It’s time the security industry moves beyond traditional email security. The way we protect ourselves going forward must evolve with email and productivity platforms themselves and the threats they face.
Recently, our CMO Luke Retterath received a letter most of us are all too familiar with these days: a breach notification from a healthcare provider. These “we’re writing to inform you that your private information is probably even less private than it already was” notifications have become so frequent for most of us they sometimes feel like little more than the price of doing business in the modern world.
What caught our eye about this particular letter was the nature of the breach: a company employee had approved an unsolicited MFA prompt, allowing an attacker into their email. The attack went unnoticed for over a week before it was caught and access was shut down. That’s not a horrible dwell time in the context of industry statistics, if we’re honest, but still more than enough time for even the laziest adversary to harvest plenty of data and see what other systems that email account had access to.
As a company built on securing the entire email threat landscape from these types of attacks, this obviously caught our eye. Yet again, an attacker breached an email account via a known TTP. Yet again, once inside the account, they had time to rummage around and see what was worth taking before they were detected. And yet again, customers receive another “whoops, we got hacked, whaddaya gonna do? ¯\_(ツ)_/¯” letter.
It doesn’t have to be this way.
Email security needs to evolve – and it is
We recently spoke with Mike Privette at Return on Security about the need to be ready for exactly the sort of threats this healthcare provider faced, and more. Material was founded on the premise that the email security status quo was woefully inadequate – and sadly, for the most part, it remains so today. As attacks like the one above show, the breadth, complexity, and sheer volume of attacks against corporate email accounts are such that blocking them all is impossible.
That’s not to suggest you shouldn’t do everything in your power to block as many threats as possible, but phishing is just one of countless ways attackers can take hold of your inbox. And once they’re in, without the proper defenses in place, all the advanced phishing detections in the world won’t help you.
That’s why it’s critical to think of email security in the context of the full range of functionality that email serves in the real world. Of course it remains the communication and collaboration platform of choice, with well over 300 billion emails sent per year. But that’s just the tip of the iceberg. Email has also evolved into an identity provider for third-party apps and services. It’s become an unstructured store of critical and sensitive information. The approach to securing email has to take those functions into account as well.
Traditional email security
Traditional email security has generally involved using Secure Email Gateways (SEGs) to provide in-transit protections: scan emails prior to delivery to prevent malicious emails from landing in the mailbox. And let’s reiterate: blocking as many threats as possible from reaching the inbox is still a critical part of an organization’s security posture – but the need for a third party to do this is diminishing. Google and Microsoft are doing a really good job of delivering the in-transit security controls. When configured correctly, they will do as good a job as third-party SEGs at stopping malicious emails from getting into a mailbox.
These protections, however, only reduce the likelihood of a breach; they do nothing to contain or mitigate unauthorized access to data once a breach has started. Traditional email security is not complete – at best, it is a breach prevention measure.
Organizations build their security posture using defense in depth. Gaps will be discovered in any single layer, and a robust security program will rely on compensating layers to prevent those gaps from leading to a breach. Data at rest in mailboxes is rarely, if ever, protected by defense in depth. Once a control has failed and an attacker gains access to the mailbox, the data within is lost. Attack-focused email protection must be combined with post-breach protections to ensure comprehensive email security.
The power of APIs
Historically, gaining visibility into the content across all mailboxes at an organization was an impossible task because native tools were not built for this purpose. Connecting third-party tools was too challenging and/or risky, and typically required the installation of an agent on endpoints or mail services. These agents created performance, security, and usability issues, exactly the opposite of what an effective security solution should do. Due to these inherent limitations and challenges, the security industry accepted the risk of not protecting data in mailboxes as the status quo.
However, the move to cloud office services has presented us with opportunities to leverage a new class of security services. Microsoft and Google have exposed Mailbox APIs, and those APIs have unlocked superpowers we lacked previously. They’ve given us an agentless way to process, manipulate, and protect data at rest, not only within inboxes but also within cloud file storage systems. They give us the ability to catch and examine, before they hit the inbox, emails that can indicate attempts at lateral movement – third-party app password resets, for example. They allow us to monitor configuration and settings, security hygiene, and risky user behavior like setting up email forwarding rules.
In short, APIs allow traditional email security to evolve.
The requirements of modern email security
Truly complete email security needs to account for all the real-world uses of email and the larger productivity suite, and protect each use case accordingly.
- Email is a collaboration and communication tool, and complete email security must protect against the full range of sophisticated attacks inboxes face daily.
- Email is often the identity layer for a range of SaaS applications, and complete email security must be able to detect and protect emails that facilitate signing up for, changing passwords for, or otherwise administering third-party applications.
- Email is a data repository full of sensitive information and data – and when combined with cloud file storage systems linked with those email accounts, represents the majority if not the totality of a company’s sensitive data and intellectual property. Complete email security must be able to monitor and protect that data at rest, even if the mailbox is breached.
In order to provide that comprehensive protection, modern email security needs to provide four critical elements: visibility, classification, protection, and remediation.
Visibility
Visibility is a fundamental capability needed to investigate, detect, and respond to all types of incidents and attacks. The old cliché of “you can’t protect what you can’t see” is as true today as ever. However, gaining visibility into data at rest in the mailbox has historically been difficult. The native tools available from the major email providers weren’t designed with security use cases in mind; rather, they were designed for legal use cases, such as eDiscovery, leaving security teams without the tools to move quickly and confidently during an investigation.
In Microsoft Purview Content Search, for example, you have to build a job, submit it, and then wait for a notification to tell you that the job is complete for each search you want to run. During an active investigation, searches must run in real time with flexibility to support security investigations.
Material provides our customers with search capabilities purpose-built for security teams, keeping performance and investigations in mind. With our performant search, customers can view results across all mailboxes from months’ worth of data in seconds.
Classification
Classifying data at rest in a mailbox or cloud storage services is key for a comprehensive data protection program. Think about what kind of data is currently sitting in your company mailbox or file-sharing platform: credit card numbers, customer PII, bank routing information, social security numbers, PHI, etc. Without data classification, it’s difficult to know what data was compromised when an attacker gets access to a mailbox. Classifying the data closes this gap.
Material classifies the data in every mailbox and Drive we are connected to. Once the data is classified, our customers can immediately start taking informed steps to reduce the risk this data presents. Taking steps to reduce additional data leaking into email, revoking external or public sharing of sensitive data, understanding sensitive data trends across an organization, and being able to see which employees are accessing or sharing sensitive content inappropriately are just some of the examples of what customers can do with effectively classified data.
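To make the classification step concrete, here is an added example (written for this post, not Material’s product code) that scans constructed sample messages for the kinds of sensitive data listed above. It uses checksums (Luhn for payment cards, the ABA check for routing numbers) so that digit runs that merely look like a card or routing number are not flagged; the message shape and the domain values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample messages (not real data), shaped loosely like a mailbox
# API response; the routing number is constructed to pass the ABA check.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Re: invoice", "body": "Charge card 4111 1111 1111 1111, exp 12/26."},
    {"id": "m2", "subject": "Onboarding", "body": "New hire SSN is 123-45-6789, starts Monday."},
    {"id": "m3", "subject": "Lunch", "body": "Tacos? My loyalty number is 4111111111111112."},
    {"id": "m4", "subject": "Wire", "body": "Routing 123456780, account ending 4432."},
]

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, spaces/dashes allowed
ROUTING_RE = re.compile(r"\b\d{9}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_valid(digits: str) -> bool:
    """ABA routing-number checksum (weights 3, 7, 1 repeating)."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0

def classify(text: str) -> List[str]:
    """Return sorted sensitivity labels found in one message's text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            labels.add("payment_card")
    for m in ROUTING_RE.finditer(text):
        if aba_valid(m.group()):
            labels.add("bank_routing")
    return sorted(labels)

def classify_mailbox(messages: List[Dict]) -> Dict[str, List[str]]:
    """Map message id -> labels, keeping only messages that carry sensitive data."""
    found = {m["id"]: classify(m["subject"] + "\n" + m["body"]) for m in messages}
    return {msg_id: labels for msg_id, labels in found.items() if labels}
```

Message m3 is deliberately left unlabelled: its 16-digit number fails the Luhn check, which is the kind of false positive a naive digit-count rule would produce.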
Protection
Now that we can see the data at rest in the mailbox and know what types of risk it represents, something needs to be done about it. Classifying and protecting data at rest in a mailbox are key for a comprehensive data protection program.
Material secures the sensitive data at rest in a mailbox with MFA. Requiring step-up authentication to view the email means that even if an attacker gets access to a mailbox, they will not have access to the sensitive historical data. Failed attempts by the attacker to access those emails also provide valuable security telemetry.
Continuing to accept risks to the data in our mailboxes after a breach should not be the status quo. Email data is as sensitive as, and maybe more sensitive than, data sitting at rest in other data storage services. It must be protected.
Remediation
It’s 2024: the last thing any security team needs is another security tool to throw out more alerts that require manual resolution. SecOps has enough blinking red lights to deal with. Comprehensive email security must be able to create automated remediation workflows wherever possible to streamline, rather than complicate, security operations.
Material provides a range of automated remediations for detected issues. When we detect a phishing email, the platform automatically finds similar messages across the entire organization, clusters these into a single case, and applies the chosen automated remediation (a range of options from speedbumping at the most lenient to outright deleting at the most severe). When certain risky behaviors or security posture issues are detected, we can automatically take actions like disabling MFA bypasses, disabling auto-forwarding, and removing individual account-specific passwords.
Within Google Drive, we can automatically revoke external access for files owned by a user who is being offboarded, send a Slack notification when shared files match a sensitive content classification, email a file owner when they move a shared file into a private shared Drive, automatically revoke access to specific sensitive file types (or all sensitive files), and so much more.
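The forwarding-rule monitoring mentioned under “The power of APIs” and the auto-forwarding remediation described above can be illustrated with a small audit. This is an added example, not Material’s code: it walks constructed per-user records shaped like the Gmail API autoForwarding and filter resources, flags forwarding to addresses outside an assumed organisation domain, and raises severity when the rule also hides the forwarded copy (trash, archive, mark read), a pattern worth alerting on and remediating.

```python
from typing import Dict, List

ORG_DOMAINS = {"example.com"}  # assumed organisation domain (constructed)
# Constructed sample users, shaped like the Gmail API autoForwarding and filter
# resources; none of it comes from a real tenant. ".invalid" is a reserved TLD.
SAMPLE_USERS = [
    {"email": "alice@example.com", "autoForwarding": {"enabled": False},
     "filters": [{"id": "f1", "criteria": {"from": "news@example.com"},
                  "action": {"addLabelIds": ["TRASH"]}}]},
    {"email": "bob@example.com",
     "autoForwarding": {"enabled": True, "disposition": "trash",
                        "emailAddress": "b.backup@mailbox-test.invalid"},
     "filters": [{"id": "f2", "criteria": {"query": "password OR invoice"},
                  "action": {"forward": "drop@mailbox-test.invalid",
                             "removeLabelIds": ["INBOX", "UNREAD"]}},
                 {"id": "f3", "criteria": {"to": "finance@example.com"},
                  "action": {"forward": "ap@example.com"}}]},
]

HIDING_ADDS = {"TRASH", "SPAM"}       # labels that hide the forwarded copy
HIDING_REMOVES = {"INBOX", "UNREAD"}  # removals that hide it or mark it read
HIDING_DISPOSITIONS = {"trash", "archive", "markRead"}

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def audit_user(user: Dict) -> List[Dict]:
    """Flag forwarding that leaves the org; hiding the copy raises severity."""
    findings = []
    af = user.get("autoForwarding", {})
    if af.get("enabled") and is_external(af.get("emailAddress", "")):
        hidden = af.get("disposition") in HIDING_DISPOSITIONS
        findings.append({"user": user["email"], "kind": "auto_forward_external",
                         "severity": "high" if hidden else "medium",
                         "target": af.get("emailAddress", ""), "remediation": "disable auto-forwarding"})
    for flt in user.get("filters", []):
        act = flt.get("action", {})
        fwd = act.get("forward")
        if not fwd or not is_external(fwd):
            continue  # no forward, or an internal forward: not a finding here
        hidden = bool(set(act.get("addLabelIds", [])) & HIDING_ADDS
                      or set(act.get("removeLabelIds", [])) & HIDING_REMOVES)
        findings.append({"user": user["email"], "kind": "filter_forward_external",
                         "severity": "high" if hidden else "medium",
                         "target": fwd, "remediation": f"delete filter {flt['id']}"})
    return findings

def audit_org(users: List[Dict]) -> List[Dict]:
    return [f for u in users for f in audit_user(u)]
```

In a real deployment the records would come from the provider's settings API and the remediation strings would map to the corresponding settings update; that wiring is outside this example.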
There will always be instances where human expertise is needed to bridge the gap AI and automation can’t fill. However, complete email and productivity suite security needs to have robust automated remediation measures in place for already-stretched security teams.
Complete email security and beyond
It’s time the security industry moves beyond traditional email security. Past is prologue, and the lessons learned from decades of evolution in both how we use email and productivity software and the threats faced by those platforms must inform how we protect ourselves moving forward. If we ever want to stop getting letters like the one discussed above, we must think beyond simply blocking attackers from getting into our inboxes. Most modern security takes “assume breach” as a core tenet – we need to apply that to our emails as well.
At Material, we’re just getting started. Watch this space to see security evolving in real time.