Artificial Intelligence & Machine Learning , Email Security & Protection , Fraud Management & Cybercrime

Proofpoint, Cloudflare Dominate Email Defense Forrester Wave

Barracuda, Mimecast, Trend Micro Fall From Leaderboard as Cloud Takes Center Stage
Proofpoint, Cloudflare Dominate Email Defense Forrester Wave

Cloudflare and Check Point joined Proofpoint and Microsoft atop Forrester's email security rankings, while Trend Micro, Barracuda Networks and Mimecast tumbled from the leaders category.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

A number of security vendors have gotten into email protection in recent years by acquiring cloud-native, API-enabled email security - or CAPES - startups that go beyond blocking spam and malware to spot more sophisticated phishing attacks, said Forrester Senior Analyst Jess Burn. Cloudflare, Check Point, Fortra and Cisco have all bought CAPES vendors, and Abnormal Security has linked arms with CrowdStrike.

"Email has gone from this siloed stand-alone security solution to a much more integrated part of a full detection and response security solution," Burn told Information Security Media Group. "We're seeing all these platform folks get involved with email security because they realize so much starts with an email. There's so much trouble that can start with a successful phish."

Forrester once again sees Proofpoint's current email security offering as the strongest, though others have closed the gap. This time around, Microsoft, Check Point and Cloudflare captured second, third and fourth place, respectively. That's in contrast to May 2021, when Trend Micro, Broadcom, Barracuda, Microsoft and Cisco took second, third, fourth, fifth and sixth place for their offerings, Forrester said.

Burn said Proofpoint has built out a native CAPES capability and acquired organizations such as Illusive that help the company think about communication more holistically and detect whether or not account takeover activity is occurring (see: Sonatype, Snyk, Synopsys Top SW Comp Analysis Forrester Wave).

"If you've got somebody in your supply chain who's been compromised and they're sending you emails from what looks like a legitimate sender, you need to be able to detect whether that person has had some sort of account takeover activity and use it to make sure that your own company is not going to be targeted from some link in the supply chain," Burn said.

Proofpoint and Cloudflare tied for gold in strategy in the latest Forrester Wave. Microsoft took bronze, Google and Trend Micro tied for fourth, and Check Point and Tessian tied for sixth. That's very different than May 2021, when Trend Micro and Microsoft tied for gold in strategy, Mimecast captured bronze and Proofpoint, Barracuda and Google ended up in a three-way tie for fourth, Forrester said.

"There's so much trouble that can start with a successful phish."
– Jess Burn, senior analyst, Forrester

Burn said Cloudflare can spot campaigns being formed thanks to being able to see other domains that are spun up. The company can bring together a lot of the data and threat intelligence that organizations already have in their product set and apply email protection capabilities to the customer inbox, she said.

Outside of the leaders, here's how Forrester sees the enterprise email security market:

  • Strong Performers: Trend Micro, Google, Barracuda Networks, Mimecast, Tessian, Abnormal Security, Fortinet
  • Contenders: Sophos, Cisco, Fortra, Broadcom

Burn expects the email security space will broaden over the next two years to include communications and collaboration technology such as Teams, Slack and SharePoint that are susceptible to account takeover. She expects to see a resurgence of activity around email security from the XDR providers that are today outside the leader space and want to up their game by integrating organic investment and acquisitions.

"Most people are planning to do a lot of the things that some of the leaders already have," Burn said. "It's just a matter of getting to it and offering it to the customers within a specific window."

How the Email Security Leaders Climbed Their Way to the Top

Company Name Acquisition Amount Date
Check Point Avanan $227.1 million September 2021
Cloudflare Area 1 Security $156.6 million June 2023
Microsoft FrontBridge Technologies Not Disclosed July 2005
Proofpoint Illusive Not Disclosed December 2022

Proofpoint Focuses on Lateral Movement, Supplier Compromise

The Illusive acquisition has helped Proofpoint clients see an attacker's blast radius within a compromised account including stored credentials, privilege level, attack path to crown jewels and the administrative capability to deploy ransomware, said Darren Lee, executive vice president and general manager of security products and services. Illusive's identity tool generated more sales pipeline in its first 90 days than any product in Proofpoint's history.

Proofpoint also used data on compromised email accounts to launch a supplier threat protection tool, which identities if users in an organization are in contact with a third-party that has been compromised, Lee said. Proofpoint also has doubled down on spotting account takeover in cloud applications such as Microsoft 365 to ensure threat actors can't use that to gain broader access inside a compromised user (see: Getting a Tighter Grip on Supply Chain Security Risk).

"Every time we step into a proof of concept, every time we do a comparison, nobody disputes Proofpoint's efficacy is dramatically better than the rest of market," Lee told ISMG. "Do you value the efficacy and the efficiency that we can bring through the security stack? If so, Proofpoint's really a no-brainer."

Forrester urged Proofpoint to better integrate with itself for a more seamless user reporting and investigation experience. Lee said Proofpoint's user interface has long focused on enabling sophisticated customization for large enterprises, but a new user interface debuting over the winter focusing on obfuscating the knobs to simplify the user experience and abstract away a lot of the complexity.

"By the end of the year, you'll see pretty much the entire user experience flowing through a brand-new interface to address some of the concerns customers had," Lee said.

Cloudflare Takes on BEC, Phishing With Area 1 Technology

Cloudflare has focused on phishing-based business email compromise attacks in which adversaries either extort users or convince them to send emails outside the organization, according to Chief Technology Officer John Graham-Cumming. This makes it easier for adversaries to pursue direct theft, steal information from organizations and finance their operations, he said.

The Area 1 email security technology has been integrated deep within Cloudflare so that the controller and domains are all in one location and customers can address security, performance and privacy from a single pane of glass, Graham-Cumming said. Integrating Cloudflare's insights into how often domain names are looked up with Area 1's deep understanding of phishing and fraudulent websites gives clients a big advantage (see: CEO Matthew Prince on Why Cloudflare Got Into Email Security).

"A huge amount of data flows through our network, and we're able to use that data to understand new threats, emerging threats, as well as the performance and outages," Graham-Cumming told ISMG. "And when you bring that together with what Area 1 built, which is a real deep understanding of phishing of fraudulent websites, you have just an incredible amount of signals you can put together."

Forrester criticized Cloudflare for relying on email infrastructure providers and partnerships for encryption. Graham-Cumming said Cloudflare's native technology focuses on encryption at the network level rather than the message level to ensure the connection between the servers used for sending and receiving email are encrypted.

"That's up to the individual end users to look at what messaging service they're using and what encryption it provides," he said. "We will ensure that the connections used for receiving email and sending email out are encrypted."

Microsoft Takes on BEC Attacks by Probing Compromised Assets

Microsoft introduced a new capability that automatically identifies assets compromised by sophisticated attacks such as business email compromise and isolates them to prevent lateral movement and shut out the attacker, a company spokesperson told ISMG. The company can automatically disrupt ransomware and BEC attacks using Microsoft 365 Defender, according to Microsoft.

The company has focused on improving default system settings for customers through investments in built-in protection and secure templates as well as bringing improved ML models to its protection stack. Microsoft also has looked to bring differentiated protection to priority accounts and offer better tools to improve the resilience of users with predictive campaigns for simulations, a spokesperson said (see: Microsoft Security Sales Hit $20B as Consolidation Increases).

"Email continues to be a significant vector of attacks as attackers gravitate toward the ease and openness of email to target humans in phishing/social engineering style attacks," the Microsoft spokesperson told ISMG. "Business email compromise and ransomware attacks spread over email platforms are rampant."

Forrester and reference customers criticized Microsoft for lacking hosted and managed authentication management and reporting services, inconsistencies in reporting across dashboards and the number of malicious emails that continue to reach inboxes. Microsoft declined to comment on the issues raised.

"We remain committed to ensuring that customers get the most comprehensive protection from our offerings," the spokesperson said. "We’re constantly listening to customer feedback and updating our approach and focus, innovating across a variety of dimensions and partnering with customers to deliver on the things that are most important to them."

Check Point Uses Artificial Intelligence to Spot Bad Emails

Check Point has invested in artificial intelligence to catching phishing attacks by assessing the likelihood that an email was actually written by its purported sender, said Vice President of Email Security Gil Friedrich. By comparing the sentence structure and syntax in the email to those in legitimate emails from the user, firms can catch business email compromise attacks in which adversaries impersonate a business partner.

The company has extended encryption capabilities to the email security technology acquired from Avanan, ensuring that users won't receive an email until Check Point opens the encrypted files and ensures they are clean, according to Friedrich. Check Point uses AI to translate emails written in a foreign language and to analyze sentence structure to assess whether or not an email is phishing (see: Check Point CEO Gil Shwed on Why Prevention Beats Detection).

"This technology really helped with what we call BEC 2.0 attacks, where it's not an impersonation in the classical sense but it's actually a compromised account with your partner sending you emails," Friedrich told ISMG. "For hackers, it's another obstacle to try and create emails that look like the original owner and writer."

Forrester criticized Check Point for lacking native email authentication capabilities and needing more context around its alerts. Friedrich said Check Point plans to ensure it has a drill-down explaining what a security event is about in all cases rather than just 90% to 95% of cases. It has debuted a DMARC offering for larger customers in beta mode to address this gap in the company's portfolio.

"We constantly look to improve," Friedrich said. "We've broken them into specific improvements, and we're just going to address them one at a time and fix all of them."

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.