A few weeks ago, I made a trip across the pond to one of the biggest U.S. security events of the year, the RSA Conference. The 400+ exhibitors pulled out all the stops, unveiling new products, displaying elaborate booth décor and giving away all sorts of prizes.
Attendees who stopped by Mimecast’s booth had the opportunity to spin a prize wheel for any number of giveaways, ranging from an American Express gift card to a golf tee, along with learning more about our recently launched Secure Messaging service. At RSA, the market need for Secure Messaging was validated by the positive conversations we had with booth-goers and media and analyst influencers, including this one I had with ISMG Editor Tom Field.
There were a few recurring themes I noticed during conversations at the show, including during a keynote given by Microsoft’s Corporate VP of Trustworthy Computing, Scott Charney. For one, companies continue to see the value and benefits of migrating data to a third-party cloud provider. At the same time, though, they demand a certain level of control over their data and security measures. Scott likened this feeling to some people’s tendency to drive their own car to their desired destination, as opposed to flying there. In order to help companies strike a balance, the industry calls for complete transparency and “technically enforced trust boundaries.”
This sentiment is not unlike how we’ve designed Secure Messaging. With it, companies can set certain policies, such as a date on which a message will expire or a rule against the recipient being able to print a message. Visibility is also key, so we’ve made it easy for senders to track who’s read their messages and even recall them, if required. In addition, the message never leaves the Secure Messaging portal, so the sender retains control of the data the entire time.
Further to what Scott spoke about, and as re-affirmed in our Secure Messaging service, control is not just critical for helping IT administrators sleep soundly at night. It is control that allows companies to keep tabs on who has access to their data and lessen the chances that they are a victim of a breach. The trick here, though, is to not sacrifice the user experience in the process – for example, an employee should be able to send a secure email from his or her inbox without any clunky, productivity-hindering extra steps.
As was mentioned more than once at RSA, hackers are only becoming more advanced. It’s the industry’s job to adapt and innovate in order to mitigate the risk of malicious attacks, both for the protection of our data and our customers’ data.
Email wasn’t designed for sending sensitive or confidential information, yet it remains the most common form of communication in business. Meanwhile, traditional approaches to encryption have been costly and complex.
Credit card details, personally identifiable information and financial data are regularly put at risk when shared over traditional email services.
The result has been that employees regularly disclose sensitive, personal or confidential information to the outside world – often by accident but sometimes even maliciously. The price is the loss of business reputation, valuable intellectual property and customer confidence. Not to mention the risk of potentially expensive legal action.
This is why today we’re announcing the launch of Mimecast Secure Messaging. This new service is designed to help employees confidently send and receive sensitive or confidential information via email.
Recipients access messages via a secure Web portal, fully customized and branded with the sender’s company name, colors and logo – helping ensure brand recognition and recipient confidence.
Here are just three scenarios where Secure Messaging would make a difference:
Secure Messaging is part of Mimecast’s wider cloud email security suite; working alongside gateway, DLP and content controls to help organizations meet compliance regulations, including PCI-DSS, HIPAA and GLBA.
Email security is an essential part of your overall security strategy. It protects users from new and emerging email threats and enforces security controls on information flows. Technologies including anti-virus and anti-spam cover the external threats, but you must also enforce controls on the email flow from within your organization.
In the wake of continued high-profile data breaches, email users now expect to see a higher level of protection to be confident that appropriate measures have been taken to safeguard their sensitive data.
Consider the emails that your organization sends to customers, suppliers and prospects. Will your recipients be satisfied by your security approach?
It’s not David and Goliath. It’s David, without a slingshot, battling a Goliath who has recently beaten David’s more popular brother Google Apps.
The launch of Amazon’s WorkMail makes perfect sense on paper. It should have an offering in the enterprise email server market – its rivals have been in it for years. The trouble for Amazon is that it’s incredibly late and it looks like it has no stand out features. To make matters worse for Amazon, Microsoft unquestionably leads the world in the provision of enterprise email inboxes – both in on-premises Exchange and now in the cloud with Office 365.
Of course, high-profile security breaches such as Sony and Target have heightened the interest of enterprises in the security of their email services. Encryption for email in transit is growing in importance and reflects the critical importance email plays in business, but this is not the be-all and end-all of securing email from snooping eyes, legitimate or otherwise.
Businesses need to be thinking about making their email safe beyond the actual inbox and transit encryption. This is where third-party cloud service providers for email security, archiving and continuity, like Mimecast, come in.
Businesses also have to consider carefully how best to deploy their business-critical services in the cloud era – the answer certainly isn’t relying on one vendor for everything, whether Amazon, Google or Microsoft for that matter. On the other hand, you don’t want a myriad of vendors or you’ll be left paying for, and managing, all this additional technology in the cloud, very much like you are doing on-premises now.
The news about WorkMail doesn’t change this fundamental challenge.
Unseating Microsoft from its position as enterprise email server of choice, with more than 300 million Exchange inboxes out there, will take some revolutionary ideas. Competition is a good thing, of course. Even though we’ve been supporting email services from Google and Microsoft for years, we will look closely at how WorkMail does in the market.
That said, my first assessment of WorkMail from news reports suggests that its basic offering of encryption and calendars, however priced or packaged, won’t be the revolutionary spark Amazon needs to unseat the entrenched competition, potentially even within AWS’ own customer base.
But didn’t they say that about David’s chances against Goliath? No, scratch that. This time the big dog does win.
There’s been a spate of phishing attacks this month seeking to uncover the user credentials for users of various hosted email services. Gmail, Outlook, Yahoo and AOL have all been targeted.
Some reports of the Outlook.com phish seem to have incorrectly claimed it was sent to all 400 million users of the service. In truth, the phishing email was sent to a handful of email addresses in the hope that some would be users of the popular Microsoft service, and be duped into providing their user credentials.
We don’t yet know the ultimate goal of the attackers, but we do know they have identified both consumer and business email accounts that use these services, and that they’re hoping to gain access to that service by duping someone into giving up their user credentials with a convincing-looking, but malicious, login page.
Look carefully at the Outlook.com example, and you’ll start to uncover the art of a well-crafted and targeted spear-phishing attack. What we’re seeing, thanks to Chris Boyd and Malwarebytes, could be the start of a well thought out campaign that’s hunting for something quite specific, in effect, the beginnings of a long speculative con. So far, we’ve seen a number of Outlook.com email addresses being targeted, in a seemingly random way, as well as some collateral fallout to other email domains.
The worst case scenario is the attackers know who they are looking for; the best case is that this is random. What’s likely to happen next is that the newly compromised account will be used to target someone, or something else, in order to add an air of legitimacy. The attackers are likely to use a further spear-phishing technique that tricks their target into clicking a link that downloads a malware dropper to their computer.
Once we’re at that stage, we can assume it’ll be game over for the target: their computer will have been compromised, the remote access Trojan (RAT) will likely have given the attackers access, and they’ll be making off with data or moving on to their next target.
All of this could take hours, days, weeks or even months, but be sure the attackers have the patience to wait it out.
For enterprise users, this type of breach could be catastrophic (see Sony Pictures). What starts with a simple phish can end in a whole lot more trouble. Enterprise users are generally well protected by their IT teams, but URIs (URLs in emails) are still not as protected as they should be. Consider how often you click a link in an email without thinking about it, assuming that the IT team have deployed enough protection to keep you safe. In reality, the Outlook.com phish, like most other types of spear-phishing, is likely to have made it past your enterprise email security gateway. This is exactly what attackers are relying on – they know a malicious file will never get to you, so they try to trick you into clicking their link.
Therefore, protecting the link is the only real way to defeat this threat, and for the enterprise that means adding another layer to the security stack. A layer that can re-write the link and scan it for malicious end points as it’s delivered to the end user. For business users of Office 365 this means a similar layer of security over and above the already useful Exchange Online Protection.
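The link re-writing layer described above can be sketched as follows. This is an added example, not Mimecast's or Microsoft's code: the gateway address, the signing key handling and the `is_malicious` verdict callback are assumptions made for illustration, and the sample hostnames are constructed.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical click-time scanning endpoint (assumption, not a real service).
GATEWAY = "https://linkcheck.example.invalid/c"
# http(s) links in a plain-text body; trailing punctuation stays outside the match.
URL_RE = re.compile(r"https?://[^\s<>\"']+[^\s<>\"'.,;:!?)]")

def _sign(key, url):
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body, key):
    """At delivery: replace every link with a signed link to the gateway."""
    def wrap(match):
        url = match.group(0)
        if url.startswith(GATEWAY + "?"):
            return url                      # already rewritten, leave untouched
        token = base64.urlsafe_b64encode(url.encode()).decode()
        return GATEWAY + "?" + urlencode({"u": token, "s": _sign(key, url)})
    return URL_RE.sub(wrap, body)

def resolve_click(link, key, is_malicious):
    """At click time: verify the signature, then scan the real destination.

    Returns (verdict, original_url); verdict is 'allow', 'block' or 'reject'.
    """
    query = parse_qs(urlsplit(link).query)
    try:
        url = base64.urlsafe_b64decode(query["u"][0]).decode()
        sig = query["s"][0]
    except (KeyError, ValueError):
        return ("reject", "")
    # Unsigned or tampered links are refused so the gateway is not an open redirect.
    if not hmac.compare_digest(sig.encode(), _sign(key, url).encode()):
        return ("reject", "")
    host = (urlsplit(url).hostname or "").lower()
    # The verdict is taken now, not at delivery, so a destination flagged
    # after the message arrived is still blocked.
    return ("block" if is_malicious(host) else "allow", url)
```

Because the verdict is evaluated when the user clicks, a login page that was unknown when the message was delivered can still be stopped once it is flagged.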