Email security has been in a state of transformation for a few years now. The targeted nature of email attacks, coupled with the migration to cloud email, has driven organizations to reevaluate their email security controls and processes. On September 8, 2020, Gartner released its latest ‘Market Guide for Email Security’, a research document derived from more than 1,300 Gartner client interactions between June 2019 and June 2020. The Market Guide defines email security market challenges, outlines attributes of Representative Vendors, and provides recommendations for security leaders who are responsible for email security.
You can get a complimentary copy of the Market Guide by visiting this link.
This blog will cover our thoughts on the recommendations and key findings of the 2020 Market Guide for Email Security.
The State of Native Email Security
Enterprise adoption of cloud office systems such as Office 365 and G Suite is on a clear upward trajectory, with 71% of companies now using cloud or hybrid cloud email according to the Market Guide. Significant shifts to remote work have continued to fuel this adoption. Organizations are increasingly relying on built-in protection capabilities from cloud email providers. In the Market Guide, Gartner makes the following strategic planning assumption:
“By 2023, at least 40% of all organizations will rely on built-in protection capabilities from cloud email providers as the main line of defense, up from 27% in 2020.”
Increased adoption of native email security will shore up defenses against spam, malware, and some mass phishing campaigns. With many native security capabilities competing with those offered by Secure Email Gateways (SEG), organizations should reevaluate the makeup of their email security stack and aim for threat coverage powered by additive (rather than duplicative) detection algorithms.
Research from Feb 2020 validates the need to augment native email security, with more than 53% of respondents finding native email security capabilities to be insufficient. Organizations are increasingly supplementing native email security with additional API-based solutions that focus on business email compromise (BEC) and other targeted attacks that get past overly deterministic security controls.
While cloud email continues to grow, Microsoft Exchange deployments are still very much a part of the email landscape. Recent research found that 65% of organizations still use on-premises email, at least to some extent. With many organizations also embracing hybrid deployment, the resulting complexity often leads to email security that’s ill-equipped to handle today’s vast array of targeted, socially engineered attacks. API-based email security solutions that also support Exchange and hybrid deployments can help organizations as they make the move to the cloud, without penalizing them until they are fully in the cloud. API-based email security solutions can also protect internal email communications and prevent lateral movement by attackers, areas where SEGs fall short.
The Importance of BEC Protection
On the continued rise of BEC and other targeted email attacks, Gartner says:
“Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for $8 million in 2019. These attacks increasingly use spoofed emails from legitimate organizations or are a result of account takeover attacks.”
This resonates with what Armorblox is learning in our conversations with CISOs, business leaders, and security practitioners. Today’s adversaries research their targets, mask payloads by standing up zero-day domains with redirections, and often impersonate trusted parties to steal money and data. Attackers are also foregoing payloads altogether, focusing instead on socially engineered messages that are expressly crafted to induce certain actions from victims, e.g., asking to change direct deposit information or asking for iTunes gift cards. Legacy security controls fall short of protecting against these attacks.
On protecting against BEC and other targeted email attacks, Gartner says:
“Invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. Seek solutions for BEC protection that use AI to create a baseline for and detect communication patterns and conversation-style anomalies. For account takeover attacks, seek solutions that use computer vision when reviewing suspect URLs.”
As a Gartner Cool Vendor in Cloud Office Security, the Armorblox platform, in our view, aligns strongly with the tenets laid out above. Armorblox analyzes thousands of signals across identity, behavior, and language to stop BEC, account takeover, and other targeted email attacks that get past traditional security controls.
As we onboard customers, Armorblox ML models create historical baselines from the past 6 months of customer emails to provide context-aware threat detection. These models are continuously updated after learning across three tiers. A global model is trained on attacks detected across organizations, an organization-specific model is custom-built for every Armorblox customer, and a user-specific model identifies patterns and anomalies for each individual user. This learning-focused approach ensures protection against both global, industry-agnostic attacks and attacks that include organizational or user context.
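To make the tiered-baseline idea concrete, here is an added example (not Armorblox's code or model, and not from the Market Guide) that builds user-level and organization-level sender baselines from a constructed mail history and scores a new message on identity, behavior, and language signals. All addresses, display names, and the payroll-phrase list are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed 6-month history for one organization: (recipient, sender address, display name).
# Hypothetical sample data, not real customer mail.
HISTORY = [
    ("ann@example.org", "ceo@example.org", "Dana Lee"),
    ("ann@example.org", "ceo@example.org", "Dana Lee"),
    ("ann@example.org", "hr@example.org", "HR Team"),
    ("bob@example.org", "ceo@example.org", "Dana Lee"),
    ("bob@example.org", "vendor@supplier.test", "Supplier Billing"),
]

# Phrases typical of payroll-diversion requests (constructed list for the example).
PAYROLL_PHRASES = ("direct deposit", "update my bank", "change my payroll", "new account number")


def build_baseline(history):
    """User tier: senders each recipient has corresponded with; org tier: senders
    anyone in the org has seen; identity map: display name -> addresses that used it."""
    user_senders = defaultdict(Counter)
    org_senders = Counter()
    name_to_addrs = defaultdict(set)
    for rcpt, sender, name in history:
        user_senders[rcpt][sender] += 1
        org_senders[sender] += 1
        name_to_addrs[name].add(sender)
    return {"user": user_senders, "org": org_senders, "names": name_to_addrs}


def score_message(baseline, rcpt, sender, name, body):
    """Return (score, reasons): one point per identity, behavior or language anomaly."""
    reasons = []
    if sender not in baseline["user"][rcpt]:
        reasons.append("behavior: first-time sender for this recipient")
    if sender not in baseline["org"]:
        reasons.append("behavior: sender never seen anywhere in the organization")
    known = baseline["names"].get(name, set())
    if known and sender not in known:
        reasons.append("identity: display name belongs to a known contact but address differs")
    text = body.lower()
    if any(p in text for p in PAYROLL_PHRASES):
        reasons.append("language: payroll / direct-deposit change request")
    return len(reasons), reasons


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    # Constructed impersonation: the CEO's display name from an outside address, asking to change direct deposit.
    print(score_message(bl, "ann@example.org", "dana.lee@webmail.test", "Dana Lee",
                        "Can you update my direct deposit to a new account number before payroll runs?"))
    print(score_message(bl, "ann@example.org", "ceo@example.org", "Dana Lee", "Please send the Q3 numbers."))
```

A message from a sender known to the organization but new to this recipient scores lower than one unknown at both tiers, which is what lets the user and organization models complement rather than duplicate each other.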
The Need for M-SOAR
On post-delivery protection, Gartner says:
“Organizations should evaluate vendors that have added detection and response capabilities to address threats that were not initially caught and were allowed to land in a user’s inbox. Using API integrations with cloud email systems (such as Office 365) or plug-ins for email clients (such as Outlook), these vendors can attempt to “claw back” a malicious message by removing it from the user’s inbox after initial delivery.”
Phishing response has been a continuing challenge for security teams as they deal with high alert volumes, scores of false positives, and highly manual response actions. Armorblox addresses this by automatically analyzing and remediating the vast majority of emails reported to company phishing mailboxes. For threats that need manual review and response, Armorblox automatically creates policies that block identical and similar future threats to ensure that security teams only review threats that merit their attention.
The Danger of Data Loss
On data protection within email security, Gartner says:
“Accidental data loss due to human error is one of the most common causes of data breach, often simply due to misdirected email. According to analysis of data from the U.K.’s Information Commissioner’s Office (ICO) by CybSafe, 90% of data breaches were caused due to human error.”
We believe people are the new perimeter, a perimeter that lacks protection at the moment. The interconnected and digital nature of today’s communications makes both account compromise and human error inevitable. The 2020 Cost of Data Breach Report cites that 80% of all data breaches involved customer PII, throwing the challenge into sharp and quantifiable relief.
Armorblox uses natural language understanding (NLU) to analyze data differently from legacy solutions, enabling organizations to monitor and control the sharing of sensitive and confidential data with unauthorized recipients. And we recognize this is a problem surpassing just email, with accidental data loss now growing on messaging and file-sharing platforms. Armorblox integrates with Slack and Box to provide customers visibility into sensitive data loss on and across cloud office applications.
We think the market guide portrays email security in a state of transformation driven by cloud email adoption and growing BEC attacks. Organizations should refer to the guide while evaluating today’s email security threats, auditing their native security capabilities, and selecting appropriate third-party security controls.
Gartner, Market Guide for Email Security, 8 September 2020, Mark Harris, Peter Firstbrook, Ravisha Chugh
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.