At its core, your email security team has one simple goal: protect company emails from compromise. The solution they choose to meet that end often involves a patchwork of monitoring, data collection, analysis, and mitigation tools. It’s not always the most efficient approach and, as threats get more advanced, it doesn’t always keep pace.
As a result, your team will attempt to modify those tools to both protect your company and maximize efficiency — finding ways to save money without sacrificing quality protection.
The problem with this approach is that your senior security team members often get distracted from critical tasks while working through the system modifications. Their time is poorly managed. And more pressing issues might go unnoticed.
This redundant cycle leaves the finance teams (and ultimately, the C-suite) wondering what on earth the security team is doing all day long… and why it costs so much.
A day in the life of a security analyst
So just what does a day in the life of security analyst look like? Typically, they're responding to outreach from people in their organization, automated security tools, or their own proactive searching.
When investigating a suspicious email, the analyst will start by developing a threat analysis report — often informally, because formal analyses are too time consuming, given the volume of work. They’ll scan for common red flags, such as email headers in different locations. Headers capture an email’s history (e.g., where it came from, which servers it bounced around before landing in your employee’s inbox). Next, they’ll look for clues to answer questions like:
- Are security standards like SPF, DKIM, and DMARC in place?
- What's the timeline of this message?
- Who is the recipient of the message?
- What is the content of the message?
- Did the end user read or engage with the message in any way?
- What IP address did it come from?
- What domains did it come from?
- What's in the message?
- Are the URLs malicious or not?
- Is there an attachment? Is it safe?
If that sounds like a lot of effort for a single email, that’s because it is. On average, every email analyzed takes 33 minutes of your analyst’s day. And if the message turns out to be a bona fide threat, it can take several hours or even days to implement fixes.
A battle of competing priorities
You might expect that buying a costlier tool to defend against email threats would solve your resource problem, but that’s not necessarily the case. Often the cost of a tool doesn’t accurately predict its quality. And the interests of the C-suite (i.e., yours) are frequently at odds with the interests of your security subject matter experts (SME).
When it comes to choosing the right tool for the job, it’s important to remember that a security SME’s goal is not to maximize investment or resource efficiency. Instead, a security analyst will choose a tool that maximizes protection. Inherent curiosity means that analyst is far more interested in understanding the latest attacker techniques and tactics, along with finding tools allowing them to build the most advanced rules they can conjure up, than they are in addressing resource allocation challenges. Bottom line: the analyst’s cost focus will be on the protective functionality of the tool instead of its ability to save time and effort.
Why it’s a losing battle
After a decade or more of using email security tools that all look and function the same, incident management types are convinced that more options plus more information will equal more security. We know, however, there’s a point of diminishing returns, and ultimately your team gets stuck searching when they should be acting.
Remember, you only have 82 seconds between the moment a phishing email lands in an employee’s inbox and the moment that employee clicks on it. How is the more + more = more equation supposed to work when it takes 33 minutes to analyze just one email? Put simply, it doesn’t, and eventually you will be compromised.
The simplest approach is the best approach
To effectively mitigate attacks with a larger talent pool of less expensive resources, you need a defensive tool that’s easy to both learn and use. You still want to staff those expensive, hard-to-find security experts, but you need them on the bigger, more complex challenges, not sitting around tweaking a tool.
But don’t be surprised if the consensus leans toward highly custom solutions that require a lot of care and feeding, judging more straightforward tools to be lacking because they “just work” out of the box. That mindset, however unwarranted, reflects precisely the phenomenon we’ve outlined here.
At IRONSCALES, we’ve pioneered an email security approach that “just works,” with a simple, clean interface that also provides best-of-breed protection. Learn how we can help you upgrade your defenses while better utilizing your capital and human resources. Contact us to set up a free 30-day proof of concept today.