What a difference a decade makes. Although it may be hard to believe, there was a time when it wasn’t unusual for companies to have little or no email protection. Over time, it became more popular to protect email with standard security tools—firewalls and endpoint protection—doing double duty. Eventually, forward-thinking companies began moving to secure email gateways.
But a confluence of events has changed the email threat landscape, and the required response. The first is the massive move of email to the cloud—often to Office 365—shifting a lot of the trust for email security away from the organization. The second is the growth of more sophisticated attempts, like account takeovers of Office 365, social engineering, impersonation and cryptocurrency mining malware.
All of these factors point to the fact that by itself, a secure email gateway isn’t enough. While email gateways do a great job stopping attacks with bad links, malicious attachments or viruses, they aren’t as effective in other areas. According to research by Barracuda Networks, 38% of organizations rate their company’s ability to remediate malicious emails that reach users’ inboxes as only acceptable or inadequate, while 62% rate it very good or excellent.
“The bad guys are getting past gateways by using social engineering and attacks that contain text or words that gateway technology was never designed to detect or prevent. That’s the new battleground,” said Mike Flouton, vice president of email protection products at Barracuda. “Certainly spam, malware and malicious links still come in, so you still need a good gateway prevention strategy, but there are tons of other types of compromises that are getting in, so organizations need to do things differently regarding detection and response.”
The proliferation of cloud-based Office 365 is another driver for a more layered strategy. Michael Osterman, principal analyst at Osterman Research, said he is seeing more sophisticated attempts targeting Office 365, including account takeover attempts.
“As more users move to the cloud, we’re seeing more attempts to try to get into the Office 365 infrastructure,” he explained. “The goal is to take over an Office 365 account, and these attempts are hard to detect just by looking at them. In some cases, once an account has been taken over, they go to other Office 365 accounts, so you don’t have the ability to do the mouseover and see a bogus email address or link because now it looks valid, coming from a valid account.”
And that’s not even the worst of it. Once bad actors have entered an account, they can look for invoices in the in-box and then look for the recipients of those invoices in the Sent folder. With that information, they can send revised invoices with different payment terms or request that the payer wire funds to a different bank account.
While Microsoft is doing what it can to stem the tide, it’s not enough. According to Osterman Research, 40% of enterprises say that Office 365 login credentials have been compromised. Microsoft does a good job at basic malware and anti-spam detection, for example, but doesn’t do as good a job at advanced threat protection.
“Exchange Online Protection [EOP] and ATP [Microsoft Advanced Threat Protection] provide some nice capabilities, but there are … a lot of things both of those capabilities still miss,” Osterman said. “Fundamentally, we’re finding that core capabilities within Office 365 just aren’t as good as what you’ll find in a lot of third-party solutions. They don’t catch as many phishing attempts and aren’t as quick to recognize threats. You’ll find that some solutions, for example, do dynamic checking of links whereas Microsoft does static checking.”
Layering Is Key
First, don’t throw out the tools you are already using. A local email security tool such as endpoint detection, for example, can still be useful. Next, if you aren’t already using a secure email gateway tool, adding one is critical. While it’s not enough to catch everything, a secure email gateway can help reduce the attack surface. It catches some of the easier threats, freeing up resources and time to focus on harder-to-detect threats.
A secure email gateway, either on-premises or in the cloud, will scan all incoming and outgoing content. Osterman recommends that at least larger organizations use an email gateway to protect against threats that Office 365 won’t catch.
According to Osterman, two-thirds of enterprises use at least one type of secure email gateway, with Office 365's ATP being the most popular. Hardware-based secure email gateway appliances are the second-most popular, while virtual email gateways hosted on public cloud providers and cloud-based email security services were tied for third. Twenty percent of respondents use no additional security beyond the basic security features included in Office 365.
But in today’s environment, that’s not enough.
“One of the limitations of sitting at the gateway is that you are only seeing each email at a point in time when it’s either crossing into the organization or exiting it, but you don’t have visibility into the broader context of all the messages people send or receive, and you don’t have visibility into the emails that get sent within an organization,” Flouton said. “That technology just doesn’t have access to enough intelligence and data to be able to detect these new classes of social engineering attacks.”
It’s especially important to add third-party tools if your organization doesn’t rely solely on Office 365, Osterman said. For example, many organizations also use other communication channels such as Salesforce’s Chatter, Slack or Workday, and Microsoft’s ATP won’t protect those.
But before you choose additional email security tools to layer on top of your existing tools, it’s important to understand your users, your business and the risks associated with your users, said Joshua Douglas, vice president of threat intelligence at Mimecast.
“You have to be able to apply different policies based on user behavior both inside the company and potentially from third parties on the outside,” he said. “Vendors have to supply that same level of visibility and care when thinking about your customers’ environments and business partners, so they can report back when there are threat attempts.”
Tools that use machine learning or artificial intelligence (AI) help keep some of the newer, more insidious attacks, such as social engineering and impersonation, at bay. Trend Micro, for example, has a tool called Writing Style DNA that uses AI and machine learning to analyze an email content’s writing style, with the goal of determining whether it is legitimate or not.
AI and machine learning also can dig more deeply than other types of email security approaches. For example, an attacker could pose as the CEO, emailing a company administrator to wire funds immediately so that the money is available when the “CEO” lands. A gateway can’t judge whether the sender really is the CEO; to the gateway, the message is just words. Sender authentication (SPF, DKIM and DMARC) can confirm that a message genuinely came from the domain it claims, but it can’t tell the gateway that a lookalike address or a compromised legitimate account isn’t the CEO.
In contrast, AI can understand the language used in the messages and conclude that it looks like an urgent request. While determining that it’s an urgent request isn’t enough to condemn an email, it’s one clue. The AI model should also look at other factors, such as the fact that the person is talking about wiring money. The combination of three factors—the urgent request, the request for funds and the fact that the email address is different from the one the CEO usually uses—is enough for the AI-imbued tool to flag it as suspicious.
AI and machine learning can also help an organization more deeply analyze the body of emails sent or received by Office 365.
“It opens up a new threat detection model because you can look at all that data and build a model of what a good email should look like,” Flouton said. “That way, you can develop a model that specifies the types of words a specific user typically uses in an email, the types of people the user typically emails and what an urgent request from that user looks like. Then AI can use that model to flag emails that seem suspicious based on those factors or signals.”
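The scoring logic described above, written out as an added example for this article; it is not code from Barracuda, Trend Micro or any vendor named here. Simple keyword patterns stand in for the language model, and the per-user baseline of “addresses this person normally sends from” is constructed rather than learned from mailbox history. The three sample messages are likewise constructed: a lookalike-domain CEO impersonation, a routine legitimate message, and a message from a genuine internal account whose Reply-To has been diverted, the account-takeover case in which the From address looks perfectly valid.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline (assumption): the addresses each named person normally
# sends from. A real tool would learn this from the organization's mail history.
KNOWN_SENDERS = {
    "jane doe": {"jane.doe@example.com"},
}

# Heuristic phrase lists standing in for the language model described in the article.
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|today|before (?:i|my) (?:land|flight))\b",
    re.I,
)
MONEY = re.compile(
    r"\b(wire(?: transfer)?|transfer (?:the )?funds|payment|invoice|"
    r"bank (?:account|details)|iban|routing number)\b",
    re.I,
)


def score_message(raw: str, known=KNOWN_SENDERS) -> dict:
    """Collect impersonation signals from one plain-text RFC 822 message and give a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    signals = []
    if URGENCY.search(text):
        signals.append("urgency")
    if MONEY.search(text):
        signals.append("money_request")
    # The display name belongs to someone we know, but the address is not one they use.
    usual = known.get(name.strip().lower())
    if usual and addr.lower() not in usual:
        signals.append("sender_mismatch")
    # Replies silently diverted elsewhere: common once a real account has been taken over.
    if reply_to and reply_to.lower() != addr.lower():
        signals.append("reply_to_mismatch")

    # An urgent request alone is only a clue; three coinciding signals is what gets flagged.
    verdict = "suspicious" if len(signals) >= 3 else "clean"
    return {"from": addr, "signals": signals, "verdict": verdict}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike_ceo": """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: admin@example.com
Subject: Urgent wire needed

I'm boarding now. Please wire $48,000 to the account below immediately
so the funds are available when I land. Details to follow.
""",
    "legit": """\
From: "Jane Doe" <jane.doe@example.com>
To: admin@example.com
Subject: Q3 deck

Could you send me the latest Q3 deck before Friday? Thanks, Jane
""",
    "compromised_internal": """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@mail-example.net
To: ap@example.com
Subject: Revised invoice

Updated invoice attached; please process payment today to the new bank account.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

The third sample is the case Osterman describes: hovering over the sender shows a valid internal address, so only the combination of a diverted Reply-To, a payment request and urgency language gives it away. In production the baseline and the phrase lists would be replaced by models trained on the organization’s own mail, but the shape of the decision, several weak signals combined rather than any one of them alone, is the same.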
The Human Element
But as important as tools are—and they are very important—don’t underestimate what Douglas calls the last mile of compromise: the user.
“At the end of the day, what is your biggest problem?” he asks. “Is it malware, phishing links, credential harvesting or human error? If you agree that your largest problem is human error, solve that problem through effective awareness training.”
Effective awareness training empowers employees to be more vigilant and is often accomplished via phishing simulation, classroom instruction and online presentations. Some companies choose to start with SANS’ Security Awareness Maturity Model and customize it from there.
When it comes to email threats, it’s not a matter of if, but when. No matter what protections you have in place, some threats will get through. By layering email security defenses as deeply as possible and using advanced technologies like artificial intelligence, your organization has the best chance of thwarting as many threats as possible.