Selecting Enterprise Email Security: Introduction
By Mike Rothman
It’s 2019, and we’re revisiting email security. Wait; what? Did we step out of a time machine and end up in 2006? Don’t worry – you didn’t lose the past 13 years in a cloud of malware (see what we did there?). But before we discuss the current state of email security, we thought we should revisit what we wrote in our 2012 RSA Guide about email security.
We thought we were long past the anti-spam discussion; isn’t that problem solved already? Apparently not. Spam still exists, that’s for sure, but any given vendor’s efficiency varies from 98% to 99.9% effective on any given week. Just ask them. Being firm believers in Mr. Market, clearly there is enough of an opportunity to displace incumbents, as we’ve seen new vendors emerge to provide new solutions, and established vendors to blend their detection techniques to improve effectiveness. There is a lot of money spent specifically for spam protection, and it’s a visceral issue that remains high profile when it breaks, thus it’s easy to get budget. Couple that with some public breaches from targeted phishing attacks or malware infections through email, and anti-spam takes on a new focus. Again.
To be clear, that was seven years ago. The more things change, the more they stay the same. We, as an industry, still struggle with protecting email – which remains the number one attack vector. That’s some staying power! We can be a little tongue-in-cheek here, but it underlies a continued problem that seems to defy a solution – employees. Email users remain the weakest link, clicking all sorts of stuff they shouldn’t. Over and over again.
You’ve probably increased your investment in security awareness training, as it seems most enterprises are moving in that direction. We recently wrote a paper on Making an Impact with Security Awareness Training to cover that very topic. So check that out. In this series, Selecting Enterprise Email Security, we’re going to hit on the technologies and how to evaluate them to protect your email.
Before we get into that, let’s first thank our initial licensee, Mimecast, who has graciously agreed to potentially license this report at the end of the project. Remember, you benefit by gaining access to our research, gratis, because folks like Mimecast understand the importance of educating the industry.
We can joke a bit about the Groundhog Day nature of email security, but let’s acknowledge that the industry’s made progress. Email providers (including Microsoft and Google) take security far more seriously, bundling detection capabilities into their base email SaaS offerings. Those capabilities are not the best (we’ll dig into that later in this series), but we prefer even mediocre built-in security to none at all.
The arms race of detecting email-borne threats continues, with security vendors making significant investments in complementary technologies (such as malware analysis and security awareness training), purpose-built phishing solutions emerging, and a focus on threat intelligence to help the industry learn from common attacks.
As in many other aspects of security, the emergence of better and more accurate analytics has improved detection. Security vendors have access to billions and billions of both good and bad emails to train machine learning engines, and they have. All the major companies hire as many data scientists as they can find to continually refine detection. We’ll dig into how to figure out which detection capabilities make an impact (and which don’t) in our next post.
Unfortunately it turns out adversaries aren’t standing still either. They continue to advance phishing techniques, especially for campaigns which last hours rather than days. They hit fast and hard, and then their phishing sites are taken down. Financial fraudsters have automated many of their processes and packaged them up into easily accessible phishing kits to keep overwhelming defenders.
We also see new attacks, like BEC (Business Email Compromise), where attackers spoof an internal email address to impersonate a senior executive (perhaps the CFO) requesting a lower-level employee transfer money to a random bank account. And unfortunately far too many employees fall for the ruse, assuming what looks like an internal email is legit.
And that’s not all. We see continued innovation in both defeating endpoint defenses (even fancy new next-generation AV products) and preying on the gullibility of employees with social engineering attacks. So your email system is still a major delivery vehicle for attacks, whether you run it in your data center or someone else’s.
That means we need to make sure your email security platform can protect your environment. We’ll go through the latest technological advancements, and define selection criteria to drive your evaluation of enterprise email security solutions. We’ll start by digging into the latest and greatest detection techniques, then walk through enterprise features needed to scale up email security. Finally we’ll wrap up by providing perspective on procurement, including how to most effectively test email security services.
Again, thanks to Mimecast for licensing this content so you can be brought up to date on the latest and greatest in email security.