This Week’s New Commentary on Chronicles of a CISO
It’s Time to Rethink Your Email Security
As every security professional knows, we work in a constantly evolving game of one-upmanship. If this past week’s headlines have shown us anything, it is how legacy email protections are failing to protect us from some of the newer attack methods being seen across the industry. Attackers continue to up the ante, evolving from basic HTML look-alike emails and typosquatting to gating their phishing pages behind CAPTCHAs (so that automated scanners never reach the payload), hosting on legitimate domains, and subverting DMARC and MFA controls in order to appear legitimate.
While I have no doubt that most of you have some type of email security in place, I wonder how many of you have done a true assessment of the features, functionality, and, more importantly, the detection rates of those solutions. As with any other attack vector, email attacks constantly adjust their evasion techniques to avoid detection. It is safe to say that the vast majority of email security solutions analyze messages in transit; however, as more and more companies move their mail to the cloud, a control that sees each message only once, on its way in, becomes less effective.
Much as the new breed of endpoint detection solutions continually monitors for suspicious activity rather than matching attack signatures, the new generation of email security solutions continually monitors the inbox for suspicious elements, flagging content that was judged safe at delivery but is malicious now. This approach lets us scan and monitor the user’s inbox continually, identifying threats in near real time rather than only at the moment of delivery.
For example, one of the easiest ways to subvert a legacy solution is to include a benign link in the email so that it passes the gateway’s signature checks, then change where that link leads after delivery. Until now we relied on signature-based endpoint solutions to protect the user from whatever eventually landed in the mailbox. As we are all painfully aware, this is not the best solution even when every signature is current and the system is running optimally.
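The post-delivery re-scan described above, as an added example that is not part of the original post: a message whose link is clean at delivery passes the gateway check, the attacker then repoints the link’s destination, and a later sweep of the stored mailbox flips the verdict. The message, the redirect table standing in for a URL resolver, and the blocklist standing in for a threat-intel feed are all constructed for the example.

```python
# Added example, not the post's own code: a post-delivery link re-scan. The message,
# redirect table and blocklist are constructed stand-ins for a mailbox, a URL resolver
# and a threat-intel feed.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_MESSAGE = """\
From: billing@example-invoices.test
To: user@corp.test
Subject: Invoice 4471
Message-ID: <4471@example-invoices.test>
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready.</p>
<a href="https://docs.example-invoices.test/view?id=4471">View invoice</a>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def extract_links(raw):
    """Return (Message-ID, [urls]) from every text part of an RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif part.get_content_type() == "text/plain":
            links.extend(re.findall(r"https?://\S+", part.get_content()))
    return str(msg["Message-ID"]), links

def resolve_chain(url, redirects, max_hops=5):
    """Follow the constructed redirect table; return every URL on the way."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def message_verdict(links, redirects, blocklist):
    """'malicious' if any link, at any hop, lands on a blocklisted host."""
    for url in links:
        if any(urlparse(h).hostname in blocklist for h in resolve_chain(url, redirects)):
            return "malicious"
    return "clean"

class Mailbox:
    """Delivered messages plus the verdict each received at delivery."""
    def __init__(self):
        self.messages = {}  # Message-ID -> {"links": [...], "verdict": str}

    def deliver(self, raw, redirects, blocklist):
        """Gateway-style check: reject if malicious now, otherwise store."""
        mid, links = extract_links(raw)
        verdict = message_verdict(links, redirects, blocklist)
        if verdict == "malicious":
            return None  # never reaches the inbox
        self.messages[mid] = {"links": links, "verdict": verdict}
        return mid

    def rescan(self, redirects, blocklist):
        """Re-judge every stored message; return IDs whose verdict flipped."""
        flipped = []
        for mid, rec in self.messages.items():
            verdict = message_verdict(rec["links"], redirects, blocklist)
            if verdict != rec["verdict"]:
                rec["verdict"] = verdict
                flipped.append(mid)  # candidate for quarantine or retraction
        return flipped

def run_scenario():
    """Deliver while the link is benign, repoint it, then re-scan the inbox."""
    redirects = {}                      # at delivery the link resolves to itself
    blocklist = {"cred-harvest.test"}   # constructed threat-intel feed
    box = Mailbox()
    mid = box.deliver(RAW_MESSAGE, redirects, blocklist)
    # Attacker repoints the landing page once the message is already in the inbox.
    redirects["https://docs.example-invoices.test/view?id=4471"] = "https://cred-harvest.test/login"
    return mid, box.rescan(redirects, blocklist)

if __name__ == "__main__":
    print(run_scenario())
```

The gateway check and the re-scan run the same verdict logic; the only difference is when it runs. A production sweep would replace the `redirects` dict with a real fetch or detonation of each link, rate-limit itself against the resolver, and pair the retraction with time-of-click rewriting so a user who clicks between sweeps is still covered.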
If your organization is moving its email to the cloud, take the opportunity to completely re-evaluate your control requirements and see whether some of the more modern solutions put you in a better position. Do not forget to consider your mail routing order (cloud-first or local-first) as well as the resulting changes to DKIM, SPF and DMARC, which can make a measurable difference in the amount of generic spam you receive. One specific check: SPF is evaluated against the IP address of the connecting server, so whichever hop sits second in your chain sees the first hop’s addresses rather than the sender’s. Authenticate at the outermost hop and have the inner hop trust that result rather than re-evaluate it.
With the almost exponential growth of pandemic- and protest-related spam, the human element of our control environment has never been under this level of attack. Phishing emails are expertly crafted and sent into organizations by the truckload, courtesy of the various botnets around the world. Collectively, we need to rethink email security, and moving toward continual risk monitoring of the inbox is the first step to the new model.
The Chronicles of a CISO Weekly Hotwash is a recap of critical stories and news from the past week. The goal is to share some insight and perspective on how these stories may impact our industry, our careers, or our companies.
Copyright © 2002-2020 John Masserini. All rights reserved.