Case Study: How Mesa Systems Resolved Its Phishing Issues

By Steven Davidson
March 01, 2018

Established in 1981, Mesa Systems, Inc. is a full-service provider of residential, commercial, and logistics-based mobility solutions for businesses and individuals. We have helped many of the world's largest, most respected corporations move their employees, offices, and industrial facilities domestically and internationally.

As Director of IT, it is my responsibility to support over 150 transportation management specialists and relocation customer care professionals across multiple locations in the U.S. In my years of experience, I've come to understand that phishing is a constantly changing landscape, which requires my unwavering attention and focus.

Pain Point

We have noticed that email attacks come in waves; we receive approximately 10 phishing emails each week. Every company gets spam and other unsophisticated phishing attacks, which are obviously malicious (e.g., bad grammar, etc.). These are easy to detect and avoid for most employees. The challenge lies in the less obvious, difficult to detect and clever messages that can easily escape the untrained eye. This, coupled with a link or attachment directing them to take the wrong action, can cause catastrophe. Because I know the potential risk to the company if an employee were to take the bait, I treat each phishing email seriously.

The Problem

Initially, we rolled out a security awareness and training program that required me to customize content and take the necessary time and effort to monitor and train the employees — to teach everyone how to spot emails that might not be legit and report them. While the training increased overall awareness and guided more cautious behavior — which is a good thing — it also created additional work for me. Even with extensive training of my employees, I was still getting an exorbitant amount of questions such as, “Can I open this? What about this? How about this?” Investigating possible phishing emails has been a manual process, which required us to look into each email, verify if it was legitimate and then reply back to the employee with the outcome and instructions.

Depending on what we expected to find during our investigation, and how dangerous we thought the email might be when we initially inspected it, our practice had been to move the email to a non-network computer and test to see if it would cause internal issues. By this, I mean interact with the email in a “sandbox environment” and monitor what would happen to verify if it was malicious or not. In some cases, this process only took a minute or two to realize if the email was real or not, and in those cases we wouldn't need to move the email to a non-networked machine.

But, in many other cases, it was not as obvious that the emails were phishing. Consequently, they needed more time to investigate — as much as 30 minutes each — to move it to an offline machine, test the link or download the file/attachment, and see what the antivirus scanner disclosed. So, with this process, I had been spending about four to six hours per week just checking emails to see if they were phishing or not. This isn't the most efficient use of my time.

The Initial Solution

We first learned about EdgeWave email security from our reseller Trebron. Since 2013, we've used the EdgeWave iPrism Web security solution for URL filtering, and when we asked them for a way to keep our email spam free, Trebron suggested EdgeWave's email security solution called ePrism. Mesa has been using the cloud version of the EdgeWave ePrism email security to filter our inbound emails for spam and threats since 2013. As emails are directed to one of our domains, they go through the ePrism email security filter prior to being sent to our Microsoft 2016 Exchange server. This takes care of 99% of all threat-type emails coming to our users.

EdgeWave also realized that phishing is more sophisticated and the stakes are higher, so they recently launched a new add-on service called ThreatTest to deliver custom analysis of emails we think might be phishing. We installed ThreatTest in the fourth quarter of 2017 to evaluate how it works and how it might help us catch phishing emails before they cause issues in our network.

My Experience with ThreatTest

ThreatTest was installed desk side and can also be deployed globally via GPO (Global Policy Object), depending on the number of endpoints to which it needs to be pushed. Once installed, a ThreatTest icon is present on the employee's Outlook window, along the right side of the ribbon bar. Because using ThreatTest is a new method for reporting phishing, I socialized this with everyone so they understood how it works and what the value was. I sent my employees instructions on how to use the plug-in along with some light documentation provided by EdgeWave.

Because ThreatTest is new, there was a short transition period during which employees would call the IT department with unrelated Outlook or email questions. We used this opportunity to tell them about ThreatTest, show them the ThreatTest icon and how they would use it. Now, any time there's a question about the legitimacy of an email, the staff simply clicks the ThreatTest button to report the email, and EdgeWave starts the automated investigation. This means EdgeWave is doing the email checking and there is no longer a need for me or other IT department staff to personally look into the issue, which has saved me time and resources.

In addition to freeing up considerable time, I no longer need to maintain a dedicated off-network machine simply for the purpose of testing phishing emails. Further, instead of my employees needing to wait for me to reply to them about an email, EdgeWave is doing that directly. Within minutes, the employees get an answer and can move on with their day.

Of course, I still want to be in the loop even though I'm not directly managing each investigation, and ThreatTest has an option for me to receive triggered notifications when end-users submit and/or get confirmations. From a central management screen, I can see summary and detailed domain/category reporting. ThreatTest gives me one place to go to find out if the training we've invested in is paying off. In addition to summary reports, I can drill down to the individual employee level and see who is getting the most phishing emails and who is doing the most reporting of them.

Summary

Clearly, email security is important to us, but it is also not the only IT task we have to perform. To this end, ThreatTest has proven to be a real time-saver for the company. It has also provided me a certain level of confidence in the safety of our email system, since I believe our employees picked up the concept quickly and are now happy to be able to report phishing emails this way.

Part of training your users is in how to review emails and verify whether they are a threat or not. When in doubt, if they are not sure it's a threat, they can click the ThreatTest button. We find most users are willing to do that as they know they get a response much faster than bothering IT. In other words, the users feel more comfortable clicking on the button than picking up the phone or having to contact IT, offering a win for IT and a win for our users. ThreatTest is helping to keep the company safe from even one employee making the wrong decision.

It should be noted that Mesa Systems is currently using version 1 of ThreatTest, which supports MS Exchange and Microsoft mail clients (Outlook or OWA). In January 2018, EdgeWave started beta testing of version 2, which is built on a new platform and will have easy Web-based provisioning for all users. In addition to Microsoft Exchange 2013/2016, version 2 will also add support for Office 365. ThreatTest version 2 will also add support for Macs and mobile OSes running a Microsoft mail client. ThreatTest version 2 is a standalone solution and in addition to working alongside our ePrism Email Security solution, it can also complement email security solutions from other vendors. This provides advanced anti-phishing protection for businesses who are using other vendors. They are not required to use EdgeWave's email security in order to use ThreatTest.

*****
Steven Davidson is the Director of IT for Mesa Systems, Inc.
