Targeted Threat Protection - Optimization

This article contains information on optimizing Mimecast's Targeted Threat Protection, including best practices for policies, URL and attachment protection, impersonation safeguards, internal email monitoring, and advanced configurations to enhance email security and user productivity.

While simple spammers and phishing malware are still real risks, the most damaging attacks now occur with well-researched social engineering, targeted malware, precise impersonations, and specially constructed credential phishing sites. The only way to keep your organization safe from these types of attacks is to use an equally sophisticated and versatile email security system.

Targeted Threat Protection is an evolving product suite that has received ongoing developments to address these issues. This guide is designed to help administrators perform a review of their current environment and learn about the latest Targeted Threat Protection optimizations and recommended best practice settings.

Prerequisite Considerations

Before beginning, we recommend:

      • Evaluating Policies and Definitions: Check whether you have definitions with no policies set up for them; in that case, your Targeted Threat Protection settings won't be applied to any email traffic. Similarly, check whether you have too many policies and/or definitions configured, as conflicting settings may restrict your users.
      • Test Before Deploying: Targeted Threat Protection definitions and policies have many settings. Prior to deploying a feature organization-wide, ensure you have performed testing within your IT department or some other isolated team. This allows you to understand how the settings affect your users.
      • Inform Users Prior to Deploying: Targeted Threat Protection settings affect your users' experience and should be communicated before enabling. Take advantage of the following resources to help you:

Optimizing Targeted Threat Protection

Having evaluated and tested your environment's policies and definitions, as well as our best practice recommendations (see above), continue to our tips on how to get the most out of your Targeted Threat Protection deployment.

Enabling Display of the URL Destination Domain

Applies to: URL Protection

Many organizations may be initially hesitant to roll out a URL rewriting solution, as security teams often train users to hover over URLs and look at the link destination. Mimecast rewrites URLs and, in the process, obfuscates the URL string to ensure users are not able to bypass the protection. There have been several enhancements to URL Protect to help you. For example, the Display URL Destination Domain option provides users with the ability to see where a link is going without compromising security.

Protecting Against URLs Within Attachments

Applies to: URL Protection

When configuring a URL Protect definition, enable all the options under URLs and Attachments. These settings protect your organization from URLs with dangerous file extensions, rewrite URLs, and scan URLs in attachments that cannot be rewritten. It's important to set the URL File Download setting to Sandbox, as this causes a directly downloaded file to be inspected with deep security analysis.


Enabling Advanced Similarity Checks

Applies to: URL Protection, Impersonation Protection

Mimecast added the ability to identify advanced impersonation attacks, where the domain of inbound emails or links appears similar to your internal domains or domains of external organizations. To utilize this, enable the Advanced Similarity Checks options for Inbound mail when configuring a definition. Depending on your organization's preferences, select Action to either warn users when a similar link is detected or block users from accessing the link and display a block page.


Populating Your Custom Monitored Domains

Applies to: URL Protection, Impersonation Protection

Attackers often impersonate domains of key business partners or application providers in an attempt to gain your employees' trust. Adding these external domains to your Custom Monitored Domain list ensures these domains are analyzed in URLs as well as headers of inbound emails. View the Custom Monitored External Domains page for more information.
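
To make the idea behind Advanced Similarity Checks and Custom Monitored Domains concrete, the following added example (not Mimecast code, and not Mimecast's actual algorithm) shows one generic way a domain can be scored against a monitored list. The domain list, the confusable-character table and the distance limits are assumptions chosen for illustration.

```python
# Added illustration of lookalike-domain matching; not Mimecast's algorithm.
import unicodedata

# Constructed stand-in for internal domains plus Custom Monitored Domains.
MONITORED = ["example.com", "partner-bank.example"]

# Small assumed table of visually confusable characters (digits, Cyrillic).
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s",
     "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def skeleton(domain):
    """Fold a domain to a canonical form so visual tricks collapse together."""
    d = unicodedata.normalize("NFKC", domain.lower().rstrip("."))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, monitored=MONITORED):
    """Return (verdict, matched): verdict is 'exact', 'similar' or 'clear'."""
    plain = domain.lower().rstrip(".")
    for legit in monitored:
        if plain == legit or plain.endswith("." + legit):
            return ("exact", legit)  # the real domain or one of its subdomains
    skel = skeleton(plain)
    for legit in monitored:
        target = skeleton(legit)
        limit = 1 if len(target) < 10 else 2  # stricter limit for short names
        if edit_distance(skel, target) <= limit:
            return ("similar", legit)  # candidate for a warn or block action
    return ("clear", None)


if __name__ == "__main__":
    for d in ["example.com", "examp1e.com", "exmaple.com", "unrelated.org"]:
        print(d, classify(d))
```

The sketch compares whole host names, so a lookalike hidden behind extra subdomain labels would need the registrable domain extracted first. It also shows why the monitored list matters: a domain is only flagged as similar to names that are on the list.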

Maximizing User Productivity via Attachment Protection

Applies to: Attachment Protection

Mimecast's Attachment Protect inspection is versatile and flexible, and many organizations find it beneficial to apply different settings to various user groups. See the TTP Attachment Protect - How It Works page for details of how you can gain more granular control over your organization to protect users from malicious files.

Enabling Device Enrollment

Applies to: URL Protection, Attachment Protection

Device Enrollment enhances security when accessing rewritten URLs and attachments in messages by using an authentication system that stores a cookie on the end user's device. This cookie enables Mimecast to identify the actual user, which is particularly important when URLs or converted safe files are forwarded around an organization. See the Targeted Threat Protection - Managing Device Enrollment page for further details.

Avoiding Issues with One-Time Click Links

Applies to: URL Protection

Mimecast rewrites URLs in inbound emails, which can cause an issue with one-time click URLs (e.g., password reset links). Once a rewritten URL is clicked, Mimecast analyzes the site before redirecting the user. Because that analysis visits the link first, a link that is valid for only one visit can already be used up by the time the user reaches it. To avoid issues with one-time links when deploying URL Protect, either:

      • Configure a Bypass Policy to exclude specific senders or recipients. For example, set a bypass for your automated system that sends password reset emails or links to users.
      • Whitelist a URL or Public IP in your TTP URL Protect - Managed URLs and select Disable rewriting for this entry to prevent Mimecast from rewriting or scanning one-time click links of these URLs.

Using More Than "Mark All Inbound Items As External" Setting

Applies to: Impersonation Protection

Mimecast's Impersonation Protection includes a general action to Mark All Inbound Items as External. While this is useful for some organizations, many users tend to stop seeing an external tag after a few days if every email from outsiders has that flag applied. Instead, leverage Impersonation Protection's Identifier Actions to apply.


Inspect and Remediate Internal and Outbound Emails

Applies to: Internal Email Protect

Most organizations focus on inbound emails when it comes to protecting against phishing. However, internally generated emails are a growing threat to organizations, as they are used to spread an attack using a compromised account or are a vehicle for careless user activity.

Internal Email Protect adds Outbound and Journal settings (for internal-to-internal emails) to the URL Protect, Attachment Protect, and Content Examination (DLP) definitions. This allows you to inspect and remediate internally generated emails that contain malicious URLs, attachments, or policy-violating content. Additionally, Internal Email Protect constantly monitors the status of all file attachments globally. If the security score of a delivered file changes, Mimecast can:

      • Automatically or manually remediate attachment-based malware.
      • Quickly alert and update administrators.
      • Log incident actions.

View the Internal Email Protect and Threat Remediation pages for additional information.

Using Multiple Policies and Definitions

You can apply some of our best practice recommendations and optimization tips in a variety of ways. Here are some additional considerations to help finalize your Targeted Threat Protection configurations:

      • You can configure more aggressive security settings and more frequent user awareness training for your end users, but a more relaxed setting for the IT team.
      • With Attachment Protect, consider that an organization's Legal and Finance team often works with macro-enabled files. Therefore, their emails should have Pre-Emptive Sandboxing applied, while the rest of the employees have Safe File conversion enabled to speed up mail delivery.
      • Administrators can apply more restrictive Identifier settings for Impersonation Protect for Executives and other key employees while applying a broader set of Identifier settings against end users. This is because executives are far more likely to be impersonated by attackers.
      • While Internal Email Protect allows organizations to monitor internal and outbound emails for malicious URLs and attachments, administrators can also configure Content Examination policies to monitor, detect, and remediate emails based on content that should not be shared between users. For example, the healthcare industry can use Content Examination to prevent patient records from being sent to unauthorized users, whether intentionally or accidentally. See the Content Examination - Configuring page for more information.
