Posted under: Research and Analysis
It’s 2019, and we’re revisiting email security. Wait; what? Did we step out of the time machine and end up in 2006? Don’t worry; you didn’t lose the past 13 years in a cloud of malware (do you see what we did there?). But before we provide a current state of email security, we thought we should revisit what we wrote in our 2012 RSA Guide about email security.
We thought we were long past the anti-spam discussion, isn’t that problem solved already? Apparently not. Spam still exists, that’s for sure, but any given vendor’s efficiency varies from 98% to 99.9% effective on any given week. Just ask them. Being firm believers in Mr. Market, clearly there is enough of an opportunity to displace incumbents, as we’ve seen new vendors emerge to provide new solutions, and established vendors to blend their detection techniques to improve effectiveness. There is a lot of money spent specifically for spam protection, and it’s a visceral issue that remains high profile when it breaks, thus it’s easy to get budget. Couple that with some public breaches from targeted phishing attacks or malware infections through email, and anti-spam takes on a new focus. Again.
To be clear, that was seven years ago. The more things change, the more they stay the same. We, as an industry, still struggle with protecting email and it remains the number one attack vector. Now that’s some staying power! We can be a little tongue in cheek here, but it underlies a continued problem that seems to defy a solution – your employees. Email users remain the weakest link, clicking on all sorts of stuff they shouldn’t. Over and over again.
You’ve probably increased your investment in security awareness training, as it seems most enterprises are moving in that direction. We recently wrote a paper titled Making an Impact with Security Awareness Training to cover that very topic. So check that out. In this series, Selecting Enterprise Email Security, we’re going to hit on the technologies and how to evaluate them, so you can use to protect your email.
Before we get into that, let’s first thank our initial licensee, Mimecast, who has graciously agreed to potentially license this report at the end of the project. Remember, you get to benefit by gaining access to our research, gratis, because folks like Mimecast understand the importance of educating the industry.
We can joke a bit about the Groundhog Day reality of email security, but let’s be clear that the industry’s made progress. The email providers (like Microsoft and Google) take security far more seriously, bundling detection capabilities into their base email SaaS offerings. Although not the best (and we’ll dig into that later in the series), we prefer having even mediocre security built-in rather than not at all.
The arms race of detecting email-borne threats continues, with security vendors making significant investments in complementary technologies (like malware analysis and security awareness training), purpose-built phishing solutions emerging, and a focus on threat intelligence to make sure the industry learns from common attacks.
Similar to many other aspects of security, the emergence of better and more accurate analytics has also improved detection. Security vendors have access to billions and billions of both good and bad emails to train their machine learning engines, and they have. All of the major companies hire as many data scientists as they can find to refine their detection methods continually. We’ll dig into how to figure out what detection capabilities make an impact (and which don’t) in the next post.
It turns out the adversaries aren’t standing still either. They continue to advance their phishing techniques, especially when their campaigns now last hours, not days. They hit fast, and they hit hard, and then their phishing site is taken down. The financial fraudsters have automated many of their processes and packaged them up into easily accessible phishing kits to continue to overwhelm the ability of defenders to keep up.
We also see new attacks, like BEC (Business Email Compromise), where the attackers spoof an internal email address to make it seem like a senior executive (like the CFO) is requesting a lower level employee to transfer a lot of money to a random bank account. And unfortunately far too many of those employees fall for the ruse, assuming what looks like an internal email is legit.
And that’s not all, we see continued innovation in both defeating endpoint defenses (even with your fancy new next-generation AV product) and preying on the gullibility of said employees with social engineering-based attacks. So your email system is still a major delivery vehicle for attacks, whether you run it in your data center or someone else’s.
That means we need to make sure your email security platform can protect your environment. We’ll go through the latest technological advancements and define some selection criteria that should drive your evaluation of enterprise email security solutions. We’ll start by digging into the latest and greatest detection techniques, and then go through the enterprise features needed to scale up your email security. Finally, we’ll wrap up the series by providing some perspectives on the procurement process including how to most effectively test email security services.
Again, thanks to Mimecast for licensing this content so that you can be brought up to date on the latest and greatest in the email security world.
*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by [email protected] (Securosis). Read the original post at: http://securosis.com/blog/selecting-enterprise-email-security-introduction