Many organizations think their current email security systems are up to the task of protecting them against today's threats.

Unfortunately the email security systems of many organizations fall short and thus do not keep them safe. The reality is the industry needs to work toward a higher standard of overall email security. The proof is in the numbers. Mimecast is establishing a standard of transparency for organizations and as such is raising the bar for all email security vendors. In order to address this head-on, Mimecast has launched the Email Security Risk Assessment (ESRA).

Mimecast uses its cloud-based Advanced Security service to quantitatively and objectively assess the effectiveness of legacy email security systems. The ESRA test passively inspects emails that have been passed by the incumbent email security system and received by the organization's email management system. In an ESRA, the Mimecast service re-inspects the emails deemed safe by the incumbent email security system and looks for false negatives, such as spam or malicious content.

The Mimecast ESRA can help participating organizations better understand the email-borne threats that are getting through their current defenses, giving them a sense as to the number and types of attacks to which they are likely vulnerable.

For the security industry in general the aggregated data that is provided by running a series of ESRA tests across multiple incumbent security technologies provides tangible, quantitative evidence of the strengths and deficiencies of commonly used email security systems. This helps alert organizations to the types of attacks that might be circumventing their existing security defenses.

The ESRA testing to date has covered 44,644 email users over a cumulative 287 days of inbound email received into the organizations participating in the testing. In this time period more than 40 million emails were inspected by Mimecast. It is critical to understand that these emails were all passed by the incumbent email security vendor or cloud security service in use by the particular organization. The Mimecast security inspections occurred passively after the incumbent email security system executed its security filters.

Overall the Mimecast security service determined that nearly 9 million of the more than 40 million emails, or 22.3%, were in fact “bad” or “likely bad.” In other words, the overall false negative rate in aggregate for the incumbent security tested was 22.3% of all emails inspected by Mimecast.

Not surprisingly, the vast majority, or 99.8%, of the false negatives that were passed by the incumbent email security systems and caught by Mimecast were spam email messages. In the next inspection step down 8,319 emails with dangerous file types as attachments were detected by the Mimecast service, and thus missed by the incumbent email security service. Next, 1,669 emails were determined to contain known malware. Stepping down another level of lethality, in this series of ESRA tests 487 emails that contained unknown malware attachments were detected through the use of file behavior monitoring technology, generally known as sandboxing.

Now to the final ESRA inspection step, 8,605 false negative emails that are characterized as impersonation attempts were missed by the incumbent email security system. Impersonation emails, as the name implies, are emails that carry neither malware nor malicious URLs generally and are difficult to detect. They are social engineering-heavy emails that attempt to impersonate a trusted party.

Over time as Mimecast executes more ESRA tests, the security industry will receive more tangible evidence of email threats and the effectiveness of security defenses. This data will be reportable by vertical industry, incumbent email security system, and even by the geographic location of the organizations.

While many organizations erroneously think their current email security systems are up to the task of protecting them, in particular from today's more sophisticated, well-resourced and targeted attackers, the Mimecast ESRA takes an important step to proving this to be wrong.

Mimecast, as part of our commitment to improving security in general, and email security in particular, commits to continuing our ESRA tests. As we collect more data from more individual tests, we commit to update the security industry on what we are seeing. Ultimately, the email security industry needs to be driven by data and not vague claims and generalizations to more effectively assist customers and the overall industry.

By Matthew Gardiner,
Senior Product Marketing Manager