Symantec Email Security Community

Announcing Deep Visibility into Advanced Email Attacks 

Aug 25, 2017 09:10 PM

Email continues to be a top incursion vector for attackers.  As a result, organizations need to gain better visibility into their email, which is the most critical and exposed control point. Understanding threat actors and the email threat landscape has become imperative for customers today, as they are looking to quickly investigate, correlate, and respond to threats.

Symantec Advanced Threat Protection for Email already provides deep visibility into the threat landscape with Indicators of Compromise (IOCs) on malicious emails such as file hashes and URLs as well as attacker information such as sender IPs & sender countries. This intelligence can be seamlessly ingested into third-party Security Incident and Event Management tools (SIEM) such as Splunk, IBM QRadar, and HP ArcSight, which enables Security Operations Center (SOC) teams to investigate and respond to advanced email attacks. Customers are leveraging this information for use cases such as correlating malicious file hash information from emails with their endpoints, feeding malicious links into their Web proxies to gain insight into attackers, and increasing protection by understanding targeted threats against their organizations.

Figure 1 – Intelligence on malicious URLs found by deep link analysis in Symantec Cloud Email Security.  This includes both the original URL and as well as the destination URL from where malicious payloads are served.
Figure 2 – Symantec offers visibility into the threat landscape, including where attacks originate.

Last month, we announced new Business Email Compromise protection and deeper visibility into advanced email attacks. Today, we are excited to announce the launch of new APIs as part of our Advanced Email Security Analytics, which provide deep visibility into both clean and malicious emails by extending our intelligence to all emails scanned by our Symantec Email service. These APIs enable organizations to:

  • Gain near real-time visibility and analytics into the email threat landscape
  • Investigate and correlate threats by providing actionable intelligence about IOCs, including spoofed domains, spoofed users, malicious URLs, detailed sandbox behaviors and associated network communication
  • Accelerate response to targeted and advanced threats by tracking email-based attack campaigns and outbreaks
  • Understand end-user risk profiles and improve the overall security posture and awareness of email threats
Figure 3

Over the next couple of months, we will release an updated version of our free Splunk application that will leverage these new data sources to provide enhanced advanced analytics at your fingertips.

Figure 4 – Ability to create campaign view to track email outbreaks.

Getting Started

This feature is available to Symantec Advanced Threat Protection for Email customers today. To enable the data feeds, please refer to settings section under Advanced Threat Protection:Email in Email portal. You can also download our admin guide that provides detailed information about the data points provided and sample Python scripts to get started quickly.

Figure 5 – Email data feed settings in Symantec Email console.

Join our webcast on August 30 to learn more about the latest capabilities and see them in action!



0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.