Part I: Why Proofpoint and Mimecast Can't Secure Office 365 and Gmail
Posted by Gil Friedrich on August 11, 2017
Proofpoint and Mimecast were the premier email security solutions for legacy on-premise email platforms, such as Exchange or Lotus Notes. But using them for cloud-based Office 365 or Gmail actually blinds Microsoft and Google's default security. In some cases, you are better off without these email gateways. (In "SaaS Email Security: 7 Reasons not to Use an MTA Gateway," we summarize why an email gateway is not the right solution for cloud email.)
Proofpoint and Mimecast are blind to Office 365 built-in defenses.
As a security company, we observe many phishing attacks. Among these, one of the most enduring threats is also the most ironic: deploying a secure email gateway from Mimecast or Proofpoint allows emails that would have been blocked by Office 365 or Gmail to bypass all security. This boils down to spending money on a security solution that actually worsens your security posture.
When you double-stack your security with a secure email gateway, you must disable Microsoft and Google's spam filters—which play a key role in anti-phishing. This is why upon deployment, you will often be advised by Proofpoint or Mimecast to disable your default spam filtering and rely solely on the gateway.
Installing a secure gateway makes emails bypass the native security of your cloud-based email provider.
Email security solutions like Mimecast and Proofpoint change certain indicators in the email's header, blinding some critical aspects of the default security layers in Office 365 and Gmail.
After the email passes through the gateway, Google and Office 365 can no longer interpret two main indicators of phishing because:
1. The sender's IP address is changed.
After a secure email gateway is configured, O365 and Gmail no longer see the IP address, which identifies the original sending server of the email. As an email passes through the secure email gateway, it replaces the sender’s IP with its own IP address.
The following information also becomes unavailable, making the controls that depend on it ineffective:
- Black-listing of senders
- ISP information and its reputation
When all mail going through the gateway is “from” the gateway, identifying threats becomes more difficult.
2. SPF (Sender Policy Framework) fails.
Email providers prevent sender address forgery using SPF, a DNS-based security protocol/mechanism, by verifying the sender’s IP address against the sender’s domain.
With this in mind, imagine you’ve deployed a secure email gateway atop the default security stack of your cloud email. On the same day, the cloud email server receives a legitimate email and a spoofed email, both claiming to come from Bank of America. For both emails, SPF fails, because your email provider sees that the secure email gateway’s IP is not allowed to send on behalf of the sender’s domain.
Because of this issue, secure email gateway vendors tell you to disable the spam and phishing filtering of your email service. Although SPF is not fail-proof, it remains an important indicator for the genuineness of the email.
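To make the two points above concrete, here is an added example (written for this page, not code from the original post or from any of the vendors named) that evaluates a simplified SPF check twice for the same message: once at the first hop, where the originating IP is visible, and once at the cloud provider sitting behind a gateway, where the only IP it sees is the gateway's. The domain name, the SPF record and every IP address are constructed placeholders. Real SPF evaluation also resolves include, a, mx and redirect terms via DNS; this check models only ip4 and all so that it runs offline.

```python
import ipaddress

# Constructed SPF record for a placeholder domain (not any real bank's record).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Simplified SPF evaluation: ip4 mechanisms (with optional CIDR) and the
    catch-all 'all', each with an optional qualifier. No DNS lookups are made."""
    record = records.get(domain)
    if record is None:
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the leading 'v=spf1'
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # include/a/mx/redirect are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


# Two constructed messages with the same envelope sender: one really sent from
# the bank's mail server, one spoofed from an unrelated address.
LEGIT = {"mail_from": "alerts@bank.example", "origin_ip": "198.51.100.25"}
SPOOF = {"mail_from": "alerts@bank.example", "origin_ip": "203.0.113.77"}

# Outbound IP of the secure email gateway that relays mail to the cloud provider
# (constructed). Once it relays, this is the only IP the provider sees.
GATEWAY_IP = "192.0.2.10"


def spf_seen_by(message, connecting_ip):
    """SPF result a receiving host computes when `connecting_ip` is the
    address that delivered the message to it."""
    domain = message["mail_from"].split("@", 1)[1]
    return check_spf(domain, connecting_ip)


def compare(message):
    """SPF result at the first hop (the gateway sees the true origin IP) versus
    at the cloud provider behind the gateway (it sees only the gateway's IP)."""
    return {
        "at_gateway": spf_seen_by(message, message["origin_ip"]),
        "at_provider_behind_gateway": spf_seen_by(message, GATEWAY_IP),
    }


if __name__ == "__main__":
    for label, msg in (("legitimate", LEGIT), ("spoofed", SPOOF)):
        print(label, compare(msg))
```

The legitimate message passes at the gateway and the spoofed one fails there, but behind the gateway both produce the same fail, so the provider's own SPF evaluation can no longer separate them; this is the loss of signal the post describes.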
Proofpoint and Mimecast can't stop internal threats in real-time.
Secure email gateways deploy outside of cloud email to scan inbound threats and, for an extra price, outbound threats. By default, Mimecast and Proofpoint don't scan internal email, but they offer it—just not in real-time. Recently, they have introduced a separate product for internal email. Secure email gateways rely on a Rube Goldberg-ian system of tools to quarantine malicious email after it has reached the inbox and has been opened by the victim.
As you can see in Proofpoint's infographic below, these systems:
1. Copy every email.
2. Send the copy to the external email gateway for inspection.
3. Occasionally poll the gateway from the on-premise appliance to see whether any messages were found to be bad.
4. Only then quarantine the email, which is already in the user's inbox.
Some of these systems proclaim their ability to track down forwarded emails, which only emphasizes the weakness of the mechanism; by the time they discover the threat, it's already been read, clicked, and forwarded.
Essentially, this is a separate process for scanning internal email. No matter how effective their scanning is, this architecture will never catch threats in real-time.
The solution: securing email from inside the cloud.
Avanan’s anti-phishing solution is different from your legacy email gateway in a few key ways:
1. Avanan deploys within your cloud email—as an app.
Because Avanan is deployed internally, we are uniquely positioned inside of cloud email. We scan for internal threats without the additional, cumbersome configuration that gateways require.
- Approve our app from your admin account and in minutes, Avanan connects directly to the native API of your Office 365 or Gmail environment—completely out of band, with no need for a proxy, appliance, or endpoint agent.
- We see everything that Google and Microsoft can, and catch threats that were specifically engineered to bypass them.
Deploying from within cloud-based email creates an architectural advantage.
Rather than replacing one security layer with another, as you would with a secure email gateway, Avanan is an additional security layer added to the default security in the platform.
2. Instead of depending on domain blacklists and Big Data, Avanan’s novel anti-phishing algorithm makes security decisions with Natural Language Processing and Machine Learning.
Instead of just relying on Big Data to prevent threats, which looks outward at a magnitude of similar emails, Avanan considers the language and behaviors specific to your organization to detect internal and external threats.
- Our machine learning leverages your users and their behaviors to build additional indicators of phishing. By contextualizing their past behavior such as login locations and times, emails opened, deleted, replied to, and forwarded, and more, Avanan can identify suspicious behavior that indicates specific email-based threats.
- AI baselining engages the end-user in detecting suspicious email activity by first looking for an array of phishing indicators, then presenting a message to the end-user, and finally asking them if they know or trust the sender. In this way, the algorithm learns what is legitimate or malicious.
- Avanan shows a warning to the end-user in the email explaining why the email is suspicious, with messages like "We have never seen this sender" or "We normally see this user from this email address." From there, users can choose to trust the sender or report it as phishing. Taking each response into account, Avanan’s machine learning evolves from these user decisions.
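As an added illustration of the sender-baselining idea described above (an example written for this page, not Avanan's own algorithm or code), the following builds a per-mailbox baseline of display-name and address pairs from constructed history, flags a sender that has never been seen or a familiar display name arriving from an unfamiliar address, and folds the user's trust or report decision back into the baseline. The mailbox history, names and addresses are all constructed.

```python
from collections import defaultdict

# Constructed history for one mailbox: (display_name, address) pairs taken
# from messages the user has previously received, replied to or forwarded.
HISTORY = [
    ("Alice Chen", "alice.chen@corp.example"),
    ("Alice Chen", "alice.chen@corp.example"),
    ("Payroll", "payroll@corp.example"),
]


def _norm(value):
    return value.strip().lower()


def build_baseline(history):
    """Index the history two ways: the set of addresses seen for each display
    name, and the full set of addresses the mailbox has ever corresponded with."""
    by_name = defaultdict(set)
    addresses = set()
    for name, addr in history:
        by_name[_norm(name)].add(_norm(addr))
        addresses.add(_norm(addr))
    return {"by_name": by_name, "addresses": addresses}


def assess_sender(baseline, display_name, address):
    """Classify an inbound From header against the baseline.
    Returns (verdict, user-facing message)."""
    name, addr = _norm(display_name), _norm(address)
    known_for_name = baseline["by_name"].get(name, set())
    if known_for_name and addr not in known_for_name:
        # Familiar display name from an unfamiliar address: the display-name
        # spoofing pattern the in-mail warning is meant to surface.
        usual = sorted(known_for_name)[0]
        return ("suspicious", f"We normally see this user from {usual}")
    if addr not in baseline["addresses"]:
        return ("new", "We have never seen this sender")
    return ("known", "")


def record_feedback(baseline, display_name, address, trusted):
    """Apply the user's decision. A sender the user trusts joins the baseline
    so the warning is not repeated; a reported sender is kept out of it.
    Returns the verdict the sender would now receive."""
    if trusted:
        name, addr = _norm(display_name), _norm(address)
        baseline["by_name"][name].add(addr)
        baseline["addresses"].add(addr)
    return assess_sender(baseline, display_name, address)[0]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(assess_sender(baseline, "Alice Chen", "alice.chen@webmail.example"))
    print(assess_sender(baseline, "Bob Ortiz", "bob@partner.example"))
    print(record_feedback(baseline, "Bob Ortiz", "bob@partner.example", trusted=True))
```

The display-name check runs before the never-seen check on purpose: a message from a known name at a new address is the more dangerous case and should not be softened into a generic "new sender" notice. A production baseline would also carry the behavioural signals the post lists (login locations, reply and forward patterns), which this example leaves out.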
3. Avanan lets you choose from 3 modes of protection.
With Avanan, you choose from three modes of when, where, and how we secure your email. Moreover, Avanan’s anti-phishing workflows secure email without blocking traffic or disrupting business.
- Monitor only: Manual and automated query-based quarantines are available after delivery to the user mailbox.
- Detect and Prevent: Scans after delivery and adds an automated policy action to quarantine malware and phishing, with user notifications and release workflows available.
- Protect (Inline): Scans and remediates emails before delivery to the end user’s inbox.
4. Avanan lets you add even more layers of defense to your anti-phishing strategy.
We have cloudified pre-configured, zero-management versions of the top security tools in the industry and put them on our platform. Each security tool is available from within our app; from our platform, you can observe them running in parallel, acting as additional layers of security, and compare what they catch.
Avanan provides you with layers of defense so you are never relying on a single security tool's catch rates.
5. Setting up Avanan doesn’t put you at risk.
Secure email gateways require that you change your DNS MX record to point to the security provider instead of your cloud email provider. The consequence of this setup is that any hacker can know what security service you have selected and reverse engineer it in a replicated environment to eventually send you malware that they know can bypass your security measures.
On the other hand, Avanan’s API-based solution does not expose the security you chose. You can add as many security tools on our platform as you choose—all scanning in parallel all emails, all invisible to potential hackers.
At the end of the day, email security is about catch rates.
We turned to one of our customers, a CIO at an IT management company of 3,000 employees who would prefer to remain anonymous. He said, “Avanan caught 162 phishing attacks during our 2-week trial, compared to Proofpoint and Mimecast, which caught 101 and 69, respectively. It even had a better false positive rate.”
**This post was updated on November 20, 2018.**