Email security is not going away

Although it's easy to forget about email security sometimes, it is not a set-it-and-forget-it technology. When email was on-prem and the threats were always "out there", largely static email gateways at the perimeter were good enough to keep threats out and data in. Now that the majority of email is in the cloud, everything is "out there": the threats, the security controls, sensitive data, external senders, and yes, even the internal mailboxes. Vendors have continued to introduce technologies that leverage the cloud, embracing what makes cloud services unique rather than attempting to retrofit on-prem techniques into a virtualized environment. This article is an attempt to cover what we've seen recently in the Software as a Service (SaaS) email security space, for organizations that are leveraging cloud-delivered email and email security services.

The move to cloud

The move to cloud created economies of scale for both email services and email security providers. The cost of maintaining gateways, mailboxes, and backup services could be spread across tens of thousands of customers. This allowed for both cost savings and cost certainty for customers by turning email into a yearly operating-expense (op-ex) subscription rather than a capital-expense (cap-ex) hardware platform. The never-ending wait for the next on-prem component to fail at the worst possible time and create a multi-hour, sometimes multi-day, outage was replaced by a 99.9% uptime SLA. Email security providers also moved to the cloud to support the new consumption model, which shifted from a heavy emphasis on hardware support to an easier software support model. Most of the issues that remained were admin-created and could be solved by reverting to a previous configuration in a cloud-based console. From the perspective of an email security administrator, very little changed, and the things that did change were for the better. Because an in-line email gateway was never physically in-line in the first place, only logically, by way of your MX record, secure email gateways (SEGs) simply shifted to the cloud and took your MX records with them. This architecture is still a tried-and-true approach, but with cloud hosting come cloud tools, and new approaches to longtime problems.

The cloud is not just someone else's data center 

Virtualized SEGs and SaaS email were the highlights of early cloud adoption, but by no means the limit of what the cloud could do. Virtualized cloud gateways allow for faster threat-intelligence sharing, more robust denial of service protection, and fewer hardware scaling and support concerns for customers. They have also allowed for increased compatibility with newer same-vendor and third-party integrations through the use of Application Programming Interfaces (APIs). Automation of virtualized systems and services rides on the back of APIs. The more APIs that are opened from service to service and service to consumer, the further we move away from an on-prem look-alike architecture in the cloud. APIs allow users and services to call on some of the same features that make cloud virtualization what it is. The ability to quickly pull and push data, make admin changes, and share signals between services means that companies can stay ahead of attackers in what is still the number one threat delivery and data exfiltration channel. Beyond that, though, APIs can change how email is handled in cloud environments in two other ways:

API Clawback - This is likely a method you have heard of already. The email is delivered to the inbox first; an API call then pulls a copy of the message and its attachments and inspects it for malicious code or content. If the email poses a risk to the environment, another API call moves that email out of the inbox (typically to a quarantine folder). Because inspection happens after delivery, there is a short window in which the user can see and act on the message before it is pulled, which is the trade-off for not sitting in the delivery path. This method, coupled with common-sense controls from your email service for inbound nuisance threats and outbound data exfiltration, can be used to root out complex threats that go beyond misspelled advance-fee fraud. With a full copy of the email and attachments, an API-based solution can apply machine-learning models to header, content, and sender-behaviour signals to spot the slightest inconsistency and take appropriate action.

API Routing Rules - This might be a method you're not as familiar with, and you can be forgiven for that, because only a small number of vendors offer it. This method uses APIs to rewrite the routing rules for inbound and outbound email and shunt it to a third-party cloud for inspection before delivery. This combines the speed of APIs with the pre-inbox protection of a SEG, taking full advantage of what a cloud email environment can do to protect against inbound threats and outbound data exfiltration. The caveat is that the third-party cloud becomes part of your delivery path, so its availability and latency now affect mail flow.
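The clawback flow described above, as an added example that is not code from this page or from any vendor: a post-delivery loop that lists delivered messages, inspects each one, and moves flagged messages to quarantine. The mailbox API is a stub standing in for whatever platform API you use (the page names none), the three messages and the tenant domain `example.com` are constructed for the example, and the rule-based checks (authentication results, Reply-To mismatch, urgency language, risky attachment types) stand in for a vendor's classifier; they are illustrative, not a complete detection set.

```python
"""Post-delivery "API clawback" loop against a stub mailbox API (added example)."""
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the example
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|within the hour|wire transfer|gift cards?)\b", re.I
)
RISKY_ATTACHMENT = (".zip", ".iso", ".exe", ".js", ".html", ".lnk")


class StubMailbox:
    """Stand-in for the two API calls clawback needs: list messages and move one."""

    def __init__(self, raw_messages):
        self.folders = {"Inbox": dict(enumerate(raw_messages)), "Quarantine": {}}

    def list_messages(self, folder="Inbox"):
        return list(self.folders[folder].items())

    def move(self, msg_id, src, dst):
        self.folders[dst][msg_id] = self.folders[src].pop(msg_id)


def inspect_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. What the receiving MX recorded for SPF/DKIM/DMARC.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")
    if from_dom == INTERNAL_DOMAIN and any(f.startswith("dmarc=") for f in findings):
        findings.append("claims internal sender but fails DMARC")

    # 2. Replies silently redirected to a domain other than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_dom:
        findings.append(f"reply-to domain differs from From ({from_dom})")

    # 3. Time-pressure language, the payload-less lure that needs no attachment.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and URGENCY.search(body.get_content()):
        findings.append("urgency language in body")

    # 4. Attachment types worth sandboxing rather than trusting on sight.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT):
            findings.append(f"risky attachment {name} ({part.get_content_type()})")
    return findings


def clawback(mailbox: StubMailbox, threshold: int = 2) -> dict[int, list[str]]:
    """Inspect every delivered message; move those at/over the threshold to Quarantine."""
    moved = {}
    for msg_id, raw in mailbox.list_messages("Inbox"):
        findings = inspect_message(raw)
        if len(findings) >= threshold:
            mailbox.move(msg_id, "Inbox", "Quarantine")
            moved[msg_id] = findings
    return moved


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # 0: ordinary internal mail, all authentication passes
    b"Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    b"From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: Lunch\n"
    b"Content-Type: text/plain\n\nStill on for noon?\n",
    # 1: spoofed internal sender, external Reply-To, time pressure
    b"Authentication-Results: mx.example.com; spf=softfail; dkim=none; dmarc=fail\n"
    b"From: IT Helpdesk <helpdesk@example.com>\nReply-To: support@mail-reset.example\n"
    b"To: bob@example.com\nSubject: Password expires\nContent-Type: text/plain\n\n"
    b"Urgent: reset your password immediately or lose access within the hour.\n",
    # 2: authenticated external sender with a zip attachment (sandbox, don't quarantine)
    b"Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    b"From: Vendor <billing@vendor.example>\nTo: bob@example.com\nSubject: Invoice\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    b"--b1\nContent-Type: text/plain\n\nInvoice attached.\n"
    b"--b1\nContent-Type: application/zip; name=\"inv.zip\"\n"
    b"Content-Disposition: attachment; filename=\"inv.zip\"\n"
    b"Content-Transfer-Encoding: base64\n\nUEsDBA==\n--b1--\n",
]

if __name__ == "__main__":
    box = StubMailbox(SAMPLE_MESSAGES)
    for msg_id, why in clawback(box).items():
        print(f"message {msg_id} -> Quarantine: {'; '.join(why)}")
```

The threshold keeps a lone finding (message 2's zip) from triggering a pull on its own; in practice that message would be handed to an attachment sandbox instead, and a model-based product replaces the hand-written rules with a score.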

What else is new?

The promise of AI can cause fatigue in security. It's a threat, a product, a talking point, and a solution to every problem, all rolled up into one. But AI has the ability to be a game changer in email security before just about any other cyber market. So much of what goes into email-based threats is the lack of time to just stop and ask yourself a few simple questions like "Was I expecting this email?" or "Am I being rushed into a decision I wouldn't normally make?". AI can take the emotion out of the equation and examine things like the email headers, the tone of the message, and other details that a well-trained SOC analyst would likely have discovered, if given enough time. Rushing a user to act is the key to many email-based threats, and AI is well suited to countering that human vulnerability. AI is being baked into email security solutions in multiple places:

AI Threat Analysis - Not every malicious email includes an attachment. Sandboxing attachments is common practice now, so attackers often move on to payload-less approaches that trick the recipient into doing something they wouldn't normally do. The psychology behind this has been understood for a long time, and it's now rolled into AI models that can spot these tactics before the user even sees them.

AI SOC Analyst - Anyone who cut their teeth in a SOC knows it's full of repetitive tasks that need to be completed in the hope that the needle rises to the top of the haystack. Now that work can be done in a fraction of the time by something that doesn't run on coffee. Emails that constitute a threat to the organization can be put at the top of an analyst's to-do list, with a bullet-point read-out of everything that's wrong with them and what actions were taken.

User Interactive AI - The "Report" button for phishing emails has been a game changer. All of the time and effort that's gone into training your users can now pay off with one click that gets the email in front of an analyst. How can this be improved upon? In some more novel approaches, users can query the AI directly for feedback on emails they find questionable. This helps users better understand what they are seeing and learn from the experience. It also gives time back to your analysts, who might have spent far longer than they'd like to admit making sure they didn't give a thumbs-up to a malicious email.

Conclusion

Designing security for the cloud requires an understanding of all of the tools that are available, from both the email service and the email security side. Like most IT architectures, there can be overlap in functionality. Some email security tools are offered by email service providers, and some core tenets of email services can be found in email security solutions. This can cause organizations to question whether their email service is good enough on its own or whether they need to layer email security services on top of it, and if so, how much. Let us help you answer these questions as we have with so many others.