Proofpoint, Mimecast, Barracuda and IronPort are traditional email security gateways that redirect traffic through a cloud-based proxy before it reaches the email server. This works well if you assume all threats are external, but these gateways can be blind to internal attacks and compromised accounts.
Gateways Secure the Perimeter
These gateways are some of the most popular email security products on the market, yet they have a fundamental problem with the architecture of their solutions. Because they deploy as a gateway outside your email's cloud, they miss email messages between your employees that never leave your mail provider.
Here's a recent example of this in action. This email comes from a company that is protected by Proofpoint:
The attachment looks like this:
That link has nothing to do with Adobe; it leads to a credential harvesting page.
The compromised user sent this out to more than 500 recipients.
If you don't filter and scan internal mail, this message--and many more like it--will go unchecked.
Gateways Can't Stop Threats in Real-Time
These gateways effectively filter inbound and outbound email. But no amount of work can be done to overcome the problems created by their deployment architecture. Their internal message filtering more closely resembles archiving than true internal scanning, which remediates malicious emails and phishing attacks before they hit the inbox.
Journaling internal email for security scans is fundamentally risky, because it analyzes threats at a delay. Only the gateways and their customers can comment on the length of time between a malicious email arriving in a user’s inbox and them clicking it. But knowing the behavior of the average user, who clicks an email within a minute and 20 seconds of it arriving in their inbox, any interval is too long.
Avanan has a specialized AI model for scanning internal traffic, with indicators relevant for an internally-originated attack. As hackers infiltrate internal accounts to send malicious content to partners, customers, and other employees, Avanan identifies those emails as phishing and blocks them.