Why ICSA Advanced Threat Defense for Email is So Important

By David Finger | October 27, 2017

Verizon’s 2017 Data Breach Investigations Report found that two-thirds (66%) of all installed malware that successfully made its way past established defenses was delivered by email. This is particularly concerning because our weekly FortiGuard Labs Threat Intelligence Brief lists ransomware downloaders, typically delivered via email, among the top 5 pieces of malware in most weeks.

The reality is that while brand new attacks like WannaCry and Petya make the headlines, it is often established attacks like Locky, which continue to reinvent themselves, that pose the highest day-to-day risk. As we’ve blogged multiple times this year, in pieces like “Locky Launches a More Massive Spam Campaign with New ‘Lukitus’ Variant” and “Locky Unleashes Multiple Spam Waves with a New Variant ‘ykcol’”, Locky continues to deliver updated variants via new spam campaigns in an attempt to compromise systems and collect ransoms.

That is why I ask every organization I speak with at our Executive Briefing Center what they are using for email security, how long it has been in place, and whether it includes an integrated sandboxing component. As Gartner notes in its 2017 Market Guide on Secure Email Gateway, advanced threats (such as ransomware and business email compromise) are easily bypassing the signature-based and reputation-based prevention mechanisms that a secure email gateway (SEG) has traditionally relied on. We see this all the time when organizations evaluate our FortiMail SEG behind their installed solution, most of which were initially put in place three, four, five or sometimes more years ago!

Ensuring strong security that remains effective even as this top attack vector continually evolves is critically important. That is why we value the regular independent testing conducted by organizations such as ICSA Labs, a division of Verizon, through their accredited certification testing of Advanced Threat Defense (ATD) for email.

Every quarter, they collect new email-borne threats that reflect the current advanced threat landscape to see how well participating solutions do at stopping them. Their most recent test cycle, completed in 3Q 2017, reflects the resurgence of ransomware seen in the wild.

There were 106 test runs that included ransomware families such as Ergop, Locky, Cerber, and more. Fortinet’s FortiMail and FortiSandbox combination, a key part of our broader Advanced Threat Protection Solution and Security Fabric, was effective in stopping 100% of them while demonstrating overall high effectiveness combined with low false positives. We attained our ICSA ATD-Email Certification when this specific testing began over one year ago, and we have committed resources and personnel to continue renewing this certification every quarter.

For more information, I’ve embedded links in this article to information resources like our Threat Intelligence Newsletter, related security blogs, and more. If you are interested in learning even more about ransomware, our FortiGuard Labs experts conducted a free webcast, The End of Ransomware, and it is available on demand. You can also download our guide below, which outlines what organizations must do to ensure they have adequate protections across the entire attack surface.