Email Security Vendor Market Share Report
In 2015, Gartner announced the end of the Gartner Magic Quadrant for Secure Email Gateways (SEG), citing commoditisation and market consolidation as key reasons.
In a time when Email Security had never been more relevant to businesses, this struck me as somewhat of an odd move. The types of threats being delivered by email have never been more sophisticated and it’s no secret that Email is the #1 attack vector.
Additionally, the arms race amongst the major vendors continues, with continuous innovation amongst the top vendors to keep ahead of what the adversaries are doing.
At InfoTrust we believe that defence-in-depth is key and I am particularly wary of any vendor claiming to offer the “silver bullet”. The worst cases of this I have seen have come from point-play vendors who have claimed to completely solve a threat vector. A holistic approach is needed, one that considers prevention as well as rapid detection and response.
Over the years, the battleground for Email has continuously evolved – as the bad guys get smarter, the vendors have bolted on additional functionality to plug the gap. The challenge is that the adversaries are now creating targeted email attacks that contain nothing obviously bad – no malicious code, no patternable content, no dodgy links – and the emails are coming from reputable sending servers. Here are just a few of the capabilities that have been added to vendors’ SEG detection stacks over the years (often with different names or descriptors per vendor):
- Signature based AntiVirus Detection
- Heuristics
- Delayed Execution Inspection
- Sandboxing
- Advanced Sandboxing
- Physical Server/Endpoint sandboxing
- URL black lists
- Link following
- Real time link following
- Point of click link following
- Spam Signatures
- Traffic shaping
- Anti-Phishing
- Spear Phishing detection
- Spoof sender detection
- DMARC validation
- SPF Validation
- Fuzzy fingerprint detection
- Black Lists
- White Lists
- Application profiling
- Advanced Threat Detection
- IP Reputation
- Impersonation controls
- The list goes on…
Many email gateways now have an extremely deep stack of “Prevention” controls to keep the bad Email out. But fundamentally this approach is doomed to fail. This is evidenced by the fact that many Email Gateway vendors are now offering User Awareness training alongside the Email Gateway solution. Whilst in principle I agree that User Awareness training as part of a defence-in-depth strategy is a good thing, it’s clearly not the answer to this escalation of malicious emails bypassing major SEG services.
Email Market Analysis
InfoTrust has performed an analysis of all organisations known to us with 250 or more users or employees and a presence in Australia. This constitutes over 6000 organisations. The analysis was done by querying the DNS MX records for the primary web domain of each of these companies, and the results have been collated and represented below.
The Australian market for Secure Email Gateways is very mature, with 60% leveraging a cloud-based mail filter. “Other” accounts for 40% of the market and is made up of smaller MSPs with fewer than 50 customers or the on-premise appliances from vendors such as Cisco, Symantec, Barracuda, Trustwave, etc.
Symantec is leading the way amongst cloud providers with 19% (1355 customers), closely followed by Microsoft FOPE with 19% (1320 customers). When we analysed the detail we found that Symantec was still more popular amongst Australia’s largest organisations (such as 8 out of the 12 largest Australian banks), whilst Microsoft’s increase in market share can be attributed to the significant adoption of Office 365, particularly prevalent within the Mid Market (500-1000 users bracket).
Meanwhile a surprising observation was that specialist vendors Mimecast and Proofpoint have relatively low market penetration with only 4% and 2% respectively. This may be attributed to Mimecast’s SMB focus (under 250 users) and Proofpoint’s limited time in the Australian market.
Disclaimer – An MX query will only show the publicly visible address for email and there may be additional redirections after original receipt. Whilst the vast majority of organisations leverage the same domain name for their website and email, some organisations may use different domains for their email versus their web. Additionally, some organisations may have subsidiaries/sub-brands under different Email Gateway control, which may mean some vendors are supplying parts of these larger organisations. Therefore the actual customer numbers may vary slightly.
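The MX-based classification described above can be sketched as follows. This is an added example, not InfoTrust's tooling: the suffix-to-vendor table is an illustrative assumption, the MX answers are constructed sample data, and the DNS lookup itself is left out so the code runs offline.

```python
from collections import Counter

# Assumed, non-exhaustive mapping of MX hostname suffixes to hosted gateways.
# Verify each suffix against current vendor documentation before relying on it.
VENDOR_SUFFIXES = {
    "messagelabs.com": "Symantec",
    "mail.protection.outlook.com": "Microsoft",
    "mimecast.com": "Mimecast",
    "pphosted.com": "Proofpoint",
}

def primary_mx(records):
    """Return the lowest-preference MX target, normalised, or None."""
    usable = [(pref, host.rstrip(".").lower()) for pref, host in records]
    usable = [(p, h) for p, h in usable if h]  # "." is a null MX (RFC 7505)
    return min(usable)[1] if usable else None

def classify(records):
    """Map a domain's MX answer to a vendor, 'Other', or 'No mail'."""
    host = primary_mx(records)
    if host is None:
        return "No mail"
    for suffix, vendor in VENDOR_SUFFIXES.items():
        # Match on a label boundary so look-alike domains are not miscounted.
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return "Other"  # on-premise appliance, small MSP, or unknown service

def market_share(mx_by_domain):
    """Percentage share per vendor among domains that accept mail."""
    labels = [classify(r) for r in mx_by_domain.values()]
    counts = Counter(label for label in labels if label != "No mail")
    total = sum(counts.values())
    return {vendor: round(100 * n / total) for vendor, n in counts.items()}

# Constructed sample answers: domain -> [(preference, exchange)].
SAMPLE = {
    "bank.example": [(10, "cluster1.au.messagelabs.com."),
                     (20, "cluster1a.au.messagelabs.com.")],
    "retail.example": [(0, "retail-example.mail.protection.outlook.com.")],
    "law.example": [(20, "mail.law.example."),
                    (10, "AU-SMTP-INBOUND-1.Mimecast.com.")],
    "mine.example": [(10, "mx1.mine.example.")],
    "lookalike.example": [(10, "mx.notmessagelabs.com.")],
    "parked.example": [(0, ".")],
}

if __name__ == "__main__":
    print(market_share(SAMPLE))
```

As the disclaimer notes, this only sees the first public hop: a domain classified as "Other" may still relay to a hosted gateway after receipt.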
Conclusion
InfoTrust are specialists in securing the email ecosystem, supporting some 350+ organisations with Secure Email related services, and therefore closely observe innovation within this space. Whilst the mainstay vendors have been investing significantly in adding security layers to “keep the bad stuff out”, we’ve been watching with interest a new market entrant for inbound protection, named Agari. Agari made its name helping major email senders such as the leading global banks, social networks and tech giants to prevent outbound email fraud on their owned domains with DMARC deployment and analysis. Now, Agari is leveraging unparalleled knowledge of “good senders” to redefine the way inbound protection is achieved.
This new kid on the block is making a name for itself with large Enterprises in the US and Europe, by taking a significantly different approach to inbound detection. Instead of focusing on identifying the bad, they begin by identifying the good, based on machine learning and Enterprise and User Level receiver profiling.
To put it another way, instead of trying to find the needle in the haystack, Agari’s approach is to first remove the hay!
This fundamental switch has been proven to detect the 1:1 spear phishing attacks targeted at your execs, which we often hear is a major concern for customers of all leading SEG services. By no means a complete replacement for a SEG, Agari is one to watch.
Leading SEG suppliers continue to innovate, but the key to future success lies with those that treat Detection and Response capabilities as crucial to the defence-in-depth approach. Therefore, tighter integration with SIEM/SOC, Threat Analysis and Incident Response is key. In addition, improved integration between the mail gateway and the mail platform (Exchange, O365, Google) is needed to allow for after-delivery retrieval of emails later found to be malicious. Symantec and Proofpoint are leading the way in this regard, but I expect others to follow suit in the months and years ahead.