

This is Part 2 of a two-part blog series on how organizations can efficiently augment their native Office 365 security controls to stop targeted email attacks. In Part 1, we evaluated the strengths and gaps of native Office 365 email security measures. In Part 2, we will look at characteristics of third-party email security controls that provide the most effective complement to native Office 365 email security.
Native Office 365 email security (EOP) does a good job protecting against spam, known malware, and mass phishing campaigns. Microsoft ATP leverages threat intelligence and machine learning models to detect advanced phishing attempts, stop zero-day malware, and provide attack simulations to improve end user education. But there are entire categories of email compromise that evade Office 365 detection, manipulate language and intent, and lull victims into a false sense of security that the email they’re replying to is legitimate.

There’s only so far that eye tests and phishing awareness can take us. Organizations should complement native Office 365 email security with third-party controls that take a different approach to threat detection, deployment, and learning. Such an email security suite results in a more holistic approach, a better spread of techniques, and a more efficient allocation of the security budget.
Breadth and Depth of Detection
Since Business Email Compromise (BEC) attacks can’t be detected by heavy-handed ‘all or nothing’ signals, third-party email security controls should provide a breadth and depth of signal analysis that cuts across user identity, user behavior, and email language.
- Identity: Email security controls need to exhaustively analyze who users are in order to prevent impersonation and spoofing attempts. What’s the user’s name, role, and hierarchical status within the organization? What devices, browsers, and email clients do they normally use?
- Behavior: Identity is a critical part of email analysis, but these signals can turn noisy if used in isolation. It’s also important to analyze what users do, create a behavior baseline, and study any anomalies from this baseline to accurately detect problems such as account takeovers and insider threats. What’s the extent of interaction that a user has with internal and external recipients? What time of the day do they normally send most of their emails? What location and IP address do they usually log in from?
- Language: If cybercriminals are able to mask their identity and/or behavior, understanding the language in the email and the intent behind the email can be analysis signals that stop a pernicious attack. What’s a user’s normal writing style and are they noticeably deviating from it? Does the email have a tone of inordinate authority or urgency?
Analyzing a confluence of signals across identity, behavior, and language can enable third-party security controls to detect attacks that EOP/ATP or SEGs might let through. And with recent advancements in Natural Language Understanding (NLU) and machine comprehension, technology today is capable of making this breadth and depth of analysis a reality.
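An added illustration of the "confluence of signals" idea above (not code from the original post or from any vendor's product): a toy scorer over constructed messages that flags mail only when at least two of the identity, behavior, and language categories deviate. The baseline, keyword list, threshold, and every name in it are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed baseline for one user; a real system would learn this from mail history.
BASELINE = {
    "cfo@example.com": {"name": "dana reyes", "clients": {"Outlook"},
                        "hours": range(8, 19), "countries": {"US"}},
}
URGENCY_TERMS = ("urgent", "immediately", "wire", "confidential", "today")

@dataclass
class Email:
    from_addr: str
    display_name: str
    client: str
    hour: int        # local send hour, 0-23
    country: str     # geolocated from the sending IP
    body: str

def signals(msg):
    """Score each category in [0, 1]; higher means further from normal."""
    known = BASELINE.get(msg.from_addr)
    # Identity: a known user's display name on a different address, or an unusual client.
    spoofed = any(b["name"] == msg.display_name.lower() and addr != msg.from_addr
                  for addr, b in BASELINE.items())
    identity = 1.0 if spoofed else 0.5 if known and msg.client not in known["clients"] else 0.0
    # Behavior: deviation from the sender's usual send time and login location.
    behavior = 0.0
    if known:
        behavior = ((msg.hour not in known["hours"]) + (msg.country not in known["countries"])) / 2
    # Language: crude urgency/authority cue count standing in for an NLU model.
    text = msg.body.lower()
    language = min(1.0, sum(term in text for term in URGENCY_TERMS) / 3)
    return {"identity": identity, "behavior": behavior, "language": language}

def verdict(msg, threshold=0.5):
    """Flag only when at least two categories deviate, so one noisy signal is not enough."""
    fired = [name for name, value in signals(msg).items() if value >= threshold]
    return ("flag" if len(fired) >= 2 else "deliver"), fired

# Constructed sample messages.
IMPERSONATION = Email("dana.reyes@mail.example.net", "Dana Reyes", "Webmail", 14, "US",
                      "Urgent: please wire the payment today and keep this confidential.")
TAKEOVER = Email("cfo@example.com", "Dana Reyes", "Outlook", 3, "XX",
                 "Need this invoice paid immediately, wire details attached.")
LEGITIMATE = Email("cfo@example.com", "Dana Reyes", "Outlook", 10, "US",
                   "Urgent: the board deck review is today.")
```

The legitimate message trips the language cue alone and is delivered, while the impersonation and takeover samples each trip two categories and are flagged.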
Continuous Learning
As long as email remains a critical vehicle for communication, attackers will try to evolve their techniques to bypass existing security measures. Ripping and replacing the entire email security stack every few years is not a cogent way to run security operations. Organizations should invest in email security solutions based on technologies and machine learning models that get better with time.
It’s understandable if reading ‘machine learning’ engenders some skepticism, given the prevalent overuse and misuse of the term among security vendors. Here are some learning-focused capabilities within email security solutions that effectively complement EOP/ATP protection features:
- Learning across organizations: Solutions that leverage anonymized signals across organizations as training data for their ML and fraud prediction models can offer broad and forward-looking email threat protection. Some BEC attacks start with one industry (for example, financial services or local government) and replicate successful techniques across other industries. A model that learns across organizations minimizes this attacker advantage.
- Learning within organizations: If learning across organizations offers breadth, building custom self-learning models for each organization offers depth. Models that account for the volume and nature of external/internal email interactions, frequency of communication across departments, legitimate third-party vendor context, and other enterprise-specific signals can provide high-fidelity and relevant email threat detection.
- User-focused learning: The most focused and possibly deepest level of learning comes from studying individual user identity, behavior, and language signals. A user’s writing style, the topics they discuss, their common login locations, and the people they frequently communicate with are signals that can provide vital context during an email account compromise or targeted attack.
- Learning from manual actions: The goal of machine learning systems should never be to replace human insight in security. Rather, ML models should channel human insight where it’s needed most and spare security teams from manual, repetitive response whenever possible. To this end, every manual action that security teams take (for example, marking an email threat as a false positive) should turn into valuable data that recalibrates ML models and minimizes similar manual actions in the future.
API-First Deployment
As organizations move their email to the cloud with Office 365, it’s advisable to rethink the preferred deployment of third-party email security controls as well. Specifically, organizations should look for API-first deployment models rather than going down the well-trodden path of SMTP-based gateways.
Deploying SEGs often requires modification of MX records and rerouting emails through either on-premises or hosted servers, increasing complexity and negatively affecting email availability on occasion. Ensuring ongoing compatibility also diverts resources from IT and security teams that already tend to be lean by necessity and design.
A SEG sitting in front of EOP/ATP not only duplicates security capabilities, but it also reduces the effectiveness of some EOP connection filtering and detection features. Some SEG vendors actually recommend disabling EOP features to realize full value from their solutions.
An API-based email security solution will sit on top of (rather than in front of) EOP/ATP, providing additional controls and detection capabilities that address attacks only once they get past native Microsoft defenses. This deployment model enables organizations to extract full value out of their existing O365 investments rather than tweaking and duplicating efforts.
Armorblox augments native Office 365 email security capabilities to provide the widest non-overlapping breadth of attack protection. By leveraging unique detection techniques, a cloud-native deployment model, and comprehensive interconnectivity with Microsoft APIs, Armorblox provides organizations with the most efficient allocation of their email security budget.