Check Point Email Security | Blog

You Need AI for Email Security

Written by Jeremy Fuchs | September 24, 2021

Email security has changed. Previously, it was dominated by Secure Email Gateways (SEG), which were designed to protect on-premise email servers. They used a set of rules that governed which emails were allowed into the inbox and which weren’t.

Today, though, the majority of email lies in the cloud. However, the rules-based protection remains in place for many vendors.

Rules do not work anymore. What’s needed, instead, is email security based on Artificial Intelligence (AI). Without advanced AI, traditional solutions miss as many as 51% of advanced threats. Further, without AI, it is impossible to catch more attacks without being bombarded with false positives.

AI as a concept can be confusing. It’s marketed heavily by many vendors. But, as Gartner says, “Leaders must translate the marketing hype that has heralded AI in misleading terms.” (Gartner, 5 Questions CISOs Must Answer Before Adopting AI, 2020).

In order to have the tools to translate marketing hype into actual capabilities, we’ll outline why the rules-based world of the past is no longer effective and how AI is critical in stopping today’s threats.

What Are Rules and Why Are They Ineffective?

The old way of doing email security is no longer working in today’s world of ever-advancing threats, including ransomware. Secure Email Gateways (SEGs) apply the long-time standard of using rules to block emails or allow emails into the inbox. Rules are a way to move, flag, and respond to email messages. Rules can be used to automatically block threats or allow previously flagged emails that were determined to be safe into the inbox. These rules apply to threats the email security system caught before and are applied to incoming threats that have been seen before.

Nowadays, however, they are ineffective. Why?

Rules are cumbersome, hard to manage and hard to get right. They have to be written manually. Given that there is an endless number of possible rules, the time they consume is effectively unbounded. Not only do they have to be created manually, but they have to be updated and reviewed regularly.

Imagine the following scenario. You hire a new security analyst. Their sole job is to find every single threat that exists on the Internet and create a rule based on it. Additionally, they have to find every safe website and contact that someone in their organization could come across. Given the scope of the internet and the number of email messages received on a daily basis, this is an impossible task to keep up with. And then, the rules would have to be constantly updated and adjusted, a never-ending cycle that couldn’t possibly keep up with the pace of the web, email and ever-evolving cybersecurity attacks. One missed rule could be tremendously damaging. You can create a rule for what you’re looking for, but you can’t know which other, legitimate messages that rule will also trigger on. It’s nearly impossible to create a rule that is free of false positives. Rules can be created initially, but after a while, they produce false positives.

Consider the following example. An attacker sends an email. In the body, there is a keyword that triggers a rule and blocks an attack. This works for a while. But after a period of time, you begin to see a lot of false positives, because people are using that keyword for legitimate reasons. The rule that was created at that time is no longer accurate. It’s difficult to build a rule that will sustain over the course of time. Any time the rule no longer works, there will be false positives.

Rules are ineffective, time-consuming, and impossible to keep on top of. Using Artificial Intelligence (AI) is the best way to combat the ever-evolving cyber threats. It exhibits human-like judgment in reviewing the data and making a decision, and does so more accurately than humans and much faster. Think of it as a superhuman that instantly understands whether an email is good or bad. Instead of relying on a pre-approved list of threats, it learns over time. Instead of looking for that one keyword, AI correlates many signals together, combining them into an intelligent decision. Rules apply specific logic. AI interacts with everything.

Beyond that, it also learns from relationships between employees, historical emails and communication patterns, so as to build a custom threat profile for each organization. Further, AI can consistently be trained. In fact, in Avanan’s case, the AI trains itself specifically on the advanced threats that were designed to evade existing security. This means it’s tuned to what others miss, learning from their mistakes and applying it to future emails.

Now, it’s important to note that many SEGs do use some form of AI. But even this AI is constrained by rules. Layering rules on top of AI constrains the AI, keeping it within a box of rules and static layers.

The days of static lists are over. In email security, being static is an invitation to be attacked. Being dynamic, with world-class AI, is the best way to keep your organization safe.

How Has Identifying Patterns Changed?


A few years ago, the primary way of identifying whether an email was malicious was by looking at patterns. Someone in the Security Operations Center (SOC) would look at, for example, a link that proved to be malicious. The offending link had the suffix of ‘eapf’. The SOC analyst would then see if other emails had links with that suffix. If they did, then you could block it as malicious and create a rule to block all emails that had links with the suffix ‘eapf.’

Times have changed. Today, the individual email is just a tiny part of the total picture. In order to fully understand the entire context, more is needed. The solution needs to look at a lot of previous emails. It needs to look at other customers in the network—have they received similar emails? It needs to perform role-based, contextual analysis of previous conversations. There needs to be a trusted reputation network. The solution needs to know whether the sender is a known vendor or a trustworthy partner. In short, the entire context of the company is needed. What’s typical and what’s not? Phishing emails have evolved to look just like regular emails. A single email at a single point in time—which is how SEGs operate—is not enough. The whole picture is required.

Avanan Has Over 5,000 Customers. Why Does That Matter?

A huge network gives Avanan an unparalleled number of data points. AI effectively digests massive amounts of data. With over 5,000 customers—and growing—we have an extensive global reach, across all industries and organizations of all sizes. This intelligence and insight across such a tremendous dataset ensures our AI has access to the best and most comprehensive data available. The most essential element of any good AI is the dataset on which it is built. The more good data, the better the AI.

With more data, our AI spots new patterns—and new threats—instantly. With more data, we can easily see a new emerging threat and train our AI on it. The more data, the faster the solution picks up on new threats. The AI is trained on this data to know what to look for in complex zero-day phishing attacks. Further, this AI is self-teaching and can dynamically detect malicious behavior and quarantine dangerous files. Frequently, only slight variations in data patterns, invisible to the human eye or too complex for a human to observe, will reveal that it’s an attack. An AI system needs to be trained to pick up on those subtle shifts and block the attack.

Plus, the entire customer base benefits. If just one of Avanan’s customers is attacked, it’s stopped across the board, preventing other customers from getting hit.

Let’s take the following example. A supplier of a company is hacked and begins sending phishing emails to their entire network. Avanan automatically learns and discovers an organization’s supply chain, so we’ve identified this partner company. Beyond blocking these, all of our other customers are now on alert, looking for emails coming from the compromised company. By leveraging our vast scale and data, the entire customer base enjoys the power of the network.


What is NLP?

Natural Language Processing (NLP) is the ability of the machine to understand what’s being written. A few years back, the standard way of analyzing an email worked like this:

  • Email is scanned
  • Keywords are identified
  • If a keyword matches one on a Block List, the email is blocked


This is similar to how the early search engines worked. Remember AltaVista? Its searches worked in a similar way: when you searched for something, it looked for websites containing those exact keywords.

Now, things are different. If you search for ‘how does Roger Federer hit a backhand’ you’ll be directed to sites that match that keyword, but you’ll also be directed to a site that talks about how he hits a “backstroke”. Those mean the same thing but use different keywords.

Though it seems simple, this is a quantum leap in machine learning and AI. It was spearheaded by Google and their system of BERT, or Bidirectional Encoder Representations from Transformers. It’s an architecture of machine learning, and there are many different models within BERT.

The main goal of BERT is to extract meaning. It can take two different pieces of text with no matching keywords and understand that they say the same thing. Or, it can take two pieces of text with many matching keywords and understand that they say different things. Take this example:

  • Roger Federer is the greatest of all time
  • Roger Federer is not the greatest of all time

If using keywords, the system would think you’re talking about the same thing. BERT knows it’s different.
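The two points above, the keyword rule that drifts into false positives (the scenario in the rules section) and the keyword-overlap view that cannot tell the two Federer sentences apart, can be shown side by side. This is an added example, not Avanan's code; the mailbox, the block list, the extra signals and their weights are all constructed assumptions, and the hand-weighted scorer stands in for a learned model only to show why correlating several signals beats one keyword.

```python
import re
from typing import Callable, Dict, List

# Constructed sample mailbox (not real messages). The keyword "wire transfer"
# appears both in an attack and, later, in a legitimate finance thread.
EMAILS = [
    {"id": 1, "known_sender": False,
     "body": "URGENT: approve this wire transfer today, link: http://evil-example.test/pay"},
    {"id": 2, "known_sender": True,
     "body": "Hi, the wire transfer for invoice 118 cleared yesterday, thanks."},
    {"id": 3, "known_sender": True, "body": "Weekly deals inside."},
]
LABELS = {1: "attack", 2: "legit", 3: "legit"}   # ground truth for the sample
BLOCK_LIST = {"wire transfer"}                    # the single-keyword rule

def keyword_rule(email: Dict) -> str:
    """SEG-style rule from the post: scan, find keywords, block on any match."""
    body = email["body"].lower()
    return "block" if any(k in body for k in BLOCK_LIST) else "allow"

def contextual_score(email: Dict) -> float:
    """Hand-weighted stand-in for a trained model: correlates several signals
    instead of reacting to one keyword. Weights are illustrative assumptions."""
    body = email["body"].lower()
    signals = {
        "keyword": any(k in body for k in BLOCK_LIST),
        "unknown_sender": not email["known_sender"],       # no prior relationship
        "urgency": bool(re.search(r"\b(urgent|today|immediately)\b", body)),
        "has_link": "http" in body,
    }
    weights = {"keyword": 0.2, "unknown_sender": 0.4, "urgency": 0.2, "has_link": 0.2}
    return sum(w for name, w in weights.items() if signals[name])

def contextual_verdict(email: Dict, threshold: float = 0.5) -> str:
    return "block" if contextual_score(email) >= threshold else "allow"

def false_positives(verdict: Callable[[Dict], str]) -> List[int]:
    """IDs of legitimate emails that a verdict function wrongly blocks."""
    return [e["id"] for e in EMAILS if LABELS[e["id"]] == "legit" and verdict(e) == "block"]

def keyword_overlap(a: str, b: str) -> float:
    """Jaccard overlap of word sets: similarity as a pure keyword matcher sees it."""
    ta = set(re.findall(r"\w+", a.lower()))
    tb = set(re.findall(r"\w+", b.lower()))
    return len(ta & tb) / len(ta | tb)

if __name__ == "__main__":
    print("keyword rule false positives:", false_positives(keyword_rule))        # [2]
    print("contextual false positives:", false_positives(contextual_verdict))    # []
    print("overlap of the two Federer sentences:",
          round(keyword_overlap("Roger Federer is the greatest of all time",
                                "Roger Federer is not the greatest of all time"), 3))
```

The keyword rule still catches the attack but also blocks the legitimate invoice thread, while the multi-signal score separates them; the two opposite Federer sentences share eight of nine distinct words, so a keyword matcher rates them as nearly identical.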

Avanan uses BERT and was one of the first to use it for phishing detection. We use it because BERT can understand what the email is about, improving accuracy.

BERT is best when it’s trained on more data, with a proper AI framework for it to learn. Avanan provides that with its network of millions of data points. As time goes on, BERT gets even more robust.


Avanan’s Accuracy Improves Over Time. Why?

Avanan utilizes customer feedback. Every interaction from an end-user turns into a learning experience for our AI. If an admin quarantines or releases emails, that’s added to the training set. There are several training sets. As an inline security solution, Avanan runs after Microsoft’s and Google’s default security. One of the training sets, then, is the specific attacks not caught by Google or Microsoft. Additionally, Avanan is trained on the attacks missed by other security solutions, such as Secure Email Gateways.

Beyond that, Avanan constantly trains and tunes the AI on a specific tenant, creating a custom threat profile, one that learns from relationships between employees, historical emails, and communication patterns to block attacks specific to each organization.

There are also separate training models based on the direction of mail—i.e., inbound, outbound, internal.

Our AI learns across all customers and their data, and feeds that information into our algorithms, combing through millions of emails, capturing them, and adding them to the data set. The more extensive the network, the more interactions there are. As attacks change, it’s essential to continually learn and evolve. That’s why models are rerun on the data continuously.


The Importance of AI

Today’s threat landscape has gotten incredibly fierce. Advanced threats require a dynamic, cutting-edge solution that constantly adjusts and improves over time. Avanan has found that, without advanced AI, 51% of the most sophisticated threats would not be stopped.

The days of rules-based security are over. If you don’t have advanced AI trained on the best data, you are not fully secure.

Join us Tuesday, September 28th at 11:00 am ET for a webinar, as we take a deep dive into the importance of AI in securing your email.