Review: GreatHorn offers a better way to secure enterprise email

GreatHorn takes a modern and highly effective approach to protecting enterprise email that goes well beyond the capabilities of legacy mail scanners.


Email is probably the most ubiquitous technology of the modern office. Businesses simply could not exist in their current form without it. And this is true regardless of the size of an organization or its specialization. If an enterprise network exists, then there will certainly be an email component.

Criminals know this as well, which is part of the reason email-based attacks are on the rise. From annoying spam to highly specialized phishing efforts that might only target a handful of people in an organization, email is always one of the top jumping-off points for attacks and scams of every stripe. Yet despite this, most organizations still use binary protection methods where an appliance or software tool evaluates incoming mail and simply deletes it or passes it on to users. After that initial decision process, most email protection schemes simply move on without a second glance.

The new email protection platform from GreatHorn takes a different approach, sticking with specific email messages throughout their lifecycle and protecting users even if a previously approved message becomes malicious. It’s different right from the install process too. Instead of existing on an appliance or virtual server, it integrates right into the mail program itself. A mail administrator, working with the GreatHorn staff, can get the program up and running in about ten minutes. Users will see a GreatHorn icon on their email client, but no agents or programs are installed on endpoints.

[Image: GreatHorn Bar. Credit: John Breeden II]

Unlike mail appliances or other older protection methods, GreatHorn requires no internal assets and no data ever needs to leave the network. The program integrates with the existing email program. Clients see a GreatHorn button on their email, but nothing is actually installed on endpoints.

We tested GreatHorn in a production environment using an enterprise version of Office 365. It also works with Google’s G Suite and most other enterprise email applications. Once integrated with Office 365, GreatHorn basically became part of the enterprise email service. No message is ever redirected out of the network for analysis. And there are no agents and no need to install anything on endpoints.

GreatHorn can work in conjunction with a legacy email gateway, though much of its basic functionality will mirror what most of those appliances do. In other words, GreatHorn removes known bad email such as advertisements for medications or email with attached viruses and malware from the stream, never passing it on to a user. It has a much deeper engine than most appliances and will likely catch things that they won’t, but you can use it in conjunction with other mail protections and it does not harm the functionality at all. GreatHorn will simply examine and monitor whatever mail the legacy appliance passes to it.

Where GreatHorn shines is in that grey area where an email doesn’t have enough bad traits, like an attached piece of malware, to label it as completely malicious, but shouldn't be fully trusted either. One of the things it looks for is email that comes from .net or .cn when the company’s top level domain is actually .com. Registering a similar domain in order to impersonate company officials is something advanced email phishers do. Or, attackers might reverse a couple letters or add a character and hope nobody notices.
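The look-alike checks described above (a changed top-level domain, swapped letters, an added character) can be sketched as follows. This is an added example, not GreatHorn's code; the function names and the example.com sample domains are assumptions made up for illustration.

```python
# Added illustration; not GreatHorn's code. All sample domains are constructed.

def split_domain(domain):
    """Split on the last dot into (name, tld). Multi-label suffixes such as
    co.uk would need the Public Suffix List; this sketch ignores them."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]

def classify_sender(sender_domain, trusted_domain, max_edits=1):
    """Return 'trusted', 'tld-swap', 'near-match' or 'unrelated'."""
    s_name, s_tld = split_domain(sender_domain)
    t_name, t_tld = split_domain(trusted_domain)
    if (s_name, s_tld) == (t_name, t_tld):
        return "trusted"
    if s_name == t_name:
        return "tld-swap"      # same name under .net or .cn instead of .com
    if 0 < osa_distance(s_name, t_name) <= max_edits:
        return "near-match"    # swapped letters or one added character
    return "unrelated"

def sender_domain(address):
    """Take the part after the last '@' of an email address."""
    return address.rpartition("@")[2]

if __name__ == "__main__":
    TRUSTED = "example.com"  # constructed organisation domain
    for addr in ["ceo@example.com", "ceo@example.cn", "ceo@exmaple.com",
                 "ceo@examples.com", "news@vendor.org"]:
        print(addr, "->", classify_sender(sender_domain(addr), TRUSTED))
```

A "tld-swap" or "near-match" result maps to the grey area the review describes: mail that is delivered with a warning by default, or blocked outright if policy says so.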

Most email protection programs, when faced with a binary choice of passing along an email or blocking it, will opt to pass it along. But GreatHorn, which is fully integrated with the mail program and not sitting back at a gateway, can hedge its bet because it can continue to monitor mail even after it has reached a user’s inbox. During our evaluation, mail with changes in the normal or expected domain was passed through, but users were warned that they had never gotten an email from that address before. It pointed out the inconsistencies and suggested that this was likely evidence of a phishing attempt.

[Image: GreatHorn Suspicious Link. Credit: John Breeden II]

In addition to stopping known spam or malicious emails, GreatHorn will continue to monitor all mail, even when there is not enough evidence to initially consider it bad. Here, GreatHorn has blocked a link in an email to a compromised Microsoft login page.

GreatHorn officials say that the platform has analyzed billions of messages during the lifetime of the program and has been exposed to almost every kind of email phishing or scam attempt. Based on that information, the company recommends certain procedures for dealing with grey email and sets those recommendations as default policy. Of course, GreatHorn’s behavior can be assigned or modified from the admin console. For example, if a phisher is using a .cn address to try to spoof an organization’s credentials, it can be set to be blocked altogether instead of sending it through and alerting a user about the potential danger.

Administrators can also create custom messages in response to context-aware scanning. For example, one of the surprisingly effective email scams these days is simply impersonating a company official and asking for money. GreatHorn can recognize those kinds of requests and add a bright red warning flag to the top of the message reminding the recipient that it is against company policy to respond to money transfer requests via email. If that’s not what the message is really about, the warning does no harm. But if it is a scam, the recipient will be made aware of the suspicious nature of that request.

[Image: GreatHorn Policy. Credit: John Breeden II]

The GreatHorn platform lets administrators set the level of interactivity given to users. Certain conditions can trigger a customized message, such as a warning that the company does not authorize money transfers using email.

In this way, GreatHorn can train users to be better stewards of company information, but in a more effective way than most training programs because the GreatHorn training is being given on the fly in response to a real potential attack. It's the difference between handing out instructions about what to do in the event of a fire (instructions that users are likely to forget during an actual emergency) and telling users, "There is a fire in the kitchen right now. You need to walk to the north stairway and get out of the building." The former is likely to be forgotten; the latter probably won’t be.

[Image: GreatHorn Users Info. Credit: John Breeden II]

Recipients can use GreatHorn to analyze email, looking to see if they have a history with the sender, and if the return address matches the name in the display.

There is also the option to keep users completely in the dark, letting mail administrators handle the work of examining all suspicious email. The obvious problem with that approach is that unless you have hundreds of mail administrators, the staff will quickly fall behind. Having users become a part of the security process, with heavy assistance from GreatHorn, is a far better solution to stopping suspected malicious mail and eliminating false positives.

But asking users to help without providing a safety net is no good either. That is where another key feature of GreatHorn comes into play. If an email has a suspected bad or compromised link, GreatHorn will create an isolated browser instance whenever that link is clicked. The browser will show a preview of the destination page, and warn that, for example, the user thinks they are going to ChaseBank.com when they are actually being directed to ChasesBank.com. Even if there is malicious content on the destination page, the user is protected from it. Hopefully, the user will stop there, but if they do click through anyway, the administrator is notified.

The admin panel shows at-a-glance how many users clicked on the link to the preview page, and how many then went all the way to the spoofed page. That can be helpful because, for example, if that page has malicious content, then users who clicked through could have their machines isolated for examination with other defensive tools.

The GreatHorn console also has the power to draw mail back out of inboxes. In our test network, the banking spoof email went to 37 people, 12 of whom clicked on the link and were sent to the safe preview/warning page, and two who clicked through to the bad site. Administrators can find all instances of the mail, or variants of it, anywhere in an enterprise email box. They can then automatically remove all of them and prevent any new versions from ever entering the network again.

[Image: GreatHorn Link Blocked. Credit: John Breeden II]

Even if GreatHorn approves an email, it will still block outgoing connections if they contain malicious links.

GreatHorn was able to ferret out everything from the most advanced attacks to the most common spam mail during our evaluation. And it carefully monitored and warned both users and administrators about any mail that fell into a grey area, even providing a safety net to prevent careless users from clicking through to anything that might be bad. With subscription model pricing based on the number of mailboxes being protected, with no regard to volume, it’s a modern and highly effective way to protect enterprise email that goes well beyond the capabilities of legacy mail scanners. Given how prevalent email attacks are these days, it’s a solution whose time has come.
