Securosis

Data Security in the SaaS Age: Rethinking Data Security

Securosis has a long history of following and publishing on data security. Rich was the lead analyst on DLP about a zillion years ago during his time with Gartner. And when Securosis first got going (even before Mike joined), it was on the back of data security advisory and research. Then we got distracted by this cloud thing, and we haven't gone back to refresh our research, given some minor shifts in how data is used and stored, with SaaS driving the front office and IaaS/PaaS upending the data center (yes, that was sarcasm). We described a lot of our thinking on the early stages of this transition in Tidal Forces 1 and Tidal Forces 3, and it seems (miraculously) a lot of what we expected 3 years ago has come to pass.

But data security remains elusive. You can think of it as a holy grail of sorts. We've been espousing the idea of "data-centric security" for years: protect the data itself, and you can worry less about securing devices, networks, and associated infrastructure. As with most big ideas, it seemed like a good idea at the time. In practice, data-centric security has been underwhelming, because having security policy and protection travel along with the data, as data spreads to every SaaS service you know about (and a bunch you don't), was too much. How did Digital Rights Management work at scale? Right.

The industry scaled back expectations and started to rely on techniques like tactical encryption, mostly using built-in capabilities (full-disk encryption, and the transparent encryption built into databases and file systems). That was the path of least resistance: it satisfied compliance requirements and made it "feel" like the data was protected. To be clear, this was mostly security theater. Encryption that sits below the application is transparent to the application, so anyone who compromises the application (or steals its credentials) still gets unfettered access to the data in the clear. Other techniques, like masking and tokenization, at least provided a means to shield sensitive data from interlopers, and newer tactics like test data generation tools give developers an option that doesn't inadvertently expose production data. But even with all of these techniques, most organizations still struggle to protect their data. And it's not getting easier.

The Data Breach Triangle

Back in 2009, we introduced a concept called The Data Breach Triangle, a simple construct for enumerating the ways to stop a data breach: you need to break one of the legs of the triangle.

- Data: The equivalent of fuel. Information to steal or misuse.
- Exploit: A vulnerability or exploit path that gives an attacker unapproved access to the data.
- Egress: A path for the data to leave the organization. It could be digital, such as a network egress, or physical, such as portable storage or a stolen hard drive.

Most of the modern security industry has focused on stopping the exploit, either by blocking its delivery (firewall/IPS) or by preventing compromise of the device (endpoint protection). There were also attempts to stop the egress of sensitive data via outbound filters, firewalls, web proxies, or DLP. And as described above, attempts to protect or shield the data itself have been hard to achieve at scale. So what do we get? Consistent breaches. Normalized breaches. To the point that an organization losing tens of millions of identities no longer even registers as news.

SaaS exacerbates the issue

Protecting data continues to get more complicated. SaaS has won. As we described in Tidal Forces, SaaS is the new front office. If anything, the remote work phenomenon driven by the inability to congregate in offices safely will accelerate this trend. Protecting data was hard enough when we knew where it was. I used to joke about how unsettling it was back in 1990 when my company outsourced the mainframe and it was suddenly in Dallas rather than in our building in Arlington, VA. At least all of our data was in one place. Now most organizations have dozens (or hundreds) of different organizations controlling critical corporate data. Yeah, the problem isn't getting easier.

Rethinking Data Security

What we've been doing hasn't worked. Not at scale, anyway. We've got to take a step back and stop trying to solve yesterday's problem. Protecting data by encrypting it, masking it, tokenizing it, or putting a heavy usage policy around it wasn't the answer, for many reasons. The technology industry has rethought applications and the creation, usage, and storage of data. Thus, we security people need to rethink data security for this new SaaS reality. We must rethink both the expectations of what data security means and the potential solutions. That's what we'll do in this blog series, Data Security for the SaaS Age.

We haven't been publishing as much research over the past few years, so it probably makes sense to revisit our Totally Transparent Research methodology. We'll post all of the research to the blog, and you can weigh in and let us know that we are full of crap or that we are missing something rather important. Comments on this post are good, or reach out via email or Twitter. Once we have the entire series posted and have gathered feedback from folks far smarter than us, we package up the research as a paper and license it to a company to educate its customers. In this case, we plan to license the paper to AppOmni (thanks to them), although they can decide not to license it at the end of the process, for any reason. This approach allows us to write our research without worrying about anyone providing undue influence. If they don't like the paper, they don't license it. Simple.

In the next post, we focus on the solution, which isn't a product or a service; rather it's a process. We update the Data Security Lifecycle for modern times, highlighting the need for a systematic approach to identifying critical data and governing the use of that data in

Insight 5/27/2020: Samson

Do you ever play those wacky question games with your friends? You know, where the questions try to embarrass you and make you say silly things? I was never much of a game player, but sometimes it’s fun. At some point in every game, a question about your favorite physical feature comes up. A lot of people say their eyes. Or their legs. Or maybe some other (less obvious) feature. It would also be interesting to ask your significant other or friends what they thought. I shudder to think about that. But if you ask me, the answer is pretty easy. It’s my hair. Yeah, that sounds a bit vain, but I do like my hair. Even though it turned gray when I was in my early 30s, that was never an impediment. It probably helped early in my career, as it made me seem a bit older and more experienced, even though I had no idea what I was doing (I still don’t). The only issue that ever materialized was when I first started dating Mira (who also has great hair). She showed my picture to her daughter (who was 12 at the time), and she asked, “why are you dating that old guy?” That still cracks me up. This COVID thing has created a big challenge for me. I usually wear my hair pretty short, trimmed with a clipper on the sides, and styled up top. But for a couple of months, seeing my stylist wasn’t an option. So my hair has grown. And grown. And grown. As it gets longer, it elevates. It’s like a bird’s nest elevation. You know, like losing your keys in there elevation. I could probably fit a Smart Car in there if I don’t get it cut at some point soon. If I’m going to grow my hair out, I want to have Michael Douglas’s hair. His hair is incredible, especially during his Black Rain period. The way his hair flowed as he was riding the motorcycle through Tokyo in that movie. It was awesome, but that is not to be. My destiny is to have big bird nest hair. Mira told me to shave it off. I have a bunch of friends that have done the home haircut, and it seems to work OK. 
I learned that a friend of mine has been doing his hair at home for years. And he looks impeccable even during the pandemic. I’m a bit jealous. I even bought a hair clipper to do it myself. I figured I’d let one of the kids have fun with it, and it would make for a fun activity. What else are we doing? The clipper is still in its packaging. I can’t bring myself to use it. Even if the self-cut turned out to be a total fiasco, my hair grows so fast it would only take a few weeks to grow out. So we aren’t talking about common sense here. There is something deeper in play, which took me a little while to figure out. I used to wear my hair very short in college during my meathead stage. So it’s not that I’m scared of really short hair. Then I remembered the one time I did a buzz cut as an adult. It was the mid-90s when I was 60 lbs heavier and into denim shirts. Yes, denim shirts were cool back then, trust me. So combine a big dude with a buzz cut in a denim shirt, and then one of my friends told me I looked like Grossberger from Stir Crazy, that was that. No more buzz cut. Clearly, I’m still scarred from that. I guess I have a bit of a Samson complex. It’s like I’ll lose my powers if I get a terrible haircut. I’m not sure what powers I have, but I’m not going to risk it. I’ll just let the nest keep growing. Mira says she likes it, especially when I gel my hair into submission and comb it straight back. I call it the poofy Gekko look. But I fear the gel strategy won’t last for much longer. By the end of the day, the top is still under control, but my sides start to go a little wacky, probably from me running my hands through my hair throughout the day. I kind of look like Doc Brown from Back to the Future around 6 PM. It’s pretty scary. What to do? It turns out hair salons were one of the first businesses to reopen in Georgia. So I made an appointment for mid-June to get a cut from my regular stylist. Is it a risk? Yes. 
And I've never checked her license, but I'm pretty sure her name isn't Delilah. The salon is taking precautions. I'll be wearing a mask and so will she. We have to wait outside, and she cleans and disinfects everything between customers. It's a risk that I'm willing to take. Because at some point, we have to return to some sense of normalcy. And for me, getting my hair cut without risking a Grossberger is the kind of normalcy I need.

Insight 5/14/2020: Hugs

The pandemic is hard on everyone. (says the Master of the Obvious) It’s a combination of things. There are layers of fear — both from the standpoint of the health impact, as well as the financial challenges facing so many. We cannot underestimate the human toll, and unfortunately, the US has never prioritized mental health. As I mentioned last week in my inaugural new Insight, I’m not scared for myself, although too many people I care about are in vulnerable demographics. I’m lucky that (at least for now) the business is OK. I work in an industry that continues to be important and for a company that is holding its own. But it’s hard not to let the fear run rampant. The Eastern philosophies teach us to stay in the moment. To try to focus on what’s right in front of you. Do not fixate on decisions made or roads not taken. Do not think far ahead about all of the things that may or may not come to pass. Stay right here in the experience of the present. And I try. I really try to keep the things I control at the forefront. Yet there is so much I don’t control about this situation. And that creates a myriad of challenges. For example, I don’t control the behavior of others. I believe the courteous thing to do now is wear a mask when in public. There are certainly debates about whether the masks make a real difference in controlling the spread of the novel coronavirus. But when someone near me is wearing a mask, it’s a sign (to me anyway) that they care about other people. Maybe I’m immunocompromised (thankfully I’m not). Maybe I live with someone elderly. They don’t know. The fact is they likely don’t have the infection. But perhaps they do. It’s about consideration, not about personal freedoms. I have the right to approach someone sitting nearby and fart (from 6 feet away, of course). But I don’t do that because it’s rude. I put wearing a mask into the same category. But alas, I don’t control whether other people wear masks. I can only avoid those that don’t. 
NY Governor Andrew Cuomo said it pretty well. I don't control who takes isolation seriously and who doesn't. Many people have decided to organize small quarantine pods that isolate with each other because they don't see anyone else. This arrangement requires discipline and trust and doesn't scale much past 2 or 3 families. Being in a blended household means that I had my pod defined for me. There are my household and the households of both of our former spouses. It's hard to keep everyone in sync. My kids were staying with their Mom in the early days of quarantine. But my son was seeing other kids in the neighborhood. Not a lot, but a few. And supposedly those kids were staying isolated – until they weren't. One of the neighbors had a worker in the house and then had a visitor who was a healthcare professional in Canada. Sigh. So he goes into isolation for two weeks, and I can't see my kids. Then my former spouse got religion about isolation and decided that she wasn't comfortable with my pod, which includes Mira's former spouse. She doesn't know him, and in this situation, trust is challenging. Sigh. Another six weeks of not seeing my kids. Mira and I have done a few social distance walks with them, but it's hard. You wonder if they are too close. So we adapted and set up chairs in a parking lot and hung out. It's tough. All I wanted to do was hug my kids, but I couldn't. To be clear, in the grand scheme of things, this is a minor problem. A point in time that will pass. Maybe in 6 months, or maybe in a year. But it will pass. And I've got it good, given my health and ability to still work. Many people don't. They may be alone, or they may not have a job. Those are big problems. But I also don't want to minimize my experience. It sucks not to be able to parent your kids. It's getting more complicated by the day. Things in Georgia (where I live) are opening up.
Many of the kid’s friends are getting together, and the reality is that we can’t keep them isolated forever. So their Mom and I decided we would keep things locked down through the end of May and then revisit our decision in June. My kids could stay with me for a little while. And that happened last week. When I went over to pick them up, I was overcome. It was only a hug, but it felt like a lot more than that. Over the past week, I got to wake them up, pester them to do online classes, eat with them, and sit next to them as we watched something on Netflix. We were going to figure out week by week where the kids would stay. I’m not going anywhere, so that would work great. But the best-laid plans… I found out that my oldest is seeing her friends. And isn’t socially distancing. Sigh. She’s an adult (if you call 19 an adult), and she made the decision. I’m unhappy but trying to be kind. I’m trying to understand her feelings as her freshman year in college abruptly ended. She went from the freedom of being independent (if you call college independent living) to being locked up in her Mom’s house. That when you are 19, you don’t really think about the impact of your actions on other people. That you can get depressed and forget about the rules and do anything to take a drive with a couple of friends. And now the other house where my kids live is no longer in my pod. One of the kids is with me, and she’ll stay for a couple of

Insight 5/4/2020: Confessions

It's a sunny late spring day. Mike steps into the dank building and can smell the must. It feels old but familiar. Strangely familiar. The building looks the same, but he knows it's different. Too much time has passed. He steps into the confessional and starts to talk. Mike: Forgive me. It's been almost 3 and a half years since I've been here. I'd say it was because I have been busy, which I have. But it's not that. I spent close to 13 years here, and I had gone through a pretty significant personal transformation. As I was navigating the associated transitions, I guess I just wanted to live a bit and integrate a lot of the lessons I've learned behind the scenes for a while. Confessor: OK. That seems reasonable. How's that been going? Mike: Pretty good, I'd say. I mentioned my new love (her name is Mira). We got married in mid-2017. I packed my oldest daughter off to college last August, and my step-son leaves for his college hopefully at the end of this summer. We've got a wonderful blended family and we've made some close friends as well. Physically I'm good as well. I've been able to maintain my fitness through intense workouts (thanks to OrangeTheory) and use the time in class as my mindfulness practice. And I just try to improve a little bit each day and live my life with kindness and grace. Confessor: How's work going? You mentioned being busy, but what does that mean? Everyone is busy. Mike: That's a good point. Culturally there is some kind of weird incentive to be busy. Or to look busy, anyway. Rich and I have been grinding away. Adrian decided to move on last December, so we've just kept pushing forward. Evidently cloud security is a thing, so we've benefited from being in the right place at the right time. But we spend a lot of time thinking about how work changes and the impact on security. We don't quite know what it will look like, but we're pretty sure it accelerates a lot of the trends we've been talking about for the past 5 years.
I’m also happy to say DisruptOps is doing well (we closed a Series A back in late February). I guess I’m just grateful. I work with great people and I can still pay the bills, so no complaints. Confessor: Hmmm. So you are in a good spot personally and the business is doing well. It seems that you used the time away from here productively. Why come back now? Mike: I found that being here was a way of documenting my journey, for me. And that many of the people here enjoyed it and learned a thing or two. The fact is we are in the midst of a very uncertain time. Our society has undergone shocks to the system and we’re all trying to figure out what a “new normal” looks like. I don’t have any answers, to be clear, but I want to share my fears, my hopes, and my experiences and hope that we’ll all navigate these challenging and turbulent waters together. Confessor: Fear. That’s a good place to start. What are you scared of? Mike: Simply put, that COVID-19 impacts people that I love. We’ve been lucky so far, taking the quarantine seriously, but I am not taking that for granted and continuing to stay inside. Good thing I can come here virtually. Strangely enough, I have little fear regarding my own physical well-being. I made a deal with Mira that we’d be together for at least 44 years and I plan to make good on that deal. But our parents are old and in some cases, immunocompromised. We can’t control what other people do and whether they respect the threat or the science. So it’s definitely scary. Confessor: How are you holding up mentally? Mike: It’s tough. My head was spinning. I was consumed by the news and reacting to most every Tweet. It wasn’t productive. So I’ve started seated meditation again. I just needed to shut down my thoughts, even for a short time, and open up to possibility. To get into the habit of controlling my thoughts, my outlook, and my mood. Meditation helps me do that. 
And it's hard to not be able to do the things we love and have no idea when things will return to some semblance of normal. You know, doing simple things that I took for granted, like travel. Mira and I love to travel and we're very fortunate to go on very cool trips. We can't see shows or live sports for the time being. That sucks. I also value the time I can spend with clients and at conferences. Who knew that the RSA Conference would be the last time many of us will travel for business for who knows how long? But you make the best of it. Confessor: We've changed a lot in the time that you were away. There are new people here. Some have moved on. Mike: It's not like I'm the same person either. We're all constantly changing. The goal is to navigate change in the most graceful way possible. I like to think my changes have been positive. I don't need to act like a grump anymore; I was happy to leave that aspect of my persona behind. I think there is also something to be said about the wisdom of experience. I don't claim to be wise, but I have a lot of experience. Mostly screwing things up. Hopefully, I'll be able to continue sharing that experience here and we can learn together. We're in uncharted territory and that can be pretty exciting if you are open to the inevitable changes ahead. Confessor: So when will you be back? And I suspect it won't look the same, will it? Mike: You are pretty perceptive. I always enjoyed that about being here. I'm going to aim to

The TWELFTH Annual Disaster Recovery Breakfast: (IM)MATURITY

For Rich and me, it seems like forever that we've been doing this cloud thing. We previewed the first CCSK class back at RSAC 2011, so we're closing in on 10 years of hands-on, in-the-weeds cloud stuff. It's fundamentally changed Securosis, and we ended up as founders of DisruptOps as well. Yet as the cloud giveth, it also taketh away. Adrian's unique perspective on application and cloud security made him a great candidate to join Bank of America, so he did. It's a great opportunity, but we'll certainly miss having him around during RSAC week. Especially since it means I'll have to get the aspirin and Tums for you derelicts.

But that's not this year's DRB theme. We picked (IM)MATURITY because it's hard to keep in mind that we're still in the very early stages of the cloud disruption of IT. The questions we get now are less "what is this cloud thing?" and more "what does the journey look like?" We didn't have a decent answer, so we set out to find one. That led us to partner with our friends at IANS to develop a Cloud Security Maturity Model that gives you a sense of the cloud journey and helps you understand how to increase your cloud security capability and maturity. At this year's DRB, we'll have the model on hand, as well as an online diagnostic where you can do a self-assessment against the model. We may even have a new strategic relationship to announce at the breakfast. (hush, hush, don't tell anyone)

Let's celebrate both our maturity in the security space (yes, this is my 24th RSA Conference) while acknowledging the immaturity of securing the cloud by once again holding the most kick-ass breakfast of the year. There are breakfast impostors now, filling up the TableTop Tap House on the other mornings of the conference. But we are the true breakfast innovators of the security industry. There can be only ONE Disaster Recovery Breakfast.

check out the full invite

Kidding aside, the DRB happens only because of the support of our long-time supporters LaunchTech and DisruptOps, and our media partner Security Boulevard. We're excited to welcome IANS, Cloud Security Alliance, Highwire PR, and AimPoint Group to the family as well. Please make sure to say hello and thank them for helping support your recovery.

As always, the breakfast will be Thursday morning of RSA Week (February 27) from 8-11 at Tabletop Tap House in the Metreon (fka Jillian's). It's an open door: come and leave as you want. The breakfast spread will be awesome (it always is), and the bar will be open. I am still drinking Decaf, but I've traded in my Bailey's for a little Amarula after sampling the nectar on my recent trip to South Africa. Please always always always remember what the DR Breakfast is all about. There will be no spin, no magicians, and we're pretty sure Rich will keep his pants on. It's just a place to find a bit of respite amongst the maelstrom of RSAC. To help us estimate numbers, RSVP to rsvp (at) securosis (dot) com.

Selecting Enterprise Email Security: the Buying Process

To wrap up this series we will bring you through a process of narrowing down the shortlist and then testing the products and/or services in play. With email it's less subjective, because malicious email is... well, malicious. But given the challenges of policy management at scale (discussed in our last post), you'll want to ensure a capable UX and sufficient reporting capabilities as well.

Let's start with the first rule of buying anything: you drive the process. You'll have vendors who want you to use their process, their RFP/RFI language, their PoC guide, and their contract language. All that is well and good if you want to buy their product. But what you want is the best product to solve your problems, which means you need to drive your selection process. We explained in our introduction that a majority of attacks start with a malicious email, so selecting the best platform remains critical for enterprises. You want to ensure your chosen vendor addresses the email-borne threats of not just today, but tomorrow as well.

A simple fact of the buying process is that no vendor ever says "We're terrible at X, but you should buy us because Y is what's most important to you." Even though they should. It's up to you to figure out each vendor's real strengths and weaknesses and line them up against your requirements. That's why it's critical to have a firm handle on your requirements before you start talking to vendors.

The first step is to define your short list of 2-3 vendors who appear to meet your needs. You accomplish this by talking to folks on all sides of the decision. Start with vendors, but also talk to friends, third parties (like us), and possibly resellers or managed service providers. When meeting vendors, stay focused on how their tool addresses your current threats and their expectations for the next wave of email attacks. Make any compliance or data protection issues (or both) very clear, because they drive the architecture and capabilities you need to test.
Don't be afraid to go deep with vendors. You will spend a bunch of time testing platforms, so ask every question you can to make an educated decision. The point of the short list is to disqualify products that won't work early in the process, so you don't waste time later.

Proof of Concept

Once you have assembled the short list it's time to get hands-on with the email security platforms and run each through its paces in a Proof of Concept (PoC) test. The PoC is where sales teams know they can win or lose, so they bring their best and brightest. They raise doubts about competitors and highlight their own capabilities and successes. They have phone numbers for customer references handy. But forget all that now. You are running this show, and the PoC needs to follow your script, not theirs.

Preparation

Vendors design PoC processes to highlight their product's strengths and hide its weaknesses. Before you start any PoC, be clear about the evaluation criteria. They don't need to be complicated. Your requirements should spell out the key capabilities you need, with a plan to further evaluate each challenger on squishier aspects such as setup/configuration, change management, customization, and user experience/ease of use.

With email it all starts with accuracy, so you'll want to see how well each platform detects and blocks malicious email. Of course you could stop there and declare the winner to be whoever blocks 99.4%, which is better than 99.1%, right? Yes, we're kidding. A single catch rate hides which messages were missed, and a missed credential phish is not equivalent to a missed piece of bulk spam. You also need to pay attention to manageability at scale.

Preparation also involves figuring out the policies you'll deploy on the product. These policies need to be consistent across all of the products and services you test. Some policies to think about:

- Email routing
- Blocked attacks (vs. quarantined)
- Spam/phishing reporting
- Email plug-in
- Threat intelligence feeds to integrate
- Disposition of email which violates policy
- Attributes requiring email encryption
- Integration with enterprise security systems: SIEM, SOAR, help desk

And we're sure there are a bunch of other policy drivers we missed. Work with each vendor's sales team to make sure you exercise each product or service to its fullest capabilities. Track any additional policies, above and beyond the policies you defined for all the competitors: you want an apples-to-apples comparison, but also want to factor in additional capabilities a competitor offers. One more thing: we recommend investing in screen capture technology. It is hard to remember what each tool did and how, especially after you have worked a few unfamiliar tools through the same paces. Capture as much video as you can of the user experience; it will come in handy as you reach the decision point.

Without further ado, let's jump into the PoC.

Testing

Almost every email system (Exchange, Office 365, G Suite, etc.) provides some means of blocking malicious email, so that is the base level for comparison. The next question is whether you want to take an active or passive approach during the PoC. In an active test you introduce malicious messages (known malware and phishing messages) into the environment and track whether the product or service catches the messages it should detect. A passive test runs the product against your actual mail stream, knowing it will see plenty of spam, phishes, and attacks if you look at enough messages. To undertake an active test you need access to malicious messages, which isn't a huge impediment: there are sites which provide known phishing messages, and plenty of places to get malware for testing. Of course you'll want to take plenty of precautions to ensure you don't self-inflict a real outbreak: inject samples into dedicated test mailboxes rather than real users' inboxes, detonate attachments only in an isolated lab, and prefer harmless industry test strings (GTUBE for spam, EICAR for attachment scanning) wherever they exercise the same path as a live sample.
There is risk in doing an active test, but it enables you to evaluate false negatives (missing malicious messages), which create far more damage than false positives (flagging
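A scoring harness for the active test described above, added here as an example in Python; it is not Securosis' tooling or any vendor's PoC guide. It constructs a small labelled corpus with Python's standard email library, including the GTUBE anti-spam test string and a lookalike-domain credential phish, then scores each vendor's verdict log so that false negatives are listed by message and weighted more heavily than false positives. The addresses, domains, the two vendor logs and the 10:1 cost weighting are constructed assumptions; the GTUBE string itself is the published industry test string.

```python
"""Active-test scoring harness for an email security PoC.

Added example, not Securosis' tooling. It builds a small labelled corpus of
constructed messages, then scores each vendor's verdict log against the ground
truth so false negatives and false positives are reported separately instead
of being folded into one catch rate. Addresses, domains and verdicts are all
constructed placeholders.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Dict, List

# GTUBE is the industry-standard anti-spam test string: it exercises the block
# path without injecting live malware into your mail flow.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
CAUGHT = {"blocked", "quarantined"}   # dispositions that count as a detection


@dataclass(frozen=True)
class TestMessage:
    msg_id: str
    label: str            # ground truth: "malicious" or "benign"
    message: EmailMessage


def _msg(msg_id: str, sender: str, subject: str, body: str, **headers: str) -> EmailMessage:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "poc-target@example.test", subject
    m["Message-ID"] = f"<{msg_id}@poc.example.test>"
    for name, value in headers.items():
        m[name.replace("_", "-")] = value
    m.set_content(body)
    return m


def build_corpus() -> List[TestMessage]:
    """Bulk spam, a credential phish, a macro attachment, and two benign
    messages (one newsletter that tends to trip aggressive filters)."""
    phish = _msg("cred-phish", "IT Helpdesk <helpdesk@example.test>",
                 "URGENT: password expires today",
                 "Re-validate now: https://login.examp1e.test/reset",
                 Reply_To="helpdesk@examp1e.test")      # lookalike reply-to domain
    macro = _msg("macro-doc", "accounts@example.test", "Invoice attached", "See attached.")
    # Inert stand-in: in a real PoC a genuine sample from an isolated corpus goes here.
    macro.add_attachment(b"PLACEHOLDER-NOT-A-REAL-MACRO", maintype="application",
                         subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return [
        TestMessage("gtube", "malicious", _msg("gtube", "bulk@example.test", "Special offer", GTUBE)),
        TestMessage("cred-phish", "malicious", phish),
        TestMessage("macro-doc", "malicious", macro),
        TestMessage("real-invoice", "benign",
                    _msg("real-invoice", "billing@supplier.example.test", "Invoice 4471", "PDF attached.")),
        TestMessage("newsletter", "benign",
                    _msg("newsletter", "news@vendor.example.test", "Weekly digest",
                         "Read more: https://track.vendor.example.test/c/abc123")),
    ]


@dataclass
class Score:
    vendor: str
    tp: int = 0
    fn: int = 0
    fp: int = 0
    tn: int = 0
    missed: List[str] = field(default_factory=list)   # malicious msg_ids that were delivered

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fn + self.fp + self.tn)

    def weighted_cost(self, fn_weight: float = 10.0, fp_weight: float = 1.0) -> float:
        """A delivered phish costs far more than a quarantined newsletter."""
        return fn_weight * self.fn + fp_weight * self.fp


def score_vendor(vendor: str, corpus: List[TestMessage], verdicts: Dict[str, str]) -> Score:
    """verdicts maps msg_id -> disposition from the vendor's log. A message the
    vendor never logged is treated as delivered: silence is a miss, not a pass."""
    s = Score(vendor)
    for tm in corpus:
        caught = verdicts.get(tm.msg_id, "delivered") in CAUGHT
        if tm.label == "malicious" and caught:
            s.tp += 1
        elif tm.label == "malicious":
            s.fn += 1
            s.missed.append(tm.msg_id)
        elif caught:
            s.fp += 1
        else:
            s.tn += 1
    return s


# Constructed verdict logs for two hypothetical vendors with identical accuracy.
VERDICTS = {
    "VendorA": {"gtube": "blocked", "macro-doc": "quarantined",
                "real-invoice": "delivered", "newsletter": "delivered"},   # cred-phish never logged
    "VendorB": {"gtube": "blocked", "cred-phish": "quarantined", "macro-doc": "blocked",
                "real-invoice": "delivered", "newsletter": "quarantined"},
}
```

Call `score_vendor(name, build_corpus(), VERDICTS[name])` for each vendor. The two constructed logs have identical accuracy (4 of 5), which is exactly the 99.4% versus 99.1% trap: VendorA silently delivered the credential phish while VendorB quarantined a newsletter, and the weighted cost (10 versus 1) makes that difference visible. Treating an unlogged message as delivered matters in practice, because a product that never saw a message should not get credit for it. In a real PoC, replace the placeholder attachment with a genuine sample from an isolated corpus and deliver the corpus to dedicated test mailboxes.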

Selecting Enterprise Email Security: Scaling to the Enterprise

As we continue down the road of Selecting Enterprise Email Security, let’s home in on the ‘E’ word: Enterprise. Email is a universal application, and scaling up protection to the enterprise level is all about managing email security in a consistent way. So this post will dig into selecting the security platform, integrating with other enterprise security controls, and finally some adjacent services which can improve the security of your email and so should be considered as part of broad protection.

Platform

The first choice is which platform you will build your email security on. Before you can compare one vendor against another you need to determine where the platform will run: in the cloud or on-premise. Although it’s not really much of a decision anymore. Certain industries and use cases favor one over the other. But overall, email security is clearly moving to the cloud. The cloud is compelling for email security because it removes some problematic aspects of managing the platform from your responsibility. When you get hit with a spam flood, if your platform is in the cloud, upgrading devices to handle the load is not your problem. When the underlying product needs to be updated, patching it is not your problem. You don’t need to make sure detections are updated. The cloud provider takes care of all that, which means you can focus on other stuff. Leveraging cloud security shifts a whole bunch of problems onto your provider. Bravo!

Another essential aspect of enterprise email security is the ability to recover and keep business running in case of a mail system outage. Your email security platform can provide resilience/continuity for your email system by sending and receiving messages, even if your primary email system is down or shaky. If you’ve ever had a widespread email outage and lived to tell the tale, it’s a no-brainer – ensuring the uninterrupted flow of messages tends to be Job #1, #2 and #3 for the IT group.

So in what use cases or industries does an on-premise email security gateway make sense? In highly sensitive environments where email absolutely, positively, cannot run through a service provider’s network. Email encryption enables you to protect mail even as it passes through the cloud, but that adds a lot of overhead and complexity. Some industries and verticals – think national security – find the cloud simply unacceptable. Or perhaps we should say it isn’t acceptable yet, because at some point we expect you to look back nostalgically at your data center – a bit like how you think fondly about wired telephones today. To avoid any ambiguity, aside from those kinds of high-security environments, we believe email security platforms should reside in the cloud.

Content Protection

Blocking malicious email is the top requirement of an email security platform, but a close second is advanced content protection. This could involve DLP-like scanning of messages and encrypting messages and/or attachments, depending on message content and enterprise policies. Most email security offerings offer content analysis, and typically built-in encryption as well. In terms of content analysis, you’ll want sophisticated analysis to be a core feature. That means “DLP-light,” which we described years ago (Intro, Technologies, Process). It’s not full DLP but provides sufficient content analysis to detect sensitive data, and enough customization to handle your particular data and requirements. The platform should be able to fingerprint sensitive data types and use built-in, industry-specific, and customizable dictionaries to pinpoint sensitive content. Once a potential violation is identified you’ll want sufficient policy granularity to enable different actions depending on message content, destination, attachment, etc.

The more involved the employee can be in handling those issues (with reporting and oversight, of course), the less your central Security team will get bogged down dealing with DLP alerts – a huge issue for full DLP solutions. Speaking of actions, depending on content analysis and policy, the message in question could be blocked or automatically encrypted. The most prevalent means of email encryption is the secure delivery server, which provides control over encrypted files (messages) by encrypting and sending them to a secure messaging service/server. The recipient gets a link to the secure message, and with proper authentication can access it via the service. Having sensitive data in a place you control enables you to set policies regarding expiration, printing, replying and forwarding, etc. based on the sensitivity of the content.

Integration

The base email security platform scans your inbound email, drops spam, analyzes and explodes attachments, rewrites URLs, identifies imposter attacks, looks for sensitive content, and may encrypt a subset of messages which cannot leave your environment in the clear. But to scale email security to your enterprise, you’ll want to integrate it with other enterprise controls.

Email Platform

The integration point that rises above all others is your email platform, especially if it is in the cloud (most often Office 365 or G Suite). It’s trivial to route your inbound email to a security platform, which then passes clean email to your server. Integration with the platform enables you to protect outbound email, and also to scan internal email as discussed in our last post. You have options to integrate your security platform with your email server whether email runs in the cloud or not, and whether security runs in the cloud or not. Just be wary of the complexity of managing dozens of email routing rules and ensuring that outbound email from a specific group is sent through the proper gateway or service on the way out.

Again, this isn’t overly complicated, but it requires diligence (particularly at scale) because if you miss a route, mail can be unprotected. Keep in mind that integration for internal email scanning is constrained by the capabilities of the email provider’s API. The big email service providers have robust APIs which provide sufficient access; but for any provider, see exactly what’s available.

Management

An enterprise email security gateway is a key part of your security infrastructure, so it should be tightly integrated into


Selecting Enterprise Email Security: Detection Matters

As we covered in the introduction to our Selecting Enterprise Email Security series, even after over a decade of trying to address the issue, email-borne attacks are still a scourge on pretty much every enterprise. That doesn’t mean the industry hasn’t made progress – it’s just that between new attacker tactics and the eternal fallibility of humans clicking on things, we’re arguably in about the same place we’ve been all along. As you are considering upgrading technologies to address these email threats, let’s focus on detection – the cornerstone of any email security strategy. To improve detection we need to address issues on multiple fronts. First we’ll look at threat research, which is critical to identify attacker tactics and maintain information sources of known malicious activity. Then you need to ensure detection will scale to your needs, as well as implement some attack-specific detection for phishing and Business Email Compromise (BEC). Finally we’ll evaluate use of internal email analysis as another mechanism to identify malicious activity within the environment.

Threat Research: the Foundation of Detection

The general tactics used to detect email attacks, such as behavioral analysis and file-based antivirus, are commoditized. There is little value in these tactics themselves, but many detection techniques working together can be highly effective. It’s a bit like mixing a cocktail. You can have five different liquors, but knowing the proportions of each liquor to use lets you concoct tasty cocktails. Modern detection is largely about knowing what tactics and techniques to use, and even more about being able to adapt their composition and mixture because attacks always change. So threat research is contingent on a mature and robust analytics capability. It’s about blending sources like multiple AV engines, malicious URL databases, and sender reputation databases to determine the optimal mix and weighting of each input.

It’s necessary to have a sufficiently large corpus of both good and bad email to identify common components and patterns of malicious email, which then filters back into the detection cocktail. Threat research requires analytics infrastructure and data scientists to run it effectively. During the courting process with potential vendors it’s helpful to understand their threat research capability in terms of resourcing/investment, skills, and output. Sure, having a research team find a new and innovative attack and getting tons of press is laudable, but it doesn’t help you detect malicious email. We recommend you focus on meat and potatoes activity, like how often detections are changed, and how long it takes a new finding to be rolled out to protect all customers.

Applied Threat Research

Once you are comfortable with a potential provider’s threat research foundation, the next area to evaluate is how that information is put to use within a gateway or service. For instance, how do behavioral detections work within the gateway or service? You’ll want to know how the offering protects URLs. You learned about their URL database above, but what happens when a URL is not in the database? Do they render it in a sandbox? Do they use techniques like URL rewriting and stripping malicious domains from email to protect users from attacks? Then focus on finding malicious attachments. How are inbound files analyzed? Does the provider have a sandbox service to perform analysis? What is the latency entailed in analyzing a file, and in the meantime is the message held or sent to the user, while the sandbox runs in the background? Will the service convert files to a safe format and deliver that, while maintaining availability of the original? What about impersonation attacks (often called Business Email Compromise [BEC]), where attackers try to convince employees that a message is legitimate, and to take some unauthorized action (like wiring a ton of money to their bank account)?

This is another form of social engineering, but these attacks can be detected by looking for header anomalies and watching for sender spoofing approaches (such as changing the display name and using lookalike domains). Even something simple like marking messages that come from outside your domain can trigger employees to scrutinize messages a bit more carefully before clicking a link or taking action. And let’s not forget about phishing. Does the provider have a means of tracking phishing campaigns across their customer base? Can they identify phishing sites and help have them taken down? Phishing is old news, but like many email attacks, seems to have a half-life measured in decades. Finally, how easy is it to categorize users and build appropriate policies for the group? For example, some groups have legitimate business requirements to get files from external sources (including HR for resumes, Finance for invoices, etc.). But some employee groups shouldn’t get many email attachments at all, or are likely to click links to compromised sites. So managing these policies at enterprise scale makes a big difference in the effectiveness of detection. We’ll discuss this more in our next post.

Internal Analysis to Detect Proliferation

Historically email security happened upon receipt of email. Once it was deemed legitimate, a message went on its way to the user, and if the gateway missed an attack you hoped to detect it using another control. Over the past few years, more enterprises have started evaluating internal email traffic to detect missed attacks (those dreaded false negatives). For example you can identify lateral movement of an attack campaign by tracking the same email to multiple employees. The ability to monitor and even remove malicious emails from a user’s mailbox can offer a measure of retrospective protection, addressing the fact that you will miss some attacks.

But once you identify a message as bad, you can find out which users received it, how many opened it, and whether they clicked the link – and remove it from their inboxes before more damage occurs. Another advantage of integrating security with internal email servers is outbound protection. You can check email for sensitive data and malicious attachments before it is sent, providing an earlier chance to stop an attack than
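The impersonation checks the post describes (a display name that claims a different address, a lookalike sender domain, Reply-To or Return-Path not matching From, and tagging mail from outside your domain) as an added example; this is not code from the original post or from any vendor’s product. INTERNAL_DOMAINS, the sample messages, the confusable-character folding and the one-edit threshold are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
# Digits commonly swapped for letters in lookalike domains (illustrative, not exhaustive).
_CONFUSABLE_DIGITS = str.maketrans("0135", "oles")

def _domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_internal(domain):
    """True for one of our domains or a subdomain of one."""
    return any(domain == own or domain.endswith("." + own) for own in INTERNAL_DOMAINS)

def normalize_domain(domain):
    """Fold common confusables (rn->m, vv->w, 0/1/3/5->o/l/e/s) before comparing."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLE_DIGITS)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats of our domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """External domain that, once folded, is within one edit of one of our domains."""
    if not domain or is_internal(domain):
        return False
    folded = normalize_domain(domain)
    return any(edit_distance(folded, own) <= 1 for own in INTERNAL_DOMAINS)

def analyze(raw_message):
    """Return the external flag, the (possibly tagged) subject and a list of header anomalies."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain: " + from_domain)
    # Display name carrying an address whose domain differs from the real sender's.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append("display name claims " + claimed.group(1).lower())
    for header in ("Reply-To", "Return-Path"):
        other = _domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(header.lower() + " domain differs: " + other)
    external = not is_internal(from_domain)
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject  # the simple visual cue the post mentions
    return {"external": external, "subject": subject, "findings": findings}

# Constructed sample messages (not real mail); .invalid is a reserved, non-routable TLD.
SAMPLE_BEC = """From: "cfo@example.com" <cfo.example@freemail.invalid>
Return-Path: <bounce@bulk-sender.invalid>
To: ap-clerk@example.com
Subject: Urgent wire transfer

Please handle this today.
"""
SAMPLE_LOOKALIKE = """From: Pat Finance <pat@exarnple.com>
To: ap-clerk@example.com
Subject: Updated bank details

See below.
"""
```

Running `analyze()` over the two samples flags the claimed-address mismatch and Return-Path anomaly in the first and the folded lookalike domain (exarnple -> example) in the second; a message from pat@example.com produces no findings and no tag.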


Selecting Enterprise Email Security: Introduction

It’s 2019, and we’re revisiting email security. Wait, what? Did we step out of a time machine and end up in 2006? Don’t worry – you didn’t lose the past 13 years in a cloud of malware (see what we did there?). But before we discuss the current state of email security, we thought we should revisit what we wrote in our 2012 RSA Guide about email security:

We thought we were long past the anti-spam discussion, isn’t that problem solved already? Apparently not. Spam still exists, that’s for sure, but any given vendor’s efficiency varies from 98% to 99.9% effective on any given week. Just ask them. Being firm believers in Mr. Market, clearly there is enough of an opportunity to displace incumbents, as we’ve seen new vendors emerge to provide new solutions, and established vendors to blend their detection techniques to improve effectiveness. There is a lot of money spent specifically for spam protection, and it’s a visceral issue that remains high profile when it breaks, thus it’s easy to get budget. Couple that with some public breaches from targeted phishing attacks or malware infections through email, and anti-spam takes on a new focus. Again.

To be clear, that was seven years ago. The more things change, the more they stay the same. We, as an industry, still struggle with protecting email – which remains the number one attack vector. That’s some staying power! We can be a little tongue-in-cheek here, but it underlies a continued problem that seems to defy a solution – employees. Email users remain the weakest link, clicking all sorts of stuff they shouldn’t. Over and over again. You’ve probably increased your investment in security awareness training, as it seems most enterprises are moving in that direction. We recently wrote a paper on Making an Impact with Security Awareness Training to cover that very topic. So check that out. In this series, Selecting Enterprise Email Security, we’re going to hit on the technologies and how to evaluate them to protect your email.

Before we get into that, let’s first thank our initial licensee, Mimecast, who has graciously agreed to potentially license this report at the end of the project. Remember, you benefit by gaining access to our research, gratis, because folks like Mimecast understand the importance of educating the industry.

Steady Progress

We can joke a bit about the Groundhog Day nature of email security, but let’s acknowledge that the industry’s made progress. Email providers (including Microsoft and Google) take security far more seriously, bundling detection capabilities into their base email SaaS offerings. They aren’t the best (we’ll dig into that later in this series), but we prefer even mediocre security built in to none at all. The arms race of detecting email-borne threats continues, with security vendors making significant investments in complementary technologies (such as malware analysis and security awareness training), purpose-built phishing solutions emerging, and a focus on threat intelligence to help the industry learn from common attacks. As in many other aspects of security, the emergence of better and more accurate analytics has improved detection. Security vendors have access to billions and billions of both good and bad emails to train machine learning engines, and they have. All the major companies hire as many data scientists as they can find to continually refine detection. We’ll dig into how to figure out which detection capabilities make an impact (and which don’t) in our next post.

New Attacks

Unfortunately it turns out adversaries aren’t standing still either. They continue to advance phishing techniques, especially for campaigns which last hours rather than days. They hit fast and hard, and then their phishing sites are taken down. Financial fraudsters have automated many of their processes and packaged them up into easily accessible phishing kits to keep overwhelming defenders.

We also see new attacks, like BEC (Business Email Compromise), where attackers spoof an internal email address to impersonate a senior executive (perhaps the CFO) requesting that a lower-level employee transfer money to a random bank account. And unfortunately far too many employees fall for the ruse, assuming what looks like an internal email is legit. And that’s not all. We see continued innovation in both defeating endpoint defenses (even fancy new next-generation AV products) and preying on the gullibility of employees with social engineering attacks. So your email system is still a major delivery vehicle for attacks, whether you run it in your data center or someone else’s. That means we need to make sure your email security platform can protect your environment. We’ll go through the latest technological advancements, and define selection criteria to drive your evaluation of enterprise email security solutions. We’ll start by digging into the latest and greatest detection techniques, then walk through enterprise features needed to scale up email security. Finally we’ll wrap up by providing perspective on procurement, including how to most effectively test email security services. Again, thanks to Mimecast for licensing this content so you can be brought up to date on the latest and greatest in email security.


DisruptOps: Cloud Security CoE Organizational Models

In the first post of our Cloud Security Center of Excellence series we covered the two critical aspects of being successful at cloud security: accountability and empowerment. Without accepting accountability to secure all the organization’s cloud assets, and being empowered to make changes to the environment in the name of improved security, it’s hard to enforce a consistent baseline of security practices that can dramatically reduce an organization’s attack surface.

Read the full post at DisruptOps.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.