FireEye Stories

Protection Beyond the Traditional Secure Email Gateway

Email continues to be heavily used by cyber attackers to get past the security defenses organizations have in place. While the secure email gateway (SEG) market is mature, the schemes by which threats evade SEGs are dynamic and constantly morphing. For this reason, a SEG must be agile and adapt quickly to the ever-changing threat landscape. In other words, a SEG that only stops spam and known malware just won’t cut it. These signature-based capabilities as well as commoditized or OEM sandboxing technologies for advanced threats are no match for today’s opportunistic and targeted threats.

What ultimately differentiates the best SEG from the rest is its ability to detect, defend and report on advanced threats such as malware-less impersonation, malicious URLs and attachments, and multi-stage exploits.

FireEye Email Security is a full secure email gateway that blocks inbound and outbound unknown advanced threats, known malware and spam. This singular solution minimizes risk, while delivering robust detection and protection. By consolidating the email security stack with FireEye, organizations also reduce the impact email-borne threats can have on their employees, while often benefiting from cost savings.

Advanced Threat Categories

The primary advanced threat categories include malicious attachments, malicious URLs, impersonation and multi-stage attacks (Figure 1). Multi-stage attacks combine elements of advanced threat types including malicious attachments, malicious URLs, and impersonation. For example, by including a phishing link in the impersonation email, cyber criminals realized they could send out a vaguer email to a larger amount of people while still seeing similar click-through rates. Believing they are talking to a trusted source, users are more likely to click the link in the email compared to in a general phishing attack. Once clicked, the linked phishing site can lead to malware payloads or credential harvesting sites, making it a more efficient tactic for email attacks.

Figure 1: Advanced threat categories and FireEye technologies

FireEye In-house Developed Technology and Intellectual Property

Multi-Vector Virtual Execution (MVX) Engine – MVX technology analyzes email attachments and files downloaded through URLs on over 200 virtual machines against a comprehensive cross-matrix of operating systems, applications and web browsers. Detects, detonates and reports on never-before-seen exploits and malware including zero-day, multi-flow, multi-stage, polymorphic, ransomware and other evasive attacks that other solutions miss.

Advanced URL Defense – This is a true, big data scalable platform that detects URLs linked to phishing sites. An integral part of Advanced URL Defense is classifier plug-ins. Three plug-in examples include PhishVision, Kraken and Skyfeed:

PhishVision is an image classification engine that uses deep learning to compile and compare screenshots of trusted and commonly targeted brands against web and login pages referenced by URLs in an email.

Kraken is a phishing detection plug-in that applies domain and page content analytics to augment machine learning.

Skyfeed is a purpose-built, fully automated malware intelligence gathering system. Social media accounts, blogs, forums and threat feeds are collected for false negative discovery.

The multifaceted nature of Advanced URL Defense offers organizations protected by Email Security unparalleled defense against credential harvesting and spear-phishing attacks.

Smart DNS – Executive names are increasingly used as display names in fraudulent emails, fooling employees into taking action. FireEye Email Security addresses both display name and header spoofing using actionable tools, such as Deep Relationship Analysis to identify anomalous email traffic, while email-specific threat intelligence, or Smart DNS, serves as the basis for the broad tool set that leads to quicker detection of impersonation tactics.

Outbound Scanning

By scanning outbound email, FireEye Email Security provides further benefits to customers. For example, many organizations are concerned about maintaining their IP reputation if their mail server is compromised. By using FireEye’s outbound service, all email will be monitored leaving the organization for malicious content, such as bulk spam, impersonation traits and advanced threats.

Another benefit of outbound scanning will be the capability to apply Smart Custom Rules to outbound email, a functionality targeted for mid-March 2019. For example, this will provide administrators with the scope to monitor email for Regex strings; to perform basic Data Loss Prevention (DLP) functions. The added functionality also allows for the creation of policy around email body, x-header information and many more custom rules available for inbound email today.

Administrators can configure FireEye Email Security to monitor outbound email by creating a policy on the Cloud Edition user interface. A corresponding rule is required on the customer’s mail server to connect to FireEye Email Security, this is normally created as a send connector or transport rule.

FireEye Email Security protection goes beyond the traditional secure email gateway. It’s easy for organizations to become overly reliant upon blocking-based protection, until they realize what’s been slipping through. We see this time and time again with our customers and other security solutions. Our full email gateway protects from emails on their way in and the organization’s network on the way out. This robust level of protection is critical in defending against today’s evolving threat landscape, as spear-phishing, ransomware and impersonation attacks continue to rise.

Register for our upcoming webinar to learn about the latest email threat trends. Additionally, determine if advanced threats are getting past current defenses with a no-cost evaluation powered by FireEye Email Security.