Demystifying Pre- vs. Post-Delivery Email Security

Email remains a primary vector for cyber threats such as phishing, BEC, and ransomware—making email security crucial for any organization. Today, email security approaches are categorized into “pre-delivery” analysis using Secure Email Gateways (SEGs) and “post-delivery” analysis via Integrated Cloud Email Security (ICES) solutions.

However, framing it as a choice between “pre- vs post-delivery” is misleading. The real difference lies between single point-in-time inspection and continuous real-time protection. Let’s explore these concepts to understand their roles in robust email security.

Secure Email Gateways (SEGs): Pre-Delivery Inspection

SEGs act as a barrier between external email sources and internal email servers. They sit “upstream” kind of like an old-school firewall. They inspect and filter emails before they reach the recipient's inbox. This pre-delivery approach uses various techniques to block threats:

• Spam Filtering to block unsolicited bulk emails
• Malware Scanning to detect and neutralize malicious attachments or links
• Phishing Detection to identify and block phishing attempts
• Content Filtering to enforce organizational policies
• Sender Authentication using SPF, DKIM, and DMARC to verify sender identity

SEGs block known threats immediately, often using rules and policies that require regular manual updates. They can also generate false positives, blocking legitimate emails and requiring manual “search and restore” intervention. Once an email passes through the SEG, it’s no longer monitored for new threats.

Integrated Cloud Email Security (ICES): Continuous Real-Time Protection

ICES solutions harness AI and machine learning. They focus on monitoring and analyzing emails at the inbox level. Rather than a one-time check, they provide continuous real-time protection:

• Behavioral Analysis to detect anomalous behavior indicative of threats
• Automated Response to quarantine, flag, or delete suspicious emails based on updated threat intelligence
• Continuous Monitoring to scan emails for new threats
• Dynamic Threat Updates to continuously adapt to emerging threats

ICES solutions excel in detecting sophisticated threats that evolve over time, such as delayed-action ransomware or malware and dynamic phishing links. They reduce false positives by leveraging more context and behavioral data, seamlessly integrate with cloud-based email services, and offer easier deployment and management.

Let’s expand on a couple of those points.

Dynamic Phishing Links

Dynamic phishing links pose a significant challenge to traditional email security measures (SEGs). These links make use of dynamic DNS to change their destination based on the type of client accessing them. Here’s how they work:

• • Dynamic DNS: Attackers use dynamic DNS to frequently change the IP address associated with a domain name. This allows them to evade static blacklists and make it harder to track their malicious activity.
  • Client-Based Redirection: When a headless client, such as a security sandbox or automated scanner, accesses a link, it’s redirected to a benign-looking landing page to avoid detection. However, when a real end-point client (user) clicks the link, it directs them to a phishing/malicious site designed to steal credentials or deliver malware.

By continuously monitoring email inboxes, ICES solutions can effectively detect these deceptive tactics by continuously analyzing user behavior and identifying anomalies indicative of dynamic phishing attempts.

Leveraging Context and Behavioral Data

One of the key strengths of ICES solutions is their ability to use artificial intelligence to capture context and behavioral data to enhance threat detection. This involves:

• • Natural Language Processing (NLP) and Natural Language Understanding (NLU): These technologies analyze the content of emails to understand the context and intent. By learning what normal communication looks like for each employee, ICES solutions can identify deviations that might indicate phishing or social engineering attempts.
  • Social Graph Creation: ICES solutions map out the typical communication patterns and relationships within an organization. This social graph helps to establish a baseline of normalcy, making it easier to spot unusual interactions that could signify a threat.
  • Behavioral Baselines: By continuously monitoring email interactions, ICES solutions can build a behavioral baseline for each user. Any significant deviation from this baseline, such as an unusual request or a change in communication style, can trigger alerts for further investigation.

Continuous Inbox-Level Protection: The Optimal Approach

Understanding that the distinction between pre-delivery and post-delivery is less relevant than the distinction between single point-in-time inspection and continuous real-time protection.

Pre-delivery inspection with SEGs provides immediate blocking of known threats, but it’s limited to a single point-in-time analysis. In contrast, continuous real-time protection with ICES solutions offers ongoing, adaptive defense against evolving threats. By adopting a continuous inbox-level protection strategy, organizations can ensure comprehensive