BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
As long as email exists, phishing attacks will too. In the world of IT, that probably means forever. So to keep pace with hackers, IT security professionals and email security vendors need to constantly reassess their email system features to help prevent phishing attacks.
Whether you're looking for a new email security system or making a wish list of features to hand your current vendor for phishing protection, here's a checklist of key product features to consider.
The following list was created using The Tolly Group's background in email security, along with input from email security vendors. While not comprehensive, this email security checklist should help ensure you have your anti-phishing bases covered.
1. Review the existing configuration
While IT professionals have a tendency to look beyond their existing environments for new features and functions or to new vendors to help solve technology problems, they often don't have to look that far. The quickest path to potential improvement is to first review your existing email security system configuration. If you're still running on defaults, your system definitely isn't optimized.
2. Harden logins to protect credentials
The goal of phishing is most often to retrieve and compromise users' credentials. If you can't stop 100% of phishing attacks, you can at least reduce their effectiveness by hardening the login process.
Many applications offer two-factor authentication, where a text is sent to a person's registered mobile number, for example, to help assure the right user is logging in. Similarly, many systems provide reports of anomalous logins or login attempts. While this might be outside your purview as an email security professional, encouraging credential protection can be a secondary but effective method to guard against phishing attacks.
3. Verify threat intelligence networks
First and foremost, your email security needs to be smart and know about threats as soon as they arise. Threat intelligence services -- also called platforms or networks -- provide this information, so be sure to check your vendor's offerings to see if it has its own threat intelligence network. If so, make sure you know how extensive it is.
Also, ask your vendor if it leverages other resources, such as FireEye, Lastline or others.
4. Mailbox intelligence
While mailbox intelligence is a fairly straightforward feature, it can save you from a lot of trouble.
If you're like me, you get a lot of emails. Your email security system may apply some intelligence to the message flow and determine who your normal correspondents are -- either by name or by company. The first email from anyone is more likely to carry a phishing attack and probably deserves closer inspection by the email security system than a message from a known person.
5. Deep link inspection
While some phishing attacks are evident just from the look of an email, the more insidious ones may not become evident until the link is probed. Be sure your email security system will follow links and inspect not just the source email but the target link in the message.
Every link in an email is potentially a phishing site, and with deep link inspection, the email system opens the link in its own sandbox to make sure it isn't malicious. Then, malicious links are removed or blocked.
6. Multilayer email security
As with any security system, more layers usually provide more protection. Look for products that can provide multiple layers of security. Look for email security products that check links at least twice -- first when they enter the email system and again if or when they are clicked by a user. It is certainly possible for an email to contain a harmless link when it enters the system, but it can be turned into a phishing site a few minutes or hours later.
The opposite is also true. Links can be malicious when they enter an email system, but they could be identified and resolved by the time a user clicks through a few hours later. A system that doesn't check a second time would be likely to label the now-clean site malicious, which produces a false positive. False positives slow down users who may need to contact a security admin so the message can be manually cleared or whitelisted.
7. Web and document isolation
What if your email security system can't determine whether a given site or document is legitimate or phish bait? There will always be that no-man's land where a document is potentially good or potentially malicious.
Symantec, for example, practices isolation, a capability it attained from its acquisition of Fireglass in 2017. The isolated site is presented in read-only mode. As a result, it's easier to see what the site is without entering any data. Another option is for the security manager to configure the feature to allow users to override isolation and proceed.
Similarly, you can isolate an attachment. For example, if a user opens a Microsoft Word or Excel attachment, it can actually open in an isolated container rather than on the user's system. If the email happens to contain a malicious macro, that macro can't infect or attack the end user's computer.
Many of the files and links related to email can reside on a cloud service like Google Drive, Dropbox or Microsoft OneDrive. While these applications often integrate into the user's computer interface, they may have special requirements for file scanning or threat isolation.
Some of these cloud products might require special application code for the email security system to query and analyze those files. It's always a good idea to note any platform-specific requirements and match them up to what the vendor is offering.
9. Reporting and analytics
You will certainly want to know how effective your email security system is at isolating and neutralizing phishing attacks. For this, you will need a comprehensive set of reporting and analytics tools. Make sure your system can provide a real-time dashboard, as well as historical reporting capabilities and data export functions in the event you want to generate a custom analysis of your threat response information.
Is there more that you can do? There's always more, but starting with this checklist should improve your email security protection and your awareness of where the industry is moving.