Email Security Solutions Part 2: What Does it Take to Implement Effective Email Threat Visibility?

In part 2 of this 2-part blog post, we discuss the essential characteristics of technologies that have proven effective for augmenting Secure Email Gateways (SEGs) and stopping email-based malware attacks. Please see part 1, which discusses the challenges of detecting advanced malware attacks using outdated technology.

Augment your SEG with Advanced Malware Detection

To detect and block malware delivered via email, security organizations need to augment their existing email security strategy with a complementary layer of protection that catches the advanced malware that evades their existing tools.

Advanced malware detection solutions can integrate with SEGs to catch sophisticated, new attacks that the SEG alone cannot. These products use full system emulation and network traffic analysis to identify threats before they reach a user. By looking for malicious behaviors rather than relying on signature definitions, these advanced email security systems can reveal malicious intent even in threats that have never been seen before.

Four Benefits of Advanced Email Security Systems

The benefits of augmenting SEGs with advanced malware detection products extend beyond the obvious to include:

  • Augmented SEG capabilities. When a SEG encounters a suspicious file, it can forward it to the advanced malware detection product for analysis, supplementing the SEG’s “first line of defense” with this added layer. The advanced detection technology then performs behavioral analysis on the file, and on the web pages behind any links the message carries, to determine whether they are dangerous. Consequently, an advanced malware product doesn’t have to replace a SEG (in fact, that isn’t desirable), but instead provides an additional, stronger defense behind it.
  • Smarter sandboxes. An advanced malware solution can utilize a more sophisticated sandbox environment, one that is indistinguishable from a target system as far as the malware is concerned. These more advanced sandboxes can interact directly with the malware and avoid the “tells” (visible hypervisor artifacts, default hostnames, an environment that never moves the mouse) that let malware recognize older sandbox solutions and stay dormant.
  • Fewer false positives. Many SEGs err on the side of marking files as suspicious, which can lead to a multitude of false positives that need to be manually investigated. Advanced malware protection products can put these borderline cases through a more thorough analysis process, substantially reducing the number of false positives that analysts must triage.
  • Foiled phishing attempts. Even if a phishing email gets through, an advanced malware protection product can limit the damage by detecting malicious files or web pages that the victim subsequently opens.

Improved Email Security Through Detecting Malicious Behaviors

A critical component of advanced malware detection is an isolation and inspection capability, or full system emulation, that imitates a complete operating system and hardware environment, delivering visibility into the malware, all programs and services it invokes, all operating system functions, and all kernel activity. It analyzes the actions of everything that occurs, including all CPU instructions, memory locations accessed, devices used, and network connections.

SOC teams can configure these products to complement SEG and MTA (Mail Transfer Agent) systems, and to either passively monitor or actively block malicious content. Advanced malware detection tools typically offer flexible deployment options to match how an organization has set up its email service.

MTA Mode

In this mode, the SEG or MTA is configured to route email to the advanced malware detection product over SMTP, either with email delivery (inline, the product passes the mail on after analysis) or without email delivery (not inline, the product only receives a copy).

  • Option A: MTA mode with email delivery. The tool analyzes the sender reputation, URLs, and attachments, and marks up the message (adding a header carrying its verdict); a server-side rule on the mail server then deletes, quarantines, or reroutes the message based on that header.
  • Option B: MTA mode without email delivery. The tool analyzes the sender reputation, URLs, and attachments, and generates appropriate alerts for the security administrator. The original message is delivered by the MTA as usual, so this option monitors rather than blocks.
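The markup step in Option A deserves care: the header the engine adds is just another header, and a sender can put one in the message before it ever reaches the engine. The example below, added here and not Lastline's or any vendor's code, shows the engine side (strip any pre-existing copy of the header, stamp the verdict, bind it to the message with an HMAC under a secret shared with the mail server) and the mail-server side (the rule that reads the header and fails closed to quarantine when it is missing, duplicated, or not signed by the engine). The header name X-Advanced-Malware-Verdict, the verdict values, the shared key and the sample message are all assumptions.

```python
"""MTA mode, Option A: verdict header markup and the server-side rule.

Added example, not vendor code. Header name, verdict vocabulary, key and
sample message are assumptions made for illustration.
"""
import email
import email.policy
import hashlib
import hmac

VERDICT_HEADER = "X-Advanced-Malware-Verdict"            # assumed header name
# Assumed mapping from engine verdict to the mail server's action
VERDICT_ACTIONS = {"clean": "deliver", "suspicious": "quarantine", "malicious": "delete"}
# Secret shared by the engine and the mail server (assumed; load from a vault in practice)
MARKUP_KEY = b"example-shared-secret-rotate-me"


def _signature(key: bytes, verdict: str, message_id: str) -> str:
    """HMAC binding the verdict to this particular message, so a sender cannot
    pre-stamp their own mail as clean and the rule cannot be fooled by copying a
    valid header from one message onto another."""
    return hmac.new(key, f"{verdict}\n{message_id}".encode(), hashlib.sha256).hexdigest()


def mark_up(raw: bytes, verdict: str, key: bytes = MARKUP_KEY) -> bytes:
    """Engine side: stamp the verdict on the message.

    Every copy of the header that arrived with the message is deleted first, so
    the server-side rule only ever sees a value the engine wrote."""
    verdict = verdict.lower()
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    del msg[VERDICT_HEADER]                     # removes all occurrences, not just one
    message_id = str(msg.get("Message-ID", ""))
    msg[VERDICT_HEADER] = f"{verdict}; sig={_signature(key, verdict, message_id)}"
    return msg.as_bytes()


def server_rule(raw: bytes, key: bytes = MARKUP_KEY) -> str:
    """Mail-server side: returns deliver, quarantine or delete.

    Fails closed (quarantine) when the header is absent (the mail bypassed the
    engine), present more than once (markup failed) or carries a bad signature."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    values = msg.get_all(VERDICT_HEADER) or []
    if len(values) != 1:
        return "quarantine"
    fields = [f.strip() for f in str(values[0]).split(";")]
    verdict = fields[0].lower()
    params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    expected = _signature(key, verdict, str(msg.get("Message-ID", "")))
    if not hmac.compare_digest(params.get("sig", ""), expected):
        return "quarantine"
    return VERDICT_ACTIONS.get(verdict, "quarantine")


# Constructed sample: the sender tried to pre-stamp the message as clean.
FORGED = b"""\
From: accounts@example.net
To: user@example.com
Subject: Invoice 4471
Message-ID: <4471@example.net>
X-Advanced-Malware-Verdict: clean; sig=0000
Content-Type: text/plain

Please open the attached invoice.
"""

if __name__ == "__main__":
    print("forged header alone ->", server_rule(FORGED))
    stamped = mark_up(FORGED, "malicious")
    print("after engine markup ->", server_rule(stamped))
```

The rule treats "no header" as "never analyzed" rather than "clean" on purpose: in an inline deployment every message should carry the stamp, and one that does not has found a path around the engine. A header-based rule without the signature is still workable when the mail server can be trusted to strip inbound copies of the header at its perimeter, but the signature removes the dependency on that configuration being right everywhere.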

BCC Mode

The SEG or MTA is configured to BCC (Blind Carbon Copy) emails to a mailbox that the advanced malware detection product reads via IMAP (Internet Message Access Protocol) or POP (Post Office Protocol). The tool then analyzes the sender reputation, URLs, and attachments, and generates alerts that are imported into an existing SIEM.

This deployment is well suited to monitoring a group of users through a single collection mailbox. It is also the recommended alternative to the SMTP-based monitoring described in Option B above. Because the product only sees a copy, BCC mode detects and alerts but cannot block delivery, and the collection mailbox accumulates a copy of every message it receives, so access to it must be tightly restricted.
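As an added example of the BCC-mode collection path (not code from the original post or from any vendor), the script below pulls unseen copies from the BCC mailbox over IMAP, extracts the observables the analysis stage works on (sender, URLs, attachment names and hashes) and emits one JSON line per message in a shape a SIEM can ingest. The mailbox name, the alert schema, the "source" label and the sample message are assumptions; the IMAP poll is not exercised offline because it needs a live server, but the extraction runs against the embedded sample.

```python
"""BCC-mode collector: IMAP poll, observable extraction, SIEM-style alert.

Added example, not vendor code. Mailbox, alert schema and sample message are
assumptions made for illustration.
"""
import email
import email.policy
import hashlib
import imaplib
import json
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def extract_observables(raw: bytes) -> Dict:
    """Pull sender, URLs and attachments out of one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    record = {
        "message_id": str(msg.get("Message-ID", "")),
        "return_path": str(msg.get("Return-Path", "")),   # envelope sender, for reputation
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "urls": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename or part.is_attachment():
            data = part.get_payload(decode=True) or b""       # decoded bytes, ready for the sandbox
            record["attachments"].append({
                "filename": filename or "(unnamed)",
                "content_type": part.get_content_type(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in record["urls"]:
                    record["urls"].append(url)
    return record


def build_alert(record: Dict, verdict: str) -> str:
    """One JSON line per message (assumed schema) for the SIEM import."""
    return json.dumps({"source": "email-bcc-monitor", "verdict": verdict, **record}, sort_keys=True)


def poll_mailbox(host: str, user: str, password: str, mailbox: str = "INBOX") -> List[Dict]:
    """Fetch unseen copies from the BCC account. Needs a live IMAP server, so it
    is not run here. Copies are evidence: mark them \\Seen, never delete them."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    conn.select(mailbox)
    _, data = conn.search(None, "UNSEEN")
    records = []
    for num in data[0].split():
        _, fetched = conn.fetch(num, "(RFC822)")
        records.append(extract_observables(fetched[0][1]))
        conn.store(num, "+FLAGS", "\\Seen")
    conn.logout()
    return records


# Constructed sample: one BCC copy with a link in the body and a zip attachment.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Accounts" <accounts@example.net>
To: user@example.com
Subject: Invoice 4471
Message-ID: <4471@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: http://invoice.example.net/dl?id=4471
Or open the attachment.

--BOUNDARY
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUNDARY--
"""

if __name__ == "__main__":
    print(build_alert(extract_observables(SAMPLE), "suspicious"))
```

On Postfix the copy itself comes from `always_bcc` (every message) or `recipient_bcc_maps` (a chosen group of recipients) in main.cf; the collector only ever reads the mailbox, so a failure in it delays alerts but never delays mail.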


Organizations still need to maintain their Secure Email Gateways. Though rudimentary, they catch many older exploits, and there are thousands or even millions of these exploits still circulating today. A SEG operates as a very efficient first line of defense, catching older and more common threats. An advanced email security solution remains necessary to identify the advanced threats that get past it.

Given the sophisticated capabilities of modern malware, security teams need to augment their existing email security tools with a complementary layer of protection that can detect advanced malware without adding significant cost or complexity. The capabilities described above are the ones that layer needs.

Lastline Enterprise is one example of such a tool that offers the right combination of effective advanced malware detection, proven integrations with SEG controls, flexible deployment as an on-premises or cloud solution, low false positives, and low TCO. It delivers visibility and detection accuracy, enabling analysts to understand the objective of the attack, as well as respond to the threat before a data breach occurs.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.