Cybercrime against businesses is perpetually evolving, so security systems and tools must continually adapt to protect against new threats. Gartner determined one such adaptation as being distinct enough to warrant a new name: “Integrated Cloud Email Security” (ICES).
ICES emerged as a replacement for static email protections like Secure Email Gateways because today's threat landscape is unrelenting—particularly regarding phishing and Business Email Compromise (BEC) threats. The increase in these targeted, sophisticated attacks are slipping past SEGs, putting organizations that have not adopted more sophisticated targeted threat prevention like ICES at risk.
Per the 2021 IC3 Report, phishing attacks have been the overwhelming majority of these threats since 2019. In addition, BEC and other email account compromise (EAC) attacks accounted for roughly 35% of IC3-reported losses in 2021 alone.
Legacy systems like secure email gateways haven’t proved successful enough at defending businesses during the current cybercrime wave. Despite significant time spent configuring rules and exceptions in email security solutions, 70% of impersonation emails evaded native email security controls.
So how do ICES differ and improve protections?
What Are Secure Email Gateways (SEG)?
Let’s use an analogy you’re sure to understand. If an email were like an average airline passenger, Secure Email Gateways would be the pre-gate security screening. Origins, destinations, identification documents, and contents are all assessed for malicious content before passengers (like emails) are allowed through their respective processes.
Additionally, SEGs would oversee and monitor the “No Fly List” based on vendor-built threat detection engines and manually constructed filters when scanning for cybercrime indicators.
And, like airport security screenings, once an email successfully passes through an SEG, there are no additional checks – any additional security would require human efforts. Unfortunately, this means that cyberthreats bypassing initial filtration have a much greater chance of success.
SEG Operational Characteristics
For each inbound email, SEGs perform the following steps––relying on internal threat detection engines and manually configured filters.
- The email’s sender is assessed and validated based on IP address or domain (e.g., reputation, safelists).
- The email is scanned for viruses and checked for DMARC, DKIM, and SPF email validation (three primary email security protocols which require manual configuration and maintenance).
- The email undergoes a quick threat assessment, which involves:
- Opening attachments in an isolated sandbox environment, usually delaying email delivery times
- Enforcing “time-of-click” security measures that only have the capability to identify and block bad URLs and threats that are already known, missing zero-day attacks
- Scanning for recognizable threat signatures that indicate malicious activity, based on attack methods and sources it has already encountered.
- Emails that pass these quick assessments are directed to recipients, whereas those that don’t are quarantined for further analysis. Meaning false positives can be trapped with delayed delivery to end users’ mailboxes.
While these four steps proved sufficient in the past, this is no longer the case. Bad actors’ sophisticated methods can better disguise their malicious activity to bypass these scans and filters.
SEGs Are Now Legacy Technology
Before ICES, most businesses relied on Secure Email Gateways to safeguard their communications from inbox-targeting cyberthreats like BEC and phishing. The prevalence of email-based cybercrime made layering SEG on top of native email security a business necessity, but this approach was not without its weaknesses.
With cybercriminals able to spoof valid email indicators, targeted attacks have a greater chance of slipping past these old technologies. SEGs have simply become insufficient at stopping today’s sophisticated email threats.
This is primarily due to SEGs' reliance on threat signature databases. And, despite the robust databases of email threat signatures collected, the FBI still recorded 847,376 victims of successful criminal activities last year, including:
- Phishing, vishing, smishing, pharming – 323,972 victims, amounting to $44,213,707 in losses
- BEC and EAC – 19,954 victims, amounting to $2,395,953,296 in losses
- Fake tech support – 23,903 victims, amounting to $347,657,432 in losses
- Ransomware – 3,729 victims, amounting to $49,207,908 in losses; however, the FBI notes that ransomware victims do not always report the crime, and these losses don’t include:
- Lost business
- Remediation services
What Are Integrated Cloud Email Security (ICES) Solutions?
With widespread cloud-based email platforms, providers have incorporated better native security, often duplicating the layer of protection against email attacks that SEGs were once applauded for. However, protection against targeted, sophisticated email threats is still needed as the email attack landscape advances and attackers craft ways of bypassing these native email security and SEG layers.
This is where ICES and its API-based integration come in. ICES solutions integrate directly with email platforms and provide better detection and protection against targeted threats through:
- Machine learning models and artificial intelligence
- Organizational behavior and individual analysis that identifies a baseline for communications and detects differentiators to provide proactive threat prevention
- Natural Language Understanding that processes and understands the content and context of email communications
Unlike the in-line deployment of SEGs (i.e., operating as a singular gateway), API integration allows ICES solutions to function alongside inbound, internal, and outbound email traffic flows. This achieves continual analysis—and does so without having to alter MX records.
Furthermore, ICES solutions continue learning through analyzing email traffic, which allows for better detection and protection for sophisticated threats, reduces false positives, automates security responses, and informs personnel to minimize human errors.
What Determines a Quality ICES Solution?
As with any machine learning and artificial intelligence solution, the quality and quantity of data determine the effectiveness of ICES solutions. Therefore, a robust, multivariate dataset is needed to identify and anticipate new and changing threat signatures.
What features should an ICES solution have? Here are some tips to consider before selecting an ICES solution for your business:
- Quality and fidelity of ML/AI training data: Armorblox has 58,000 customers and a set of models that learns from global attacks.
- Communication insights: Visibility over external and internal email traffic provides communication and workflow insights to your business’ security team.
- Ease of use: ICES solutions should also not require heavy lifting in day-to-day operations
- Integrations with orchestration and management tools: Integrating with other tools like Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) saves time for security professionals.
Protect Against Advanced Email Threats with Armorblox
SEGs don't provide protection against malicious actors targeting organizations with phishing, BEC, and similar email-based attacks. Organizations can best protect themselves from advanced and continually evolving email threats with ICES that augment native email security.
Armorblox is an Integrated Cloud Email Security and provides organizations the protection necessary against targeted email threats that slip past SEG and native email security solutions. Armorblox leverages ML and NLU to analyze customers’ email data and detect new threats to proactively protect against sophisticated email attacks in the future.
Want to learn more? Take a quick product tour below.