Email security threats as they were

Cybersecurity training for spotting email threats used to be pretty cut and dried. Look for the .exe attachment or malicious link, the grammatical errors, the bad formatting, or the lack of relevance to the individual's day-to-day tasks, and click the "Report" button to collect your prize. While this approach still has value, threat actors are increasingly leveraging more sophisticated approaches that clean up the obvious mistakes of the past.

Email security threats as they are now

As an email user (and I know you are), you've probably noticed that threats have gotten better. Gone are the malicious attachments and links that don't fool modern solutions. Sometimes we still get a file leveraging a zero-day vulnerability or a link to a site that later becomes malicious, but more and more threats rely on people being people. No one wants to disappoint their co-workers or leadership, so messages that instill urgency to get something done are all the rage. If the email can come from a compromised internal account, a trusted domain, or a targeted lookalike account, then there is nothing to immediately cause the victim to assume danger.

So what's AI got to do with it?

The upleveling of attacks on email users is courtesy of freely available AI tools that help smooth out the language and grammar, and that tactic makes a lot of sense. One of the most pivotal advances AI brings to technology is the seamless interaction with humans. AI has to understand the context and nuance of human language to properly interact, and although that's done through math and not semantics, it still translates into a powerful tool for both deceiving and understanding the deception in a malicious email interaction. But why does this matter? There are only so many ways an email can hurt an organization. When you remove malicious links and attachments, you leave exploiting emotions as the only repeatable attack type. If you had a thousand security engineers reviewing emails with unlimited time, then no malicious email that relies on emotions alone would ever make it to its intended target. But organizations don't have those resources, and this is where AI provides real-world, tangible benefits. Payload-less email attacks attempt to cause the recipient to do something the attacker wants them to do by upping the urgency through the tone of the messaging. This is easily discernible by current AI models and allows the message to be filtered out before it reaches a person that it might work on.

How are these services being delivered?

Secure Email Gateways (SEGs) have been around for a long time, acting as an intermediary in the email chain to provide security for a service that had no safeguards built into it initially. SEG vendors have incorporated AI models to increase detection efficacy as part of both inbound and outbound protection models. API-delivered email protection services have also leveraged AI models with increasing success. In fact, the only way an API-delivered service can work effectively to protect users against email threats is by leveraging AI models to make decisions faster than users can. In an API-delivered service, the email has to make it to the user's inbox first, at which point it turns into a race between the user opening the email and the security service taking action.

This is where the rubber really hits the road. When you think of allow/block policies, most products will break detections into an efficacy scale: think high, medium, and low confidence scoring. Most admins will block high confidence policy hits; if you can't trust a high confidence alert, then why did you buy the product? Low confidence policy hits almost never get blocked; it's low confidence for a reason, and that usually means a nuisance rather than a threat. Medium alerts are where AI needs to drain the queue. If a product generates a large number of medium alerts, then it's setting the admin up for failure. If an admin can't feel confident blocking every alert that rises above nuisance level, then the users will be left to fend for themselves, and the product will provide minimal value. The strength of the AI models, the depth of the explanation provided to admins about the decisions that were made, and the ability of the platform to provide intelligence and automation hooks into a Security Orchestration, Automation, and Response (SOAR) platform are the major value-adds for an AI-powered email security solution.
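To make the confidence-tier policy above concrete, here is an added example (not code from the original post or from any vendor's product) of how a triage stage can score a payload-less message on the signals discussed earlier in the post, map the score to a high/medium/low tier, and attach the explanation an admin would want to see when the medium tier is handed to a SOAR hook. The trusted domain, the sample messages, the point values, the tier thresholds, and the shape of the SOAR payload are all constructed assumptions; a keyword list stands in for the tone/urgency model so the example runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample data: this trusted domain and the messages below are made up.
TRUSTED_DOMAINS = {"example.com"}

# Urgency/tone cues of the kind the post describes. In production this is a
# learned classifier; the regex list is a stand-in so the example runs offline.
URGENCY_PATTERNS = [
    r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\basap\b",
    r"\bbefore (?:end of day|eod|close of business)\b",
    r"\bdon'?t (?:tell|mention)\b",
]
# Requests that carry financial or credential consequences (assumed list).
ACTION_PATTERNS = [r"\bwire\b", r"\bpayment\b", r"\bgift cards?\b", r"\bpassword\b"]


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int        # 0..100, integer points so thresholds are exact
    tier: str         # "high" | "medium" | "low"
    action: str       # what the policy does with this tier
    reasons: list     # the explanation shown to the admin / sent to SOAR


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None.

    An exact trusted match is not a lookalike (it may be a compromised internal
    account, which only the content signals can catch)."""
    if domain in trusted:
        return None
    for t in trusted:
        if 0 < levenshtein(domain, t) <= 2:
            return t
    return None


def score_message(msg: Message) -> Verdict:
    """Score a message and map it to the allow/block confidence tiers."""
    reasons, score = [], 0
    text = f"{msg.subject} {msg.body}".lower()
    domain = msg.sender.rsplit("@", 1)[-1].lower()

    imitated = lookalike_domain(domain)
    if imitated:
        score += 45
        reasons.append(f"sender domain {domain!r} is a lookalike of trusted {imitated!r} (+45)")

    urgency_hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if urgency_hits:
        pts = min(15 * len(urgency_hits), 45)   # capped so tone alone stays medium
        score += pts
        reasons.append(f"{len(urgency_hits)} urgency cue(s) in subject/body (+{pts})")

    if any(re.search(p, text) for p in ACTION_PATTERNS):
        score += 25
        reasons.append("requests a sensitive action (payment/credentials) (+25)")

    score = min(score, 100)
    if score >= 80:                     # high confidence: block outright
        tier, action = "high", "block"
    elif score >= 40:                   # medium: quarantine and let automation drain it
        tier, action = "medium", "quarantine_and_open_soar_case"
    else:                               # low: nuisance level, record only
        tier, action = "low", "log_only"
    return Verdict(score, tier, action, reasons)


def soar_case(msg: Message, v: Verdict) -> dict:
    """Payload an automation hook would hand to a SOAR platform (shape assumed)."""
    return {"sender": msg.sender, "subject": msg.subject, "score": v.score,
            "tier": v.tier, "recommended_action": v.action, "explanation": v.reasons}


# Constructed sample messages: a lookalike-domain BEC attempt, a benign
# internal nudge, and a vendor payment change that lands in the medium tier.
SAMPLES = [
    Message("ceo@examp1e.com", "Urgent wire transfer",
            "I need this done immediately before end of day. Don't mention it to anyone."),
    Message("alice@example.com", "Can you review the deck today?",
            "Need your feedback asap on the slides."),
    Message("vendor@partner-corp.net", "Payment reminder",
            "Please process the payment immediately, our account details changed."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = score_message(m)
        print(f"{v.tier:6} {v.score:3} {v.action:30} {m.sender}")
        if v.tier == "medium":
            print("  SOAR case:", soar_case(m, v))
```

The point of the integer scoring and the cap on urgency points is that tone alone can never push a message into the high tier; it takes tone plus a lookalike sender or a sensitive request, which mirrors the post's argument that medium alerts are where the model has to earn its keep and where the explanation list matters most to the admin deciding whether to trust the queue.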

Defense in depth

So, what's the right solution for you and your organization? When it comes to email, the number one business collaboration app in the known universe, one solution might not be enough. The great thing about cloud-delivered email infrastructure is that you can run multiple solutions with minimal impact on your users. SEG functionality is still a must, but it no longer has to be a dedicated product as it once was; email service providers can fill some of that need. The trade-off when relying on a service provider for security, though, is that they will always be a service provider first, which means tough decisions like scan timeout values will always be made in favor of service delivery SLAs over security needs. Email service + AI-powered API security is a strong solution for many organizations, but it's not the right one for all organizations. Email service + SEG + AI-powered API security lets you leverage the strengths of each approach and build a deep defensive perimeter around your organization's most critical communications platform.