The Evolution of Email Security Platforms
Three generations of email security approaches followed by the global community are explained starting with first generation focus on virus filtering, second generation focus on...
1 BACKGROUND
The cyber security community understands fully the importance of email in offensive attack strategies by adversaries. The use of email vulnerabilities such as malware-laden attachments or phishing links to malicious sites remains an important component in attacks such as advanced persistent threats (APTs) initiated by offensive actors such as nation-states. For this reason, email security has emerged as a foundational component in the field of cyber security.
As a result, it is both educationally instructive and practically useful to understand the evolution of the email security threat from the perspective of both the offensive attacker and the defensive practitioner. This evolution spans the time starting with the first emails being sent in the 1970’s over Arpanet to the present era, where email serves as the backbone for most business and even personal communications [1].
The evolution is presented in three phases, starting with first generation use of computer viruses as payloads in emails sent from hackers to unsuspecting recipients. This is followed by a second-generation era in which gateways were used to filter and mitigate these viruses and other threats with varying levels of success. The present third generation of email security is shown to be characterized by advanced analytics that can intelligently secure email services.
2 FIRST GENERATION: VIRUS FILTERING
First generation email security emerged well-into the initial use of email as a personal and business platform. At the outset, it was unclear which threat models would drive users of email toward protection. Industry icon Bruce Schneier, for example, penned an early book on email security that focused on the use of public key infrastructure (PKI) for secrecy [2]. This encryption method never caught on and remains largely unused across email infrastructure.
Eventually, in the 90’s and early 00’s, the industry determined that viruses could be transported via email as a convenient mechanism for attack propagation. This required that two conditions be met: First, the virus would have to execute in the targeted environment – and this soon became a non-problem as Microsoft Windows came to dominate the PC ecosystem for both business users and most home and family users.
But second, the virus attachment would need to be clicked on for download and execution. This requirement led to what we would now refer to as social engineering and phishing attacks. These were much simpler in the early days when users held the view that inbound email should be trusted. Recent advances in user awareness training have made phishing tougher, but still quite successful with many innocent and unsuspecting email recipients.
Figure 1. First Generation Email Virus Attacks
The most common solution implemented during this first generation of email security attacks involved using anti-virus software to secure the PC. The method relied heavily on the use of attack signatures to detect viruses. While this worked initially, variants were quickly developed to sidestep the detection [3]. Modern PC security tools use behavioral analytics and machine learning to detect the presence of unwanted malware more accurately.
Nevertheless, such methods presume the existence of viruses and focus on their detection and removal. This is a valuable strategy, especially when one assumes that exploits are mostly inevitable, and the cyber security industry has developed many solutions with this emphasis. Popular tools and platforms that carry the detection-response (DR) suffix in their names involve “shifting right” to address an on-going threat.
3 SECOND GENERATION: GATEWAY PROCESSING
The second generation of email security involved attempts to be more proactive about these viruses and the malware-leading URL links that would arrive in a recipient’s inbox. The observation was made that if such threats come in through the usual series of store-and-forward nodes that characterize email transport, one or more of these intermediate processing steps could be used for security inspection.
This is the origin of the well-known secure email gateway (SEG) platform, which has become almost ubiquitous in enterprise business and government agency email systems. The SEG was expected to be an extremely effective solution because control existed over how inbound email was handled. That is, the SEG could be placed in paths (via redirection) that would provide high levels of coverage for email being sent and received.
The good news during the 00’s and early 10’s was that this type of coverage, combined with processing methods that improved on early signature models, did offer (and continue to offer today) considerable risk reductions for inbound email attacks. This helps to explain why so many organizations continue to use a commercial SEG, and why this protection method is unlikely to disappear from enterprise architectures in the near term.
Figure 2. Second Generation SEG Filtering
Additional good news during this second generation was that standards teams developed new schemes for authenticating email sender identities. The open DMARC standard (Domain-based Message Authentication, Reporting, and Conformance) was the dominant contribution, and it allowed senders of email to bind their originating IP address to any email carrying their domain [4]. This was designed to be done via DNS records, which would allow recipients to enforce policies for handling mismarked email.
Sadly, two problems quickly emerged for DMARC during this second generation. First, many enterprise teams had trouble configuring records, especially in enforcement mode. The use of DNS TXT records for DMARC continues to make it tough for non-experts to navigate the difficult syntax and error-prone editing process required to properly set up DMARC in DNS without causing unwanted negative side-effects.
Second, the DMARC standard has some awkward constraints that make it hard to use with cloud services. For example, there is a domain limit of ten rule sets in the Sender Policy Framework (SPF) portion of DMARC [5]. Since the whitelisting of public clouds will require several rule sets per service, many organizations will be forced to specify certain cloud sender security information by IP address – and this is neither convenient nor easy.
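The two configuration difficulties just described can be checked mechanically. The following Python is an added example (not from the original article): it counts the DNS lookups an SPF record consumes against the RFC 7208 limit of ten (each `include`, `a`, `mx`, `ptr`, `exists` and `redirect` term costs one, and nested includes are followed), and parses a DMARC TXT record into its tags so that a malformed policy is caught before publication. The zone data is constructed for the example; nothing queries live DNS.

```python
import re

# Terms that consume one of the ten DNS lookups allowed by RFC 7208, section 4.6.4.
# ip4, ip6 and all are evaluated without a lookup and are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed sample zone standing in for DNS TXT records (not real domains).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail-saas.example include:_spf.crm.example -all",
    "_spf.mail-saas.example": "v=spf1 include:a.saas.example include:b.saas.example ~all",
    "a.saas.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    "b.saas.example": "v=spf1 a mx ptr ~all",
    "_spf.crm.example": "v=spf1 a mx redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",   # deliberately self-referencing
}

def spf_terms(record):
    """Yield (name, argument) pairs from an SPF record, qualifier and CIDR stripped."""
    for term in record.split()[1:]:                  # drop the leading v=spf1
        m = re.match(r"^([a-z0-9]+)(?:[:=]([^/]*))?", term.lstrip("+-~?"), re.I)
        if m:
            yield m.group(1).lower(), m.group(2) or ""

def count_spf_lookups(domain, zone, seen=None):
    """Total DNS lookups needed to evaluate `domain`, following include:/redirect=
    into `zone`. `seen` guards against include loops, which would otherwise recurse forever."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for name, arg in spf_terms(zone.get(domain, "v=spf1")):
        if name in LOOKUP_TERMS:
            total += 1                               # this term itself costs one lookup
            if name in ("include", "redirect") and arg:
                total += count_spf_lookups(arg, zone, seen)
    return total

def spf_within_limit(domain, zone):
    return count_spf_lookups(domain, zone) <= SPF_LOOKUP_LIMIT

def parse_dmarc(record):
    """Return the tag dict of a DMARC TXT record, or None if the version or policy is invalid."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

if __name__ == "__main__":
    print("example.com lookups:", count_spf_lookups("example.com", ZONE))   # 13, over the limit
    print(parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

Whitelisting three cloud senders here already costs 13 lookups, which is exactly the situation that pushes organizations toward listing sender IP addresses directly.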
4 THIRD GENERATION: CLOUD-BASED ANALYTICS
The third and present generation of email security benefits from the pros and cons of anti-virus filtering, SEG processing, DMARC controls, and other capabilities used to reduce risk. This includes years of working with employees and users to help them make better decisions regarding security. This aspect of conventional email security is particularly important because it highlights the synergy that can exist between systems and people at the human layer.
State-of-the-art platforms for email security today have precisely this attribute – namely that they can take full advantage of the things that software systems do best (e.g., process data) combined with things that humans do best (e.g., recognize patterns). The result is an analytics-based security approach natively tied to cloud infrastructure that has the strong potential to bend the risk curve downward for email infrastructure.
Elements of this third-generation email security solution include the following key protection features and risk controls:
Behavioral Analytics – Behavioral analytics involve ingest of relevant factors, processing based on correlation and related strategies, and reporting through a variety of channels, including via application programming interfaces (APIs) to other security tools.
Automated Learning – With recent advances in machine learning algorithms, email security can improve continually based on patterns detected in test traffic or in live email traffic (e.g., for deep learning systems).
Personalized Protections – Tailoring email security to match the preferences and usage patterns of individual users allows for more accurate handling and security. One user might view an email as spam, whereas another might view the same email as fine.
Cloud-Native Controls – The use of cloud infrastructure has emerged as particularly useful for email security since it offers ubiquitous access for both ingest of threat intelligence, as well as for access to email systems.
Quantitative Risk Profiling – Quantifying risk allows for effective reporting of email security posture, which can be helpful when stipulating minimum security levels or in measuring the benefits of a given security protection.
Figure 3. Third-Generation Analytics, Learning, and Advanced Controls
As each generation of email security progresses forward, the good news is that state-of-the-art solutions can incorporate the best practices and demonstrably useful elements of prior generation techniques. Nevertheless, even in the present generation of advanced analytic usage, business email compromise (BEC) and phishing attacks continue to occur, especially when combined with social engineering methods [6].
The goal for email security will never be to reduce cyber risks to zero, but rather to address vulnerabilities sufficiently that email usage becomes a much lower concern for enterprise security teams as well as citizen users. It is an open question whether more intense attention to existing controls will be sufficient to achieve this objective, or if totally new security solutions will be required. The next section offers some views on this future state.
5 EVALUATION FRAMEWORK
To demonstrate how successive generations of email security have provided better handling and protection, it is helpful to introduce a simple evaluation framework. The objective is to identify the relevant aspects of email security that have changed over the years. These include the following attributes:
Email Threat Protection – The purpose of email security obviously is to prevent, detect, or respond to threats – presumably with prevention as the ultimate objective. The good news is that successive generations of email protection introduce stepwise more effective security controls. The reason the problem remains, however, is that malicious activity has also increased and improved during the same period.
Transparency to Users – An objective in any IT security control is transparency for users. This is especially true for email, since it is such a pervasive tool. During successive generations of email security, the obligations placed on users have increased, as evidenced by the extensive user awareness training typically required. Removal of such user friction should be an objective for future generation methods.
Lifecycle Costs to Organizations – While license costs for email security tools have likely increased for most organizations, the corresponding costs for incident response have typically been reduced. This is true when suitable investments and good tooling have been put in place. The case to be avoided in the present generation involves high-cost email security tools without commensurate reduction in lifecycle costs.
Figure 4. Effectiveness for Three Generations of Email Security
It is reasonable to conclude that great progress is being made in email security, as depicted informally in Figure 4 with the progression from red status (weak) to yellow status (improving) to green status (effective). While phishing and business email compromise (BEC) are still problems, they usually stem from inadequate application of available tools and poorly conceived architectures – both of which will also improve in the coming years.
6 FUTURE GENERATION EMAIL SECURITY
The use of virus filtering, secure email gateway (SEG) processing, and cloud-based analytics has thus obviously reduced email security risk considerably. Such advances have been balanced, however, by malicious actors improving their own methods for targeting users. Automation has allowed for increased coverage in phishing attacks, even ones using individualized spear phishing methods. This has expanded the attack surface for email.
Based on the progression through three generations of email security and observations about trends in public cloud, SaaS, and networking, three observations can be made with respect to future generation email security. These observations should be viewed less as “predictions” and more as general “extrapolations” of on-going trends in how email security is likely to be handled in the next few years, post 2022.
Embedded Protections – Email security protections should become more integrated natively into services provided by Microsoft, Google, and others. This does not imply that innovative technology companies working email security will cease to thrive and grow, but rather that the buying habits of end-users will demand that these new controls come pre-integrated and embedded into existing services.
Expanded Intelligence – Continued advances in artificial intelligence will lead to even more powerful controls for email security. Deep learning methods and computer vision, for example, will more than likely introduce new means for using live email streams as the basis for improving the accuracy and quality of the artificial intelligence models that serve as the basis for the protections.
Increased Autonomy – With the introduction of more autonomous computing methods (as evidenced in the trucking and automobile industries) will come greater confidence for users to rely on autonomous email assistants. Such assistants will reduce the monotony of handling routine email but will also come with advanced cybersecurity controls to avoid human errors.
The offense is also likely to improve its malicious techniques, and it should be expected to rely on advances in artificial intelligence and autonomous computing to build more powerful attack tools. One would hope that the defense would be more aggressive in making progress, and the shift toward intelligent autonomy should be particularly useful in reducing human errors, which have always been such an easily exploitable weakness.
[1] Ray Tomlinson, “The First Network Email,” openmap.bbn.com.
[2] Bruce Schneier, E-Mail Security, John Wiley & Sons, 1995.
[3] Timeline of Computer Viruses and Worms, Wikipedia. (https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms)
[4] DMARC Website. (https://dmarc.org/)
[5] DMARC Wiki. (https://dmarc.org/wiki/FAQ)
[6] Jade Hill, “Inside the Business Email Compromise Problem,” July 2021. (https://abnormalsecurity.com/blog/inside-the-business-email-compromise-problem)