What is integrated cloud email security (ICES) and why do you need it?

by Egress
Published on 16th Jun 2023

Integrated cloud email security (ICES) is a term coined by the industry analyst Gartner in its 2021 Market Guide for Email Security. The guide was reissued in 2023 and stated that ‘by 2025, 20% of anti-phishing solutions will be delivered via API integration with the email platform, up from less than 5%’ at the time of publication.

Using machine learning, natural language understanding (NLU), and natural language processing (NLP), an ICES solution goes beyond blocking known threats to detect zero-day and emerging attacks, as well as detecting text-based attacks that leverage social engineering. These solutions can also educate employees in real time.

ICES is an evolution of email security solutions referred to in previous Gartner Market Guides as ‘cloud email security supplements’ (CESS) and ‘integrated email security services’ (IESS). Three driving forces led to the emergence of this category of email security:

  1. Sophisticated, evasive phishing: attacks used to consist of malware hidden in attachments and downloaded from servers linked in the phishing email. However, attacks have evolved. In particular, there has been an increase in payload-less phishing attacks that rely on social engineering and hyperlinks pointing at seemingly innocuous content designed to steal credentials. These and other advanced attacks evade detection by existing email security, such as secure email gateways (SEGs), and a new solution was needed.
  2. The emergence of intelligent detection: innovations in machine learning and linguistic analysis (NLP and NLU) made detection of advanced phishing attacks possible.
  3. The migration to Microsoft 365: the shift to cloud email platforms has enabled easily deployable email security solutions that provide post-delivery inspection of emails and remediation of threats.

Simple to deploy, with no rip and replace

Integrated cloud email security (ICES) solutions are not designed to replace a cloud email platform’s native security, but to augment it and solve the use cases it cannot. Therefore, they co-exist with Microsoft 365’s native security. While they also complement secure email gateways (SEGs), continued enhancements to Microsoft’s offering mean many customers experience a total duplication of functionality between Microsoft and their SEG, and are discontinuing use of the latter.

Because ICES solutions such as Egress Defend augment existing infrastructure, no change to the Domain Name System mail exchanger (DNS MX) record is necessary, and they can be deployed in minutes. There are two common methods of deployment, and both are implemented with just a few clicks:

  1. Use the Microsoft Graph API to claw back emails from the inbox post-delivery, inspect them and if a threat is found, either quarantine them or add a warning banner and return them to the inbox. If they are clean, they are returned to the inbox in their original format.
  2. Deploy mail flow rules into Microsoft 365 that divert emails to the ICES platform, where they are inspected and, if a threat is found, are quarantined or have a warning banner added before delivery to the inbox.

Both approaches use the Graph API to enable remediation of emails that are delivered and later found to be malicious. This is a function of mail-focused security orchestration, automation, and response (M-SOAR).

The first approach has been criticized by some for introducing an over-reliance on the Microsoft Graph API, as at times of heavy load, it can throttle the connection. This is well documented on Microsoft's support site and results in potentially malicious emails sitting in users’ inboxes for tens of seconds, if not minutes, during which time the user could open one and fall for a phish.

The second limitation of this approach is that the ICES platform is unable to claw back emails already delivered to devices that use their native email clients rather than the Outlook app. Again, this results in malicious emails potentially being available to the user.
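To make the throttling caveat concrete, here is an added simulation of the first deployment method (post-delivery clawback) that is not Egress or Microsoft code: a constructed stand-in for the Graph "move message" call answers HTTP 429 with a Retry-After header a few times, and the loop records how long the message remained reachable in the inbox. The classifier is a toy placeholder for the ML/NLP detection the post describes, and the sample message, addresses and URL are constructed.

```python
import re

class SimClock:  # constructed clock: runs instantly and deterministically
    def __init__(self):
        self.now = 0.0
    def sleep(self, seconds):
        self.now += seconds

class FakeGraph:
    """Constructed stand-in for the Graph 'move message' call (not the real SDK);
    answers HTTP 429 with a Retry-After header n times before succeeding."""
    def __init__(self, throttled_calls, retry_after=2):
        self.throttled_calls, self.retry_after, self.moved = throttled_calls, retry_after, []
    def move_message(self, message_id, destination_folder):
        if self.throttled_calls > 0:
            self.throttled_calls -= 1
            return 429, {"Retry-After": str(self.retry_after)}
        self.moved.append((message_id, destination_folder))
        return 201, {}

def looks_like_payloadless_phish(msg):
    """Toy placeholder for the ML/NLP classifier: no attachment, a link whose host
    is outside the sender's domain, and urgency wording in the body."""
    sender_domain = msg["from"].split("@")[-1].lower()
    hosts = re.findall(r"https?://([^/\s]+)", msg["body"])
    foreign_link = any(not h.lower().endswith(sender_domain) for h in hosts)
    urgent = re.search(r"\b(urgent|immediately|suspended|verify)\b", msg["body"], re.I)
    return not msg["attachments"] and foreign_link and urgent is not None

def remediate(graph, msg, clock, max_attempts=10):
    """Post-delivery clawback loop that honours Retry-After on 429 and reports
    how long the message stayed reachable in the inbox (the dwell time)."""
    delivered_at = clock.now
    if not looks_like_payloadless_phish(msg):
        return {"verdict": "clean", "action": "none", "attempts": 0, "dwell_seconds": 0.0}
    for attempt in range(1, max_attempts + 1):
        status, headers = graph.move_message(msg["id"], "Quarantine")
        if status == 429:  # throttled: the message is still sitting in the inbox
            clock.sleep(float(headers.get("Retry-After", "1")))
            continue
        return {"verdict": "phish", "action": "quarantined", "attempts": attempt,
                "dwell_seconds": clock.now - delivered_at}
    return {"verdict": "phish", "action": "gave_up", "attempts": max_attempts,
            "dwell_seconds": clock.now - delivered_at}

# Constructed sample message (placeholder addresses and URL).
SAMPLE = {"id": "msg-1", "from": "it-helpdesk@example.com", "attachments": [],
          "body": "URGENT: your account is suspended, verify at https://login.example.net/verify"}
```

The dwell_seconds value is the window the post warns about: every throttled attempt adds the Retry-After delay during which a user could still open the message.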

Integrated cloud email security (ICES) enables consolidation around Microsoft 365

According to Gartner, “The adoption of cloud email providers (e.g., Microsoft ...) that provide built-in email security hygiene capabilities is growing. Advanced email security capabilities to supplement these native capabilities are increasingly being deployed as integrated cloud email security solutions rather than as a gateway... Initially, these solutions (ICES) are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”  

As a result, 75% of organizations are pursuing a vendor consolidation strategy. Much of this strategy is centered around Microsoft 365, with organizations recognizing that they are under-utilizing much of the functionality they have already paid for with their E3 or E5 license. You can learn more about the drivers for consolidation in our blog 'Take a holistic approach to email security to reduce vendor sprawl'.

By augmenting Microsoft 365’s native email security, integrated cloud email security (ICES) platforms, such as Egress Defend, are helping many organizations realize their consolidation goals by enabling the removal of their SEG.

Why organizations need integrated cloud email security (ICES)

Cybercriminals are continually evolving their attacks, making use of a variety of tactics to evade traditional email security. For example, according to the Egress Email Threats Pulse Report 2023, there has been a 121% increase in the use of legitimate URLs as carriers for malicious payloads, a 51% increase in attacks sent from compromised accounts, and 71% of malicious payloads were HTML smuggling attacks. These types of attacks bypass the traditional signature-based and reputation-based detection present in Microsoft 365 and secure email gateways (SEGs).

In contrast, integrated cloud email security (ICES) solutions use AI and machine learning models (such as natural language processing (NLP) and natural language understanding (NLU)) to detect and thwart advanced phishing attacks.

Looking beyond ICES

Many organizations are looking beyond the threats that can be detected by integrated cloud email security (ICES) solutions. In much the same way that intelligent detection technologies have revolutionized inbound threat protection, they are transforming outbound threat protection. In the 2021 Market Guide, when Gartner introduced ICES, they also introduced the term email data protection (EDP).

EDP adds protection against data breaches caused by human error that leads to misaddressed emails, incorrect attachments, excessive recipients in the ‘To’ field, and emails containing sensitive information sent unencrypted. It also uses machine learning technology to understand normal sender and recipient behaviors and prompts the sender when an anomaly is detected. Like ICES adding warning banners, the goal is to nudge the user at the point of risk by intervening in their normal workflows.

As organizations begin to quantify this human-activated risk that results in data breaches, ICES vendors are looking to add EDP to their portfolios, as we have done with Egress Intelligent Email Security.

The Gartner Market Guide for Email Security, published in February 2023, will help you understand more about ICES and EDP platforms.