Cloud-native email security for Microsoft and google
Darktrace DETECT + RESPOND/Email
Darktrace/Email leverages the best data source to detect and neutralize threats in emails: your employees.
UNDERSTANDING THE DATA
Stopping the bad, allowing the good.
Businesses change, and as they do it's important email security solutions can determine the difference between unusual benign and unusual malicious.
Many emails are entirely legitimate and are critical to your business, and every legitimate email is essential for understanding normal to answer determine who emails whom, tone, types of links and attachments, and other metrics.
And answer questions like has your organization ever communicated with anybody at this domain? Does the email with soliciting text appear unusual compared to previous emails?
Many emails are entirely legitimate and are critical to your business, and every legitimate email is essential for understanding normal to answer determine who emails whom, tone, types of links and attachments, and other metrics.
And answer questions like has your organization ever communicated with anybody at this domain? Does the email with soliciting text appear unusual compared to previous emails?
Contextual AI
Machine analysis. Designed for humans.
Effective email security doesn't come with baggage, and shouldn't be left to a human to decipher, triage, or adjust. Darktrace/Email uses powerful AI to not only detect and respond to unusual emails, but ensure a human's interaction and intervention are left to the absolute minimum, saving time and resources for both the security team and end users.
50%
Anomaly scores
Calculated to display to a security admin the overall ranking of an email against the understanding of normal.
0% being completely usual and 100% representing an email that doesn't belong in the environment.
0% being completely usual and 100% representing an email that doesn't belong in the environment.
Out of Character
Suspicious Link
Spam
New Contact
Contextual tags
Provide high level descriptors of an email through Darktrace/Email's eyes.
Narrative
A natural language summary of Darktrace/Email's analysis, including the key unusual metrics like links, file and attachment links.
Written to be easily understood.
Written to be easily understood.
Email security that doesn't disrupt business
It’s all about precision.
Every email is different, with different content sent at different times to different people. What’s normal for one user may be unusual for another. Proportionate response means all data is understood, contextualized, and weighed so the right decisions are made.
When email security solutions are working, they should be invisible, working in the background to reduce risk while allowing legitimate emails to flow. Emails are protected while business flows normally.
When email security solutions are working, they should be invisible, working in the background to reduce risk while allowing legitimate emails to flow. Emails are protected while business flows normally.
The secret is not in the actions, but when you apply them.
That said, here's a glimpse at the tool belt.
That said, here's a glimpse at the tool belt.
RESPOND ACTION
No action necessary
.svg)
Move to junk
Flatten an attachment
Rewrite a suspicious link
Unspoof the sender
Completely deny access to link
Remove an attachment
Hold the message back entirely
... and many more.
UNDERSTANDING NORMAL
Thousands of Data Points. Every Email.
Darktrace/Email is constantly learning your normal email patterns, analyzing thousands of data points from every email to develop actionable metrics.
Raw Datapoints
Extracted directly from email
Sender IP
Sender Name
Has attachment?
Links in attachments?
. . .
Darktrace-Enriched Datapoints
Mathematically & AI-enhanced data features
Potential solicitation?
Potential extortion?
Is the link suspicious?
Is the tone consistent?
. . .
Once raw and calculated metrics are extracted, Darktrace Self-Learning AI works to understand the email in its entirety, with Darktrace DETECT determining unusual metrics.
For every metric DETECT asks
is it unusual for this sender or the organization?
is it unusual for this sender or the organization?
Sender IP
Sender Name
Low
Has attachment
Has links in attachment (2)
. . .
Potential solicitation?
Low
Potential extortion?
Link appears suspicious
High
Is the tone consistent?
. . .
And with its complete analysis of which elements of an email exist, Darktrace RESPOND steps in to neutralize either the risky parts of the email or the whole thing.
All metrics considered, is the email normal?
And issues the perfect counter response for the threat.
And issues the perfect counter response for the threat.
RESPOND ACTION
→
No action necessary
Rewrite the suspicious link
No action necessary
And the best part?
This all happens in milliseconds, with no human interaction necessary.
/Email +
/Apps +
/Network
/Apps +
/Network
Employees have ever-evolving lives and work across different devices, applications, and locations.
Darktrace understands a human's complete digital footprint, without reducing them to their inbox.
The complexity of humans behind the inbox are fully contextualized, making actions even more nuanced and precise.
Darktrace understands a human's complete digital footprint, without reducing them to their inbox.
The complexity of humans behind the inbox are fully contextualized, making actions even more nuanced and precise.
Unusual Link Detection
Email communications are observed and learned to create “patterns of life” which help answer the question of whether an email belongs in the inbox. The understanding of a domain within an organization is determined by any observed domain data, which may include data outside of Email - like Network and Endpoint.
Asking questions like:
- Has anybody in the organization ever communicated with this domain?
- What do those communications look like?
- What is the typical sentiment of the emails?
Link Rewriting and Locking
Rewriting every link is never the right answer. Darktrace/Email rewrites suspicious URLs and nothing else, determining in real time whether the link belongs in the email.
Tag Spotlight
Suspicious Link
Indicates behavior consistent with an attempt to deliver a payload via a link, whether hidden, embedded in an attachment, or exposed on the email body.
Lock Link
Rewrite a suspicious link
Applied to suspicious links, users are redirected to a landing page while Darktrace/Email makes a final determination to allow or deny access to the URL.
Double lock Link
Completely deny access to link
Applied to the highly suspicious links, users are redirected to a landing page where their intent to visit the link is recorded in Darktrace/Email but access to the URL is denied.
On-click, real time webpage analysis
When a user clicks a locked link, additional checks are performed to determine the legitimacy of the end-destination to identify fake login and similarly-dangerous pages. Analyzing the webpage's overall intent to determine if the page is secure enough to send the user to.
To determine intent Darktrace/Email weighs the answers of thousands of questions and data points, like:
you might check if it's asking a user for a username and password, are there pre-populated fields, are there recognizable logos but not on their expected domains?
To determine intent Darktrace/Email weighs the answers of thousands of questions and data points, like:
you might check if it's asking a user for a username and password, are there pre-populated fields, are there recognizable logos but not on their expected domains?
Unusual Attachment Detection
Malicious attachments are qualified in two key categories: Attachments containing malicious text content like links or inducement text and those containing malware.
Asking questions like:
- Does this user typically receive attachments like this?
- Does this sender typically send attachments?
- Is this attachment what it purports to be?
- Does this attachment appear suspicious?
Attachment Conversion & Stripping
Darktrace/Email rewrites or strips attachments when a risk is identified.
Tag Spotlight
Suspicious Attachment
An attachment which poses as a legitimate file may be designed to deploy malware on the recipient’s device when opened. Alternatively an attachment may not contain malicious code but could be used fraudulently to induce a bank payment or the sharing of sensitive data.
Convert attachment
Flatten attachment
Applied to attachments with one or several unusual components, the attachments are flattened to a neutralized version.
An example of this is the neutralization of a suspicious spreadsheet with macros enabled, it may be flattened to simply disable the macros.
An example of this is the neutralization of a suspicious spreadsheet with macros enabled, it may be flattened to simply disable the macros.
Strip attachment
Remove the attachment
Applied to the highly suspicious emails/attachments where the attachment is completely removed from the email.
Spoof Mitigation
Darktrace/Email's understanding doesn't stop at your users. Learning about who they correspond with, and how, is crucial to combating potential spoofing.
Leveraging established email security techniques, like SPF and DKIM, and combining them with rich contextual information about a user, their correspondents, and their organization, Darktrace/Email is able to detect when an email is sent from a user posing to be someone else.
Darktrace/Email reveals the true sender to the end user, stopping spoofing attempts.
Unspoof
Mitigate the psychological impact of a spoofed email address.
Tag Spotlight
Spoofing
Elements of these emails contain some weak indicators which are suggestive of spoofing attempts where an attacker may be masquerading as a known contact or commonly used service.
Tag Spotlight
Spoofing Indicators
Spoofing involves fixing some visual aspect of the email headers to make the email appear as if it came from someone recognizable to the recipient, such as a senior member of staff or the internal support team. Once the user’s interest is engaged they may be asked to download a file or divulge sensitive information.
Unspoof Action
Remove impact of spoof
Darktrace/Email will remove the impact of a spoofed From header by replacing it with the envelope, making it clear to the user who the email is from.
A use case for everything
The right approach can handle anything
Auto-Identify your most exposed, at-risk users
Dynamic risk assessments beyond your C-Suite, identifying the highest risk and most exposed individuals at any moment.
Trends you can do something with
Customizable dashboards displaying the previous 14 days of data for all the queries you value most.
Examples:
- Show me all emails that were unactioned by my gateway but stopped by Darktace/Email
- Show me emails actioned against my riskiest users
- Show me any legitimate emails my gateway moved to junk
Executive reporting and data where you want it
Data doesn't need to stay in a dashboard. Get the data you need wherever you need it.