Integrated cloud email security (ICES) vs secure email gateway (SEG)

by James Dyer
Published on 19th Jun 2023

Cybercriminals continually evolve their techniques, leading to more successful phishing attacks. Using techniques such as text-based attacks that utilize social engineering and highly targeted spear phishing, bad actors are able to bypass traditional email security and land in their target’s inbox. According to the organizations surveyed for the 2023 Email Security Risk Report, 92% fell victim to phishing attacks.

The 2023 Gartner Market Guide for Email Security states: “Impersonation and account takeover attacks via business email compromise (BEC) are increasing and causing direct financial loss, as users place too much trust in the identities associated with email, which is inherently vulnerable to deception and social engineering.”

Gartner recommends that organizations should, “use email security solutions that include anti-phishing technology for targeted BEC protection that use AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs. Select products that can provide strong supply chain and AI-driven contact chain analysis for deeper inspection and can detect socially engineered, impersonated, or BEC attacks.”

Consequently, it is important for organizations to implement the right email security for their needs, protecting them from both inbound and outbound threats.

Gartner's depiction of the email security submarket

Gartner's depiction of the email security submarket

What do secure email gateways (SEGs) do?

A secure email gateway (SEG) sits at the perimeter, and is the first point of contact for all incoming and outgoing emails. Because of where they exist in the mail flow, SEGs typically do not analyze any internal email communications. Some vendors are able to do this marginally by using journaling rules, but this also requires the vendor to have a degree of message retention or archiving functionality.  

A SEG is static in nature and uses signature-based and reputation-based detection for phishing attacks. They provide pre-delivery protection to individuals within a business by quarantining threats before they reach the mail server. SEGs use definitions libraries to block known threats (such as previously identified malware or phishing websites) and can work as a great add-on to existing antivirus software.

There are, however, limits to SEG detection and remediation. SEGs are unable to detect advanced phishing, such as business email compromise (BEC) attacks, that do not contain a known payload and can be sent from compromised accounts. While SEGs can remediate phishing emails with the use of a power shell script, if the attack is polymorphic, the process is extremely time consuming as admins will have to remediate each email one by one. This increases the risk of users interacting with the email, as it sits in the inbox until it is remediated.

In addition, deploying a SEG can be time consuming, as it requires a Mail Exchange (MX) record change that has to point to the SEG to redirect mail flow. This can be done on-premises, hybrid, or as a cloud service.

Microsoft 365 and secure email gateways (SEGs)

In recent years, Microsoft has significantly enhanced the native email security capability in their 365 cloud email platform. This capability uses the same signature-based and reputation-based detection as secure email gateways (SEGs) and, as a result, some organizations are experiencing a total duplication of functionality between the Microsoft 365 licenses they have purchased and their SEG.

80% of organizations are choosing to stop investing in their SEG, and instead are consolidating around Microsoft’s native capabilities augmented by an integrated cloud email security (ICES) solution, which can detect and prevent advanced phishing attacks. Specific vendor capabilities vary, but the key is that ICES solutions offer more capabilities than SEGs, including advanced threat detection, ease of use, and improved response.

Integrated cloud email security (ICES) solutions

Gartner coined the term integrated cloud email security (ICES) in their 2021 Market Guide. Using machine learning, natural language understanding (NLU), and natural language processing (NLP), an integrated cloud email security (ICES) solution detects advanced phishing attacks that get through signature-based and reputation-based detection. Additionally, it can provide real-time dynamic banners within the inbox, offering in-the-moment education that augments security awareness and training programs. An ICES solution fills the gaps left by SEGs and better protects a business from malicious actors.

What an ICES solution does

ICES products use behavioral analysis, natural language processing (NLP), and machine learning to detect and prevent advanced phishing attacks, such as account takeover (ATO), business email compromise (BEC), and ransomware attacks

While SEGs can scan links and attachments for known malware and phishing websites, more sophisticated attacks do not necessarily contain a payload and instead use social engineering to lure victims into handing over sensitive data or sending money. Alternatively, advanced attacks that contain zero-day or emerging payloads that are not yet present in a SEG’s definitions library. Data from Egress Defend shows that 50.72% of phishing emails targeting Egress customers bypassed a SEG, Microsoft 365, or both and landed in users' inboxes between June 1st – 14th, 2023.

By holistically combining intelligent detection capabilities, ICES are able to detect a wider range of attacks, not just those that are ‘known bad’.

Graph showing how Egress plugs gaps in outbound and inbound security including advanced phishing attacks, human error and data exfiltration and unprotected data

Egress plugs the gaps

Augment or replace SEGs

Augmenting your SEG with an ICES solution offers a layered approach to email security. However, as mentioned above, there is current discussion over the future of the SEG, as the defense in Microsoft 365 licenses can create a total duplication in functionality between SEGs and Microsoft. Ultimately, the debate about replacing SEGs focuses primarily on Microsoft’s capabilities, with ICES solutions augmenting Microsoft, SEGs, or both.

Organizations may opt to keep their SEG to bolster defenses or when they need it for other use cases, such as journalling and archiving, that Microsoft 365 cannot provide. Regardless of an organization’s approach they need the advanced capabilities of an ICES solution, such as Egress Defend, to ensure they are protected from sophisticated phishing attacks.