Secure Email Gateways (SEGs) are an email security solution that sits inline on the path email takes from the public Internet to the corporate email server. This position lets the SEG inspect email for malicious content before it reaches corporate systems. However, the design of the SEG makes it less suited to protecting modern cloud-based email solutions.
How Does A Secure Email Gateway Work?
An SEG works by acting as a proxy for an organization’s email server. When configuring an SEG, the organization sets up its DNS MX record to point to the SEG’s cloud-based proxy. Any email sent to the organization is then delivered to the SEG’s proxy first.
The SEG can then filter and inspect the email for malicious content based on threat intelligence. After sanitizing the email, the SEG will forward it to the corporate email server for delivery to the intended recipient.
Main Features Of A Secure Email Gateway
An SEG is intended to provide comprehensive protection against email-borne threats. Some of the critical features of an SEG include:
- Content Disarm and Reconstruction (CDR): Email may carry attachments that contain malicious content. CDR deconstructs these files, strips out malicious content, and rebuilds a clean version of the file to be sent on to the user.
- Sandboxing: Classifying email attachments and URLs as benign or malicious may be difficult for some samples, especially zero-day threats. Sandboxed analysis enables this content to be inspected in an environment where malicious code can be executed and examined without posing a risk to the organization.
- Data Loss Prevention (DLP): Email is designed for information sharing, making it a prime vector for data exfiltration. DLP solutions identify intellectual property (IP) and data protected by regulations in emails and prevent it from being transmitted to unauthorized parties or in insecure ways.
- Anti-Phishing: Phishing is one of the most common cyber threats and can be used for malware delivery, credential theft, and data exfiltration. An SEG should incorporate anti-phishing protection to identify and block malicious links and attachments within an email.
- Post-Delivery Protection: An SEG may not detect all threats during its inline inspection of emails, especially when dealing with zero-day threats. Post-Delivery Protection uses API integrations with an email service to pull a malicious email from the user’s inbox. Since the user may have already opened this email, it also generates a security alert of a potential intrusion.
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC): DMARC is designed to protect against email spoofing from domains that have enabled it. An SEG should block any emails that fail the DMARC test from domains that have enabled this protection.
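The DMARC check described in the last bullet, worked through as an added example (not code from the page or from any SEG vendor): it parses a sender domain’s published DMARC policy, checks whether the SPF and DKIM results align with the RFC5322.From domain, and returns the disposition the policy asks for. The DMARC records, domain names and authentication results are constructed sample data standing in for real DNS lookups and an upstream SPF/DKIM verifier; the organizational-domain derivation is a deliberate simplification (a real implementation uses the Public Suffix List).

```python
"""DMARC disposition check for one inbound message (added example, assumptions noted)."""
from dataclasses import dataclass

# Constructed sample DMARC records, keyed by domain, standing in for the
# TXT record an SEG would fetch at _dmarc.<domain>.
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "partner.example": "v=DMARC1; p=quarantine",
    "legacy.example": "v=DMARC1; p=none",
}


@dataclass
class AuthResults:
    """Results an upstream SPF/DKIM verifier would hand to the DMARC step."""
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the DMARC default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; not PSL-aware)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(results, records=SAMPLE_DMARC_RECORDS):
    """Return (disposition, reason); disposition is accept, quarantine or reject."""
    from_domain = results.from_domain.lower()
    record = records.get(from_domain)
    used_org_record = False
    if record is None:
        record = records.get(org_domain(from_domain))
        used_org_record = True
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "accept", "no DMARC policy published for sender domain"

    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, from_domain, policy["adkim"])
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, from_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "accept", "DMARC pass"

    # A subdomain without its own record inherits sp= (if present) from the org domain.
    effective = policy.get("sp", policy["p"]) if used_org_record else policy["p"]
    effective = effective.lower()
    if effective == "reject":
        return "reject", "DMARC fail, p=reject"
    if effective == "quarantine":
        return "quarantine", "DMARC fail, p=quarantine"
    return "accept", "DMARC fail, p=none (monitor only)"


if __name__ == "__main__":
    spoof = AuthResults("example.com", "fail", "attacker.example", "fail", "attacker.example")
    print(dmarc_disposition(spoof))  # a spoof of a p=reject domain is rejected
```

Note that a message passes DMARC if either SPF or DKIM passes with an aligned domain; an SEG that blocks on a single failing mechanism, rather than on the combined DMARC result, will reject legitimate forwarded mail whose SPF breaks but whose DKIM signature survives.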
Why Is A Secure Email Gateway Important?
Email-based attacks are a leading threat to corporate cybersecurity. Phishing is one of the most common cyberattack vectors and can be used to deliver malware and steal sensitive information. A compromised email account can provide an attacker with access to valuable data and other online accounts.
An SEG is designed to provide a much-needed additional line of defense against phishing and other email-borne threats. The shortcomings of the built-in security solutions for many email programs make defense-in-depth necessary for risk management.
The Limitations Of Secure Email Gateways
SEGs were a leading email security technology when corporate email was primarily located on-premises. However, as companies increasingly adopt cloud-based email systems, attempts by SEGs to adapt to the changing environment have fallen short. Some of the main limitations of SEGs for the modern enterprise include:
- Perimeter-Focused Protection: Many SEGs will route email traffic directed to the corporate email server through a cloud-based proxy for inspection before forwarding it to its destination. While this provides protection against external threats, it leaves the solution blind to internal ones.
- Single-Layer Security: Some SEGs disable the built-in security protections offered by an email provider (Google, Microsoft, etc.). This eliminates defense-in-depth and makes an organization more vulnerable to attack.
- Email Focus: SEGs are designed to protect email and only email. However, as companies move to other cloud-based file sharing and collaboration tools, this leaves them exposed to attack via these unprotected services.
- Poor OPSEC: To enable some SEGs, it is necessary to change an organization’s DNS MX record to point to the proxy. By revealing the email security solution in use, this enables attackers to tailor attacks to slip past defenses.
- Root Domains: While an organization may have its DNS MX record pointing to its SEG, Office 365 and G Suite also have a root domain whose DNS is managed by Microsoft or Google. Attackers that send emails to this root domain can bypass an SEG.
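The perimeter-focused and root-domain limitations above share one detection: a message that reached an inbox without ever traversing the gateway. The following is an added example (not code from the page or from any vendor) that walks a delivered message’s Received: chain and flags it when no hop came from a known SEG relay, or when a recipient address is on the provider’s root domain rather than the organization’s MX-protected domain. The relay hostnames, the root domain and the three sample messages are constructed; in a real deployment the relay list comes from the SEG vendor’s published hostnames and the root domain is the provider-assigned one (for Office 365, the tenant’s onmicrosoft.com domain).

```python
"""Flag inbound mail that bypassed the SEG (added example; names are constructed)."""
import email
import re
from email.utils import getaddresses

# Assumed hostnames of the organization's SEG relays (constructed).
SEG_RELAY_HOSTS = {"mx1.seg-vendor.example", "mx2.seg-vendor.example"}
# Assumed provider-assigned root domain that is not covered by the MX record (constructed).
PROVIDER_ROOT_DOMAINS = {"corp-tenant.provider-root.example"}

# Received: headers are prepended at each hop, so the first one is the newest.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)

# Constructed sample 1: normal path, sender -> SEG relay -> provider -> inbox.
SAMPLE_VIA_SEG = """\
Received: from mail.corp-provider.example (10.0.0.5) by inbox.corp.example; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx1.seg-vendor.example (203.0.113.10) by mail.corp-provider.example; Mon, 1 Jan 2024 10:00:01 +0000
Received: from sender.example (198.51.100.7) by mx1.seg-vendor.example; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
To: bob@corp.example
Subject: Invoice

Please see attached.
"""

# Constructed sample 2: delivered straight to the provider root domain, no SEG hop.
SAMPLE_ROOT_DOMAIN = """\
Received: from sender.example (198.51.100.7) by mail.corp-provider.example; Mon, 1 Jan 2024 10:05:00 +0000
From: alice@sender.example
To: bob@corp-tenant.provider-root.example
Subject: Invoice

Please see attached.
"""

# Constructed sample 3: internal-to-internal mail that never leaves the provider.
SAMPLE_INTERNAL = """\
Received: from mail.corp-provider.example (10.0.0.5) by inbox.corp.example; Mon, 1 Jan 2024 10:10:00 +0000
From: carol@corp.example
To: bob@corp.example
Subject: Shared link

Here is the document.
"""


def received_hops(msg):
    """Return the 'from' host of every Received: header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FROM.match(value)
        hops.append(match.group(1).lower().rstrip(".") if match else "")
    return hops


def recipient_domains(msg):
    """Domains of the visible recipient headers (To, Cc, Delivered-To)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return [addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(headers) if "@" in addr]


def bypass_findings(raw_message, relay_hosts=SEG_RELAY_HOSTS, root_domains=PROVIDER_ROOT_DOMAINS):
    """Return a list of reasons the message appears not to have been inspected by the SEG."""
    msg = email.message_from_string(raw_message)
    findings = []
    if not any(hop in relay_hosts for hop in received_hops(msg)):
        findings.append("no Received hop from a known SEG relay")
    for domain in recipient_domains(msg):
        if domain in root_domains:
            findings.append(f"recipient on provider root domain {domain}")
    return findings


if __name__ == "__main__":
    for name, sample in [("via SEG", SAMPLE_VIA_SEG), ("root domain", SAMPLE_ROOT_DOMAIN),
                         ("internal", SAMPLE_INTERNAL)]:
        print(name, "->", bypass_findings(sample) or ["inspected by SEG"])
```

Only the Received: lines added by the organization’s own servers and its provider can be trusted; a sender controls everything below them, so the check should be read as “the trusted hops never mention the gateway,” not as proof of the full path. The same logic runs well as a transport rule or post-delivery API query, which is where the root-domain and internal-mail gaps are actually visible.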
Secure Email With Avanan
Email is a major threat vector for enterprise cybersecurity because attacks delivered over it rely largely on social engineering to trick the human behind the computer rather than on software vulnerabilities, which are more easily fixed. Social engineering attacks are effective and easy to perform, making them a major threat to enterprise cybersecurity. Learn more about social engineering in this eBook.
SEGs are designed to protect against phishing and other email-borne threats, but their design dramatically limits their effectiveness. Instead of trying to intercept email traffic en route to the email server, Check Point and Avanan’s secure email solution uses API integrations to inspect emails after an email service’s built-in protections have run. To learn more about how this defense-in-depth improves email security, you’re welcome to sign up for a free demo.