2021-11-16 16:14:43

Market Guide for Email Security

Continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.


Overview

Key Findings

·        The adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers.

·        Solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the bulk of phishing protection that is built into the core platform.

·        Vendor consolidation and integration with other security tools enable improved detection and response capabilities (aka extended detection and response [XDR]).

·        Ransomware, impersonation and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email, which are inherently vulnerable to deception and social engineering. The evolution in threats has led to increased demand for other techniques and services, such as domain-based message authentication, reporting and conformance (DMARC), cloud access security broker (CASB)/API integrations, continuous awareness and mail-focused security orchestration, automation and response (MSOAR).

Recommendations

Security and risk management leaders responsible for email security should:

·        Use email security solutions that include anti-phishing technology for business email compromise (BEC) protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs. Consider products that also include context-aware banners to help reinforce security awareness training.

·        Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.

·        Take advantage of emerging APIs to integrate email events into a broader XDR or security information and event management (SIEM)/security orchestration, automation and response (SOAR) strategy.

·        Ensure that email is included in your data protection strategy by examining the types of data shared externally via email and putting appropriate controls in place.

Strategic Planning Assumptions

By 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020.

By 2025, 20% of anti-phishing solutions will be delivered via API integration with the email platform, up from less than 5% today.

Market Definition

Email security refers collectively to the prediction, prevention, detection and response framework used to provide attack protection and access protection for email. Email security spans gateways, email systems, user behavior, content security, and various supporting processes, services and adjacent security architecture. Effective email security requires not only the selection of the correct products, with the required capabilities and configurations, but also having the right operational procedures in place.

Market Description

Email security covers a wide range of capabilities and solutions. This Market Guide focuses on three main types of email security solutions (see Figure 1).

·        SEG: Email security for both inbound and outbound email has traditionally been provided by SEG solutions either as an on-premises appliance, a virtual appliance or a cloud service. SEGs process and filter SMTP traffic, and require organizations to change their MX record to point to the SEG.

·        Integrated cloud email security (ICES): The adoption of cloud email providers (Microsoft and Google) that provide built-in email hygiene capabilities is growing. Advanced email security capabilities are increasingly being deployed as integrated cloud email security solutions rather than as a gateway. These solutions use API access to the cloud email provider to analyze email content without the need to change the Mail Exchange (MX) record. Integrated solutions go beyond simply blocking known bad content and provide in-line prompts to users that can help reinforce security awareness training, as well as providing detection of compromised internal accounts. Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.

·        Email data protection (EDP): Email is fundamentally insecure, and email data protection solutions add encryption to track and prevent unauthorized access to email content before or after it has been sent. EDP can also help prevent accidental data loss due to misdirected recipients.

Adjacent markets that often overlap with email security and are not covered by this Market Guide include:

·        Security awareness training

·        Information archiving

·        Email continuity services


Market Analysis

Email continues to be a significant attack vector for both malware and credential theft through phishing. An estimated 40% of ransomware attacks start through email.1 As the threat changes, it’s important to reevaluate the capabilities and effectiveness of the current solution compared to new products. This is especially true as the incumbent solution may not be investing in new detection technologies.

Compare Existing Capabilities With Native Capabilities Provided by Google and Microsoft

Both Google and Microsoft provide basic email hygiene capabilities, including:

·        Blocking emails from known bad senders

·        Scanning attachments with AV

·        Blocking emails with known bad URLs

·        Content analysis to identify spam

While Google Workspace has less sophisticated controls and fewer features, the simple three-tier model is very appealing to many organizations that have chosen Google Workspace as their collaboration platform. Microsoft’s licensing can be complex, and the E5 license that contains Microsoft Defender for Office 365 is expensive. However, there are various bundles and add-ons that can be used to add the advanced capabilities. Exchange Online Protection (EOP) is included in all plans and provides the basic anti-spam, anti-phishing and anti-malware capabilities.

Microsoft has continued to invest in Microsoft Defender for Office 365, which includes more-advanced protection capabilities, including Safe Links and Safe Attachments, and integrates with the other security tools from Microsoft. It also covers Microsoft SharePoint, Teams and other Office clients. Eighty percent of organizations are looking to consolidate security vendors, and the close integration between Microsoft 365, Microsoft Azure Active Directory (Azure AD), Microsoft Information Protection and Microsoft Defender for Endpoint can provide improved overall visibility and security, and forms part of Microsoft’s XDR strategy.

Other security vendors are also making investments in email security capabilities as part of their own XDR strategy. Cisco, F-Secure, Kaspersky, Trend Micro and others have all recently updated or added email security components. Often, these are API-based ICES solutions.

Several email security vendors are also investing in integration with other security tools such as endpoint protection platforms (EPPs), endpoint detection and response (EDR), SIEM and SOAR. These provide a set of APIs that not only allow the sharing of information, but can also initiate response and remediation actions.

