A Process for Testing Email Security

Mimecast’s recent Email Security Risk Assessment (ESRA) is a great read on the topic of threats to email (not to mention including a nice infographic suitable for printing and framing). Let me provide here a brief summary of how the Mimecast team executes ESRA tests, which it has been doing for the past couple of years. Their fine process illustrates how source selection or review might be performed for any number of email security offers.

Mimecast’s report specifically highlights instances of threats that bypassed their competitors, but are detected by their system. I’ve always felt that such marketing use-cases were reasonable to report, so long as the tests are repeatable. While I have not re-done any of the reported testing in my own lab, I’ve spent considerable time with the Mimecast team discussing the process and output, and I’m convinced that both are sound.

ESRA tests consist of analysis performed over a few weeks to a month by organizations using their live traffic of inbound emails, versus synthetically generated streams. Certainly, this could bias results, but it also provides a measure of realism to the testing (the inbound mail is exactly what the organization is receiving). Organizations run their ESRA tests, which consist of passive inspections to record any detected security problems.

The types of email threats investigated in ESRA tests include inspecting for Spam, phishing, malware, and malicious URLs. A more specific use case example includes searching for sender impersonation attacks that rely on public information to trick a recipient into side-stepping a protection process, such as an internal approval. (As you’d guess, Mimecast detects such attacks accurately and effectively in part by using Active Directory look-ups.)

Other attacks that Mimecast detects include credential stealing using domains adjacent to known brands, as well as supply chain attacks to plant a malware base by pretending to be a trusted business partner. While Mimecast offers these results as part of their marketing, interested readers can also learn from the process and re-use the attack tests for their own source selection, or to improve understanding of the most challenging email-borne attacks.

Regardless of where you are in your email security lifecycle, I suggest you review the ESRA report and go through the material (including the infographic). It’s a good case study in security testing (not to mention product marketing), so your time will be well-spent with the material. As always, I sure do hope you’ll share back your experiences and understandings after reviewing the report. I hope to hear from you.