
Slide 1

Strengthening Your Email Security: It’s Time for Mimecast

Dan Sloshberg, Product Marketing Director

• Hello and welcome to our latest webinar

• My name is <name>

• The global threat landscape has changed.

• We all know that our organizations are under increased attack from better resourced and more sophisticated attackers.

• Effectively defending against these more advanced threats requires the latest protection techniques – something not all incumbent security vendors offer.


Slide 2

What we’ll cover

• Why email security is more important than ever

• Ransomware, spear-phishing and impersonation attacks

• Defensive strategies & technologies

• Why your current Symantec Email Security solution (MessageLabs) may not be up to the task

• Q&A

• Today we’ll be looking at the role email continues to play as the main vector of attack and why ensuring the best email security is paramount

• We’ll take a closer look at the latest attack types including ransomware and impersonation, what they look like and why they are successful

• Critically, we will talk about how organizations like yours can effectively prevent these types of attacks by using the right technologies and processes

• And finally, based on best-practice defensive techniques, we’ll uncover where you may have some holes in your defense.


Slide 3

• So, who are the attackers?

• Cybercriminals take many forms

• Hacktivists like the group ‘Anonymous’ strategically target organizations for political reasons and then bring media attention to an issue

• State sponsored attacks are increasingly common whereby government and private organizations are attacked by groups directly controlled by or influenced by a government – Russia’s alleged influence over the recent US election is a good example.

• Naturally these groups are well funded and motivated by driving the agenda of the sponsoring country / state.


Slide 4

• There are many individuals being sought by intelligence agencies for their role in cyberattacks, carried out either alone or as part of wider organized hacking groups.

• These groups are increasingly run as businesses. Their ‘employees’ clock on and off like in a regular job.

• Their motivation…?


Slide 5

• MONEY

• The majority of attacks on both private and governmental organizations are motivated by financial reward

• Perhaps they’re stealing credentials or payment card details to sell on the black market

• Or could be encrypting content and holding the targeted organization to ransom

• Cryptocurrencies like Bitcoin make it easier for the attackers to get away with it as it’s more difficult to trace payments


Slide 6

Malicious

Accidental

Policy Violating

• Let’s not forget too that not all attackers are external to an organization.

• Insiders have become an increasingly greater threat due to the implicit trust bestowed on them by their organizations and the relative ease of access to sensitive and valuable content their position provides.

• But not all insiders are malicious, in fact most aren’t:

• The Compromised Insider – Their accounts have been taken over by external attackers through credential harvesting, social engineering, phishing emails, and the installation of various forms of malware – like ransomware, remote-access Trojans or key loggers.

• The Careless Insider. Those employees who ignore or simply don’t fully understand the organization’s security policies and rules. While ignoring these policies is not done with malicious intent, the actions – such as sending sensitive information insecurely – put the organization at greater risk of sensitive data leakage and malware infections.

• Malicious insiders, though not common, do exist. And when they strike, they can cause significant damage. These employees either intend to profit personally from, or do damage to the organization by stealing, leaking or compromising confidential data and systems.


Slide 7

91% of incidents start with an email

Wired

• So, how do these various types of attacker get access to systems?

• While multiple entry points exist, email remains the #1 vector of attack.

• Why?

• Well it remains the main communication channel for organizations – according to the Radicati Group, there are more than 2.6Bn email users worldwide and more than 100B business emails are sent every day.

• Email was never built to be inherently secure, yet employees place a huge amount of trust in email and the information they receive through it.

• Attackers actively exploit this trust – and we’ll talk more about this later.


Slide 8

1 minute 40 seconds

a phish: median time-to-first-click

Verizon 2016 Data Breach Investigations Report (DBIR)

• As evidence of the trust we all place in email, it takes just 1 minute and 40 seconds on average for someone to click on a phishing link in an email.

• That’s the median, imagine what the lower outliers are.

• And... 50% of those people who do click the link will do it within the first hour.


Slide 9

Cybercriminals Love Email!

Verizon 2016 Data Breach Investigations Report (DBIR)

• And as I said, this is why attackers love email

• This chart shows that email attachments and links are the preferred methods used by attackers using a common Crimeware kit readily available online

• They use these methods because they work


Slide 10

Social Engineering & Email = Attacker Heaven!

Hi <yourname>,

Please find attached the file/spreadsheet/document containing your <something emotive like salary/raise/redundancy> details.

Sorry about the <insert mistake/error to get blood boiling>, please let me know if you have any questions.

<your boss>

<HR>

<finance>

• And to make them work even better, attackers have turned to social engineering.

• What’s social engineering?

• It’s the psychological manipulation of people into performing actions or divulging confidential information.

• Sounds complicated right? WRONG

• There are many books published on this subject and it’s not as difficult as it sounds.

• It results in emails like this, which look personal and often contain emotive language like a pay rise. They are designed to look genuine and encourage the recipient to click the link or open the attachment – which then unleashes the malware.


Slide 11

Do You Have a Page Like This On Your Website?

• Cybercriminals will do their research before launching an attack – a little research goes a long way to making their attack more successful

• Remember: if they can increase their open rate or click through rate by just a few points, it can make them a lot more money

• And for more targeted attacks, it takes just one employee to click before they think, and compromise their organization.

• Most of us have websites that include details of senior leaders. This is a fertile hunting ground, as an email that looks like it comes from the CEO or CFO will get employees’ attention.


Slide 12

• There are also easy to find tools like this one that let you harvest email addresses


Slide 13

Public Filings Help A Lot Too!

• And for publicly traded and public sector organizations who have vast amounts of information available online, attackers will use this information to find a hook

• For example, if they know who an organization’s accountants or auditors are, this could be referenced in an email to gain trust, or the email could even be made to look like it’s come from them.


Slide 14

Ransomware and why it’s getting bigger

• One of the fastest growing attack types over the last 12-18 months has been ransomware.


Slide 15

• Ransomware is a type of malware attack that encrypts files on a device with the attacker holding the encryption keys for ransom

• 99% of ransomware attacks start with an email. (Wall Street Journal, Aug 2016)

• This particular example is the Jigsaw ransomware variant.

• Most commonly this type of malware is delivered by email attachment.

• Social engineering is used in the email body to encourage people to open it, and even in the attachment itself.

• For example, a Word doc could use social engineering to convince someone to enable the macro or make it editable – whereby that action in fact triggers the malware to download and infect the employee’s device.


Slide 16

Ransomware = $1B “Business” in 2016 for the Cybercriminals - FBI

• Ransomware has become a big problem

• And it’s costing businesses a lot of money.

• The FBI estimate ransoms paid at $1bn in 2016.

• They also estimate that attacks cost victims $330,000 per incident

• Other research suggests that almost 40% of organizations have been hit by ransomware in the last year


Slide 17

Ransomware is becoming more targeted

Example… Shifting from Client -> Server

• And the news is getting worse

• The specialisation or sophistication of ransomware is increasing

• Attacks are becoming more targeted and now going after servers rather than just clients

• The more it hurts an organization, the more they’re likely to pay

• Criminals focus their efforts on companies with money and important assets – like intellectual property


Slide 18

“…are also charging ransoms based on the number of hosts infected…suggested ransom amounts that vary depending on the geographic location of the victim.”

• The FBI note that ransom requests are adjusted based on the number of hosts infected, and also the location of the victim

• For example, the ransom request may be higher for organizations based in the US versus those in a less developed part of the world.


Slide 19

Ransomware is Moving to Critical Infrastructure

• No one is immune from this threat.

• You may have seen recently that the San Francisco transport system suffered a ransomware attack that left ticket machines disabled and allowed passengers to travel for free.

• This is a great example of criminals targeting organizations for maximum impact and pain to encourage payment.

• Remember payment is most often requested in the form of Bitcoin, so the perpetrators are difficult if not impossible to trace.


Slide 20

You don’t even need to know how to code

Source: Forbes.com - "Ransomware As A Service Being Offered For $39 On The Dark Net" 7/15/16

• What’s even scarier is that you don’t even need to know how to code to launch an attack these days

• Ransomware as a service, such as TOX shown here, is available on the dark net.

• You get a nice graphical interface to track your attack, see how many have been infected and to watch your bank account grow.

• Some of these kits even include call centers to help people who may not know what Bitcoin is or how to get hold of it


Slide 21

But if you do, but you don’t know how to bypass sandboxes…

FUD (Fully Undetectable) crypting services to avoid AV detection

• And even if you can code, but don’t know how to evade sandbox detection…

• There’s an online service that can help with that too.

• This example offers fully undetectable malware crypting

• They’ll even guarantee their work and redo it if it fails for any reason


Slide 22

Modes of Ransomware Malware Entry

• Email - #1

  – Direct delivery of the file via email

  – Delivery of a dropper (Javascript/DOCM macro) via email

  – Clicking a bad URL in an email which downloads file

• Drive-by downloads on Web

• Botnets

• Ad networks

• As we’ve said, ransomware can enter an organization through various channels, although email remains #1.

  – A weaponized file attached to an email

  – A file containing a macro as the dropper

  – An infected link in an email

• Drive-by downloads on the web, botnets and malvertising are other preferred routes.

• Malvertising is when criminals infect online ads that are then displayed on webpages through legitimate ad networks.


Slide 23

Mimecast Security Gateway Processes >600M Emails a Day

Nearly 50% of email with malware blocked @ Mimecast in a recent period was Locky ransomware

• Mimecast sees a lot of email – over 600M messages a day

• Recently, over 50% of email with malware blocked contained the Locky variant of ransomware.

• So this is certainly a big problem that is getting worse


Slide 24

Impersonation attacks – exploiting trust

• As if the risk of being hit by ransomware is not enough, the rise in impersonation attacks is even more worrying


Slide 25

Impersonation

Business Email Compromise

Whaling

Bank Wire Fraud

W-2 Fraud

Who Says Attacks Need to Involve Malware?

• These attacks are often called Business Email Compromise, wire transfer fraud, W-2 fraud or whaling

• What sets these attacks apart is that they don’t use malware to achieve their goal

• They rely purely on the power of social engineering and the inherent trust in email

• And this is the appeal. Traditional security systems like AV cannot detect this type of attack.

• Even those with technology that scans URLs and detonates attachments in a sandbox are powerless to stop these attacks

• Defending against these attacks requires specialised tools that monitor multiple indicators of potential compromise.


Slide 26

Domain Spoofing + Social Engineering + Email = Opportunity for Easy Money

• Tactics vary but can include domain spoofing, where an attacker sends an email that looks like it comes from your own domain.

• In this example, the domain is ‘mirnecast’ – i.e. using ‘r’ and ‘n’ to look like the ‘m’ in Mimecast.

• Here the attacker has also spoofed the display name to make it look like the email has come from an employee – in this case the CFO

• They are using social engineering here to try and convince a member of the finance team that they have received an email from the CFO asking for a wire transfer to be made – obviously to a fraudulent account.

• Other variants target HR departments for example, attempting to get someone to send confidential information like W-2 forms containing personal tax information of employees – these details can be sold on the black market
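
The "multiple indicators" idea from slides 25 and 26, as an added example (not Mimecast's implementation and not code from the webinar): a small Python check that flags the 'rn'-for-'m' look-alike domain, a protected display name on an outside address, and payment language in the same message. The protected domain `mimecast.example`, the name "Jane Doe", the term list, the indicator names and the thresholds are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumptions for this example: the protected domain, the protected display
# names and the payment vocabulary are constructed values, not product settings.
OWN_DOMAIN = "mimecast.example"
PROTECTED_NAMES = {"jane doe"}  # hypothetical CFO
PAYMENT_TERMS = ("wire transfer", "bank details", "w-2", "payment")
# Character runs that read as another character at a glance ('rn' as 'm').
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse visually confusable runs so look-alike domains compare equal."""
    d = domain.lower()
    for run, looks_like in CONFUSABLES:
        d = d.replace(run, looks_like)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def indicators(from_header, subject, body):
    """Return the impersonation indicators present in one inbound message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    found = []
    if domain == OWN_DOMAIN:
        # Exact-domain forgery is a sender-authentication question
        # (SPF/DKIM/DMARC) and is outside the scope of this check.
        return found
    if skeleton(domain) == skeleton(OWN_DOMAIN):
        found.append("lookalike_domain")
    elif edit_distance(domain, OWN_DOMAIN) <= 2:
        found.append("near_match_domain")
    if " ".join(name.lower().split()) in PROTECTED_NAMES:
        found.append("display_name_impersonation")
    text = f"{subject} {body}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        found.append("payment_request")
    return found


def verdict(found):
    """Payment wording alone is normal business mail; it only escalates
    a message that already carries a sender-identity indicator."""
    identity = [i for i in found if i != "payment_request"]
    if not identity:
        return "deliver"
    if "payment_request" in found or len(identity) >= 2:
        return "hold"
    return "tag"


# Constructed sample messages: (From header, subject, body).
SAMPLES = [
    ("Jane Doe <jane.doe@mirnecast.example>", "Urgent wire transfer", "Please send today."),
    ("Jane Doe <jane.doe@mimecast.example>", "Budget review", "See you at 3pm."),
    ("Billing <billing@supplier.example>", "Invoice", "Payment due in 30 days."),
    ('"Jane Doe" <jd1975@mail.example>', "Quick favour", "Are you at your desk?"),
    ("IT Helpdesk <it@mimecas.example>", "Password expiry", "Your password expires soon."),
]


def run_samples():
    return [verdict(indicators(*msg)) for msg in SAMPLES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, run_samples()):
        print(f"{result:8} {msg[0]}")
```
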


Slide 27

“1,300% increase since January 2015”

“Reported in all 50 US states and in 100 countries”

“Losses over $3.1 billion”

• Once again, the threat from impersonation attacks is so great the FBI have put out an announcement to help raise awareness and vigilance.

• They estimate that this type of attack has skyrocketed by 1,300% since the start of 2015.

• It’s widespread across the globe and losses have reached over $3bn already


Slide 28

Defensive Strategies

• OK, so let’s now look at how we can effectively defend against these latest threats.

• How can you help ensure your organization doesn’t become the next headline?

• The importance of defending against these latest types of attacks has never been greater. Financial and reputational impact is a massive risk

• And for many, the need to comply with increasing regulation such as the General Data Protection Regulation that will affect all organizations that hold data on EU citizens, makes protection an absolute necessity.

• Organizations will need to demonstrate that they have taken all steps to protect information they hold

• If they are breached, they may need to make a public statement – with associated reputational damage

• And they may also need to pay massive fines for non-compliance or due to a breach


Slide 29

Layer 1: The technology

• Layer one is of course the technology


Slide 30

Critical Considerations

Prevent:

• URL re-writing & sandboxing

• Robust weaponized attachment defense

• Comprehensive impersonation protection

• AV updates, patching, application whitelisting, network segmentation

Continue:

• Business continuity for critical applications – email, business systems, databases

Recover:

• Offline (in the cloud) archiving & recovery to a best known good state

• There are some critical technology requirements to help protect against advanced attacks.

• The first aspect is prevention

• URL rewriting with dynamic analysis is key to detect and protect against malicious URLs

• Weaponized attachment defense is also critical

• Protecting against malware-less attacks like impersonation or W2 fraud has become paramount too

• And there are a number of other tactics organizations should use to help limit the risk of breach – including making sure AV is up-to-date and the latest software patches are applied

• Further action can be taken through application whitelisting and network segmentation – which predefine which apps can run on what hardware and separate network segments so malware can’t spread right across the network.

• Business continuity is also a key factor. If a system is impacted by a breach, for example email or a CRM system, do you have technology and procedures in place to ensure employees can continue working effectively?

• And finally, especially in the case of ransomware attacks, do you have an archive or backup of data that allows you to recover to a good known state if data is encrypted?

• This is especially important for organizations that have moved to Office 365 for example. If the data held in Exchange Online is encrypted or corrupted, do you have a separate copy outside of Office 365 to recover from? Bearing in mind that encryption can spread to the copies held by Microsoft.


Slide 31

Move to Mimecast for optimum protection

Prevent:

• All URLs rewritten, multiple checks on every click

• Multi-layered attachment defense – sandboxing + safe file conversion

• Reduces delivery delays; mitigates sandbox evasion

• Granular, fully configurable impersonation protection

Continue:

• Integrated email continuity allowing employees to remain productive – instant failover, SMS notifications

Recover:

• Fully integrated archive with ability to rapidly recover data

Support:

• Dedicated global customer success & support team with deep email security and management expertise.

• So how does Mimecast protect customers against these and other advanced threats?

• To start, all links in every email are rewritten at the gateway.

• Every time an employee clicks a link, it undergoes multiple real-time checks.

• Mimecast defends against delayed exploits where the destination site is only infected after the initial email has passed through the gateway.

• It also protects against clicks from archived emails. Protection is automatically included across devices.

• Gateway-only checks cannot offer this level of protection.

• Weaponized attachment protection is multi-layered

• A full emulation sandbox means attachments can be dynamically analyzed before being delivered to employee inboxes. All sandboxes incur a delivery delay while files are being checked.

• An innovative safe file conversion option means employees get the email and a safe version of the attachment instantly. This takes away the inherent sandbox delivery delay and also combats the risk from sandbox-evading malware (malware designed to evade detection when being analysed by a sandbox).

• This delivers optimum protection from weaponized attachments, like those often used in ransomware attacks, without delivery delays.

• As we discussed earlier, malware-less impersonation attacks have grown considerably. Mimecast delivers dedicated impersonation protection.

• Multiple, highly configurable elements provide comprehensive protection tailored to individual requirements – resulting in optimum defense while minimizing false positives.


• Mimecast’s fully integrated email continuity service ensures employees remain productive with full access to email through Outlook, web, Mac app and mobile apps – even when primary systems are offline.

• The solution includes seamless failover and failback; SMS notification channel to employees; all security policies remain in place during a continuity event

• Mimecast also integrates archiving with security and continuity.

• This ensures a verifiable repository of critical email data is held separate to core operational data.

• Employees and legal teams can access this information anytime in an instant – even if primary email is unavailable.

• It can also be used to recover data if needed.

• Having the right support is critical.

• With Mimecast you benefit from a dedicated global team of email security experts tasked with achieving legendary customer success.

• Industry leading support both during implementation and setup and ongoing operation.


Slide 32

Mimecast added value

• Employee security awareness tools built-in

• End user initiated encryption – incl. expiration, message recall, read receipt, prevent print, prevent reply

• Email signatures and disclaimers

• Secure large file sharing within Outlook

• ISO 27018 certification (protection of personally identifiable information)

• There are other tools and capabilities available as part of the Mimecast security suite. These include:

• A built-in security awareness capability to help increase vigilance

• The ability for employees to initiate email encryption when sending sensitive or personal information via email. This is in addition to policy-based encryption controlled by IT

• It includes the ability to control message expiration, read receipts, prevent printing or replying and also the ability to recall the message

• The built-in email signature and disclaimer features are fully customizable and have granular controls

• Critical to reducing the risk of shadow IT, where employees use unsanctioned and often consumer-grade tools to get their job done, is the ability to send large files directly from Outlook.

• This provides a secure alternative to third-party sites and ensures all email is retained and protected in line with corporate policies.

• Critically, Mimecast takes the security of customers and their data very seriously, and has invested to ensure compliance with the strictest standards, including not only ISO 27001 but also 27018, which relates specifically to the protection of personally identifiable information.

• Only a handful of cloud vendors have achieved this level of certification.


Slide 33

Layer 2: Herd alertness

• The second layer of defense is employee awareness and vigilance.

• The aim here is to create a herd alertness in your organization.

• The intention is not to make everyone suspicious of everything, or make everyone a security pro, but make them alert enough to linger over a link or attachment.

• The Mimecast security awareness tools help in this mission to complement the other tactics you should use like training and perhaps simulated exercises.


Slide 34

Where we’re adding value

• US commercial real estate owner, 1,000 seats: Security, archive, continuity; MessageLabs and Enterprise Vault (EV) take-out

• Global professional services firm, 4,000+ seats: Security (incl. TTP), archive, continuity; MessageLabs take-out

• Residential property investment company, 1,500 seats: Security (incl. TTP), archive, continuity; MessageLabs and EV take-out

• Football confederation, 2,000 seats: Security; MessageLabs take-out

Hundreds of customers have replaced Symantec with Mimecast just this year alone. Here are some examples.

• Displaced Symantec security.

• Had been experiencing increasing spam and customer service issues and uncertainty about company’s future.

• Replaced Enterprise Vault archive with Mimecast. Bought into single platform proposition.

• Threats entering business with MessageLabs.

• Cited challenges with Symantec support.

• Required a unified approach to email archiving and email gateway for improved evidential weight and non-repudiation.

• Needed improved email security as threats entering the business – especially weaponized attachments.

• Wanted a unified solution and single console for security and archiving.

• Needed protection for Exchange outages.

• Evaluated leading email security solutions and chose Mimecast for security approach, unified solution and TCO.

• Suffered from Symantec cloud outage in Apr 2016 and needed better service availability assurance.

• Support from Symantec was below their expectations.


Slide 35

Where we’re adding value

“We needed a solution to protect us from more advanced threats like ransomware that were coming through our previous email security cloud solution. Mimecast was the obvious choice for us.”

Infrastructure Manager, UK local council

And a local council in the UK recently chose Mimecast to protect against advanced threats – especially ransomware attacks that were still coming through their defenses.


Slide 36

Why Symantec is not up to the job

• Many organizations expect that their existing security solution will protect them against traditional viruses and also more advanced attacks.
• Unfortunately this is not always the case.
• I do think it’s important for organizations to understand where their current solution may be falling short.
• Symantec have been in the security game a long time; however, they haven’t always kept up with the rapidly changing threat landscape in order to provide the required email threat protection to combat today’s threats.


Slide 37

What you are missing with Symantec

• A point-in-time gateway check only on URLs
– No protection from delayed exploits
• Single layer attachment protection - sandbox-only
– Prone to delivery delays and evasion. Requires on-premises footprint
• Limited imposter protection – opaque and non-configurable ‘spam’ rule
• No integrated continuity or archive/backup
– Cost, management & complexity implications
• Broad product set with lesser focus on email

• Symantec only offer a point-in-time check of URLs at the gateway.
• This offers little protection from polymorphic threats and delayed exploits that only become active once past the gateway.
• Attachment protection is a single layer offering – comprising a traditional sandbox only.
• As we’ve discussed, sandboxing is prone to delivery delays and malware is increasingly able to detect and evade them.
• While Symantec’s sandbox is cloud-based, the tools needed to enable it require an on-premises footprint. This is far from ideal for customers embracing the cloud.
• They offer a limited capability to help customers defend against the growing threat of impersonation attacks.
• Only very recently announced, they offer very little insight into how or what they are detecting.
• Part of their anti-spam service, the tool provides reports on threats identified.
• They talk about reporting and visibility of these threats, but not about actually stopping them.
• There is no integrated continuity or archive capability – and following the split with Veritas, customers using Enterprise Vault must deal with two separate vendors, support teams, consoles etc…
• Symantec do have a broad security offering, with an increased focus on network security – especially following the Bluecoat acquisition.
• There is little focus on email security – which, given over 90% of attacks start in email, is a significant gap and risk for customers.


Slide 38

Mimecast Can Get You Protected In 3 Easy Steps

The Mimecast Connect App makes the move quick and easy

• Importantly, moving to Mimecast is quick and straightforward.
• The first step is to get mail flowing outbound. This protects outbound mail and starts to build a list of trusted senders to help ensure the best protection with lowest false positives.
• Syncing your directory ensures only valid users will receive mail and means you don’t need to recreate users, groups etc…
• Finally, switching your MX records to Mimecast will ensure employees are protected from external threats.
• We provide many pre-configured policies to ensure protection from day one.
• The Mimecast Connect App, an intuitive wizard-driven tool, makes connecting to and setting up Mimecast even easier.


Slide 39

Prevent: You need the technology that provides the best possible multi-layered protection

Continue: You need to continue to work while the issue is resolved

Recover: You need to go back to the last known good state

This is called Cyber Resilience

• So to wrap up…
• Five years ago you probably stood in front of the board and could pretty confidently say that “we won’t have an attack”.
• That’s no longer the case – we’ve all seen the headlines and the vast array of organizations who have been breached – large, small, and across pretty much all industries.
• More realistically now, you must be able to say: “we are doing our best with the latest and most up-to-date technology. But if we do have an attack, we have a plan that will minimise the impact to our business and employees.”
• This is what a cyber resilience strategy is all about.
• We’d certainly appreciate the opportunity to talk further about how Mimecast can support you.


Slide 40

© 2017 Mimecast. ALL RIGHTS RESERVED.

Mimecast is a leader in enterprise cloud services for the protection and management of corporate human generated data. The company’s email security and cloud archiving services are built on Mimecast’s world-leading secure cloud platform and optimized for Microsoft Exchange and Office 365. Founded in 2003, the company has thousands of customers, with millions of employees and works with over 800 channel partners worldwide. Mimecast has offices in Europe, North America, Africa and Australia.

Thank you

Thank you and questions.