Stop BEC & Phishing, Protect Data, Prove It
Email is still the #1 attack path—phishing, BEC (Business Email Compromise), malware, MFA bypass links, OAuth-app abuse, and data loss.
SolveForce builds Email Security as a system: identity & posture at login → layered inbound/outbound controls → brand/domain protections → DLP & encryption → incident automation—wired to SIEM/SOAR so you have audit-grade evidence.
Connective tissue:
👤 Identity → /iam • 🔐 Privileged → /pam • 🚪 Zero Trust → /ztna • /sase
🖥️ Device posture → /mdm • /mdr-xdr
🔏 Data → /dlp • 🔑 Keys/Secrets → /key-management • /encryption
📊 Evidence/Automation → /siem-soar • 🚨 IR → /incident-response
🎯 Outcomes (Why SolveForce Email Security)
- BEC & phishing down — impersonation, spoofing, and malicious-link attacks blocked at delivery or neutralized at click time.
- Data stays put — DLP, auto-encryption, and safe sharing prevent accidental exfiltration.
- Credential theft prevented — login is Zero-Trust (SSO/MFA + device posture); risky sessions revoked in minutes.
- Supply-chain trust — DMARC enforcement, MTA-STS/TLS-RPT, DKIM rotation, OAuth-app governance.
- Audit-ready — logs, detections, actions, and training results stream to SIEM, with SOAR evidence.
🧭 Scope (What We Build & Operate)
- Inbound security
- Advanced phishing detection (ML + heuristics), attachment sandboxing, time-of-click URL defense.
- Executive & vendor impersonation protection; look-alike domain and display-name controls.
- Malware/graymail policies; SPF/DKIM/DMARC alignment and policy monitoring → p=reject.
- Outbound security
- DLP (keywords, regex, ML) for PII/PHI/PAN/secret patterns.
- Auto-encryption rules (TLS-only, S/MIME, portal) per sensitivity label or DLP trigger.
- Transport security: TLS enforcement, MTA-STS (and TLS-RPT), optional DANE where supported.
- Identity & access
- SSO/MFA everywhere; Conditional Access; device posture (MDM/UEM + EDR) for clients. → /iam • /mdm • /mdr-xdr
- OAuth app consent governance; risky token detection; session revoke & token rotation playbooks.
- Domain & brand
- SPF flattening/managed includes; DKIM key rotation and selector hygiene; DMARC reporting & enforcement roadmap.
- BIMI (with VMC) for brand trust where applicable.
- Awareness & simulation
- Role-based training, phishing simulations, and targeted coaching for high-risk groups (finance, execs, IT).
- IR automation
- SOAR workflows: auto-quarantine messages tenant-wide, revoke sessions/tokens, reset creds, block domains/URLs, update transport rules, notify finance/legal. → /siem-soar • /incident-response
🧱 Building Blocks (Spelled Out)
- Authentication & posture
- Passkeys/WebAuthn preferred; step-up MFA for new geo/ASN; impossible-travel detections.
- Mobile & desktop clients require compliant posture (disk encryption, EDR, OS minimums).
- Content & link controls
- URL rewriting with real-time decision at click; attachment detonation; safe-view for risky files.
- VIP & vendor allow/deny models with relationship graphs (invoice/payment spoof defense).
- DLP & encryption
- Sensitivity labels drive policy; PAN redaction; PHI masking; auto-encrypt or portal delivery on triggers.
- Customer-managed keys (CMEK/HSM) and rotation policy for S/MIME or gateway encryption.
- Logging & evidence
- Message trace, auth logs, admin actions, DLP events, sandbox verdicts → SIEM within 120 s; retention per policy.
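The impersonation controls listed under "Inbound security" and "VIP & vendor allow/deny models" above rest on three checks: a protected display name on an address the organization does not own, a sender domain that is a visual or one-edit twin of a protected domain, and a Reply-To that hands the conversation to a different domain. The code below is an added example for this page, not SolveForce's detection engine; the VIP list, protected domains and sample headers are constructed, and a real deployment would load them from the directory and vendor master and extend the confusables table.

```python
"""Display-name and look-alike-domain checks for inbound mail.

Added example, not SolveForce's detection engine. VIP list, protected domains
and sample headers are constructed (hypothetical); in production they come
from the directory and the vendor master.
"""
import re
from email.utils import parseaddr

# Constructed protected entities (hypothetical).
VIPS = {"jane doe": "jane.doe@example.com"}          # normalized display name -> real address
PROTECTED_DOMAINS = {"example.com", "acme-supplier.example"}

# Characters attackers swap for visual twins; a full confusables table goes here in production.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(domain):
    """Fold a domain to a look-alike skeleton: lowercase, confusables, rn->m, vv->w."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def norm_name(name):
    return re.sub(r"\s+", " ", name).strip().lower()


def check_headers(from_header, reply_to_header=""):
    """Return (tag, detail) findings for one message's From and Reply-To headers."""
    findings = []
    display, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display-name impersonation: a VIP's name on an address that is not theirs.
    vip_addr = VIPS.get(norm_name(display))
    if vip_addr and addr.lower() != vip_addr:
        findings.append(("vip_display_name", f"{display!r} sent from {addr}"))

    # 2. Look-alike sender domain: same skeleton, or one edit/transposition away.
    if from_domain not in PROTECTED_DOMAINS:
        for good in PROTECTED_DOMAINS:
            if skeleton(from_domain) == skeleton(good) or osa_distance(from_domain, good) <= 1:
                findings.append(("lookalike_domain", f"{from_domain} resembles {good}"))
                break

    # 3. Reply-To redirect: replies would leave the sending domain (the classic BEC hand-off).
    _, reply_addr = parseaddr(reply_to_header)
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"From {from_domain} but Reply-To {reply_domain}"))
    return findings


# Constructed sample headers (hypothetical): (From, Reply-To).
SAMPLES = {
    "clean":      ('"Jane Doe" <jane.doe@example.com>', ""),
    "vip_spoof":  ('"Jane  Doe" <jane.doe@freemail.example>', ""),
    "lookalike":  ('"AP Team" <ap@acme-supp1ier.example>', ""),
    "transposed": ('"AP Team" <ap@acme-suppiler.example>', ""),
    "redirect":   ('"Jane Doe" <jane.doe@example.com>', "<jane.doe@freemail.example>"),
}


def scan_samples():
    return {name: [tag for tag, _ in check_headers(*hdrs)] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in scan_samples().items():
        print(f"{name:11} {tags or 'ok'}")
```

Skeleton matching catches digit-for-letter swaps such as `supp1ier`, while the OSA distance catches the transposition `suppiler` that a plain Levenshtein threshold of 1 would miss; both run only against the protected set, so the check stays cheap enough for the gateway path.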
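The DLP items above ("keywords, regex, ML for PII/PHI/PAN/secret patterns" and "PAN redaction; PHI masking; auto-encrypt or portal delivery on triggers") need one detail a bare regex misses: a 16-digit string is only a card number if it passes the Luhn check, otherwise order and tracking numbers flood the quarantine. The code below is an added example for this page, not SolveForce's DLP engine. The policy table (PAN → block, PHI → encrypt), the choice of a US SSN as the PHI identifier, and the sample bodies are all constructed for illustration.

```python
"""Outbound DLP: PAN detection with Luhn validation, PHI masking, policy action.

Added example, not SolveForce's DLP engine. The patterns, the policy table and
the sample bodies are constructed (hypothetical); real deployments add the
label-driven rules and ML classifiers described on the page.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN as one common PHI identifier (hypothetical choice for the example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical policy: the most restrictive action wins.
ACTIONS = {"PAN": "block", "PHI": "encrypt"}
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}


def luhn_ok(digits):
    """Luhn checksum; filters order and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match):
    """Keep separators and the last four digits; star everything else."""
    s = match.group(0)
    digits = [c for c in s if c.isdigit()]
    if not luhn_ok(digits):
        return s                          # not a card number; leave untouched
    keep_from = len(digits) - 4
    out, seen = [], 0
    for c in s:
        if c.isdigit():
            out.append(c if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_pans(text):
    """Luhn-valid candidates only."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok([c for c in m.group(0) if c.isdigit()])]


def classify(body):
    """Return labels, the policy action, and a redacted copy safe for logs and tickets."""
    labels = []
    if find_pans(body):
        labels.append("PAN")
    if SSN_RE.search(body):
        labels.append("PHI")
    action = "allow"
    for label in labels:
        if SEVERITY[ACTIONS[label]] > SEVERITY[action]:
            action = ACTIONS[label]
    redacted = PAN_RE.sub(mask_pan, body)
    redacted = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], redacted)
    return {"labels": labels, "action": action, "redacted": redacted}


# Constructed sample bodies (hypothetical). 4111 1111 1111 1111 is a standard test PAN.
SAMPLES = {
    "card":  "Card 4111 1111 1111 1111 exp 12/29, please charge today",
    "order": "Order ref 1234567890123 shipped via carrier",
    "phi":   "Patient SSN 123-45-6789, discharge summary attached",
    "both":  "SSN 123-45-6789 card 4111-1111-1111-1111",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = classify(body)
        print(f"{name:5} {r['action']:7} {r['labels']} {r['redacted']}")
```

The `redacted` string is what should reach the SIEM and the ticket: the DLP event itself must not become a second copy of the PAN, which is why the masked form keeps only the last four digits.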
📐 SLO Guardrails (Measure What Matters)
| Domain | KPI / SLO | Target (Recommended) |
|---|---|---|
| Detection | Phish catch rate (known bad) | ≥ 99% |
| Detection | Malware catch rate | ≥ 99% |
| Detection | False-positive rate (legit mail) | ≤ 0.1–0.3% |
| Response | BEC MTTD (user report → alert) | ≤ 5–10 min via SIEM |
| Response | MTTC (revoke/quarantine start) | ≤ 15–30 min |
| Domain trust | DMARC policy to p=reject | ≤ 60–90 days rollout |
| Transport | TLS coverage outbound/inbound | 100% (policy) |
| DLP | Block/auto-encrypt coverage (in-scope) | 100% |
| Training | Simulation failure rate (QoQ) | ↓ trend (target < 5%) |
| Evidence | Log delivery to SIEM | ≤ 60–120 s |
SLO breaches auto-open tickets and trigger SOAR (quarantine tenant-wide, revoke sessions, rotate keys, update rules). → /siem-soar
🔒 Compliance Mapping (Examples)
- PCI DSS — PAN detection & tokenization; DLP; encrypted transport and delivery (TLS/S/MIME/portal); key custody (HSM). → /pci-dss • /key-management
- HIPAA — PHI labels, minimum necessary, secure messaging, audit logs & retention.
- SOX / ISO 27001 / SOC 2 — change, access, logging, IR evidence.
- GDPR/CCPA — consent, minimization, retention, subject-rights workflows.
📊 Observability & Evidence
- Dashboards: phish/malware catch, click-throughs, quarantine counts, DMARC alignment, TLS coverage, DLP actions, OAuth-app grants.
- Artifacts: message samples, sandbox reports, admin change diffs, training results, incident timelines—all exportable to SIEM & auditor packs. → /siem-soar
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Assess baseline — mailbox rules, forwarding, legacy auth, DMARC/SPF/DKIM, TLS state, OAuth grants.
2) Identity hardening — SSO/MFA, Conditional Access, device posture; disable legacy/basic auth. → /iam • /mdm
3) Inbound layers — anti-phish/impersonation, URL/time-of-click, sandbox, VIP/vendor models.
4) Outbound policy — DLP labels, auto-encryption, TLS/MTA-STS; journaling/retention.
5) Domain trust — SPF/DKIM tune, DMARC report→quarantine→reject; DKIM rotation; BIMI.
6) SOAR runbooks — quarantine tenant-wide, revoke sessions/tokens, reset creds, notify finance/legal; test with drills. → /siem-soar
7) Training & sim — launch campaigns; coach repeat clickers; report KPIs to leadership.
8) Operate — monthly rule review; quarterly phishing drills; key/selector rotation; policy recertification.
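Step 1 of the blueprint is where most engagements find the first live compromise: an inbox rule that forwards finance mail outside the tenant, or one that routes anything mentioning "invoice" to a folder the owner never opens. The audit below is an added example for this page, not SolveForce tooling. It works over a constructed rule and mailbox inventory with hypothetical field names; in production the same logic runs over the tenant's API export, and the findings are what get shipped to the SIEM before step 2 disables legacy auth.

```python
"""Baseline audit of mailbox forwarding, inbox rules and legacy auth (blueprint step 1).

Added example, not SolveForce tooling. The inventory is a constructed export
with hypothetical field names; in production it is pulled from the tenant API.
"""
from datetime import date

INTERNAL_DOMAINS = {"example.com"}
# Folders attackers route mail to so the victim never sees replies or alerts.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email",
                  "archive", "conversation history"}
# Subject keywords typical of payment-fraud and account-takeover rules.
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "urgent"}

# Constructed inventory (hypothetical).
MAILBOXES = [
    {"mailbox": "cfo@example.com", "forwarding_smtp": None, "legacy_auth": False},
    {"mailbox": "ap@example.com", "forwarding_smtp": "ap-backup@freemail.example", "legacy_auth": True},
    {"mailbox": "it@example.com", "forwarding_smtp": "helpdesk@example.com", "legacy_auth": False},
]
RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "forward_to": ["x@freemail.example"],
     "move_to": None, "delete": False, "keywords": ["invoice", "wire"], "created": "2024-03-02"},
    {"mailbox": "ap@example.com", "name": "Vendor cleanup", "forward_to": [],
     "move_to": "RSS Feeds", "delete": False, "keywords": ["payment"], "created": "2024-03-03"},
    {"mailbox": "it@example.com", "name": "Newsletters", "forward_to": [],
     "move_to": "Newsletters", "delete": False, "keywords": ["newsletter"], "created": "2023-11-10"},
    {"mailbox": "it@example.com", "name": "Alerts to SOC", "forward_to": ["soc@example.com"],
     "move_to": None, "delete": False, "keywords": ["alert"], "created": "2023-01-05"},
]


def is_external(addr):
    return bool(addr) and addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit(mailboxes=MAILBOXES, rules=RULES, recent_days=30, today=date(2024, 3, 10)):
    """Return findings as (severity, mailbox, reason) tuples, highest severity first."""
    findings = []
    for mb in mailboxes:
        if is_external(mb["forwarding_smtp"]):
            findings.append(("high", mb["mailbox"],
                             f"mailbox-level forwarding to external {mb['forwarding_smtp']}"))
        if mb["legacy_auth"]:
            findings.append(("medium", mb["mailbox"], "legacy/basic auth enabled; MFA is bypassable"))
    for r in rules:
        ext = [a for a in r["forward_to"] if is_external(a)]
        kw = {k.lower() for k in r["keywords"]} & BEC_KEYWORDS
        hides = r["delete"] or (r["move_to"] or "").lower() in HIDING_FOLDERS
        age = (today - date.fromisoformat(r["created"])).days
        if ext:
            findings.append(("high", r["mailbox"], f"rule {r['name']!r} forwards to external {ext}"))
        if hides and kw:
            findings.append(("high", r["mailbox"], f"rule {r['name']!r} hides mail matching {sorted(kw)}"))
        if not r["name"].strip(" .,-_"):   # attacker rules are often named "." or left blank
            findings.append(("medium", r["mailbox"], "rule with empty or punctuation-only name"))
        if age <= recent_days and (ext or hides or kw):
            findings.append(("low", r["mailbox"],
                             f"rule {r['name']!r} created {age} days ago; verify with the owner"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, mailbox, reason in audit():
        print(f"[{sev:6}] {mailbox:18} {reason}")
```

The internal forward in `it@example.com` and its newsletter rule produce no findings, which is the point: the audit has to separate legitimate automation from the two attacker patterns (external forward, hidden-folder rule on payment keywords) or the SOAR runbook in step 6 will tear down the help desk.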
✅ Pre-Engagement Checklist
- 📧 Tenant(s) & gateways; legacy auth status; forwarding & mailbox rule audit.
- 🔐 IdP/SSO/MFA posture; Conditional Access; device posture sources (MDM/UEM/EDR).
- 📨 DMARC/SPF/DKIM state; MTA-STS/TLS-RPT; BIMI/VMC intent.
- 🔏 DLP labels/policies; encryption method (TLS/S/MIME/portal); journaling/retention.
- 🤝 Vendors & VIP lists; executive protection scope; finance/AP workflows (invoice wire risk).
- 🧩 OAuth-app governance; consent policies; risky grants inventory.
- 📊 SIEM/SOAR destination; alert routing; IR comms matrix; training cadence.
🔄 Where Email Security Fits (Recursive View)
1) Grammar — messages traverse /connectivity & endpoint posture from /mdm • /mdr-xdr.
2) Syntax — delivered with SSO/MFA and /ztna • /sase edges.
3) Semantics — /cybersecurity + /dlp preserve truth; keys/logs/backups prove it.
4) Pragmatics — /solveforce-ai assists triage with guarded RAG and citations.