The case for a cloud email security supplement (CESS)
Adrien Gendre
August 20, 2020
The high-volume phishing waves of the past have been replaced by sophisticated attacks that even superior technologies fail to detect. For Microsoft 365 business users, cloud email security and the constant onslaught of phishing and malware attempts are an IT burden that many SMBs and even their MSPs are ill-equipped to handle. A cloud email security supplement (CESS), a term coined by Gartner in 2019, is a solution, and in fact a must-have, for any business that is serious about cybersecurity.
The shift to cloud email security brings fortune and pain
The massive migration from on-premises infrastructure to cloud services has empowered SMBs to compete in ways that previously were not possible for small businesses. With Office 365, now Microsoft 365, SMBs gained access to enterprise-level software at SMB-friendly prices. Unfortunately, as more businesses signed on (258 million users as of this writing), hackers took notice.
Microsoft was the most impersonated brand in phishing attacks in five of the last six quarters, thanks to the substantial value of a compromised Microsoft 365 account. Cybercriminals who manage to compromise accounts have access to a business’s most valuable data, whether in the form of email addresses or the sensitive data stored in applications like SharePoint and OneDrive.
Microsoft’s native cloud email security protection
Exchange Online Protection (EOP), once a paid email security add-on for Microsoft 365, is now offered by default, a native solution that many SMBs believe is sufficient to protect their businesses from attacks. But while EOP is effective at blocking known threats, its cloud email security protection is notoriously weak against sophisticated attacks. As a result, some Microsoft 365 business customers purchased secure email gateways (SEGs) to supplement EOP, but SEGs have proven to be only slightly more effective than EOP alone.
First, SEGs, like many traditional solutions, rely on reputation and email fingerprint detection technology that scans for known malware signatures and blacklisted IPs and senders, which limits them to threats that are already known. Second, because a SEG sits in front of Microsoft 365’s architecture, it is not effective against account takeover, one of the more popular Microsoft 365 email attacks. Once an intruder is inside Microsoft 365, a SEG cannot detect the insider activity and the ensuing phishing, malware, or spear phishing attacks that hackers carry out inside the system.
Additionally, deploying a SEG requires an MX record change, an undertaking for SMBs with little to no IT and an additional burden for busy MSPs. And because the SEG can be identified with an MX-record lookup, cybercriminals can adjust their methods to bypass the SEG. Finally, some SEGs require EOP to be disabled in order to function, eliminating the benefit of the layered protection of both the SEG and EOP.
The rise of the cloud email security supplement
Sophisticated phishing and spear phishing attacks are responsible for some of the most well-known cyberattacks and breaches of the last decade. From the phishing email that brought down a presidential campaign in 2016 to the spear phishing email that cost Toyota $37 million in 2019, hard-to-detect email threats can result in catastrophic damages and insurmountable public scrutiny.
The limitations of both EOP and SEGs require a more sophisticated cloud email security solution for Microsoft 365. According to Gartner, a cloud email security supplement provides an added layer of security to EOP and better protection for the hard-to-detect, sophisticated attacks that are so frequently directed at Microsoft 365.
While a SEG might remain the “workhorse” for many businesses, a cloud email security supplement accesses Microsoft 365's cloud email inboxes via API. This allows for the post-delivery remediation capabilities that are not possible with SEGs. While some SEGs can remove an email from an inbox, most require a separate product or module to do so.
While many CESSs focus only on specific threats, primarily phishing, the growing sophistication of cyberthreats should serve as a warning that advanced phishing protection alone is not sufficient.
SMBs and MSPs should consider a cloud email security supplement that can detect the full spectrum of threats, including spear phishing or BEC and malware/ransomware. Spear phishing and malware might represent a fraction of email threats detected, but they can be as damaging and expensive as a phishing attack, if not more so.
Additionally, the fingerprint and reputation-based technologies in most SEGs cannot adequately address today’s threats. A cloud email security supplement with AI-based threat detection offers a broad range of analysis capabilities that fingerprint and reputation scanning simply cannot, including machine learning, anomaly detection, natural language processing, and computer vision. Each works in the following ways to detect email threats:
- Machine Learning: Scans for malicious IPs and URLs, detecting obfuscation techniques such as URL redirections and shorteners, and malicious webpages.
- Anomaly Detection: Scans for anomalies in an organization’s email traffic, including spoofed email addresses from outside the organization.
- Natural Language Processing: Detects words and phrases common in spear phishing or BEC emails, including urgent language and financial requests.
- Computer Vision: Analyzes images to identify distortion techniques used to conceal known phishing emails.
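As an added illustration of the anomaly-detection item above (not Vade's or Microsoft's code, and not part of the original article), the following Python example flags messages from outside the organization that imitate an internal identity. The domain `contoso.example`, the directory entry, the signal labels and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "contoso.example"   # assumption: the protected organization's domain
DIRECTORY = {"dana reyes"}       # assumption: display names of internal users

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoof_signals(raw):
    """Return anomaly labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if domain == ORG_DOMAIN:
        # Exact-domain spoof: From claims the org's domain but DMARC failed.
        return ["internal-domain-dmarc-fail"] if "dmarc=fail" in auth else []
    signals = []
    if edit_distance(domain, ORG_DOMAIN) <= 2:
        signals.append("lookalike-domain")
    if name.strip().lower() in DIRECTORY:
        signals.append("internal-name-external-address")
    return signals

# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": 'From: "Dana Reyes" <dana.reyes@contos0.example>\n'
                 "Subject: Urgent wire transfer\n\nPlease pay today.",
    "freemail": "From: Dana Reyes <dana.ceo@mail.example>\n"
                "Subject: Quick favor\n\nAre you at your desk?",
    "exact": "From: Dana Reyes <dana.reyes@contoso.example>\n"
             "Authentication-Results: mx.contoso.example; dmarc=fail\n"
             "Subject: Invoice\n\nSee attached.",
    "clean": "From: Sam Ortiz <sam@partner.example>\n"
             "Subject: Meeting notes\n\nAttached.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, spoof_signals(raw))
```

Only an `Authentication-Results` header stamped by your own receiving server should be trusted for the DMARC check; the same header arriving from outside can be forged.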
A better solution for MSPs
The complexity of SEGs and the limitations of EOP create an added burden on MSPs, especially those focused on growth. A cloud email security supplement for Microsoft 365 checks a series of boxes for MSPs that are focused on growth and serious about cybersecurity:
- Easy to deploy and manage
- Faster time to value
- Residual gains from operational efficiency
- Increased protection for clients
- Higher margins through Microsoft 365-focused bundles
Vade for M365 provides an added layer of protection to Microsoft 365 that catches what Microsoft misses. A cloud email security supplement that works with rather than against EOP, Vade for M365 can be deployed in a matter of minutes, requires no MX record change, and ingests your current Microsoft Exchange rules without needing to copy them over to Vade. Designed for busy MSPs, it’s a low-maintenance solution that can be bundled with additional Microsoft 365 products, offering improved email security and increased margins.