Choosing a new security vendor can be difficult. To help you with your assessment, we’ve compiled a list of the top 10 questions you should ask when evaluating cloud email security vendors. Here’s our list.
#1. Does your solution detect both payload and social engineering attacks?
Cybercriminals will usually take the easiest route to the maximum return. Since hacking humans is often more efficient than hacking machines, cybercriminals will employ impersonation, urgency, and exploitation tactics to compel their targets to act.
We’re all human and make mistakes, so make sure that the cloud email security solution that you choose can identify and flag the not-so-obvious evasion tactics like direct spoofs, name spoofs, and domain look-alikes.
Although, there has been a significant rise in the use of impersonation attempts without the presence of malware, the detection of executables should still be addressed. Payload-based attacks can be just as damaging and contain the same exploitation tactics.
- Does your solution detect malicious links and attachments with the ability to dynamically scan and sandbox?
- Does it detect suspicious links, provide workflows to protect end users, and give control/context to admins?
- Can it flag direct spoofs, name spoofs, and domain look-alikes?
#2. Does the solution have integrated threat intelligence?
Check that the solution includes the ability to continuously ingest the latest third-party threat intelligence feeds and also offers proprietary behavioral threat intelligence to identify and protect against emergent threats.
- Does the solution take a multi-faced approach to detection of potentially malicious content? This may include, but is not limited to, integration with third-party threat intelligence providers.
- Does it take a baseline of communication patterns, relationships and email header metadata and use that data to help limit false positives that are unique to your environment?
#3. Does it use content-based detection?
RegEx-/string-based and keyword-based content identification are important in identifying unwanted emails within your environment. For example, anything from W-2 language to wire transfer requests to suspicious language can be detected by keywords.
Make sure that content identification criteria are available and can be used on its own or in conjunction with other factors like sender/recipient relationship, to help detect potentially malicious messages.
#4. Can it detect malicious messages based on anomalous email authentication configurations?
DNS-level authentication standards can be misconfigured or inconsistently implemented, both internally and externally, thus creating security holes that can be exploited. Changes in this metadata can be crucial indicators of threat.
Check that your cloud email security solution has the ability to analyze SPF, DKIM, and DMARC configurations for all mail received as well as a way to benchmark all addresses and domains to detect true anomalies beyond absent or misconfigured records.
#5. Does it have threat remediation and response capabilities?
The cloud email security solution should have strong incident response capabilities with multiple risk- appropriate threat response options, including automation capabilities and configurable policies. Consider whether the solution offers:
- Automated response actions
- Configurable response actions
- Incident response workflow capabilities
#6. Is it able to take post-delivery remediation actions?
It’s crucial to address the percentage of email that gets through the perimeter. Check that the solution is able to continuously monitor and take action on emails even after they have already arrived in end-user inboxes.
Evaluate whether remediation actions post-delivery are available. These can be:
- Removal of messages
- Moving messages to a designated folder
- Moving messages to trash folder
#7. What are the reporting capabilities?
The solution should have analytics and performance reporting capabilities that provide visibility into the organization’s threat landscape and risk level over time. Reporting capabilities should include:
- Metrics in threat and risk reduction: Access to information including at risk users, spikes in email volume to an individual or across your domain, attack types seen, or misconfigured or non-configured DNS-level authentication.
- Management reporting: Reports and data should be formatted in ways that are management-friendly for technical and non- technical audiences.
- Search capabilities: Ability to perform search for forensics and ad hoc investigations with exportable results.
#8. Is it easy to use? Can I deploy quickly and see results ASAP?
Let’s be honest, no team has the time and/or resources to struggle with a security tool. So, please consider the following:
- Deployment shouldn’t take more than a few minutes
- You shouldn’t have to change DNS/MX records: Rerouting your MX records to a cloud-hosted solution may cause deliverability delays or downtime.
- Pre-configured security policies: The ability to provide immediate protection via out-of-the-box policies is a must.
- Universal protection across mail clients
#9. Does the solution minimize interruptions to operations and users?
The solution should not introduce any risk of interruption to the business. Make sure that the solution you choose will allow for a seamless transition and won’t impact existing processes and end users. This means no latency or deliverability delays. Check for the following:
- No end-user email workflow changes required: Given the nature and importance of email usage in business, requiring a change in end-user behavior is not optimal, nor necessary.
- Seamless integration with existing security infrastructure and processes: Consider your current architecture, from firewalls to the configuration of sending services, and how the addition of an email security solution will—or will not—impact that architecture in the short- and long-term.
#10. Last but not least…when it comes to evaluating and choosing any new cybersecurity solution, one size does not fit all.
The stakes are high when adding a new security solution to your existing stack, so make sure to check customer references and third-party reviews.