The SEG Conundrum. What’s Right for My Organization?


Secure Email Gateways (SEGs) have been around for a while and began as a powerful solution used to stop malicious emails from arriving in users’ mailboxes. The early SEGs were designed to scan incoming and outgoing email messages for viruses, malware, and other security threats. They were on premises and then moved to the cloud. Over time, SEGs have evolved to include more advanced features such as anti-spam filters, data loss prevention (DLP), encryption, and advanced threat protection (ATP) capabilities.

But with time comes change. And the question today is, “Do you really need a SEG?” Let’s look.

Bottom Line: Legacy SEG technology relies on older techniques such as domain reputation, URL rewriting, and static block lists, which are not enough to give the modern workforce the real-time protection needed to keep users safe. Organizations are now moving away from SEGs to Microsoft Exchange Online Protection (EOP) supplemented by an Integrated Cloud Email Security (ICES) solution. There are two primary reasons for this. First, Secure Email Gateways use reactive signature- and domain-based detection, which cannot keep up with today’s phishing threats. Second, SEGs prevent the implementation of a full defense-in-depth strategy for email security. (In contrast, ICES solutions close the gaps in Microsoft’s built-in security.)

Let’s look at each of these two points.

SEG Signature and Domain-Based Detection

A SEG today only adds unnecessary complexity to your email security. When SEGs first gained popularity, Microsoft security lacked the technology to stop many email threats. Over the years, however, Microsoft improved and now the SEG creates more redundancy than value. Secure email gateways use technologies that overlap with Microsoft’s built-in security, including URL rewriting and file attachment sandboxing for advanced threat protection.

The technologies that power SEGs are distinct intelligence networks that are effective at stopping known threats and spray-and-pray phishing campaigns, because signature-based detection works against threats that have already been seen. As threat actors continuously refine their phishing techniques, SEG technologies can’t keep pace. Therefore, advanced detection techniques using AI and ML, such as generative AI, relationship graphs, contextual analysis, natural language processing, and computer vision, are needed to detect advanced threats like business email compromise (BEC), supply chain attacks, executive impersonation, malware, exploits, financial fraud, and other highly targeted threats.

SEGs Prevent Defense-in-Depth Strategies

The secure email gateway architecture sits in front of Microsoft’s built-in security and requires organizations to disable critical Microsoft security features to prevent disruption to inbound email delivery. This blinds Microsoft to incoming threats: blocking phishing emails based on the original sender’s IP reputation is impossible, since all incoming emails arrive from the SEG’s IP address. Furthermore, SEGs change certain indicators in the email header, reducing the malicious signals that Microsoft can act upon.
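To make that signal loss concrete, the following is an added example (not code from the original post or from SlashNext) that walks the Received chain of a constructed message: the hop the tenant’s MTA actually accepted the connection from is what an IP reputation check sees, and behind a gateway that hop is the SEG, not the external sender. The gateway address, hostnames, and sample headers are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from typing import List, Optional, Set
# Constructed sample messages, not captured traffic. Received headers read
# newest hop first; all addresses come from documentation ranges.
RAW_VIA_SEG = """\
Received: from seg-out.gateway.example (203.0.113.10) by mail.tenant.example
Received: from mta.sender.example (198.51.100.7) by seg-in.gateway.example
Received: from [192.0.2.25] by mta.sender.example
From: payroll@sender.example
Subject: Updated direct deposit form

Please review the attached form.
"""
RAW_DIRECT = """\
Received: from mta.sender.example (198.51.100.7) by mail.tenant.example
From: payroll@sender.example
Subject: Updated direct deposit form

Please review the attached form.
"""
# Hypothetical address of the organisation's own SEG.
SEG_IPS: Set[str] = {"203.0.113.10"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_ips(raw: str) -> List[str]:
    """Source IP of each Received hop, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_RE.search(hdr)
        if m:
            ips.append(m.group(0))
    return ips

def connecting_ip(raw: str) -> Optional[str]:
    """IP the tenant MTA accepted the connection from, i.e. what a reputation
    check sees. Behind a SEG this is always the gateway, never the sender."""
    ips = received_ips(raw)
    return ips[0] if ips else None

def original_sender_ip(raw: str, gateway_ips: Set[str]) -> Optional[str]:
    """Walk past known gateway hops to recover the external sender's IP.
    Hops below the gateway were written by other parties and can be forged,
    so treat the result as a triage hint, not a verified signal."""
    for ip in received_ips(raw):
        if ip not in gateway_ips:
            return ip
    return None
```

With the gateway in the path, `connecting_ip` returns the SEG’s address for both messages, while the direct delivery exposes the sender’s address to the tenant’s own reputation checks.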

Another unfortunate consequence of using a SEG is an increased attack surface. Because a SEG requires a public DNS MX record change, the gateway in use is visible to anyone who looks it up, which gives adversaries a roadmap for tailoring, testing, and reconnoitering phishing campaigns before launching them, increasing their success rate.

Finally, SEGs also introduce an added point of failure. Since SEGs are mail transfer agents with security features, if there is a service outage, it will introduce email delays or, worse, complete email failure for the organization.

ICES Closes the Gaps in Microsoft 365 Native Security and Enables a Full Defense-in-Depth Approach

When Microsoft 365’s built-in security offering was much smaller, it made sense to bypass or replace it with SEG technology. Today you cannot apply a robust defense-in-depth approach with a SEG, because SEGs require disabling Microsoft security features. SEG solutions now have too many redundancies with the Microsoft 365 E3/E5 offering, including sender IP reputation, email authentication, and URL rewriting.

ICES solutions use Artificial Intelligence (AI), including relationship graphs, contextual analysis, natural language processing, and computer vision, to detect communication anomalies and close the gaps in Microsoft’s built-in security offering against important threat payloads, including spear-phishing, BEC, and account takeover, to name a few.

A Look at Integrated Cloud Email Security

As previously mentioned, Microsoft’s built-in security has improved, yet threat actors have become more sophisticated. The attack surface has expanded to multiple channels, plus email threats are coming from compromised websites that are difficult to detect. Ransomware-as-a-service gangs use credential harvesting through email as an entry point. Email security solutions must have modern, more advanced detection technology to combat these threats. This is where ICES comes into the picture.

Integrated Cloud Email Security solutions are built for the cloud and offer seamless cloud-native integrations with Microsoft. They integrate using the Microsoft Graph API and “sit” behind Microsoft to stop attacks missed by Defender for Office 365. Most importantly, ICES augments Microsoft’s built-in protection to defend against sophisticated threat payloads. Integrated Cloud Email Security solutions with behavior-based technology that uses ML to detect advanced phishing threats offer an advantage over SEGs and other signature-based solutions.

As threat actors continuously change tactics to launch advanced phishing campaigns, AI-based ICES solutions use ML algorithms to automate analysis at a significantly larger scale and far faster speed than traditional URL inspection and domain reputation. Detection of known and unknown threats like business email compromise (BEC), supply chain attacks, executive impersonation, malware, exploits, and financial fraud is proactive and stops the threats before they can have an impact on users.

Supplementing Microsoft Using ICES

With the rise in business email compromise (BEC), account takeovers, and the increasing sophistication of modern phishing attacks, security-conscious organizations need to augment Microsoft with a complementary ICES to improve overall anti-phishing effectiveness.

Integrated Cloud Email Security solutions use API access or connectors to analyze email content after Microsoft, but either before or concurrently with delivery to the inbox, without the need to change the MX record. It’s important to use machine learning-based detection, natural language processing (NLP), image analysis, computer vision technology, and behavior analysis to detect the most sophisticated phishing attacks. Integrated Cloud Email Security solutions are quick and easy to deploy because they don’t require changes to the email flow at the gateway level.

What to Review for Adding an ICES to Microsoft 365 Built-In Protection

When looking at ICES to supplement Microsoft 365 built-in protection, make sure it will meet the demands of the modern threat landscape with:

  • High efficacy for best-in-class zero-hour phishing protection and a full defense-in-depth approach to email security.
  • AI-based detection for advanced phishing and other highly targeted threats, such as business email compromise (BEC), ransomware, impersonation, and account takeovers.
  • Multi-channel protection for Email, SMS, Microsoft Teams, SharePoint, OneDrive, LinkedIn, WhatsApp, Zoom, and other messaging channels.
  • Real-time awareness training.
  • SIEM/SOAR integration to simplify reporting.

SlashNext Cloud Email Security for Microsoft 365

SlashNext Cloud Email Security is powered by patented HumanAI™ technology, which is distinct from other ICES solutions and delivers powerful layers of protection. SlashNext uses generative AI, relationship graphs, contextual analysis, natural language processing, and computer vision to preemptively identify threats. LiveScan™ provides real-time detection to block zero-hour threats missed by Microsoft 365 and SEG ATP technology, with a proven 99.9% detection rate and 1 in 1 million false positives, for true zero-hour protection against BEC, supply chain attacks, executive impersonation, malware, exploits, and financial fraud.

SlashNext integrates with Microsoft 365 Security for immediate, powerfully accurate cloud email protection. Other ICES solutions require baselining, including reading all employee contacts, email history, and attachments, which is intrusive and can take hours or even days to complete.

SlashNext enables organizations to quickly achieve complete email security:

  • Integration to protection in 5 minutes, with unintrusive deployment using the Microsoft Graph API for immediate protection.
  • Data is never stored on disk, ensuring zero loss of personally identifiable information (PII).
  • Real-time scanning, detection, and removal of zero-hour threats before they reach users, with 99.9% accuracy, a 1 in 1 million false-positive rate, and a 48-hour time-to-detection advantage.
  • Advanced search and unified security analytics that let security professionals pinpoint threats by user and type across email, web, and mobile channels, with extensible REST API integrations for leading SIEMs and SOARs, including an abuse inbox management playbook.

See a Demo or Test Your Email Security via Observability Mode

To see a personalized demo and learn how our product stops zero-hour business email compromise (BEC), supply chain attacks, executive impersonation, malware, exploits, financial fraud, and more, click to schedule a demo, or easily test the efficacy of your current email security, with no impact to your existing email infrastructure, using our 5-minute setup Observability Mode!

To join the conversation, register for our webinar, “Replacing the SEG with ICES. Is the SEG dead?”, on Wednesday, March 8 at 11AM PT, hosted by SlashNext Senior Director, Product Management, Jimmy Lin.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.