Post Delivery Detection and Security Orchestration Automation and Response (SOAR) capabilities in Graphus

January 21, 2020

The recently published report on email security by Gartner – Market Guide for Email Security, discussed Post Delivery Protection and M-SOAR. These capabilities help detect and remediate malicious emails that have passed all existing security controls to land in the Inbox.

Since the end user may open these emails it is necessary to alert different tools, entities, and processes like SOCs, SIEMS, Security personnel for investigation and remediation.

There are generic security orchestration automation and response (SOAR) tools available in the market with some form of phishing response playbooks. It is generally time consuming and expensive to configure and use these tools for phishing-specific use cases.

At Graphus, our focus is on email security. We provide deep integration with APIs of cloud email providers like GSuite and Office 365, as well as several external tools like Sandboxing engines and SIEM products. These capabilities allow us to create customized and default SOAR playbooks. These playbooks help customers address post delivery detection, investigation and response capabilities which are unique to their threat landscape. Graphus simplifies an otherwise challenging and time consuming process.

As an example, one Graphus customer was attacked on a daily basis with emails that asked recipients to login to a phishing site to checkout the money that was credited in their account. These emails were sent to the same group of people with similar content and text but different Zero Day URLs. Attackers would create a new Yahoo email address to launch these attacks everyday. The customer was looking for ways to auto-remediate these attacks but was not able to do it with any existing security tools at their disposal. Graphus quickly created a playbook for this customer with the following steps:

  1. Detect malicious emails post-delivery, matching this pattern.
  2. Invoke the Cloud APIs and quarantine these emails from all recipients Inboxes.
  3. Send an email notification to the admin for this organization.
  4. Publish an event in the Splunk SIEM for this organization.

Another example is where Graphus processes user reported suspicious emails for an organization. The organization admin has set up an Inbox where employees would forward suspicious emails. Without Graphus the admin was spending several hours investigating and remediating these emails. Graphus quickly created a customized playbook with the following steps:

  1. Process each of the suspicious reported emails by end users.
  2. Extract the meta attributes of these emails and make them available to the organization analyst for investigation and response.
  3. Publish an event in the Elastic SIEM for the organization.
  4. Provide capabilities to manually view the content of the emails.
  5. Provide capabilities to Sandbox attachments and URLs in the emails.
  6. Provide the capability to remove a confirmed phishing email from all recipients Inbox.

Besides customized playbooks, Graphus has several default playbooks that work out-of-the-box. These include auto-quarantine of emails with malicious attachments and insertion of an interactive warning banner on suspicious emails. With Graphus running in an email environment one can be assured of best of the breed out-of-the-box post-delivery detection, investigation and response capabilities with the added advantage of any number of customized playbooks for more targeted attack scenarios.

Please reach out to [email protected] or click on the button below if you would like to learn more about these capabilities and see a demo of the product.