Cloud Email Security Migration Guide

Plan. Deploy. Relax:
Cloud email security, simplified.

Overview

Area 1 Security is known for our ability to preemptively and comprehensively protect your organization against phishing and targeted threats. We secure your email environments, web, and network traffic, and do this with an accountable business model that improves your Total Cost of Ownership (TCO). Our cloud-native architecture makes it quick and easy  to deploy Area 1’s solution in your organization, catching the threats other defenses miss.

This guide will provide an overview of considerations and general steps needed to deploy Area 1 in your production environment. Whether you’re migrating off your Secure Email Gateway (SEG) or integrating us within your security stack, these guidelines will ensure a smooth transition so you can get the most out of our security capabilities.

As each organization’s adoption timeline is different, and some of these steps may require collaboration between multiple teams, we’ve broken this process into three phases:

1. Planning Your Area 1 Deployment
2. Implementation
3. Integrating Beyond Email

You may find your specific situation requires additional steps or phases, so think of this overview as a baseline that you can add to and amend. We have also included links to related resources, such as configuration guides, to help you gather all relevant information as you prepare for your deployment.

Phase 1: Planning Your Area 1 Deployment

The primary objective in this first phase is to understand and map out your email flow with Area 1.

Preferred  Deployment  Architectures

In order for Area 1 to have the greatest visibility into threats and preemptively stop them before they reach your inboxes, our recommendation for most production environments is to deploy Area 1 as the MX for your email domains. In the event that an existing email security solution is already in place, Area 1 may also be deployed downstream from the existing solution to detect any missed phishing campaigns.

In your Area 1 Phishing Risk Assessment, you likely evaluated the efficacy of Area 1 using the BCC or journaling deployments, allowing Area 1 to provide visibility into threats without affecting your production mail flow. For production deployments, you’ll need to transition from this evaluation architecture to either MX or inline mode.

In either MX or inline mode, improper routing can mean emails don’t reach  their intended destination, so it’s important  to plan and test email  flow to ensure all scenarios are accounted for. Area 1 provides  robust message tracing and alerting so you can verify messages are being routed properly.

Mapping Out Email Flow

Consider the following questions when mapping out your email flow to ensure you’ve accounted for details and exceptions.

Where is email going?
Where does email from each domain route to? Having this information mapped out will facilitate the initial configuration process.

What are your different routing layers?
Are there other email security layers? Are there MTAs that relay inbound messages? Having a good understanding of the logical and physical SMTP layers within the organization will ensure proper routing of messages.

Your organization may also have internal and DMZ routing  layers with different appliance and access permissions. Make sure the systems and appliances across these layers can accept and forward messages from Area 1.

What email traffic will Area 1 scan?
For External Threats: Scanning all inbound email traffic with Area 1 will certainly afford the most visibility and threat protection, but  you may  have specific use cases where some traffic needs to be exempt from Area 1 scanning. For example, you could be using a security training vendor whose phishing simulation program emails should not be scanned by Area 1.  Another example could be exempting traffic from another security organization providing threat intelligence.

Additional Considerations for Hybrid Environments

Traditional on-premise, hardware-based applications and appliances cannot adapt quickly to traffic spikes. However, Area 1 Security’s cloud-native, multi-tenant architecture means we’re able to dynamically scale our service based on your email traffic environments.

Before transitioning Area 1 to MX or inline mode, consider how this may affect any hardware-based appliances (e.g. FireEye appliances, etc.) that email traffic must pass through. If your previous email security system or SEG queued messages to account for message spikes, you may need to resize appliances downstream of Area 1 to ensure those appliances aren’t overloaded.

Mapping Out Email Flow

For Internal Threats: Most organizations will have thought about inbound and outbound traffic (or north/south traffic). But what about internal or east/west traffic? Unlike most SEGs, Area 1 can also scan for internal threats. If you’re concerned about these threats, add internal traffic flows to Area 1 for inspection and visibility through an internal connector or internal journaling. (Note: This deployment may differ depending on whether you’re using Microsoft Office 365 or Gmail. Our Customer Success team can help you with this implementation.)

Where does Area 1 fit in existing email policies?

If you’re adding Area 1 rules to existing email rulesets, you’ll need to review your current email policies first to determine the correct position of the Area 1 rules. For example, if your MX is pointing to your email provider Office 365, most organizations will have blocking rules in their policies. These blocking rules are generally at the top of the policy table, i.e. if a message is going to be blocked or rejected, it does not make sense to do any further process the message. Therefore, the Area 1 routing rule should be inserted after these blocking rules.

Additionally, you may want to reconsider your existing whitelisting rules. Traditionally, these rules have been established to prevent messages from being identified as spam. With phishing, whitelisting for this purpose may create a security gap as many attackers will use trusted infrastructure or compromised partners to conduct their campaigns, thus exposing your users to a phishing threat.

Phase 2: Implementation

After auditing and mapping out your email flow, the next step is making the required configuration changes and testing. Most of the configuration required for the deployment of Area 1 can be done without immediately affecting the production email flow. This allows the configuration to be validated before enabling the rules to the full production flow.

The following provides a basic checklist for configuration changes that need to be made. However, each organization is different, and this is not an exhaustive list, so you may need to make additional changes for your organization.

Configuration changes typically required for Area 1 production deployments:

When Area 1 is  deployed as the MX  record:

• Configure the downstream service to accept mail from Area 1
• Ensure that Area 1’s egress IPs are not rate limited or blocked as this would affect delivery of messages.
• If email server or SEG is on-premises, update firewall rules to allow Area 1 to deliver to these systems.
• Configure remediation rules (e.g. quarantine, add subject or message body prefix, etc.).
• If a SEG is downstream from Area 1, ensure that the SEG can continue to see the original IP. Otherwise, this may impact its ability to evaluate messages for spam detection if you continue to use their anti-spam engine.
• Test the  message flow by injecting messages into Area 1 to confirm proper delivery. (Area 1 can assist with this step.)
• Update MX records to point to Area 1.

When Area 1 is deployed downstream from an existing email security solution:

• Configure the proper lookback hops on Area 1, so that Area 1 can detect the original sender IP address.
• If your email server is on-premises, update firewall rules to allow Area 1 to deliver to the email server.
• Configure remediation rules (e.g. quarantine, add subject or message body prefix,  etc.)  on the system downstream of Area 1.
• Test the  message flow by injecting messages into Area 1 to confirm proper delivery. (Area 1 can assist with this step.)
• Update the delivery routes  on your SEG to deliver all mail to Area 1, instead  of the email servers.

You should always test email flow before cutting over to ensure configurations are correct and email is flowing as intended. Make sure tests include all use cases and email domains. Remember to add or modify the appropriate exceptions to your policies as well.

This is also a good time to check that your monitoring and alerting processes are working properly. Area 1 alerts on malicious, suspicious, spam and spoof messages. Ensure workflows for each verdict are set up and can be acted upon. This may also require integration with other security systems, which is explained in more  detail in  the next  section.

Once email routing configurations are complete and appropriate access is given for Area 1’s delivery of email, you should be able to cut over MX records to point to Area 1 or enable inline routing through Area 1 as the final step.

After cutover, make sure you continue to monitor that email routing and delivery are working as desired, especially for systems that send email on your organization’s behalf (e.g. Salesforce, survey and marketing automation tools, etc.).

Phase 3: Integrating Beyond Email

Area 1 knows that security doesn’t exist in silos. Our API-first architecture allows for easy, streamlined integration with many other security systems and tools. Our detailed detection forensics also adds considerable value to data analysis tools.

After completing the email security implementation with Area 1, you may want to consider  integrating Area 1 with other parts of your organization, allowing you to derive additional value from existing security investments.

Here are our customers’ most common post-email next-steps and integrations with Area 1.

Integrating with DNS

Area 1 includes a recursive DNS service to extend our protection to  the web  and  DNS channels. By using our recursive DNS service, or connecting Area 1 with your DNS services, Area 1 protects end users from accessing phishing and malicious sites through email links or web browsing. Related article:  Recursive DNS

Integrating with Data Analysis Tools

Area 1 provides multi-level forensics and context for all our detections such as threat actor information, campaign and indicators of compromise (IOCs). This, along with message tracing and email statistics, can be readily ingested by your data analysis tools for additional reporting, correlation and statistics.

Integrating with SIEMs

Area 1’s detailed and customizable reporting allows for at-a-glance visibility into threats. By integrating with SIEMs through our robust APIs, you can easily correlate Area 1 detections with events from network, endpoint and other security tools for simplified incident management.

Integrating with SOARs

While Area 1’s Autonomous Phish SOC and built-in remediation via Message Retraction allows you to respond to threats directly within the Area 1 dashboard, many organizations also choose to integrate our platform with orchestration tools for custom response playbooks. Many customers leverage our API hooks to integrate SOARs to manage response processes across their organization. Related article: SIEM and SOAR Best Practices

Integrating with   Identity Platforms

With credential harvesting one of the objectives of phishing campaigns, it makes perfect sense to integrate identity and email security as a combined defense. Area 1 integrates with Single Sign-On (SSO) and identity platforms like Okta and OneLogin to control access to the Area 1 administrative console for additional security. Related article: Configuring SAML and Single Sign-On

Integrating with Firewalls & Network Security

By using our recursive DNS and API functionality, customers can integrate Area 1 with their firewalls and network detection and response (NDR) systems to correlate detection and IOCs. Through integration with network security systems, Area 1 can help detect attacker communication with command and control infrastructure and evidence of exfiltration.

Integrating with Proprietary Systems

Many enterprises have customized security systems and tools that can be integrated with Area 1 via our APIs. Our Customer Success  team is always available to help you with configuration and implementation guidance, including custom integration with these proprietary systems.

Conclusion

Switching to better email security does not have to be a herculean task with Area 1 Security. With a few configuration changes, your organization will be protected with preemptive, comprehensive email security with fast time-to-value and an improved TCO. You can find out how to use our advanced features like our Autonomous Phish SOC, see how we integrate with your security ecosystem, and more at our Customer Knowledge Base.

Ready to get started? — Reach out to your solution architect to plan  your migration.

About Area 1 Security

Area 1 Security is the only company that preemptively stops Business Email Compromise, malware, ransomware and targeted phishing attacks. By focusing on the earliest  stages  of  an attack, Area 1 stops phish — the root cause of 95 percent of breaches — 24 days  (on average) before they launch. Area 1 also offers the cybersecurity industry’s first and only performance-based  pricing  model,  Pay-per-Phish.

Area 1 is trusted by Fortune 500 enterprises across financial services, healthcare, critical infrastructure and other industries, to preempt targeted phishing attacks, improve their cybersecurity posture, and change outcomes.

Area 1 is cloud-native, a Certified Microsoft Partner, and Google Cloud Technology Partner of the Year for  Security.  To  learn  more,  visit www.area1security.com,  follow  us  on  LinkedIn,  or  subscribe to the Phish of the Week newsletter.