Selecting Enterprise Email Security: Scaling to the EnterpriseBy Mike Rothman
As we continue down the road of Selecting Enterprise Email Security, let’s hone in on the ‘E’ word: Enterprise. Email is a universal application, and scaling up protection to the enterprise level is all about managing email security in a consistent way. So this post will dig into selecting the security platform, integrating with other enterprise security controls, and finally some adjacent services which can improve the security of your email and so should be considered as part of broad protection.
The first choice is which platform you will build your email security on. Before you can compare one vendor against another you need to determine where the platform will run: in the cloud or on-premise. Although it’s not really much of a decision anymore. Certain industries and use cases favor one over the other. But overall, email security is clearly moving to the cloud.
The cloud is compelling for email security because it removes some problematic aspects of managing the platform from your responsibility. When you get hit with a spam flood, if your platform is in the cloud, upgrading devices to handle the load is not your problem. When the underlying product needs to be updated, patching it is not your problem. You don’t need to make sure detections are updated.
The cloud provider takes care of all that, which means you can focus on other stuff. Leveraging cloud security shifts a whole bunch of problems onto your provider. Bravo!
Another essential aspect of enterprise email security is the ability to recover and keep business running in case of a mail system outage. Your email security platform can provide resilience/continuity for your email system by sending and receiving messages, even if your primary email system is down or shaky. If you’ve ever had a widespread email outage and lived to tell the tale, it’s a no-brainer – ensuring the uninterrupted flow of messages tends to be Job #1, #2 and #3 for the IT group.
So in what use cases or industries does an on-premise email security gateway make sense? In highly sensitive environments where email absolutely, positively, cannot run through a service provider’s network. Email encryption enables you to protect mail even as it passes through the cloud, but that adds a lot of overhead and complexity. Some industries and verticals – think national security – find the cloud simply unacceptable. Or perhaps we should say isn’t acceptable yet because at some point we expect you to look back nostalgically at your data center – a bit like how you think fondly about wired telephones today.
To avoid any ambiguity, aside from those kinds of high-security environments, we believe email security platforms should reside in the cloud.
Blocking malicious email is the top requirement of an email security platform, but a close second is advanced content protection. This could involve DLP-like scanning of messages and encrypting messages and/or attachments, depending on message content and enterprise policies. Most email security offerings offer content analysis, and typically built-in encryption as well.
In terms of content analysis, you’ll want sophisticated analysis to be a core feature. That means “DLP-light,” which we described years ago (Intro, Technologies, Process). It’s not full DLP but provides sufficient content analysis to detect sensitive data, and enough customization to handle your particular data and requirements.
The platform should be able to fingerprint sensitive data types and use built-in, industry-specific, and customizable dictionaries to pinpoint sensitive content. Once a potential violation is identified you’ll want sufficient policy granularity to enable different actions depending on message content, destination, attachment, etc. The more involved the employee can be in handling those issues (with reporting and oversight, of course), the less your central Security team will get bogged down dealing with DLP alerts – a huge issue for full DLP solutions.
Speaking of actions, depending on content analysis and policy, the message in question could be blocked or automatically encrypted. The most prevalent means of email encryption is the secure delivery server, which provides control over encrypted files (messages) by encrypting and sending them to a secure messaging service/server. The recipient gets a link to the secure message, and with proper authentication can access it via the service. Having sensitive data in a place you control enables you to set policies regarding expiration, printing, replying and forwarding, etc. based on the sensitivity of the content.
The base email security platform scans your inbound email, drops spam, analyzes and explodes attachments, rewrites URLs, identifies imposter attacks, looks for sensitive content, and may encrypt a subset of messages which cannot leave your environment in the clear. But to scale email security to your enterprise, you’ll want to integrate it with other enterprise controls.
The integration point that rises above all others is your email platform, especially if it is in the cloud (most often Office 365 or G Suite). It’s trivial to route your inbound email to a security platform, which then passes clean email to your server. Integration with the platform enables you to protect outbound email, and also to scan internal email as discussed in our last post.
You have options to integrate your security platform with your email server whether email runs in the cloud or not, and whether security runs in the cloud or not. Just be wary of the complexity of managing dozens of email routing rules and ensuring that outbound email from a specific group is sent through the proper gateway or service on the way out. Again, this isn’t overly complicated, but it requires diligence (particularly at scale) because if you miss a route, mail can be unprotected.
Keep in mind that integration for internal email scanning is constrained by the capabilities of the email provider’s API. The big email service providers have robust APIs which provide sufficient access; but for any provider, see exactly what’s available.
An enterprise email security gateway is a key part of your security infrastructure, so it should be tightly integrated into your other security controls and tools. For instance, you’ll want to integrate with:
- SIEM: The SIEM tends to be the system of record to aggregate alerts and provide reporting for the security team. So you should be able to send it alerts.
- Work Management: Hand in hand with SIEM integration is the ability to send and receive tickets to and from your work management/operations platform. For example, if your email security service detects a device sending reconnaissance email internally, it should automatically start a ticket/case within your operations platform for a Tier 1 analyst to check out.
- SOAR Platform: Even more operationally sophisticated is integration with a Security Orchestration, Automation and Response (SOAR) platform. Detection of a phishing email would automatically trigger a response playbook in the email security service to delete the message, block the phishing web site in the web gateway, and check whether any other employees received the phish.
As we wrap up this discussion of features and capabilities of enterprise email security, it’s worth mentioning adjacent capabilities your vendor can provide.
- Security Awareness Training: Consolidation has begun: email security companies have acquired or partnered to provide security awareness training. The leverage is clear: it’s more effective to train an employee right after they clicked the wrong message or included private data in an email. For more information on awareness training check out our recent research (Making an Impact with Security Awareness Training).
- Web Security: Outbound content is content, right? There should be an opportunity to leverage email content analysis against what goes out via port 80 or 443. It’s not quite that simple – there are substantial differences in terms of latency, decryption, and email versus web exfiltration. So far we have seen limited benefit from getting outbound web filtering from an email security vendor, but we expect email and web security vendors to continue encroaching on each other’s territory.
- Archiving and eDiscovery: This is less about security and more about convenience. Your email security gateway sees every message going in and out of the enterprise, so storing those messages is straightforward. That minimizes the very real technical challenges of storing potentially billions of messages at a reasonable cost and maintaining chain of custody. An email archive also provides a good platform for eDiscovery, which is all about granular searches through high volumes of messages quickly and accurately, and then providing useful reports. If you pursue this, ensure you can manage archive cost by moving messages to less expensive (and less accessible) storage over time.
That covers the capabilities and features of an enterprise email security platform. Next, we’ll work through the finer points of evaluating and procuring products and services to wrap up this series.