Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
09:00 AM
Rik Turner
Rik Turner
Connect Directly
E-Mail vvv

Research Highlights Significant Evolution in Email Security

Email security is in transition, from on-premises to the cloud, from inline to API-based, and from stand-alone to integrated into XDR. New research from Omdia highlights where the market is today, and where it is heading.

Email is the most popular vector through which to initiate successful cyberattacks. Statistics indicate that anywhere between 90% and 95% of all such attacks involve email, whether to deliver malware, to hoodwink a user into visiting a website from which ransomware will be downloaded, or simply to imitate a CEO or CFO and demand that a multimillion-dollar payment be expedited forthwith.

It should be no surprise, then, that email security is a core requirement for any organization. So much so that, in 2020, market leader and pure-play email security vendor Proofpoint produced more than $1 billion in revenue for the first time.

This is a sector in transition, however, as Omdia explains in a newly published report comparing top email security vendors, entitled "Omdia Universe: Selecting an Inbound Email Security Platform."

Omdia qualifies the description with the pseudo-epithet "inbound" because outbound email security is still quite a distinct market, at a much earlier stage in its development. Outbound email security features a different set of dedicated vendors, while only a few of the inbound security vendors have added features to address this requirement.

Inbound email security represents the lion's share of the overall email security market, and with good reason. Dodgy email attachments spawned the antivirus industry way back in the 1980s, creating a few industry titans like Symantec and McAfee along the way, and while creative solutions such as malware sandboxing have emerged to blunt the threat, email remains the easiest way into a target environment, particularly now that malware, spam, and spyware represent just a few of the tactics adversaries employ.

Change in the email security landscape is driven by two primary factors. First, there is the aforementioned evolution in the types of attacks, with methods such as phishing, business email compromise (BEC), and executive fraud now predominating (and doing the most monetary damage). Second, as with virtually every other area of IT, is the cloud.

Cloud Changes Everything
Since Microsoft started delivering email from cloud-based email servers in 2011 with the launch of Office 365, that part of the market has mushroomed; a decade later, the software giant now serves some 300 million corporate inboxes from the cloud.

One of the first consequences of the success of Office 365, now renamed as Microsoft 365, was to force all the vendors of on-premises email security products (the so-called secure email gateways, or SEGs), to develop cloud-based versions of their offerings.

More interestingly, however, an entire new market segment has now evolved, made up of companies with security platforms that reach into Office 365 via Microsoft's application programming interface (API). This is in contrast to SEGs, which sit in front of the email server (or, these days, service) and rely on an MX redirect for the message to go to them first and are thus a "one-time" security check.

Figure 1: The SEGs move into the cloud
Source: Omdia

Figure 1: The SEGs move into the cloud
Source: Omdia


The Redmond Leviathan Enters the Ring
Just as consequentially, Microsoft's move to the cloud for email services also brought it into the world of email security, in a way it had never been when it resided on corporate premises with an Exchange server. Its email security offering now includes two different products: Exchange Online Protection (EOP) to guard against malware, spam, and spyware; and Advanced Threat Protection (ATP, now also known as Microsoft Defender) to combat more modern attack methodologies.

So, is Microsoft a competitor in this market? Well, yes and no. It bundles EOP into all the various SKUs of Microsoft 365 and offers ATP as part of the higher-level, more expensive E5 SKU. It does not, however, offer them as stand-alone products, and one certainly wouldn't expect to use either platform to defend, say, Gmail accounts.

Nonetheless, the availability of Microsoft email security products does make the work of other vendors offering email security for O365 that little bit harder. Indeed, one might wonder, "If I'm already getting EOP, why do I need a SEG?"

One could ask a similar question with regard to ATP and the newer generation of email security vendors, which for simplicity's sake, Omdia calls simply the non-SEGs. (A competing research firm refers to these vendors with acronyms including IESS and CESS, but they don't seem to be catching on in the market, perhaps because no vendor wants to be classified as being in the CESS pool!)

However, both SEGs and non-SEGs insist that their detection and remediation capabilities are much better than Microsoft's, citing the number of corporate customers that use them, despite the availability of EOP and ATP.

Meanwhile the non-SEG vendors, all of whom are far smaller than the big SEG players, argue that a combination of Microsoft EOP, to stop the common-or-garden email-bound threats, and their technology for protection against the more advanced attacks, is a cheaper and more effective alternative to the SEGs, even though many of the latter have also added protection from phishing, BEC, and so on in recent years.

Email as a Fourth Pillar of XDR
As Omdia was finalizing the report, one of the most interesting of the non-SEGs was acquired by a security industry heavyweight, with Check Point buying Avanan.

Omdia highlighted Avanan as a leader in the space, despite its minuscule size compared with the likes of fellow leaders Proofpoint and Mimecast, because of its differentiated technical approach: It started out as an API-based non-SEG like the rest, then added an inline inspection capability to sit after, rather than before, the email service, casting itself as a "last line of defense." It also covers other software-as-a-service applications besides O365 and Gmail, including Box, Dropbox, Teams, and Slack.

The acquisition, aside from bolstering Check Point's email security offering, also highlights a broader trend, namely the integration of data from email security products into so-called extended detection and response (XDR) platforms. XDR takes telemetry from multiple security tools (particularly in the areas of endpoint, network, and cloud), analyzes it centrally, usually in a cloud-based data lake, and then takes decisions about remedial actions and pushes them back out to the individual tools for enforcement. And email is fast becoming the fourth obligatory pillar.

Figure 2: The four pillars of XDR
Source: Omdia

Figure 2: The four pillars of XDR
Source: Omdia

This situation favors those security vendors with portfolios covering all the pillars required to feed telemetry to an XDR platform. Three of the top five SEG players, Broadcom/Symantec, Cisco, and Barracuda, fall into that category. Numbers 1 and 2 on the list, however, are Proofpoint and Mimecast, neither of which are broad-based security players, so both must rely on integrations with partners' products if customers want to use them in an XDR deployment. Meanwhile, Check Point has already stated that the Avanan product will integrate with its Infinity architecture, which is its XDR offering.

Looking Ahead: The Future of Email Security
Omdia forecasts growth in the cloud-based SEG-as-a-service portion of the SEG market through 2024, when it should reach $2 billion, up from last year's $1.6 billion.

But which vendors are best placed to take advantage of that growth? Will it be existing SEG vendors, emerging players, or indeed, will Microsoft itself seek to mop up that extra email security spending by enterprises?

While Omdia believes competition will remain robust in all segments of the email security market, observers should watch Microsoft carefully. The vendor has promised to invest $20 billion in security during the next five years, quadrupling its current spending. Should Microsoft decide to add to its existing email security offerings, or merely make access more challenging or costly for email security vendors, the ramifications would be felt far and wide.

Rik is a principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.