How many times a day do you check your email on your phone? For 85% of us, checking email on mobile is the default. It's simple and easy.
And if you have API-based email security products, it's a security risk.
API-based email security providers work by removing a malicious email after it reaches the inbox. Their marketing literature says it takes a millisecond. We know this takes around five minutes, in actuality--and oftentimes far longer.
But even if it took exactly a millisecond--and we wrote about why that's not possible here--it's not the only place where it has to be remediated.
Let's review inbox incursions first.
A malicious email is sent to a user. Because these API solutions are not inline, they are automatically delivered to the inbox first. After it hits the tenant, there's a race between it being removed and the user clicking. This race condition tends to favor the user, as we've detailed before.
While this race is happening, there's a lot going on behind the scenes. It starts with the copy being sent to the API provider for analysis.
If it's deemed malicious, here's where things get interesting. The provider will do an API call to either delete or move the message to quarantine. When that happens, the email is removed.
But it's not removed everywhere. Your email lives on your phone, on your desktop client. It won't be removed until the agent syncs. So an email can be removed by the service, but if your phone or desktop client hasn't synced yet, there the email will lie, available for your end-users to click on and interact with.
How long this takes depends on how often your agent sync, whether manually or automatically. Regardless, there's a dwell between when the solution provider removes the email and when it's removed from all available avenues.
Avanan does things differently. Yes, we're API-enabled. But we work in a way that allows for scalability and avoids throttling.
Avanan is using the Microsoft API across the system but not for the real-time email retrieval that needs to work at wire speed.
- We use API to set inline scanning - this is our patent
- We use API to apply the configuration so you never need to open the Office 365 console. However, it is a one-time operation during the initial setup
- We use APIs to pull the user lists and groups, their titles, etc, all to provide the context and social graphs for better analysis. But that’s an offline process with a very limited number of calls
- We use API for the manual quarantine as part of our “search and destroy” for post-delivery analysis. But that’s triggered by the admin and for a select set of emails, a far smaller subset than every email coming in
For real-time emails - we use SMTP. It’s scalable and it can be inline.
A millisecond is often not a millisecond--especially when it relates to the agent sync. Be sure you know exactly how long the agent sync takes. It's a matter of security.