The four necessities for effective email security incident response

Eyal Benishti is chief executive officer at IRONSCALES.

Cybercriminals are escalating their phishing attacks across the globe, causing many organisations to scramble for new email security solutions to mitigate the risks. In fact, Gartner predicts that global cybersecurity spending will reach $170.4 billion by 2022, with more than $18 billion earmarked for anti-phishing, as business security evolves to address more frequent and complex email threats.

In response, many cybersecurity vendors have introduced new email security incident response solutions to the market. However, many of these tools are little more than time-consuming search-and-delete features masquerading as products offering real-time remediation.

The marketing of these solutions has resulted in buyer confusion, which only serves to help attackers and hurt the businesses in desperate need of greater email security defences.

Incident response must be fast

Most businesses are starting to understand that speed is crucial for email security. In particular, SOC and IT security teams must move quickly to respond to phishing attacks because it takes less than 80 seconds from attack detonation until the first lure is clicked, according to Aberdeen Phishing Research. However, the fact remains that while the incident response capabilities of email security tools should expedite prevention, detection and remediation, many tools still require significant human analysis, lengthening the response timeline and increasing risk.

In order to truly mitigate phishing risks and slow the growth of the email threat landscape, the entire email security industry must unify around incident response best practices so as to protect the “greater good.” Here are four necessities for effective email security incident response:

Capabilities beyond search and delete, YARA Rules and signature-based detection

Because of attack frequency and sophistication, email incident response can no longer be based on simply searching for and deleting suspicious messages, writing rules over and over again, or relying on a single identifier. Unfortunately, all too often, email security incident response amounts to no more than wrapping scripts in an interface, a time-consuming process that can bog down SOC teams.

While this approach may alert security teams to some threats, it can rarely respond quickly enough. This is especially problematic as attacks now morph on a daily basis to bypass traditional security tools such as secure email gateways. In fact, polymorphic email attacks can send SOC teams on wild goose chases: by the time they identify the permutations, the lures have usually already reached inboxes.

Orchestration and automation

To be truly effective, incident response requires orchestration and automation, both of which can improve the efficiency of the SOC teams by providing a framework to flag, analyse and classify investigations in real-time. Because cybercriminals are constantly looking for and exploiting new vulnerabilities, organisations must process threat data as quickly as possible. SOC teams cannot rely heavily on humans as the primary defence mechanism.

Instead, they must look to automation to help protect their organisation’s assets. Orchestration with sandbox, third-party multi-engine anti-virus and content disarm and reconstruction (CDR) solutions can enable SOC teams to automatically detect and respond to known threats. Such automated response capabilities can reduce phishing risk by more than 70%.

Many email security solutions with incident response capabilities lack integration. One study conducted by 360 Velocity and Dr. Chenxi Wang in 2018 found that 70% of respondents said at least half of their security controls were not integrated, reducing the speed of investigations and remediation while increasing manual labour, costs and response time. Email security incident response must be integrated with other preventive technologies, not only to close the loop on prevention but also to stop new threats from reaching the mailbox should they bypass gateway controls.

Machine learning

Rule- and signature-based email incident response is no longer effective in these perilous times. Today, email incident response requires machine learning because of how frequently threats can morph. For example, polymorphic emails now constitute 42% of all email phishing attacks and use slight, random changes to parts of the email, such as the sender name, subject line or content, to bypass the rules.
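As an added illustration of the failure mode just described (this is example code written for this edit, not code from the article or from IRONSCALES), the Python below hashes a seed phishing message the way an exact signature or search-and-delete rule would, then shows that three variants differing only in sender display name, subject wording, a verb and a reference number each produce an unrelated hash. Normalising case, digits and punctuation and comparing the resulting word sets with a Jaccard score groups the variants into one campaign while leaving a benign message alone. All four messages and the `example.invalid` domain are constructed for the example; the 0.5 similarity threshold is an assumption a real deployment would tune.

```python
"""Added illustration (not code from the article or from IRONSCALES): why an
exact signature misses polymorphic phishing variants, and how normalising the
text and comparing word sets groups the variants into one campaign.

The four messages below are constructed samples; example.invalid is a reserved
domain that resolves nowhere."""
import hashlib
import re
from typing import Dict, List, Set

Message = Dict[str, str]

# Constructed seed phish (index 0), two variants that only tweak the sender
# display name, subject wording, a verb and a random reference number (1, 2),
# and one benign message that shares a few common words (3).
SAMPLES: List[Message] = [
    {"from": "IT Helpdesk <support@example.invalid>",
     "subject": "Action required: password expires today",
     "body": "Your password expires in 24 hours. Sign in at "
             "http://example.invalid/reset to keep access."},
    {"from": "I.T. Help Desk <support@example.invalid>",
     "subject": "ACTION REQUIRED - your password expires today!",
     "body": "Your password will expire in 24 hours. Sign in at "
             "http://example.invalid/reset to keep access.\nRef: 48213"},
    {"from": "Service Desk <helpdesk@example.invalid>",
     "subject": "Reminder: password expiring today",
     "body": "Your password expires within 24 hours.\nSign in at "
             "http://example.invalid/reset to retain access.\nRef: 90417"},
    {"from": "Alice <alice@example.invalid>",
     "subject": "Lunch today?",
     "body": "Want to grab lunch at noon? The new place near the office "
             "has good reviews."},
]


def signature(msg: Message) -> str:
    """Exact-match signature: SHA-256 over the raw headers and body.
    Changing a single byte anywhere yields an unrelated hash."""
    raw = "\n".join((msg["from"], msg["subject"], msg["body"])).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def signature_hits(msgs: List[Message], known_bad: Set[str]) -> List[int]:
    """Indices of messages whose exact signature is on the block list."""
    return [i for i, m in enumerate(msgs) if signature(m) in known_bad]


def normalise(text: str) -> str:
    """Fold the cheap mutations away: case, digits (counts, reference
    numbers), punctuation and whitespace."""
    text = text.lower()
    text = re.sub(r"\d", "#", text)        # "24" -> "##", "48213" -> "#####"
    text = re.sub(r"[^a-z#]+", " ", text)  # punctuation and newlines -> spaces
    return text.strip()


def features(msg: Message) -> Set[str]:
    """Bag of normalised words over subject and body. The sender display name
    is deliberately left out: it is the cheapest field for an attacker to vary."""
    return set(normalise(msg["subject"] + " " + msg["body"]).split())


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; 1.0 means identical word sets."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster(msgs: List[Message], threshold: float = 0.5) -> List[List[int]]:
    """Greedy single-link clustering: a message joins the first cluster holding
    any member at least `threshold` similar to it, otherwise starts a new one.
    The 0.5 threshold is an assumption for this example, not a recommendation."""
    feats = [features(m) for m in msgs]
    clusters: List[List[int]] = []
    for i, f in enumerate(feats):
        for members in clusters:
            if any(jaccard(f, feats[j]) >= threshold for j in members):
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


if __name__ == "__main__":
    known_bad = {signature(SAMPLES[0])}   # the analyst blocked the seed only
    print("signature hits:", signature_hits(SAMPLES, known_bad))  # [0]
    print("clusters:", cluster(SAMPLES))                          # [[0, 1, 2], [3]]
    for i, m in enumerate(SAMPLES[1:], start=1):
        print(f"msg {i} vs seed: {jaccard(features(SAMPLES[0]), features(m)):.2f}")
```

The exact signature catches only the message the analyst already saw, which is the "search and delete" outcome the section warns about; the normalised word-set comparison is the simplest form of the similarity-based grouping that clustering or machine-learning features build on, and is shown here only to make the contrast concrete.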

Organisations that simply try to “predict” these attacks based on yesterday’s news will always fall behind. Machine learning technology allows incident response to go on the offensive. The technology learns from users’ past experiences to predict future phishing events with confidence. As a result, security teams can proactively prepare their response before a trending attack threatens their business.

As organisations strive to mitigate the growing risks, effective email security incident response requires more than basic search and delete capabilities. It must be integrated, automated, built on machine learning and have the ability to better predict threats before they reach the mailbox.

