Email security gateways monitor an organization’s inbound and outbound email traffic for unwanted or malicious messages. These products block or quarantine malware, phishing attacks and spam as their core functionality, but many also offer data loss prevention and email encryption capabilities for outbound email.
There are many email security gateway products and services available that meet the needs of virtually every organization. Trying to select one product or service from the many available options, however, can be a daunting task. As part of an email security gateway evaluation, an organization should develop a set of criteria, such as a list of questions, to answer for each evaluated product through research, vendor discussions, product testing or other means.
This article provides several potential criteria that should be included in an email security gateway evaluation.
How advanced are basic security functions?
Every email security gateway should protect the organization from bad email: those that contain malware, phishing attempts and spam. However, this doesn’t mean that an email security gateway product should just offer basic antivirus, antispam and antiphishing capabilities. Technologies based on this old generation of antimalware controls are not very effective against current threats.
Instead, an organization should look for more advanced antivirus, antispam and antiphishing technologies. For example, malware detection should use sandboxing and other advanced techniques to evaluate files for possible malicious behavior. Simply using signature-based techniques for malware detection, such as antivirus signatures, is not sufficient anymore.
Providers of email security gateways generally offer sandboxing and other advanced techniques through subscriptions to other products.
Barracuda Networks Inc., for example, offers sandboxing for its email security gateway with a separate subscription to its Advanced Threat Protection (ATP) product. ATP protects against advanced malware, zero-day exploits and targeted attacks not detected by the virus scanning features of the Barracuda Email Security Gateway.
Ideally, basic security functions should also utilize up-to-date threat intelligence. Threat intelligence is information collected by a security vendor about current and recent threats, such as the IP addresses of hosts performing attacks or the URLs of malicious domains.
By incorporating threat intelligence services and advanced detection techniques, an email security gateway can be much more effective at detecting malicious emails, assuming that the threat intelligence is kept current at all times — e.g., updated every few minutes.
Mimecast Services claims that its email security gateway, which is built on a single cloud platform, offers better security and system performance through constantly updated threat intelligence.
What other security features do email security gateways offer?
Some gateways only offer the basic security functions discussed above. However, gateways are increasingly offering additional email-related security functions, particularly data loss prevention (DLP) and email encryption capabilities for outbound emails.
For many organizations, especially larger enterprises, these additional functions are irrelevant, because the organization already has enterprise DLP and email encryption capabilities. But for organizations without these capabilities, adding DLP and email encryption options to an email security gateway — often for an additional fee — can be a cost-effective and streamlined way to add these capabilities to the enterprise.
How usable and customizable are the management features?
Usability is an obvious plus for email security gateway management. The easier a gateway is to manage on a daily basis, the more likely that admins can manage it properly and — therefore — the more effective it will be. However, the importance of customizability shouldn’t be overlooked.
Although organizations may not want to spend significant time customizing their email security gateways, doing so can improve detection capabilities, as well as enhance the management process itself by customizing administrator dashboards, gateway reports and other aspects of the gateway.
The needs for usability and customizability of gateway management vary widely among organizations. High-risk organizations require a high degree of customizability in order to make detection as advanced as possible — even if it negatively affects usability.
What are the typical false positive and negative rates?
A false positive rate is the percentage of benign emails that are incorrectly classified as malicious. Similarly, a false negative rate is the percentage of malicious emails that are incorrectly classified as benign. Ideally, false positive and negative rates should be as low as possible, but it is impossible to get these rates all the way down to zero. No detection technology is perfect, and something that lowers one rate often causes the other rate to increase.
Since each email security gateway uses several detection techniques in parallel, it’s not generally helpful to report overall false positive and negative rates for the entire gateway. Instead, vendors provide typical rates for each threat type — spam detection, malware detection and phishing detection, among others.
An organization should be able to “tune” the gateway’s detection methodologies to raise or lower the rates so the gateway has the desired balance of rates. One business might be able to tolerate a relatively high false negative rate in order to achieve a very low false positive rate, for example.
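As an added illustration of how per-threat-type rates and tuning work (example code, not part of the article or any vendor's product), the script below computes false positive and false negative rates for each threat type from a constructed, labelled sample of gateway scores, then sweeps a hypothetical detection threshold to show that lowering one rate tends to raise the other. The scores, labels and threshold values are all constructed for the example.

```python
from collections import defaultdict

# Constructed evaluation set: (threat_type, score, is_malicious). The score is a
# hypothetical gateway's confidence (0.0-1.0) that a message belongs to that threat
# category; is_malicious is the ground-truth label from manual review.
SAMPLES = [
    ("spam", 0.95, True), ("spam", 0.80, True), ("spam", 0.55, True),
    ("spam", 0.40, False), ("spam", 0.10, False), ("spam", 0.65, False),
    ("phishing", 0.90, True), ("phishing", 0.70, True), ("phishing", 0.35, True),
    ("phishing", 0.20, False), ("phishing", 0.50, False), ("phishing", 0.05, False),
]


def rates(samples, threshold):
    """Return {threat_type: (fp_rate, fn_rate)} at a given detection threshold.

    fp_rate = benign messages classified as malicious / all benign messages
    fn_rate = malicious messages classified as benign / all malicious messages
    """
    counts = defaultdict(lambda: {"fp": 0, "benign": 0, "fn": 0, "malicious": 0})
    for threat_type, score, is_malicious in samples:
        c = counts[threat_type]
        flagged = score >= threshold  # message is quarantined/blocked
        if is_malicious:
            c["malicious"] += 1
            if not flagged:
                c["fn"] += 1  # missed detection
        else:
            c["benign"] += 1
            if flagged:
                c["fp"] += 1  # legitimate mail wrongly blocked
    return {
        t: (c["fp"] / c["benign"] if c["benign"] else 0.0,
            c["fn"] / c["malicious"] if c["malicious"] else 0.0)
        for t, c in counts.items()
    }


def sweep(samples, thresholds=(0.3, 0.5, 0.7)):
    """Tune the threshold: a stricter setting lowers FP but raises FN, and vice versa."""
    return {th: rates(samples, th) for th in thresholds}


if __name__ == "__main__":
    for th, per_type in sweep(SAMPLES).items():
        for t, (fp, fn) in per_type.items():
            print(f"threshold={th:.1f} {t:9s} FP={fp:.2f} FN={fn:.2f}")
```

Running it shows, for example, that raising the spam threshold from 0.3 to 0.7 drives the spam false positive rate from 2/3 down to 0 while the false negative rate climbs from 0 to 1/3.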
Are email messages or attachments processed or stored in an external system?
Some email security gateways are cloud-based services. With these products, the organization’s emails will pass through an external system. Some on-site email security gateways (hardware and virtual appliances) may also route suspicious messages to a server controlled by the gateway vendor for additional analysis.
Transferring email to an external server for processing or storage may be an unacceptable risk for some organizations, particularly if the gateway is analyzing internal email messages. It gives the email security gateway vendor access to sensitive data, which the vendor could inadvertently or intentionally expose. Similarly, if the vendor’s server is compromised, the sensitive data could be compromised as well.
Organizations with a particularly strong need to protect the confidentiality of their unencrypted email may want to consider acquiring on-site email security gateways instead of cloud-based services.
Another consideration for the use of external systems is that security and privacy laws and other requirements may differ among jurisdictions.
Suppose an organization purchases services from a cloud-based email security gateway provider. If this provider has cloud facilities set up in multiple legal jurisdictions, particularly different countries, the email messages may be subject to different laws, which may necessitate the use of additional or different security and privacy controls. It may also pose different risks — for example, a foreign government might have the authority to access the organization’s email on the vendor’s servers within that country.
Do your homework and evaluate
It can be overwhelming to try to evaluate email security gateway products and services when so many options are available. Defining basic criteria for evaluation is a helpful step in analyzing the possibilities. There is no right product for all organizations. Each has its own security requirements, email infrastructure and IT environment, as well as a different combination of threats against it.
This underscores why it is so important for each organization to do its own email security gateway evaluation. Simply relying on third-party evaluations is not sufficient to make the best selection, although such evaluations can provide valuable input.
This article presents several criteria, which are meant as a starting point for an organization to develop its own more comprehensive list of criteria. Each organization should consider all of its unique requirements, including applicable laws, regulations and other compliance needs.
Linda Rosencrance contributed to this report.