Opinions on Egress/KB4 Defend vs other email security gateways?
Posted by JerradH@reddit | sysadmin | 15 comments
Currently, we're using Symantec Email Security Cloud as an MX based first-line email filter, and we're looking to get away from it due to a multitude of issues we've had with it over the years.
Our top option right now is KB4 Defend, formerly Egress. We're already in bed with KB4 with security training, and after doing the PoC, it looks to be a really solid product, especially when paired with PhishER to handle user reported phish alerts.
That said, are there any other email security platforms we should be looking at that you believe are better in terms of performance, automation, and cost?
TahinWorks@reddit
We were a KB4 customer, looked at Defend, and decided against it and went with Abnormal instead. The difference was that Defend did not take action on detected email, it was a visual classification tool only, and still relied on the user reporting the email into PhishER for any automations to trigger.
Compared to other AI products on the market, this was an enormous design lapse. We want to augment M365 security with something that takes proactive action to remove threats, not just identify them.
CaptainMoloSFW@reddit
Defend definitely does remediation as well, not just the visual banners.
Lad_From_Lancs@reddit
So KB4 Defend delivers a detected threat email to a user's mailbox and just tags it with some words rather than holding it back?!
snookpig77@reddit
Have you looked at Abnormal AI?
JerradH@reddit (OP)
Nope, not yet.
snookpig77@reddit
I moved to Abnormal about a year ago and love it. I was using KNB4 for my phishing coaching and now Abnormal does that itself. Auto-generated by the types of emails a user has been receiving. You just have to set the schedule.
improbablyatthegame@reddit
Sublime being another contender in this space, although Sublime contends they can sit inline, rather than strictly API-based.
JwCS8pjrh3QBWfL@reddit
Yup, we looked at the KB4 products (even as existing customers) and ended up with Abnormal instead.
Lad_From_Lancs@reddit
Following! We currently use Mimecast > Exchange Online with KnowBe4 for training! Had this setup for many years and have not had much grief.
We have been presented with Eset's ECAT at half the price of KnowBe4's training - it's missing a couple of features, but overall it felt like a sensible move....
However, I then learned about the potential of KB4 Defend, which ties in with their training and PhishER button - I'm quite pro in having a single pane of glass for end users rather than multiple platforms, just lessens the friction.
Their biggest sell was BEC (Business Email Compromise) detection, we are about to get with Mimecast anyway...
For us, it would be a 2027 switch as we are too close to our Mimecast renewal this year, but need to know if I should move to KB4 Defend in 2027 as that will sway my decision on staying with KB4 or switching to ECAT!
JerradH@reddit (OP)
The tie-in with training and PhishER is a big plus for us, particularly PhishER as right now we're manually handling any reported emails through auto-generated Help Desk tickets. And by we, I mean me. Lol. It's a time-consuming PITA.
Lad_From_Lancs@reddit
Yeah, I'm not a fan of having to manually look through emails, but it's a necessary evil, and I always tell anybody who will listen, I would rather spend 5 minutes looking at an email a few times a day than having to deal with an incident raised by somebody mis-clicking. Although as it stands, we just use the report button and don't have a PhishER subscription. Awaiting costing on that one, but I dare say it might be out of reach - pockets are only so deep :(
My concern with Defend + PhishER - if the email got through their Defend product, and somebody pressed the PhishER button, then I would assume there would still be work to do, as I suspect the PhishER won't find anything wrong with it the second time around.
Staying with the Mimecast [or insert other 3rd party scanner here] > Exchange approach, along with PhishER or even just a 'flag it to help desk', it adds another layer of defence, but is a manual button push, meaning the user needs to do something first, rather than it being automated before it gets to the user!
JerradH@reddit (OP)
PhishER, if it does what it claims, will minimize the manual process significantly. I'll at least be able to look through the audits easier, rather than having a help desk ticket generated, change the fields, do my investigation, block/allow/do nothing, and close the ticket.
Calm_House8714@reddit
I still like Mimecast.
sryan2k1@reddit
Who is hosting your mail? The E5 security features of M365 are on par with 3rd parties and eliminate the need for another vendor.
JerradH@reddit (OP)
M365 Exchange. We have Security E5 licenses with BP for end users, and while it does an overall good job at filtering, it's definitely letting through a good amount of obvious phishing emails, or is inconsistent in that it blocks bad stuff for some users, but not for others. We have best practice policies in place along with some custom mailflow rules to block bad stuff with established patterns (e.g. gmail + keywords).
Thus far the KB4 PoC has caught a good amount of what Exchange hasn't, and has also done a good job of labeling things. It does tend to be overly aggressive with Graymail tagging however.