The best email security gateways: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
An email security gateway monitors emails being sent to an organization for unwanted content and prevents these messages from being delivered. Most email security gateways also offer similar monitoring capabilities for outbound emails. Unwanted content in email messages includes malware, phishing attacks and spam; some email security gateways are also able to detect and block transmission of sensitive data, such as credit card numbers, Social Security numbers and healthcare records.
Email security gateways come in several forms, including:
- Public cloud-based
- Hybrid (combination of public and private cloud)
- Hardware appliance on premises
- Virtual appliance on premises
- Email server-based
Each of these forms offers similar functionality. In fact, many email security gateway products are available in two or more of these forms, typically with identical capabilities. Where the forms differ somewhat is in their relative performance and security. That being said, no form is inherently superior to another; each has advantages and disadvantages. This article will help you identify the best email security gateway for you by covering a variety of representative products using any of these forms.
The following products were analyzed for this article: Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Email Protection (Editor's note: Intel Security recently moved this product to end of life and will no longer offer it as of Jan. 11, 2016), McAfee Security for Email Servers, Microsoft Exchange Online Protection (EOP), Proofpoint Enterprise Protection, Sophos Email Appliance, Symantec Email Security.cloud, Symantec Messaging Gateway, Trend Micro InterScan Messaging Security, Trend Micro ScanMail Suite for Microsoft Exchange and Websense Email Security Gateway.
Each of these products has been evaluated, based on publicly available information, against five criteria: the sophistication of the basic security functions, additional security functions, management usability and customizability, typical false positive and false negative rates, and reliance on external systems for email processing and/or storage. These criteria are not comprehensive; they are meant to be used as part of an organization's larger product evaluation process. Each organization has unique requirements, needs and environments, so similarly, the product evaluation process for determining the best email security gateway must be tailored for each enterprise.
Criterion #1: How advanced are basic security functions?
The basic security functions performed by every email security gateway are fundamentally the same: antivirus, antimalware, antiphishing and antispam. However, this isn't meant to imply all gateways are equally effective when it comes to detecting and stopping threats. Traditional antivirus, antimalware, antiphishing and antispam features are all less effective than they used to be because attack techniques have evolved to evade detection. Email security gateway vendors have compensated for this by integrating more advanced detection techniques into their products.
One of these techniques is known as sandboxing. Sandboxing uses an isolated environment to test a file to see how it behaves when opened, executed or otherwise accessed. Using a sandbox provides a safe way to identify malware through monitoring its behavior. Several of the products analyzed in this review promote sandboxing capabilities, including Cisco Email Security Appliance, Fortinet FortiMail, McAfee Email Protection, Proofpoint Enterprise Protection and Websense Email Security Gateway. Both Trend Micro products also support sandboxing through an optional add-on called the Deep Discovery Analyzer.
Another advanced detection technique involves the use of threat intelligence. Threat intelligence is information about current threats -- such as IP addresses of hosts that have been attacking other hosts -- that an organization can use to make better decisions about which activities to allow and which to block. Most products covered in this article use threat intelligence to improve detection capabilities. Products that did not explicitly mention their utilization of threat intelligence include Clearswift SECURE Email Gateway, Microsoft Exchange Online Protection and Sophos Email Appliance.
For those products that offer threat intelligence, it is important to learn not only about the overall quality of the threat intelligence feature, such as what sources it comes from, but also how often it is updated by the vendor and how often those updates are transferred to the gateway itself. Ideally, updates should be made in near real time, such as every few minutes.
Some products state that they support other advanced detection techniques in addition to threat intelligence and sandboxing, but these other techniques are usually not described in detail. Examples of the techniques are "deep content analysis," "file retrospection" and "advanced content filtering." When performing a product evaluation, an organization should identify any such techniques that products offer and ask for more information about the details behind these titles.
Criterion #2: What additional security features are offered?
As mentioned in criterion #1, the best email security gateway products offer antivirus, antimalware, antiphishing and antispam features. Most gateways provide additional security functionality, typically in the forms of data loss prevention (DLP) and/or email encryption. Organizations that already have DLP and email encryption deployments may disregard this criterion in their evaluations because those deployments are likely to be more robust than the email security gateway-provided capabilities.
DLP technologies scan outbound email for sensitive information that should not be transferred via email. Examples include the organization's financial records, healthcare records and intellectual property. All of the email security gateway products other than Microsoft Exchange Online Protection provide built-in or optional support for DLP. (Optional support for Proofpoint Enterprise Protection is available through its Enterprise Privacy Suite product, and optional support for Trend Micro InterScan Messaging Security is provided by its Data Privacy and Encryption Module.)
Email encryption technologies are most commonly available for protecting the contents of emails outbound from an organization, although some also allow emails between its own email accounts to be encrypted. Products with built-in email encryption technologies include Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Email Protection, Sophos Email Appliance and Symantec Email Security.cloud. Optional add-ons are available for Proofpoint Enterprise Protection (Enterprise Privacy Suite), Symantec Messaging Gateway (Symantec Content Encryption or Symantec Gateway Email Encryption), and Trend Micro InterScan Messaging Security (Data Privacy and Encryption Module).
Note that every DLP feature and/or email encryption feature should be thoroughly evaluated on its own merits before product selection. Some products offer robust implementations of these features, similar to what enterprise DLP and email encryption products offer, while others provide only limited implementations that lack many features of their enterprise counterparts.
Criterion #3: How usable and customizable are the management features?
Usability and customizability are email security gateway characteristics that are hard to quantify, yet incredibly important to take into consideration. As explained in the previous article in this series, these two characteristics often work in opposition to each other. More usable products are often less customizable, and vice versa.
Small and medium-sized organizations usually have a strong preference for usability over customization, so for these businesses, customization may be largely irrelevant. And for large organizations, customization may be more important so that the product is as effective as possible in detecting and stopping threats.
The most important gateway feature in terms of usability, however, is having a single console to manage all the gateway instances. Ideally this should be true even when gateways are deployed in different computing environments, such as hybrid cloud models. For instance, McAfee Email Protection offers such a global interface.
Customizability is most often noted in terms of dashboards, security policies and reporting. An organization should separately consider its needs for customization in each of these areas; for example, a particular organization might want to heavily customize a particular product's dashboard but have no need to customize that same product's reporting capabilities.
Because each organization has its own usability and customization needs, it is recommended that each view demos and perform its own testing of candidate products as part of the product evaluation process to find the best email security product for its needs.
Criterion #4: What are typical false positive and negative rates for each detection technique?
In an ideal world, every email security gateway vendor would publish detailed statistics about their product's typical false positive and false negative rates for each type of email-borne threat. However, in reality this doesn't happen. At most, vendors publish one or two statistics about their detection rates, and this can make it difficult to compare products with each other based on these rates.
Most published statistics involve spam detection. Products such as Cisco Email Security Appliance, Microsoft Exchange Online Protection, Proofpoint Enterprise Protection (cloud implementation), Symantec Messaging Gateway and Symantec Email Security.cloud offer spam detection rates of at least 99%, while Proofpoint Enterprise Protection (local implementation) provides 99.8% spam detection and Clearswift SECURE Email Gateway provides 99.9% spam detection. Based on these numbers, it is reasonable to expect an email security gateway to be able to achieve at least 99% spam detection.
A few products report their detection rates for known viruses, typically at 100%. An organization should expect any email security gateway to have a 100% detection rate for known viruses because it is easy for the vendor to write antivirus signatures to detect them.
A final category where a few vendors provide statistics is false positive rates. Unfortunately, it's rarely clear whether these false positives relate to spam only or to other categories of email as well, but the accuracy claimed by some products is impressive. For example, the Clearswift SECURE Email Gateway offers a false positive rate of one in 300,000, while the Cisco Email Security Appliance and the Symantec Messaging Gateway both offer a false positive rate of less than one in a million.
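Because vendor statistics are incomplete and rarely broken down by threat type, an organization piloting a candidate gateway can measure the rates itself. The following is an added example, not code from the article or from any vendor: it takes a constructed set of (ground truth, gateway verdict) pairs, computes the false positive rate over clean mail and the detection and false negative rates per threat category, and compares them with the 99% spam detection and 1-in-300,000 false positive figures quoted above. The sample data and threshold defaults are assumptions for illustration.

```python
from collections import Counter

# Constructed evaluation set: (ground-truth label, gateway verdict) pairs such
# as an organization might record while piloting a candidate gateway on its
# own traffic. Labels and verdicts: "clean", "spam", "malware", "phishing".
SAMPLE_RESULTS = [
    ("clean", "clean"), ("clean", "clean"), ("clean", "clean"), ("clean", "spam"),
    ("spam", "spam"), ("spam", "spam"), ("spam", "spam"), ("spam", "clean"),
    ("malware", "malware"), ("malware", "malware"), ("malware", "clean"),
    ("phishing", "phishing"), ("phishing", "spam"), ("phishing", "clean"),
]


def evaluate(results):
    """Return the false positive rate over clean mail and, per threat
    category, the detection and false negative rates.

    Any verdict other than "clean" counts as the message having been stopped,
    so a phishing message that the gateway labels "spam" is a detection, not
    a miss; only threats that reach the mailbox are false negatives.
    """
    total = Counter(truth for truth, _ in results)
    missed = Counter(truth for truth, verdict in results if verdict == "clean")
    flagged_clean = sum(1 for truth, verdict in results
                        if truth == "clean" and verdict != "clean")
    fp_rate = flagged_clean / total["clean"] if total["clean"] else 0.0
    stats = {"false_positive_rate": fp_rate}
    for category in sorted(c for c in total if c != "clean"):
        fn_rate = missed[category] / total[category]
        stats[category] = {"detection_rate": 1 - fn_rate,
                           "false_negative_rate": fn_rate}
    return stats


def meets_requirements(stats, min_spam_detection=0.99,
                       max_false_positive=1 / 300_000):
    """Check measured rates against published thresholds (defaults are the
    99% spam detection and 1-in-300,000 false positive figures cited above)."""
    spam_detection = stats.get("spam", {}).get("detection_rate", 0.0)
    return (spam_detection >= min_spam_detection
            and stats["false_positive_rate"] <= max_false_positive)


if __name__ == "__main__":
    measured = evaluate(SAMPLE_RESULTS)
    for name, value in measured.items():
        print(name, value)
    print("meets published thresholds:", meets_requirements(measured))
```

Running a gateway against a labelled sample of the organization's own mail in this way yields the per-category numbers that criterion #4 asks for and that vendors seldom publish.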
Criterion #5: Are email messages or attachments processed or stored externally?
This criterion may not be a concern for many organizations because their email messages and attachments are already being processed by cloud-based email services. Still, it is important for any organization to know where their emails may be processed or stored by a third party, such as an email security gateway vendor. This isn't referring so much to cloud-based email security gateway products -- because it's obvious that they are, at a minimum, processing emails in the cloud -- but rather products that are on premises.
Such products may, for particular situations, transfer email messages and/or attachments to a cloud-based service that provides more in-depth analysis to determine if their contents are malicious. This could involve a cloud-based sandbox, for example, to evaluate execution of a suspicious file. The Fortinet FortiMail product allows an organization to optionally share information about its detected threats with the vendor. This can be beneficial for the security community as a whole by increasing the vendor's knowledge of the latest threats.
Other products may transfer metadata only, not the contents of emails. For example, the McAfee Security for Email Servers product first conducts a local analysis of emails, and if it detects a suspicious file, sends a fingerprint of the file -- not the file itself -- to McAfee Labs for additional analysis. This helps to improve the detection accuracy of the product, both for the targeted organization and for other McAfee customers, without revealing the contents of email messages and attachments to McAfee.
Other email security gateway vendors do not provide information publicly on where their customers' emails may be processed and/or stored, other than the obvious (for example, cloud-based solutions process emails in the cloud). Any organization that is concerned about inadvertently revealing the contents of emails to a third party should carefully consider this criterion during their evaluation.
Finding the best email security gateway for you
Email security gateway products can be harder to evaluate than most other types of security products because vendors tend to provide relatively few details about the characteristics of their products. For example, vendors state whether their products offer DLP and/or email encryption capabilities, but typically few, if any, details are provided on the robustness of these capabilities. False positive and false negative rates are reported incompletely, and there's no guarantee that the numbers are truly comparable; at best, they are based on some measure of typical rates, which may be quite different from the rates an individual organization experiences.
Still, some generalizations can be made about the products analyzed for this article. Organizations should look for products that offer sandboxing and threat intelligence capabilities, and that have a spam detection rate of at least 99%. Of all the products analyzed for this article, only two claim to meet these requirements: Cisco Email Security Appliance and Proofpoint Enterprise Protection. This is not meant to imply that other products do not have these capabilities or should not be evaluated, but rather that it may be more challenging to get the necessary information for other products to make an educated decision. Coincidentally, the Cisco and Proofpoint products are also the only two that support all of the public cloud, hybrid cloud, local appliance and virtual appliance deployment models.
Server-based deployment is only available for McAfee Security for Email Servers (Microsoft Exchange and Lotus Domino) and Trend Micro ScanMail Suite for Microsoft Exchange. Similarly, the cloud-based Microsoft Exchange Online Protection only supports Microsoft Exchange use. Organizations with existing Microsoft Exchange or Lotus Domino implementations may want to consider these products, while other organizations can automatically exclude them from consideration because of their limited platform support.
Of the remaining products, all support DLP and all but one (Websense Email Security Gateway) support email encryption. Most (except Clearswift SECURE Email Gateway and Sophos Email Appliance) support threat intelligence, and some support sandboxing: Fortinet FortiMail, McAfee Email Protection, Trend Micro InterScan Messaging Security and Websense Email Security Gateway.
To summarize this, the Fortinet FortiMail, McAfee Email Protection and Trend Micro InterScan Messaging Security products support all four security capabilities (DLP, email encryption, threat intelligence and sandboxing). The other products are missing one or more of these capabilities.
In part one of this series, learn about the basics of email security gateways in the enterprise
In part two of this series, find out what the three enterprise benefits of email security gateways are
In part three of this series, discover the five criteria for selecting an email security gateway product