NetworkSage vs. Secure Email Gateways

Sometimes I'm asked about how Network Interpreters and Secure Email Gateways compare. I wanted to share how I think about the similarities and differences of these tools.

Secure Email Gateways

Secure Email Gateways (SEGs) are platforms that integrate with your enterprise's email solution to analyze the subject, content, and metadata of all received emails. This level of access provides a powerful way to look for attacks that may look convincing to a user but obviously suspicious to the platforms models. However, such deep level of inspection comes at a cost. Your enterprise must decide whether this level of analysis is an appropriate trade-off for the loss of privacy and potential for loss of sensitive data (should the vendor become compromised).

Shortcomings of SEGs

Beyond the tradeoffs mentioned above, SEGs have several shortcomings associated with them.

1. Sophisticated Misdirection Attacks Bypass Defenses

Attackers are constantly evolving their tactics in order to exploit the weak points in their target's defenses. One way that has been occurring more frequently in recent months is disguising malicious activity much deeper into the attack sequence. As an example, if an attacker uses anti-bot technology to validate that the thing visiting a phishing link is in fact a human, the SEG will no longer be effective.Malicious site with Antibot technology

Figure 1: Malicious site with Antibot technology

2. Only Corporate Email is Protected

In a world changed by flexible work policies, the traditional separation between work and life is blurring more and more by the day. One effect is that users will commonly have different email accounts open on the same system -- whether that's work email on their personal phone, or personal email on their work laptop. Therefore, an attacker who wants to bypass protections afforded by a SEG can simply choose to target a user's personal email account.

3. No Visibility into Other Attack Types

While the majority of today's attacks do enter the enterprise via email, there are significant compromises which begin through other attack vectors. To give an example, attackers have (for years at this point) been targeting commonly-searched topics (such as "free PDF conversion software") and creating sites that provide trojanized browser extensions. This is a relatively common and successful vector, as evidenced by numerous threat reports [1, 2, 3].

How is NetworkSage Different?

Because NetworkSage works with your network flows (no payload needed!), it is able to explain and visualize which steps were taken by your users while preserving your privacy. This is true for all attack types which have network traffic, whether or not that traffic is associated with your enterprise services or employs advanced evasionary tactics.
In the interest of full disclosure, I'll note that -- on its own -- NetworkSage does not prevent attacks, whereas SEGs are intended to do so. The data found within NetworkSage, however, can be even more powerful when leveraged by these and other platforms via API.

Additional Resources

To dig deeper into what NetworkSage has to offer, I recommend the following resources:
Or, if you just want to get out and start exploring, you can register for a free account and start submitting samples now!