Introduction
Did you know that any organization, regardless of size and the number of in-house security personnel employed, can now automatically prevent, detect, and respond to all types of sophisticated phishing techniques in real-time? Now imagine how much time, money, and resources it could save your company and how much burden might be alleviated from your Security and IT teams.
The reality of email security today, however, is that many businesses do not yet know that such technology exists or that it is possible to replace or supplement their existing solutions with ease. Therefore, most businesses continue to rely on static secure email gateways (SEGs) or the baked-in security of email service providers, such as Office 365 and GWS. While such technologies are proven to reduce some risk, the frequency at which the email threat landscape now evolves, the high rate of micro-targeted attacks, and the speed at which threat intelligence must be consumed, have significantly reduced the effectiveness of both types of solutions.
This playbook introduces CISOs, security teams and analysts, and business decision-makers to the seven essentials of a modern email security platform while providing an objective explanation as to why each essential is necessary and how they work together. At the conclusion of this paper, the reader will have a greater understanding of:
- Why existing cloud and email security solutions are not built for advanced email phishing threat detection and response
- How employees can become a vital layer of detection when incorporated holistically Why the open decentralization of human intelligence is the future of email security
- The importance of a closed feedback loop between technical and nontechnical controls
- The ability to easily integrate or replace your existing email security stack, while keeping deployment seamless
The Pros & Cons of Traditional Email Security Tools
In order to fully understand why there must be seven essentials of a modern email security platform, one must first understand the pros and cons traditional email security tools and how and why such technologies struggle with the pace at which today’s email threat landscape evolves, the high-rate of micro-targeted attacks and the speed at which threat intelligence must be consumed. While secure email gateways, awareness training, DMARC and manual incident response tools have all proven to reduce risk, each of these technologies alone only solves a small piece of what is a very large and complex email security puzzle.
- Secure Email Gateways
- Pro: Proven track record of detecting known signature-based attacks (messages containing links and attachments
- Cons: Not built to detect more targeted and sophisticated file-less attacks such as Business Email Compromise (BEC), spoofing, and impersonation. Also, once an email has landed inside of a mailbox, SEGs struggle to detect and remove the message.
- Security Awareness Training
- Pro: Great for building awareness and reducing employee click rates
- Con: Attackers now deploy social engineering techniques that bypass technical defenses, making it almost impossible for busy employees to detect or recognize as malicious.
- DMARC (Domain-based Message Authentication, Reporting and Conformance)
- Pro: Built to identify a very specific and complex type of spoofing (exact domain spoofing)
- Cons: Only works when both the sender and the receiver are compliant and the type of attack that it is built to stop, exact domain spoofing represents only a tiny subset of all email spoofing attacks
- Manual Incident Response Tools (scripts, YARA rules, signatures, search-based tools)
- Pro: Proven to “claw back” known malicious emails that have already landed in an inbox.
- Cons: Requires significant analyst time to investigate and prompt remediation when time is critical and is also inefficient at identifying and stopping polymorphic attacks
Introducing the Seven Essentials of a Modern Email Security Platform
Email phishing attacks have evolved from a mere nuisance in the early 2000s into the modern-day preferred attack vector for 9 out of 10 cyberattacks. Because of email’s inherent insecurities and with upwards of 156 million phishing emails sent every day, most organizations now recognize the need for robust email security and phishing mitigation tools to ensure business continuity and tangibly reduce risk. To mitigate the widespread risks of email phishing attacks, a modern email security platform must have these seven essentials:
- Advanced malware and phishing/URL link detection
- Mailbox-level threat detection (spoofing and impersonation protection)
- Human-centric phishing detection
- On-delivery email protection (automatic incident detection and response workflow)
- Decentralized crowdsourced intelligence (human vetted intelligence sharing)
- Closed feedback loop
- One platform, seamless deployment, and integration
ESSENTIAL # 1: Advanced Malware & Phishing URL/Link Protection
In the past, anti-malware protection such as attachment & URL scanning may have been sufficient but today attackers are using more devious and sophisticated attacks by harvesting the credentials of users through fake login pages using legitimate domains that go undetected. To detect and prevent zero-days and phishing websites that attempt to steal users’ credentials, email security must provide more than basic signature detection and blacklists. Advanced malware protection must now not only continuously inspect all inbound links and attachments but also utilize computer vision to detect in real-time visual deviations and determine whether a login page is legitimate, automatically blocking access to verified malicious URLs.
ESSENTIAL # 2: Mailbox-level Threat Detection (spoofing and impersonation protection)
Prevention technology must work in conjunction with advanced detections to identify sender impersonations, spoofing, and business email compromise (BEC) that bypass gateway security tools. Absent strong threat indicators (i.e., a oneto-one email from a legit domain to another that does not contain malware or malicious links discussing legit business activities), make blacklists and blocked email lists ineffective. To detect malicious emails with and without payloads, the technology must have the capacity to dynamically self-learn mailbox and communication habits too using machine learning. This will allow for the detection of anomalies based on both email data and metadata (content and context) to improve trust and authentication of email communications.
ESSENTIAL # 3: Human-centric Phishing Detection
Technical detection alone is not enough, as email phishing is a human and machine problem that requires a human and machine solution. However, many businesses are not investing in advanced phishing protection education that can empower employees to identify and mitigate socially engineered attacks, such as business email compromise. When layered into a holistic defense system, employees can become a vital layer of detection. By decentralizing and distributing reported incidents from employees to security teams, companies can mitigate the risk of malicious emails by working in collaboration, within the same platform. And collaboration isn’t limited to just YOUR employees: imagine having the input and value of others, including leading SOCs and other enterprise security resources.
ESSENTIAL # 4: On Delivery Email Response
No prevention and detection will stop every single phishing attack, and with time being of the essence for phishing mitigation, any email security technology must provide end-users (employees) with automated incident response and remediation across all affected mailboxes. Such technology must also be able to collect email threat data and alerts from different sources, including other SOC teams around the world and employee reports, so that incident analysis and triage can be performed automatically to improve efficiency. This helps to streamline responses according to a standard workflow while making it quick and easy for security analysts to classify reported email incidents at the click of a button.
ESSENTIAL # 5: Decentralized and Actionable Crowdsourced Intelligence
Decentralized intelligence sharing within a platform that is actionable through automation, empowers organizations to proactively prepare for trending email phishing attacks. By leveraging an entire virtual global analyst community, decentralization of intelligence sharing can also help businesses utilize data to prepare for what the next attack will look like and to proactively prevent similar or trending attacks from infiltrating or repeating attacks from occurring. This virtual SOC model exponentially improves as the global analyst community grows.
ESSENTIAL # 6: Closed Feedback Loop
Orchestrating threat intelligence from technical and nontechnical controls into a continuous feedback loop is critical in preventing phishing emails from going undetected due to a lack of communication between controls. By continuously feeding machines intelligence from multiple sources, both internal and external, such as analysts’ decisions and employee reports, 3rd party threat feeds, sandbox/threat emulation, and crowdsourced intelligence, email security can adapt and get smarter by predicting, preventing, detecting and responding in real-time. To reduce risk, machines driving the platform must constantly and in real-time be made aware of:
Content: what is being detected by different content scanners of different companies Context: what is being detected at the mailbox level Collaboration of Experts: what is being detected by decentralized threat intelligence (i.e., humans)
ESSENTIAL # 7: One Platform, Seamless Deployment & Integration
Email security is saturated with point solutions and scattered semi-automated tools that require organizations to purchase multiple non-integrated technologies, straining budgets and requiring lots of analyst time and resources. Combining all the essential functionalities to combat modern email threats into one single platform that can easily integrate or replace your existing email security stack, while keeping deployment seamless, scalable and the total cost of ownership low is a major benefit to security teams.
Summary
In conclusion, the frequency at which the email threat landscape now evolves, the high rate of micro-targeted attacks, and the speed at which threat intelligence must be consumed, have significantly reduced the effectiveness of secure email gateways and the security baked into GWS and Office 365. To truly mitigate the risk of email phishing attacks, businesses must look towards technology that provides advanced malware and phishing link detection; mailbox level spoofing and impersonation protection, human-centric phishing detection, and post-email delivery protection and decentralized intelligence that is seamless to deploy and works within a closed feedback loop.
IRONSCALES is a self-learning email security platform that can predict, detect, and respond to email threats within seconds. Email threats are growing exponentially and morphing at scale. Each day, billions of new, increasingly sophisticated phishing attacks and launched globally. Legacy technologies like secure email gateways (SEGs) have been shown to allow up to 25% of incoming phishing attacks through to their intended targets.
With IRONSCALES, you and your organization are Safer Together because of the following:
- Advanced malware/URL protection
- Mailbox-level Business Email Compromise (BEC) protection
- AI-powered Incident Response
- Democratized real-time threat detection
- A virtual security analyst
- Gamified, personalized simulation and training
.svg)
.svg)
.svg)
.svg)
.svg)
