Plan. Deploy. Relax:
Cloud email security, simplified.
Area 1 Security’s Email Security Migration Guide is for busy people who would rather prevent phishing attacks than wrestle with complex configurations. Implementation is streamlined, flexible and intuitive, so you can get up and running quickly on what matters most—airtight email security and stopping cyberattacks.
Impact on traffic: None. You’ll see no effect on your visibility and flow. In fact, the only way you’ll know we’re running is that phish stop arriving.
Integration: Simple. Our API First cloud-native solution enables maximum agility in integrating with your existing security architecture.
Configuration options: Your Choice. We recommend deploying Area 1 as the MX for your email domains. But whatever way you choose, we’ll optimize your protection.
View this diagram-rich guide, which breaks Area 1 implementation into:
- Planning: Understanding and mapping out your email flow, including external and internal threats, plus considerations for hybrid environments
- Implementing: Making the required configuration changes and testing to validate your plan before enabling the full production flow
- Integrating Beyond Email: Streamlining integration with DNS, data analysis tools, SIEMs, SOARs, identity platforms, firewalls, SEGs, and proprietary systems
Of course, our Customer Success team is standing by to help, including with custom integration with proprietary systems. Check out the guide now to see the many options for your ideal email security fit.
Area 1 Security is known for our ability to preemptively and comprehensively protect your organization against phishing and targeted threats. We secure your email environments, web, and network traffic, and do this with an accountable business model that improves your Total Cost of Ownership (TCO). Our cloud-native architecture makes it quick and easy to deploy Area 1’s solution in your organization, catching the threats other defenses miss.
This guide will provide an overview of considerations and general steps needed to deploy Area 1 in your production environment. Whether you’re migrating off your Secure Email Gateway (SEG) or integrating us within your security stack, these guidelines will ensure a smooth transition so you can get the most out of our security capabilities.
As each organization’s adoption timeline is different, and some of these steps may require collaboration between multiple teams, we’ve broken this process into three phases:
- Planning Your Area 1 Deployment
- Implementation
- Integrating Beyond Email
You may find your specific situation requires additional steps or phases, so think of this overview as a baseline that you can add to and amend. We have also included links to related resources, such as configuration guides, to help you gather all relevant information as you prepare for your deployment.
Phase 1: Planning Your Area 1 Deployment
The primary objective in this first phase is to understand and map out your email flow with Area 1.
Preferred Deployment Architectures
In order for Area 1 to have the greatest visibility into threats and preemptively stop them before they reach your inboxes, our recommendation for most production environments is to deploy Area 1 as the MX for your email domains. In the event that an existing email security solution is already in place, Area 1 may also be deployed downstream from the existing solution to detect any missed phishing campaigns.
In your Area 1 Phishing Risk Assessment, you likely evaluated the efficacy of Area 1 using the BCC or journaling deployments, allowing Area 1 to provide visibility into threats without affecting your production mail flow. For production deployments, you’ll need to transition from this evaluation architecture to either MX or inline mode.
In either MX or inline mode, improper routing can mean emails don’t reach their intended destination, so it’s important to plan and test email flow to ensure all scenarios are accounted for. Area 1 provides robust message tracing and alerting so you can verify messages are being routed properly.
Mapping Out Email Flow
Consider the following questions when mapping out your email flow to ensure you’ve accounted for details and exceptions.
Where is email going?
Where does email from each domain route to? Having this information mapped out will facilitate the initial configuration process.
What are your different routing layers?
Are there other email security layers? Are there MTAs that relay inbound messages? Having a good understanding of the logical and physical SMTP layers within the organization will ensure proper routing of messages.
Your organization may also have internal and DMZ routing layers with different appliance and access permissions. Make sure the systems and appliances across these layers can accept and forward messages from Area 1.
What email traffic will Area 1 scan?
For External Threats: Scanning all inbound email traffic with Area 1 will certainly afford the most visibility and threat protection, but you may have specific use cases where some traffic needs to be exempt from Area 1 scanning. For example, you could be using a security training vendor whose phishing simulation program emails should not be scanned by Area 1. Another example could be exempting traffic from another security organization providing threat intelligence.
Additional Considerations for Hybrid Environments
Traditional on-premises, hardware-based applications and appliances cannot adapt quickly to traffic spikes. However, Area 1 Security’s cloud-native, multi-tenant architecture means we’re able to dynamically scale our service based on your email traffic environments.
Before transitioning Area 1 to MX or inline mode, consider how this may affect any hardware-based appliances (e.g. FireEye appliances, etc.) that email traffic must pass through. If your previous email security system or SEG queued messages to account for message spikes, you may need to resize appliances downstream of Area 1 to ensure those appliances aren’t overloaded.
For Internal Threats: Most organizations will have thought about inbound and outbound traffic (or north/south traffic). But what about internal or east/west traffic? Unlike most SEGs, Area 1 can also scan for internal threats. If you’re concerned about these threats, add internal traffic flows to Area 1 for inspection and visibility through an internal connector or internal journaling. (Note: This deployment may differ depending on whether you’re using Microsoft Office 365 or Gmail. Our Customer Success team can help you with this implementation.)
Where does Area 1 fit in existing email policies?
If you’re adding Area 1 rules to existing email rulesets, you’ll need to review your current email policies first to determine the correct position of the Area 1 rules. For example, if your MX is pointing to your email provider Office 365, most organizations will have blocking rules in their policies. These blocking rules are generally at the top of the policy table, i.e. if a message is going to be blocked or rejected, it does not make sense to process the message any further. Therefore, the Area 1 routing rule should be inserted after these blocking rules.
Additionally, you may want to reconsider your existing whitelisting rules. Traditionally, these rules have been established to prevent messages from being identified as spam. With phishing, whitelisting for this purpose may create a security gap as many attackers will use trusted infrastructure or compromised partners to conduct their campaigns, thus exposing your users to a phishing threat.
Phase 2: Implementation
After auditing and mapping out your email flow, the next step is making the required configuration changes and testing. Most of the configuration required for the deployment of Area 1 can be done without immediately affecting the production email flow. This allows the configuration to be validated before enabling the rules to the full production flow.
The following provides a basic checklist for configuration changes that need to be made. However, each organization is different, and this is not an exhaustive list, so you may need to make additional changes for your organization.
Configuration changes typically required for Area 1 production deployments:
When Area 1 is deployed as the MX record:
- Configure the downstream service to accept mail from Area 1
- Ensure that Area 1’s egress IPs are not rate limited or blocked as this would affect delivery of messages.
- If your email server or SEG is on-premises, update firewall rules to allow Area 1 to deliver to these systems.
- Configure remediation rules (e.g. quarantine, add subject or message body prefix, etc.).
- If a SEG is downstream from Area 1, ensure that the SEG can still see the original sender IP. Otherwise, if you continue to use the SEG’s anti-spam engine, its ability to evaluate messages for spam may be impaired.
- Test the message flow by injecting messages into Area 1 to confirm proper delivery. (Area 1 can assist with this step.)
- Update MX records to point to Area 1.
When Area 1 is deployed downstream from an existing email security solution:
- Configure the proper lookback hops on Area 1, so that Area 1 can detect the original sender IP address.
- If your email server is on-premises, update firewall rules to allow Area 1 to deliver to the email server.
- Configure remediation rules (e.g. quarantine, add subject or message body prefix, etc.) on the system downstream of Area 1.
- Test the message flow by injecting messages into Area 1 to confirm proper delivery. (Area 1 can assist with this step.)
- Update the delivery routes on your SEG to deliver all mail to Area 1, instead of the email servers.
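As an added example (not Area 1’s own code), the following Python check mirrors the lookback-hop setting in the checklist above: it parses the Received: chain of a constructed message, as a scanner deployed behind a SEG would see it on arrival, shows which IP a given lookback count yields, and derives the right count from the set of your own relay IPs. All hostnames and addresses are constructed.

```python
"""Recover the originating sender IP from a Received: chain with a
configurable lookback-hop count (added example, not Area 1's code)."""
import re
from email import message_from_string
from typing import List, Optional, Set

# Address literal in a "from host (name [1.2.3.4])" or "[IPv6:...]" clause.
_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

# Constructed sample as the scanner sees it: sender -> SEG -> scanner.
# Each hop prepends its own Received: header, so the newest hop is first.
SAMPLE_MSG = """\
Received: from seg.example.com ([192.0.2.20])
\tby area1-scanner.example.net with ESMTPS; Mon, 01 Jan 2024 10:00:02 +0000
Received: from mta.sender.example ([198.51.100.7])
\tby seg.example.com with ESMTPS; Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@example.com
Subject: constructed test message

body
"""


def received_chain(raw: str) -> List[str]:
    """Return Received: header values, most recent hop first, unfolded."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def hop_ip(header: str) -> Optional[str]:
    """Extract the connecting IP literal from one Received: header."""
    m = _IP_RE.search(header)
    return m.group(1) if m else None


def originating_ip(raw: str, lookback_hops: int) -> Optional[str]:
    """IP of the hop `lookback_hops` hops back from the scanner.

    0 means the host that connected to the scanner; each extra hop skips one
    trusted relay. Returns None when the chain is shorter than the configured
    lookback, which is the misconfiguration to watch for in testing.
    """
    chain = received_chain(raw)
    if lookback_hops < 0 or lookback_hops >= len(chain):
        return None
    return hop_ip(chain[lookback_hops])


def suggested_lookback(raw: str, trusted_relays: Set[str]) -> int:
    """Count the leading hops that came from your own relays; that is the
    lookback value needed so the scanner grades the real sender, not the SEG."""
    n = 0
    for header in received_chain(raw):
        if hop_ip(header) not in trusted_relays:
            break
        n += 1
    return n
```

With lookback 0 the scanner would grade the SEG’s own IP; lookback 1 yields the true sender, and a lookback larger than the chain returns None, which is the case to catch during pre-cutover testing.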
You should always test email flow before cutting over to ensure configurations are correct and email is flowing as intended. Make sure tests include all use cases and email domains. Remember to add or modify the appropriate exceptions to your policies as well.
This is also a good time to check that your monitoring and alerting processes are working properly. Area 1 alerts on malicious, suspicious, spam and spoof messages. Ensure workflows for each verdict are set up and can be acted upon. This may also require integration with other security systems, which is explained in more detail in the next section.
Once email routing configurations are complete and appropriate access is given for Area 1’s delivery of email, you should be able to cut over MX records to point to Area 1 or enable inline routing through Area 1 as the final step.
After cutover, make sure you continue to monitor that email routing and delivery are working as desired, especially for systems that send email on your organization’s behalf (e.g. Salesforce, survey and marketing automation tools, etc.).
Phase 3: Integrating Beyond Email
Area 1 knows that security doesn’t exist in silos. Our API-first architecture allows for easy, streamlined integration with many other security systems and tools. Our detailed detection forensics also adds considerable value to data analysis tools.
After completing the email security implementation with Area 1, you may want to consider integrating Area 1 with other parts of your organization, allowing you to derive additional value from existing security investments.
Here are our customers’ most common post-email next steps and integrations with Area 1.
Integrating with DNS
Area 1 includes a recursive DNS service to extend our protection to the web and DNS channels. By using our recursive DNS service, or connecting Area 1 with your DNS services, Area 1 protects end users from accessing phishing and malicious sites through email links or web browsing. Related article: Recursive DNS
Integrating with Data Analysis Tools
Area 1 provides multi-level forensics and context for all our detections, such as threat actor information, campaign details and indicators of compromise (IOCs). This, along with message tracing and email statistics, can be readily ingested by your data analysis tools for additional reporting, correlation and statistics.
Integrating with SIEMs
Area 1’s detailed and customizable reporting allows for at-a-glance visibility into threats. By integrating with SIEMs through our robust APIs, you can easily correlate Area 1 detections with events from network, endpoint and other security tools for simplified incident management.
Integrating with SOARs
While Area 1’s Autonomous Phish SOC and built-in remediation via Message Retraction allow you to respond to threats directly within the Area 1 dashboard, many organizations also choose to integrate our platform with orchestration tools for custom response playbooks. Many customers leverage our API hooks to integrate SOARs to manage response processes across their organization. Related article: SIEM and SOAR Best Practices
Integrating with Identity Platforms
With credential harvesting being one of the objectives of phishing campaigns, it makes perfect sense to integrate identity and email security as a combined defense. Area 1 integrates with Single Sign-On (SSO) and identity platforms like Okta and OneLogin to control access to the Area 1 administrative console for additional security. Related article: Configuring SAML and Single Sign-On
Integrating with Firewalls & Network Security
By using our recursive DNS and API functionality, customers can integrate Area 1 with their firewalls and network detection and response (NDR) systems to correlate detection and IOCs. Through integration with network security systems, Area 1 can help detect attacker communication with command and control infrastructure and evidence of exfiltration.
Integrating with Proprietary Systems
Many enterprises have customized security systems and tools that can be integrated with Area 1 via our APIs. Our Customer Success team is always available to help you with configuration and implementation guidance, including custom integration with these proprietary systems.
Switching to better email security does not have to be a herculean task with Area 1 Security. With a few configuration changes, your organization will be protected with preemptive, comprehensive email security with fast time-to-value and an improved TCO. You can find out how to use our advanced features like our Autonomous Phish SOC, see how we integrate with your security ecosystem, and more at our Customer Knowledge Base.
Ready to get started? Reach out to your solution architect to plan your migration.
About Area 1 Security
Area 1 Security is the only company that preemptively stops Business Email Compromise, malware, ransomware and targeted phishing attacks. By focusing on the earliest stages of an attack, Area 1 stops phish — the root cause of 95 percent of breaches — 24 days (on average) before they launch. Area 1 also offers the cybersecurity industry’s first and only performance-based pricing model, Pay-per-Phish.
Area 1 is trusted by Fortune 500 enterprises across financial services, healthcare, critical infrastructure and other industries, to preempt targeted phishing attacks, improve their cybersecurity posture, and change outcomes.
Area 1 is cloud-native, a Certified Microsoft Partner, and Google Cloud Technology Partner of the Year for Security. To learn more, visit www.area1security.com, follow us on LinkedIn, or subscribe to the Phish of the Week newsletter.