparent BCC rule. Malicious emails will trigger an alert that is sent to administrators.

    What does a typical customer deployment look like?

    The image below demonstrates typical BCC and Inline (MTA) deployments.

    [Image: etp_example_deployment.png (typical BCC and Inline (MTA) deployments)]

    Where can I find official documents on ETP Cloud services like our SLA or certifications?

    Will ETP Cloud work for customers who already have their mailboxes in the cloud? Email hygiene (anti-spam) in the cloud? Both?

    Yes, ETP Cloud will work under both of these conditions. The only requirement is that the email be scrubbed by antivirus or antispam technologies before being sent to the ETP Cloud.

    For Office365 or Gmail: Microsoft and Google also offer basic email hygiene (BEH) themselves; it doesn't make sense for an email to leave after their BEH, go to the FireEye Cloud, and then go back to their mailbox. We recommend that the email MX record point directly to the ETP Cloud so that FireEye analysis occurs first, and only emails deemed "Safe" are then sent to Office 365/Gmail.

    What cloud-based email services work with ETP Cloud?

    In general, ETP Cloud can integrate with most cloud-based email services. We have done testing and documented the integration with the following services. For other services not listed here, please reach out to ask-etp@fireeye.com

    Email Service                  BCC                                         Inline
    Office 365                     Supported (Need enterprise license)         Supported (Need enterprise license)
    Gmail                          Supported                                   Supported*
    MessageLab (Symantec.Cloud)    Supported (Need content control license)    Supported

    *Gmail is supported in inline mode only when the MX record points to the ETP Cloud as the initial hop/analysis. Ask your sales representative for more information.

    How many ETP Cloud datacenters are there? Where are they located?

    Currently, ETP Cloud has two datacenters, both located in the United States. One is in Sacramento, CA; the other is located in Virginia.

    Are ETP Cloud services redundant across datacenters? Will customer alerts and logs be available in case of failover?

    Services will fail over to the second site (located in Virginia) without customer impact in the event of an outage. Datacenters at both locations will be synced, so customers will still be able to see their logs and alerts.

    How does ETP handle downtimes and failovers?

    The second ETP Cloud site in Virginia is a warm site with an approximately 20 minute delay for cut-over in the case of an unplanned downtime. For planned maintenance downtime, ETP Cloud will stop accepting connections while letting the system finish processing all current messages. Once queues are cleared, the maintenance will be performed and connections re-allowed afterwards. During the maintenance window, no new messages will be accepted, and messages will be queued on the sender's MTA. As the sender MTA will continue to retry, ETP Cloud will process messages once connections are allowed again after maintenance.

    When will ETP Cloud be hosted in datacenters in other theaters?

    Expansion to other theaters is on the roadmap. Please ask your sales representative for the most current information.

    What are the scale limits for ETP Cloud? Are there any limitations on message volumes?

    ETP Cloud will scale dynamically based on user demand. It has been designed to scale from small enterprises to large organizations with several hundred thousand mailboxes. ETP imposes no limits on message volume, although the downstream MTA may. If the downstream MTA stops accepting connections, ETP Cloud will also stop accepting new messages.

    Can ETP Cloud handle periodic spikes in traffic?

    ETP Cloud's infrastructure has been provisioned to handle customer load spikes. Since ETP Cloud is cloud-based, additional capacity can also be added easily if required.

    Does ETP have SIEM integration?

    Yes, ETP Cloud supports a TLS-encrypted SIEM feed for alerts in CEF format. CEF alerts are sent via TCP port 6514, and the customer must configure their systems to accept connections on that port from the ETP IP ranges.
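    The collector-side handling implied by this answer, as an added example that is not FireEye code: a Python receiver that first checks the peer address against the ETP source ranges (the networks below are placeholders; substitute the ranges FireEye provides for your tenant) and then parses each CEF record into header fields and extension pairs, handling the escaped pipes and equals signs the CEF format allows. TLS termination on port 6514 is assumed to happen in front of this code, and the sample alert lines, their signature IDs and their extension keys are constructed for illustration rather than taken from the ETP alert layout.

```python
"""Receiving side of an ETP-style CEF alert feed (added example, not FireEye code).

The FAQ states that alerts arrive over a TLS-encrypted feed on TCP 6514 in CEF
format and that the customer must accept connections from the ETP IP ranges.
A collector applies two checks per record: the peer address must lie in the
expected ranges, and the CEF line must parse into header fields and extension
pairs before it is forwarded to the SIEM. TLS termination is assumed to happen
in front of this code. The ranges, alert names and extension keys in
SAMPLE_ALERTS are constructed placeholders, not FireEye's documented layout.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Placeholder networks: substitute the ETP source ranges FireEye provides for your tenant.
ETP_SOURCE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# An extension value may contain spaces; a new key only starts after whitespace,
# and an escaped '\=' inside a value must not be mistaken for a new pair.
_EXT_PAIR = re.compile(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)")

SAMPLE_ALERTS = [  # constructed sample records
    "CEF:0|FireEye|ETP|example|1|Malicious attachment quarantined|8|"
    "src=198.51.100.10 suser=sender@example.net duser=alice@example.com "
    "msg=MVX verdict\\= malicious act=quarantine",
    "CEF:0|FireEye|ETP|example|2|Malicious URL \\| blocked|7|"
    "duser=bob@example.com request=http://example.invalid/payload act=quarantine",
]


def source_allowed(peer_ip: str, ranges=ETP_SOURCE_RANGES) -> bool:
    """True when the connecting peer belongs to one of the expected ETP ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Take the 7 header fields off a CEF body; a backslash-escaped '|' is a literal pipe."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):    # escaped character: keep it literally
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header is missing fields")
    return fields, body[i:]                        # the rest is the raw extension


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF record into its header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, extension = _split_header(line[len("CEF:"):])
    record: Dict[str, object] = dict(zip(CEF_HEADER_FIELDS, header))
    ext: Dict[str, str] = {}
    for key, value in _EXT_PAIR.findall(extension):
        ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")   # undo CEF escapes
    record["extension"] = ext
    return record


def handle_feed_line(peer_ip: str, line: str) -> Optional[Dict[str, object]]:
    """Drop records from unexpected peers; otherwise return the parsed alert."""
    if not source_allowed(peer_ip):
        return None
    return parse_cef(line)
```

    The source check is deliberately separate from the parser: the TLS listener should refuse the connection before any bytes are parsed, and the same allowlist can be reused in the host firewall that fronts port 6514.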

     

     

     

    Features

    Is Antivirus/Antispam/Reputation Filtering available?

    Antivirus, antispam, and reputation filtering are available as of the June 23, 2014 release of ETP Cloud.

    Who do you use for antivirus/antispam/reputation filtering?

    ETP Cloud runs multiple AV/AS engines, resulting in a very flexible architecture with the ability to add new engines and/or replace old ones. The engines within ETP Cloud are best-in-class and are used by large email providers and service providers. Since the AV/AS engines are subject to change, FireEye does not disclose the specific OEM vendors used in ETP Cloud.

    Does ETP Cloud offer the same functionality as the EX platform?

    The security functionality is equivalent to the FireEye EX platforms. ETP Cloud has the same default profiles as FireEye EX version 7.1. However, customers cannot use custom detection settings on ETP Cloud, whereas the on-premise EX can have detection settings tailored to a specific company. The latencies around Email Threat Prevention are along the same lines as the EX platform; latency over the WAN transport is additive. ETP Cloud is a high-availability infrastructure offering, so there is no single point of failure in the entire infrastructure.

    Can end users receive a notification message when emails get quarantined?

    As of the Cloudbreak release in July 2014, end users can receive a daily email listing all their quarantined emails, and can manage their quarantined emails through a web portal.

    Can ETP Cloud see alerts from NX/CM?

    Yes, ETP Cloud can see alerts from NX. Customers can configure their NX to send alerts to ETP Cloud. ETP Cloud can then use the alert information for web/email correlation: if NX detects a URL as malicious, ETP Cloud can identify whether the emails it has seen contain that malicious URL and alert the user. It can also detect future emails that contain the malicious URL.

    Can NX/CM see alerts from ETP Cloud?

    As of the writing of this FAQ, ETP Cloud does not send alerts into a customer CM. Please check with your sales representative to see if this is currently available.

    How does ETP Cloud handle incoming email messages if the delivery destination is unavailable? Does ETP Cloud queue messages?

    ETP Cloud does not accept an email if the destination is unavailable at the time the email is received. If the destination becomes unavailable sometime between acceptance and delivery, then ETP Cloud will queue the message. The maximum queue time is one day (86,400 seconds). ETP Cloud will retry the delivery at 60, 90, 135 seconds up to 3600 seconds and then will retry every hour up to one day. After one day (24 hours), the email will be dropped, and the sender will receive a notification that their email did not go through.

    How does quarantine work for cloud-based AV/AS and on-premise EX?

    AV/AS is offered with ETP Cloud but not in the on-premise EX platform.

    When ETP Cloud AV/AS is enabled, emails will be checked for policy violations, viruses, and spam first. If an email fails any of those checks, it will be quarantined (in inline mode). If there are no policy violations, viruses, or spam, the email will be sent to MVX for analysis. MVX can again quarantine emails if advanced threats are detected. If a policy violation, virus, or spam was detected and the admin releases the email, the email will be sent to the MVX engine. In this case, the email will end up back in the quarantine list, and the admin will have to release it again to send the email to the end user.

    Does ETP Cloud scan outbound messages?

    Currently there is no capability to route outbound emails to ETP; however, outbound analysis is on the roadmap. Please contact your sales representative for the most current information.

    Does ETP Cloud do recipient verification? How? Is there LDAP integration?

    While there is currently no LDAP integration, ETP Cloud does perform recipient validation by using SMTP to test the customer server. If the recipient is valid, the result is cached for one minute. (Approximately 100,000 entries can be cached.) If the recipient is not valid, the message will not be sent. ETP Cloud's architecture also requires the downstream MTA to perform recipient validation.

    Is Role-based Access Control (RBAC) available for the ETP portal?

    Currently, only the admin role is available, although multiple users can have accounts and log in with admin privileges. RBAC for the portal is on the roadmap.

    Do end users have access to the ETP portal to see their quarantined emails?

    Currently, only admins have access to the ETP portal. However, end users can get a daily digest of all their quarantined emails. If enabled by the admin, the end user may be able to release some of the emails themselves.

    Can content policies be based on users/groups?

    The ETP portal allows whitelisting, blacklisting, and throttling based on sender or recipient email addresses. However, since ETP Cloud currently does not have LDAP integration, policies cannot be based on user groups at this time.

    What do the content policy accept and deny rules do?

    The Accept Rule policy is similar to a whitelist. When a message matches the Accept Rule criteria (e.g. sender domain, recipient, etc.), spam processing is bypassed. The message still goes through advanced threat detection.

    The Deny Rule policy is similar to a blacklist. When a message matches the Deny Rule criteria, it will be rejected.

    How can customers troubleshoot if mails are stuck?

    In the ETP portal, admins can search for mail via the Email Trace tab. Admins can then view message details to see the email trace in real time and find out where the mail is in the queue.

    Does ETP Cloud have directory harvest detection and protection?

    Yes, ETP Cloud does protect against directory harvesting. If there are more than 100 recipient lookup failures within an hour, ETP Cloud will not accept emails from the sender for 4 hours.
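    The recipient-validation cache (one minute TTL, roughly 100,000 entries) from the recipient verification answer earlier in this section and the directory-harvest rule above (more than 100 lookup failures in an hour refuses the sender for 4 hours), modelled together as an added Python example; this is not FireEye's implementation. The SMTP probe against the downstream MTA is replaced by an injected callable, the clock is manual so the time-based rules can be exercised offline, and the class names, the eviction policy and the scenario in run_scenario are assumptions made for this example.

```python
"""Recipient-validation cache and directory-harvest guard (added example, not FireEye code).

A positive recipient answer is cached for 60 seconds in a cache of roughly
100,000 entries (oldest evicted), and a sender causing more than 100 recipient
lookup failures within an hour is refused for 4 hours. The SMTP probe is an
injected callable and the clock is manual so the rules run offline.
"""
from collections import OrderedDict, deque
from typing import Callable, Deque, Dict

VALID_TTL_SECONDS = 60              # a valid recipient is cached for one minute
CACHE_CAPACITY = 100_000            # approximate cache size quoted in the FAQ
HARVEST_FAILURE_LIMIT = 100         # more than this many failures per hour ...
HARVEST_WINDOW_SECONDS = 3600
HARVEST_BLOCK_SECONDS = 4 * 3600    # ... and the sender is refused for 4 hours


class ManualClock:
    """Deterministic clock so the time-based rules behave the same on every run."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class RecipientValidator:
    """Caches positive answers only; an invalid address is probed on every attempt."""
    def __init__(self, probe: Callable[[str], bool], clock: Callable[[], float]):
        self._probe = probe          # stands in for an SMTP RCPT TO check downstream
        self._clock = clock
        self._valid: "OrderedDict[str, float]" = OrderedDict()   # recipient -> expiry
        self.probe_count = 0         # how many times the downstream MTA was asked

    def is_valid(self, recipient: str) -> bool:
        now = self._clock()
        expiry = self._valid.get(recipient)
        if expiry is not None and expiry > now:
            return True                          # cache hit, no probe
        if expiry is not None:
            del self._valid[recipient]           # stale entry, probe again
        self.probe_count += 1
        if not self._probe(recipient):
            return False                         # negative answers are not cached
        self._valid[recipient] = now + VALID_TTL_SECONDS
        if len(self._valid) > CACHE_CAPACITY:
            self._valid.popitem(last=False)      # evict the oldest entry
        return True


class HarvestGuard:
    """Per-sender sliding one-hour window of lookup failures; trips a 4 hour block."""
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, sender: str) -> bool:
        return self._blocked_until.get(sender, 0.0) > self._clock()

    def record_failure(self, sender: str) -> None:
        now = self._clock()
        window = self._failures.setdefault(sender, deque())
        window.append(now)
        while window and window[0] <= now - HARVEST_WINDOW_SECONDS:
            window.popleft()                     # forget failures older than an hour
        if len(window) > HARVEST_FAILURE_LIMIT:
            self._blocked_until[sender] = now + HARVEST_BLOCK_SECONDS
            window.clear()


def rcpt_decision(sender: str, recipient: str,
                  validator: RecipientValidator, guard: HarvestGuard) -> str:
    """Outcome for one RCPT TO: 'blocked' (sender under DHAP penalty), 'accept' or 'reject'."""
    if guard.is_blocked(sender):
        return "blocked"
    if validator.is_valid(recipient):
        return "accept"
    guard.record_failure(sender)
    return "reject"


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: cache hit, TTL expiry, then a harvesting sender."""
    clock = ManualClock()
    directory = {"alice@example.com", "bob@example.com"}     # constructed recipient list
    validator = RecipientValidator(lambda rcpt: rcpt in directory, clock)
    guard = HarvestGuard(clock)
    out: Dict[str, object] = {}
    out["first"] = rcpt_decision("mta.example.net", "alice@example.com", validator, guard)
    out["second"] = rcpt_decision("mta.example.net", "alice@example.com", validator, guard)
    out["probes_after_hit"] = validator.probe_count          # still 1: served from cache
    clock.now = 61.0                                          # past the 60 s TTL
    rcpt_decision("mta.example.net", "alice@example.com", validator, guard)
    out["probes_after_expiry"] = validator.probe_count        # 2: re-probed
    for i in range(HARVEST_FAILURE_LIMIT):                    # 100 failures: still tolerated
        rcpt_decision("harvester.example.net", f"user{i}@example.com", validator, guard)
    out["blocked_at_limit"] = guard.is_blocked("harvester.example.net")
    rcpt_decision("harvester.example.net", "user100@example.com", validator, guard)
    out["blocked_over_limit"] = guard.is_blocked("harvester.example.net")
    out["penalised"] = rcpt_decision("harvester.example.net", "alice@example.com", validator, guard)
    clock.now += HARVEST_BLOCK_SECONDS + 1                    # 4 hours later
    out["blocked_after_penalty"] = guard.is_blocked("harvester.example.net")
    return out
```

    Only positive answers are cached, which is what keeps a harvesting host from learning anything from the cache: every invalid address still costs a probe and still counts against the sender's one-hour window.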

     

     

    Can directory harvest protection be disabled for trusted hosts?

    There is no granular bypass for DHAP, but accept rules can be configured on the ETP portal to bypass RBL/DHAP/SPF/DKIM/DMARC.

    What is the MTA queue size?

    The MTA queue size is not currently set, but it can be capped at a custom value for each customer by submitting a service ticket.

    What is the maximum size of messages that can be scanned for AV/AS and MVX analysis? What happens if a message is too large?

    The maximum size for both AV/AS and MVX analysis is 35MB by default. If a message is larger than the maximum, it will pass unchecked by MVX. This maximum size can be changed by raising a support ticket.

    What is the maximum time required to scan a message? What happens if analysis takes too long?

    On average, MVX analysis takes no longer than 5 minutes to complete. Customers using ETP AV/AS should expect results for commodity malware/spam analysis much sooner than 5 minutes. MVX message analysis times out at 10 minutes. If the message has not completed scanning after 10 minutes, ETP will take a fail-open approach and send the message. Scanning does not continue in the background if the message is sent with an incomplete scan.
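    The scan order, release path, size bypass and timeout fail-open described in the quarantine, maximum-size and maximum-time answers above, modelled as an added Python example (not FireEye code). The engines are injected callables and the sample engines key on the message id, so only the dispatch decisions are real; unscanned_deliveries shows the check a defender would run over the resulting verdicts to find mail that reached users without a completed MVX analysis. The 35 MB limit is assumed here to mean binary megabytes.

```python
"""Inline scan dispatch with the FAQ's bypass and fail-open rules (added example, not FireEye code).

Order modelled from the FAQ: policy/AV/AS first (when that optional bundle is
enabled), then MVX; a message the admin releases from the AV/AS quarantine goes
on to MVX and can be quarantined again; a message over the default 35 MB limit
passes MVX unchecked; an MVX analysis that exceeds 10 minutes fails open. The
engines are injected callables; the sample engines below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_SCAN_BYTES = 35 * 1024 * 1024   # default AV/AS and MVX size limit (binary MB assumed)
MVX_TIMEOUT_SECONDS = 10 * 60       # MVX analysis times out at 10 minutes


@dataclass
class Message:
    msg_id: str
    size_bytes: int
    released_by_admin: bool = False   # True on the second pass after a quarantine release


@dataclass
class Verdict:
    action: str            # "deliver" or "quarantine"
    reason: str
    mvx_completed: bool    # False whenever MVX was bypassed or timed out
    audit: List[str] = field(default_factory=list)


# Engine contracts (assumptions for this example): the AV/AS engine returns None
# when clean, otherwise a short reason; MVX returns (verdict, seconds_taken).
AvAsEngine = Callable[[Message], Optional[str]]
MvxEngine = Callable[[Message], Tuple[str, float]]


def run_pipeline(msg: Message, avas: Optional[AvAsEngine], mvx: MvxEngine) -> Verdict:
    audit = [f"{msg.msg_id}: received, {msg.size_bytes} bytes"]
    if msg.size_bytes > MAX_SCAN_BYTES:
        audit.append("over size limit: delivered without analysis")
        return Verdict("deliver", "oversize_bypass", False, audit)
    if avas is not None and not msg.released_by_admin:
        reason = avas(msg)
        if reason:
            audit.append(f"AV/AS hit ({reason}): quarantined before MVX")
            return Verdict("quarantine", reason, False, audit)
    verdict, seconds = mvx(msg)
    if seconds > MVX_TIMEOUT_SECONDS:
        audit.append("MVX timeout: fail open, delivered with incomplete scan")
        return Verdict("deliver", "mvx_timeout", False, audit)
    if verdict == "malicious":
        audit.append("MVX verdict malicious: quarantined")
        return Verdict("quarantine", "mvx_malicious", True, audit)
    audit.append("MVX verdict clean: delivered")
    return Verdict("deliver", "clean", True, audit)


def unscanned_deliveries(verdicts: List[Verdict]) -> List[str]:
    """Defender check: the reason for every delivery that never completed MVX analysis."""
    return [v.reason for v in verdicts if v.action == "deliver" and not v.mvx_completed]


# Constructed sample engines keyed on the message id; real engines inspect content.
def sample_avas(msg: Message) -> Optional[str]:
    return "spam" if "spam" in msg.msg_id else None


def sample_mvx(msg: Message) -> Tuple[str, float]:
    if "slow" in msg.msg_id:
        return ("clean", 700.0)          # exceeds the 10 minute budget
    if "mal" in msg.msg_id:
        return ("malicious", 120.0)
    return ("clean", 30.0)


def demo() -> List[Verdict]:
    """Constructed cases: spam, released spam that MVX then catches, clean, oversize, timeout."""
    cases = [
        Message("spam-1", 2_000),
        Message("spam-mal-2", 2_000, released_by_admin=True),   # admin release; MVX re-quarantines
        Message("clean-3", 2_000),
        Message("big-4", 40 * 1024 * 1024),
        Message("slow-5", 2_000),
    ]
    return [run_pipeline(m, sample_avas, sample_mvx) for m in cases]
```

    The two "deliver" verdicts with mvx_completed set to False are the ones worth alerting on: they are exactly the messages the FAQ says reach the user without an MVX result, and the audit trail records why.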

     

     

    Can ETP Cloud enforce TLS?

    ETP Cloud has the ability to enforce TLS. If TLS is required, connections without TLS will be dropped. This is only recommended in inline mode with transport rules (only available for Microsoft email/hygiene products) and with no AV/AS, to ensure the upstream MTA is pointing to the ETP server. There is currently no support for certificate validation; ETP Cloud only provides encryption between the two gateways (MTA and ETP Cloud). If TLS enforcement is not enabled, opportunistic TLS will be used, and if TLS cannot be established, plain text will be used. This option is available for both inline and BCC mode.

    Can max message size be defined by the admin on the ETP Cloud portal for policy management? (e.g. "quarantine all messages above 30MB")

    Currently, the maximum message size can only be changed on the back end through a support ticket. Policies based on message size are currently not supported.

    Does ETP Cloud support SPF, DKIM, BATV? Can ETP Cloud protect against backscatter?

    ETP Cloud supports SPF, DKIM, and DMARC, and uses the AS engines to block backscatter. If a message fails SPF, DKIM, or DMARC, the email will not be accepted by ETP, and the failure will be logged in the message trace on the portal. BATV is currently not supported, but will come with outbound email support on the roadmap.

    Does ETP support any type of encryption?

    The only encryption support ETP offers is the same encrypted file attachment support as on the EX (e.g. examining the email body for the password of the attachment, etc.).

    How many levels deep can ETP inspect archived files?

    As with the on-premise EX, ETP can scan up to 10 levels of archived files.

    Licensing & Cost

    What is ETP licensing based on?

    Licensing is based on mailbox count. Shared mailboxes are counted as single mailboxes. Distribution lists are not counted, but each recipient on a distribution list is counted individually.

    Is AV/AS an additional license for ETP or included by default?

    AV/AS is available as an optional bundle.

    What is the pricing?

    Email Threat Prevention is priced on a per user mailbox per year basis. For example:

    • For a 500 user mailbox company, pricing starts at $xx.xx/user/year
    • For a 750 user mailbox company, pricing starts at $xx.xx/user/year
    • For a 1,000 user mailbox company, pricing starts at $xx.xx/user/year
    • For a 2,000 user mailbox company, pricing starts at $xx.xx/user/year

    Please see your local FireEye Sales representative for current offerings and prices.