Post-delivery Threat Remediation Puts MSPs Back in Control
July 25, 2019
One of the biggest complaints we hear about secure email gateways (SEGs) is that they produce an excess of false positives and false negatives. The former is ineffectual and time-consuming, and the latter is dangerous. According to a recent report by Cofense, of 31,000 malicious emails that reached the inbox within a given period, 90 percent were found in environments running one or more SEGs. This creates a multitude of headaches for users, but it’s especially painful for MSPs, which bear the burden of cleaning up the mess.
MSPs are often unaware that either scenario occurred until their clients’ end users report the problem—complaints that they’re not receiving important emails or the very bad news that they’ve become a victim of email fraud like phishing or spear phishing. With 74 percent of SMBs saying they’d hold their MSP accountable for a cyberattack, the risks are simply too great.
MSPs need a way to remove threats that have already been delivered to their users’ inboxes. In the case of SEGs, this simply isn’t possible in Office 365 environments. One of the main limitations of SEG architectures is that the product sits outside of the Office 365 environment, so emails that have already been delivered cannot be removed. To remove threats post-delivery, the solution needs to live natively inside Office 365.
Threat remediation has always been a weakness of email security solutions, but thankfully that’s changing.
How Did We Get Here?
Traditional email security solutions use reputation and signature-based methods to identify threats. Blocking known threats like blacklisted IPs and URLs was—and remains—the core feature of these solutions, including Exchange Online Protection (EOP). It’s effective against spam, mass phishing emails and malware with a known signature, but not against the low-volume, highly targeted phishing and spear phishing attacks we’re seeing today. Hackers are simply too sophisticated.
Knowing that many businesses were protected by these traditional solutions, hackers evolved their techniques. To avoid being blacklisted based on reputation, they created more targeted phishing campaigns and stopped relying on mass email sends, which sets off red flags. Some hackers even use a unique IP address, URL and message for each phishing email to avoid detection. Another technique is the use of time-bombed URL redirects, where a hacker inserts a clean URL in the phishing email and then creates a redirect once the email has been delivered. A traditional email filter will check the URL when the email is received but not when the user clicks on it, rendering the filter useless. Conversely, the same filters that should recognize clean emails incorrectly mark them as junk or spam, delay email delivery with quarantines, and create a catalogue of false positives.
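As an added illustration (not from the original post or from Vade), the following Python models why a delivery-time-only URL check misses a time-bombed redirect and what a click-time re-check sees; the hosts, redirect table and denylist are constructed sample data.

```python
from urllib.parse import urlparse

# Constructed denylist of hosts known to serve phishing pages (sample data).
KNOWN_BAD_HOSTS = {"login-verify.example.net"}

# Constructed redirect table keyed by time. At delivery (t=0) the link in the
# email is a harmless page with no redirect; after delivery (t=1) the attacker
# arms it so that it forwards to the phishing host.
REDIRECTS_BY_TIME = {
    0: {},
    1: {"https://cdn.example.com/doc/2019-q3.pdf": "https://login-verify.example.net/owa"},
}

def resolve_chain(url, redirects, max_hops=5):
    """Follow redirects as a filter or click-time proxy would; return every hop."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain

def verdict(url, redirects):
    """'malicious' if any hop lands on a denylisted host, otherwise 'clean'."""
    for hop in resolve_chain(url, redirects):
        if urlparse(hop).hostname in KNOWN_BAD_HOSTS:
            return "malicious"
    return "clean"

def time_of_click_check(url, delivery_t, click_t):
    """Compare the delivery-time verdict with a fresh click-time verdict.

    A destination that differs from what was seen at delivery is itself a
    signal worth logging, even before the final host is classified.
    """
    at_delivery = resolve_chain(url, REDIRECTS_BY_TIME[delivery_t])
    at_click = resolve_chain(url, REDIRECTS_BY_TIME[click_t])
    return {
        "delivery_verdict": verdict(url, REDIRECTS_BY_TIME[delivery_t]),
        "click_verdict": verdict(url, REDIRECTS_BY_TIME[click_t]),
        "destination_changed": at_delivery[-1] != at_click[-1],
    }
```

A filter that only records the delivery-time verdict keeps the email as "clean"; re-resolving the link at click time is what surfaces the armed redirect.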
Reactive technologies simply do not match the sophistication of today’s threats. MSPs need a better solution for protecting their businesses and their Office 365 clients.
AI-based Threat Detection Paves the Way for Automated Remediation
Artificial intelligence (AI) is ushering in a new era in cybersecurity to augment reputation and signature-based detection. Using a predictive approach to threat detection, an AI-based solution applies its training to anticipate and then block unknown email threats. To train the AI to detect spear phishing, unsupervised machine learning models are shown thousands of real spear phishing emails so they can learn to identify patterns of abuse and anomalies seen in most spear phishing attacks. To detect phishing, supervised machine learning models are trained using both legitimate and phishing pages that have been carefully selected by a data scientist. The models analyze specific features of the URL and page – also carefully selected – looking for URL redirects and other obfuscation techniques that bypass reputation and signature-based solutions.
Unfortunately, no system is foolproof, and humans sometimes outsmart machines. When a phishing email thwarts detection and lands in an inbox, an MSP has as little as 82 seconds before users start clicking on the email. If the user reports the email, the MSP can investigate and then manually delete it, but this isn’t an effective long-term strategy. For starters, direct remediation in Office 365 environments can be a very manual, complex process that involves specialized knowledge and use of a command line. More importantly, the filter that missed the malicious email doesn’t learn from its mistake. It’s up to the MSP to pick up the slack each time the filter fails.
The same AI engine that is trained to identify phishing and spear phishing emails can learn from user behavior—and its own mistakes—to facilitate remediation. Here’s how it works:
MSP facilitated remediation: A suspected phishing email bypasses the email filter and is reported by an end user, so the MSP investigates and, upon confirming the threat, takes action to mitigate its impact on the organization. With a feature like Remediate for Vade for Office 365, MSPs can instantly remove a threat from multiple users’ inboxes with just a few clicks, deleting the messages or moving them to the Outlook Junk folder. The data is passed back to the product, which uses it to improve the AI engine.
User facilitated remediation: A user receives an unwanted email and reports it using the Outlook Junk button. While Microsoft obviously receives this information, so does Vade, thanks to its native API integration with Office 365. The data from these user reports helps further improve the AI engine and its process for classifying emails going forward.
Automated remediation: Based on user feedback reports or a real-time view of emerging threats, an AI engine recognizes that a phishing or spear phishing email has been successfully delivered to an Outlook mailbox. It reclassifies the email and reports the action in the logs—without requiring any action by the MSP.
Putting it to Use
Auto-Remediation is a relatively new feature in email security that solves a host of problems for MSPs. Drawing on threat intelligence from 600 million mailboxes around the globe, Auto-Remediate is available at no extra cost to users of Vade for Office 365. Designed for MSPs, Auto-Remediate works in the background, freeing up the MSP’s time and providing continuous, automated protection from email threats.
Watch the 2-minute video to learn more about Auto-Remediate.