In our three-part blog series, we’ll debate the efficacy of traditional vs. modern email security. In our first post, we discuss the evolution of email-borne threats and the failure of threat intelligence. Check back next Tuesday, to learn more about the benefits of integrating security awareness training and incident response capabilities into your email security solution. Then on Thursday, we’ll wrap-up our series with a checklist of modern email security standards.
Many email-borne attacks, like spear phishing and business email compromise (BEC), rely on the pretexting of key employees in an organization. Cybercriminals are successful because they use psychological manipulation to trick users into making security mistakes or giving away sensitive information. If the phisher can gain the recipient’s confidence and trust, then the attacker can swiftly extract information, commit fraud, or gain system access.
The types of email attacks that prey on human error present a unique challenge for organizations and the security solutions they rely on to protect them. The evolution of email threats from nuisance spam to sophisticated, targeted phishing campaigns calls for modern email security that is flexible enough to stave off evolving threats before, during, and after an email attack.
What makes a cloud email security platform modern? Simply put, it’s the incorporation of multiple layers of defense—adaptive threat detection and blocking, integrated user education, and simplified email threat removal into a single platform for complete protection before, during, and after an email attack.
Just a couple of decades ago, viruses like ILOVEYOU and Anna Kournikova arrived spreading mostly via email. At this time, securing email was a relatively straightforward endeavor. Security vendors needed to scan the content of inbound and outbound messages for viruses and telltale signs of spam. However, modern-day attacks like BEC make securing email much more difficult.
BEC attacks don’t typically rely on malicious attachments. They can linger for days, weeks, or months—comprising scores or hundreds of separate communications. Their content may be brief, conversational and familiar: hardly the kind of language that can be flagged without also generating staggering numbers of false positives. What’s needed is a new approach. Modern email security protects beyond known “bad” malware. It encompasses adaptive threat detection and strict adherence to business processes designed to mitigate risk. Modern email security also incorporates robust incident response tools and procedures that minimize the impact of the threats that evade detection.
Anti-virus and anti-spam solutions have been around for decades, but the battle for email security is far from over. Indeed, email-borne threats are on the rise and are still amongst the most potent tools in an attacker’s toolkit. Today, technology-dependent organizations face an expanding list of email-related threats. Nuisance spam and malicious email attachments now stand alongside targeted phishing attacks and CEO/executive impersonations. Even the most textbook attacks today use elements of localization and customization. For example, Microsoft has noted how a campaign that sent malicious attachments to small businesses in the U.S. used localization, making the message and attachment appear to come from well-known, local businesses to help trick email recipients to open the malicious email attachments.
To complicate matters, organizations are increasingly reliant on cloud-based platforms. Ideal for supporting a mobile workforce, such platforms offer little in the way of a corporate perimeter to defend and strain the ability of legacy security and monitoring tools. At the same time, compromises of cloud-based messaging platforms like Office 365 allow attackers to burrow deep inside an organization, gaining access to and exfiltrating reams of sensitive communications and data without notice.
Now, the majority of email-based attacks use a combination of attack techniques. This infrastructure is what makes threat intelligence a critical component of modern email defense. Simple emails may provide a beachhead in an organization, but the malicious infrastructure is what allows attackers to expand and move laterally within organizations laying the groundwork for persistent attacks.
Modern email security solutions integrate multiple threat intelligence feeds that add a layer of protection: spotting emerging campaigns, flagging new malware variants and toolkits, and blocking suspicious and malicious domains that are part of command and control infrastructure.
Today, threat intelligence no matter how up-to-date is not enough to effectively combat sophisticated phishing attacks.
Many of today’s most widely-used email security tools rely heavily on threat intelligence, in some form, as the primary threat detection tactic yet, few vendors will admit it. Even the best threat intelligence is unlikely to spot phishing emails because they closely resemble legitimate email traffic and typically lack malicious links or attachments. By dialing up the sensitivity of email filtering and scanning features, administrators end up quarantining a great number of clean, legitimate messages. This can hamper business productivity and irritate employees/executives. It also places the burden of manually reviewing “false positives” caught up in an unwieldy net onto IT staff.
Addressing both the philosophical and technological components of email security
The challenges of most email security solutions have as much to do with a philosophical mindset as they do tactics. In particular, the over-reliance of threat intelligence is symptomatic of an antiquated, perimeter/gate mindset. Where the only role of email security is similar to that of an airport security agent: check everything that comes through against a predefined list of “bad” things and let everything that doesn’t “match” through. In the case of airport screening, if something slips through the perimeter defense, recourse can be disruptive and potentially ineffective. The airport security staff may shut down a terminal (or the airport) or run manual security checks on people who have already cleared. The same is true for email security where so-called “incident response” is often limited to suspending accounts or using PowerShell scripts to identify email that is already in an employee’s inbox.
In the second part of our 3-part blog series Combating Phishing with Modern Email Security, we’ll explain how modern email security platforms strike a balance between combining multiple layers of threat detection, automated protection, security awareness training and automated response actions. This approach prevents the majority of email threats from reaching end users, while simultaneously protecting users and organizations from the email threats that do make it through.
Check back next week to learn more about this balancing act! Want to read more now?