Assembling security tools to capture context, correlation and causation.
In today’s guest post, Dave Detweiler, Sales Director at SEI IT Services, provides insight into the importance of email visibility as part of a well-protected IT platform.
“The best way to prevent email attacks is to keep them from ever reaching employees’ inboxes.” – Captain Obvious
Of course, there is no foolproof defense for any of the 3 pillars of cybersecurity – email included. How well one can control risk depends on how much visibility one has and on the ability to act on what is seen. Breadth of coverage is how email visibility is attained.
“No Silver Bullet” is true for email visibility and protection; no single tool provides everything. Breadth of coverage refers to utilizing multiple tools that each “see” certain types of events and close coverage gaps. Visibility is so crucial that some tools used in a security program don’t even stop attacks – they exist solely to collect data that other tools miss. All will contribute information back to the centralized cybersecurity platform for context in remediation of incidents. Similar to utilizing all five senses, coverage from multiple tools that see different types of information can allow a security analyst to discern that: “The room looks OK, I don't hear any noise ... but it smells like methane. There’s a problem to dig into."
Take sophisticated email spoofing: an attacker sets up similar-looking domains or email addresses in the hope of tricking employees. Instead of firstname.lastname@example.org, an attacker may create a spoof address that uses two v’s (vv) in place of the w: email@example.com. From the security side, Levenshtein (lev) distance matching increases visibility. “Le-what?” Levenshtein distance counts the single-character edits (insertions, deletions, substitutions) needed to turn one string into another, so lev matching can surface near-miss patterns like this on both sides of the @ symbol and help keep such emails from ever reaching employees’ inboxes.
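To make the lev matching above concrete, here is an added example (written for this post, not a tool from SEI) that screens an inbound sender address against a constructed allowlist on both sides of the @ and flags near misses; the allowlist entries and addresses are assumed values.

```python
# Added example: Levenshtein-distance screening of sender addresses.
# TRUSTED_DOMAINS / TRUSTED_LOCALS and the sample addresses are constructed.

def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (Wagner-Fischer, two-row variant)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]

TRUSTED_DOMAINS = {"northwind.com"}                     # constructed allowlist
TRUSTED_LOCALS = {"jane.doe", "accounts.payable"}       # constructed allowlist

def nearest(value, candidates):
    """Closest allowlist entry to value and its edit distance."""
    return min(((c, levenshtein(value, c)) for c in candidates),
               key=lambda pair: pair[1])

def screen_sender(address, max_distance=2):
    """Verdict for one sender address. An exact match is not a near miss;
    a distance of 1..max_distance on either side of '@' is a lookalike."""
    local, _, domain = address.lower().rpartition("@")
    reasons = []
    for side, value, allow in (("domain", domain, TRUSTED_DOMAINS),
                               ("local-part", local, TRUSTED_LOCALS)):
        match, dist = nearest(value, allow)
        if 0 < dist <= max_distance:
            reasons.append(f"{side} {value!r} is {dist} edit(s) from trusted {match!r}")
    if reasons:
        verdict = "lookalike"
    else:
        verdict = "trusted" if domain in TRUSTED_DOMAINS else "unknown"
    return {"address": address, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    for addr in ("jane.doe@northwind.com", "jane.doe@northvvind.com",
                 "jane.d0e@northwind.com", "bob@contoso.com"):
        print(screen_sender(addr))
```

A small threshold will also catch legitimate domains that happen to sit close to an allowlisted one, so near-miss hits are best forwarded to the centralized platform as context rather than used as an automatic block.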
Another attack trend involves encrypting email attachments. Why encrypt the attachment, and how does the attacker get the employee to launch the attack if the attachment is encrypted? Attackers encrypt the attachment for two main purposes:
- Encryption hides the contents of the attachment. Just as with network visibility, email protection solutions cannot protect against what they cannot see.
- The email will generally contain instructions for how the employee can decrypt the attachment (e.g., using the last 4 digits of an account number mentioned in the email). These instructions make the email seem legitimate and can lull employees into a false sense of security.
Modern email protection solutions that provide breadth of coverage should be able to decode, decrypt and decompress email content (encrypted attachments included) to combat the latest malware delivery, business email spoofing, business email compromise and phishing techniques. Normalizing these email details into the standard RFC 822/2822 message format and ingesting them into a centralized cybersecurity platform enables full visibility and analytics in the email pillar.