Application Security

How Multi-Layered Email Security Can Stop Phishing And Insider Threats

Barracuda’s Product Marketing Manager Peter Mullens talks to Expert Insights about the Barracuda platform, Office 365 and how organizations can protect themselves from advanced email threats

Article thumbnail image

Barracuda is one of the market leading security vendors for businesses. They offer multi-layered email security to businesses of all sizes around the world.

We sat down with Barracuda’s Product Marketing Manager Peter Mullens, to talk about the new threats that customers are facing and how Barracuda’s platform is helping to protect email networks.

Businesses are migrating email networks to Office 365, what threats are they facing?

Mullens tells us that businesses across the world are rapidly moving either part or all of their email networks to cloud based email platforms like Office 365.

These cloud-based systems are attractive to customers, with low cost monthly payments per user, easy management and inbuilt security.

An organisation thinking of making the jump to Office 365 will likely be wondering what threats they can expect on a cloud-based email platform.

“The big talking point for security is spear-phishing and email compromise,” Mullens says.

“I was talking to a customer recently, who was looking for archiving. As we were talking, they said they were also concerned about email compromise, and fraud, and that kind of thing. Many conversations we have lead in that direction.”

“Quite often we are seeing multi-stage email attacks where the initial goal is to do surveillance within the company. So, the attacker will sit there and just read emails for two months to spot vulnerabilities.

Do customers need third party email security for Office 365?

Many customers may look at Office 365 and decide that the inbuilt protection they offer is enough for them.  Mullens suggests that possibly 70 – 80% of businesses may be using Office 365 with no extra security. So, do companies need to use a third-party email protection service at all?

“Microsoft do provide an initial layer of security,” Mullens says.

“No security, including our own is perfect. But the moment you put a third – party solution in front of Microsoft, it’s ten times the security. It’s like putting a lock on the door and installing a burglar alarm. If you don’t have any additional security, you’re just the same as everyone else.”

“We have some existing on-premise customers who move to Office 365 and decide they don’t need us anymore. But then they’re back after six months. The threats aren’t rocketing, but it’s just enough of a concern.”

Is this true of companies of all sizes or just larger companies?

“I’d like to say it’s true for companies of all sizes. There are certain industries which are particularly likely to be targets. The classic ones like finance. In the US a lot of things like real estate.”

“Anyone with trade secrets or valuable intellectual property could be the subject of an attack.”

So, what can Barracuda do to stop email threats like spear phishing and business email compromise?

“Barracuda have a layered approach,” says Mullens. “There’s no single magic bullet for everything.”

“The most important component for us to stop phishing is Barracuda Sentinel. That’s the post-delivery component that actually monitors inboxes. That’s where the clever stuff happens, if you look at the industry generally that’s where there is the most innovation at the moment.”

“Sentinel works on the basis of knowing what a normal email flow is. When you turn it on, it looks back over the last year and finds out what a normal email flow looks like for a company. So, what who emails are sent to, who email addresses are sent from, email addresses, what times, what companies. So that means it has a whole load of knowledge it can bring to bear in terms of stopping phishing attacks.”

“Based on seeing what’s normal for account you can do some clever stuff and work out that the account may be compromised. But you can only do it by monitoring the email inbox.”

Are Post-Delivery Protection Platforms better than a Secure Email Gateway?

The marketing around Post-Delivery Protection platforms like Sentinel argue that they are the best way to protect against threats like business email compromise and spear phishing.  The way that as these platforms can be intelligent enough to learn email patterns and spot threats, in theory makes them much stronger at stopping phishing emails that a secure email gateway.

“It’s complementary,” Mullens says. “We’re still seeing the same old email threats we saw 15 years ago. Nothing ever goes away. We tell customers you still absolutely need a secure email gateway.”

So, does Mullens see a future in which Secure Email Gateways are replaced by products like Sentinel?

“No. I think you still need the gateway defences. If you take those things off, then malware is going to start hitting you again.”

A Multi-Layered Approach to Email Security

A multi-layered email approach is argued many a growing number of security vendors to be the best way for businesses to protect their networks against email attacks.

 Barracuda offers customers a multi-layered email approach, with a Secure Email Gateway, the Sentinel platform and Security Awareness Training.

Does Mullens agree businesses need multi-layered protection?

 “Absolutely, yes.”

“If you take the view that all of these different defences are available, why wouldn’t you get the lot? Why would you settle for less than the total picture?”

“Security Awareness Training is the other thing that’s kind of outside the flow of thinking about IT defences. But that’s the last line as well if everything else fails.”

Attacks Through Personal Email

Many people now have use mobile phones for both work and personal emails, using the same app to manage both inboxes. But this can be a security threat, Mullens argues, with sophisticated attackers exploiting this.

They will target an employee’s personal email account, with the hope that they forward it on to someone else in the company. This allows them access to company communications.

Mullens suggests this type of attack can only be solved by something like security awareness training.

“There’s really no other way,” he says. “However good you are at protecting your company email, this will be on acompletely different inbox.”

“I think that’s very much where it’s going on the basis that hackers will always move on to circumvent defences. The better we get at putting defences in, they’re looking for ways around them.”

Why businesses should consider Barracuda protection

The email security market is crowded. There are a lot of vendors out there for customers to choose from, with different security approaches. What sets Barracuda apart from the competition?

“There are a couple Barracuda traditional values. Ease of instalment and ease of use are something Barracuda always provides. Then there’s also the 24/7 phone support.”

“In terms of email security specifically you don’t have to pick and choose point solutions. Just come to us for the whole email security stack and it all integrates and talks to each other. It’s a multi-layered approach and one-layer talks to the other to provide complete end-to-end protection. So, for instance if you have Security Awareness Training, that training is informed from what your email security sees in the day to day email activity.

“That’s what sets us apart.”

If you’re looking for more information about the Barracuda Email Security platform you can read out reviews of the Barracuda Essentials Platform, Barracuda Sentinel, and Barracuda PhishLine.