95% of organizations utilize email as the primary form of communication in today’s modern and transformative business world. With email prevalent in almost all business, for both internal and external communications, adversaries have developed attacks that abuse email to deliver payloads or gain initial access to the victim. According to the 2022 Verizon DBIR report, email is the second most utilized action vector in data breaches, and phishing was in the top five action varieties used in data breaches. This has been a recurring theme, which makes it imperative that email be secured in the same manner as the rest of the organizational environment.
Native Email Security is Not Enough
Most email providers offer a base level of security features in their products. This native protection includes basic levels of encryption, blocking of known bad actors, spam filtering, some attachment scanning, and a few other capabilities that focus on signature-based protection. However, attackers have developed attack patterns that circumvent these protections and make them unreliable in defending an organization’s email environment. It is necessary to implement the additional security features offered by Secure Email Gateway (SEG) and/or Integrated Cloud Email Security (ICES) vendors to stay ahead of these complex attacks and effectively protect against them.
What are the Major Threats Facing Email?
Email threats are either direct attacks or the initial access point for more complex attack patterns. Threats come in all shapes and sizes, and most attacks look exactly like legitimate email traffic. Major email threats currently in use include phishing and all of its sub-categories, spam, malware delivery, brand impersonation, scams, and more. These threats use advanced methods that circumvent the security measures offered by email services and leave organizations at risk of compromise.
It only takes one click on a link, or one response to an email sent by a malicious actor, to begin a chain of attack that may lead to severe damage to an organization. Malware delivered through attachments or links can infect an endpoint and then spread laterally through the organization. Another example is a Business Email Compromise (BEC) message asking to change the routing information for company funds, leading to a quick payday for the attacker and a financial loss for the victim. In response to these fast-moving attacks, two types of email security have come into the market: SEGs and ICES vendors.
SEG – The Traditional Secure Email Gateway
A Secure Email Gateway sits inline in an email’s delivery path (usually by changing the domain’s Mail Exchange (MX) record), so every message passes through the security engine before making its way to the end user’s inbox. These security engines deliver spam and graymail filtering, phishing protection, attachment scanning and sandboxing, and other security functionality. Some advanced SEGs provide internal email scanning, data loss prevention capabilities, and stronger encryption standards for email.
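Because the SEG is inline only by virtue of the MX records, a practical check is to confirm that every MX host for the domain, including low-priority fallbacks, belongs to the gateway; any record that still points at the mail platform directly is a delivery path that skips the scanning engine. The script below is an added example, not code from the article or from any vendor: it parses a constructed dig-style MX answer and reports hosts outside the gateway. The domain names and the GATEWAY_SUFFIXES value are placeholders to be replaced with the SEG vendor’s real MX hostnames.

```python
"""Check that every MX record for a domain points at the Secure Email Gateway.

Added example, not the article's code. Zone data and hostnames are constructed;
GATEWAY_SUFFIXES is a hypothetical vendor domain to be replaced in practice.
"""
from dataclasses import dataclass

# Constructed dig-style answer section for a fictitious domain. The third,
# low-priority record still points at the mail platform itself, which is the
# misconfiguration this check is meant to surface.
SAMPLE_MX_ANSWER = """
example.test.   3600  IN  MX  10 mx1.seg-vendor.test.
example.test.   3600  IN  MX  20 mx2.seg-vendor.test.
example.test.   3600  IN  MX  50 example-test.mail.protection.tenant.test.
"""

# Hostname suffixes that belong to the gateway (hypothetical vendor domain).
GATEWAY_SUFFIXES = ("seg-vendor.test",)


@dataclass(frozen=True)
class MxRecord:
    priority: int
    host: str


def parse_mx_answer(text: str) -> list[MxRecord]:
    """Parse 'owner ttl IN MX prio host' lines into MxRecord objects, lowest priority first."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and anything that is not an MX answer line.
        if len(fields) < 6 or fields[3].upper() != "MX":
            continue
        host = fields[5].rstrip(".").lower()
        records.append(MxRecord(priority=int(fields[4]), host=host))
    return sorted(records, key=lambda r: r.priority)


def is_gateway_host(host: str, suffixes=GATEWAY_SUFFIXES) -> bool:
    """True if host is one of the gateway domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def check_mx_routing(records, suffixes=GATEWAY_SUFFIXES) -> dict:
    """Report whether the gateway is truly inline for this set of MX records.

    The SEG is inline only if every MX host belongs to the gateway. A record
    that points elsewhere, whatever its priority, is a path around the scan.
    """
    bypass = [r.host for r in records if not is_gateway_host(r.host, suffixes)]
    return {"inline": bool(records) and not bypass, "bypass_hosts": bypass}


if __name__ == "__main__":
    recs = parse_mx_answer(SAMPLE_MX_ANSWER)
    for r in recs:
        print(f"{r.priority:>3}  {r.host}  {'gateway' if is_gateway_host(r.host) else 'BYPASS'}")
    print(check_mx_routing(recs))
```

Pair this check with an inbound connector or firewall rule on the mail platform that accepts SMTP only from the gateway’s published IP ranges, so a stray MX record or a direct connection to the tenant cannot deliver unscanned mail.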
When purchasing a SEG, it is important to consider the desired deployment method (on-prem, cloud, or hybrid) and how it will interact with other security solutions in the environment. The deployment model can have a significant impact on the total cost of ownership, since the product must be kept up to date on both the patch management and threat intelligence fronts. Cloud-based deployments lower this cost but require trusting the vendor to maintain the product and deliver the functionality promised.
ICES – The New Wave of Email Security
Integrated Cloud Email Security (ICES) vendors offer different deployment methods depending on the vendor. They sit out of band and connect to the email server through Application Programming Interface (API) calls or a routing connector. Most often these solutions are used for post-delivery scanning of messages and offer many of the same capabilities as a SEG. One differentiator for this style of security is the use of end-user behavior analysis. These solutions build behavior baselines and alert when anomalous emails or anomalous user behavior are detected.
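The behavior-baseline idea can be shown in a few lines. The code below is an added illustration, not the article’s code or any vendor’s product logic: it learns from constructed message metadata which addresses normally use a given display name and which senders normally write to each recipient, then scores a new message on three of the signals ICES products look for, a familiar display name on a never-seen address, a first-time sender for that recipient, and a Reply-To domain that differs from the From domain. All names, addresses and domains are constructed; a real deployment would read this metadata through the mail platform’s API.

```python
"""Toy behavior baseline for post-delivery email analysis.

Added example, not the article's or any vendor's code. The message history and
the addresses in it are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    sender_name: str   # display name as shown to the recipient
    sender_addr: str   # From address
    recipient: str
    reply_to: str = "" # empty when no Reply-To header is present


# Constructed 30-day history: who normally writes to whom, under which name.
HISTORY = [
    Msg("Dana Finance", "dana@example.test", "ap@example.test"),
    Msg("Dana Finance", "dana@example.test", "ap@example.test"),
    Msg("Acme Billing", "billing@acme-supplier.test", "ap@example.test"),
    Msg("Acme Billing", "billing@acme-supplier.test", "ap@example.test"),
]


@dataclass
class Baseline:
    # display name -> addresses that have been seen using that name
    addrs_by_name: dict = field(default_factory=lambda: defaultdict(set))
    # recipient -> sender addresses that have written to that recipient
    senders_by_recipient: dict = field(default_factory=lambda: defaultdict(set))

    @classmethod
    def from_history(cls, history) -> "Baseline":
        """Learn the baseline from past messages (case-insensitive)."""
        b = cls()
        for m in history:
            b.addrs_by_name[m.sender_name.lower()].add(m.sender_addr.lower())
            b.senders_by_recipient[m.recipient.lower()].add(m.sender_addr.lower())
        return b


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def score(msg: Msg, baseline: Baseline) -> list[str]:
    """Return the anomaly reasons for one message; an empty list means it fits the baseline."""
    reasons = []
    name, addr = msg.sender_name.lower(), msg.sender_addr.lower()

    known_for_name = baseline.addrs_by_name.get(name, set())
    if known_for_name and addr not in known_for_name:
        # A familiar display name arriving from an address never seen with it:
        # the pattern behind display-name impersonation and BEC payment-change requests.
        reasons.append("display_name_new_address")

    if addr not in baseline.senders_by_recipient.get(msg.recipient.lower(), set()):
        reasons.append("first_time_sender_for_recipient")

    if msg.reply_to and domain(msg.reply_to) != domain(addr):
        # Replies would go somewhere other than the apparent sender.
        reasons.append("reply_to_domain_mismatch")

    return reasons


if __name__ == "__main__":
    baseline = Baseline.from_history(HISTORY)
    suspect = Msg("Dana Finance", "dana.finance@freemail.test", "ap@example.test",
                  reply_to="dana.finance@freemail.test")
    print(score(suspect, baseline))
```

Real products weight and combine many more signals (sending patterns over time, authentication results, link and attachment reputation), but the shape is the same: a per-organization model of normal, and alerts on deviation from it rather than on a static signature.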
There are of course considerations to be had with these vendors. Originally, these products were used as supplements to traditional SEGs and have only recently developed the functionality to be considered separate solutions. An organization looking to purchase an ICES product as a standalone solution should be vigilant in ensuring it provides the necessary protection. An additional consideration is that these solutions are cloud-only deployments, meaning the organization must have the appetite and the skill set to deploy to a cloud infrastructure.
How K logix Helps
K logix’s Technology Advisory service helps organizations make the right product investment when considering email security vendors. Our service leverages our proven methodology using a vendor-agnostic, risk-based and business-case-driven approach. The result is an analysis-backed, justified technology product investment decision.
Jared Lyons, Sr. Research and Technology Consultant, K logix