<i>Case Study:</i> How Mesa Systems Resolved Its Phishing Issues

Established in 1981, Mesa Systems, Inc. is a full-service provider of residential, commercial, and logistics-based mobility solutions for businesses and individuals. We have helped many of the world's largest, most respected corporations move their employees, offices, and industrial facilities domestically and internationally.

As Director of IT, it is my responsibility to support over 150 transportation management specialists and relocation customer care professionals across multiple locations in the U.S. In my years of experience, I've come to understand that phishing is a constantly changing landscape, which requires my unwavering attention and focus.

Pain Point

We have noticed that email attacks come in waves; we receive approximately 10 phishing emails each week. Every company gets spam and other unsophisticated phishing attacks, which are obviously malicious (e.g., bad grammar, etc.). These are easy to detect and avoid for most employees. The challenge lies in the less obvious, difficult to detect and clever messages that can easily escape the untrained eye. This, coupled with a link or attachment directing them to take the wrong action, can cause catastrophe. Because I know the potential risk to the company if an employee were to take the bait, I treat each phishing email seriously.

The Problem

Initially, we rolled out a security awareness and training program that required me to customize content and take the necessary time and effort to monitor and train the employees — to teach everyone how to spot emails that might not be legit and report them. While the training increased overall awareness and guided more cautious behavior — which is a good thing — it also created additional work for me. Even with extensive training of my employees, I was still getting an exorbitant amount of questions such as, “Can I open this? What about this? How about this?” Investigating possible phishing emails has been a manual process, which required us to look into each email, verify if it was legitimate and then reply back to the employee with the outcome and instructions.

Depending on what we expected to find during our investigation, and how dangerous we thought the email might be when we initially inspected it, our practice had been to move the email to a non-network computer and test to see if it would cause internal issues. By this, I mean interact with the email in a “sandbox environment” and monitor what would happen to verify if it was malicious or not. In some cases, this process only took a minute or two to realize if the email was real or not, and in those cases we wouldn't need to move the email to a non-networked machine.

But, in many other cases, the emails were not as obvious that they were phishing. Consequently, they needed more time to investigate — as much as 30 minutes each — to move it to an offline machine, test the link or download the file/attachment, and see what the antivirus scanner comes disclosed. So, with this process, I had been spending about four-six hours per week just checking emails to see if they were phishing or not. This isn't the most efficient use of my time.

The Initial Solution

We first learned about Edgewave email security from our reseller Trebron. Since 2013, we've used Edgewave iPrism Web security solution for URL filtering, and when we asked them for a way to keep our email spam free, Trebron suggested Edgewave's email security solution called ePrism. Mesa has been using the cloud version of the Edgewave ePrism email security to filter our inbound emails for spam and threats since 2013. As emails are directed to one of our domains, it goes through the ePrism email security filter prior to being sent to our Microsoft 2016 Exchange server. This takes care of 99% of all threat type of emails coming to our users.

EdgeWave also realized that phishing is more sophisticated and the stakes are higher, so they recently launched a new add-on service called ThreatTest to deliver custom analysis of emails we think might be phishing. We installed ThreatTest in the fourth quarter of 2017 to evaluate how it works and how it might help us catch phishing emails before they cause issues in our network.

My Experience with ThreatTest

ThreatTest was installed desk side and can also be deployed globally via GPO (Global Policy Object), depending on the number of endpoints to which it needs to be pushed. Once installed, a ThreatTest icon is present on the employee's Outlook window, along the right side of the ribbon bar. Because using ThreatTest is a new method for reporting phishing, I socialized this with everyone so they understood how it works and what the value was. I sent my employees instructions on how to use the plug-in along with some light documentation provided by EdgeWave.

Because ThreatTest is new, there was a short transition period during which employees would call the IT department with unrelated Outlook or email questions. We used this opportunity to tell them about ThreatTest, show them the ThreatTest icon and how they would use it. Now, any time there's a question about the legitimacy of an email, the staff simply clicks the ThreatTest button to report the email, and EdgeWave starts the automated investigation. This means EdgeWave is doing the email checking and there is no longer a need for me or other IT department staff to personally look into the issue, which has saved me time and resources.

In addition to freeing up considerable time, I no longer need to maintain a dedicated off-network machine simply for the purpose of testing phishing emails. Further, instead of my employees needing to wait for me to reply to them about an email, EdgeWave is doing that directly. Within minutes, the employees get an answer and can move on with their day.

Of course, I still want to be in the loop even though I'm not directly managing each investigation, and ThreatTest has an option for me to receive triggered notifications when end-users submit and/or get confirmations. From a central management screen, I can see summary and detailed domain/category reporting. ThreatTest gives me one place to go to find out if the training we've invested in is paying off. In addition to summary reports, I can drill down to the individual employee level and see who is getting the most phishing emails and who is doing the most reporting of them.

Summary

Clearly, email security is important to us, but it is also not the only IT task we have to perform. To this end, ThreatTest has proven to be a real time-saver for the company. It has also provided me a certain level of confidence in the safety of our email system, since I believe our employees picked up the concept quickly and are now happy to be able to report phishing emails this way.

Part of training your users is in how to review emails and verify if it's a threat or not. When in doubt, if they are not sure it's a threat, they can click the ThreatTest button. We find most users are willing to do that as they know they get a response much faster than bothering IT. In other words, the users feel more comfortable clicking on the button than picking up the phone or having to contact IT, offering a win for IT and a win for our users. ThreatTest is helping to keep the company safe from even one employee making the wrong decision.

It should be noted that Mesa Systems is currently using version 1 of ThreatTest, which supports MS Exchange and Microsoft mail clients (Outlook or OWA). In January 2018, EdgeWave started beta testing of version 2, which is built on a new platform and will have easy Web-based provisioning for all users. In addition to Microsoft Exchange 2013/2016, version 2 will also add support for Office 365. ThreatTest version 2 will also add support for Macs and mobile OSes also running a Microsoft mail client. ThreatTest version 2 is a standalone solution and in addition to working alongside our ePrism Email Security solution, it can also complement email security solutions from other vendors. This provides advanced anti-Phishing protection for businesses who are using other vendors. They are not required to use EdgeWave's email security in order to use ThreatTest.

*****
Steven Davidson is the Director of IT for Mesa Systems, Inc.