Active and Integrated Email Defense
Ed Amoroso summarizes a recent technical discussion with Valimail about new capabilities to defend the enterprise from cyber attack.

I just received a purchase order from Midwest Library Service for a textbook I wrote on intrusion detection many years ago. That old book focused on passive intrusion detection as a prompt for subsequent management action in a SOC. I’d hoped that detection of indicators would result in alarms that could then initiate rapid mitigation. Subsequent evolution of IDS included some things that I expected, but also many that I didn't. (Don’t tell Midwest.)

The first evolution was from IDS to IPS, which tightly integrated cyber indicator observation with active mitigation. The second, and more consequential, evolution was from IPS to NGFW, which bound detection and prevention actions more tightly to the gateway platform. And this decision was obviously good for business. (Evidence: The current market capitalization of Palo Alto Networks is twenty billion dollars.)

I had this shift toward active-and-integrated in mind during a catch-up meeting with my good friends at Valimail. They were excited to tell me about a new product in their arsenal called Valimail Defend, and I was keen as usual to hear more. I’ve been a huge proponent of their focus on email security and fraud prevention, so I was eager to see how they were dealing now with deceptive domains. Let me share what I learned from the team:

“We understand that detecting impersonation attacks is vital to reduce email risk,” explained Alexander García-Tobar, CEO and co-founder. “Our Valimail Enforce solution automates DMARC implementation, enforcement, and management, which protect against exact-domain impersonation. Now, with Valimail Defend, we expand our defensive surface to address other types of inbound impersonation attacks, such as lookalike domains.”

By now, I hope you understand the wisdom in supporting DMARC (Domain-based Message Authentication, Reporting, and Conformance) for email security. Building on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards, DMARC prevents forged sender addresses and allows domain owners to publish policies that the vast majority of email receivers will enforce. This reduces phishing and fraud risk.

“The products are complementary,” García-Tobar added. “Enforce locks down use of your own domains, limiting it to senders you authorize. This cuts off exact-domain impersonation, whether inbound or sent to other recipients. Defend lets you reject all inbound messages from untrusted domains, whether they have published DMARC records or not, allowing only trusted domains to reach the inbox.”

Valimail’s approach lets enterprises designate inboxes as zero-trust zones: Senders can only deliver messages to them if the senders are trusted and authorized. This prefigures a move that major email providers will make in the coming years, García-Tobar said. “Eventually the community will only accept authenticated email from trusted senders, a policy known as ‘no auth, no entry.’ This is under active discussion among the big email providers.”

A challenge to date has been getting teams to enforce DMARC – and that’s where Valimail Enforce is helpful. By automating active quarantining or deletion of emails from demonstrably bogus sources, Valimail Enforce creates an additional layer of security for email, guaranteeing that only authorized senders can use company domains. Defend extends that protection to all incoming mail, regardless of which domain it appears to have come from. And let’s face it: Virtually every major attack includes a step that exploits email.
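To make the "no auth, no entry" plus trusted-sender policy described above concrete, here is an added illustration (not Valimail's code and not part of the original article) that gates constructed messages on the receiving gateway's DMARC verdict and a sender allowlist. The allowlist, the gateway's authserv-id and the sample headers are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "partner.example"}  # assumption: hypothetical allowlist
OUR_AUTHSERV_ID = "mx.corp.example"  # assumption: ID stamped by our own gateway

def dmarc_result(msg):
    """Return (verdict, header.from domain) from our gateway's Authentication-Results."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue  # stamped by some other host: cannot be trusted
        m = re.search(r"\bdmarc=(\w+)\s+header\.from=([\w.-]+)", results)
        if m:
            return m.group(1).lower(), m.group(2).lower()
    return None, None

def decide(raw):
    """Deliver only mail that is both authenticated and from a trusted domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict, auth_domain = dmarc_result(msg)
    if verdict != "pass" or auth_domain != from_domain:
        return "reject: unauthenticated"   # no auth, no entry
    if from_domain not in TRUSTED_DOMAINS:
        return "reject: untrusted domain"  # authenticated, but not on the allowlist
    return "deliver"

def sample(from_addr, auth_results):
    """Build a constructed test message (not real traffic)."""
    return (f"From: {from_addr}\nAuthentication-Results: {auth_results}\n"
            "Subject: invoice\n\nbody\n")

SAMPLES = {  # constructed inputs
    "trusted": sample("Billing <billing@example.com>",
        "mx.corp.example; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com"),
    "spoofed": sample("CEO <ceo@example.com>",
        "mx.corp.example; spf=fail smtp.mailfrom=bulk.example; dmarc=fail header.from=example.com"),
    # a lookalike domain can publish its own valid DMARC record and still pass
    "lookalike": sample("CEO <ceo@examp1e.com>",
        "mx.corp.example; dmarc=pass header.from=examp1e.com"),
    "forged_hdr": sample("CEO <ceo@example.com>",
        "mx.other.example; dmarc=pass header.from=example.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11} -> {decide(raw)}")
```

The lookalike case is the one DMARC enforcement alone does not catch: the message authenticates correctly for its own domain, so only the trust decision rejects it.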

So, if you are an existing Valimail customer, then reach out immediately to your support contact for information on how to actively integrate Defend functionality into your existing email protection solution. And if you are not currently publishing DMARC records (and consider your hand slapped from me at the very thought), then make it your New Year’s resolution for 2019 to immediately address this weakness in your defensive posture.

As always, please share what you learn.


Dylan Tweney

I help companies, execs, and founders communicate better.

6 years ago

Great writeup, Ed! We think Defend is particularly timely given that the rate of BEC has surged by over 500% in the last quarter.
