psdesign1 - Fotolia
Mimecast extends core email security to enable cyber resilience
Mimecast continues to widen its cyber security capability through in-house development and strategic acquisition, as well as extend its core email security technologies to all other areas it applies
Email management firm Mimecast is applying its cloud-based microservices approach ever more widely to enable customer organisations to increase their cyber resilience.
“This approach is more flexible than the traditional approach of creating point solutions, as illustrated by Google and Salesforce,” said Peter Bauer, co-founder and CEO of Mimecast.
“Our architecture enables us to build a vast array of microservices that run on hundreds of thousands of machines,” he told Computer Weekly.
This approach and its inherent ability to scale, as well as the company’s added threat detection capabilities and expansion of its platform to offer new services – such as web security and security awareness training – appear to be paying dividends, with Mimecast reporting revenue of $78.4m for the quarter ending 30 June, up 35% compared with the same period a year ago.
According to Bauer, most of the security products in the market are “relics of the on-premise era” when problems had to be solved “piecemeal” on a per-company, per-server basis.
“In contrast, a cloud-based microservices architecture enables a flexible combination of applications that transcends past software categories and point solutions.”
Using this approach, Mimecast was able to combine the security, archiving and continuity aspects of email management to create a resilient and unified platform to eliminate complexity.
However, the company has recognised that complexity does not only exist around email and that cyber resilience and security are also applicable to many other areas of business.
“We’ve recognised that a lot of the microservices that we have built, and the experience we have gained in scaling our services, is also applicable in other areas,” said Bauer.
As a result, Mimecast has been developing new services such as its Sync and Recover product and more recently its DNS Security Gateway web security service.
Importance of security training
The company has also been accelerating in other areas through strategic acquisitions, but this has required quite a bit of careful thought, said Bauer.
“Whatever we bring in, we want to ensure that we are not rolling backwards architecturally, so we have been very selective. We have been looking at things that are important to our customers as well as that are architecturally compatible with what we are doing.”
In early July 2018, Mimecast announced the acquisition of Ataata, a cyber security training and awareness platform designed to reduce human error in the workplace and help enable organisations to become more secure by changing the security culture of their employees.
Security awareness training has become essential for organisations, said Bauer, as attackers increasingly target employees to get around security technologies deployed by organisations.
“We looked at how to help companies really make a difference in this area and achieve a profound cultural change around security,” he said.
However, according to Bauer, many of the players in the security awareness area tend to concentrate too much on testing staff and keeping performance records as a way of improving security behaviour, which he believes is an artificial and inconsistent approach that is dependent on the quality of the test.
“When we came across Ataata, they really stood out from the crowd,” he said. “We were looking for a way of engaging with people, and we particularly liked Ataata’s entertaining content and concept of an individualised risk factor to understand what risk is inherent in an individual.”
Mimecast was also attracted by the fact that it could enhance this approach with data about individuals’ actual behaviour and how heavily targeted they are as an individual, business role player, company, sector and region to provide a more comprehensive risk score that can be used to automate risk-based security responses and policies.
Spotting malware in data files
Also in July 2018, Mimecast announced the acquisition of security software developer Solebit, which specialises in providing a fast and accurate way of identifying and isolating zero-day malware and unknown threats in data files as well as links to external resources.
“We have always prided ourselves on the security stack that we have built in to our platform, which has been proven in efficacy tests and side-by-side evaluations,” said Bauer.
This stack includes multiple detection engines from a variety of sources that email content is run through before being delivered to anyone’s inbox, but Solebit caught Mimecast’s attention because of the way they were approaching the problem of malware inside data files.
“Solebit’s approach is looking for machine-executable code, specialising in identifying all forms of obfuscation and other ways of hiding code,” said Bauer, in a way that is not as computationally intensive and slow as sandboxing, which has historically been the leading way of tackling this problem, even though it can be detected and evaded by attackers.
The acquisition comes a year of working with Solebit, he said, and seeing how effective and valuable the technology is when it comes to detecting malicious code in email attachments.
“It is highly complementary to the rest of our security stack as well as being extremely fast and cost-effective, but it is also applicable outside of email, and that was key for us, especially in areas like web security, where latency is a bigger issue than it is with email,” said Bauer.
Many malware detection approaches are unreliable, he said, because they are trying to work out if certain things in combination could be malicious, but Solebit simply looks for, and blocks, any executable code, which should never be found in data files that are accessed by employees through email or over the web.
“This means Solebit technology works even if attackers are trying to evade detection by splitting malware up into multiple pieces, or hiding it in image files because there is no legitimate reason that code should be there.”
Firms need to take email threat more seriously
The importance of email security is underlined by research which shows that 91% of cyber attacks begin with email-based phishing or spear phishing – which has been blamed for a potential data breach at Butlin’s.
In addition, 49% of malware is installed via malicious email attachments, with email being the point of entry for attackers in 96% of breaches investigated, according to Verizon’s 2018 Data breach investigations report.
However, not all organisations appreciate the importance of email security, according to Bauer. “The more advanced and mature enterprise security teams understand how wide open an attack vector email is because of all the opportunities it presents to attackers, including malicious attachments and links, email compromise attacks and a range of social engineering attacks.
“The most sophisticated security teams are looking for the best technologies and they know how to evaluate those technologies. But at the opposite end of the spectrum, there are those businesses who think the email threat is limited to spam and is not that serious, perhaps because they have not yet had a serious incident or they have seen some attacks, but think it is just ‘bad luck’ and do not really address the problem.
“But this is something that will not go away and can be extremely costly to targeted organisations, so organisations that have not done so already should pay attention to shoring up their defences against email threats.”
However, Bauer believes that the greatest danger sits between these two extremes, with organisations that understand that there is a problem, but believe it will be somehow be solved by the suppliers of the operating systems and other business software they use.
“This view provides a false sense of security because it fails to take into consideration that cyber attackers are working constantly to find ways around the security that is built into operating systems and other commercially available software, and that those protections are standard for all users and do not take threats to particular organisations or industry sectors into account,” he said.
According to research commissioned from Vanson Bourne, only 35% of UK firms polled have a complete cyber resilience strategy for email, despite 92% of respondents saying they consider implementing such a strategy to be crucial or very important.
Read more about email security
- Email-based cyber attacks are gathering momentum and the cost of these attacks is rising.
- How to improve security against email attacks and for GDPR compliance.
- UK businesses exposed to email-borne cyber risks, survey shows.
- Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.