
An Innovative Approach To Email Security Is Needed To Combat Advanced Phishing Attacks

Expert Insights sat down with Michael Landewe, cofounder of security vendor Avanan, about how they are innovating in the cloud security market, especially cloud-based email.


Technology moves quickly, and the email security landscape is no exception. Email security vendors are working tirelessly to create the best tech for businesses to protect themselves from threats like phishing and business email compromise. 

In comparison to the fast-moving technology, however, the purchasing model for email security has remained, for the most part, consistent. A customer will most likely go to one vendor for a single solution.

However, companies increasingly need a more innovative, layered approach to their cloud security, Michael Landewe tells me.

Landewe is the cofounder of cloud security vendor Avanan, which has taken a different approach to email security than other vendors.

Avanan offers a cloud-native deployment model across enterprise platforms including Office 365™, G-Suite™, and Slack™, where the security of those applications is managed entirely on Avanan’s platform.

In addition to Avanan’s patented anti-phishing technology, the company takes existing technologies and brings them together into one easy-to-use dashboard. This gives businesses enhanced security and greater choice over the tools they’re using for cyber security through partnerships with best-of-breed vendors.

We sat down with Michael to talk about how Avanan’s unified platform brings innovation to a market overwhelmed with point vendors.

How is Avanan different to other email security vendors?

We began as a cloud security product and found ourselves in the Cloud Access Security Broker (CASB) market. Our differentiator there was that we are not a proxy, trying to defend from the outside; we operate from within the SaaS, deploying like an app within Office 365, G-Suite, or Slack.

While selling Avanan as a cloud security product, we found that the number one threat for companies using O365 and G-Suite is email. That is today’s ‘hair on fire, we need a product now!’ issue.

We had built a product to monitor user behaviour, user events, and the configuration. We had made the proxy model irrelevant by deploying within O365, so we have greater access to the files, greater access to the user, and greater access to the controls. But it also gives us very, very granular access to email. This allows us to catch every email before it gets to the inbox. So, emails come through Microsoft’s spam filters and Advanced Threat Protection, if you have that turned on. But then, if it’s dangerous, we hold it using the API in a quarantine folder.

Then, we take a copy of that and run it through all of our partner technologies, for example sandboxing from FireEye or Check Point. We also have our own phishing analysis.

And this all happens before the email hits the user’s inbox?

Yes. We deploy after Microsoft’s filters, but before the email reaches your inbox. We can even see internal email between users. Most external email gateways are blind to email between employees.

Is there a processing delay for emails coming into the inbox?

It really depends on the analysis that we’re doing. One of the benefits of having our multi-layered technologies is that we are analysing emails with a suite of malware tools in parallel, so we get very, very quick results. We analyse with static analysis and zero-day sandboxing (most of those are actually very fast now), but there can be a little bit of a delay. However, we’re really seeing traction in the introduction of many AI-based analysis tools that offer all the same zero-day benefits of sandboxing, but with zero delay! We’re actually comparing different tools; some have 20-millisecond response times, some 50 milliseconds. As a processor, that information is important to us, but when it comes to user experience, it’s near-zero. So, 99.9% of email comes through instantly, and it’s only those things that we deem suspicious that are held for sandbox analysis.

How do you determine which emails are suspicious?

We have multi-tool pre-analysis.

First of all, for things that don’t have an attachment, URL, or so forth, we perform language and contextual analysis. Perhaps it’s from the CEO, for example, asking for money or financial information. We do Business Email Compromise (BEC) phishing analysis as well.

Then you have emails with a URL, so we might need to do some link analysis, either by one of a number of real-time feeds or doing a sandbox of the URL.

For attachments, static analysis from multiple tools can give us instant results and provide us with a score even before we send to sandboxing. We have a machine learning algorithm that weighs the results and does a great job of eliminating the false positives.

But it’s as fast, if not faster, than anything on the market. This is because we’re using all the brand names you’re familiar with, but in parallel. Most of the decisions come immediately.

Then we just send an API command to move the message from quarantine into the user’s inbox, and they know it’s clean.

But we can also edit it as well.

If, for example, it’s a wire request from a fake CEO account, we know that immediately and we delete it. But it might be the case that it is a legitimate email, and we determine it did come from the CEO’s account. We might edit the email to have a banner saying: “This is a request for money or information, please confirm through an external conversation,” because we are always concerned about compromised accounts as well as promoting safe behavior.

The key thing about most email gateways is that they are designed as perimeter products and can’t see internal emails. If you assume there is one account in the environment compromised and build your security around that assumption, you’ll make all the right decisions when it comes to what you deploy and the rules you set. If you can stop the insider threat, by design you will stop the external threat. Email gateways and CASBs are blind to what’s going on inside an account, but we have the ability to see user behavior, and to read and edit emails to solve problems like phishing attacks.

Avanan is really quite unique in the market in that you’re quite open about using third-party vendors to power your platform. When someone buys Avanan, do they choose those vendors as modules, or is it sold as a package?

Both actually. We do have a package in which we choose what products are being used. We make sure they complement each other. For example, there may be one solution that catches 80% of malicious emails and another that catches 20%. This might sound like a terrible catch rate, but it’s catching the 20% that the other technology is missing. And people who go for this bundle can also add the products they want to it with the ‘a la carte’ model where they can choose the tools they want. The vision behind having all those different tools is that there are very few engineers on the planet that could build code that can wind its way through four or five different levels of technology. So, by offering different layers, each with different methodologies, we’re able to stop more threats.

We’ve heard a lot recently about the importance of post-delivery protection for email.

We talk a lot about this new generation of post-delivery control. We use all the same tools we use for pre-delivery control for post-delivery protection: being able to quarantine and analyse email, and so on. So, when we connect to a user’s account, we actually go back in time. We look through their history and we can go back weeks and months, even with accounts that have been closed.

A very common phone call that we get is an organization telling us that they’ve been compromised, they have no control, and they need help. What we do is connect, go back in time, analyse all the email, and find where the breach happened.

An example of our post-delivery control is the so-called email storm or reply-all storms. We can grab every copy of that email and delete it with one command.

The ability to control the inbox rolls over to control of the outbox. If someone is trying to send a malicious email or confidential information internally, that’s something we can prevent.

One of the other post-delivery concerns is malicious URLs. Everybody does pre-inbox URL scanning, but 40% of URLs are on legitimate sites, with just one page of malicious content that appears after the email was sent. The URL may flag up as safe, but then five minutes later we may determine that actually it’s bad. If that happens, we can go into the user’s inbox and pull it, after the fact.

Because of where we sit (behind Microsoft’s built-in security as well as behind email gateways a customer might have installed), we have a unique vantage point to be able to see and stop what’s getting through.

Is Avanan an all-in-one platform for email security? You’d have your Office 365, maybe ATP, and then use Avanan as your all-in-one security platform?

Exactly. We see it as being like the iPhone model in that people pay us for the platform and they pick and choose the bundles they want. We handle all of the licensing and users just pay one per-user-per-month price for everything. We handle all the scaling, licensing, and the bandwidth. 

What are the typical sizes of customers who need this type of security?

We have customers of all sizes, from two hundred to two hundred thousand. Fortune 500, banks, hospitals, top-10 cities, for example. The sweet spot has been in the tens-of-thousands-of-users range because it is so simple to deploy.

But we built the product to be manageable by even a 50-user company that might not have an IT team. It’s the cloud model, so you turn it on, and it just works.

This type of product is especially important for smaller businesses because it’s so easy. The platform is designed so it’s up and running in three minutes and hopefully you never need to look at the dashboard again and we’ve solved the email problem.

Would you say that this technology represents the next generation of email security? It’s almost more than post-delivery protection.

Yeah. We love the fact that post-delivery protection is becoming a new language, but we had it from day one. But really, for us there’s no difference between post- and pre-delivery because it’s all embedded control.

There’s something we do beyond just email security, like the ability to remove files from inboxes, so if an HR document was accidentally sent to everyone it could be deleted. That has great security benefits.

And Avanan also offers protection for instant messaging platforms like Slack?

Yes. The problems facing Slack are the same as those facing email security. I can share malware on Slack, I can share malicious URLs, I can share confidential information. But if you go to an email security provider and say, “What can I do about my Slack?”, it makes no sense to them.

But if you look at Slack channels, you have people from other departments and people from other organisations. Slack has zero malware protection, zero phishing protection. It’s where Microsoft was ten years ago, saying “don’t come to us for security, we’re a collaboration company!”

People would never send a password or credit card information over email. But they will Slack it to each other. And you use Slack channels for everything, even online chats on websites. There’s an inherent trust in the platform. This means you need the exact same protection for email as you do for Slack, which is what we offer.

The Avanan platform is an innovative way for businesses to secure their communications. The lack of a delay for email communications and the comprehensive multiple layers of security mean that they offer strong protection from malicious emails and phishing attacks.

Instant messaging platforms like Slack may become the next big channel for hackers targeting individuals within an organization, and so Avanan’s Slack protection may become a powerful tool that all businesses need to protect themselves from phishing attacks.

Thanks to Michael Landewe for meeting with us.
