
Search Affected Users and Block Malicious Emails on Mimecast Email Gateway

Abstract


Category: Email Gateway

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR): Fusion and threat response solution to manage incidents, investigate, and respond automatically using cyber fusion-powered collaboration between your internal security teams.

  • Orchestrate (CO): Security orchestration solution to manage the playbook and third-party integrations.

  • Cyware Situational Awareness Platform (CSAP): Situational awareness solution to send automated alerts to warn affected users.

Third-Party Integrations Used:

  • Mimecast: Email gateway that provides comprehensive cloud-based secure email services that stop known and emerging email-borne threats before they reach your network.

Problem Statement

Email-related threats are emerging and evolving continuously at an alarming rate, and the time to respond to an incident has become a critical concern for security teams. As soon as a threat is detected and confirmed in the network, security teams have to respond as fast as possible while keeping the impact on business continuity at zero or negligible.

Solution

It is important to provide the strongest protection against email-related threats. Security teams must be equipped with advanced capabilities that block all email-based threats as soon as they are detected in your organization’s network.

[Workflow diagram: Search Affected Users and Block Malicious Emails on Mimecast Email Gateway]
How do we solve this problem?

The playbook workflow starts when it receives malicious email indicators from threat detection.

  1. Block Malicious Email: The playbook retrieves the list of malicious emails and domains identified in the email and blocks them on the Mimecast Email Gateway. You can also use a preferred email gateway service. See Email Gateway Service.

  2. Search Affected Users: The playbook retrieves the details of affected users from the threat detection and performs the following actions.

    1. One User Affected: If only one user is affected, the playbook alerts the affected user by email notification. The playbook also sends a CSAP advisory notification to other members of the organization.

    2. Multiple Users Affected: If multiple users are affected, the playbook creates an incident in CFTR and adds the list of affected users to perform quarantine actions. The playbook also alerts all affected users and sends a CSAP advisory notification to other members of the organization.
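The decision logic of the two playbook steps above, written as an added, stand-alone example that is not Cyware's playbook code or the Mimecast API: it normalizes the malicious sender and domain indicators for the gateway block, then branches on the number of affected users. Action names, the sample indicators and the sample users are all constructed for illustration; when no user is affected it only blocks, which is an assumption the page does not state.

```python
# Constructed sample input: indicators from threat detection and the recipients it identified.
SAMPLE_INDICATORS = ["Phish@Evil-Example.com", "billing@evil-example.com",
                     "Evil-Example.com", "other-bad.example", " "]
SAMPLE_USERS_ONE = ["alice@corp.example"]
SAMPLE_USERS_MANY = ["alice@corp.example", "bob@corp.example", "Alice@corp.example"]


def normalize_indicators(indicators):
    """Split raw indicators into sender addresses and domains, lowercased and deduplicated.
    A sender address also contributes its domain so the gateway block covers both forms."""
    senders, domains = set(), set()
    for raw in indicators:
        value = raw.strip().lower()
        if not value:
            continue  # ignore blank entries from the detection feed
        if "@" in value:
            senders.add(value)
            domains.add(value.rsplit("@", 1)[1])
        else:
            domains.add(value)
    return sorted(senders), sorted(domains)


def plan_response(indicators, affected_users):
    """Return the ordered list of (action, payload) pairs the playbook would execute.
    Step 1 always blocks on the gateway; step 2 branches on the affected-user count.
    Action names are hypothetical labels for the integration calls, not real API names."""
    senders, domains = normalize_indicators(indicators)
    users = sorted({u.strip().lower() for u in affected_users if u.strip()})
    actions = [("mimecast_block_senders", senders),
               ("mimecast_block_domains", domains)]
    if len(users) == 1:
        # Single recipient: notify that user directly.
        actions.append(("email_alert_users", users))
    elif len(users) > 1:
        # Several recipients: open a CFTR incident carrying the quarantine list, then alert them all.
        actions.append(("cftr_create_incident", {"affected_users": users, "quarantine": True}))
        actions.append(("email_alert_users", users))
    if users:
        # Advisory goes to the rest of the organization, not to the users already alerted.
        actions.append(("csap_advisory", {"exclude": users}))
    return actions


if __name__ == "__main__":
    for step in plan_response(SAMPLE_INDICATORS, SAMPLE_USERS_MANY):
        print(step)
```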

Benefits

Quickly Investigate and Respond to Incidents

The solution eliminates the errors inherent in manual handoffs across systems and teams, and helps security teams respond rapidly to evolving threats while optimizing and orchestrating enterprise security operations.

Increase Resilience

The solution allows security teams to automatically identify the affected users and notify them about the compromise in real time. It also proactively notifies all stakeholders in the organization's network to prevent the threat from spreading.

Proactively Detect and Respond to Zero-day Threats

The solution allows analysts to proactively block zero-day threats and targeted attack vectors detected by threat hunting and sandbox tools.