Dispelling the Three Most Common Myths of Email Security Incident Response

Lomy Ovadia |
Sep 18, 2019
Email security, incident response

The email security industry has become congested with manufactured trends and buzzwords, saturating the landscape with misused terminology as outdated platforms clamor to stay on top of advanced phishing attacks. As a result, email security is now inundated with noise – making it difficult for CISOs and SOC teams to sort through and distinguish fact from fiction.

In reality, email security must constantly evolve. Phishing attacks are not a new phenomenon – 83% of organizations report experiencing a phishing attack in the last year according to a forthcoming report by – and yet many businesses continue to unknowingly depend on email security point solutions, anti-phishing prevention and incident response controls and countermeasures that were never designed to stop the advanced phishing techniques trending globally today.

Understandably, cybersecurity is a highly competitive industry with millions of dollars on the line. But the pursuit of profits should not be a license for companies to mislead buyers about the limitations of their technology. I’ve previously written about the must-haves of a truly automated email security platform in response to the spread of disinformation, particularly as it relates to email incident response.

Email phishing remediation: search & delete (driven by YARA-style rules) is not enough

One of the most disingenuous practices in email security comes from vendors that wrap PowerShell scripts in a nice interface and label the result incident response, when the technology is nothing more than a basic and inefficient search-and-delete feature driven by static YARA-style rules: it finds and removes only the messages whose artifacts exactly match the rule.

For example, if a security team is made aware of an incident but, despite the bells and whistles alerting them, has to manually remediate part or all of the attack instead of relying on an automatic response, that is not advanced email security protection. So, while many businesses are led to believe that they are investing in modern email incident response, they are unfortunately just implementing technology whose slowness attackers can exploit, in large part because security teams can’t react quickly enough.

For SOC teams, security teams and IT managers to manage email incident response effectively, they must first be able to separate fact from fiction. These are the top three myths about email security:

Myth 1: Search and delete will capture all variations of a phishing attack -

Many adversaries now regularly deploy advanced phishing techniques that easily bypass traditional email security tools, such as secure email gateways (SEGs). Most notable are polymorphic emails, in which an attacker makes a slight, usually unnoticed change to an email’s artifacts – the subject line, sender, body or link – so that each copy carries a different signature and slips past signature-based controls that match only on exact values. To put this into perspective, IRONSCALES identified 52,825 permutations impacting 209,807 inboxes across the world, reinforcing the reality that a search keyed on one reported message’s exact artifacts does not capture the whole attack.
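The following is an added example, not IRONSCALES code and not the page’s own, showing concretely why an exact-match search and delete misses polymorphic permutations and what a permutation-tolerant match has to do differently. The mailbox, the phishing campaign and its three permutations are constructed for illustration; the normalization steps, the 0.8 similarity threshold and the “same sender domain or same link host” anchor are assumptions chosen for this demonstration, not a description of any vendor’s detection logic.

```python
"""Exact-match search-and-delete vs. a permutation-tolerant search.

Added example (not IRONSCALES code). All messages are constructed samples;
the threshold and matching rules are illustrative assumptions.
"""
import hashlib
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed mailbox: one reported phishing email (id 1), three permutations
# of it that differ in subject, sender display name and body/link, and one
# benign finance message that must NOT be swept up by the search.
MAILBOX = [
    {"id": 1, "sender": "Payroll <payroll@acme-hr-portal.example>",
     "subject": "Action required: confirm your payroll details",
     "body": "Your payroll account needs verification. Sign in at http://acme-hr-portal.example/login?u=a1 within 24 hours."},
    {"id": 2, "sender": "Payroll <payroll@acme-hr-portal.example>",
     "subject": "Action required: confirm your payroll details!",  # subject permutation
     "body": "Your payroll account needs verification. Sign in at http://acme-hr-portal.example/login?u=b2 within 24 hours."},
    {"id": 3, "sender": "HR Payroll <payroll@acme-hr-portal.example>",  # sender permutation
     "subject": "Action required: confirm your payroll details",
     "body": "Your payroll account needs verification. Sign in at http://acme-hr-portal.example/login?u=c3 within 24 hours."},
    {"id": 4, "sender": "Payroll <payroll@acme-hr-portal.example>",
     "subject": "Action required - confirm your payroll details",  # body/link permutation
     "body": "Your payroll account needs verification now. Sign in at http://acme-hr-portal.example/login?u=d4 within 24 hrs."},
    {"id": 5, "sender": "Finance <finance@acme.example>",  # benign, different origin
     "subject": "Q3 expense report reminder",
     "body": "Please submit Q3 expenses via the intranet portal by Friday."},
]


def exact_signature(msg):
    """The key a naive search-and-delete rule uses: a hash over the exact
    artifacts. Any one-character change produces a different hash."""
    raw = "|".join((msg["sender"], msg["subject"], msg["body"]))
    return hashlib.sha256(raw.encode()).hexdigest()


def exact_search(mailbox, reported):
    """Naive search and delete: ids whose artifacts match the report exactly."""
    sig = exact_signature(reported)
    return [m["id"] for m in mailbox if exact_signature(m) == sig]


def sender_domain(sender):
    """'Payroll <payroll@x.example>' -> 'x.example'; the display name is
    ignored because it is one of the cheapest artifacts to permute."""
    match = ADDR_RE.search(sender)
    address = match.group(1) if match else sender
    return address.rsplit("@", 1)[-1].lower()


def link_hosts(text):
    """Hostnames linked in the body, ignoring per-recipient query strings."""
    return {urlsplit(u).hostname for u in URL_RE.findall(text)} - {None}


def normalize(text):
    """Collapse the artifacts an attacker mutates cheaply: replace each URL by
    host+path (dropping tracking parameters), lowercase, and reduce all
    punctuation and whitespace to single spaces."""
    def strip_query(match):
        parts = urlsplit(match.group(0))
        return f"{parts.hostname}{parts.path}"
    text = URL_RE.sub(strip_query, text).lower()
    return re.sub(r"[^a-z0-9]+", " ", text).strip()


def similarity(a, b):
    """Similarity of two artifacts after normalization, in [0, 1]."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def permutation_search(mailbox, reported, threshold=0.8):
    """Permutation-tolerant search: match on normalized similarity of subject
    and body, anchored on a shared sender domain or a shared link host so that
    similar-looking legitimate mail from a different origin is not deleted."""
    ref_domain = sender_domain(reported["sender"])
    ref_hosts = link_hosts(reported["body"])
    hits = []
    for m in mailbox:
        same_origin = (sender_domain(m["sender"]) == ref_domain
                       or bool(link_hosts(m["body"]) & ref_hosts))
        if not same_origin:
            continue
        if (similarity(m["subject"], reported["subject"]) >= threshold
                and similarity(m["body"], reported["body"]) >= threshold):
            hits.append(m["id"])
    return hits


if __name__ == "__main__":
    reported = MAILBOX[0]  # the copy an employee reported
    print("exact search finds:      ", exact_search(MAILBOX, reported))
    print("permutation search finds:", permutation_search(MAILBOX, reported))
```

Run as-is, the exact search removes only the one copy that was reported, while the permutation search removes all four copies and leaves the finance message alone. The origin anchor is deliberately conservative: a permutation that changes both the sending domain and the link host would be missed by this toy, which is exactly the gap that additional signals (header fingerprints, attachment hashes, URL reputation, analyst and employee reports) are meant to close.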

Myth 2: Search and delete relieves the burden on SOC teams -

With 42% of all email phishing attacks having at least one permutation, polymorphic email attacks are growing in number. As a result, SOC teams are inundated with the time-consuming and burdensome task of mitigating these risks, wasting valuable time and money. For example, if one phishing attack had 10 permutations, the security team would spend its time removing each of those 10 permutations from every inbox in the organization. By the time the team completed that task, more attacks with new permutations could have reached inboxes. It’s a vicious cycle. Additionally, search and delete does not integrate with prevention tools, which means the flow of malicious emails never stops, keeping SOC members caught in an endless cycle of phishing analysis and response.

Myth 3: Manual, non-integrated incident response is effective in stopping phishing attacks -

Integrating and orchestrating threat intelligence from both technical and non-technical controls into a continuous feedback loop is critical for incident response. If this process is absent, SOC teams have no opportunity to prevent future phishing attacks, which puts them into an endless cycle of detect-respond, detect-respond with no end in sight. By continuously feeding machines intelligence from multiple sources, both internal and external – analyst decisions and employee reports, third-party threat feeds, sandbox/threat emulation and crowdsourced intelligence – email security can adapt and get smarter at predicting, preventing, detecting and responding to threats in real time.

True incident response does not require a long process: no implementation that requires a full scan of all mailboxes, no heavy lifting by analysts, and no specialist needed to work the system. Instead it should focus on automation and orchestration with an easy one-click response to quickly and efficiently mitigate the risk.

In a world of copycats and disinformation, IRONSCALES’ goal is to create email security that solves both existing and emerging threats, including those pesky permutations, through the combined power of artificial and human intelligence. Our platform works within the inbox to deliver fast, easy and seamless collaboration while reducing detection and remediation time through its decentralized model, giving security teams better visibility and control and ultimately cutting back on time and effort.

No myths here, the proven results are enough. Check out our white paper on How Email Security, Orchestration, Automation and Response Revolutionizes Phishing Detection, Investigation and Response
