Trystero

Pentagon Illustration

InQuest was founded by security practitioners who defended the Pentagon's Enterprise Networks for nearly two decades. We vetted and implemented the best-of-breed solutions across the spectrum, yet sophisticated threats were still evading detection, so we invented a platform to fill those gaps in attack coverage. By arming ourselves with two new technologies, Deep File Inspection (DFI™) and RetroHunting™, no threat was too elusive for discovery. It didn't take long for others to notice and InQuest’s footprint spread throughout the defense sector.

In 2020, we turned our focus to the Enterprise. With 95% of successful attacks starting with an email, we went back to our roots in gap analysis to study the shortcomings of Microsoft and Google's email offerings. Every day we collate emerging threats from around the world and determine which are capable of bypassing their detection and reaching the inbox. These are exactly the kinds of threats that result in successful ransomware attacks and subsequent headlines.

The "Trystero Project" is our code name for the experiment that we've been actively conducting for the past two years to measure the security efficacy of the two largest mail providers, Google (Workspace, aka GSuite) and Microsoft (O365), against real-world emerging malware.

According to the 2021 Verizon Data Breach Investigations Report, thirty-six percent (36%) of breaches covered involved phishing. CSO Online stated in March of 2020 that "94% of malware is delivered by email". It doesn't matter who you ask: email is the vector leveraged for the vast majority of successful attacks. The basic idea for this project is to take real-world threats daily and loop them through the two most popular cloud email providers, Google and Microsoft. We then monitor which samples make it to the inbox and compare the results over time. As a research team, this allows us to focus our efforts where it matters most.

Trystero Illustration

While we are comparing a number of mail provider and third-party security stacks, we are focusing on Google vs. Microsoft O365 with Advanced Threat Protection (ATP). Some of the real-time data accessible in the dashboard below also includes information for Outlook.com and for Microsoft O365 with ATP and enhanced phishing protection. See some embedded statistics from the past month below, or dive into the data via an interactive dashboard we host on SolarWinds Librato.

So who's the best? No one! It's actually quite interesting to watch the back and forth in top detection between Microsoft and Google. Here's what we do know:

  • You should be augmenting your email security. We'll typically see at least a 5-10% miss rate; some days it's lower than 1%, other days it's higher than 40%. Regardless, there's a gap that needs to be addressed.

  • Microsoft is typically better at blocking Office-borne malware whereas Google is typically better at PDF and Java-borne malware. Graphing bypass rates by MIME is a new data point we are tracking.

  • While there is back and forth, Microsoft w/ATP generally outperforms Google's security efficacy... at an additional cost, of course.

  • There are more third-party security providers for Microsoft than there are for Google.


Real-world malware campaigns come in waves and that notion is directly captured in how we sample and replay data. Sudden large gaps are likely indications of an emerging campaign that happens to bypass that particular provider.
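The measurement loop described above (replay each day's samples through both providers, record which ones reach the inbox, compare miss rates over time and by MIME type, and treat a sudden jump as a likely campaign) can be reduced to a small piece of bookkeeping. The following is an added example written for this page, not InQuest's own Trystero code; the replay records are constructed, the provider labels "google" and "o365_atp" are hypothetical names, and the 40% spike threshold simply echoes the "higher than 40%" figure quoted above.

```python
from collections import defaultdict

# Constructed replay records (not real Trystero data): one row per
# (sample, provider) replay. "inbox" is True when the sample bypassed the
# provider's filtering and landed in the test mailbox.
# Fields: day, sample_id, mime_type, provider, inbox
REPLAY_LOG = [
    ("2022-03-01", "s001", "application/pdf",              "google",   False),
    ("2022-03-01", "s001", "application/pdf",              "o365_atp", True),
    ("2022-03-01", "s002", "application/vnd.ms-excel",     "google",   True),
    ("2022-03-01", "s002", "application/vnd.ms-excel",     "o365_atp", False),
    ("2022-03-01", "s003", "application/java-archive",     "google",   False),
    ("2022-03-01", "s003", "application/java-archive",     "o365_atp", True),
    ("2022-03-01", "s004", "application/msword",           "google",   False),
    ("2022-03-01", "s004", "application/msword",           "o365_atp", False),
    ("2022-03-02", "s005", "application/vnd.ms-excel",     "google",   True),
    ("2022-03-02", "s005", "application/vnd.ms-excel",     "o365_atp", True),
    ("2022-03-02", "s006", "application/vnd.ms-excel",     "google",   True),
    ("2022-03-02", "s006", "application/vnd.ms-excel",     "o365_atp", False),
    ("2022-03-02", "s007", "application/pdf",              "google",   False),
    ("2022-03-02", "s007", "application/pdf",              "o365_atp", False),
    ("2022-03-02", "s008", "application/vnd.ms-excel",     "google",   True),
    ("2022-03-02", "s008", "application/vnd.ms-excel",     "o365_atp", False),
]


def daily_miss_rate(log):
    """Fraction of replayed samples that reached the inbox, keyed by (provider, day)."""
    reached = defaultdict(int)
    total = defaultdict(int)
    for day, _sid, _mime, provider, inbox in log:
        total[(provider, day)] += 1
        reached[(provider, day)] += int(inbox)
    return {key: reached[key] / total[key] for key in total}


def miss_rate_by_mime(log, provider):
    """Miss rate for one provider broken down by attachment MIME type."""
    reached = defaultdict(int)
    total = defaultdict(int)
    for _day, _sid, mime, prov, inbox in log:
        if prov != provider:
            continue
        total[mime] += 1
        reached[mime] += int(inbox)
    return {mime: reached[mime] / total[mime] for mime in total}


def flag_campaign_days(daily, threshold=0.40):
    """(day, provider, rate) for every day a provider's miss rate is at or above
    the threshold; a sudden spike like this is the signature of an emerging
    campaign that happens to bypass that provider."""
    return sorted(
        (day, provider, rate)
        for (provider, day), rate in daily.items()
        if rate >= threshold
    )


def missed_by_all_providers(log):
    """Sample IDs that reached the inbox at every provider they were replayed
    through: the residual gap that a single provider's filtering leaves open."""
    outcomes = defaultdict(list)
    for _day, sid, _mime, _prov, inbox in log:
        outcomes[sid].append(inbox)
    return sorted(sid for sid, hits in outcomes.items() if all(hits))


if __name__ == "__main__":
    daily = daily_miss_rate(REPLAY_LOG)
    for (provider, day), rate in sorted(daily.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        print(f"{day} {provider:9s} miss rate {rate:.0%}")
    for provider in ("google", "o365_atp"):
        print(provider, miss_rate_by_mime(REPLAY_LOG, provider))
    print("campaign candidates:", flag_campaign_days(daily))
    print("missed by every provider:", missed_by_all_providers(REPLAY_LOG))
```

The per-MIME breakdown is what turns "provider X missed more today" into an actionable statement such as "provider X is weak on Excel attachments this week", and the samples missed by every provider are the ones a layered control has to catch.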

Learn more about InQuest's Email Security Assessment.