The CF List: 20 Email Security Providers You Should KnowThe CF List: 20 Email Security Providers You Should Know
The changing threat landscape has spawned a new generation of email security providers.
September 14, 2021
Email security is a top concern among organizations. That’s because email remains a primary means for hackers to launch ransomware and initiate data breaches.
A Hornetsecurity survey of more than 420 businesses found about one in four (23%) reported an email-related security breach. Phishing attacks caused 36% of these breaches. These targeted what’s arguably the weakest point of any security system — end users.
Our latest CF List focuses on email security. Analysts with Omdia, S&P Global Market Intelligence and Forrester weighed in on email security market trends and what it takes to be a successful provider.
Customers Want Better Protection
Joseph Blankenship is vice president and research director of security and risk at Forrester. He said the pandemic hasn’t had a direct impact on the expectations of an email security solution. What has changed is that customers are looking for better protection against phishing and business email compromise (BEC) attacks.
Forrester’s Joseph Blankenship
“The most effective solutions combine capabilities like email filtering, anti-malware, authentication, security awareness and training, phishing protection, and incident response capabilities — either in an integrated suite or through partnerships/integrations,” he said. “Email is also becoming an important part of extended detection and response (XDR), and we are seeing integrations with endpoint technologies as part of this.”
Scott Crawford is research director of information security at S&P Global Market Intelligence.
S&P Global Market Intelligence’s Scott Crawford
“Email is still one of – if not the most prevalent – means for an adversary attempting to gain a foothold in a targeted organization,” he said. “That remains true for any number of reasons. It’s simple and accessible. It requires a certain set of tactics that are fairly easy to reproduce at scale. To the extent that it relies on social engineering, people can be manipulated, and that’s one of the main things about email. It’s a primary interface between the external world, people and technology within a targeted organization. That’s a trifecta that’s really tough to beat in any other venue. So email will continue to be a popular threat vector regardless.”
Adversaries Becoming More Creative
One of the biggest trends over the last couple of years is as adversaries become more creative with their tools and techniques to target potential victims via email, the technologies they’re using have advanced accordingly, Crawford said.
“So we see a cadre of email security vendors that are seeking to push the envelope, if you will, pushing into new frontiers of what they’re actually looking for in malicious email,” he said. “They’re leading really in terms of technology innovation for recognizing these attacks and mitigating them. So that’s been probably one of the most significant things that we’ve seen over the last couple of years. That and some increased interest in sender authentication and validation.”
There’s also been some overlapping of email security and zero trust initiatives as “they do tend to have a lot in common,” Crawford said.
Rik Turner is principal analyst at Omdia, which shares a parent company with Channel Futures (Informa). He said the migration of corporate email services to the cloud has had various consequences on email security:
It meant all the secure email gateway (SEG) providers had to develop cloud-delivered SaaS services for their products.
It also brought Microsoft into the email security market, if not as a full-blown competitor, then as a provider of “good enough” protection against malware, spam and spyware, with its Exchange Online Protection (EOP) product. Microsoft doesn’t offer EOP as a standalone, so it isn’t in direct competition with SEGs. Furthermore, it continues to work with any SEG that is deployed in front of Office 365. But clearly EOP is a factor in whether or not a customer continues to renew its subscription with its SEG provider.
Changing Threat Landscape Spawns New Generation
The threat landscape at least partially is moving on from traditional malware, spam and spyware to email attack methodologies like phishing, BEC and executive fraud, Turner said.
This in turn has spawned a new generation of email security providers, dubbed non-SEGs, whose technology:
Isn’t deployed in front of Office 365, but instead integrates with it or Gmail via API.
It’s not a “one-time” look at the mail flow. It’s able to go back and pull an email even after it has already been delivered to an inbox if it has subsequently been discovered to be malicious.
SEG Market Growing
Omdia’s Rik Turner
The market for SEG technology is still growing, Turner said. Omdia has it at $1.6 billion in 2020 and growing to $2 billion in 2024, “so enterprises are clearly not ready to ditch their SEG wholesale in favor of EOP, at least not right now.”
“Beyond an SEG, you clearly need the capabilities of a non-SEG to address the more modern attack methodologies,” he said. “And whether you opt to get them from your existing SEG provider or go with one of the new kids on the block probably depends on how much you trust/like the former, your appetite for risk, and your ability and readiness to manage a second email security product in addition to your SEG. It obviously should be simpler to get the whole thing from one vendor. But maybe you’re already halfway toward easing the incumbent out, wondering whether Microsoft EOP might be able to do a good enough job on the basics, and so considering a much cheaper product from one of the pureplay non-SEG guys.”
We’ve compiled a list, in alphabetical order, of 20 top email security providers. It’s based on analysts’ feedback and recent news reports. The list, by no means complete, includes a mix of well-known providers as well as lesser-known ones making strides in email security.
About the Author(s)
You May Also Like