
Integrated Cloud Email Security (ICES): Why you need it

by Duncan Mills
Published on 22nd Sep 2022

ICES is a term coined by industry analyst, Gartner, in their 2021 Market Guide for Email Security. In the same report, they suggested that by 2025, 20% of anti-phishing solutions would be delivered by these types of platforms, up from 5% at the time of publication. 

Another analyst, Forrester, also coined a term for these platforms – cloud-native API-enabled email security (CAPES). Their definition broadly aligns with Gartner’s, so for simplicity, we will use the Gartner term throughout this article. In it, we explain what ICES solutions are, how they came about and why you need one.

The three drivers of ICES 

ICES is an evolution of email security solutions referred to in previous Gartner Market Guides as cloud email security supplements (CESS) and integrated email security services (IESS). Three driving forces led to the emergence of this category of email security: 

  1. Sophisticated, evasive phishing: email attacks used to consist of malware hidden in attachments and downloaded from servers linked in the email. A few years ago, they evolved to payload-less phishing attacks and links pointing at seemingly innocuous content designed to steal credentials. These attacks evaded detection by existing email security and a new solution was needed. 
  2. The emergence of intelligent detection: innovations in machine learning, social graphs and linguistic analysis made detection of advanced phishing attacks possible.
  3. The migration to Microsoft 365: the shift to cloud email platforms made it possible to build email security solutions that are easy to deploy and that provide post-delivery inspection of emails and remediation of threats.

Today the above factors are driving the rapid acceptance of ICES solutions.  

Simple to deploy, with no rip and replace 

ICES platforms are not designed to replace existing email security, but to augment it and solve for the use cases that it cannot. Therefore, they co-exist with existing secure email gateways (SEG), including the native security provided by Microsoft 365. This means that no change is necessary to the Domain Name System mail exchanger (DNS MX) record, resulting in ICES security being deployed in minutes.

There are two common methods of deployment, and both are implemented with just a few clicks:  

  1. Use the Microsoft Graph API to claw back emails from the inbox post-delivery, inspect them and if a threat is found, either quarantine them or add a warning banner and return them to the inbox. If they are clean, they are returned to the inbox in their original format. 
  2. Deploy mail flow rules into Microsoft 365 which divert emails to the ICES platform, where they are inspected and, if a threat is found, either quarantined or given a warning banner before being delivered to the inbox.

Both approaches use the Graph API to enable remediation of emails that are delivered and later found to be malicious. This is a function of mail-focused security orchestration, automation and response (M-SOAR). We will cover this in a future blog.  

The first approach has been criticized by some for introducing an over-reliance on the Microsoft Graph API, because at times of heavy load the API can throttle the connection. This is well-documented on Microsoft's support site and results in potentially malicious emails sitting in users’ inboxes for tens of seconds, if not minutes, during which time the user could open one and fall for a phish.

The second limitation of this approach is related to the ICES platform being unable to claw back emails delivered to devices that are using their native email clients, rather than the Outlook app. Again, this results in potentially malicious emails being available to the user.  
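The throttling limitation can be measured rather than assumed. The sketch below is an added example, not code from the original article or from any ICES vendor: it simulates a post-delivery remediation call that is throttled and reports how long the message stayed in the inbox. It assumes throttling surfaces as HTTP 429 or 503 with an optional Retry-After value; the `Response`, `FakeClock` and `scripted_move` helpers and the 30-second SLA are hypothetical, constructed so the example runs offline.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    retry_after: float = 0.0  # seconds; 0 means the header was absent

class FakeClock:
    """Constructed clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0
    def sleep(self, seconds):
        self.now += seconds

def quarantine_with_backoff(msg_id, delivered_at, move, clock,
                            max_tries=5, base_wait=2.0):
    """Try to pull one message out of the inbox.

    Returns (quarantined, dwell_seconds): how long the message stayed
    visible to the user, including time spent waiting out throttling.
    """
    for attempt in range(max_tries):
        resp = move(msg_id)
        if 200 <= resp.status < 300:
            return True, clock.now - delivered_at
        if resp.status not in (429, 503):
            break  # not throttling: retrying will not help
        # Honour the server's wait; fall back to exponential backoff.
        clock.sleep(resp.retry_after or base_wait * 2 ** attempt)
    return False, clock.now - delivered_at

def scripted_move(script, clock, latency=0.5):
    """Constructed transport: replays responses, each call costs `latency` s."""
    responses = iter(script)
    def move(msg_id):
        clock.sleep(latency)
        return next(responses)
    return move

def demo(script, sla_seconds=30.0, max_tries=5):
    """Run one remediation and report whether dwell time breached the SLA."""
    clock = FakeClock()
    ok, dwell = quarantine_with_backoff(
        "msg-1", 0.0, scripted_move(script, clock), clock, max_tries=max_tries)
    return {"quarantined": ok, "dwell": dwell, "sla_breached": dwell > sla_seconds}

if __name__ == "__main__":
    # Constructed scenario: throttled twice, then the move succeeds.
    print(demo([Response(429, 10), Response(429, 20), Response(201)]))
```

Tracking dwell time per message in this way gives a security team a concrete number to alert on when throttling delays remediation.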

Enables consolidation around Microsoft  

According to Gartner, 75% of organizations are pursuing a vendor consolidation strategy [i]. Much of this strategy is centered around Microsoft 365, with organizations recognizing that they are under-utilizing much of the functionality they have already paid for with their E3 or E5 license. You can learn more about the drivers for consolidation in our blog 'Take a holistic approach to email security to reduce vendor sprawl'.

By augmenting Microsoft’s native email security, ICES platforms are helping many organizations realize their consolidation goals by enabling removal of their SEG.   

Functionality separates it from SEGs  

ICES vendors often refer to their products as intelligent because they use self-learning technologies. This is unlike the rules and signature-based policies used by SEGs, which require constant maintenance and updating, soaking up the time of IT and security administrators.

ICES platforms provide 3 key capabilities: 

  1. Intelligent detection: there are 3 key detection technologies used by the leading ICES platforms: machine learning understands normal email behaviors and flags anomalies; social graph technology learns normal sender/recipient trust relationships and again, flags anomalies; and linguistic analysis detects signs of language used in social engineering attacks. 
  2. User engagement: ICES platforms exist to do the hard yards – they must detect the difficult threats that have evaded other security controls, and they are the last line of defense before a phishing email is presented to the user. Therefore, the opportunity for false positives is extremely high. Consequently, most platforms do not quarantine suspicious emails, but instead they add a warning banner that is typically color-coded to highlight the level of suspicion. Many banners also contain contextual information about the nature of the threat, and some allow the user to click through for yet more information and report the email as malicious or safe. 
  3. M-SOAR capabilities: when a user does report an email as malicious or when a suspicious email is discovered through other means, a security analyst needs to investigate, contain, and remediate any threat as quickly as possible. Most leading ICES platforms provide the means to do so through search and destroy functionality. This surfaces all emails with signs of any risks associated with them, indicators of compromise (IOC) and often a visual representation of the original email. They also allow for all matching emails to be remediated with a single click.   
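To make the detection and banner capabilities concrete, here is a deliberately simplified sketch of social-graph and linguistic signals feeding a color-coded banner. It is an added example, not taken from the article or from any vendor's product: the phrase list is a crude stand-in for linguistic analysis, and the addresses, message fields and color thresholds are constructed assumptions.

```python
from collections import defaultdict

# Crude stand-in for linguistic analysis (assumed phrase list).
PRESSURE_PHRASES = ("urgent", "wire transfer", "gift card", "verify your password")

def norm(text):
    return " ".join(text.lower().split())

def build_graph(history):
    """history: (sender_address, display_name, recipient) for past clean mail."""
    senders = defaultdict(set)   # recipient -> addresses seen before
    names = defaultdict(set)     # (recipient, display name) -> addresses using it
    for addr, name, rcpt in history:
        senders[norm(rcpt)].add(norm(addr))
        names[(norm(rcpt), norm(name))].add(norm(addr))
    return senders, names

def assess(msg, graph):
    """Return (banner_colour_or_None, reasons) for one inbound message."""
    senders, names = graph
    addr, name, rcpt = norm(msg["from"]), norm(msg["name"]), norm(msg["to"])
    reasons = []
    if addr not in senders.get(rcpt, set()):
        reasons.append("first-time sender for this recipient")
        if names.get((rcpt, name)):
            reasons.append("display name of a known contact, different address")
    if any(p in norm(msg["body"]) for p in PRESSURE_PHRASES):
        reasons.append("pressure or credential language")
    colour = None if not reasons else "amber" if len(reasons) == 1 else "red"
    return colour, reasons

# Constructed sample data.
HISTORY = [
    ("alice@example.com", "Alice Smith", "bob@example.com"),
    ("billing@supplier.example", "Supplier Billing", "bob@example.com"),
]
INBOUND = [
    {"from": "alice@example.com", "name": "Alice Smith", "to": "bob@example.com",
     "body": "Minutes from today's meeting attached."},
    {"from": "alice.smith@mail.example.net", "name": "Alice  Smith", "to": "bob@example.com",
     "body": "URGENT: need a wire transfer before 5pm, keep this quiet."},
    {"from": "news@conference.example", "name": "Conf Team", "to": "bob@example.com",
     "body": "Early-bird registration is open."},
]

def banners():
    graph = build_graph(HISTORY)
    return [assess(m, graph) for m in INBOUND]
```

The third message shows why a banner is preferred to quarantine: a legitimate first-time sender trips one signal and gets an amber notice rather than being blocked.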

Looking beyond ICES 

Many organizations are looking beyond the threats that can be detected by ICES. In much the same way that intelligent detection technologies have revolutionized inbound threat protection, they are transforming outbound threat protection. In the 2021 Market Guide, when Gartner introduced ICES, they also introduced the term email data protection (EDP).

EDP adds protection against data breaches caused by human error that leads to misaddressed emails, incorrect attachments, excessive recipients in the “to” field, and emails containing sensitive information sent unencrypted. It uses technologies similar to those described above to understand normal sender and recipient behaviors and prompts the sender when an anomaly is detected. Like ICES adding warning banners, the goal is to nudge the user right at the point of risk by intervening in their normal workflows.

As organizations begin to quantify this human-activated risk that results in data breaches, ICES vendors are looking to add EDP to their portfolios. However, few can provide the full suite of inbound and outbound protection.

This buyer's guide from Osterman Research will help you understand more about ICES and EDP platforms and guide you through the process of choosing and justifying the right solution to meet your needs.  

[i] Infographic: Top Trends in Cybersecurity 2022 — Vendor Consolidation, Published 19 August 2022 - ID G00765917.