The creativity of attackers continues unabated in their attempts to lure your users into providing access to critical assets. Vishing and smishing have joined the phishing family as popular methods for baited attempts to steal credentials or deliver malicious links. Vishing (voice phishing) attacks use phone calls to the intended victims, while smishing uses SMS/text messaging.
While these newer tactics are certainly ones you should be aware of and prepared to guard against, email phishing remains the top risk vector and 94% of malware is delivered by email.
The rapid rise in remote work makes this an even more viable method for attackers. As workers move beyond the corporate perimeter, establishing an email security program should be a top priority.
Setting up that strategy requires a number of elements, including threat prevention, end-user education, selecting a technology partner and monitoring your email security program to consistently deliver to your strategy. Among the most crucial components should be selecting an email hygiene and security platform. Working with an experienced, trusted technology partner can help you evaluate and compare the available solutions.
7 Essentials for email hygiene and security platforms
Taken at a surface-level, available email security platforms can seem to be a one-and-the-same proposition. But, before you select one, take a deeper look under the hood to ensure that you are getting these fundamental features.
In addition to mailbox continuity, archiving and additional adjacent technologies, your solution should cover these seven essential areas:
- Inbound email hygiene
- Inbound email threat protection
- Email threat detection and response
- Internal email threat protection
- Outbound email hygiene
- Outbound email DLP and encryption
- Email end-user services
1. Inbound hygiene
Email hygiene is seen as a commodity capability for email security platforms, but choose a platform that does this function poorly and it can lead to lost productivity, user frustration and wasted time in your SOC. Because it is seen as basic, there will be little focus on it from the provider. Understanding a particular solution’s capabilities might require consulting the “owner’s manual.” Press those vendors under consideration for more than passing mentions to what their solution provides in this area.
Their inbound email hygiene offering should include fundamental controls such as recipient validation, volume and connection rate controls, file type controls, and definitions to detect spam, bulk and adult messages based on sender details and message contents.
Inbound email hygiene should also be tied to end-user services. Users who are empowered to block, allow, white list and report messages can play an integral role in your overall email security success.
It might not rate a high level of importance in the day-to-day evaluation of your email security program, but its absence would be immediately noticed.
2. Inbound threat protection
In today’s threat landscape, email threat prevention success serves to differentiate certain providers from their competition. You should expect to see broad protection from the following threats:
- Known viruses
- Hybrid threats that include URLs in attachments, URLs that lead to files, etc.
Of these, addressing impersonation is among the most important. Designed to look like it came from a legitimate sender, impersonation attacks were up 30% in the first half of 2020 as attackers took advantage of the larger attack vector created by the increase in remote workers.
Impersonation is at the heart of most email attacks, including business and vendor email compromise (BEC and VEC), credential phishing, and the distribution of viruses and malware. Relying on social engineering, impersonation consistently takes the winner’s circle over other methods. Impersonation has the highest success rate when it comes to eliciting a user response. User actions include clicking a URL link, downloading an attachment, enabling a macro, or even wiring money to an account.
Impersonation detection is the most important capability that your email security provider should deliver. These threats range from domain spoofing to impersonating known contacts. Ensure that your email security provider can detect the following impersonation use cases through envelope, header, display and text analysis:
3. Threat detection and response
Even with the best of intentions and ongoing efforts for improved results—including developing spam definitions, participating in threat intel-sharing communities, using honeypots and sensors across the internet, analyzing malware and phishing attempts, and identifying and adjusting to new threat tactics—no email security provider is perfect at preventing all unwanted and malicious email from landing in the inbox.
Place priority on solutions that provide recursive analysis of delivered email. You should look for a solution that uses threat intel updates provided regularly by the vendor and that allows you to integrate threat information you receive from additional sources, such as a digital risk provider or open source threat intelligence. This analysis process should include notification when a delivered message is found to be weaponized or malicious, and the ability to either automatically or manually take action.
Solutions with automated features to purge delivered messages from users’ inboxes should also allow for easy, manual search-and-destroy capabilities. This feature can be especially valuable as part of your organization’s threat-hunting program. The automated capabilities should include spam, URL, attachment, impersonation, hybrid and user-submitted messages.
4. Internal threat protection (email analysis)
The digital world we live in amplifies opportunities for insider threats to damage your organization, whether done mistakenly or maliciously.
Insider threats take one of three forms:
- mistake-makers who fall prey to a phishing attempt
- malicious insiders who use and abuse their current access with the intent to cause harm or loss
- imposters who have gained access through dishonest means
It’s important to include internal threat protection as part of your overall email security strategy and as an essential capability required of your email security platform. The impact of a breach from the inside is among the most damaging, often because the threat is not immediately recognized and goes undetected for an extended time. On average, the time from incident to detection is over two months according to a recent Ponemon Institute study.
Desirable solutions should have the ability to analyze internal email communications for spam, unwanted content and inappropriate content, and threats. Ideally, you should look for a solution that delivers internal email threat protection via API. This approach is faster and less expensive, and it provides analysis in seconds. API solutions are also less complex to configure and manage than those leveraging journaling, blind carbon copy (BCC) or some other approach which can take minutes to analyze and can add a layer of risk if the email is sent externally for that analysis.
5. Outbound hygiene
Outbound hygiene is seen as a basic function, with features that include the assessment of outbound messages to detect known spam and threats, and the management of pushed messaging characteristics such as disclaimers and intended recipients.
With the right use of these features, outbound controls can help you discover instances of account compromise or other suspicious user behavior. Your selected platform should be able to detect and alert on users who have started to send large volumes of outbound email, including bulk messages. This activity can be an indicator of compromise.
6. Outbound data loss protection (DLP) and encryption
Effective DLP strategies for email are intertwined with encryption. DLP controls help ensure that emails containing sensitive, confidential content cannot be shared through email unless the appropriate encryption is in place. DLP and encryption may be available with your security platform through additional subscriptions or licensing, or they may require an additional integrated solution.
Your selected email DLP provider should use smart identifiers—pre-defined expressions—for specific data types such as financial information, personal information and banking information. These identifiers should be combined with the presence of specific language from the email and further understood through proximity analysis (for example, a Social Security number is found within 20 characters of the term Social Security number).
These providers should also allow for optical character recognition (OCR) and exact data matching (EDM). OCR will allow scans and other images to be analyzed for sensitive content and EDM will enable organizations to treat information such as credit cards and account numbers that are specifically tied to the organization to be treated differently than general violations. General credit card information doesn’t carry the risk of actual credit card numbers.
Volume controls used with DLP rules can help detect account compromise or insider threats. For example, if it’s normal behavior for a user to include one or two Social Security numbers in an email, the email can be encrypted and allowed. If a user attempts to send more than the accepted number, that communication can be prevented from sending.
Encryption should be available in both a push and pull format and transport layer security (TLS) should generally be used in any email that is sent. Push encryption is when an email containing sensitive content is saved as a file, encrypted and sent as an attachment with instructions for access. Pull encryption is when an email is routed to a secure inbox to which the recipient can authenticate, view the message and reply as needed. Whichever method is used (push or pull), multi-factor authentication—even just an SMS code—should be available to further control access.
An encryption provider should also provide post-delivery controls that dictate access duration, available message actions (forward, download, etc.) and the ability to retract or disable message access.
7. End-user services
While the human element is the largest threat vector for email, people can also be enlisted to help in the fight for safer, more secure email. Training and empowerment gives users the tools they need to work in alignment with the organization’s security goals. Provide your users with a mechanism to report suspicious emails, manage their individual safe and block senders lists, and a way to review and release non-malicious messages marked as spam and blocked from delivery.
Most providers offer an email digest and a web portal where users can see blocked messages and manage their safe and block list. Some providers also provide a mobile app to deliver these services.
Two aapproaches to delivering email security
The solution areas listed here exist because of the different points of risk that need to be addressed. These solutions are now being delivered by two different approaches—secure email gateway (SEG) which has been the industry standard for years, and API which is emerging in the market.
Secure email gateway (SEG)
The providers of legacy SEG solutions are familiar names in the industry. They’ve been around for years and generally meet most of the requirements listed above. One disadvantage of legacy SEG solutions can be that they are weighed down by the baggage of years of defunct code, technical debt, tens of thousands of definitions for spam and ham (generally marketing-type messages from senders you have approved), constant efforts to strike a balance between block rate and false positives, and acquisition and integration efforts to expand into new markets. Most importantly, with little exception, legacy SEG providers struggle to comprehensively address impersonation.
API providers are more recent to the industry and less recognized. Most API solutions use data science techniques to detect the many different forms of impersonation, offering improved results over legacy SEGs. These techniques track a number of different behaviors of external and internal senders to identify anomalies. Many of these solutions can also serve a function that is similar to endpoint detection and response (EDR) function for the inbox—residing in the inbox to analyze messages at the moment they are received, and purging malicious messages the moment they are delivered. Some of these solutions also integrate into platforms like Office 365 via transport rule, performing analysis prior to message delivery, rather than the EDR-at-the-inbox use case.
Beyond impersonation, API providers are also uniquely positioned relative to legacy SEG solutions to better address threat detection and response, and internal threat protection use cases. API solutions fall behind legacy SEG solutions in their less robust inbound and outbound hygiene, DLP and encryption, and end-user services capabilities.
Legacy SEG and API together are the most secure strategy
Rather than being a question of a legacy SEG solution or a newer API approach, the most successful email security strategy uses both solutions in tandem.
If vendor consolidation trends continue, it is likely that API solutions and vendors will be acquired by, and integrated into, legacy SEG providers, and then those ultimately integrated into secure web gateways (SWGs) and secure access service edge (SASE) solutions. Until then, leveraging the power of both legacy SEG and API solutions that deliver on the essentials listed above will provide the best email security strategy outcomes.