Recently, Gartner published their Hype Cycle for Endpoint Security, 2020. This Hype Cycle report illustrates the maturity, adoption, and social application of specific technologies and attack trends in the endpoint security space. Here’s a link to the full report (only accessible to Gartner subscribers). According to Gartner:
“Security leaders are asked to protect endpoints from attacks, while also allowing access from any device to any application over any network, with minimal impact on user experience. We illustrate the most relevant innovations in the endpoint security space, for security leaders to adopt and put in place to address these challenges.”
The Rise and Rise of Business Email Compromise (BEC)
Business email compromise protection entered the Hype Cycle this year, being positioned in the ‘Innovation Trigger’ phase. Gartner defines this phase of the Hype Cycle as “a breakthrough, public demonstration, product launch or other event generates significant press and industry interest.”
We fully agree with the positioning of business email compromise protection technologies in the Hype Cycle. Our conversations with CISOs, business leaders, and security practitioners have brought the changing face of email attacks into sharp relief. Email attacks today are laser-focused and evade traditional detection by targeting human nature. Moving beyond mass phishing and malicious payloads, attackers are now researching their targets before sending socially engineered emails.
Fig: The rapid rise of business email compromise
BEC attacks are not just a singular entity either. Multiple attack types exist within the BEC umbrella, each utilizing a different combination of techniques to get past traditional defenses. Some attack types include:
- Payroll diversion fraud: Targeted emails that fraudulently request a change in direct deposit information to steal from an employee.
- Email account compromise: Attackers take over a legitimate email account through credential phishing. Attackers then use that account for further compromising customers, third-party vendors, and internal employees.
- Vendor email compromise: A ‘long con’ business email compromise attack that exploits legitimate third-party email accounts to further compromise the vendor’s clients.
- Advanced credential phishing: Attackers send emails with malicious zero-day URLs, often masking the final credential phishing site behind multiple redirects and lookalike pages.
Protecting Against Business Email Compromise
In the report, Gartner recommends:
“Security and risk management leaders should review existing email security solutions to ensure that BEC and internal email protection is included. Either upgrade existing email security solutions to include specific BEC protection or supplement existing controls with a cloud email security supplement that specifically targets BEC.”
Here are some Armorblox recommendations for organizations looking to improve their email security posture:
1. Increase breadth and depth of detection
Organizations should complement the native features of their cloud email providers (e.g., EOP for Office 365) with third-party controls that take a different approach to email security. Security solutions that look beyond identity-based signals and email authentication alone can provide better protection against socially engineered emails. Relying too heavily on binary signals won’t be sufficient to detect emails that are often sent from reputable accounts, contain zero-day links or forgo links altogether, and exploit the victim’s trust to steal money and data.
Advances in deep learning and natural language understanding (NLU) have made it possible for security technologies to truly analyze and reason with textual data (such as emails). Organizations should augment native email security with third-party controls that add something new to their threat detection arsenal.
2. Adopt a deployment model that simplifies the email security stack
Whether organizations have moved their email to the cloud or still run on-premises Exchange servers, it’s advisable to rethink the preferred deployment of third-party email security controls. Specifically, organizations should look for API-first deployment models rather than traversing the well-trodden path of SMTP-based Secure Email Gateways (SEGs).
Deploying SEGs often requires modification of MX records and rerouting email through either on-premises or hosted servers, which increases complexity and occasionally affects email availability. Ensuring ongoing compatibility also diverts resources from IT and security teams that already tend to be lean by necessity and design.
Fig: Organizations should embrace API-first email security implementation to simplify their security stack
An API-based email security solution will sit on top of (rather than in front of) native email security layers, providing additional controls and detection capabilities that address the full spectrum of email attacks - from spam and mass phishing emails to BEC attacks and zero-day credential phishing attempts. This deployment model enables organizations to extract full value out of their existing email security investments rather than tweaking and duplicating efforts.
3. Look for learning-focused systems
BEC attacks are targeted by nature, with attackers exploiting researched knowledge about you, your peers, your known vendor associates, and more. It thus stands to reason that organizations should invest in BEC protection based on systems that learn from custom organizational data and get better with time. Here are some systems to look for:
- Learning across organizations: Solutions that leverage anonymized signals across organizations as training data for their ML and fraud prediction models can offer broad and forward-looking email threat protection.
- Learning within organizations: If learning across organizations offers breadth, building custom self-learning models for each organization offers depth. Models that account for the volume and nature of external/internal email interactions, frequency of communication across departments, legitimate third-party vendor context, and other enterprise-specific signals can provide high-fidelity and relevant email threat detection.
- User-focused learning: The most focused and possibly deepest level of learning comes from studying individual user identity, behavior, and language signals. A user’s writing style, the topics they discuss, their common login locations, and the people they frequently communicate with are signals that can provide vital context during an email account compromise or targeted attack.
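To make the "learning within organizations" and "user-focused learning" signals concrete, here is an added example (not Armorblox code) that learns a per-recipient sender baseline from a constructed message history and scores new messages on first-contact senders, reused display names, lookalike sender domains, and payment-change language. All addresses, names and the payment phrase list are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed message history for one mailbox: (sender address, display name, recipient).
HISTORY = [
    ("cfo@acme.example", "Dana Lee", "payroll@acme.example"),
    ("cfo@acme.example", "Dana Lee", "payroll@acme.example"),
    ("billing@supplier.example", "Supplier Billing", "payroll@acme.example"),
]
# Phrases typical of payment-redirection requests; assumed list, not from the post.
PAYMENT_TERMS = ("direct deposit", "bank account", "routing number")

def build_baseline(history):
    """Learn, per recipient, the senders they have exchanged mail with, plus the
    address each display name has historically belonged to."""
    known = defaultdict(set)
    name_owner = {}
    for addr, name, rcpt in history:
        known[rcpt].add(addr)
        name_owner[name.lower()] = addr
    return known, name_owner

def lookalike(domain, known_domains, threshold=0.85):
    """Return a known domain this one closely resembles without matching exactly."""
    for kd in known_domains:
        if kd != domain and SequenceMatcher(None, domain, kd).ratio() >= threshold:
            return kd
    return None

def triage(msg, known, name_owner):
    """Score a message dict (from_addr, from_name, to, body); each reason adds 1."""
    reasons = []
    if msg["from_addr"] not in known.get(msg["to"], set()):
        reasons.append("first-contact sender for this recipient")
    owner = name_owner.get(msg["from_name"].lower())
    if owner and owner != msg["from_addr"]:
        reasons.append(f"display name previously seen only from {owner}")
    all_domains = {a.split("@")[1] for senders in known.values() for a in senders}
    kd = lookalike(msg["from_addr"].split("@")[1], all_domains)
    if kd:
        reasons.append(f"sender domain resembles known domain {kd}")
    if any(t in msg["body"].lower() for t in PAYMENT_TERMS):
        reasons.append("requests a change to payment details")
    return len(reasons), reasons
```

A routine message from a known sender scores 0, while a vendor-lookalike invoice update or a webmail "Dana Lee" asking to change direct deposit accumulates several reasons, which is the kind of context that lets a team prioritize or auto-remediate instead of reviewing every alert.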
4. When in fatigue, automate
Adding more layers of email security should not result in an increased volume of low-fidelity alerts for already overworked security teams. Email security controls that increase the relevance and reduce the volume of alerts that security teams need to review should be preferred. Email security solutions should aim to automatically remediate the vast majority of detected threats so that the security team can spend their valuable time looking at incidents that actually matter.
Fig: Organizations should embrace automation for all repeatable tasks in email security detection and response
We see the positioning of business email compromise protection in Gartner’s Hype Cycle for Endpoint Security, 2020 as a strong indicator for organizations and the capabilities they should focus on to protect against the email attacks of today and tomorrow.
To learn more about what Gartner has to say about email security’s evolution, download the ‘Cool Vendors in Cloud Office Security’ report by visiting the link below.
Gartner “Hype Cycle for Endpoint Security, 2020,” Dionisio Zumerle, Rob Smith, 15 July 2020
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.