This is the first in a series of five blog posts exploring how to evaluate anti-phishing tools.
As successful phishing campaigns continue to make headlines week after week, many organizations have recognized the need to dramatically reduce both their mean time to detection (MTTD) and mean time to respond (MTTR). To some extent, it’s therefore not surprising that we’ve seen a wave of new anti-phishing tools hit the market over the course of the past 18 months.
In this blog post, we’ll discuss why these tools exist and how to evaluate solutions to find the one that’s right for you. Over the coming weeks, we’ll explore each of the four considerations introduced below in detail.
Wait, why can’t I just use my secure email gateway?
The domination of cloud email platforms such as Office 365 (soon to be Microsoft 365) and G Suite in large and small businesses alike has brought with it a dramatic shift in the email security landscape as well.
Where secure email gateways (SEGs) used to be the de facto choice for email security, we’ve seen a wave of new anti-phishing tools emerge to address what has been a growing gap in protection. We’ve written in depth about the challenges the SEG market faces, the benefits of a cloud-native approach, and the advantages of API-based email security.
Meanwhile, despite the investments that cloud email platforms have made in security, such improvements have made only a small impact on the overall phishing landscape – catching some volumetric attacks, but failing to identify targeted phishing campaigns, polymorphic attacks, or even spoofs of their own service.
Automate your phishing response
Given the gaps outlined above, it’s no wonder that companies are turning to API-based solutions to cover what legacy email security tools miss. By integrating directly with Microsoft or Google through their APIs, such tools have the capacity to be a valuable weapon against the onslaught of phishing attacks.
In evaluating such solutions, consider whether you’re looking for a primary email security solution or a secondary one. Some solutions, with their limited detection capabilities and feature sets, are suitable ONLY as an add-on to an already robust email security platform, while others can be the workhorse of your email security strategy.
Regardless of how it’s being used, there are four critical areas to review to determine the effectiveness of the tool in lowering both your detection and response times:
Incident response: Despite best efforts, there will always be a need for email threat removal, and yet this is the area that has historically received the least investment from email security solutions. A good anti-phishing solution will recognize the need not just for more accurate detection of business email compromise and other phishing attacks, but will also provide robust tools to find and remove threats even after delivery. While remediation capabilities have become more common, they are often limited in scope and functionality, lacking bulk remediation, detailed search, and integration with other security products such as security orchestration, automation, and response (SOAR) platforms.
User engagement via in-the-moment warnings: Companies have invested heavily in both security awareness training and computer-based training programs to help their employees understand how to spot phishing emails. But such periodic training exercises are often quickly forgotten, particularly in times of high stress and when away from normal work routines. Look for an email security platform that incorporates multiple ways to engage and educate users about suspicious messages – from customized warnings when they open an email or click on a suspicious link to easy ways to determine an email’s relative threat.
Effective email threat (and specifically, phishing) detection: Consider what kinds of threat detection are being used. Most tools claim some kind of advantage that helps them detect phishing threats, but understanding what those techniques are and how they are applied is critical. Machine learning, for example, is a technique, not a goal – how is it being used, and does its application make sense? Similarly, DMARC analysis can be helpful (though not in isolation) in identifying brand impersonations, but it does not provide any help with executive impersonations or account takeover attacks.
Corporate and technical maturity: It’s great to see the level of innovation and advancement that all these companies are bringing to the email security space. But that doesn’t mean you should overlook critical indicators that can help you determine if your new potential partner is ready for primetime. Consider how important the company’s security controls are to you (easily addressed with a SOC 2 Type 2 audit, for example), and whether the vendor ever takes possession of the content of your emails. You may also want to discover how much mail they analyze and whether it’s from a mix of industries and sizes.
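To make the detection point concrete: DMARC only checks that the From domain aligns with an SPF- or DKIM-authenticated domain, so a display-name impersonation sent legitimately from a free-mail domain, or mail sent from a compromised internal mailbox, passes cleanly. The added example below is not GreatHorn code; the domains, DMARC policies, executive list and sample messages are constructed, and organizational-domain derivation is simplified (real DMARC uses the Public Suffix List).

```python
# Added illustration: why DMARC alignment alone cannot flag executive
# impersonation or account takeover, and one complementary check it lacks.
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed DMARC policies for the domains used in the samples below.
DMARC_POLICY = {"example-bank.com": "reject",
                "example-corp.com": "quarantine",
                "free-mail.example": "reject"}
# Constructed list of protected executives (display name -> real mailbox).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

@dataclass
class AuthResult:
    header_from: str              # RFC5322.From header as received
    spf_domain: Optional[str]     # MAIL FROM domain that passed SPF, else None
    dkim_domain: Optional[str]    # d= of a DKIM signature that verified, else None

def org_domain(domain: str) -> str:
    # Toy organizational-domain derivation: last two labels only.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_result(msg: AuthResult) -> str:
    """Relaxed-alignment DMARC evaluation over already-computed SPF/DKIM passes."""
    _, addr = parseaddr(msg.header_from)
    from_domain = addr.rsplit("@", 1)[-1].lower()
    policy = DMARC_POLICY.get(org_domain(from_domain))
    if policy is None:
        return "none"            # no policy published: nothing to enforce
    aligned = any(d and org_domain(d) == org_domain(from_domain)
                  for d in (msg.spf_domain, msg.dkim_domain))
    return "pass" if aligned else f"fail:{policy}"

def exec_impersonation(msg: AuthResult) -> bool:
    """Check DMARC cannot perform: a protected executive's display name paired
    with an address that is not that executive's mailbox."""
    name, addr = parseaddr(msg.header_from)
    expected = EXECUTIVES.get(name.strip().lower())
    return expected is not None and addr.lower() != expected

# Constructed sample messages.
BRAND_SPOOF = AuthResult('"Bank Billing" <alerts@example-bank.com>',
                         "attacker-mail.example", None)        # DMARC fails
EXEC_SPOOF = AuthResult('"Jane Doe" <jane.doe.ceo@free-mail.example>',
                        "free-mail.example", "free-mail.example")  # DMARC passes
ACCOUNT_TAKEOVER = AuthResult('"Jane Doe" <jane.doe@example-corp.com>',
                              "example-corp.com", "example-corp.com")  # DMARC passes
```

Note that the account-takeover sample passes both checks: the mail is authentic in every header-level sense, which is why detecting it needs behavioural or content signals rather than authentication results.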
The bottom line: Most of these tools will provide some additional level of protection, but choosing the one to invest in should take as much consideration on your part as any other security decision you make. Reviewing these four areas should help you differentiate between solutions and choose the one best suited to meet your needs.
Stay tuned for our next blog in this series, which will explore how to evaluate threat remediation capabilities in detail.
Note: To help combat the increased risk from phishing, GreatHorn is offering a Workforce Protection Program – giving organizations full access to the GreatHorn Email Security platform for free for 60 days without restriction on functionality.