Protect From Evasive Phishing with Email Security Defense-in-Depth

by John Callon

As phishing emails and ransomware continue to reach user inboxes, one conclusion is hard to avoid: email security is broken. Companies are trying to defend against today's sophisticated attacks with technology that was developed to block spam and malware.

In the late 1990s, spam had become a serious problem and propagation of malware by email started to increase. In response, email security software was created. The popular open source spam filtering software, SpamAssassin, was first released in 2001 and grew to include detection techniques such as Bayesian filtering, IP reputation and blocklists. The trusty Secure Email Gateway (SEG), a product category that came into being in the early 2000s, still relies on these techniques today.

Protection from email spam and viruses using a SEG

Most organizations deployed SEGs as dedicated appliances at the network edge or, in more recent years, as SaaS. Many eventually deployed multiple layers: one or more email gateways plus anti-malware installed on the mail server itself. The mail-server scanner ran scheduled scans to catch malware that had slipped past the SEG because no signature for it existed at the time of delivery.

Certainly, email security gateway vendors that have stayed on top of their game have evolved their detection technologies: integrated sandboxes protect against zero-day threats; time-of-click analysis defends against embedded URLs that are weaponized post-delivery; and authentication protocols such as SPF, DKIM and DMARC help detect impersonation of domains the organization actually controls. Note the limit of that last point: DMARC only checks that the sending infrastructure is authorized for the domain in the From header, so a lookalike ("cousin") domain the attacker registered, or a free-mail address behind a spoofed display name, authenticates cleanly.

The SEG's single-layer limitation

But the SEG has a major limitation: it protects only at a single point in time, namely at time of delivery or, with time-of-click protection, at the moment the user clicks the link.

In a world of evasive phishing and malware threats, the one-pass detection provided by the SEG is not enough. You need to deploy a defense-in-depth email security architecture. The SEG has its place in this approach: it provides solid front-line security that blocks spam, known threats, and some unknown threats when you integrate advanced detection capabilities like sandboxing. Where the SEG falls short is in detecting highly evasive phishing, spear phishing, BEC and cousin-domain spoofing. And because it sits at the perimeter, it can do nothing about compromised email accounts: mail sent from a compromised internal account to other internal users typically never crosses the gateway at all.
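To make the authentication point concrete, and to show exactly where it stops, the following Python is added here as an example; it is not code from the original post or from any vendor product. It implements the DMARC alignment decision that SPF, DKIM and DMARC give a gateway (SPF or DKIM must pass and its domain must align with the From-header domain, in strict or relaxed mode), then runs a simple lookalike-domain heuristic of the kind an inbox-level layer has to add on top. The AuthResult structure, the confusable-character table and the "organizational domain = last two labels" shortcut are assumptions for the example; real DMARC uses the Public Suffix List.

```python
import re


class AuthResult:
    """Facts an Authentication-Results header gives us (constructed structure for this example)."""
    def __init__(self, spf_result, spf_domain, dkim_result, dkim_domain):
        self.spf_result = spf_result    # "pass", "fail", "none", ...
        self.spf_domain = spf_domain    # envelope (MAIL FROM) domain SPF was evaluated for
        self.dkim_result = dkim_result
        self.dkim_domain = dkim_domain  # d= tag of the DKIM-Signature


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC uses the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def from_header_domain(from_header):
    # The RFC5322.From address, ignoring any display name in front of it.
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(from_header, auth, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passes AND that identifier's domain aligns with the From domain."""
    from_dom = from_header_domain(from_header)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_dom, aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_dom, adkim)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# --- What DMARC cannot see: a registered lookalike domain authenticates perfectly. ---
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # assumed table


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, protected_domain):
    """Heuristic cousin-domain check: confusable substitution or one edit away from a protected domain."""
    d, p = org_domain(domain), org_domain(protected_domain)
    if d == p:
        return False  # the real domain is not a lookalike of itself
    normalized = d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalized == p or levenshtein(d, p) <= 1


def demo(protected="example.com"):
    # Constructed cases: a genuine mail, an exact-domain spoof, a cousin domain, a display-name spoof.
    cases = {
        "legit":   ("CEO <ceo@example.com>", AuthResult("pass", "example.com", "pass", "example.com")),
        "spoof":   ("CEO <ceo@example.com>", AuthResult("pass", "attacker.net", "none", "")),
        "cousin":  ("CEO <ceo@examp1e.com>", AuthResult("pass", "examp1e.com", "pass", "examp1e.com")),
        "display": ("CEO example.com <ceo.example@gmail.com>", AuthResult("pass", "gmail.com", "pass", "gmail.com")),
    }
    out = {}
    for name, (hdr, auth) in cases.items():
        result = dmarc_evaluate(hdr, auth)
        result["lookalike"] = is_lookalike(result["from_domain"], protected)
        out[name] = result
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8s} dmarc_pass={r['dmarc_pass']!s:5s} lookalike={r['lookalike']}")
```

Only the exact-domain spoof fails DMARC. The cousin domain and the display-name spoof both pass, because the attacker legitimately controls the domain being authenticated; only the lookalike heuristic, which needs a list of protected domains rather than DNS records, flags the cousin domain, and nothing here catches the display-name case at all.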

A new layer of email security: Inbox Detection & Response

What is required is an email security paradigm updated to detect today's threats, and the massive migration to cloud platforms like Office 365 has given us just such an opportunity. These platforms expose mailbox APIs that let security tooling be deployed directly into the mailbox, giving us a new security tool and creating an emerging product category called Inbox Detection & Response.

Inbox Detection & Response (IDR) can protect against new threats by continuously scanning every email in every user's mailbox, checking and rechecking everything that has made it past the gateway. It also goes beyond the usual approach of inspecting objects for threats and adds a new dimension to email security: it monitors behaviors and user interactions in the mailbox, baselines them, and uses large-scale data analysis to flag anomalies. This adds context to an email and paints a much richer picture for evaluation.

Best of all, because IDR has "hooks" into every user inbox, whenever a new threat is discovered it can automatically delete every copy across every mailbox. This automatic remediation removes the burden from the email administrator or security analyst, seriously reduces the cost to respond, and massively shrinks the feared "window of vulnerability" caused by malicious emails lingering for lengthy periods within reach of users.

IDR can also provide a framework for users to interact with and contribute to detection in an efficient way, incorporating user feedback quickly and automatically to identify and protect against phishing attacks. Data collected through the framework can be correlated to determine whether an email is malicious and whether action should be taken. Incident and case management workflows help weed out false positives and let email admins and security analysts single out threats for further investigation.
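As an added example (not the article's or any product's code), the following Python sketches the three IDR behaviors described in the preceding paragraphs: retro-hunting every mailbox against an indicator set that was updated after delivery, correlating user reports by campaign fingerprint so that a single mistaken report does not trigger removal, and deleting every copy of a confirmed campaign from every mailbox while harvesting the indicators it carried for pushing to the SEG. The in-memory mailbox store, the fingerprint scheme, the report threshold and the constructed messages are all assumptions; a real deployment would read and delete messages through the mail platform's API.

```python
import hashlib
from collections import Counter
from urllib.parse import urlparse


class Message:
    """One copy of an email in one mailbox (constructed structure for this example)."""
    def __init__(self, msg_id, sender, subject, urls):
        self.msg_id, self.sender, self.subject, self.urls = msg_id, sender, subject, urls


def hosts_of(msg):
    return {urlparse(u).hostname or "" for u in msg.urls}


def fingerprint(msg):
    # Assumed campaign fingerprint: sender + whitespace-normalized subject + sorted URL hosts.
    key = "|".join([msg.sender.lower(), " ".join(msg.subject.lower().split()),
                    ",".join(sorted(hosts_of(msg)))])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def rescan(mailboxes, bad_hosts):
    """Retro-hunt: re-check every already-delivered message against the current IOC set."""
    return [(user, m.msg_id) for user, msgs in mailboxes.items()
            for m in msgs if hosts_of(m) & bad_hosts]


def confirmed_by_reports(mailboxes, reports, threshold=2):
    """Treat a campaign fingerprint as confirmed once `threshold` distinct users report a copy of it."""
    index = {(user, m.msg_id): m for user, msgs in mailboxes.items() for m in msgs}
    reporters = {}
    for user, msg_id in reports:
        m = index.get((user, msg_id))
        if m is not None:
            reporters.setdefault(fingerprint(m), set()).add(user)
    return {fp for fp, users in reporters.items() if len(users) >= threshold}


def remediate(mailboxes, bad_fingerprints, bad_hosts):
    """Delete every matching copy from every mailbox; return per-user counts and new IOCs for the SEG."""
    removed, new_iocs = Counter(), set()
    for user, msgs in mailboxes.items():
        keep = []
        for m in msgs:
            if fingerprint(m) in bad_fingerprints or hosts_of(m) & bad_hosts:
                removed[user] += 1
                new_iocs |= hosts_of(m) - bad_hosts   # hosts we learned from the campaign itself
            else:
                keep.append(m)
        mailboxes[user] = keep
    return removed, new_iocs


def build_sample_mailboxes():
    # Constructed data: campaign A (lookalike invoice) hits 3 users, campaign B (shared-doc lure) hits 2,
    # and alice also has one benign internal mail.
    def invoice():
        return Message("<a1@examp1e.com>", "billing@examp1e.com", "Invoice  overdue", ["http://pay-examp1e.com/x"])

    def share():
        return Message("<b1@share-files.biz>", "docs@share-files.biz", "Shared document", ["http://share-files.biz/doc"])

    hr = Message("<hr-1@corp.example>", "hr@corp.example", "Benefits enrollment", ["https://intranet.corp.example/hr"])
    return {"alice": [invoice(), hr], "bob": [invoice(), share()], "carol": [invoice(), share()]}


def run_demo():
    mailboxes = build_sample_mailboxes()
    # 1. An IOC feed update arrives after delivery: the retro-hunt finds campaign B in two mailboxes.
    bad_hosts = {"share-files.biz"}
    hits = rescan(mailboxes, bad_hosts)
    # 2. Two users report campaign A; alice also (mistakenly) reports the HR mail, which stays below threshold.
    reports = [("alice", "<a1@examp1e.com>"), ("bob", "<a1@examp1e.com>"), ("alice", "<hr-1@corp.example>")]
    confirmed = confirmed_by_reports(mailboxes, reports)
    # 3. Remove every copy of both campaigns, including carol's unreported one, and harvest new indicators.
    removed, new_iocs = remediate(mailboxes, confirmed, bad_hosts)
    return {"hits": hits, "confirmed": confirmed, "removed": dict(removed), "new_iocs": new_iocs,
            "remaining": {u: [m.msg_id for m in msgs] for u, msgs in mailboxes.items()}}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the threshold is the false-positive control the article mentions: alice's report of the HR mail never reaches two distinct reporters, so it is left alone, while carol's copy of the invoice lure is removed even though she never reported it. The `new_iocs` set is what gets fed back to the gateway so the next copy is blocked at delivery rather than cleaned up afterwards.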

Finally, IDR can create a fast feedback loop to reinforce machine learning algorithms. This uses the outputs captured by continuously scanning emails, monitoring user behaviors, and tracking URLs. Through analysis of this data, IDR can better detect anomalies, predict what the next threat might look like, and push intelligence to SEGs and other security assets, strengthening an organization’s security posture as a whole.

Create email security defense-in-depth

IDR brings continuous monitoring, detection and response to email security, using technology that cannot be deployed at the SEG. In turn, the SEG provides technologies that cannot be deployed in the inbox, so it must remain as part of your email security stack. Finally, there are technologies that can be deployed at the gateway or in the inbox, allowing a true email security defense-in-depth solution to be realised.

To find out more, read A New Vision for Phishing Defense: Inbox Detection & Response.