Email Security

    Cloud Email Security Supplements: 7 Questions CESS Vendors Really Don’t Want You To Ask

    As cloud email security supplements come in vogue, ask vendors these questions to determine if the effectiveness they offer matches your organization’s risk tolerance.


    Key Points

    • Led by Microsoft, enterprise messaging platform providers are increasing their security capabilities, leading to the emergence of cloud-based “supplemental” security startups.
    • But cloud email security supplementals face challenges that can still leave many gaps, such as their reliance on throttled APIs and algorithmic machine learning based on limited training data, among others.
    • Explore these seven questions to determine whether your organization can tolerate the risks associated with cloud email security supplements, or if it requires a more comprehensive layered security approach.

    As more and more of the world’s organizations gravitate toward the cloud to improve, simplify and consolidate their productivity tools — with Microsoft 365 leading the pack — those platforms’ adoption, users and data grow exponentially, and they become a much higher-value target for hackers. . Consequently, platform providers, Microsoft included, have begun expanding their security offerings. At the same time, a new type of “supplemental” security tool has emerged from several startups, aiming to plug the inevitable gaps cybercriminals find in the homogeneity of any single vendor’s “monoculture” security solution.

    Called cloud email security supplements (CESS) by the research firm Gartner, these startup vendors, such as Avanan, Darktrace Antigena, Agari and Abnormal Security, say the security their systems provide, combined with Microsoft’s native tools, create a defense strong enough to render more comprehensive security systems, such as secure email gateways (SEGs), redundant. Naturally, the real world is not that simple. 

    Emergence of Cloud Email Security ‘Supplements’ (CESS)

    In its 2020 Market Guide for Email Security report, Gartner noted that Microsoft has been investing in improvements to messaging security, and that all editions of Microsoft Office 365 now include Exchange Online Protection’s (EOP’s) basic email security. Many companies are relying on these built-in tools: Gartner research shows that one in four organizations routes its email traffic directly to Microsoft cloud email, using the platform’s native security capabilities as their first line of defense against email-borne threats. While Microsoft’s built-in security tools have improved, Gartner clients say they are dissatisfied with the natively available capabilities. Mimecast’s State of Email Security 2021 (SOES) report corroborates that finding, with nine out of 10 respondents saying they strongly believe they need additional layers of email security over and above what Microsoft provides.

    These beliefs gave rise to cloud email security supplements. CESSes are entirely API-based products that target only certain threats — specifically, the ones that Microsoft 365 is challenged to defend, such as phishing and business email compromise (BEC). The same technology is called cloud-native API-enabled email security, or CAPES, by Forrester. CESS (or CAPES) systems plug into Exchange Online using APIs to claw back and reinspect what Microsoft has already delivered. They then apply artificial intelligence, in the form of machine learning trained by user feedback, to identify patterns and eventually anomalous behavior. The systems remediate threats using inbox claw back and/or banners to identify potential threats. CESS systems don’t require an MX record change and many don’t require rules-based configuration.  

    CESS vendors tout their solutions’ use of AI/ML and ease/lack of configuration, saying their tools provide security strong enough that organizations can feel comfortable eliminating SEGs. However, with email the No. 1 threat vector, organizations must thoroughly test these vendor claims.

    Here are seven questions for CESS vendors to help you do so.

    1. Do you rely on Microsoft APIs to access email?

      Most CESS platforms rely on Microsoft APIs, which cannot guarantee inspection of all emails amid the massive volumes that even small organizations send and receive. Microsoft APIs are throttled — meaning only a limited number of API requests can be made in a certain period — so it’s almost certain that users will be exposed to malicious emails for some period of time. For example, they could click on a phishing link or open an attachment with embedded code that triggers a ransomware attack before the email can be clawed back from the inbox. 

      Some CESS vendors have responded to this limitation with a technical solution that requires each customer to deploy mail flow (transport) rules in their email platform, which divert emails to the CESS for scanning before they reach users’ inboxes. This solves the problem described above but presents a new set of challenges for organizations with complex email routing needs who might already have many mail flow rules configured.

      A secure email gateway, in contrast, does not present email routing challenges and it blocks threats as close to the source as possible. And due to the greater amount of data that mature SEGs process (and have processed over time), these systems are better at stopping a wider range of potential email threats before they reach users’ inboxes — or, for that matter, before a CESS deployment has even been exposed to the email flow.
    2. Do you rely on M365 security to block as many threats as possible?

      Threat actors are constantly bombarding M365 with new and increasingly sophisticated attacks, and the productivity platform simply can’t catch everything. Of course, that’s the raison d'etre for CESS, but this is where CESS claims of negating the need for SEGs leads becomes contradictory. Security professionals agree a multilayered defense is necessary for the best possible protection, and SEGs have long-proven track records of blocking more spam, malware, and targeted email threats than M365 alone. Mimecast’s secure email gateway platform, for example, blocks 22% more malicious content than Microsoft. Organizations will need to determine whether it makes sense to use an SEG to block more email-borne threats than Microsoft before the threats ever reach users’ inboxes, or to rely on CESS systems to remediate the threats that Microsoft misses after users are exposed to (and could potentially act on) those threats. 
    3. What detection technology do you use?

      CESS vendors tend to focus on solving point problems — such as phishing and BEC — using a narrow set of tools and capabilities. They promise reduced management overhead by offering comparatively limited rule-based configuration, relying instead on AI/ML trained by user reporting of false negatives and positives. While this hands-off model sounds appealing, especially to smaller companies with limited IT security staff, the lack of granularity takes away an organization’s ability to tune based on its own risk tolerance, the specific threats that are targeting them, and other factors. In addition, it’s a flawed assumption that most end users will be diligent about reporting, especially over time.  

      Companies evaluating CESS systems should compare them with the detection technology used by proven secure email gateways. Mimecast, for example, uses multiple detection technologies and more than 50 integrated detection engines that combine to produce best-in-class security and low time to protection against new threats. Crowdsourced and correlated threat data mined from the company’s 40,000+ customer base — reams of data collected over many years — informs Mimecast threat intelligence, producing better detection. 

      Further, today’s ever-changing organizational perimeter requires the ability to integrate multiple defense mechanisms quickly, flexibly, and intelligently. No vendor should be an island. To that end, Mimecast has invested in a library of open APIs and off-the-shelf third-party integrations that enable organizations to layer security based on best-of-breed technologies, from endpoint to email and web gateways, and from threat prevention and remediation to data loss prevention. But unlike in CESS systems, which use APIs to access customer emails so they can assess their risk, Mimecast’s APIs are deployed for the purpose of sharing threat intelligence with other best-of-breed security providers.
    4. What is your false positive rate? How do you measure and mitigate it? 

      This is a question CESS vendors likely will not be able to answer because of their reliance on artificial intelligence, which is highly prone to false positives. Companies need to be sure that all suspicious emails are being detected, but they also need assurance that suspicious emails are truly suspicious. Numerous false positives are a significant burden on companies, especially those that are short staffed and/or lacking experience. AI is certainly an important part of any email solution’s set of capabilities, but to be truly effective it must be used in combination with other detection capabilities, such as file analysis and sandboxing, and finely tuned rule-based policies.
    5. Will you protect my users on all devices? 

      One of the keys to email security is engaging users and alerting them to potential phishing, brand impersonation or other attacks using warning banners. But banners work only if users can see them. Many CESS systems use HTML banners, which don’t always render correctly, especially on non-Outlook clients. Mimecast, in contrast, uses banner images — which render correctly on any device — that are color-coded according to threat level, and include contextual information to educate recipients and help them determine whether the email is a genuine threat. 
    6. What happens as my business evolves?

      Security controls need to be constantly updated and improved to outsmart threat actors. By the same token, the risk level associated with email messages changes as businesses grow and change, global conditions evolve, regulations mature and the cyber threat landscape shifts. Many CESS vendors perform automated remediation, based on the limited amount of data and user interaction that these typically smaller, newer companies have.

      This is actually an area where AI, specifically ML, shines, in conjunction with multiple detection engines, DNS authentication and end user awareness training. Mimecast’s new CyberGraph capability, for example, engages users at the point of risk with color-coded banners that indicate the potential nature of a threat. As the risk associated with an email changes — as determined through crowd-sourced threat intelligence — the banner in that email and any similar emails is updated. This ability enables organizations to more effectively integrate security into their productivity tools by engaging employees with the information they need to make smart decisions about email-related risks.
    7. Do you rewrite URLs and perform time-of-click analysis?

      Many CESS vendors rely on Microsoft’s built-in URL protection, one of the native capabilities customers have found lacking. If a CESS vendor says it layers additional URL protection and time-of-click analysis on top of what Microsoft provides, press the vendor for details on what technology it is using and how deep the protection goes. As a point of comparison, Mimecast’s secure email gateway uses multiple layers of technology to scan URLs, including deep web page analysis for higher security efficacy.

    The Bottom Line

    Threat intelligence data points to rising complexity in cybercriminals’ attacks on businesses; threats such as business email compromise or phishing are becoming more difficult for employees to spot and can have even greater impacts on organizations. With the parallel rise in email threat and businesses’ email dependence, it’s critical that organizations seek multilayered security defenses and carefully vet the claims of any vendor purporting to secure messaging systems — especially when they recommend removing a proven layer of email security protection. Avoid these pitfalls and get a demo; the business, its employees and its customers are all at stake.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top