Why you need Integrated Cloud Email Security (ICES)

Tony MasonEmail Security, Office 365 Security, Security Awareness & Phishing

In their 2021 Market Guide for Email Security, industry analyst Gartner introduced the acronym ‘ICES’, which stands for integrated cloud email security. They also predicted that these platforms would make up 20% of anti-phishing solutions by 2025, up from 5% in 2021. You might also see the acronym ‘CAPES’ used to describe these platforms as well. This was coined by industry analysts Forrester. It stands for ‘cloud-native API-enabled email security’. Since their definition mostly agrees with Gartner’s, we’ll use ICES throughout this article to describe these solutions, explaining their origin, capabilities, and the reasons you need one.

The history of ICES

Earlier Gartner Market Guides referred to cloud email security supplements (CESS) and integrated email security services (IESS). In the 2021 guide, they merged these categories for three reasons:

  1. Proliferation of advanced phishing attacks. – Historically, phishing emails concealed malware in attachments, which was then downloaded from servers linked in the email. Today, however, cybercriminals have evolved their attacks. They are increasingly sending payload-less phishing emails and attacks containing URLs that link to seemingly innocent material. However, they are tailored to harvest credentials for future attacks. These emails are managing to get through existing email security and, therefore, a new solution was required.
  2. Intelligent detection capabilities were developed. Intelligent detection was brought to market as a result of advancements in machine learning, social graphs, and linguistic analysis. This then made it easier to identify advanced phishing attacks.
  3. Adoption of Microsoft 365. – Cloud email platforms make it possible to deploy email security solutions that conduct post-delivery inspection of emails and threat remediation.

Hence we are seeing an accelerating increase in the adoption of ICES solutions.

Easy deployment for an additional layer of security

ICES systems are not intended to replace current email security. Rather, they are meant to supplement it and address the use cases that it cannot address. As a result, they coexist with already available secure email gateways (SEG). Such as the built-in security offered by Microsoft 365.

ICES security can also be set up in a matter of minutes. There’s also no need to change the domain name services mail exchanger (DNS MX) record.

Deployment Techniques

There are two popular deployment techniques for ICES solutions, and both can be used with just a few clicks:

  1. Utilise Microsoft GraphAPI to retrieve emails from the inbox post-delivery. Then examine them. If a phishing email is discovered, either quarantine the email, or add a warning banner before returning it to the inbox. If no threat is detected, the email is sent back to the inbox in its original format.
  2. Use mail flow rules in Microsoft 365 to divert emails to the ICES platform for inspection. If a phishing email is detected, either quarantine it or add a warning banner before sending it to the inbox. Again, if no threat is detected, the email is sent to the inbox.

Regardless of how the solutions are deployed, both approaches allow for the use of GraphAPI to remediate emails that are delivered as legitimated emails but later discovered to be malicious.

It’s worth noting that some have criticised the first method for placing too much reliance on the Microsoft Graph API. This can throttle connections during periods of high volume. The effects of this are well-documented on Microsoft’s website. It can cause potentially harmful emails to stay in users’ inboxes for tens of seconds, if not minutes. During which time a user may fall victim to a phishing attack. A second limitation of this method is the ICES platform’s inability to recover emails that have been sent to devices that are using their default email clients rather than the Outlook app. Again, this causes the user to have access to potentially harmful emails on that device.

 Consolidating around Microsoft

Gartner states that 75% of enterprises are adopting a ‘vendor consolidation’ strategy. Organisations are realising that they are underutilising a large portion of the capabilities they have already paid for. In particular, with their Microsoft E3 or E5 license.

ICES solutions enable organisations to achieve these consolidation goals. By enhancing Microsoft’s native email security they open up the possibility of removing their SEG.

 ICES provide different functionality versus a SEG

As they use self-learning technologies, ICES vendors frequently describe their products as ‘intelligent’. This contrasts with SEGs’ usage of rules and signature-based policies. These require ongoing upkeep and upgrading by IT and security personnel.

 ICES platforms offer three crucial capabilities:

  1. Intelligent detection. – Three key detection technologies are used by the top ICES platforms.
    • Machine learning for behaviour-based security (understanding typical email behaviours and highlighting anomalies).
    • Social graph technology to learn the normal sender/recipient trust relationships and flag anomalies.
    • Linguistic analysis to detect social engineering attacks.
  2. User engagement. – ICES platforms are designed to handle the grunt work. They must identify advanced and complex threats that have eluded other security measures. They are the final line of defence before a recipient is faced with a phishing email. Platforms do not necessarily quarantine questionable emails. Instead, they add a warning banner that is often colour-coded to indicate the level of suspicion. Many banners additionally include contextual information about the threat’s nature. Some of them even give users the option to click through for more details or to mark an email as malicious or safe. These real-time teachable moments reduce risk for the long-term and augment an organisation’s security awareness and training (SA&T) programme.
  3. M-SOAR capabilities. A security analyst must act swiftly. They need to analyse, contain, and eliminate any threat when a user reports an email as malicious. Or when a suspicious email is found through other channels. Leading ICES platforms achieve this through search and destroy capabilities. This surfaces all emails along with warnings about potential hazards or indicators of compromise (IOC). They frequently provide a visual of the original email. Additionally, they enable one-click remediation of all matching emails.
Going beyond ICES

Many organisations are looking to remediate risks beyond the threats that ICES can identify. Intelligent detection technologies are revolutionising outbound threat protection in a similar way to how they have changed incoming threat protection. When Gartner established ICES in the 2021 Market Guide, they also coined the phrase ‘email data protection’ (EDP).

EDP increases security against data breaches caused by human error. Human error can result in emails being sent to the wrong recipients, having the wrong attachments, having too many people in the ‘To’ field, and sending emails with critical information without encryption. It makes use of the same intelligent technologies as those previously mentioned. It comprehends typical sender and receiver actions, and alerts the sender when an abnormality is detected. The intention is to nudge the user at the point of risk by interfering with their regular process, similar to how ICES added warning flags.

ICES providers are striving to include EDP to their portfolios as organisations start to quantify this human activated risk that leads to data breaches. Few, though, can offer both incoming and outbound protection in its entirety.

Get in touch to learn more about Integrated Cloud Email Security (ICES) and EDP platforms and selecting and justifying the best solution for your needs. Email: sales@s3-uk.com Tel: 01628 362 784