Market Guide for Email Security
Published 8 September 2020 - ID G00722358 - 39 min read
Dramatic increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.
Overview
Key Findings
- The adoption of cloud office systems from Microsoft and Google continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by products.
- Impersonation and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with incoming email and are inherently vulnerable to deception and social engineering.
- There is no single technology solution to business email compromise (BEC) attacks. Solutions need to be a combination of technology and user education.
- Compliance and regulation requirements and concerns are putting greater emphasis on email data security.
- Vendors are evolving to support new detection and response capabilities by integrating directly with the email system via API rather than replacing the MTA role. This enables faster deployment and allows multiple complementary solutions to be combined to improve detection accuracy.
Recommendations
Security and risk management leaders responsible for email security should:
- Invest in anti-phishing technology that can accurately detect BEC and account takeover attacks.
- Seek solutions for BEC protection that use AI to baseline communication patterns and detect conversation-style anomalies. For account takeover attacks, seek solutions that use computer vision when reviewing suspect URLs.
- Use adjacent technologies such as multifactor authentication to protect against account takeover attacks.
- Review incumbent email security product effectiveness before investing in new solutions by verifying configurations with the vendor. This will serve as the start of a gap analysis to determine where supplementation or replacement may be required.
- Address gaps in the advanced threat defense capabilities of an incumbent secure email gateway (SEG) by either replacing them or supplementing them with complementary capabilities via API integration. Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.
- Integrate email events into a broader XDR or SIEM/SOAR strategy.
Strategic Planning Assumption
By 2023, at least 40% of all organizations will rely on built-in protection capabilities from cloud email providers as the main line of defense, up from 27% in 2020.
Market Definition
Email security refers collectively to the prediction, prevention, detection and response framework used to provide attack protection and access protection for email. Email security spans gateways, email systems, user behavior, content security, and various supporting processes, services and adjacent security architecture. Effective email security requires not only the selection of the correct products, with the required capabilities and configurations, but also having the right operational procedures in place.
Market Description
Despite the growth in more targeted attacks through other vectors, email is still the most common channel for opportunistic and targeted attacks, as well as a significant source of data loss. According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of “human failure” errors, where sensitive data was accidentally sent to the wrong recipient. Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for $8 million in 2019. These attacks increasingly use spoofed emails from legitimate organizations or are a result of account takeover attacks.
Market Direction
Cloud Office Adoption
Enterprise adoption of cloud office systems (see Note 2), for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email. Google’s G Suite and Microsoft’s Office 365 dominate the market. Use of G Suite grew 37% in 2019, slightly faster than Office 365 at 36% (Businesses @ Work). Office 365 remains more popular with larger public companies, while G Suite is growing, particularly in small and midsize enterprises (see “Survey Analysis: Google and Microsoft Battle It Out in a Growing Cloud Email Market”).

COVID-19 saw a significant shift to working remotely, which continued to fuel the adoption of cloud office systems and the use of other collaboration tools beyond email. These tools are likely to become an additional attack vector.

As organizations continue to move to cloud office solutions, we are seeing two major market changes.
Compare Email Security Architectures Against the Native Capabilities That Google and Microsoft Claim to Provide
While G Suite has less sophisticated email security controls and fewer features than Office 365, its simple three-tier model is very appealing to many organizations. Microsoft’s licensing can be complex, and the E5 license that contains the Office 365 Advanced Threat Protection capabilities is seen as very expensive. However, Microsoft has continued to invest in adding security features to the ATP product, including closer integration with other Microsoft security offerings.

Microsoft Office 365 includes Exchange Online Protection (EOP) with all plans. EOP is an anti-spam, anti-phishing and anti-malware service. Microsoft also offers Office 365 Advanced Threat Protection (ATP) to add more anti-phishing capabilities, as well as advanced attachment and URL-based threat defense. Office 365 ATP is included in some pricing plans and available for others as an extra-cost option. Furthermore, data loss prevention (DLP), email encryption and enterprise digital rights management (EDRM) are available in some pricing plans. This enables organizations to monitor, encrypt, block or apply rights management to messages based on policy (see “5 Steps for Securing Office 365”).

Google’s G Suite natively provides anti-spam, anti-phishing, signature-based anti-malware, and — only in the Enterprise and Education plans — DLP capabilities in Gmail for inbound and outbound email, along with Secure/Multipurpose Internet Mail Extensions (S/MIME) for outbound encryption. It also offers several settings that can be used to enhance protection against advanced URL-based attacks and domain and display-name-spoofing impersonation tactics. G Suite released network sandboxing capabilities to thwart advanced malware-based threats, although these are only available to customers on the G Suite Enterprise and G Suite Enterprise for Education editions. Gmail Confidential Mode enables the application of several EDRM capabilities to messages (see “What You Need to Know About Security in G Suite”).

Google and Microsoft continue to invest in G Suite and Office 365 security improvements, and research shows that more than one in four companies route their email traffic directly to Microsoft or Google cloud email, effectively using the built-in capabilities as the first line of defense (see “Survey Analysis: Google and Microsoft Battle It Out in a Growing Cloud Email Market”). At the same time, Gartner clients report dissatisfaction with natively available capabilities and are, therefore, choosing to supplement them with third-party products, as discussed in the Representative Vendors section.

As a result, there is a growing trend of supplementing the built-in security tools with additional API-based solutions as well as traditional secure email gateway solutions. API solution vendors increasingly fall into two categories. Cloud email security supplements (CESSs) focus on specific hard-to-detect threats such as BEC and on capabilities such as preventing accidental data loss. However, there are also a number of solutions now positioned as an alternative to an SEG. These integrated email security solutions (IESSs) provide many of the capabilities of an SEG, such as advanced malware protection, sandbox analysis and URL analysis, intercepting malicious emails before they reach a user’s inbox. When used in combination with the native capabilities provided by Google and Microsoft, these can be a viable alternative to gateway protection.

Some traditional SEG vendors are also adding API-based capabilities, either as an alternative to their SEG or as a complement to provide internal mail protection. Several security vendors are also adding API email products to integrate with other parts of their portfolio (for example, endpoint protection). Some CESS vendors are expanding capabilities to cover more M-SOAR functionality (see below), and we expect this trend to continue.

Figure 1 provides an overview of the overlap between SEG, CESS and IESS.

Figure 1: Secure Email Gateway, Integrated Email Security Solution and Cloud Email Security Supplement
The Market for On-Premises Email Security Products Continues to Shrink
As more organizations accept and become familiar with cloud platforms, the demand for on-premises collaboration platforms has diminished. Traditionally, the two main concerns about cloud deployment are availability and security. Google and Microsoft consistently demonstrate acceptable availability (often better than can be achieved on-premises) and have long streaks with no major security breaches. This goes a long way toward assuaging those concerns.

Organizations that have migrated to cloud email and those that are planning a migration are overwhelmingly choosing cloud-delivered email security products. Vendors can harness the processing power of the cloud for better defense against advanced threats, while incorporating proper due diligence and numerous control attestations to satisfy most regulatory and privacy concerns. Of course, some organizations with unique requirements will continue to keep SEG implementations on-premises, due to residual privacy, data sovereignty, legal, integration support and network design concerns.
Mobile Device Prevalence
The use of mobile devices for email affects the risk of email threats as well. Many VIP users are power users of email on mobile devices, and they consider this an ideal way to communicate quickly and around the clock. The use of mobile devices for email is good news for preventing some attack techniques. Because mobile devices are in general less susceptible to malware than traditional endpoints, the impact of malicious attachments and URLs is less critical (see “Advance and Improve Your Mobile Security Strategy” for more information). Nevertheless, mobile device users are at least as susceptible as, and arguably even more susceptible than, full desktop users to attacks such as credential phishing and BEC.

The most important negative effect of the use of mobile devices on email security is client application limitations. Both the email clients and the browsers used on mobile devices make it hard for users to check for phishing indicators. Controls such as adding banners to email messages also negatively impact mobile email usability more than desktop usability. Gartner strongly recommends including mobile devices explicitly in awareness programs.
Beyond Email: Securing Collaboration Platforms
As more organizations adopt cloud office applications, other collaboration tools and file-sharing platforms such as Microsoft Teams, Slack and Microsoft OneDrive are being adopted, and attackers will begin to move to these platforms. At the same time, as organizations move to cloud email, it’s easier for attackers to target users with phishing attacks posing as log-in screens in order to harvest credentials. They then use those credentials to launch further account-takeover-based attacks that can include other collaboration tools. Organizations need to ensure that both internal and external email is secured as well as collaboration tools that are being used.
Integration Into Security Tools
There is a growing trend of combining information and indicators of compromise (IOCs) from multiple security tools to improve security operation efficiency as well as improving detection and response capabilities. The concept of extended detection and response (XDR) has seen a renewed interest from vendors in investing in email security and integrating directly into the cloud email solution. Vendors like Cisco, Trend Micro and others have introduced API-based email security solutions to cover both internal protection and provide better integration with endpoint protection products (see “Innovation Insight for Extended Detection and Response”).
Market Analysis
Email is still the most commonly used attack vector for both opportunistic and targeted attacks. Even if many attacks need other channels (typically the web) for full compromise of a client endpoint, in most cases, email is the first to deliver:
- The initial URL, in the form of a link to an exploit kit or phishing website
- The attachment, in the form of a dropper or payload
- The starting point for a social engineering attack, such as in the case of BEC or credential phishing attacks
Email threats have become sophisticated enough to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation. Email threats are also being blended, combining social engineering, identity deception, phishing sites, malware and exploits. Note 3 discusses the reasons for the popularity of email among attackers. Note 4 provides examples of three common email threats (see also “How to Build an Effective Email Security Architecture”).

Security and risk management leaders must revisit their organizations’ email security architecture in the light of current email threats, such as sophisticated malware, links to exploit kits, credential phishing and BEC. Security professionals have known for years that, due to its importance as an attack vector, email security requires a layered approach. However, only a few vendors innovate their products at a pace that is similar to the attackers’. Even when vendors have innovated, their customers have often failed to deploy the latest versions in a timely fashion to mitigate the latest threats. As organizations continue to migrate to cloud email, the need to reevaluate email security is even greater. The solutions and controls that were put in place for on-premises email solutions are no longer enough.

Technology innovations should be complemented by investments in security awareness training, especially to combat email threats that are payloadless (that is, they don’t contain an attachment or a URL). Organizations should simulate attacks via anti-phishing behavioral conditioning (APBC), measure the results, and provide training and notification to users. Many vendors offer a “banner approach,” highlighting potential issues within an email; this serves as real-time training of the user without placing additional overhead on the security team. However, this can lead to “banner fatigue,” where users become so accustomed to seeing the banners that they ignore them.

User awareness is not 100% effective, of course, but neither is it an optional layer. Educated users can form an effective defense against many email threats, including some of the more sophisticated ones. SRM leaders should document an email security policy, covering the sensitivity of corporate email addresses and what the intended use of corporate email is. Make notification of suspicious email messages as easy as possible, and strive for a culture that has a healthy distrust of email messages.
Differentiating Capabilities
The following capabilities can be used as primary differentiators and selection criteria for email security products. Due to the lack of independent testing, SRM leaders should conduct a thorough proof of concept (POC) in vendor selection (see Note 5).
To Protect Against Attachment-Based Advanced Threats
Network Sandbox
A network sandbox is used to inspect attachments and URLs that cannot be identified as benign or malicious using other methods. The network sandbox should cover an extensive set of file types (including zip, wsf, js and macros that are commonly used in attacks) and embedded URLs. In addition, it should have strong anti-evasion capabilities. It should also accurately identify malware that attempts to detect that it is being run in a virtualized sandbox environment.
Content Disarm and Reconstruction
Content disarm and reconstruction (CDR) is also referred to as “content sanitization.” It breaks down files into their discrete components, strips away anything that doesn’t conform to that file type’s original specification, ISO standard or company policy, and rebuilds a “clean” version. This near-real-time process is an effective and efficient approach to removing malware and exploits from files. Although sandboxing and almost all other techniques depend on detection, CDR protects against exploits and weaponized content that have not been seen before.
To Protect Against URL-Based Advanced Threats
URL Rewriting and Time-of-Click Analysis
Rewrite URLs before they are delivered to the user for stronger protection than time-of-delivery URL inspection. This can be used to:
- Disarm the URL (that is, turn it into a nonclickable version of the URL).
- Replace with text (for example, “embedded URL removed for security reasons”).
- Redirect the URL to the URL inspection service for time-of-click analysis protection. Some SEG solutions also examine URLs in attachments and subject lines that were often missed in less sophisticated solutions.
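The three rewriting options listed above, as an added example that is not code from the report or from any vendor it names: a gateway-side function that rewrites every URL in a message body (disarm, replace with text, or redirect to a time-of-click service), and the click-service side that validates the rewritten link before inspecting the original. The redirector host and the HMAC key are constructed placeholders; the HMAC is an assumption added here so the redirector cannot be abused as an open redirect.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed for this example: placeholder key and click-analysis endpoint, not a real product's.
REWRITE_KEY = b"constructed-example-rewrite-key"
CLICK_SERVICE = "https://click-check.example/v1/url"

# Matches http(s) URLs in plain text or inside href="..." attributes; stops at quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def disarm(url: str) -> str:
    """Option 1: make the URL non-clickable ("hxxp", "[.]") so mail clients do not auto-link it."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def replace_with_text(url: str) -> str:
    """Option 2: drop the URL entirely and leave a fixed explanatory placeholder."""
    return "[embedded URL removed for security reasons]"


def url_tag(url: str) -> str:
    """HMAC over the original URL, so the click service only accepts links this gateway produced."""
    return hmac.new(REWRITE_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def redirect_for_click_analysis(url: str) -> str:
    """Option 3: point the link at the inspection service; the original URL travels in the 'u' parameter."""
    return f"{CLICK_SERVICE}?u={quote(url, safe='')}&t={url_tag(url)}"


ACTIONS = {"disarm": disarm, "text": replace_with_text, "redirect": redirect_for_click_analysis}


def rewrite_body(body: str, mode: str = "redirect") -> str:
    """Rewrite every URL in a message body with the chosen option, keeping trailing sentence punctuation."""
    action = ACTIONS[mode]

    def _sub(match):
        url = match.group(0)
        core = url.rstrip(TRAILING_PUNCT)
        return action(core) + url[len(core):]

    return URL_RE.sub(_sub, body)


def resolve_click(rewritten: str) -> Optional[str]:
    """Time-of-click side: validate a rewritten link and return the original URL for inspection,
    or None if the link was not produced by this gateway (tampered 'u' parameter, wrong host)."""
    parsed = urlparse(rewritten)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CLICK_SERVICE:
        return None
    params = parse_qs(parsed.query)
    original = params.get("u", [""])[0]
    tag = params.get("t", [""])[0]
    if not original or not hmac.compare_digest(url_tag(original), tag):
        return None
    return original


if __name__ == "__main__":
    # Constructed sample message text.
    sample = "Please confirm your account at https://login.evil.example/verify. Regards"
    for mode in ACTIONS:
        print(mode, "->", rewrite_body(sample, mode))
```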
Remote Browser Isolation
Redirected URLs can also be directed to a remote browser isolation (RBI) service. RBI also protects against malware and exploits, but does so through tight browser controls. Similar to CDR, RBI reformats content to remove any security risks and provides a clean rendering of the website content to the client browser. Users can interact with the website; however, active content is executed on a remote server, and only clean content is rendered to the user.
To Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats
Display Name Spoof Detection
This detects spoofed messages based on email headers and sender names. Some products support fuzzy matching of sender names against a list of names that the email security administrator can predetermine — typically a list of VIPs (such as senior executives) likely to be targeted. Other solutions use a social graph to monitor all sender-recipient relationships and seek near-match deviations, combined with analysis of keywords commonly used in BEC attacks.
Domain-Based Message Authentication, Reporting and Conformance on Inbound Email
This enforces domain-based message authentication, reporting and conformance (DMARC) on inbound email traffic to protect internal users from receiving spoofed external messages from domains that have implemented DMARC in rejection mode. This also checks the alignment of the domains used in message header FROM and SMTP envelope MAIL FROM email addresses.
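The inbound DMARC evaluation described above, as an added example rather than code from the report or any vendor in it: it parses the sending domain's DMARC record, checks strict or relaxed alignment of the header From domain against the SMTP MAIL FROM domain (for SPF) and the DKIM signing domain, and applies the published policy. The SPF and DKIM results are taken as inputs from the verifiers that already ran; the message, domains and record are constructed, and the organizational-domain helper is a simplification (a real implementation uses the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional


def parse_dmarc_record(txt: Optional[str]) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; aspf=r') into lowercase tag -> value pairs."""
    tags: Dict[str, str] = {}
    if not txt:
        return tags
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (simplification; production
    code consults the Public Suffix List so that e.g. 'example.co.uk' is handled correctly)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def evaluate_inbound(raw_message: str, mail_from: str, spf_result: str, dkim_result: str,
                     dkim_domain: str, dmarc_txt: Optional[str]) -> Dict[str, object]:
    """Apply the From domain's DMARC policy to one inbound message.

    spf_result / dkim_result are the verifier outcomes ('pass', 'fail', 'none'); dkim_domain is the d=
    of the verified signature; dmarc_txt is the TXT record of _dmarc.<From-domain> (None if absent)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    mail_from_domain = mail_from.rpartition("@")[2].lower()

    policy = parse_dmarc_record(dmarc_txt)
    if policy.get("v", "").upper() != "DMARC1":
        # No DMARC record: nothing to enforce; other controls (lookalike, anomaly) must cover this case.
        return {"from_domain": from_domain, "dmarc": "none", "action": "no-policy"}

    spf_aligned = spf_result == "pass" and is_aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned

    if dmarc_pass:
        action = "deliver"
    else:
        # p=none means monitor only: deliver but send aggregate reports to the domain owner.
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p", "none"), "deliver-and-report")
    return {"from_domain": from_domain, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if dmarc_pass else "fail", "action": action}


# Constructed sample: an executive's address is spoofed in the visible From header while the message is
# relayed via an attacker-controlled domain whose own SPF and DKIM pass but do not align with From.
SPOOFED_MESSAGE = (
    'From: "Jane Doe, CEO" <jane.doe@victim.example>\n'
    "To: payments@victim.example\n"
    "Subject: Urgent wire transfer\n\nPlease process today.\n"
)
VICTIM_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    print(evaluate_inbound(SPOOFED_MESSAGE, "bounce@attacker.example", "pass", "pass",
                           "attacker.example", VICTIM_DMARC))
```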
Lookalike Domain Detection
This detects the use of lookalike domains, also referred to as “cousin domains.” Most, if not all, SEGs allow administrators to include a list of lookalike domains that should be flagged. Some products do fuzzy matching on domains to detect such scams, whereas others require customers to upload their own lists of lookalike domains.
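Both detections just described (fuzzy display-name matching against a VIP list, and lookalike or "cousin" domain detection), as an added example that is not code from the report or from any vendor it lists. The VIP list, protected domains, homoglyph table and thresholds are constructed for the example; the normalization step folds accents and common character substitutions before comparing, and the edit-distance check is deliberately simple.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Dict, Iterable, Optional

# Constructed VIP list and protected domains (in a product these are administrator-maintained).
VIP_LIST = {"Jane Doe": "jane.doe@victim.example", "Sam Chen": "sam.chen@victim.example"}
PROTECTED_DOMAINS = {"victim.example"}

# Characters commonly substituted for letters; 'rn' for 'm' is handled separately in normalize().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "|": "l"})


def normalize(text: str) -> str:
    """Fold case, strip accents (e.g. 'é' -> 'e') and collapse common look-alike characters."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return ascii_only.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used for cousin-domain detection."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def display_name_spoof(from_header: str, vips: Dict[str, str],
                       threshold: float = 0.85) -> Optional[Dict[str, object]]:
    """Flag a From: header whose display name fuzzily matches a VIP but whose address is not that VIP's."""
    name, addr = parseaddr(from_header)
    if not name:
        return None
    for vip_name, vip_addr in vips.items():
        ratio = SequenceMatcher(None, normalize(name), normalize(vip_name)).ratio()
        if ratio >= threshold and addr.lower() != vip_addr.lower():
            return {"vip": vip_name, "sender": addr, "similarity": round(ratio, 2)}
    return None


def lookalike_domain(sender_domain: str, protected: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """Return the protected domain that sender_domain imitates, or None.

    A domain counts as a cousin when it equals a protected domain only after homoglyph normalization,
    or is within max_distance edits of one. Short domains produce false positives with this rule alone,
    so products pair it with an allowlist of known partner domains."""
    candidate = sender_domain.lower()
    protected = {d.lower() for d in protected}
    if candidate in protected:
        return None
    for domain in protected:
        if normalize(candidate) == normalize(domain):
            return domain
        if levenshtein(normalize(candidate), normalize(domain)) <= max_distance:
            return domain
    return None


if __name__ == "__main__":
    # Constructed headers illustrating the two checks.
    print(display_name_spoof('"Jane D0e" <jane.doe.ceo@freemail.example>', VIP_LIST))
    print(lookalike_domain("victirn.example", PROTECTED_DOMAINS))
```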
Anomaly Detection
This detects anomalous messages based on sender, recipient, envelope, content, history and other context to thwart BEC and account takeover attacks. Threats increasingly fly under the radar of traditional, reputation-focused and signature-based products. Anomaly detection may be able to identify these more sophisticated attacks. Using email telemetry/intelligence enables non-rule-based detection of spam and phishing, even if few messages are sent.

Anomaly detection draws on three main ingredients. The first is metadata, which includes the reputation of the sender address, sending domain and IP, both globally and for the organization. It also includes identity deception attempts by the sender (such as lookalike and reply-to tricks) and authentication results (such as Sender Policy Framework [SPF], DomainKeys Identified Mail [DKIM] and DMARC evaluation). The second is content: typically a specific activity request with some urgency, attachments and URLs. Content may be detectable because it is reused across organizations; however, this is typically not the case in targeted attacks. The third ingredient is historic communication: What was the typical communication between this sender and recipient and their domains?
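The three ingredients (metadata, content, historic communication) combined into one risk score, as an added example that is not code from the report or from any vendor it names. The message fields, the urgency-term list, the reputation scale, the communication history and the score thresholds are all constructed for the example; a product would learn the baseline from the organization's own mail flow rather than from a hand-built counter.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Phrases typical of BEC requests; constructed for this example, not a vendor's list.
URGENCY_TERMS = ("urgent", "immediately", "today", "wire", "transfer", "gift card", "invoice", "confidential")


@dataclass
class InboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str
    reply_to: str = ""
    auth: Dict[str, str] = field(default_factory=dict)   # SPF/DKIM/DMARC verifier results
    sender_reputation: float = 0.5                       # 0 = known bad, 1 = known good (constructed scale)


class CommunicationHistory:
    """Historic communication baseline: how often each sender domain has mailed each recipient."""

    def __init__(self) -> None:
        self._pairs: Counter = Counter()

    @staticmethod
    def _key(sender: str, recipient: str) -> Tuple[str, str]:
        return sender.rpartition("@")[2].lower(), recipient.lower()

    def record(self, sender: str, recipient: str) -> None:
        self._pairs[self._key(sender, recipient)] += 1

    def count(self, sender: str, recipient: str) -> int:
        return self._pairs[self._key(sender, recipient)]


def score_message(msg: InboundMessage, history: CommunicationHistory) -> Tuple[int, List[str]]:
    """Combine the three ingredients into a risk score with human-readable reasons."""
    score, reasons = 0, []
    sender_domain = msg.sender.rpartition("@")[2].lower()

    # 1. Metadata: authentication outcome, reply-to deception, sender reputation.
    if msg.auth.get("dmarc") == "fail":
        score += 3
        reasons.append("DMARC failed for sender domain")
    reply_domain = msg.reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        score += 3
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")
    if msg.sender_reputation < 0.3:
        score += 2
        reasons.append("Low sender reputation")

    # 2. Content: a specific request carrying urgency.
    text = f"{msg.subject} {msg.body}".lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        score += min(len(hits), 3)
        reasons.append("Urgency/request terms: " + ", ".join(hits))

    # 3. Historic communication: has this sender domain ever mailed this recipient?
    prior = history.count(msg.sender, msg.recipient)
    if prior == 0:
        score += 3
        reasons.append("First contact between this sender domain and recipient")
    elif prior < 3:
        score += 1
        reasons.append("Sparse prior communication")
    return score, reasons


def classify(score: int) -> str:
    """Map the score to an action; thresholds are illustrative and would be tuned per organization."""
    if score >= 7:
        return "quarantine"
    if score >= 4:
        return "warn-user"
    return "deliver"


def build_sample_history() -> CommunicationHistory:
    """Constructed baseline: a supplier that has invoiced accounts payable twelve times before."""
    history = CommunicationHistory()
    for _ in range(12):
        history.record("invoices@supplier.example", "ap@victim.example")
    return history


if __name__ == "__main__":
    bec = InboundMessage("jane.doe@victim-pay.example", "ap@victim.example", "Urgent wire transfer",
                         "Please send the transfer today, keep it confidential.",
                         reply_to="jane.doe@freemail.example", auth={"dmarc": "fail"}, sender_reputation=0.2)
    score, reasons = score_message(bec, build_sample_history())
    print(score, classify(score), reasons)
```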
Additional Differentiating Capabilities
Anti-Phishing Behavioral Conditioning
As phishing-based attacks continue to become more sophisticated and evade advanced machine-learning-based anti-phishing technologies, end-user training becomes more important as a human layer of protection. APBC focuses on reducing the frequency with which employees click on URLs in phishing emails. Although each vendor provides a unique offering, the basic approach is the same:
- Phishing emails are sent to employees.
- Employees who click on the URLs therein are immediately pushed into a computer-based training (CBT) session.
- URL click rates are recorded for longitudinal trend analysis.
The use of APBC as part of a security awareness program is important to help identify key pockets of risk in the enterprise audience, deliver simulated social engineering attacks, and provide just-in-time training and teachable moments. However, SRM leaders must understand that there is no end to this program. Attack strategies change quickly, as the bad actors are always several steps ahead, and the audience needs continuous reinforcement in this area. The frequency should be monthly at least, and potentially greater for higher-risk profiles (see “Three Critical Factors in Building a Comprehensive Security Awareness Program”).
Graymail Handling
This is an area in which many SEGs require further investment. Most products can identify graymail — that is, solicited bulk email messages that the recipient “opted in” for at some point in the past. However, many lack methods for end users to configure the handling of these messages, based on their individual and subjective preferences. Favor products with secure unsubscribe features. Some attacks masquerade as graymail and hide a malicious URL in a seemingly innocuous unsubscribe link. Sandboxing solutions may also skip unsubscribe links to prevent unintended results. Products may offer a safe unsubscribe capability that effectively replaces the links in such messages with a secure one.
Data Protection
Outbound email security features (such as DLP, email encryption and EDRM) are critical for intellectual property protection and regulatory compliance (such as Payment Card Industry [PCI] and Health Insurance Portability and Accountability Act [HIPAA] data). These capabilities should be weighed appropriately in buyer analyses. Although they can be used separately, DLP and encryption are typically used in a complementary approach. Users should be provided with readily available email encryption options that empower them to make the right decision when handling sensitive data via email. However, if they inadvertently or intentionally fail to do so, the DLP inspection engine for outbound messages can block or remediate this as a fail-safe.

Accidental data loss due to human error is one of the most common causes of data breach, often simply due to misdirected email. According to analysis of data from the U.K.’s Information Commissioner’s Office (ICO) by CybSafe, 90% of data breaches were caused by human error. Further analysis revealed that one of the major causes was misdirected emails. However, we see some email security vendors using a combination of DLP- and AI-based models to detect and alert users of potential errors. These solutions analyze the recipients addressed in the To, Cc and Bcc fields and check whether the content is relevant for each recipient by monitoring sending and receiving patterns. Some solutions can even detect whether the recipient domain supports TLS or is DMARC-, SPF- and DKIM-authenticated.
Postdelivery Protection and M-SOAR
Organizations should evaluate vendors that have added detection and response capabilities to address threats that were not initially caught and were allowed to land in a user’s inbox. Using API integrations with cloud email systems (such as Office 365) or plug-ins for email clients (such as Outlook), these vendors can attempt to “claw back” a malicious message by removing it from the user’s inbox after initial delivery. This message may have already been opened by the user. Hence, the product should also be able to alert relevant personnel and products (for example, administrators, SOCs, endpoint detection and response [EDR] or security information and event management [SIEM]) about potential compromises for remediation or recovery. As interoperability among products improves, automated remediation actions can be taken in real time to decrease incident response times and the level of human effort required.

The challenge of security analysts spending a significant part of their time on phishing investigation and response has resulted in an interesting evolution of capabilities to help improve this. Most security orchestration, automation and response (SOAR) vendors have some form of phishing response playbooks. Generic SOAR products often require adjustments and integrations with SIEM and email security products to become effective tools for SOC analysts. With the exception of mature SOCs, the use of full, generic SOAR for phishing incident response is costly and difficult and, therefore, rare.

As an alternative to full-featured SOAR products, email security vendors have begun to offer orchestration and automation tooling focused on email. These mail security orchestration, automation and response (M-SOAR) capabilities are characterized by:
- A focus on email threats.
- Less orchestration focus — Even though some vendors do this too, most M-SOAR is focused on the vendor’s product and email platform.
- Simplicity — They are simpler to use and to buy than SOAR, and they often come as an additional license to SEG or other email security products.
Representative Vendors
Market Introduction
A list of representative vendors (see Note 1) is provided in the categories described below. This is not, nor is it intended to be, a list of all the vendors or offerings in this market. It is not, nor is it intended to be, a competitive analysis of the vendors discussed. Several vendors provide email security capabilities that span multiple categories. However, each vendor is listed only once in what Gartner considers to be its predominant category, based on market perception, customer usage and product heritage. Where appropriate, the high-level capabilities of each vendor will be included; however, these capabilities are included for reference only and have not been ranked.
Secure Email Gateways
For inbound email threats or outbound exfiltration attempts, SEGs continue to be the front line of defense for one of the largest attack surfaces. This remains true, even as many organizations migrate their email to the cloud. SEGs are expected to provide a versatile and broad range of capabilities that, at a minimum, should include the following:
- A message transfer agent (MTA), as well as API-based modes for intradomain message scanning and remediation
- Anti-spam and signature-based anti-malware
- Marketing and graymail classification, as well as personalized controls for management of these types of messages
- Network sandboxing and/or CDR for advanced, attachment-based threat defense
- Rewriting and time-of-click analysis for advanced, URL-based threat defense
- Context inspection, display name spoof, lookalike domain and anomaly detection for advanced, impostor-based threat defense
- DLP and email encryption (pull/push methods beyond Transport Layer Security [TLS]) for outbound content to satisfy corporate and regulatory policy requirements
- Cloud-based delivery
As internal mail protection becomes increasingly important, many SEG vendors are also providing this capability, either through direct integration into cloud office APIs or by redirecting internal email through the gateway.

Global SEGs (see Table 1) have a broad geographic distribution of their sales, support and data center coverage.
Table 1: Representative Vendors for Global Secure Email Gateways
Vendor | Product Names |
Barracuda | Barracuda Total Email Protection; Barracuda Essentials; Barracuda Sentinel; Barracuda Phishline; Barracuda Forensics and Incident Response |
Cisco | Cisco Cloud Email Security; Cisco Cloud Mailbox Defense; Cisco Email Security Appliance; Cisco Advanced Phishing Protection; Cisco Domain Protection; Cisco Security Awareness and Training |
Mimecast | Mimecast Perimeter Defense; Mimecast Comprehensive Defense; Mimecast Pervasive Defense |
Proofpoint | P0 Basic Email Security; P1 — Advanced Email Security; P1+ — Stop BEC; P2 — Stop BEC + EAC; P2+ — Protect Cloud Apps; P3 — Full People-Centric Security |
Symantec, a Division of Broadcom | Email Security.cloud; Email Threat Isolation; Symantec Messaging Gateway; Email Threat Detection and Response; Email Fraud Detection |
Trustwave | SEG Cloud Standard Protection; SEG Cloud Office 365/G Suite Companion Package; SEG Cloud Advanced; SEG Service Provider Edition; Trustwave Secure Email Archiving |
Source: Gartner (September 2020)

In addition, other security vendors provide email security capabilities to complement other security tools in their portfolio (see Table 2).
Table 2: Representative Security Vendors Providing Email Security Products
Vendor | Product Name |
FireEye | FireEye Email Security Cloud Edition |
Fortinet | SaaS — FortiMail Cloud — Gateway; SaaS — FortiMail Cloud — Gateway Premium; Physical Appliances — FortiMail |
Sophos | Sophos Email Advanced; Sophos Email Appliance |
Trend Micro | Trend Micro Cloud App Security; Trend Micro Email Security Standard; Trend Micro Email Security Advanced; Smart Protection for Office 365; XDR for Users |
Source: Gartner (September 2020)

Regionally focused SEGs (see Table 3) have their predominant business operations and customer bases in the same geographic regions, particularly in Europe. Gartner anticipates that these vendors will continue to expand their geographic reach.
Table 3: Representative Vendors for Regionally Focused SEGs
Vendor | Product Name |
HelpSystems-Clearswift | Secure Email Gateway; Secure Exchange Gateway |
Hornetsecurity | Spam and Malware Protection; Advanced Threat Protection; Email Archiving; Email Encryption; 365 Total Protection; 365 Total Encryption |
Retarus | Retarus Email Security (“Essential Protection” Package); Retarus Email Security (“Advanced Threat Protection” Package); Retarus Email Security (“Postdelivery Protection” Package); Additional Packages |
Skyguard | ASEG; UCSS |
Vade Secure | Vade Secure for Office 365; Vade Secure Cloud; Vade Secure Gateway |
Source: Gartner (September 2020)
Integrated Email Security Solutions
A growing number of vendors (see Table 4) provide the core functionality of an SEG but integrate directly with the APIs of Office 365 and G Suite. This type of product includes antivirus and spam detection capabilities to detect threats before they arrive in the user’s inbox. They often include other capabilities such as machine-learning-based detection trained on existing emails, image analysis, account takeover detection and image recognition of URLs to identify phishing attacks, as well as providing protection for internal emails and M-SOAR functionality.

The advantage these solutions have over a traditional SEG is that they are usually very quick and easy to deploy, as they don’t require changes to the email flow at the gateway and, when used in combination with the built-in capabilities of Microsoft and Google, can provide good levels of protection. However, they do often lack the advanced features of an SEG, such as content disarm, encryption and more advanced DLP capabilities.

For most organizations, the SEG remains the workhorse of their email security architecture. Generally, the use of an SEG is preferred because it stops inbound attacks closer to the attacker. This prevents unwanted emails from taking up bandwidth and storage, and its processing does not compete with the processing of the email system. SRM leaders should be aware of the differences between the in-line SEG approach and products that leverage APIs to integrate with the inboxes in cloud email systems (see “How to Build an Effective Email Security Architecture”).
Table 4: Representative Vendors for IESS
Vendor | Product Names |
Agari | Agari A1 Bundle; Agari A2 Bundle; Agari Phishing Defense; Agari Phishing Response; Agari Brand Protection; Agari Active Defense |
Area 1 Security | Area 1 Horizon Advantage; Area 1 Horizon Enterprise |
Avanan | Anti-phishing for Office 365 or G Suite; Complete Malware Protection for Office 365 or G Suite; Full-Suite Protection for Office 365 or G Suite; Incident Response as a Service (IRaaS) |
Graphus, A Kaseya Company | Graphus for Business; Graphus for Enterprise; Graphus for MSPs |
GreatHorn | GreatHorn Cloud Email Security; Account Takeover Protection; GreatHorn Reporter |
IRONSCALES | Ultimate; Core |
Perception Point | Advanced Email Security; Advanced Internal Email Security; Advanced Collaboration Security |
Zix | Essentials Email Security Suite; Essentials Email Compliance Suite; Essentials Email Security and Compliance Suite; Email Security Suite; Email Compliance Suite; Email Security and Compliance Suite |
Source: Gartner (September 2020)
Cloud Email Security Supplements
Cloud email security supplements (CESSs) focus on specific threats, often in the realm of hard-to-detect phishing and business email compromise, and can leverage full access to cloud-hosted inboxes via APIs for detection and remediation. Most CESSs focus on phishing and use a variety of techniques, including ML, natural language processing (NLP) and natural language understanding, as well as M-SOAR functionality.

When considering a CESS, carefully assess the features and deployment options, because they can vary widely (see Table 5).
Table 5: Representative Vendors for CESSs
Vendor | Product Name |
Abnormal Security | Abnormal Security Cloud Email Security Platform |
Armorblox | Inbound Email Protection; Outbound Email Protection |
BitDam | BitDam ATP |
Clearedin | Clearedin for Email; Clearedin for File Sharing; Clearedin for Collaboration and Chat; Clearedin for Videoconferencing |
CSIS | CSIS Email Fraud Protection; CSIS Email Malware and Phishing Protection |
Cyren | Cyren Inbox Security for Office 365; Cyren Inbox Security Incident Response service |
INKY | INKY for Office 365; INKY for G Suite; INKY for Exchange |
Menlo Security | Menlo Email Security; Secure O365; Secure G Suite |
PhishLabs | Email Intelligence & Response |
Tessian | Tessian Defender; Tessian Guardian; Tessian Enforcer |
Source: Gartner (September 2020)
Email Data Protection Specialists
Email was never designed to be a secure communication medium, and organizations continue to struggle to protect sensitive email content in transit and at rest. Email data protection products protect the confidentiality and integrity of email messages by enabling the transmission of sensitive information to intended recipients with the starkly reduced possibility of disclosure or alteration. Although more than 60% of client organizations leverage the DLP and email encryption capabilities of an SEG, there can still be a need for specialist products, particularly for customer-facing use cases in which a frictionless experience is critical (see Table 6).
Table 6: Representative Vendors for Email Data Protection Specialists
Vendor | Product Name |
Echoworx | OneWorld Encryption Platform; OneWorld Encryption Platform: One Delivery Method; OneWorld Encryption Platform: Volume Documents |
Egress | Egress Prevent; Egress Protect; Egress Investigate |
RMail by RPost | RMail 365; RMail Standard; RMail Business; RMail Enterprise; RMail Expert |
totemo | totemomail Encryption Gateway with totemomail Registered Envelope and totemomail WebMail; totemomail Internal Encryption; totemomail Application Integration Proxy; totemomail Large File Exchange; totemomail RMS Integration Connector |
Virtru | Outlook Encryption; Gmail Encryption |
ZIVVER | ZIVVER Secure Email and File Transfer (Ultimate package); ZIVVER Mailbox Retention Compliance |
Source: Gartner (September 2020)
DMARC and Brand Protection
With the growth in BEC and phishing, protecting users, customers and partners from “spoofed” emails is increasingly becoming a concern for organizations. DMARC has been a standard for quite some time, but its adoption has been slow because of the complexity of managing DMARC records, limitations in the standard and the concern that legitimate emails will not be delivered as a result.

There are two key elements to DMARC. The first is to check DMARC for inbound messages and to honor the published policy, especially if it is “reject” or “quarantine.” This should be implemented at the SEG or MTA as a simple way of preventing spoofed emails from organizations that have implemented DMARC.

The second element is for organizations to implement DMARC for their own email domains. This can be a complex process, and less than 30% manage to get to the point of “reject” or “quarantine.” A number of vendors specifically provide the tools to manage the process of implementing DMARC, monitoring and analyzing report data to identify who is sending email on your behalf as well as the extent to which a domain is being abused. DMARC vendors (see Table 7) provide automated tools to overcome the limitations in SPF records as well as being able to identify which services may be sending emails from your domain, streamlining and monitoring the journey to DMARC enforcement. A number of SEG vendors also offer this capability, often by licensing from a specialist vendor.

As well as DMARC implementation, this can be supplemented with brand protection tools to monitor and alert when a brand is being abused in phishing campaigns.
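As an added illustration (not from the Gartner guide or from any vendor listed in it), the following Python checks whether a published DMARC TXT record has reached enforcement and summarizes a DMARC aggregate (RUA) report to show which sending sources pass or fail, which is the report analysis described above. The domain, IP addresses and report contents are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report for the hypothetical domain
# example.com: an aligned corporate server, an unauthenticated sender
# (abuse or an unregistered SaaS service) and a DKIM-only source.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.22</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def is_enforcing(txt):
    """True when the policy is quarantine or reject and applies to all mail
    (pct=100, the default). p=none only monitors; spoofed mail is still delivered."""
    tags = parse_dmarc_record(txt)
    return (tags.get("v") == "DMARC1"
            and tags.get("p") in ("quarantine", "reject")
            and int(tags.get("pct", "100")) == 100)


def summarize_report(xml_text):
    """Per-source-IP totals of DMARC-passing and failing messages.

    DMARC passes when aligned DKIM or aligned SPF passes; the policy_evaluated
    results in an aggregate report already account for alignment."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[row.findtext("source_ip")]
        entry["pass" if passed else "fail"] += int(row.findtext("count"))
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return dict(summary)


def unauthenticated_sources(xml_text):
    """Source IPs sending as the domain without passing DMARC. Each is either a
    legitimate service still missing from SPF/DKIM or abuse of the domain."""
    return sorted(ip for ip, s in summarize_report(xml_text).items() if s["fail"])
```

Every IP returned by unauthenticated_sources is a decision point on the road to enforcement: register it in SPF/DKIM if it is a legitimate service, otherwise it is the abuse that a quarantine or reject policy will stop.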
Table 7: Representative Vendors for DMARC and Brand Protection
Vendor | Product Name |
dmarcian | DMARC SaaS Platform |
EDX Labs | DMARC360 |
Red Sift | OnDMARC |
Valimail | Valimail Defend; Valimail DMARC Monitor; Valimail Enforce |
Source: Gartner (September 2020)
Brand Indicators for Message Identification (BIMI) builds on DMARC to allow organizations to provide a visual indication that a message comes from a specific brand. Adoption is limited at the moment, but Google supports the standard in G Suite and Gmail, and for larger, well-known brands it’s a mechanism for reassuring customers that an email is valid. Currently, Microsoft is not participating in BIMI.
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
Market Recommendations
SRM leaders responsible for email security should:
- Adopt a CARTA strategic approach to email security by layering inbound, outbound and internal detection and remediation capabilities. In a CARTA-inspired email security architecture, security controls are always monitoring, assessing, learning and adapting, based on the relative levels of business risk, threat intelligence and trust that is actually observed. Implementing CARTA will be a multiyear journey. Prioritize intradomain message protection as an important starting point. There are many account takeover scenarios in which an attacker can leverage intradomain messages to move laterally and compromise internal resources. As organizations move to cloud email solutions, users become more susceptible to credential theft phishing campaigns targeting those solutions.
- Invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account takeover attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.
- Before investing in new solutions, review incumbent email security products’ effectiveness by verifying configurations with the vendor. This will serve as the start of a gap analysis to determine where supplementation or replacement may be required. Address gaps in the advanced threat defense capabilities of an incumbent secure email gateway (SEG) by either replacing them or supplementing them with complementary capabilities via API integration. At the same time, consider using the native security controls from Microsoft and Google, supplementing them with API integration vendors.
- Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.
- Integrate email events into a broader XDR, SIEM/SOAR strategy. Fully leverage an incumbent SEG provider and, when looking to replace, include IESS solutions in the evaluation, as they may provide the right combination of security, internal mail protection and M-SOAR capabilities on top of the cloud email solution.
- Assess business requirements for DLP email encryption and EDRM over the next three years, and evaluate products accordingly. Although it is not optimal, DLP capabilities from SEGs or email data protection specialists can be implemented independently of enterprise DLP to satisfy email-specific aspects of regulatory compliance, enforce acceptable usage or enable automatic email encryption. For IP protection, however, buyers of email-centric DLP capabilities must understand how they integrate with a more holistic enterprise data management strategy.
- Adopt a multipronged approach that spans technical, procedural and educational controls to achieve effective mitigation of malicious messages, such as phishing attacks. Include additional controls, such as MFA, to help protect against BEC attacks.
Evidence
The findings and recommendations in this research were derived from more than 1,300 Gartner client interactions between June 2019 and June 2020.
Note 1 Representative Vendor Selection
Representative vendors were selected on the basis of one or both of the following:
- Client interest via searches on Gartner.com and inquiries about that vendor for email security
- Vendors that are offering email security capabilities in ways that are unique, innovative and/or demonstrate forward-looking product strategies
Note 2 Cloud Office Systems
Cloud office systems include creative, collaboration, communication, social, coordination and data services, along with APIs that enable integration with other systems. Microsoft Office 365 and Google G Suite are the primary examples. At a minimum, cloud office systems include capabilities for email, social networking, file synchronization and sharing, document creation and editing, screen sharing, IM, audio conferencing, and videoconferencing. Most buyers start with a subset that includes email. The broad term “cloud office systems” is a generic label. The term “Microsoft Office” refers to a specific range of products from Microsoft.
Note 3 The Popularity of Email as a Target for Attackers
There are various reasons for the popularity of email among attackers:
- User trust: Email is massively used by consumers and businesses. Many users have an abundant trust in senders, message body content, links and attachments. For many users, the sheer volume of messages received is too high to spend a huge amount of time checking everything. Therefore, people tend to open and consume quickly, and generally do not report issues.
- Inexpensive: Sending masses of unsolicited email messages can be achieved at low cost. It is possible to hire a 10,000-node botnet for a few hundred dollars. In addition, there are thousands of free email services for attackers to choose from if they want to conduct nonautomated attacks.
- Usable for most attack types: Email can be untargeted and opportunistic (as spam is), but also lends itself well to targeted attacks.
- Elusive: Mailboxes and domains can be registered by anyone accessing the internet, and attackers leverage many techniques to evade detection by email security products. For example, they may change sender IP addresses quickly and spread attacks across many senders to remain undetected.
- Vulnerable: Attackers abuse inherent weaknesses in protocols and email technology. Spoofing sender names and domains is trivial in many ways. For example, email senders are typically not authenticated, and the reply-to address need not equal the visible sender address. Moreover, most email clients lack clear visual indicators of good or bad email messages or sender reputation. This complicates the verification of received messages, even for aware users.
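To make the “Vulnerable” point concrete, here is an added Python example (not part of the Gartner guide) that checks a constructed message for the header weaknesses listed above: a display name that impersonates an executive, a lookalike sender domain, and a Reply-To that does not match the visible sender. The protected domain, the executive name and both messages are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed protected domain
VIP_NAMES = {"Jane Doe"}     # assumed display names of executives to protect

# Constructed message showing all three weaknesses: the display name of a VIP,
# a lookalike domain (digit 1 for letter l) and an unrelated Reply-To.
SAMPLE_MSG = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jd.cfo@mail-relay.invalid
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed legitimate message from the same executive, for comparison.
CLEAN_MSG = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 report

Attached as discussed.
"""


def edit_distance(a, b):
    """Levenshtein distance; lookalike domains are typically within one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """Not our domain, but within one edit of it (e.g. examp1e.com)."""
    return domain != org_domain and edit_distance(domain, org_domain) <= 1


def analyze_headers(raw):
    """Return the list of impersonation indicators found in a raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []
    # Display-name impersonation: a VIP's name on a non-corporate address.
    if name in VIP_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name impersonation")
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")
    # Reply-To steering replies away from the visible sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain mismatch")
    return findings
```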
Note 4 Common Email Threats
Threat No. 1: Ransomware Spreading Through Spam: The first example of a quite-common email threat is ransomware. Not all ransomware spreads through email. We see some attackers using exploit kits through web drive-by and adware. However, some of the most successful ones have relied on email, and many are expected to do so in the future.

Locky is a well-known family of ransomware that successfully spreads through spam. To spread, Locky hitches a ride with spam campaigns, sometimes targeting millions of inboxes in a single day. Typical spam campaigns show great spikes of activity, sometimes due to a new ransomware campaign. Locky does not use identity deception.

The payload for these example ransomware families is typically carried in the form of attachments; however, the types of attachments change over time. Attackers choose the types that are most successful at infecting the machine. Although earlier versions of Locky used Word files with macros (which served as the downloader for the actual payload), later versions carried the whole attack in a compressed archive attachment with malicious scripts. Of course, the body of the message is intended to entice the user to open the attachments and, optionally, enable macros or conduct other follow-up actions to install the malware. For that purpose, attachments often appear to be invoices from well-known organizations.

Common, widespread ransomware can be blocked by the SEG, the email server security product and the endpoint. A true multilayer defense-in-depth architecture will be effective against widespread ransomware attacks in attachments. For completely new types of attacks, the assessment is slightly different. Advanced countermeasures in the form of network sandboxes, URL rewriting, CDR or file type allow-listing may be required to block such attacks. Advanced endpoint security technologies may catch some of these at the last layer of defense. In addition to technologies, aware users play a significant role in the protection against widespread attacks, and an even more significant role against more-sophisticated attacks.

Threat No. 2: BEC: The second example is BEC, a threat also referred to as “business email spoofing” or “CEO fraud.” Broadly, there are two classes of attack: simple email spoofing targeting users internal to an organization or a supplier/customer, and account takeover attacks, where the email is actually sent from the victim’s mailbox.

The best-known example of BEC consists of messages seemingly originating from a VIP user, targeting an internal employee and requesting a wire transfer. Other BEC scams have gone after W2 forms for subsequent tax return fraud, unpublished financial reports and other sensitive information. BEC scams are typically set up cleverly, spoofing email names, using lookalike domains or using a compromised account to reply to an existing email thread (see below).

BEC is one of the fastest-growing email security threats for a few reasons. First, it flies under the radar of many technical detection techniques. It is low-volume and highly targeted, and attacks generally do not leverage attachments or URLs that could indicate their nefarious objectives. Second, attacks pay off. Even though attackers have to spend time on activities such as identifying targets (long live social media), writing personalized messages (no more bad spelling) and copying branded signatures of actual messages, the reward for a successful scam is usually quite high. Examples of such scams have been documented and run in the tens of millions of dollars.

Compared to ransomware, the situation for protection against BEC looks bleak. Strong SEG and email server security products combine sender reputation with outlier anomaly detection, content analysis, lookalike domain detection and recipient relevancy to detect and tag such messages. Organizations whose SEGs do not have these capabilities will need a replacement. There are an increasing number of API solutions specifically focused on BEC attacks, often using machine learning and natural language understanding to identify the attack. The user, as in the previous scenario, plays a significant role.

Other countermeasures fall out of scope for technical controls but are powerful for BEC prevention. Standard operating procedures, also commonly referred to as “internal controls,” greatly reduce the risk of BEC. Incorporate segregation of duties and out-of-band verification for specific calls to action that involve financial processes (such as wire transfers) or sensitive information (such as W2 forms) (see “Protecting Against Business Email Compromise Phishing”).

Threat No. 3: Office 365 Account Takeover Through Credential Phishing: The final example is a threat that is becoming increasingly popular among attackers. The attacker sends phishing emails to Office 365 users. Users who fill out their credentials have their mailboxes taken over, and the attack spreads laterally within the organization and to others related to the victim. Because the messages seem to originate from a trusted sender and are executed by human attackers, these messages are hard to distinguish from genuine messages.

SEGs, especially the ones with time-of-click protection that go beyond malware and exploits and effectively check for phishing sites, can play a role. Often, URL assessment at time of click requires a sandbox to detect advanced phishing attacks. Integrated protection, because it has historical data on communication patterns, can use its social graph to flag anomalous messages as suspicious. As described earlier, integrated solutions are increasingly using natural language processing and understanding to identify account takeover attacks. Products can also use APIs to analyze and correlate anomalous log-in events with communication patterns, as well as identifying indicators of account takeover such as mail forwarding rules.

Because an increasing number of organizations are targeted by, or have already fallen victim to, account takeover attacks, it is important for SRM leaders to swiftly implement preventive measures. These include requiring two-factor authentication for mailbox access and adaptive access for managed devices across all email clients.

COVID-19: The global pandemic has seen a significant increase in attacks using COVID-19 as a lure, everything from advice from the World Health Organisation (WHO) to fake applications for benefits due to job cuts. Attackers constantly adapt, so SRM leaders need to monitor and update training for users on a regular basis.
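As an added example, not from the guide or from any vendor named in it, the Python below applies the two account takeover indicators described for Threat No. 3 to constructed audit events: an inbox rule forwarding mail outside the organization, correlated with a sign-in from a country absent from that user's baseline. The event schema, users, timestamps and locations are all assumptions.

```python
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"   # assumed tenant domain

# Constructed mailbox audit events; the field names are illustrative and
# not any vendor's schema. alice's baseline is GB; bob's rule is internal.
EVENTS = [
    {"ts": "2020-08-01T08:02:00", "user": "alice@example.com", "op": "Login", "country": "GB"},
    {"ts": "2020-08-01T17:10:00", "user": "alice@example.com", "op": "Login", "country": "GB"},
    {"ts": "2020-08-03T03:41:00", "user": "alice@example.com", "op": "Login", "country": "NG"},
    {"ts": "2020-08-03T03:44:00", "user": "alice@example.com", "op": "New-InboxRule",
     "forward_to": "collector@mail-drop.invalid"},
    {"ts": "2020-08-03T09:00:00", "user": "bob@example.com", "op": "Login", "country": "GB"},
    {"ts": "2020-08-03T09:05:00", "user": "bob@example.com", "op": "New-InboxRule",
     "forward_to": "bob.archive@example.com"},
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def baseline_countries(events, user, before):
    """Countries the user signed in from before 'before': the user's baseline."""
    return {e["country"] for e in events
            if e["user"] == user and e["op"] == "Login" and ts(e) < before}


def external_forwarding_rules(events, org_domain=ORG_DOMAIN):
    """Inbox rules forwarding outside the organization, a common persistence
    and data-theft indicator after a mailbox takeover."""
    return [e for e in events if e["op"] == "New-InboxRule"
            and e["forward_to"].rsplit("@", 1)[-1].lower() != org_domain]


def correlate_takeover(events, window=timedelta(hours=1)):
    """Alert when an external forwarding rule is created within 'window' after
    a sign-in from a country not in that user's baseline."""
    alerts = []
    for rule in external_forwarding_rules(events):
        for login in events:
            if login["user"] != rule["user"] or login["op"] != "Login":
                continue
            gap = ts(rule) - ts(login)
            if (timedelta(0) <= gap <= window
                    and login["country"] not in baseline_countries(events, rule["user"], ts(login))):
                alerts.append({"user": rule["user"], "login_country": login["country"],
                               "forward_to": rule["forward_to"]})
    return alerts
```

A forwarding rule alone is worth a ticket; the same rule minutes after a sign-in from a never-before-seen country is the high-confidence signal that should trigger session revocation and a password reset.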
Note 5 Using a POC in Email Security Product Selection
Don’t overreact if the POC process of the incoming vendors shows large-scale improvements over the incumbent product. One of the largest challenges faced in the email security market is the difficulty of building reliable, independent, recurring email protection testing, in particular for spam and phishing detection.

There are no reliable monthly tests of the spam and phishing results of all the top vendors, comparable with the anti-malware tests provided by organizations such as AV-TEST or AV-Comparatives. SE Labs periodically tests several email security products, but not on a monthly basis, and focuses mainly on malware and phishing. The challenges are vendor participation, as well as the ability to come up with current and relevant spam and phishing samples.

During POCs, ensure that your incumbent product has all the ATD capabilities enabled and properly tuned. The new products should not be scanning quarantine, deleted, spam or other folders where you may be storing emails that contain malware, spam or phishing for possible false positive detection. Another consideration to factor into the POC process is how the testing is being done: in-line or parallel (journaling).