In today’s fast-paced digital era, businesses are continually seeking ways to enhance productivity, streamline operations, and improve data security. Email communication has experienced drastic transformation with many businesses leaving behind on-premises legacy systems to experience the benefits of the cloud.  But choosing the right email security solution can seem daunting. WIth countless platforms offering protection from evolving cyber threats, it seems almost impossible to keep up or know what to choose. You might be asking the question, “How do these products work with my current tech stack?” or “Is my business ready to make the leap?” This blog will act as a guide, showing how complete cloud email security can support businesses at each stage of their digital transformation journey while ensuring robust protection.  Stage 1: Assessing the need for change The first step in transitioning to the cloud is recognizing the limitations of a legacy system. On-premises email providers require extensive hardware investments, maintenance, and IT resources to keep them running smoothly. They may lack scalability, flexibility, and advanced security features required to combat evolving cyber threats. By evaluating these shortcomings, businesses can begin the shift towards a cloud-based system.  Stage 2: Choosing the right cloud providers Before the migration, it’s important to understand your lineup of technology tools. What solutions will you need on-top of your email provider? Which integrations will make the transition seamless and extra valuable? Let’s start with Microsoft.  When selecting the right cloud provider, you’ll want to look for a track record in email security. Look for data encryption practices, infrastructure redundancy, and perhaps most importantly, protection against email attacks and data breaches.  For base-level protection, businesses may layer a secure email gateway (SEG) on top of their email provider. The SEG works with Microsoft to provide rule-based protection against attacks. But rules can’t catch everything. Microsoft has now invested in native security controls, so an additional SEG is no longer needed. Instead, you can go beyond the SEG with a behaviorally-intelligent integrated cloud email security solution (ICES). An integrated cloud email solution can catch the advanced attacks that bypass Microsoft and a SEG.

Stage 3: Migrating data to the cloud  Whether you are moving to a hybrid setup or fully in the cloud, migrating data will require careful planning and execution. It’s important to have the cloud provider’s support team with you for every step of the way. When exploring industry reviews, look beyond product efficacy for mentions about customer support.  Stage 4: Leveraging advanced security features  When considering your email tech stack, think about the future of your business. As you scale, can your software grow with you? As attacks get more sophisticated, will your inbox stay safe? The effectiveness of legacy approaches to email security has been declining for quite some time, with email being responsible for over 90% of cyber attacks. This is where the power of artificial intelligence and machine learning come to play. When attackers outsmart the pre-built rules, how can you ensure your protection is already one step ahead? Tessian takes a unique approach to securing people using email. Through a combination of machine intelligence, deep content inspection, stateful mapping of email relationships, and behavioral analysis, Tessian turns your email data into your biggest defense against security threats and stops the type of threats you can’t make a rule for.  How Tessian can help from Stage 1 Tessian can be on your journey at any stage whether on-premise, hybrid, or fully in the cloud. No matter where you are on your digital transformation journey, Tessian can help.  Tessian has multiple deployment methods (Modern Microsoft Add-in, API, or Gateway) to cover any email infrastructure at any stage of the cloud journey.  Most importantly, you don’t have to wait until after your cloud-migration to implement a tool like Tessian. By layering it on top of your existing email security strategy, you will ensure no gaps in coverage while you migrate key features — like rules, safelinks, and email authentication — from your SEG to your E3 or E5 Microsoft licensing. Tessian has your back.

Forrester has named Tessian a Strong Performer in The Forrester Wave™: Enterprise Email Security, Q2 2023. In this research, Forrester evaluated 15 enterprise email security solutions and provided a detailed overview of the current offering, strategy, and market presence of these vendors, to help security teams select the right solution for their email security needs.  In an ever-changing threat landscape where duplicative rule-based legacy email security tools are failing to stop advanced email attacks, and cannot detect very subtle employee-driven data loss, security teams are looking for a solution which can address the full spectrum of evolving threats on email.  This Forrester Wave™ report conducts a 26-criterion evaluation of enterprise email security providers by identifying, researching, analyzing and scoring the most significant ones. The research provides a guide for buyers considering their purchasing options and demystifies the complex email security market consisting of point solutions, legacy rule-based gateways, incumbents and next generation tools which span the full range of email security functionality.  In the report, Forrester has declared “email security is now entering a golden age after stagnating for the better part of a decade.” and Tessian agrees. Now is the time to assess your existing email security stack.  The Forrester report advises that, “…enterprise email security customers should look for providers that: Offer flexibility in deployments and integrations Make it easy for security teams to respond Look beyond email to deliver holistic human protection” Tessian Receives the Highest Possible Score in the “Vision” Criterion According to the Forrester report, “Tessian has refined its superior vision to not only focus on protecting the human layer but also to frame email security as a means to elevate security culture within organizations.”  When it comes to elevating the security culture within the enterprise, we at Tessian recognize that automatic email defense is only part of the email security problem that security professionals are facing today. In order to provide the most complete email security, Cloud-native, API-enabled email security (CAPES) solutions shouldn’t solely focus on inbound email security, but should also make it easy for security teams to respond to those inbound security events with speed and ease. Tessian’s vision is to empower security teams by providing the most complete CAPES solutions in the market, that eliminates human influenced cyberattacks, accidents, and insider threats from the enterprise. This means defending against inbound email threats, protecting the enterprises most sensitive data from being lost via email, coaching end-users to drive better security decisions, and most recently, helping security teams respond to email security incidents faster and more efficiently. Tessian recently launched a new product offering, Tessian Respond, dedicated to enabling security teams to quickly identify and respond to email threats with powerful threat hunting capabilities and the automated response to end-user reported emails. Security teams benefit from Tessian Respond by spending less time triaging across multiple legacy email security solutions, manually remediating email threats with PowerShell scripts, and maintaining an overwhelming list of reactive rule-based prevention policies. Tessian Respond makes it easy for security teams to quickly pivot between email security events and response workflows to better understand the full scope of an attack, and to make an informed response decision based on the complete risk exposure, without having to jump between multiple different loosely connected consoles to perform simple remediation tasks. Faster response workflows integrated directly into email threat prevention, paired with automated response to end-user reported email such as false positives or spam, save security teams significant labor-hours by reducing the quantity of alerts that require investigation, while also improving the quality and efficiency of each investigation. While security teams are focusing their time investigating legitimate high risk security events, Tessian takes the opportunity to not only auto-remediate end-user reported emails, but also provide in-the-moment coaching to continuously elevate the end-users security risk awareness. The Forrester Wave™ research states “awareness and training efforts must move beyond standard phishing testing and compliance checkbox courses to adaptive human protection, like real-time “nudges” to encourage vigilance and secure handling of sensitive information.”  At Tessian, we enable security teams to transform an employee’s inbox into a personalized security awareness platform without impeding end-user productivity.   Through in-the-moment training and contextualized warning banners on suspicious emails and risky data loss attempts, Tessian coaches the end-user and builds stronger security cultures within enterprises.  

But email is just one of the many facets of an enterprise’s cyber security posture – security teams at large enterprises typically manage around 64 security tools on average. The Forrester Wave™ research report notes that some customers showed “a preference to feed the telemetry from one or more email security solutions into security analytics tools to initiate investigation and response actions”.  Our integration with SIEM and SOAR platforms facilitates the streamlining of processes and workflows, saving security teams time in pivoting between multiple tools for threat analysis and security event reporting.  As Tessian continues to deliver on its superior vision in today’s remote world, the future of holistic human protection expands beyond just email. Tessian’s DLP capabilities within the email space allow organizations to ensure sensitive information is not lost – be it by accident, with malicious intent, or pure negligence towards internal data privacy policies. Expanding data loss risk prevention across file sharing services and cyber defenses to messaging and collaboration applications is the next step in Tessian’s vision to secure the human layer, empowering people to do their best work, without security getting in the way. And as the Forrester report suggests, “S&R pros interested in linking email security with security coaching and culture should consider Tessian as an additional (human) layer of protection.” Tessian Receives the Highest Possible Score in the “Support and Customer Success” Criterion The Forrester evaluation also reported Tessian received the highest possible score in the Support and Customer Success criterion, citing that, “Reference customers are happy with Tessian’s support and willingness to customize features as well as its easy-to-use interface…” Across over 450 global customers, security professionals and end-users alike agree that Tessian has elevated their organizations’ security culture. Here are some quotes from our customers, independent of the Forrester evaluation:  “Really easy to work with, brilliant solution to offer that multiple layers of technology to protect against advanced threats both inbound and outbound” “Integration and implementation is simple. Integrations with other products are huge. Customization of products is unbelievable.” “Now I can find everything I need in one platform. Before Tessian Respond, it would take me 10-15 minutes just to log into the different Proofpoint platforms and then do the searches. Now with Tessian, it only takes 2-3 minutes and that’s mostly because I need time to read all the information Tessian is providing about the potential email threat.”

Additional Resources To read… The Forrester Wave™: Enterprise Email Security, Q2 2023 report, visit here. Forrester Consulting study of a 268% ROI via The Total Economic Impact™ Of The Tessian Cloud Email Security Platform (commissioned by Tessian, July, 2022), visit here. Tessian’s Press Release about this industry recognition, visit here. About Tessian Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error – like data exfiltration, accidental data loss, business email compromise and phishing attacks – with minimal disruption to employees’ workflow. Founded in 2013, Tessian is backed by renowned investors like Sequoia, Accel, March Capital and Balderton Capital, and has offices in San Francisco, Boston and London.

Tessian, a Cloud-Native, API-enabled Email Security (CAPES) company, received the highest scores possible in the Vision, Support and Customer Success criteria according to report.   BOSTON, Massachusetts – June 12, 2023 – Tessian, Inc. today announced that it has been named a Strong Performer by Forrester Research, Inc. in The Forrester WaveTM: Enterprise Email Security, Q2 2023 – The 15 Providers That Matter Most And How They Stack Up. According to the Forrester report, “S&R pros interested in linking email security with security coaching and culture should consider Tessian as an additional (human) layer of protection.”  As the Forrester report states, “Tessian has refined its superior vision to not only focus on protecting the human layer but also to frame email security as a means to elevate security culture within organizations. Roadmap items include expanding DLP capabilities to file-sharing applications; API-integrated remediation orchestration with major SIEM, SOAR, EDR, and XDR players; and expansion of protection to messaging and collaboration applications.”  In Forrester’s evaluation of the Enterprise Email Security Space, Forester suggests “email security customers should look for providers that:  Offer flexibility in deployments and integrations.  Make it easy for security teams to respond.  Look beyond email to deliver holistic human protection.”  Tessian’s recognition as a Strong Performer in The Forrester WaveTM: Enterprise Email Security report comes on the heels of Tessian’s two most recent major announcements at RSA Conference 2023 this past April. First, as the First Email Security Platform to Fully Integrate with M365 by integrating via both M365 Add-In (Office Add-In) and M365 API (Microsoft Graph API), on top of Tessian’s existing deployment/integration options. April also delivered Tessian’s Official Launch of Advanced Email Threat Response capabilities, Tessian Respond, offering a dramatically faster solution that quickly identifies and responds to email threats through proactive threat hunting capabilities and automated response to end-user reported emails.  “Tessian’s vision is to secure the human layer, empowering people to do their best work without security getting in the way, by eliminating human influenced cyberattacks, accidents, and insider threats from the enterprise.”, said Tim Sadler, Co-Founder and CEO at Tessian, “Our product strategy is to provide the most complete CAPES solution in the market, by not solely focusing on inbound email security, but also offering outbound data loss prevention, real-time security coaching, and the fastest response capabilities in the enterprise email security space.” Additional Resources  To read…  The Forrester WaveTM: Enterprise Email Security, Q2 2023 report, visit here Forrester Consulting study findings of a 268% ROI via The Total Economic ImpactTM Of The Tessian Cloud Email Security Platform (commissioned by Tessian July, 2022), visit here Tessian’s blog about this industry recognition, visit here About Tessian  Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error – like data exfiltration, accidental data loss, business email compromise and phishing attacks – with minimal disruption to employees’ workflow. Founded in 2013, Tessian is backed by renowned investors like Sequoia, Accel, March Capital and Balderton Capital, and has offices in San Francisco, Boston and London.

Nearly all forms of Business Email Compromise (BEC) attacks are on the rise, according to the fourth edition of Microsoft Threat Intelligence Cyber Signals published last week. In the latest Microsoft research for phishing protection, Microsoft Threat Intelligence Digital Crimes Unit (DCU) detected and investigated 35 million BEC attempts between April 2022 and April 2023, or 156,000 attacks every day. The FBI Internet Crime Report 2022 also found that BEC attacks were responsible for over $2.7 billion in losses last year alone. Microsoft saw an increase in both the sophistication of attacks and the tactics used by adversaries in BEC attacks. Cybercrime-as-a-Service organizations enable advanced phishing techniques at scale for bad actors, allowing them to easily circumvent traditional detection methods like “impossible travel” flags and malicious URL detection.  According to the Microsoft Threat Intelligence Cyber Signals report, BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. The report goes on to explain that, rather than targeting software vulnerabilities, BEC attacks exploit the daily sea of email traffic to lure victims into providing financial information or taking action which unknowingly helps criminals perform fraudulent money transfers. 

Key Findings by Microsoft Threat Intelligence Digital Crimes Unit from April 2022 to April 2023:   35 million annual BEC attempts detected and investigated  156,000 daily BEC attempts detected and investigated   417,678 unique phishing URL takedowns   38% increase in Cybercrime-as-a-Service targeting business email [2019 – 2022]   BEC threat actors increasingly purchase credentials and local IP addresses from end-to-end Cybercrime-as-a-Service (CaaS) providers to evade traditional detection methods Top Targets for BEC Attacks:   Executives & Senior Leadership   Finance Teams & Management   HR Staff with access to employee records (i.e. Social Security numbers, Payroll, and other PII)   New employees less likely to verify unfamiliar requests via email Top Trends for BEC Attacks in 2023 (January to April)   LURE attacks (Legacy URL Reputation Evasion)   Payroll/Invoice attacks   Gift Card Requests   Business Information Requests Defending Against BEC Attacks – Microsoft’s Recommendations The Microsoft Threat Intelligence Cyber Signals report discusses many best practices that organizations can implement in the fight against BEC, but their recommendations can really be boiled down into two key initiatives:     Enhancing existing defenses through AI-based phishing protection    Training employees to better spot BEC attacks in real-time

Microsoft + Tessian – Better Together Tessian’s Complete Cloud Email Security Platform is an ICES solution that defends against advanced email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, all while coaching end-users to drive better security decisions in real time. Organizations leveraging Microsoft’s native email security capabilities along with Tessian find the most complete cloud-based AI-driven email security coverage for defending against BEC attacks.  Aligning with the recommendations in the most recent Microsoft Threat Intelligence Cyber Signals report, Tessian enhances Microsoft’s native email security capabilities by leveraging behavioral based AI detection for more effective prevention against social engineering attacks. Tessian also offers customizable, bespoke in-the-moment security coaching that encourages end-users to take a step back and consider the potential risks and costs associated with successful BEC attacks.  To learn more about how organizations are pairing Microsoft + Tessian for the most complete email security protection, download our Tessian + Microsoft 365 Solution Guide.  

Tessian Complete Cloud Email Security Platform defends against inbound email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, while coaching end-users to drive better security decisions When evaluating email security solutions, security professionals care about one thing over anything else: will this help us prevent more threats?  The irony is, security solutions themselves have become one of the main drivers as to why security teams aren’t preventing more threats in the first place. Legacy gateway solutions are time intensive, manual and inefficient – meaning security teams simply don’t have the time, tools or patience to effectively manage their email security posture. Security teams today often rely on rule-based prevention policies or end-user reporting to first identify email risk, and then use between 2-5 different security tools to perform investigation and remediation workflows. For every individual email threat, this process can take 30 minutes on average – and sometimes, more.  This means if an organization sees any more than 15 potential email threat alerts, one single security team member may lose a full day of work.

Between a backlog of end-user reported emails, attacks that have bypassed traditional controls and inefficient email response workflows, security teams spend too much time responding to advanced email threats. It can take days, due to archaic tooling and approval processes, for organizations to remove known malicious emails from an enterprise, exposing the company to extended risk.  In order to prevent more threats, security teams need a solution that will help them cut through the noise, enhance their risk detection, and increase their response efficiency. This is exactly why we’ve built Tessian Respond. 

Tessian Respond is the fastest solution for security teams to quickly identify and respond to email threats by offering threat hunting capabilities and the automated response to end-user reported emails. Tessian Respond makes it easy for security teams to quickly pivot between email security events and response workflows, to better understand the full scope of an attack and make an informed response decision based on the risk. 

Powerful search queries leveraging data and threat indicators from the entire Tessian platform – such as Subject, URLs, or even File Hash Values – now allow security teams to investigate if a single email alert is an isolated incident, or part of a broader attack campaign across the organization. End-user reported emails will be ingested from any existing report phish button and prioritized by highest risk using a combination of machine learning algorithms and customer defined policies. Tessian Respond automatically classifies end-user reported spam and false positives, which enables the security team to quickly focus their time on legitimate higher risk email threats.  The ability to quickly detect and identify email risk does not, however, completely solve the problem that security teams are dealing with today. In order to enable more prevention, security teams need the ability to remediate existing email threats… FAST. Tessian Respond gives security teams bulk remediation actions directly within investigation workflows to quickly remove threats from the environment and reduce the organization’s attack surface moving forward. With a continuous feedback loop directly into Tessian’s behavioral based AI detection algorithm, every email marked as malicious, reported as spam, and removed from the inbox  improves Tessian’s understanding of an organization’s normal email behavior and helps Tessian improve prevention overtime. Security teams will benefit from Tessian Respond by spending less time triaging across multiple legacy email security solutions, manually remediating email threats with PowerShell scripts, and maintaining an overwhelming list of reactive rule-based prevention policies. Tessian Respond gives security teams the freedom and flexibility they need to do what is most important to them: prevent more threats.

When evaluating email security solutions, security professionals can be confident in one thing over anything else: Tessian enables security teams to respond faster, and as a result, prevent more threats.

Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.  The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a welcome and new approach to solving for increasingly sophisticated and elusive email security threats.

Advanced threats require a new approach to addressing email security risk Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.  The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.  Threat actors are exploiting these developments by targeting the most common threat vector for a breach, phishing via email.

Secure Email Gateways (SEGs) SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is  largely due to SEGs relying on adversaries exploiting common and well-known attack vectors.  SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine that is combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific emails security policies, block domains, and triage incidents – with many of these incidents false positives due to its “wide-net” email filtering approach.  Given the threat engine for SEGs also relies on known threats, it can enable threat actors to bypass SEG controls, for example, by registering new domains which are combined with advanced impersonation techniques. That’s why Tessian saw 2 million malicious, inbound emails evade SEGs in a 12-month period. And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods for email based data exfiltration, for example renaming document file names to bypass manual orchestrated SEG DLP policy labels. 

The key attributes of SEGs include: Designed to protect against commonly seen threats i.e. mainstream phishing activity, malware and spam The redirection of mail via MX records pointing to the SEG to scan all incoming email  Using a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments Clawback ability for internal email only No ability to detect lateral movement by a threat actor that has breached the gateway Supplemental scanning solutions are often required to detect advanced inbound threats Manual orchestration of basic DLP policies

Integrated Cloud Email Security (ICES) Solutions The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But, they’re also able to provide protection for hybrid and on-premise environments.  Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities, to dynamically, and in-real-time, scan and detect any anomalous email behavior on both the inbound and the outbound side.  ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.

The key attributes of ICES solutions include: Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO) Require no MX record changes and scan incoming emails downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives i.e. less business interruption and  more SOC optimization A banner can be added to an incoming email indicating the level of risk of the scanned email Lateral attack detection capability Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw-back a suspected email determined to be malicious All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URL and attachments Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real-time Some have advanced DLP capability

The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.  Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 

Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.

Here’s a real-life example of Tessian in action. On this occasion, Tessian has flagged a potential phishing email chasing an invoice payment from a supplier. The client is a 3000-user global law firm and receives thousands of emails a day. In this attack attempt the threat actor has spoofed a legitimate existing domain for the approach,  *******services.com. But crucially, for the reply address, the attackers used *******service.com, omitting the final S found in the original URL.  It’s a common technique for attackers to use a legitimate domain for the initial email to gain trust, and then use a lookalike as the reply to, so they can then divert all conversations to their own inbox. They hope it won’t look suspicious because the recipient will probably think that it’s the same sender’s address. The science behind the way humans read words would mean that this would be easily scanned over in a busy office. The warning displayed to the end user

Tessian alerted the end recipient that the email was suspicious and explained why in three simple points, after which they correctly marked it as malicious. It’s in-the-moment explaining and training like this that empowers employees to make the right security decisions themselves, without slowing down their workday.  And here’s how the Security Team saw the event in the Tessian portal. You can see that the user safely marked the email as malicious in under five minutes from when it arrived.  Tessian picked up on the fact that the reply to address is extremely similar to the sender address and that *******services.com is not very well known to the customer, based on their statistics. Other flags included keywords such as ‘invoice’ and ‘payment’.

It’s also worth noting the time the email was sent, around 2pm GMT. Our own State of Spear Phishing report shows that the most successful attacks happen just after lunch, or towards the end of the working day, when people are at their most distracted.  Let’s now look at the email itself, and some of the social engineering triggers the attacker has used. It’s worth noting there’s just the right amount of suspicious intent: too much urgency such as ‘please pay immediately’ can cause people to double check and action it there and then, especially if the request comes from a senior manager or the C-Suite. Too little urgency meanwhile, means it might not get done at all.  The email arrived on Thursday 19th of January, with a suggested payment deadline of the 31st – just the right amount of nudging to ensure it’s quietly added to someone’s ‘to do’ list the following week. 

Attacks that mimic your suppliers can be particularly tricky to defend against, as psychologically, your organization and people have probably dealt with them before. Even small firms can have hundreds of different suppliers – from office cleaning to raw materials to payroll. For large multinationals like Walmart, or Total that number can run to over 100,000. That’s a lot of emails back and forth.  Tessian stops attacks like this on a daily basis, delivering a modern email security posture and protecting your end-users and data. But the best thing is we do all that, while reducing your security team’s workload. This ultimately saves you money and reduces complexity, leaving you confident that your organization is protected.

Cybersecurity attacks are increasing in volume and sophistication year-byon-year. As every CISO knows, email is the primary attack vector used by cyber criminals – being responsible for 96% of cybersecurity breaches. It means that protecting your organization against email-based attacks is a top priority for any IT leader. Traditionally, in a world where most IT systems, including email servers, were hosted on premises, Secure Email Gateways (SEGs) were used to monitor incoming and outgoing emails and weed out fraudulent or malicious content. Today, in the work-from-anywhere era, organizations are increasingly moving to cloud-based email platforms, which need to be secured by a new generation of email protection software – known as Integrated Cloud Email Security (ICES) solutions. To find out more about Secure Email Gateways and the emergence of Integrated Cloud Email Security (ICES), we caught up with Tessian Senior Sales Engineer, Tam Huynh. He knows more than most about the benefits and applications of these technologies, how they can be deployed in practice, and how they help organizations deal with today’s ever-changing email threat landscape.   What are the greatest email-based cybersecurity risks?  There are many ways for hackers to attack an organization’s data and systems via email. Some of these have been around for a long time, but are becoming more sophisticated every year, while others are brand-new.  Phishing attacks Phishing has been around for almost as long as email itself. It involves a fraudster spamming users with emails, purporting to be from a reputable source, and encouraging the recipient to click on a link or visit a particular site. Phishing emails might offer a tempting prize or incentive, or they could threaten the recipient with account closure or financial penalties if they don’t click on the link to rectify an issue. Once the recipient clicks on the link, they are taken to a fake website and encouraged to share personal information, bank details, or reset passwords. Ransomware attacks A ransomware attack involves a hacker breaching your company’s security and restricting access to data or systems. The hacker then demands a ransom to be paid in order to lift the restriction. Ransomware attacks are often made through email, duping users into clicking on malicious links or opening an attachment that releases malware into the company’s computer network. Zero-day attacks This is a rapidly growing threat that targets previously unidentified vulnerabilities in a company’s software. Again, email is the attack vector, with zero-day malware entering a network via a breach in email security and stealing or damaging data from within an organization’s network. Because these attacks enter via a previously unknown vulnerability or gap in cyber defenses, the organization targeted has ‘zero days’ to patch the vulnerability and fix the problem. The only way to identify zero-day malware is to examine suspicious email and software activity.

What is a Secure Email Gateway? A Secure Email Gateway (SEG) is a technology solution designed to protect organizations from email-based threats and ensure a secure flow of email communications. Secure Email Gateways act as a filter between an organization’s internal email infrastructure and external email systems, such as the internet. Secure Email Gateways are designed to prevent unwanted email entering a company’s IT environment, while ensuring good emails get through to the right recipients. SEGs help to detect spam, phishing attacks, malware, and fraudulent content, while outgoing messages can be analyzed to prevent sensitive data leaving the organization.  How do Secure Email Gateways work? Originally developed in 2004 for on-premise email servers, SEGs use a rule-based approach to threat detection. They have ‘deny’ lists, ‘allow’ lists and signatures for message authentication to prevent attacks. That means they protect email systems against threats that are already known, using a reactive approach. However, this means that Secure Email Gateways can’t offer protection against zero-day attacks and are increasingly easy for attackers to evade using advanced social engineering campaigns. Secure Email Gateways use an established dataset and static analysis to identify the threat signals in emails. However, SEGs have been found wanting when it comes to detecting business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks – because often there is no malicious payload associated with these emails. Furthermore, the shift away from on-premise email platforms to cloud-based platforms presents new challenges in securing these cloud services against email-based attacks. Gartner estimates that 70% of organizations now use cloud productivity solutions like Microsoft 365 and Google Workspace. In this environment, IT leaders are increasingly turning away from SEGs and opting for new Integrated Cloud Email Security (ICES) solutions.  

What is an Integrated Cloud Email Security (ICES) solution? Integrated Cloud Email Security (ICES) solutions have been developed to provide the best defense against advanced email-based threats that evade traditional email security controls. ICES solutions are cloud-based and use application programming interfaces (APIs) to detect anomalies in emails, using advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time-to-value, and can analyze email content without the need to change the Mail Exchange (MX) record. How long does it take to deploy an Integrated Cloud Email Security solution? APIs enable advanced and intricate ICES solutions to be deployed to Microsoft 365 in around 20 minutes, depending on how quickly the administrator can get the author credentials. With the Tessian solution, users enter their credentials inside of our portal and grant permissions to the Tessian console, tell us which groups to sync, and they’re done.  If we look back a decade at how Secure Email Gateways were deployed, it could take well over a month or more of multiple-phase approaches, changing control windows, testing within a lab or a sandbox first, and then rolling the system out to production. ICES deployment is much faster. How do ICES solutions work with existing tech stacks? Our experience shows that many businesses are essentially replacing their Secure Email Gateways with ICES solutions. To enable this transition, we typically create a full feature map of the organization’s SEG, and then recommend a Microsoft 365 E5 license that enables them to use features such as sandboxing and behavioral analysis, as well as other features found in a SEG. Of course, organizations can choose to retain their Secure Email Gateway alongside Microsoft 365 E5. For organizations not looking to move to Microsoft 365, who might have an on-premise exchange server, or are using G Suite, Tessian can leverage a gateway testing deployment, which means an installation time of around an hour. And that’s from start to finish. Either way, deploying via the APIs or gateway means no worrying about modifying MX records.

How should companies communicate ICES to the rest of the business?  As we’ve seen, ICES solutions can be deployed in under an hour, but that might come as quite a shock to other teams around the organization. So it’s vital to have a clear communication strategy for the business, alongside your technical deployment strategy.  You need to ensure that all relevant teams are aware of the change, well ahead of time, especially non-technical teams. Users will want to know if the change is going to affect any imminent sales. Does the Customer Success team need to inform customers? And don’t forget to let the leadership team know. Use the skills of your communications team to help get the information out to the wider organization, and have them on standby in the unlikely event that there is an issue with the deployment.  When is the best time to deploy an ICES?  Not at 5pm on the penultimate Thursday or Friday in the quarter when sales might be trying to hit target! The ideal time we’ve found with our customers is after business hours on a Monday. The email volume is low, so it won’t be noticed by most end users.  To find out more about Integrated Cloud Email Security and how it can protect your business from the latest email-based cybersecurity threats, please read our Buyers Guide to ICES or request a demo. 

A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.  We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.  Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros.

Here are the highlights: CISOs are working overtime and can’t always switch off from work The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.  Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.

The size of the company makes a difference The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.  On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.

Overworked employees make more security mistakes Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.  Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.  While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.

So what can CISOs do to create a better work / life balance? Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.  Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

The threat caused by malicious, embedded URLs will grow as Business Email Compromise (BEC) attacks increase. Only a behavioral-based approach that involves a thorough examination of the URL content contained within the email body and its attachment allows you to reduce the risk of a URL-based email compromise. Differentiating from the SEG While URL link rewriting, also known as time-of-click protection, is offered by legacy email security providers, such as Secure Email Gateways (SEGs), it has major restrictions on the level of security it can provide. The problem is that your protection is only as effective as the rules and policies you create and how up-to-date the threat detection engine of known threats is. Tessian enhances the protection against known and unknown malicious URLs by ensuring they are detected and retrieved from both the email’s body as well as any attachments that may include them. From here the URLs are analyzed against known and unknown indicators of compromise (IOC).

Cyber Criminals break the rules The static, rule-based approach to malicious URL detection offered by legacy email security presents an open opportunity for threat actors to circumvent them using a range of obfuscation methods. For example, in a well-documented case of APT 39’s malicious URL campaign, the cyber criminals were able to hide malicious links within attached files and bypassed the rule-based SEGs of numerous victims. 

Five Shortcomings of URL Link Rewriting Protection  Here are five additional reasons why URL Link Rewriting falls short in protecting your organization from malicious URLs: URL link rewriting is an overly manual security control prone to human error It requires a significant degree of manual security rule and policy orchestration. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.  URL link rewriting is ineffective at protecting against zero-day attacks It only offers protection against known threats and limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors.  URL link rewriting lacks the intelligence to detect advanced attacks on email Threat actors are continuously becoming more sophisticated. Hiding malicious URls in an attachment or having a redirected link tricks the victim into thinking they are clicking on a perfectly safe link when in fact they are actually clicking on a malicious link. Protection starts and stops at the gateway When utilizing a perimeter solution, such as a SEG, you can only see what is coming into and out of the organization. Lateral phishing attacks are missed as the email doesn’t pass the gateway. If all you have is a hammer, everything looks like a nail URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign-looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.

The need for Intelligent Cloud Email Security  Email-based attacks are still by far the most popular attack vector. The efficiency of legacy email security controls has come into sharp focus as a result of the constantly shifting and developing attack landscape. Threat actors are continuously becoming more sophisticated and circumventing the rules-based approaches of legacy email security tools. Today URL link rewriting is no longer capable of defending organizations from advanced attacks on email. Only by leveraging intelligent email security solutions that understand behavior and have contextually aware scanning capabilities – detecting the most obfuscated of URLs – can you significantly improve your email security posture against URL-based attacks. To see how the Tessians Intelligent Cloud Email Security platform prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

October is Cyber Security Awareness Month, The US Cybersecurity and Infrastructure Agency (CISA) and National Cyber Alliance (NCA) call for organizations to focus on the fundamentals of cyber security. So we caught up with Tessian’s Head of Risk and Compliance, Kim Burton, to find out what they are and what they mean for your organization. Watch the video below or read the transcript.

So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do. And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are… Strong passwords That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair that two-factor authentication on every account that you have if possible. Not every account allows for two factor authentication, but everywhere that you can. You want to use multi-factor authentication, Updates Make sure you’re always keeping your machine updated! Mindful posting What I mean by that is, make sure that when you’re posting on social media, you’re being careful about the kinds of information you reveal. And note that you’re also protecting your friends and family, your business when you’re posting online. So you want to just be careful about the kind of privacy implications that that could come about.  Report suspicious emails And then, when you see something uh make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report fishing emails uh, and remember that you’re in a community, protect each other.

Hosting a security open day There are all kinds of different activities that you can run for Cybersecurity Awareness Month. Having a security party where you all come together and discuss secure solutions that the company specifically requires and  relying on people at the business to present their expertise to other coworkers like doing brown bag lunches that are focused on security components. You can use your employees to actually do a pretend ‘hack the company’ event where you can encourage them throughout the month to name different security concerns that they see. Maybe someone’s left their laptop unlocked, or maybe they noticed people aren’t badging in consistently. Or maybe you’re trying to encourage them to wipe down whiteboards – a security scavenger if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have. What’s hard is if someone’s coming in and top-down, telling them very aggressively like waving a stick and saying “you will do these things”. A lot of these folks have worked  other places. They know what they need to be doing, they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can maneuver exactly their knowledge to be exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they’re at. You can have other security events like an Osint scavenger hunt. So Osint is Open Source Intelligence Gathering. That would be maybe a couple of employees gather a bunch of different photographs around the Internet and you ask your folks to identify where they are. It’s amazing how quickly people can identify locations from photographs, and they think they’re not going to be good at this and they’re like “I’ve never done this before, there’s no way I’ll be able to tell from this corner of a building where this is located in the world”. But then you give them five minutes to think about it, and they start saying “You know that type of tree doesn’t grow anywhere else”, or “you know the angle of the sun there seems like it could be in this region of the world” It’s amazing how fast people like start to to figure out these things. And that teaches them how attackers think, that teaches them how malicious actors are going to react.  And it’s fun. You’ve changed it into a game, but what they come away with is; “Oh, okay, I was able to do this in  half an hour of activity. What could someone do with a month? I’ve got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business”. It helps them  really see the practicality of of the events that they’re doing.

Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered and why he believes BEC is on the rise. Listen to the whole episode, here, or read on for three key Q&As from the interview.

Why are BEC attacks growing more frequent and more effective? I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam. Those schemes are all still around but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness. In the case of BECs there is now more education, communication, and detection technology than just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted, we now see everyday people losing down payments to their new homes through BEC, for example. The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and control. So as long as the crime continues to have success it is only going to grow.

What are the typical traits and characteristics of these attacks? In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font or a different representative than who you have always worked with, or even a different salutation. It is very rare that when reviewing the email with hindsight you don’t spot something that probably should have caught your eye. As for who is targeted most frequently, it is tough to say because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion. I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers and the amounts and frequency paid to them are publicly available online. This takes a lot of the work out of the process for the criminals. In some instances, a cyber intrusion isn’t even necessary because the criminal actor could impersonate the supplier or municipality’s finance director and request payment without intrusion. Cases like this are becoming more and more common.

How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks? We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable and that is not accurate, but timing is everything.  When I am notified of a BEC I immediately work with the relevant financial institutions to trace these funds and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really one of the best ways we help is pro-active education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens they know who to call.  In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen you don’t have a half dozen people trying to figure out who to call and what to do.

For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode, here. You can also visit the Secret Service website to find out more information.