In 2015, Gartner announced the end of the Gartner Magic Quadrant for Secure Email Gateways (SEG), citing commoditisation and market consolidation as key reasons.
In a time when Email Security had never been more relevant to businesses, this struck me as somewhat of an odd move. The types of threats being delivered by email have never been more sophisticated and it’s no secret that Email is the #1 attack vector.
Additionally, the arms race amongst the major vendors continues, with constant innovation to keep ahead of what the adversaries are doing.
At Infotrust we believe that defence-in-depth is key and I am particularly wary of any vendor claiming to offer the “silver bullet”. The worst cases of this I have seen have come from point-play vendors who have claimed to completely solve a threat vector. What is needed is a holistic approach that considers prevention, as well as rapid detection and response.
Over the years, the battleground for Email has continuously evolved – as the bad guys get smarter, the vendors have bolted on additional functionality to plug the gap. The challenge is that the adversaries are now creating targeted email attacks that contain nothing obviously bad – no malicious code, no patternable content, no dodgy links – and the emails are coming from reputable sending servers. Here are just a few of the capabilities that have been added to vendors’ SEG detection capabilities over the years (often with different names or descriptors per vendor):
Many email gateways now have an extremely deep stack of “Prevention” controls to keep the bad Email out. But fundamentally this approach is doomed to fail. This is evidenced by the fact that many Email Gateway vendors are now offering User Awareness training alongside the Email Gateway solution. Whilst in principle I agree that User Awareness training as part of a defence-in-depth strategy is a good thing, it’s clearly not the answer to this escalation of malicious emails bypassing major SEG services.
Infotrust has performed analysis of all organisations with 250 users or employees and above, with a presence in Australia, that are known to us. This constitutes over 6000 organisations. The analysis was done by querying the DNS MX records of the primary web domain of these companies, and the results have been collated and represented below.
The Australian market for Secure Email Gateways is very mature, with 60% leveraging a cloud-based mail filter. “Other” accounts for 40% of the market and is made up of smaller MSPs with fewer than 50 customers, or on-premise appliances from vendors such as Cisco, Symantec, Barracuda, Trustwave, etc.
Symantec is leading the way amongst cloud providers with 19% (1355 customers), closely followed by Microsoft FOPE with 19% (1320 customers). When we analysed the detail we found that Symantec was still more popular amongst Australia’s largest organisations (such as 8 out of the 12 largest Australian banks), whilst Microsoft’s increase in market share can be attributed to the significant adoption of Office 365, particularly prevalent within the Mid Market (500-1000 users bracket).
Meanwhile a surprising observation was that specialist vendors Mimecast and Proofpoint have relatively low market penetration with only 4% and 2% respectively. This may be attributed to Mimecast’s SMB focus (under 250 users) and Proofpoint’s limited time in the Australian market.
Disclaimer – An MX query will only show the publicly visible address for email and there may be additional redirections after original receipt. Whilst the vast majority of organisations leverage the same domain name for their website and email, some organisations may use different domains for their email versus their web. Additionally, some organisations may have subsidiaries/sub-brands under different Email Gateway control, which may mean some vendors are supplying parts of these larger organisations. Therefore the actual customer numbers may vary slightly.
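As an added illustration of the MX-based method used for the survey above (example code written for this page, not Infotrust’s own survey tooling), the following script classifies a domain’s mail gateway from its DNS MX hostnames and tallies the result across a constructed sample of domains. The vendor-to-hostname-suffix table is my assumption based on commonly observed MX hostnames and should be verified against each vendor’s published DNS guidance; the sample domains and records are constructed so the script runs offline. It classifies on the lowest-preference (primary) MX only, which is exactly the “publicly visible address” the disclaimer refers to: a cloud filter in front of an on-premise appliance, or a subsidiary routed through a different gateway, would not be visible here.

```python
# Added example: classify a domain's Secure Email Gateway from its MX records.
# Not Infotrust's survey code; the suffix table is an assumption to be verified.
from collections import Counter
from typing import Dict, List, Tuple

MxRecords = List[Tuple[int, str]]  # (preference, exchange hostname)

# ASSUMED vendor MX hostname suffixes (commonly observed; verify per vendor).
VENDOR_SUFFIXES = {
    "messagelabs.com": "Symantec (MessageLabs)",
    "mail.protection.outlook.com": "Microsoft (EOP/FOPE)",
    "mail.messaging.microsoft.com": "Microsoft (FOPE)",
    "mimecast.com": "Mimecast",
    "pphosted.com": "Proofpoint",
    "google.com": "Google",
}


def classify_mx(records: MxRecords) -> str:
    """Return the vendor label for the primary (lowest-preference) MX host.

    "Other" covers on-premise appliances, small MSPs and anything unrecognised;
    "None" means the domain publishes no MX records at all.
    Only the public first hop is visible here, so a cloud filter that relays
    to an on-premise appliance is reported as the cloud vendor.
    """
    if not records:
        return "None"
    _, primary = sorted(records)[0]
    host = primary.rstrip(".").lower()
    for suffix, vendor in VENDOR_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return "Other"


def tally(domain_to_mx: Dict[str, MxRecords]) -> Dict[str, Tuple[int, float]]:
    """Count domains per vendor; returns {vendor: (count, percent_of_total)}."""
    counts = Counter(classify_mx(mx) for mx in domain_to_mx.values())
    total = sum(counts.values())
    return {v: (n, round(100.0 * n / total, 1)) for v, n in counts.items()}


def lookup_mx(domain: str) -> MxRecords:
    """Live MX lookup via dnspython (assumption: `pip install dnspython`).

    Imported lazily so the rest of the module runs without network access.
    """
    import dns.resolver  # noqa: WPS433 (deliberate local import)
    answers = dns.resolver.resolve(domain, "MX")
    return [(r.preference, r.exchange.to_text()) for r in answers]


# Constructed sample data: ten fictional Australian organisations.
SAMPLE_MX: Dict[str, MxRecords] = {
    "bank-a.example": [(10, "cluster1.au.messagelabs.com.")],
    "bank-b.example": [(10, "cluster1a.au.messagelabs.com."), (20, "cluster1.au.messagelabs.com.")],
    "insurer.example": [(10, "cluster2.au.messagelabs.com.")],
    "council.example": [(0, "council-example.mail.protection.outlook.com.")],
    "uni.example": [(0, "uni-example.mail.protection.outlook.com.")],
    # backup MX is on-premise, but the primary decides the classification
    "retailer.example": [(20, "mail.retailer.example."), (10, "retailer-example.mail.protection.outlook.com.")],
    "miner.example": [(10, "au-smtp-inbound-1.mimecast.com.")],
    "lawfirm.example": [(10, "mxa-00000000.gslb.pphosted.com.")],
    "onprem.example": [(10, "mail.onprem.example.")],
    "nomail.example": [],
}

if __name__ == "__main__":
    for vendor, (count, pct) in sorted(tally(SAMPLE_MX).items()):
        print(f"{vendor:24s} {count:3d} {pct:5.1f}%")
```

To reproduce the survey against real domains, replace `SAMPLE_MX` with `{d: lookup_mx(d) for d in domains}`; a `dns.resolver.NoAnswer` or `NXDOMAIN` exception from dnspython should be caught and recorded as `"None"`, and the “Other” bucket is where the disclaimer’s caveats bite hardest, since an unrecognised hostname may still be a vendor cluster the suffix table does not know.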
Infotrust are specialists in securing the email ecosystem, supporting some 350+ organisations with Secure Email related services, and therefore closely observe innovation within this space. Whilst the mainstay vendors have been investing significantly in adding security layers to “keep the bad stuff out”, we’ve been watching with interest a new market entrant for inbound protection, named Agari. Agari made its name helping major email senders such as the leading global banks, social networks and tech giants to prevent outbound email fraud on their owned domains with DMARC deployment and analysis. Now, Agari is leveraging unparalleled knowledge of “good senders” to redefine the way inbound protection is achieved.
This new kid on the block is making a name for itself with large Enterprises in the US and Europe, by taking a significantly different approach to inbound detection. Instead of focusing on identifying the bad, they begin by identifying the good, based on machine learning and Enterprise and User Level receiver profiling.
To put it another way, instead of trying to find the needle in the haystack, Agari’s approach is to first remove the hay!
This fundamental switch has been proven to detect the 1:1 spear phishing attacks targeted at your execs, which we often hear is a major concern for customers of all leading SEG services. By no means a complete replacement for a SEG, Agari is one to watch.
Leading SEG suppliers continue to innovate, but the key to future success lies with those that recognise Detection and Response capabilities as crucial to a defence-in-depth approach. Therefore, tighter integration with SIEM/SOC, Threat Analysis and Incident Response is key. In addition, improved integration between the mail gateway and the mail platform (Exchange, O365, Google) is needed to allow for after-delivery retrieval of emails later found to be malicious. Symantec and Proofpoint are leading the way in this regard, but I expect others to follow suit in the months and years ahead.