5 Reasons Email Security Solutions Fail

Despite Email Security Investments, Most Organizations Still Experience Compromise Through Email

By Dave Gruber, ESG Senior Analyst
AUGUST 2021

Executive Summary

With the relentless use of email as an entry point for both mass and highly targeted cyber-attacks, email security is top-of-mind for most security teams and executives. The 2021 Verizon Data Breach Investigations Report declared that social engineering is the fastest growing incident pattern, with phishing responsible for the vast majority of breaches in this pattern.¹

Phishing tactics are not only commonplace in today’s workplace, but well understood by most digital workers, thanks to help from the media and security awareness training and represent a sizable threat to most organizations. Yet despite this heightened awareness, email users continue to take the bait, get duped into clicking on malicious or impersonated URLs, answer false requests from spear phishing campaigns, and remain susceptible to other trickery, leading to credential and sensitive data theft.

These same organizations generally have applied budget to email security solutions that fail to accomplish the task of preventing or exposing the attacks that ultimately lead to the criminal loss of digital assets, sensitive customer data, and real money when business email compromise tactics are involved. Meanwhile, email security spending continues to increase, while security teams desperately search for the next security solution capable of protecting against this ever-expanding, seemingly impossible threat vector. ESG research reports that 64% of organizations planned to increase email security budgets in 2021.²

More security-savvy organizations are beginning to understand what’s needed to fight the adversary, beyond traditional point email security solutions, and even beyond classic defense-in-depth strategies. New, deeply integrated, cooperative security strategies are emerging, combining network, endpoint, email, cloud, and identity controls to detect and stop the stealthiest of attacks. This integrated security approach is further strengthened using big data analytics capable of continuously analyzing the growing threat landscape and monitoring each activity across the attack surface to suss out complex attacks.

Email Security is a Top-5 Priority

With the relentless use of email as an entry point for both mass and highly targeted cyber-attacks, email security is a top-five cybersecurity priority for 69% of organizations.³

This paper explores five reasons email security solutions are failing to protect organizations against today’s complex attacks and why organizations are evaluating integrated security platforms that can tightly integrate email security into the overall security stack, ensuring critical email infrastructure and data are adequately secured against the expanding email threat landscape.

Reason #1: Email Provides a Direct Path for Adversaries to Leverage End-users in their Tactics

Despite the use of “front-door” email security strategies, adversaries continue to penetrate up-front security controls, providing a path to directly communicate with end-users. With literally billions of dollars invested in email security solutions, adversaries continue to successfully penetrate defenses, landing malware on endpoints capable of carrying out malicious activities.

Spoofing techniques pre-date 50 years of technology and are still used successfully today. Impersonated domains, URLs, co-workers, executives, suppliers, and every other relationship type continue to be effective tactics. While more advanced email security solutions are leveraging machine learning, relationship graphing, and historical relationship mapping, adversaries continuously test new methods of spoofing to find weaknesses in controls that enable them to reach unsuspecting users.

Reason #2: Most Email Security Solutions Fail to Verify User Identity Before Operating

Credential theft has become one of the most effective tactics for adversaries to penetrate infrastructure. While identity and access management (IAM) security controls are in use in most organizations, few deploy IAM widely throughout email infrastructure. This creates a weakness and an opportunity for the adversary to steal credentials, penetrate infrastructure, and impersonate trusted personnel, leading to escalated privileges and actions by other users that facilitate complex attacks.

Reason #3: Cloud-delivered Email Solutions Create New Opportunities for Adversaries

Cloud-delivered email infrastructure has rapidly become the preferred approach to enable email communications, with over 1.3M companies depending on Microsoft 365.⁴

For many, handing over email infrastructure to a cloud service provider means transferring and trusting email security and resilience to the provider. While many cloud-delivered email providers promise security and resilience, most fall short of what many security and IT teams would consider adequate. Further, adversaries are capitalizing on these homogenous security systems to bypass controls. As a result, ESG research reports that 49% of organizations are turning to third-party email security and resilience solutions to close gaps.⁵

Not a Panacea

Cloud-delivered email solutions aren’t a panacea. Moving on-prem email solutions to the cloud replaces the operational infrastructure but doesn’t necessarily fully replace security controls.

This rapid move to cloud-delivered email solutions has further offered adversaries a new opportunity to apply impersonation techniques that fool unsuspecting users. Adversaries have deep knowledge of the operational characteristics of these cloud email solutions, capitalizing on many users as they initially transition from well-known on-prem email to newer cloud-delivered email operating environments. Impersonated, “system-generated” emails have facilitated huge amounts of credential theft, falsely attracting users to visit an impersonated, copycat email log-in URL, capturing user credentials.

Reason #4: Email Repositories House Massive Amounts of Sensitive Data

Massive amounts of IP, customer data, sensitive financial data, credentials, and other valuable digital assets reside within email data stores. When adversaries breach email infrastructure through credential theft, credential stuffing, and other techniques, they open a treasure trove of valuable data that support direct exfiltration or more sophisticated, calculated attacks leading to ransom, BEC, and other criminal activities.

While most email security solutions are focused on inbound threats, outbound threats continue to evade controls, with 69% of organizations reporting sensitive data loss as a high or medium risk to their organization.⁶ Intentional sensitive data exfiltration facilitated through impersonation and ATO activity has become a common attack strategy, often used for reconnaissance activities to locate valuable assets. Insider threats further enable adversaries to locate and gain access to digital intellectual property and protected customer data.

Reason #5: Email Security Operating in a Silo is Blind to More Sophisticated Attacks

While 23% of malware directly involved in breaches enters through email⁷, email is also widely used successfully in other tactics, including pre-texting and of course direct phishing emails, often leading to the theft of credentials and other sensitive data. Yet during investigations, most find that early use of these tactics is seldom directly involved in the final stages of criminal activities.⁸ Email is often simply a means of initial compromise, offering adversaries an attractive path to gain a foothold into a broader organization—frequently without the end-user ever knowing that they were involved. When email activities are only monitored in isolation from other attack vectors, non-malicious actions often go unnoticed, enabling low and slow attacks to get underway.

What's Needed

Extend and Strengthen Native Email CSP Security Controls

Advanced email security capabilities should complement native, cloud-delivered email security controls without introducing friction, allowing organizations to supplement and close gaps while avoiding delivery and transmission delays.

Integrating Identity and Access Controls with Email Security

Because impersonation is so widely used as a tactic to fool email users, email security solutions must include or integrate tightly with identity and access management controls, ensuring that email users are, in fact, who they say they are.

Identification and Protection of Sensitive Data

Significant amounts of sensitive data are both in motion and at rest in email on a frequent basis. The ability for email controls to both identify and protect sensitive data is required to protect against both inbound and outbound threats, including both intentional and unintentional data leakage.

Integrating Email Security Within the Broader Security Stack

Integrating email security with the rest of the security stack can help to identify and stop more advanced threats. Modern threats often involve email early in the attack chain without notable malicious actions, but when correlated with other security telemetry, complex attacks can be more easily detected and stopped.

The Bigger Truth

New strategies for protecting email infrastructure are necessary to combat today’s complex threat landscape. Traditional, siloed email security controls are no longer sufficient, leaving many organizations exposed. The move to cloud-delivered email solutions has further led many to falsely believe that native security controls would be sufficient to protect users and the digital assets housed within email infrastructure.

Integrated email security solutions provide a means to thwart attacks by working together to both detect and to defend against attacks. Identity and access integration is core to the process, defending against so many common phishing and credential theft tactics.

As organizations review email security strategies, ESG recommends considering highly integrated security platforms like Email Security from Cisco that can bring best-of-breed email security controls together with network, endpoint, cloud, and identity security solutions.

Cisco Secure Email

LEARN MORE

DOWNLOAD PDF REPORT

This ESG White Paper was commissioned by Cisco and is distributed under license from ESG.

¹Source: Verizon, 2021 Verizon Data Breach Investigations Report.

²Source: ESG Research Report, Trends in Email Security, Aug 2020.

³ibid.

⁴Source: Statista, Number of Office 365 company users worldwide as of June 2021, by leading country.

⁵Source: ESG Research Report, Trends in Email Security, Aug 2020.

⁶ibid.

⁷Source: Verizon, 2021 Verizon Data Breach Investigations Report.

⁸ibid.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.