February 14, 2017
Would it surprise you to learn that in recent testing Mimecast has seen a 13.2% false negative rate for incumbent email security systems? Does your current email security system let through an inordinate volume of spam, malware, malicious URLs, or impersonation emails?
How would you find out if it did? Is your primary source for detecting false negatives your users? Do you wonder how your email security performance compares with your peers?
The fact is, until now, there hasn’t been much data comparing or benchmarking the performance of email security systems. They all claim the ability to defend against spam, malware, spear-phishing, malicious links and other email attack techniques. But how good are they really? How do they compare in their ability to block opportunistic email-borne attacks as well as more targeted attacks?
In working with our more than 25,000 customers, Mimecast has seen firsthand that email security systems do not perform equally well. To address this lack of data head-on, Mimecast launched its Email Security Risk Assessment (ESRA).
The Mimecast ESRA has three goals:
- To test the Mimecast cloud security service against an individual organization’s incumbent email security system, and to show that organization, in one report, the number, type, and severity of email-borne threats that are currently getting through to it.
- To inform the security industry with hard data on the effectiveness of various commonly deployed email security systems.
- To inform the security industry with hard data regarding the number, type, and severity of email-borne threats that are actively being used in attacks.
In an ESRA, Mimecast uses its cloud-based Advanced Security service to assess the effectiveness of other email security systems. The ESRA test is passive: it inspects email that the organization’s incumbent email security system has already inspected and passed on to the organization’s email management system. Because Mimecast re-inspects only the emails the incumbent deemed safe, anything it detects is by definition a false negative of the incumbent system: spam, malicious files, malicious URLs, and impersonation emails.
The results we’ve uncovered so far are concerning: email attacks ranging from opportunistic spam to highly targeted impersonation attacks are getting through incumbent email security systems in large numbers and of many types.
To learn more and to see the results of the ESRA tests completed to date, please check out this paper.
A long time ago, a supercomputer named Deep Thought concluded that the answer to the ultimate question of life, the universe, and everything was 42. Although it took Deep Thought seven and a half million years to produce this answer, it observed that finding the answer would have been much simpler had it known the question. Deep Thought didn't understand what the "ultimate question" was. And we agree: it's definitely hard to provide an answer without a question. Here at Mimecast, though, we have the question…the ultimate question…42 of them, to be exact!
Join us as we get to know our Mimecast experts in a new blog series called “42 Questions.” We may not find out the answer to life at the end, but we’ll definitely find the answer to what our expert thinks it means to be a Mimecaster, the top security threats they worry about, and even their favorite superhero just to name a few. That should hold us over while we come to a consensus on why 42 is the answer to the meaning of life, the universe, and everything! Enjoy!
Video Script below:
JLW: I’m Jamie Whalen, Social Media Manager at Mimecast, and we’re here with J. Peter Bruzzese, a Mimecast employee and Microsoft MVP. We will be asking him a set of 42 quick, rapid-response questions to get to know who J. Peter is just a little bit more. Are you ready for 42 questions?
J.PETER: You bet. Greetings, Mimecast and Jamie!
1. What is your MVP Technical expertise?
Awarded 7 times. The first 4 times were for Exchange, the next 2 were for Office 365. And to put it all into one bucket, the Office Servers and Services bucket.
2. Favorite actress?
3. Favorite movie?
Rocky I, II, III
4. Infrastructure or Software as a service?
Software. Infrastructure is very legacy-facing, which is still necessary for a hybrid move to the cloud, but with containers and such, along with SaaS, really providing what most organizations need… I see SaaS as the real future in 5 years’ time.
5. Favorite food?
Anything parmesan. Chicken, eggplant, etc.
6. Why do you consult for Mimecast?
When I was first looking at Office 365, I liked it but I felt like there was a need for something else to fix all of the gaps in Office 365. And so, in looking around, the only solution I found that could fill the gap of security, archiving, availability, was Mimecast. And so I decided to work for them.
(Want to see the sleep chambers? They encourage napping!!! I’m a huge fan of napping.)
7. Typical bedtime?
Good question. Any time after midnight.
8. Bed attire?
Pajama bottoms and a t-shirt (either an Incredible Hulk shirt or some other superhero).
9. Scariest place you’ve ever been?
I lived in Ciudad del Este, Paraguay, for a year. It’s on the border with Brazil and Argentina. It had its scary moments.
10. Nicest place you’ve ever been?
Arraial do Cabo, an area right above Rio de Janeiro.
11. How many languages do you speak?
One – English. But I can also hold conversations in Spanish, Portuguese and Mandarin.
12. Say something in Mandarin?
Wo de mingzi Li Xiaolong.
13. What did you just say?
My name is Bruce Lee.
14. Favorite sci-fi weapon?
15. Coolest career moment?
First published book in my hands and the first time I was awarded the MVP for Exchange.
16. Favorite third party bolt-on solution for Exchange on-prem or online?
Mimecast (look around!)
17. Facebook or Twitter?
Twitter. I don’t do Facebook.
18. Top 3 security threats you worry about?
Spear phishing, Ransomware, Impersonation wire transfer hoaxes.
19. Coolest party game?
Binary Code Conversion. It’s where you take decimal numbers and convert them to binary and vice versa. How’s that for geeky?
20. Favorite superhero?
Marvel- the Hulk. But if you’re talking about DC- Superman.
21. Coolest tech person you’ve met?
(Take out iPhone and show picture of Steve Wozniak) Steve Wozniak.
22. If you could go to Mars would you do it?
Absolutely not… have you seen The Martian? Yeah… no thanks.
23. What’s your favorite color?
24. Least favorite color?
25. Favorite tech gadget you can’t get enough of?
26. Favorite comedian?
27. How would you describe the last election?
Well… I’m neutral, but I did hear someone call it a Kobayashi Maru… and that was funny.
28. Favorite number?
29. What’s your favorite part of Office 365?
30. What’s your least favorite part of Office 365?
(Hey, I heard someone you knew made something here, what and where is it? – enter Parson’s Green)
31. Who built this table?
John Dickey, the owner of the Timberguys. Really awesome stuff.
32. Favorite part of the Mimecast space?
This table in the Parson’s Green room. Believe it or not, the wood came from a boat that was owned by Louis Boxer.
33. How do you know him?
We went to school together.
34. How would you describe yourself?
Two words: driven and passionate
35. Who makes you laugh?
36. What’s keeping you busy these days?
A lot of traveling, talking about cyber resilience and risk mitigation, specifically with Office 365. With the many threats that are facing the world, you need something on the front end of Office 365 to help provide mitigation and that resiliency. I’m speaking here in the States, in the UK, and in Canada.
37. What is a great enhancement a company can assist with, a third party bolt-on enhancement?
Mimecast is one. The enhancements that Mimecast can assist with are really amazing. It’s not just a siloed solution; Mimecast was developed in the cloud, not ported into the cloud. And they hit upon security, archiving, continuity, hitting on all things O365, which really covers everything you would need to be successful. Mimecast is the only solution I have found that can do that.
38. What’s something you can’t do?
39. What do you like best about Mimecast?
Well, as a solution, Mimecast is something that provides a full blanket of resiliency. Mimecast is security, archiving, continuity. It protects you from the bad guys, and if something goes wrong, it’s the continuity that keeps you up and running. The fact that you can continue to be up and running no matter what is something that Mimecast can give you.
40. What’s the best gift you’ve received?
My two children. A boy who’s 9 and a girl who’s 6.
41. Dogs or cats?
Dogs, I’m allergic to cats.
42. Last question, what’s the best part about being a Mimecaster?
The best part is the people. The people at Mimecast work hard and are very diligent. They are committed to providing cyber resiliency to their customers. I think it’s fantastic. But hands down, it’s the people that make Mimecast.
Stay tuned for a new 42 Questions coming up in February, where you’ll get to know Mimecast a little bit better.
Recently, the State of New York has taken steps towards passing the nation’s first cybersecurity regulation which explicitly tells financial organizations in New York what they must do in their security program. You can read an overview of this in the article, “Full Employment for CISOs in New York.”
The main question I have is, does it make sense to legislate the details of a security program versus allowing organizations to build programs that meet the business needs and risk tolerance of their organizations?
Before I answer that question, let me first state that overall, I believe the directives in the regulation generally make sense. In fact, they are practices that most security professionals would already have as part of their standard operating procedures. It is a little odd, though, that the regulation explicitly calls out two technology areas, multi-factor authentication and encryption, for inclusion while staying very high-level on the other security control areas. Not that multi-factor authentication and encryption are bad areas to focus on, but why are those two singled out while other important security controls, such as email security, Web security, anti-virus, identity management, and many other categories, are not?
Now back to the main question of this blog, is legally requiring specific security practices a good thing? My take is no. However, should regulators consider cybersecurity as part of their supervisory responsibilities? Yes, as part of their view of the organization’s risk management program. Ultimately, organizations are responsible for their own risk management programs and how much risk they can tolerate and how best to mitigate that risk.
Just as regulators don’t direct in detail other aspects of an organization’s business practices, they should not do so for its cyber risk management practices. There are just too many opportunities for unintended consequences to arise. For example, in my experience, the more detailed the regulation, the more overwhelming it becomes for the CISO who has to implement it, and the greater the chance that the security program turns into a checklist exercise rather than a risk-management-focused one.
I realize it is a bit cheeky for me to make security resolutions for your security program, but I believe you will find these recommendations to be straightforward and highly actionable. In no particular order:
- If you can’t do it, outsource it. Don’t skip a control because you lack the expertise or the capital budget to buy or manage it yourself. Now more than ever, many security controls can be consumed as services rather than purchased as software or hardware appliances. Increasingly, security professionals, just like their cousins in the IT department, can leverage the cloud to get the services they need and save money and time to boot. Security professionals should use 2017 to accelerate their transformation from owning every aspect of the implementation and maintenance of a control to being the strategists and architects of their security controls.
- Plan for incident response now, well before you need it. In this era of near-certain, business-impacting security incidents, it’s key to plan now for the variety of incidents that will likely hit your business. You know what they are likely to be: ransomware, DDoS attacks, email-borne impersonation attacks, botnet infections, insider threats (malicious, accidental, or policy-violating), and a handful of others. Work with the relevant functions around your organization, write your incident response plan down, and run a table-top exercise or two in 2017. It is much better to do it in theory once or twice before you have to do it for real.
- Make employee security awareness training an everyday affair and not a once-a-year, video-watching boredom fest. While no security program should rely wholly on employees to save it from security incidents, having well-informed and engaged employees greatly helps reduce the risk and mitigate the damage of the inevitable breach. Pushing out a 30-minute video once a year does not. Attacks are dynamic and unpredictable, and user training should be too. Build informative user messages and tests into the daily operation of your security program. When employees do the right thing, let them know. When they don’t, help them understand why what they did was risky. For example, make it easy for them to report likely spam and other suspicious emails. If you must block something they did, like visiting a sketchy Web site, make sure you tell them why they were blocked and what their options are.
- Evaluate your critical business processes and make sure that they are not completely exposed to compromised IT systems or to the impersonation of executives or critical partners. Given how easy it is to spoof or hack an organization’s email, it is amazing to see how many business processes are 100% dependent on trusting the content of an email. One need only consider the number of fraudulent wire transfers generated from simple email requests that appear to come from executives or business partners to understand the absurdity of fully trusting an email. Make sure every important business process has automated fraud inspection and out-of-band checks and balances built into it. Don’t expect your users to be the first and last line of defense.
- I realize this resolution is like asking the Genie for three more wishes as your third wish (Genies don’t go for that, by the way), but I strongly recommend leveraging the SANS 20 Critical Security Controls as a key security framework to benchmark your organization for 2017 and beyond. While there is a lot of depth behind these 20 controls, overall I find the SANS list to be both simple and comprehensive, and a great framework for framing your security resolutions for 2017 and beyond.
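The "automated fraud inspection" this resolution calls for, and the impersonation false negatives the ESRA post at the top of this page looks for, both come down to a handful of header and content checks. The Python below is an added illustration written for this page; it is not Mimecast's product code or the ESRA tooling. The organization domain `example.com`, the protected executive names, the keyword list and the two sample messages are all constructed assumptions, and the edit-distance threshold is a heuristic that will need tuning (very short domains will over-match).

```python
"""Heuristic executive-impersonation check for inbound mail (added example).

Flags the patterns behind impersonation / wire-fraud email:
  * display name matches a protected executive but the From: domain is external
  * From: or Reply-To: domain is a near-miss (lookalike) of our own domain
  * Reply-To: domain differs from the From: domain
  * body carries payment / urgency language
None of these alone is a verdict; they are signals that should trigger the
out-of-band confirmation step in the business process.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumed organization domain
PROTECTED_NAMES = {"jane doe", "john smith"}    # assumed executives to protect
PAYMENT_TERMS = ("wire transfer", "urgent", "invoice", "payment",
                 "keep this confidential")      # assumed keyword list


def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True for external domains that are a few edits from ours, or that
    embed our label (e.g. example-secure.com). Threshold is heuristic."""
    if not domain or domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return False
    own_label = OUR_DOMAIN.split(".")[0]
    label = domain.split(".")[0]
    return levenshtein(domain, OUR_DOMAIN) <= 3 or (own_label in label and label != own_label)


def assess(raw_bytes):
    """Return the list of impersonation findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "") or ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    findings = []
    if name.strip().lower() in PROTECTED_NAMES and from_dom != OUR_DOMAIN:
        findings.append("display name matches a protected executive but sender domain is external")
    for hdr, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if is_lookalike(dom):
            findings.append(f"{hdr} domain {dom!r} is a lookalike of {OUR_DOMAIN!r}")
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in PAYMENT_TERMS if t in text]
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


def is_suspicious(findings):
    """Escalate when two or more independent signals fire."""
    return len(findings) >= 2


# Constructed sample messages (not real traffic).
SPOOF = (
    "From: Jane Doe <jane.doe@exarnple.com>\n"        # rn-for-m lookalike
    "Reply-To: jane.doe@mail-drop.test\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire transfer\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please process an urgent wire transfer today and keep this confidential.\n"
).encode()

LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Team lunch\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Lunch is at noon on Friday.\n"
).encode()

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        f = assess(raw)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

Run against the real mail stream, this sits alongside (not instead of) the incumbent gateway: the spoofed message above trips all four signals, the legitimate one none. Any message that escalates should divert the wire request to the out-of-band confirmation (a phone call to a known number, a second approver) rather than relying on the recipient to notice the `rn` in the domain.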
For a quick resource, here’s an eBook from Mimecast outlining five tips to combat email-based attacks.