A few weeks ago we wrote about the Mimecast Cyber Resilience Summit in Dallas and as a follow-up, Mimecast’s CEO Peter Bauer has unveiled his vision for the future of email security.
‘Today organizations are required to think bigger and create proactive cyber resilience postures that address the threats at the email perimeter, inside the email network, and also beyond their purview, to eliminate the threats that abuse the trust in their brands out in the wild. Organizations must also leverage the vast telemetry and threat intelligence that can be gathered at the attack surface of their email systems to make their teams and their other security investments smarter and more effective.’
This is what Bauer referred to as advancing from perimeter email security to pervasive email security and you can read the full article here.
But What Does It Mean In The Real World?
Let’s go back, way back…
Email Security 1.0 was largely about spam, which needlessly consumed network bandwidth and was mainly a performance and management issue (enter MessageLabs, the first cloud-based scanner, which removed 80%+ of email-related network traffic by stopping spam in the cloud rather than on premises).
By the time Email Security 2.0 came around, the focus had shifted to malware embedded in attachments and the earliest forms of phishing and impersonation, which ushered in the age of URL scanning and attachment scanning. As is often the case, Mimecast gained first-mover advantage amongst email security providers by launching its Targeted Threat Protection (TTP) module, which specifically protected users against malicious files and URLs sent via email.
Both 1.0 and 2.0 treated the email perimeter as the point at which an attack is launched, but 3.0 takes a different viewpoint.
Today, as many businesses know to their considerable cost, attacks are increasingly sophisticated and increasingly hard to detect and prevent as they move away from the traditional perimeter. Instead of trying to infiltrate specific internal users, attackers are going big by using a trusted brand to launch an attack on that brand’s supply chain or client base.
In a purely hypothetical example we will use British Airways (and it must be clear that this is just an example we have made up for the purposes of this blog post).
As well as millions of passengers every year, BA carry a significant amount of pharmaceutical freight (medicine and equipment) to cities all over the world and their clients for large-scale freight are the major forwarding companies like FedEx and DHL as well as the pharmaceutical companies themselves.
A pervasive attack could look something like this:
Example 1: An attacker spoofs a British Airways email account (email@example.com) and sends an email to one of the forwarding companies which could take the form of a fraudulent invoice with the bank details requesting – or even demanding – payment.
Example 2: It could be a spoof email containing a link purporting to be a portal/site for booking freight slots (and asking for credit card payment at the same time).
The trouble facing BA in these hypothetical examples is that both are outside the control of traditional internal IT departments so they become very hard – almost impossible in many cases – to police effectively.
Example 1: What Should They Do?
In example 1, BA should lock down their SPF* records so that only legitimate emails from known and registered email sources can be sent using the ba.com domain. This would prevent spoofing of the ba.com domain.
*SPF stands for Sender Policy Framework. It is a type of Domain Name System (DNS) TXT record that identifies which mail servers are permitted to send email on behalf of a particular domain. The purpose of an SPF record is to allow receiving mail servers to detect, and reject, messages sent with forged ‘From’ addresses on that domain.
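To make the SPF point concrete, here is an added example (not from the original post, and not Mimecast’s or DMARC Analyzer’s code) of a minimal SPF evaluator in Python. It runs against constructed TXT records held in an inline dictionary rather than live DNS; the ba.com record, the IP ranges and the include domain are placeholders, and the second record shows a weak ‘~all’ policy beside the locked-down ‘-all’ one.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record.
# All addresses and the include domain are illustrative placeholders.
ZONE = {
    # Locked-down record: only the listed sources may send, everything else hard-fails.
    "ba.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.gateway.invalid -all",
    # Record of the outsourced gateway referenced by the include above.
    "_spf.gateway.invalid": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # Weak record: unknown sources only soft-fail, so spoofed mail is often still delivered.
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate sender_ip against the SPF record of domain.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    Handles ip4, ip6, include and all; a/mx/exists/redirect are left out.
    """
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1 ") or depth > 10:
        return "none"  # no usable record (or include chain too deep)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to a pass qualifier
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include" and arg:
            # include matches only if the referenced record yields 'pass'
            matched = check_spf(arg, sender_ip, zone, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for dom, ip in [("ba.com", "203.0.113.45"), ("ba.com", "192.0.2.9"), ("weak.example", "192.0.2.9")]:
        print(dom, ip, check_spf(dom, ip))
```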
Having spoken about how important anti-spoofing is, Mimecast, in yet another example of staying ahead of the curve, have strengthened their position even further by acquiring DMARC Analyzer, a SaaS-based solution provider that offers user-friendly Domain-based Message Authentication, Reporting and Conformance (DMARC) setup, management and analysis.
You can read about the acquisition and the details here but put simply, DMARC Analyzer’s simple and effective service offerings help reduce the time, effort and cost of stopping domain spoofing attacks.
Example 2: What Should They Do?
In example 2, BA could use the services of a company such as SegaSec, who provide end-to-end solutions for mitigating the risk of consumer phishing scams and who have a technical partnership with Mimecast. They intelligently detect and block potential sources of phishing attacks, scan millions of web pages in real time for fraudulent imitations of a brand’s web portals, and have them shut down – protecting the reputation of the brand.
Mimecast & Microsoft – Cat & Mouse
Over the last 3-5 years, there has been a perpetual game of cat and mouse between Mimecast (and, it can be argued, Proofpoint) and Microsoft as the latter attempts to react to the market by updating their email gateway to offer similar levels of coverage to Mimecast.
In the past six months, with the launch and subsequent improvements of Microsoft’s ATP module (a paid-for add-on, or included in E5), that gap narrowed, with Microsoft providing controls around malicious URLs and attachments three or more years after Mimecast brought them to market (but who’s counting…).
But, the gap has widened again and the industry (our very own Stephen Dorling) is unsure whether it can be closed.
Microsoft’s Exchange Online Protection with Advanced Threat Protection is good at combating yesterday’s threats and may be sufficient for combating today’s, but it is certainly not geared up for tomorrow’s. Mimecast is.
And Who Can Blame Them?
When you’re the world’s biggest productivity platform, does one really need to be at the bleeding edge of security for mass adoption? Perhaps not, but that certainly doesn’t mean that their clients should needlessly expose themselves to unnecessary risk.
In this case, two clouds are definitely better than one.
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or who should be starting in England’s midfield at Euro 2020, Henderson, Winks, Barkley, Mount, Sancho, Oxlade-Chamberlain, Alli, Lingard, Rice, Maddison, Dier or all of them in a 0-11-0 formation…