Features / criteria to look out for in an email security/filtering product

I'm looking at Votiro, Proofpoint & Israeli email security products
to reduce spam, emails from bad reputation IP, emails with
malicious attachments & URL.

What are the features/criteria to assess or look out for?

Esp if I'm on O365.

a) can link to SpamHaus, RBL etc to get bad reputation IP?
b) offers CDR, sandboxing?
c) can claw back malicious emails from users' mailbox once
    sandboxing completed analysis that an email or attachment
    is malicious (Proofpoint has one such product)
d) can withstand email blasting (eg: 80000/minute)
e) in the event the device has an issue, the ease / turnaround
    time to disable it (without changing MX record)
f) allows us to specify IOCs (bad reputation IP obtained from
    threat intelligence or a specific payload's hash)
g) the ability to integrate with DLP products: is this supposed
    to be a function of O365 Exchange Online or the filter
    device (as usually such a device will be registered in MX)?
    I recall Proofpoint used to be able to integrate with a
    network DLP, Codegreen, or am I mistaken?
h) ... help add on ...
sunhux asked:
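For item (a), this is what an RBL/DNSBL lookup does under the hood. It is an added example, not code from the thread or from any of the products named: it builds the reversed-address query name, resolves it against a zone (the default `zen.spamhaus.org` is the real Spamhaus zone; the resolver is injectable so the check can be exercised offline), and decodes the ZEN return codes as Spamhaus publishes them. The return-code table and the `127.255.255.x` error range are taken from Spamhaus's public documentation and should be re-checked against their current docs before relying on them.

```python
"""DNSBL (RBL) lookup helper: reversed-address query name plus decoding of
the Spamhaus ZEN return codes. Added example, not from any product."""
import ipaddress
import socket

# Return codes documented by Spamhaus for the ZEN zone. A listed IP resolves
# to one or more 127.0.0.x addresses; the value says which list matched.
ZEN_CODES = {
    "127.0.0.2": "SBL (verified spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / low-reputation sender)",
    "127.0.0.4": "XBL (exploited host, CBL data)",
    "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)",
    "127.0.0.7": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP/EDROP (hijacked or bulletproof netblock)",
    "127.0.0.10": "PBL (ISP end-user range, should not send direct mail)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Return the DNS name to resolve for IP in ZONE (octets/nibbles reversed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        # IPv6 zones use one label per hex nibble of the fully expanded address.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def _system_resolve(name: str) -> list:
    """Default resolver: every A record for NAME, empty list on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, zone: str = "zen.spamhaus.org", resolve=_system_resolve) -> dict:
    """Look IP up in ZONE. RESOLVE is injectable so tests can run offline."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # Spamhaus signals query problems (queries via public/open resolvers,
    # rate limiting, typos) with 127.255.255.x answers: errors, not listings.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        return {"ip": ip, "listed": None, "lists": [], "error": errors[0]}
    lists = [ZEN_CODES.get(a, f"unknown code {a}") for a in answers]
    return {"ip": ip, "listed": bool(lists), "lists": lists, "error": None}


if __name__ == "__main__":
    # 127.0.0.2 is the documented Spamhaus test address and is always listed.
    for sample in ("127.0.0.2", "2001:db8::1"):
        print(check_ip(sample))
```

Two practical points: a listed IP can return several codes at once (SBL plus PBL is common), which is why the helper collects all A records rather than the first one; and Spamhaus refuses queries that arrive through public resolvers such as 8.8.8.8, returning an error code instead of a listing, so a gateway doing these lookups needs its own resolver (or Spamhaus's DQS service) for the results to mean anything.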
masnrock commented:
We happen to use Cisco CES, and here are some of the things that we looked at when we were setting it up (and I think should be considered for any product):
1) Ability to send encrypted emails
2) Ability to detect attempts at spoofing executives in the company. (We wrote a rule specifically around this)
3) Matches up with C: Ability to remove emails from users' box that are determined malicious later (We never used this because it doesn't notify the user about the action being taken)
4) Failover (we have 2 virtual devices from Cisco that are in a cluster, so we're good from that aspect)
5) Matching up with D: Ability to handle load (we don't necessarily have the same requirement as yours, but the point is that it's still a necessity)
6) Matching with A: Reputation checking (Cisco has their own service for this so...)
7) Ability to detect malicious URLs in messages
8) Quarantines. Spam one should have ability for users to release messages themselves. Any other quarantine you should be able to at
9) DLP capabilities (Cisco has some built in, but we're also going to go from Exchange to 365, so that's another option..)
10) Ability to see real senders of an email
11) Ability for users to mark their own safe senders (We're not using this right now because of Cisco's allowance of users to define entire domains and that very high level permissions are required to peek into users' safe senders lists)

Regarding G, that is a capability that 365 has. However, some filtering products do offer it also. Choose whichever one makes the most sense for you.
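Points 2 and 10 above (spoofed executives, seeing the real sender) come down to comparing the envelope sender with what the user sees in the From header. The following is an added example, not code from the thread or from Cisco's product: it parses a message with Python's standard `email` package, reads the envelope sender from `Return-Path` (the SMTP MAIL FROM as stamped by the receiving MTA; at a gateway you would take it straight from the SMTP session instead), and flags domain mismatches, Reply-To redirection and display-name impersonation against a small executive list. The executive list, domain and both sample messages are constructed for the example.

```python
"""Envelope sender vs. header From / Reply-To checks. Added example; the
executive list, domain and sample messages are constructed, not real."""
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # display name -> only allowed address


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_sender(raw: bytes) -> dict:
    """Compare envelope sender, header From and Reply-To and list the mismatches."""
    msg = message_from_bytes(raw, policy=policy.default)
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    findings = []

    # 1. Mass-mailers and spoofers send from one domain while showing another.
    if envelope and _domain(envelope) != _domain(from_addr):
        findings.append(f"envelope sender domain {_domain(envelope)} "
                        f"differs from From domain {_domain(from_addr)}")
    # 2. Display-name impersonation: the name of an executive on an address
    #    that is not the one we know for them.
    name_key = " ".join(from_name.lower().split())
    expected = EXECUTIVES.get(name_key)
    if expected and from_addr != expected:
        findings.append(f"display name '{from_name}' matches an executive but "
                        f"address is {from_addr}, not {expected}")
    # 3. Replies silently diverted to a third domain (classic BEC pattern).
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} redirects replies away from "
                        f"From domain {_domain(from_addr)}")

    return {"envelope_sender": envelope, "header_from": from_addr,
            "display_name": from_name, "reply_to": reply_addr,
            "findings": findings}


# Constructed sample: a CEO-fraud style message.
SUSPICIOUS = b"""\
Return-Path: <bounce-8813@mail.bulk-sender.example.net>
From: "Jane Doe" <jane.doe@example-corp.co>
Reply-To: <jane.doe.ceo@webmail.example.org>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=us-ascii

Please process the attached invoice today.
"""

# Constructed sample: the same executive sending normally.
LEGITIMATE = b"""\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset=us-ascii

Attached as discussed.
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS, LEGITIMATE):
        for line in analyse_sender(raw)["findings"] or ["no findings"]:
            print("-", line)
```

The point of showing all three addresses side by side is that none of them is "the" sender: the envelope address is what bounces go to and what SPF is evaluated against, the header From is what the user reads, and Reply-To is where their answer goes. A gateway rule that only looks at one of them misses the other two.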
John, Business Consultant (Owner), commented:
We no longer manage any Exchange systems and have outsourced the whole lot. The spam filtering they do is very good all around. Spoofed email control is built into these spam filters.

Things users need:

Spam Quarantine.
Whitelist capability
Blacklist capability

Look for company wide blacklist / whitelist.

If doing it yourself, make sure you implement a grey list device. These delete emails when the grey list looks backward and cannot find the source of the emails. This gets rid of a lot of spam with little effort on your part.
btan, Exec Consultant, commented:
Not familiar with Votiro, but it does claim to have CDR (aka "Secure Data Sanitization") as its advanced threat mgmt capability. That is probably its niche against incumbents like Proofpoint. That said, Proofpoint has a wider portfolio of support, particularly with O365, where it extends the latter's security capability through
(Advanced threat protection) It extends Office 365 with:
» URL re-writing
» Static and dynamic analysis for URLs and attachments
» Granular visibility into who clicked what, and where the click happened

(Email continuity) It extends Office 365 with:
» 30-day rolling inbox
» Always-on email continuity
» Automated system restoration flushes messages back into Office 365 upon recovery
» Simple Outlook integration

(Admin control) It extends Office 365 with:
» SmartSearch technology enables rapid message tracing and tracking for remediation
» Administrator filter customization ensures that all filter policies can be customized at a global, group, or user level—with full integration with Office 365’s directory services
» Powerful message routing built on top of the commercial version of Sendmail, the world’s most widely used MTA
https://www.proofpoint.com/sites/default/files/pp-securing-your-investment-in-cloud-collaboration%20(1).pdf

As a whole, I summarise the areas to look out for in 3 main groups:

Foundation need
- gateway product should just offer basic antivirus, antispam and antiphishing capabilities
- provider that has cloud facilities set up in multiple legal jurisdictions, particularly different countries. That can complicate follow up for example, email messages may be subject to different laws, and may need to use additional or different security and privacy controls
- false pos/neg rates for each threat type such as phishing detection and malware detection should be provided separately
- continually generating rules that feed updates to your email security solution
- definitions and policies are updated regularly and as quickly as possible.

Operational efficiency
- management process itself by customizing administrator dashboards, gateway reports and other aspects of the gateway.
- provide a degree of customizability in the detection profile to reduce false positives as much as possible for balanced usability.
- has on-site email security gateways, hardware and virtual appliances
- may route suspicious emails to a server controlled by the gateway vendor for additional analysis.
- provide a continuous view into global traffic activity, analyze anomalies, uncover new threats, and monitor traffic trends

Advanced & Threat mgmt capabilities
- DLP and email encryption capabilities for outbound emails. Allow customization of policies and severity levels to suit needs
- CDR : active cleansing process to all incoming files - through sharing services, email messages and web downloads
- CDR: neutralizing undisclosed and zero-day exploits, which other technologies cannot protect against.
- dynamic malware analysis and sandboxing and file retrospection for the continuous analysis of advanced threats
- incorporating threat intelligence services that are kept current at all times (e.g., updated every few minutes).
- protection against emerging threats, such as snowshoe spam, by providing contextual analysis and automatic classification
Amit, IT Architect, commented:
Rather than looking for other products, I advise you to use ATP. Refer:
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp
sunhux (author) commented:
Already tested with highest-end O365 (think it's tier 5, also known as ATP):
a number of malicious attachments got past it.

Masnrock,
>10) Ability to see real senders of an email
Does the above mean we'll get to see the source IP of the sender or the
sender's domain or ?


Btan
>Not familiar with Votiro but it does claims to have CDR
Yes, it claims it could do Complete Deconstruction & then Reconstruct.
Proofpoint uses sandboxing, but it can take up to 30 mins, so it lets
the emails get to the users' mailbox first & with another module
installed, it claws back what's been sandboxed as malicious.
Amit, IT Architect, commented:
EOP with ATP is enough; make sure you have proper SPF and DMARC records set up for your domain. Read more: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email

The reason I am saying not to look for another option with Office 365 is that it will add an extra layer and complexity to your mail flow and, secondly, if there are any issues, you will not get any support from Microsoft.
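"Proper SPF and DMARC records" is easy to say and easy to get subtly wrong, so here is a small lint of both record types. This is an added example, not Microsoft's or any product's code: it parses the TXT record text and reports the settings that leave a domain spoofable (`+all`/`?all`, a missing `all`, the deprecated `ptr` mechanism, more than the ten DNS-lookup terms RFC 7208 allows, `p=none`, a partial `pct`, no `rua` address). The sample records in the usage and the Outlook include name are constructed for the example; fetch your own domain's records with `nslookup -type=TXT yourdomain` and `nslookup -type=TXT _dmarc.yourdomain`.

```python
"""Lint SPF and DMARC TXT records for weak settings. Added example, not
from Microsoft or any vendor; the sample records are constructed."""

# Mechanisms/modifiers that each cost a DNS lookup. RFC 7208 s4.6.4 caps
# the total at 10; receivers return permerror (SPF ignored) beyond that.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> dict:
    """Return validity, the lookup-term count and a list of weaknesses."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0,
                "findings": ["not an SPF record (must start with v=spf1)"]}
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                       # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ":value", "=value" and "/cidr" to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; remove it")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all authorises every host on the internet")
    elif all_qualifier == "?":
        findings.append("?all is neutral; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "findings": findings}


def check_dmarc(record: str) -> dict:
    """Return the effective policy and a list of weaknesses in a DMARC record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"valid": False, "policy": None, "pct": None,
                "findings": ["not a valid DMARC record (needs v=DMARC1 and p=)"]}
    findings = []
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"pct={tags['pct']} is not a number; receivers use 100")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


if __name__ == "__main__":
    # Constructed records: a weak pair and a tightened pair.
    for rec in ("v=spf1 a mx include:a.example include:b.example ptr +all",
                "v=spf1 include:spf.protection.outlook.com -all"):
        print(rec, "->", check_spf(rec))
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", check_dmarc(rec))
```

The lookup counter is deliberately shallow: it counts the terms in the record you pass in, not the lookups inside each `include`, so a record that looks fine here can still blow the limit once its includes are expanded (Office 365's include alone costs several). Treat a count near 10 as a prompt to flatten or trim the record.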
John, Business Consultant (Owner), commented:
Also - Sunhux - implement Grey Listing to save much time. My email ISP has been using Grey Listing for more than a decade.
btan, Exec Consultant, commented:
Anti-evasion such as sandbox detection already exists (below), so there is no 100%. That's why the different layers of threat detection capability are needed. Ultimately, as long as you layer your defence in depth from external to the endpoint, residual risk would be minimised. Even the endpoint needs EDR (besides the AV), and it relies on letting the exploit action take place to trigger its preventive action. Proofpoint also relies on wisdom-of-the-crowd intelligence:
Imposter attacks are hard to detect. Our Stateful Composite Scoring Service (SCSS) is a machine learning approach that searches specifically for these email threats. It uses what’s known about your unique environment, along with data from all customers, to more effectively detect and block email fraud.

https://www.proofpoint.com/us/threat-insight/post/Theres-a-Macro-in-your-Sandbox
sunhux (author) commented:
Does any of the products allow us to enter an attachment's hash value to block? Sometimes I spotted malicious attachments in hundreds of emails that went past Proofpoint.
btan, Exec Consultant, commented:
Nope, rather use the sandbox to validate. https://www.proofpoint.com/us/threat-reference/malicious-email-attachments

Mainly on file extension and using pre-defined regular expressions to locate specific content in an email (Smart Identifier or Dictionary Scan).

https://support.proofpointessentials.com/index.php?/Knowledgebase/Article/View/93/0/essentials-filters-expanded-overview
masnrock commented:
Cisco does allow you to block MD5 hashes provided you integrate it with Cisco AMP for Endpoints. You would then enter the MD5 values into the AMP for Endpoints console. Not possible without that integration.

> Does the above mean we'll get to see the source IP of the sender or the
> sender's domain or ?

Source IP (assuming not forged) should be in the headers anyway, but yes, Cisco does show source IP. What I meant was that you would be able to see the envelope sender (that is the actual sender, rather than an email address that's forged). You'll especially notice how common this is with mass mailing systems.
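Whether or not a given gateway exposes hash blocking, the check itself (item (f) in the question and the MD5/extension discussion in the last few comments) is simple to run against a message, and it is useful to see what it does and does not catch. The following is an added example, not code from Proofpoint, Cisco or the thread: it walks the attachments of a MIME message with Python's standard `email` package, hashes each one, compares against an IOC set keyed by algorithm, applies an extension blocklist, and also sniffs the first bytes so that a ZIP-based file renamed to `.pdf` is flagged even when its hash is unknown. The two "malicious" payloads, the IOC set, the extension list and the sample message are all constructed here.

```python
"""Attachment IOC-hash, extension and magic-byte checks over a MIME message.
Added example; payloads, IOC set and sample message are constructed."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed payloads standing in for real samples.
MALICIOUS_SAMPLE = b"%PDF-1.4\n% constructed malicious sample for the example\n"
ZIP_IN_DISGUISE = b"PK\x03\x04" + bytes(28)      # a ZIP container (docx/jar) renamed .pdf

# Indicators as a threat feed would deliver them, keyed by algorithm.
IOCS = {
    "sha256": {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()},
    "md5": {hashlib.md5(ZIP_IN_DISGUISE).hexdigest()},
}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk"}
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "pe")]
EXPECTED_TYPE = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".zip": "zip", ".exe": "pe"}


def _sniff(data: bytes) -> str:
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def scan_attachments(raw: bytes, iocs: dict = IOCS) -> list:
    """Return one verdict dict per attachment: filename, digests, reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        digests = {alg: hashlib.new(alg, data).hexdigest()
                   for alg in ("md5", "sha1", "sha256")}
        reasons = []
        # 1. Known-bad hash from the feed (any algorithm the feed provides).
        for alg, known in iocs.items():
            if digests.get(alg) in known:
                reasons.append(f"{alg} matches IOC")
        # 2. Extension policy, the check most gateways offer natively.
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # 3. Declared type vs. actual content; catches renamed containers.
        sniffed = _sniff(data)
        if ext in EXPECTED_TYPE and sniffed != EXPECTED_TYPE[ext]:
            reasons.append(f"extension {ext} but content looks like {sniffed}")
        report.append({"filename": name, "sha256": digests["sha256"],
                       "md5": digests["md5"],
                       "verdict": "block" if reasons else "allow",
                       "reasons": reasons})
    return report


def build_sample() -> bytes:
    """Constructed message with three attachments: known-bad, disguised, benign."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.net"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(MALICIOUS_SAMPLE, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(ZIP_IN_DISGUISE, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in scan_attachments(build_sample()):
        print(entry["filename"], entry["verdict"], entry["reasons"])
```

The hash match is exact-match only: one byte changed in the document, or the same macro re-packed into a fresh container, gives a new hash, which is why a hash list catches the "hundreds of copies of the same attachment" case from the question but not the next campaign. The magic-byte comparison and extension policy are the cheap checks that survive that re-packing; the sandbox is what covers the rest.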
