Bad actors are always on the lookout for new opportunities to exploit vulnerable systems and access your data. Unsecured email accounts can be an attractive target for attackers due to the effectiveness of malware, and the sheer ubiquity of email in modern life. It’s no wonder, then, that 91% of attacks start with an email.
Users are at risk from having their accounts compromised, or data stolen, when they unwittingly download a malicious file, or click on an untrustworthy URL – it might contain malware such as ransomware, or a virus such as a Trojan or a Worm. Depending on the type of software, this could result in bad actors gaining access to you, and your customers’, data. Unfortunately, these attacks are not only common, but can have devastating consequences for an organization: IBM reported that that “83% of organizations have had more than one data breach” and that the average cost of a ransomware attack (not including the cost of ransom) was $4.54 million USD.
Robust email security works in two directions. It can prevent someone from sending malware or phishing attacks into your network to corrupt your files, trick users or use your device as part of a coordinated “bot” attack. In the other direction, data can leave your organization via email. This could be because someone has stolen the data, or because a user has, knowingly or unknowingly, shared the information. Proper email security can ensure your accounts are protected from both these risks.
The main types of email security used by organizations today are: Secure Email Gateways (SEGs), post-delivery protection, and outbound protection.But what’s the difference between these email security solutions, and how do they work?
Secure Email Gateways (SEGs)
A SEG is a cloud-based email filtration service that identifies and blocks malicious or unwanted emails from entering your inbox. SEGs use multiple filters to screen your mail, before using a host of tools to remove the threat. Spam, malware, viruses, graymail, and phishing attempts can all be blocked by a SEG.
A spam filter will scan all traffic for tell-tale signs that the email is unsolicited and unwanted. An SEG will use multiple filters, each identifying a different attribute, to prevent most of the spam reaching your inbox. Filters can search for language attributes – is the email written in the user’s usual language? Is there a high number of spelling mistakes or non-standard characters? Is there an “unsubscribe” button, signalling that this email is a newsletter or for marketing?
There are more sophisticated filters too. Header filters analyze an email’s delivery data to deduce if the email address is genuine and corresponds to the identity advertised in the body of the email. Bayesian filters use a list of common phrases to calculate the likelihood of an email being spam. These lists are dynamic, so can continually adapt to ensure the filter is as reliable as possible.
If there is uncertainty whether an email is spam or not, an SEG can redirect the email into “spam quarantine”. With most leading email security solutions, the end user can access the “spam quarantine” to decide if the email should be read or deleted. This ensures the end-user is not frustrated by spam reaching their inbox, but has access to any emails, should they need to.
An end-user digest should be produced to summarise the emails that have been redirected to spam quarantine. This makes it easy for the user to review the decisions made by the SEG and ensures that no important emails are missed.
Graymail is promotional or newsletter content that a user has opted-in to received, but is no longer interested in. For the end-user, this email might be considered spam. However, for a different user, the mail might be relevant and wanted. Due to different users viewing the same email in different ways, it can be difficult for SEGs to accurately identify graymail for each user. Some services offer a secondary, “Other”, or “Promotional” inbox for graymail.
Antivirus / Malware Protection
To identify malware and viruses, the SEG will begin by checking any actionable content found in an email with a database of known malware and viruses. Attackers are, however, continually creating new types of malicious code to evade these database searches.
As with using multiple spam filters each searching for a different attribute, SEGs use multiple antivirus scans to reduce the chance of anything being missed. This feature brings a great return on effort – for the sake of scanning data multiple times, the threat can be drastically reduced.
Anti-malware software can examine how a piece of code behaves to decide if it is a risk to your system or not. Once this decision is made, the email (or just the dangerous software) can be deleted, ensuring your inbox is safe and clean. If the actionable content is unknown, and its behaviour isn’t clear, SEGs have several tools for making an informed decision – these include “sandboxing” and “content disarm and reconstruction”.
When a SEG cannot verify if a URL or attachment as malicious or not, the file can be opened in a virtual “sandbox”. This is a safe area to inspect the content of the file and see how it operates. It is safe to do this in a sandbox, as this is not connected to the rest of the system. If the file is malicious, there is no way for the file to infect the wider infrastructure.
Content Disarm And Reconstruction (CDR)
Sometimes attackers will try to disguise dangerous code within another file. In this instance, Content Disarm and Reconstruction (CDR) is an essential tool used to keep you safe. This involves a file being broken down into its discrete, essential components. Any additional, executable content will be revealed, and can be removed. The file is then reconstructed, using only the essential elements, making it “clean” and impotent.
Time-of-Click Protection / URL Rewriting
URLs embedded within an email can be a way of administering malware onto your system. The risk is that a bad actor could bypass the email filters by sending a valid (safe) URL link in an email. Once the email has reached inboxes, the URL can be weaponised, allowing the users account to become infected. As this link has already passed through the filter, there would be no way of knowing that it’s dangerous unless time-of-click protection was active.
Time-of-click protection works by analysing the URL at the time that the end-user clicks on it. This is beneficial as it means the user is protected when they use the URL. If the time-of-click analysis decides that the site is malicious, the user will be prevented from accessing it, keeping them safe. This is sometimes called URL Rewriting.
Some advanced solutions do not scan the link but open the URL in a secure window and allow limited interaction with the site. As the window is secure, you can view the site without putting your systems at risk. The SEG might also intervene to prevent you from putting sensitive details into the suspicious site.
One of the big challenges facing SEGs is their ability to identify and flag phishing attacks. A phishing attack is very different from a spam email. Where spam is written to a bulk, general audience, phishing is more targeted, often mentioning a relevant company of individual. To a spam filter, this can look very much like a genuine email. Research suggests that many SEGs are not equipped to identify this, and therefore “miss over 30 percent of targeted phishing attacks”.
Employee education is an important way of preventing phishing attacks. Once a user understands how their details can be used, they are better able to identify a suspicious email that has passed through the filters. This helps prevent data leaks too. Users can learn how emails are intercepted, and if it is wise to email a specific piece of information to a specific account.
SEGs are an effective way of blocking a large quantity of dangerous emails, with very little management needed. Multiple filters ensure that very few spam emails make it into users’ inboxes. Many SEG solutions are user friendly and can be deployed quickly.
SEGs, however, struggle to identify highly specific forms of phishing – like spear phishing – and are not designed to remediate once the email is in your inbox. It can be beneficial to use an SEG in conjunction with post-delivery protection, or outbound delivery protection.
If you are interested in learning more about The Top 11 Email Security Gateways, read our article here.
Post Delivery Protection (Inbound Protection)
Post Delivery Protection (PDP) operates within your email network, to proactively remove any dangerous files that have reached your inbox. It acts a line of defense, after the email has been delivered. They work by building up a picture of a user’s usual behavior by analyzing email history with AI and machine learning.
Any deviations from the normal expectations can be flagged as suspicious. As this type of protection is individual and adaptive, it can protect from a range of threats that include spear-phishing, BEC (Business Email Compromise), and other social engineering attacks.
Analyze Normal Behavior
By building up a comprehensive picture of a user’s usual habits and contextual factors, PDP can accurately identify anomalies and instances where an account is compromised. This baseline of usual behavior can be created through understanding who an employee usually communicates with. What (type of) content is usually shared between them? What is their role within an organization? What departments or users are at the greatest risk of being targeted by a phishing attack?
PDP can analyze recent emails to your organizations from external vendors. This is used to understand the nature of your organization’s relationship with the vendor – this is very similar to the way users’ behaviour is analyzed. If you receive an email from a known vendor, but the interaction does not fit with the pattern, the vendor might have been compromised. This helps your organization avoid falling victim to phishing or BEC attacks. This vendor analysis is ongoing to provide an up-to-date picture of the relationship.
As with in SEGs, sandboxing provides a safe, isolated, environment for an unknown piece of software to be run. This allows the PDP to understand how the software works, and if it poses a threat to the user. As the sandbox is isolated, the software is unable to interfere with your system.
Having effective reporting tools is essential for a good PDP solution. Because PDP works post-delivery, malicious content has got closer to your infrastructure, than if it was blocked pre-delivery. This means there is a higher chance of the malicious content being active. Admin should automatically receive a notification if a PDP has had to remove any content, which allows the admin to carry out further investigation and ensure the network has not been compromised.
End User Reporting
Users can report emails that have made it into their inbox but seem suspicious. This will result in an admin receiving a notification and can then investigate the email further. If they think the email is dangerous, they can delete it from every account that it has been sent to. This type of remediation ensures that end-users play a proactive role in maintaining secure accounts.
Some PDP solutions add warning banners to emails that have the potential to be malicious. As phishing attacks can be highly personal, it is difficult to identify accurately all the time. By adding a banner, the end-user is reminded of the risks, but can make an informed decision about how to respond to the email. The banner will briefly summarise why the email should be handled carefully, and how to respond.
Post-Delivery Protection Summary
PDP is an invaluable line of defense to back up the work done by a SEG. Because PDP understands the user on an individual level, it is suited to identifying highly specific attacks with a good degree of accuracy.
There can be a slight delay as the PDP solution analyzes new content. It might take less than a minute to scan an email to check for malware. This is, however, long enough for a user to click on the URL or download a malicious file, before the PDP solution has recalled the email. Using a PDP solution in conjunction with a SEG gives you the greatest chance of identifying and removing malicious content before it harms your accounts.
Read our Top 8 Cloud Email Security Solutions to learn about what features are offered by each solution.
Outbound Delivery Protection
To prevent sensitive data being shared with the wrong people, wittingly or unwittingly, outbound delivery protection is a powerful tool in your security setup. The two areas where this type of service is most beneficial are preventing interception through encryption, and managing human error through behavioral factors and remediation functions.
Outbound protection prevents your valuable, sensitive information from being distributed to the wrong people. This ensures you are adhering to data compliance and regulation laws, and it also benefits your own security as it prevents malicious actors gaining knowledge of your organization’s email practices, which could result in them being able to initiate an authentic phishing attack.
Outbound Protection Features
Interception Prevention And Encryption
The two times when your emails are most vulnerable to being accessed is whilst in transit, and whilst sitting in an inbox. TLS (Transport Later Security) is a type of encryption that can secure your emails whilst they travel from outbox to inbox. TLS cannot, however, protect your email once it is in the recipient’s inbox. It relies on that inbox being secure, to ensure your data is not accessed. TLS also requires both mailboxes to be TLS compatible.
End-to-end encryption is an alternative encryption method that can protect your emails through their whole journey. Your email is encrypted whilst in your account, and only decrypted once the recipient accesses it. AES-256 (Advanced Encryption Standard) is the most secure type of encryption commonly used – making it virtually impossible to hack.
The ease-of-use depends on the outbound solution you are using. Some can be difficult and not intuitive to use – this might reduce a user’s willingness to encrypt a message. There are, however, lots of solutions that have prioritised usability. When sending an email, users have the option to mark the email as “Unclassified”, “Internal”, “Confidential” or “Restricted Access” depending on how sensitive the data is. When they receive an email, if they are not already a verified trusted account, users will have to login to access the content. If necessary, MFA can be required before a user has access to the communication and any attachments. This level of security means that the sender can be informed when the email was delivered and read.
Human Error And Behavior Analysis
Human error is impossible to prevent completely through training or authorization procedures. People make mistakes. Behavior analysis helps to mitigate that by alerting users when they are trying to do something that does not fit with their usual behavior. For example: Are they emailing an unusual account? Do they usually send that type of file to that account? Have they attached the wrong type of, or an unusual, file?
A user’s usual behavior can be analyzed by machine learning technologies. Any behavior that is considered abnormal can be flagged or proactively blocked. This protection can be configured so that an admin is able to verify whether the email, and the data contained within it, is suitable to be distributed. This behavioral baseline can be adaptive, and continuously update to provide accurate insights into non-normal behavior. This type of system can also be configured to have a set of pre-defined criteria about what information cannot be communicated via email. You might receive a notification saying: “You don’t normally send emails to this person. Are you sure you want to send this file?”
Some outbound services – like Microsoft Outlook – have a “Revoke” feature that allows users to remotely block access to an email once it has been sent. You can also edit the email once sent, then resend it with your changes.
Because outbound delivery services have access to all your email communications, they are ideal places to archive and log emails for data compliance and regulation purposes. With many outbound services, this is a fully integrated feature. This ensures that you can prove that data is safe and secured within your organization.
If you are interested in The Top Outbound Email Security Solutions, read our article here.
Outbound Protection Summary
Outbound protection can be very useful as it is able to monitor what information is leaving your organization. This type of insight is important as it ensures you are complying with all relevant regulations, whilst limiting the chance of human error. By eliminating errors, your organization can focus on important issues, rather than clearing up the fallout from a data breach.
Outbound protection is designed to do something very different to a SEG or PDP solution, and therefore has lots of strengths, but should be used as part of a comprehensive security set up.
Without an outbound security solution in place, if a bad actor manages to gain access to your network – by logging in with valid credentials – they will be able to connect with other internal users and distribute malware without their emails being scanned. Outbound delivery protection will identify this malware, and prevent it being spread throughout your organization.
Email is the predominant means of B2B communication, so it is critical that your organization has a robust security solution in place to prevent data loss as the result of an attack or human error. Combining a SEG with relevant PDP and outbound services is the best way to ensure that your data is secure.
You should not, however, become complacent with your security set up. With the growth remote and hybrid working styles, there are an increasing number of ways to communicate. Slack, Zoom, Teams and other SaaS applications allow individuals to share links and files. Just because your email accounts are secure, it does not mean that all forms of communication are.