The best email security gateways: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
An email security gateway monitors emails being sent to an organization for unwanted content, and it prevents these messages from being delivered. Most email security gateways also offer similar monitoring capabilities for outbound emails.
Unwanted content in email messages includes malware, phishing attacks and spam. Some email security gateways are also able to detect and block the transmission of sensitive data, such as credit card numbers, Social Security numbers and healthcare records.
Email security gateways come in several forms, including:
- public cloud-based;
- hybrid (a combination of public and private clouds);
- hardware appliance on premises;
- virtual appliance on premises; and
- email server-based.
Each of these forms offers similar functionality. In fact, many email security gateway products are available in two or more of these forms, typically with identical capabilities. Where the forms differ somewhat is in their relative performance and security. That being said, no form is inherently superior to another. Each has advantages and disadvantages, and the aim is to identify the best email security gateway for your enterprise.
Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Security for Email Servers, Microsoft Exchange Online Protection, Proofpoint Email Protection, Sophos Email Appliance, Symantec Email Security.cloud, Symantec Messaging Gateway, Trend Micro InterScan Messaging Security, Trend Micro ScanMail Suite for IBM Domino, Trend Micro ScanMail Suite for Microsoft Exchange and Websense Email Security Gateway are some of the significant players in the email security market.
Each of these products has been evaluated based on publicly available information against five criteria: the sophistication of the basic security functions, additional security functions, management usability and customizability, typical false positive and false negative rates, and reliance on external systems for email processing and storage. These criteria are not comprehensive; they are meant to be used as part of an organization's larger product evaluation process.
Each organization has unique requirements, needs and environments, so, similarly, admins must tailor the product evaluation process for determining the best email security gateway to their own enterprise.
Criterion #1: How advanced are basic security functions?
The basic security functions that every email security gateway performs are fundamentally the same: antivirus, antimalware, antiphishing and antispam. Buyers must be aware that this does not imply all gateways are equally effective when it comes to detecting and stopping threats.
Traditional antivirus, antimalware, antiphishing and antispam features are all less effective than they used to be because attack techniques have evolved to evade detection. Email security gateway vendors have compensated for this by integrating more advanced detection techniques into their products.
One of these techniques is known as sandboxing. Sandboxing uses an isolated environment to test a file to see how it behaves when opened, executed or otherwise accessed. Using a sandbox provides a safe way to identify malware by monitoring its behavior.
Several products promote sandboxing capabilities, including Cisco Email Security Appliance, Fortinet FortiMail and Websense Email Security Gateway. The Trend Micro products also support sandboxing through an optional add-on called the Deep Discovery Analyzer, and the Sophos Email Appliance supports sandboxing with the addition of Sophos Sandstorm.
Another advanced detection technique involves the use of threat intelligence. Threat intelligence is information about current threats -- such as IP addresses of hosts that have been attacking other hosts -- that an organization can use to make better decisions about which activities to allow and which to block.
Most of the products covered in this article use threat intelligence to improve detection capabilities, or they offer add-ons that provide threat intelligence. Products that did not explicitly mention their utilization of threat intelligence include Clearswift SECURE Email Gateway and Microsoft Exchange Online Protection.
For those products that offer threat intelligence, it is important not only to learn about the overall quality of the threat intelligence feature, such as what sources it comes from, but also how often it is updated by the vendor, and how often those updates are transferred to the gateway itself. Ideally, updates should be made in near real time, such as every few minutes.
Some products state that they support other advanced detection techniques in addition to threat intelligence and sandboxing, but these other techniques are usually not described in detail. Examples of the techniques are deep content analysis, file retrospection and advanced content filtering. When performing a product evaluation, an organization should identify any such techniques that products offer and ask for more information about the details behind these titles.
Criterion #2: What additional security features are offered?
As mentioned in criterion #1, the best email security gateway products offer antivirus, antimalware, antiphishing and antispam features. Most gateways provide additional security functionality, typically in the form of data loss prevention (DLP) or email encryption. Organizations that already have DLP and email encryption deployments may disregard this criterion in their evaluations because those deployments are likely to be more robust than the email security gateway-provided capabilities.
DLP technologies scan outbound email for sensitive information that should not be transferred via email. Examples include the organization's financial records, healthcare records and intellectual property.
All of the email security gateway products, other than Microsoft Exchange Online Protection and Proofpoint Email Protection, provide built-in or optional support for DLP. Optional support for Trend Micro InterScan Messaging Security is provided by its Data Privacy and Encryption Module.
Email encryption technologies are most commonly available for protecting the contents of an organization's outbound emails, although some also allow emails between its own email accounts to be encrypted.
Products with built-in email encryption technologies include Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, Sophos Email Appliance and Symantec Email Security.cloud. Optional add-ons are available for Symantec Messaging Gateway (Symantec Content Encryption or Symantec Gateway Email Encryption) and Trend Micro InterScan Messaging Security (Data Privacy and Encryption Module).
Buyers should thoroughly evaluate every DLP feature or email encryption feature on its own merits before product selection. Some products offer robust implementations of these features, similar to what enterprise DLP and email encryption products offer, while others provide only limited implementations that lack many features of their enterprise counterparts.
Criterion #3: How usable and customizable are the management features?
Usability and customizability are email security gateway characteristics that are hard to quantify; yet, they are incredibly important to consider. These two characteristics often work in opposition to each other. More usable products are often less customizable and vice versa.
Small and medium-sized organizations usually have a strong preference for usability over customization; so, for these businesses, customization may be largely irrelevant. And for large organizations, customization may be more important, so that the product is as effective as possible in detecting and stopping threats.
The most important gateway feature in terms of usability, however, is having a single console to manage all the gateway instances. Ideally, this should be true even when gateways are deployed in different computing environments, such as hybrid cloud models.
Customizability is most often noted in terms of dashboards, security policies and reporting. An organization should separately consider its needs for customization in each of these areas. For example, a particular organization might want to heavily customize a particular product's dashboard, but have no need to customize that same product's reporting capabilities.
Because each organization has its own usability and customization needs, they should view demos and perform their own testing of candidate products as part of the product evaluation process to find the best email security product for their needs.
Criterion #4: What are typical false positive and negative rates for each detection technique?
In an ideal world, every email security gateway vendor would publish detailed statistics about their product's typical false positive and false negative rates for each type of email-borne threat. In reality though, vendors publish one or two statistics about their detection rates, and this can make it difficult to compare products based on these rates.
Most published statistics involve spam detection. Products such as Cisco Email Security Appliance, Microsoft Exchange Online Protection, Proofpoint Email Protection (cloud implementation), Symantec Messaging Gateway and Symantec Email Security.cloud offer spam detection rates of at least 99%, while Clearswift SECURE Email Gateway provides 99.9% spam detection. Based on these numbers, it is reasonable to expect an email security gateway to be able to achieve at least 99% spam detection.
A few products report their detection rates for known viruses, typically at 100%. An organization should expect any email security gateway to have a 100% detection rate for known viruses because it is easy for the vendor to write antivirus signatures to detect them.
A final category where a few vendors provide statistics is in false positive rates. Unfortunately, it's rarely clear whether these false positives relate to spam only or to other categories of email, as well; but the accuracy claimed by some products is impressive. For example, the Clearswift SECURE Email Gateway offers a false positive rate of one in 300,000, while the Cisco Email Security Appliance and the Symantec Messaging Gateway both offer a false positive rate of less than one in a million.
Criterion #5: Are email messages or attachments processed or stored externally?
This criterion may not be a concern for many organizations because their email messages and attachments may already be processed by cloud-based email services. Still, it is important for any organization to know where a third party may process or store their emails. This isn't referring so much to cloud-based email security gateway products -- because it's obvious that they are, at a minimum, processing emails in the cloud -- but, rather, products that are on premises.
Such products may, for particular situations, transfer email messages or attachments to a cloud-based service that provides more in-depth analysis to determine if their contents are malicious. This could involve a cloud-based sandbox to evaluate execution of a suspicious file.
The Fortinet FortiMail product allows an organization to optionally share information about its detected threats with the vendor. This can be beneficial for the security community as a whole, by increasing the vendor's knowledge of the latest threats.
Other products may transfer metadata only, not the contents of emails. For example, the McAfee Security for Email Servers product first conducts a local analysis of emails, and if it detects a suspicious file, sends a fingerprint of the file -- not the file itself -- to McAfee Labs for additional analysis. This helps to improve the detection accuracy of the product, both for the targeted organization and for other McAfee customers, without revealing the contents of email messages and attachments to McAfee.
Other email security gateway vendors do not provide information publicly on where their customers' emails may be processed or stored. Any organization that is concerned about inadvertently revealing the contents of emails to a third party should carefully consider this criterion during their evaluation.
Finding the best email security gateway for you
Determining the best email security gateway product can be harder than most other types of security products because vendors tend to provide relatively few details about the characteristics of their products. For example, vendors state whether their products offer DLP or email encryption capabilities, but typically few, if any, details are provided on the robustness of these capabilities. False positive and false negative rates are reported incompletely, and there's no guarantee that the numbers are truly comparable; at best, they are based on some measure of typical rates, which may be quite different from the rates an individual organization experiences.
Organizations should look for products that offer sandboxing and threat intelligence capabilities, and that have a published spam detection rate of at least 99%. Only two products claim to meet these requirements: Cisco Email Security Appliance and Symantec Email Security.cloud. This does not mean that other products do not have these capabilities or should not be evaluated, but rather, that it may be more challenging to get the necessary information for other products to make an educated decision. The Cisco and Proofpoint products are the only two evaluated products that support all of the public cloud, hybrid cloud, local appliance and virtual appliance deployment models.
Server-based deployment is only available for McAfee Security for Email Servers (Microsoft Exchange and IBM Domino), Trend Micro ScanMail Suite for IBM Domino and Trend Micro ScanMail Suite for Microsoft Exchange.
Similarly, the cloud-based Microsoft Exchange Online Protection product only supports Microsoft Exchange use. Organizations with existing Microsoft Exchange or IBM Domino implementations may want to consider these products, while other organizations can automatically exclude them from consideration because of their limited platform support.
Of the remaining products, all support DLP, and all but two (Proofpoint Email Protection and Websense Email Security Gateway) support email encryption. Most (except Clearswift SECURE Email Gateway) support threat intelligence, and some support sandboxing: Fortinet FortiMail, Sophos Email Appliance, Trend Micro InterScan Messaging Security and Websense Email Security Gateway.
To summarize this, the Fortinet FortiMail, Symantec Email Security.cloud and Trend Micro InterScan Messaging Security products support all four security capabilities (DLP, email encryption, threat intelligence and sandboxing). The other products are missing one or more of these capabilities.
In part one of this series, learn about the basics of email security gateways in the enterprise
In part two of this series, find out what the three enterprise benefits of email security gateways are
In part three of this series, discover the five criteria for selecting an email security gateway product