sunhux asked on

Features / criteria to look out for in an email security/filtering product

I'm looking at Votiro, Proofpoint & Israel email security products
to reduce spam, emails from bad-reputation IPs, and emails with
malicious attachments & URLs.

What are the features/criteria to assess or look out for?

Especially if I'm on O365.

a) can link to SpamHaus, RBLs etc. to get bad-reputation IPs?
b) offers CDR, sandboxing?
c) can claw back malicious emails from users' mailboxes once
    sandboxing has completed analysis that an email or attachment
    is malicious (Proofpoint has one such product)
d) can withstand email blasting (e.g. 80000/minute)
e) in the event the device has an issue, the ease / turnaround
    time to disable it (without changing the MX record)
f) allows us to specify IOCs (bad-reputation IPs obtained from
    threat intelligence or a specific payload's hash)
g) the ability to integrate with DLP products: is this supposed
    to be a function of O365 Exchange Online or the filter
    device (as usually such a device will be registered in MX)?
    I recall Proofpoint used to be able to integrate with a
    network DLP, CodeGreen, or am I mistaken?
h) ... help add on ...
8/22/2022 - Mon
SOLUTION
masnrock

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
John

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Amit

Rather than looking for other products, I advise you to use ATP. Refer:
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp
sunhux

ASKER
Already tested with the highest-end O365 (think it's tier 5, also known as ATP):
a number of malicious attachments got past it.

Masnrock,
>10) Ability to see real senders of an email
Does the above mean we'll get to see the source IP of the sender, or the
sender's domain, or?


Btan
>Not familiar with Votiro but it does claim to have CDR
Yes, it claims it can do Complete Deconstruction & then Reconstruction.
Proofpoint uses sandboxing, but it can take up to 30 minutes, so it lets
the emails get to the users' mailbox first & with another module
installed, it claws back what's been sandboxed as malicious.
Amit

EOP with ATP is enough; make sure you have proper SPF and DMARC records set up for your domain. Read more: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email

The reason I am saying not to look for other options with Office 365 is that they will add an extra layer and complexity to your mail flow, and secondly, if there are any issues, you will not get any support from Microsoft.
btan

Anti-evasion such as sandbox detection already exists (below), so there is no 100%. That is why the different layered threat detection capabilities are needed. Ultimately, as long as you layer your defense in depth from the external perimeter to the endpoint, residual risk would be minimised. Even the endpoint needs EDR (besides the AV), and it relies on letting the exploit action take place to trigger its preventive action. Proofpoint also relies on wisdom-of-the-crowd intelligence:
Imposter attacks are hard to detect. Our Stateful Composite Scoring Service (SCSS) is a machine learning approach that searches specifically for these email threats. It uses what’s known about your unique environment, along with data from all customers, to more effectively detect and block email fraud.

https://www.proofpoint.com/us/threat-insight/post/Theres-a-Macro-in-your-Sandbox
sunhux

ASKER
Does any of the products allow us to enter an attachment's hash value to block? Sometimes malicious attachments spotted in hundreds of emails went past Proofpoint.
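The asker's criterion (f) and the question above both come down to the same check: hash every attachment of an inbound message and compare it with a hash IOC list. As an added example, not code from any of the products discussed or from this thread, here is that check over a constructed MIME message; the IOC set, payloads and file names are all made up for the illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an attachment body, the form hash IOCs are usually shared in."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads; IOC_HASHES stands in for a threat-intel hash list.
BAD_PAYLOAD = b"constructed sample standing in for a malicious macro document"
BENIGN_PAYLOAD = b"constructed sample standing in for a harmless report"
IOC_HASHES = {sha256_hex(BAD_PAYLOAD)}


def build_sample_message() -> bytes:
    """Constructed inbound mail with one flagged and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(BAD_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(BENIGN_PAYLOAD, maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


def attachment_hashes(raw: bytes) -> dict:
    """Map each attachment filename to the SHA-256 of its decoded body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hashes = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undo base64/quoted-printable
        if payload is None:
            continue
        hashes[part.get_filename() or "<unnamed>"] = sha256_hex(payload)
    return hashes


def match_iocs(raw: bytes, iocs: set) -> list:
    """Filenames whose hash is on the IOC list; non-empty means quarantine/claw back."""
    return sorted(name for name, digest in attachment_hashes(raw).items()
                  if digest in iocs)


if __name__ == "__main__":
    print(match_iocs(build_sample_message(), IOC_HASHES))
```

Hash matching only catches byte-identical copies of a known sample, so it complements rather than replaces sandboxing or CDR; a re-saved or slightly altered attachment will not match.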