Why detection-based email security cannot achieve the balance that modern enterprises truly need.
Email and file-based malware attacks that are delivered through email are the leading way to gain a foothold in a targeted network. There are many reasons that email has become such a common target. Email is used by everyone and is generally trusted by users, allowing for almost any type of traffic. Because most general users are not tech savvy enough to detect a threat, email is a relatively easy target for attackers. It’s not a surprise that the volume of email-based cyber security attacks on organizations is increasing steadily year-over-year.
There are several ways that attackers use email to target an organization. One of the most prevalent sources of attacks are email attachments, with 66% of malware penetrations beginning with a malicious email attachment. The most common malicious attachments are Office documents, compressed archives, and PDFs. Together, these commonly used file formats make up 89% of all malicious email attachments.
Enterprise IT teams are investing heavily in advanced threat protection (ATP) solutions to mitigate these threats, yet advanced email attacks that eventually lead to a breach are still common. Email ATP solutions combine a wide variety of tools, services, and security practices designed to prevent advanced cyberattacks before they gain a foothold within the organization. Every email ATP product includes a basic set of tools along with some additions unique to each vendor.
Some security vendors build their solution around a sandbox that examines incoming files in a secure, simulated environment. Others leverage emerging technologies like artificial intelligence and machine learning to identify and block phishing attempts. Many do both, but in different ways.
A common thread to these technologies is that they rely on malware detection instead of prevention. They examine incoming data from multiple sources and try to correlate what they find with known attack patterns. Some will even predict unknown attacks. The result is “good enough” security and minimal impact on usability. But why would security leaders only settle for “good enough” security?
Detection-based solutions rely on monitoring incoming emails and validating them according to various attack signatures, reputational profiles, or authentication metadata. When incoming messages fail the test, they are reported as suspicious and trigger an alert.
This system is robust in theory, but it falls short in a few key aspects. The most important of these involves the relationship between security and usability. The higher the security standard, the greater the impact on usability becomes.
Key traditional methods to enhance security are restrictive policies and sandbox processing.
Restrictive policies can be applied for specific emails and attachments. For example, emails containing password encrypted attachments are often blocked, as detection-based solutions cannot process them safely. This limitation causes frustration and forces the sender and recipient to seek other, often less secure, ways to transfer their files.
Sandboxes are a common element of email ATP security. Sandboxes open incoming attachments in a secure, isolated environment and wait to see if it behaves in a malicious way. Some sandboxes will interact with incoming files in various ways to test their legitimacy.
The problem is that this process takes time, often minutes, which leave the organization with two options: suffer from latency that will impact productivity and business flows, or cut off the sandbox processing at some point and pass the unchecked file to the user’s inbox. Even when the organization is willing to go with the first option and sacrifice usability, detection-based algorithms cannot adequately protect from unknown threats and zero-day exploits and so complete security is not achieved.
Microsoft has been using machine learning algorithms in their email systems since 2015. Today, it uses an AI threat heuristics engine to process historical metadata and threat intelligence insights to identify unknown phishing attacks in real-time.
However, in an extensive review of over half a million malicious emails sent to real-world end-user inboxes protected by Microsoft ATP, researchers found that more than one in ten zero-day phishing emails passed through as a false negative.
For highly visible enterprises weathering thousands of attempted attacks per week, this is a gigantic risk. It’s only a matter of time before a cybercriminal tricks a user into clicking on a malicious link or opening a malicious attachment.
Many high-end cybersecurity vendors use artificial intelligence and machine learning for behavioral analysis, trying to catch unknown threats by predicting attack signatures that don’t yet exist. AI is undoubtedly exciting technology, but in no way is it bullet-proof.
Artificial intelligence algorithms are very good at predicting patterns in large datasets, and playing games with well known, constant rules, like chess. They have limitations when navigating open-ended and rapidly changing, real-world challenges presented by cyber threats.
In addition, optimizing the security of AI-powered solutions often leads to increased false positives. These false alerts mean more emails that do not reach their destination, more false events that must be verified by an InfoSec professional, leading to unnecessary user-frustration and unnecessary costs and wasted IT resources, which are limited to begin with.
It is not that sandboxes are somehow defective, or that AI is a bad technology. The problem is that the nature of such technologies creates a compromise between security and usability, enabling the improvement of one only at the expense of the other.
Modern Zero Trust Prevention techniques present an alternative approach. All files are treated as a threat and the original file never enters the organization. Advanced detection is used to detect and block known malware and prohibited files and innovative prevention is used to eliminate ”zero day” attacks and false negatives. This approach maintains a complete zero trust posture, while reducing restrictions, allowing scalability, and removing unnecessary latency.
Resec for Email has perfected this approach, ensuring that every email that is delivered to the organization’s users is threat-free without impacting usability and business productivity. Resec’s advanced detection engines enable true-file type identification and policy enforcement, high malware detection rates and low false positives. Resec’s market-leading Content Disarm and Reconstruction (CDR) engine eliminates ”zero day” attacks and false negatives by reconstructing all other files into fully-functional threat-free replicas. All of this takes place in real-time, at scale, and with single and multi-layered password encrypted attachments fully supported. With Resec, security leaders can achieve the highest level of security for their organizations, without hampering business flows and processes.