How do we help the black sheep into a secure environment?
Why is email security such a critical issue?
Across published reports, email is consistently the number one attack vector; the figures vary, but it is involved in around 85-95% of all attacks.
Why is that? First of all, we cannot decide which sender sends us an email or with what intention. Furthermore, the recipient, i.e. usually the user, has primary control over the medium. Even if they have been made aware of the risks and are expected to follow established rules, they have considerably more room for manoeuvre than in other areas and services.
Beyond the technical measures, it is primarily the individual who decides, at their own discretion, how to handle a message. Phishing emails, for example, routinely obtain confidential information this way.
From the perspective of those responsible for security, email is a “horror”.
Not least because each individual email account must be seen as a “door” into the company network.
The current state of security precautions: sufficient security or staff overload?
What do we see? Many of our customers already have good solutions in place that protect the on-premise environment or the mail server in the cloud. In some cases, even after a cloud migration, on-premise appliances, so-called secure email gateways, are still in use. They do fulfil their purpose, but sometimes introduce a detour (mail is routed from the cloud to the on-premise appliance and then back to the cloud).
If these solutions are operated by the customers themselves, we often observe that the systems are neglected because the focus is on the cloud administration of the mail servers. Configuration errors or a softening of the rule set often occur when the admin team is hopelessly overloaded, and the daily system and quarantine check is skipped when everyday work prioritises other issues.
If you find yourself here … you are not alone.
The good news: there are solutions to the overload and other challenges
Modern email security solutions address many of the problems mentioned. On the one hand, they rely on AI, of course, and on the other, they are usually provided as a cloud solution.
As with many other security solutions, e.g. EDR, detection quality scales with the quantity of data: the more analysable and correlatable data is available, the better the AI results.
The solutions we know from customer projects, usually offered under the term “email security solution”, differ significantly.
Both in terms of content, i.e. the scope of the solution and its features, and commercially, we see opportunities but also pitfalls in the selection.
For example, the selection of a suitable process architecture is essential. Some providers are very flexible and offer both inline processing and API/journaling methods to assist the mail server with security features.
With inline processing, as the name suggests, mail is handled sequentially: the MX record of the domain points to the provider’s infrastructure, and incoming mail first passes through the provider’s security stack before being forwarded to the customer’s mail server.
With the API/journaling method, processing takes place in parallel, either by accessing mail on the mail server via API or, as with some archiving tools, by forwarding a copy of each mail (journaling) to the provider’s security stack. Some providers combine both approaches into hybrid models.
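As an added example (not from the article), a check a defender can run on messages arriving at the mail server once an inline gateway is in place: because the MX record routes all inbound mail through the provider, every message should reach the customer’s server from the gateway, and only the Received hop written by the customer’s own server can be trusted for that verdict. All hostnames are placeholders.

```python
import re
from email import policy
from email.parser import BytesParser

# Placeholder hostnames (assumptions for this example, not taken from the article).
OWN_MTA = "mail.customer.test"                # the customer's mail server
GATEWAY_SUFFIX = ".mx.example-gateway.test"   # the inline provider's relays

# "from <host> ... by <host>" as an MTA writes it into a Received header.
HOP_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+).*?\bby\s+([A-Za-z0-9.-]+)",
                    re.IGNORECASE | re.DOTALL)

def received_hops(raw: bytes) -> list:
    """Return (from_host, by_host) for each Received header, newest first."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def delivered_via_gateway(raw: bytes, own_mta: str = OWN_MTA,
                          gateway_suffix: str = GATEWAY_SUFFIX) -> bool:
    """True only if the hop recorded by our own MTA came from the gateway.
    Lower Received lines were written by other parties and are not trusted:
    an inline design only works if our MTA never accepts mail that skipped it."""
    for from_host, by_host in received_hops(raw):
        if by_host == own_mta:
            return from_host.endswith(gateway_suffix)
    return False  # our MTA wrote no hop: the path cannot be confirmed

# Constructed sample: normal inline delivery (sender -> gateway -> our MTA).
VIA_GATEWAY = b"""Received: from relay1.mx.example-gateway.test (10.0.0.5)
 by mail.customer.test with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Received: from sender.example.test (203.0.113.7)
 by relay1.mx.example-gateway.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
"""

# Constructed sample: mail that reached our MTA directly; the lower Received
# line arrived with the message itself and is ignored by the check above.
DIRECT = b"""Received: from sender.example.test (203.0.113.7)
 by mail.customer.test with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from sender.example.test
 by relay9.mx.example-gateway.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
"""
```

Messages for which the check returns False indicate that the mail server is reachable without passing the gateway, which is what the firewall or connector configuration of an inline deployment should rule out.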
The architecture usually determines which features are possible in addition to the security features themselves. Failover, data retention and long-term archiving are requirements that today serve as a second availability layer alongside the mail server and its primary backup concept. In addition, some solutions offer integrated encryption and key management with modern techniques such as rule-based encryption.
Why bother with email security?
The main motivation is, of course, to avoid incidents through the highest detection quality with the lowest false positive rates and low operating costs. Many solutions already do a good job here, but, as with EDR, it is difficult for the customer to evaluate their effectiveness. However, there are providers who enable free test phases and thus allow testing in parallel or in addition to the current solution.
In this way, it is possible to simulate how the new solution would have dealt with the emails and which threats the old solution may have overlooked.
Modern solutions rely on several malware engines, sandboxing and AI to recognise fraudulent content. Processing and detection go so far that some providers, for example, re-check links already recorded in their database on a recurring basis, so that a URL whose target is changed after delivery is recognised and can be acted upon. The same applies to senders or entire domains whose reputation changes later. Such post-delivery measures are essential, as attackers develop sophisticated methods to circumvent the static detection of older-generation solutions.
We always recommend evaluating the user and admin interfaces of the shortlisted solutions in a demo and, if possible, a PoC. Besides the look and feel and the menu logic, the options for rule templates and automation deserve a closer look. Reducing the admins’ workload should be a key criterion.
What is our conclusion?
We recommend that our customers pay particular attention to email security. Where, if not at the top attack vector, should layered security play an essential role? Products that protect online mail servers, such as the tools of the Defender for Office plans in the Microsoft ecosystem, can be supplemented by additional solutions that form a second barrier (API/journaling-based solutions). Conversely, an upstream inline email solution, for example a cloud-based email gateway with multi-level malware scanning and sandboxing, can strengthen the integrated protection of the mail server environment.
In our view, it is essential to analyse the individual requirements in detail in order to find the most suitable solution.
CyberCompare supports you with established methodology and project experience