In this 20-minute webinar, GreatHorn CEO and co-founder, Kevin O’Brien will help you understand targeted phishing, how it’s evolving, and what to do to protect your organization from business email compromise. Specifically, he’ll cover: How attackers execute social engineering attacks targeting your employee, 4 common misconceptions or “myths” about email security, and new approaches to email security for Office365 and GSuite to protect against advanced threats.
Hello, everyone. We’re just waiting for a few people to join, and the webinar will start in about one minute. Thank you.
Hello, everyone, and welcome to today’s session. I’d like to introduce our presenter, Kevin O’Brien, CEO and Co-Founder of GreatHorn. Kevin will talk today about the latest phishing and social engineering techniques, and why it’s time for a new approach to email security. Following Kevin’s talk, which will run for about 15 minutes, we’ll do a Q&A session, so please send him your questions through the screen that appears on the webinar. This webinar will be available on-demand on the GreatHorn website within the next 24 hours, and we’ll send you an email once it’s posted. And with that, I’ll turn it over to Kevin.
KEVIN O’BRIEN: Thank you, Christy. Hello, everyone, thank you for joining. So, briefly, before we dive into the content, a little bit about who I am, and why I’m speaking today about the email security landscape and how it’s evolving. I’ve been working in the cyber security space for about 20 years. I was part of the @stake team that was founded in 1999, early 2000, acquired by Symantec in what feels like the prehistory of 2004. I’ve had a number of roles over the course of the last 20 years or so, including a founding-ish role at CloudLock, and a founding team role at a business that was acquired by Thomson Reuters back in 2007. I started GreatHorn almost 3 years ago, now, with a focus on next-generation email security, and evolving the email security landscape as more and more businesses are moving to Office 365 and Google in the cloud. We’ll talk more about what GreatHorn does as we come towards the end of our formal presentation, but from a high-level perspective, what I want to spend some time today on is where the email landscape is changing, and how that’s happening. We hear a lot about various kinds of email security-related threats, and there’s a fundamental shift that is occurring from the kinds of security issues that organizations are grappling with, as they think through their email security infrastructure, versus what they might have been doing ten or even five years ago. We’ll spend time looking at why that’s happening and why it necessitates a change, [04:00] with respect to your email security strategy, and some of the misconceptions and myths that people carry about email security based on what the technology landscape looked like in earlier generations and eras of email infrastructure, and then we’ll segue into a conversation about how that evolves for Office 365 and G Suite, the predominant cloud email providers today.
As Christy mentioned, we’ll leave a few minutes at the end to answer questions, and I’m looking forward to taking as many as we have time for.
One of the things that we sometimes get when we begin these kinds of conversations is a head scratch, and that head scratch typically comes because someone will look at their email security system and say, “we’ve been doing this for a long time, I thought we had it solved.” The problem here is that many of the kinds of email security risks and threats that we see are different from those that we encountered when the primary problems [05:00] with email were deliverability or spam. Over 90% of all data breaches today begin with a highly-targeted email attack, and those email attacks result in stolen credentials, loss of intellectual property, and in many circumstances, east-west migration attacks that go from email into core backend systems that contain customer data or even financial access.
Although phishing is evolving as an attack type, the problem itself remains unsolved. In fact, if you look at some of the statistics in the industry, on average, US businesses alone suffer from nearly $343,000 in damages every hour. And this number has been going up year over year, for the last five years, according to the FBI. Some of the things that we think about when we start to address that problem are the trifecta of attack types that many of the malicious actors today who are executing these attacks have found to be incredibly pervasive and effective at getting around traditional email security products. The first is business email compromise, which we sometimes refer to as “spear phishing”, and we’re going to spend some time looking exactly at how these attacks evolve and how they work, but you can think of business email compromise as an impersonation attempt, either of an individual executive at a company, or of a known service that an organization might use, like a Dropbox or a Salesforce, that gets impersonated, and that impersonation leads to a more sophisticated attack than you might see from generic phishing, where someone gets an email that says that they’ve received a million dollars and they have to wire money somewhere. We all, as consumers, have seen the latter over the course of the last decade, but business email compromise [07:00] is different from generic phishing in that it tends to be highly-targeted and very advanced. The second attack that we see get around many of the traditional products and offerings today are malicious URL attacks, and these are attacks that get weaponized or turned into threats after they have been delivered. The canonical example that we see is a WordPress site, a common blog software package that runs on servers that people often fail to update.
WordPress attacks will execute themselves by delivering a URL into the inboxes of users, and then the compromised site will be modified to either steal credentials or deploy malware or ransomware hours after the initial email is sent, giving the attacker a sufficient amount of time to ensure that those emails reach their targets, and then they become threats. And finally, malicious files are still responsible for a significant number [08:00] of data breaches and data loss events. Often, today, what we’re seeing are not what signature-based end-point security solutions will pick up. That is, these are not viruses, but they’re more sophisticated examples of APT or advanced persistent threat attacks, or in some circumstances, ransomware, as over the past year or so, we’ve seen with things like the Locky attack, or some of the other major data breaches that have shut down large swaths of industry.
How does this work, though? Well, the thing that you have to understand as you begin to think through the modern email security challenge is that attackers are incredibly smart. Take, for example, a manufacturing company, JABIT. JABIT has a website and a presence that an attacker decides they’re going to utilize as part of a targeted attack, because they want to potentially steal some intellectual property, or maybe they want to execute a fraud or other impersonation-driven attempt, to get someone to give them access to the backend systems that JABIT runs. The first thing that an attacker will do when they’re executing an attack like this is they will go and look at the JABIT website. They will begin to understand the markets in which this organization plays, how they describe themselves, the brand, the colors, the logos, all of this information that’s made available. From there, they will select a target, such as someone who is in charge of finance inside of the organization, and that person, in this case, David Beamen, may actually be someone who is listed on the “About Us” section of the public website, and like many people, David has a LinkedIn profile, and the LinkedIn profile gives you the formal title of that individual, as well as, and importantly, their picture. Most of us look at email today, and they see a colleague’s picture and their name, and that’s how they recognize whom the email is from, but so much of this information is available on LinkedIn, we’re putting it out there on social networks, or they’re on secondary platforms, Facebook, Twitter, other business networking sites, that a motivated attacker can get a tremendous amount of information about the individual. Maybe David writes the occasional LinkedIn contributor post, or tweets actively, or has a blog. 
With this kind of information, tone, grammatical choices, the kinds of language that David uses, all become available as well, and, if David has integrated something like a trip software, a TripIt piece of integration into LinkedIn, the attacker can even begin to understand where this person might be, in terms of their physical presence, and can make reference to events and things happening in David’s life, all of which will deliver to their intended target a degree of believability, and that is 100% provided by David, and something that an attacker can then utilize when they begin to go after their intended target at JABIT.
The way this works will typically then look like an attack email that is believable. So, my attacker in this model, and we see this often amongst our clients, will send a note first to someone at the sales team at JABIT. Sales people tend to be pretty responsive, so they send a note back, “oh, you’re interested in something that we do, happy to talk about it,” and in doing so, they’ll hand over the format of the signature for the organization, any logo or color or website links that should be there, and it’s trivial for that attacker to then modify the signature of the sales executive with that of their intended impersonation target. Note, here, that this attacker has actually registered something like [email protected], associated the picture they grabbed from LinkedIn, noted, by looking online, what the various things that David does are, maybe they see that David has a large set of relationship points with sellers at ADP for payroll, and make a reasonable guess that JABIT is using ADP, and they select the secondary target, in this case, someone on David’s team, to send this note to. This email is coming from the david.beamen@gmail account that this attacker has created, however, none of that shows when this is looked at on a phone. Because, for the typical user on a mobile device, especially if this email is sent beginning or end of day, when they may not be in front of their computer, all they have are the picture and the name of the person sending it, and because it’s coming from a consumer email service, it’s going to pass the mail authentication checks that many organizations rely on to block spam or direct brand impersonations. For them, this email from javabit.com, that was set up a G Suite account, looks and feels for all the world like the real thing.
The problem is, this is a complete fraud. And if this email is sent at the end of the day on a Friday, and says that we have to make an update to ADP and it goes to a subordinate of the executive, it’s very, very likely that they will actually take action and perform whatever is being asked of them. This combination of psychological pressure and sophisticated attack creation will lead to many of the high-profile data breaches that we will see, both in the near future, and as systems continue to provide more and more personal information to attackers, either through the use of social media, or as a result of some of the large-scale data breaches we’ve seen. Think for a moment about how much personal information is lost when a credit agency suffers from a data breach. You not only have the names and pictures of people from LinkedIn, but you might have information about what cities they live in, what other jobs they’ve worked at, information about maiden names, if it’s a female executive, things that can be used to create very sophisticated and nuanced attacks.
So, the first myth that many people land on when they hear this is that it’s a problem that will be solved at the platform-provider level. Google or Microsoft, who are providing these email services, will clearly fix the problem with spear phishing. Well, unfortunately, this isn’t true. Much of the work that goes into solving for this kind of an attack is incredibly specific to the organization in question. Google and Microsoft do a tremendous job of protecting against data loss through somebody actually getting into a back-end email server, or walking into a data center and stealing information from a server rack. But the specific modification of the rules and delivery mechanisms inside of a company, and protection against impersonation of executives, relies on a detailed understanding of who those people are inside of the organization, and how they communicate. Those are not things that Google or Microsoft are in the business of providing; that is the purview of security, not infrastructure.
So, the second misconception or myth that often comes up in this kind of conversation is that email security is an old problem. We’ve been doing this for nearly 20 years; clearly, the legacy email gateways and providers who offer perimeter security solutions should protect against these kinds of attacks. Now, don’t get me wrong, you can look at your email security gateway and think about it in terms of stopping basic spam, or obvious virus-laden files. But these targeted attacks are intentionally crafted to get around these kinds of solutions, and because perimeter security tools are only able to affect whether or not a message is delivered, they lack the ability to graph the relationships and reputation of senders and recipients, and to identify legitimate versus illegitimate mail based not on whether or not there’s a piece of signature-accessible malware, or something that has been known bad in the past, but rather on an emergent attack, something that is the equivalent of a zero day, but for the email security landscape. Email gateways simply don’t have the technology or the technological access as a pre-delivery solution to build that kind of analysis into the mix without causing massive delivery delays, which are incidentally one of the weak points of secure email gateways overall, many of which have had numerous and notorious email outages over the years. Email gateways cannot protect against business email compromise attacks, let alone against attacks similar to the WordPress example we mentioned earlier, where they’re weaponized downstream.
So often, what we see now is organizations moving to the human element. If you go back three or four years and think about cloud infrastructure, the concept of the human firewall, or protection through end user education, comes up. The problem with security training is that security training, from an email perspective, teaches us to hover our mouse cursor over links. You don’t have a mouse cursor on a mobile device. Or, it tells us not to take action when we see an email that might be suspicious, but these kinds of attacks aren’t suspicious-looking. So, although security training is a requisite part of a compliance program, it has very little to no impact on the ultimate efficacy of a targeted social engineering attack, because targeted social engineering attacks are based on psychological pressure, seniority, time, urgency, the kinds of factors that we saw in the example of David a moment ago, and training will not provide any benefit against these highly-crafted and well-executed examples of a security threat.
And the fourth, and often final, misconception or myth that comes up, is that clearly, we’re fine. It hasn’t happened yet, so we don’t need to change anything. We either aren’t a large enough target, or we’re safeguarded by the things we’ve been doing. However, if you look at the industry statistics, time-to-detection for a breach has been increasing year over year, since studies began being run, whereas time to data [exfiltration?] in a breach has been decreasing. What that means is that, for many organizations, not having been owned yet, or not having experienced a breach, is, at best, circumstantial, and at worst, when it does occur, it won’t be discovered for three, six, or even nine months. Relying on a lack of known negative outcomes is equivalent to saying, “I’ve never been in a car accident, so I’m not going to wear a seatbelt.” Security needs to occur before something happens, not after the fact, when the repercussions and damage to reputation and brand have occurred.
So, what can we do? At GreatHorn, we believe that the answer is to rearchitect the email security market specifically for the next-generation email security platforms that organizations are using. Especially as more and more companies move to the cloud, cloud-native protection against targeted phishing and business email compromise, malicious links and files are essential components of a modern security stack. And, unlike legacy gateways, a cloud-native approach does not require redirection of mail through a third party, bringing about not only delivery problems, but also compliance issues, as organizations around the world grapple with emerging standards like GDPR. And, unlike the legacy gateway, a deployment of a cloud-native security platform can occur in minutes, not weeks or months. GreatHorn has been doing this for three years, and we have been recognized across the industry as being capable of detecting these carefully-planned and targeted attacks, and providing automated remediation that drives down both time-to-detection and time-to-response, such that organizations can safeguard themselves against these kinds of attacks. That is what we have from a formal presentation perspective. I believe we’ve gotten a few questions, so, Christy, why don’t I turn it over to you, and we’ll take as many as we can.
C: Yeah. Thanks, Kevin. Now, we’re going to take a few minutes to answer some questions, so if you do have questions, please go ahead and type them into the question window that appears to the right of the screen, and we’ll try to take as many of these as we can. So, the first one, I see one here, it says, we have an email gateway in place. Can you talk a little bit more about, would GreatHorn replace that?
KO: Sure. So, it’s a good question. The answer is that, oftentimes, our clients are replacing their traditional email gateways with a new implementation of GreatHorn. However, it is not technologically required, and we have clients who have been locked into long-term contracts with legacy providers, and who have then brought GreatHorn on board when they have experienced phishing attacks that have bypassed those gateway solutions. We don’t need to eliminate the gateway in order to function, but often, it’s redundant security, and once GreatHorn’s in place, those lengthy contracts can be removed or cancelled.
C: Another one, what are the main things to look for in an email security solution, specifically for Office 365?
KO: That’s also a very good question. Our friends at Gartner have written quite a bit about this recently, and if you’re a Gartner client, you can go and find information on the emerging security markets, specifically around advanced threat protection. And, that’s very much the answer to the question directly, which is that email security has evolved because email attacks are evolving, and in Office 365, many of the foundational protections that are available to clients running at E3 or E5, such as Exchange Online Protection, also known as EOP, can do a very good job at stopping low-level spam and low-level malware. These kinds of things should be configured out of the box, and if not, you should speak with your rep at Microsoft, or your cloud migration provider, to ensure that those have been put in place correctly. However, that level of protection needs to be augmented with a solution that doesn’t remove the value or diminish the value of having migrated into a cloud environment. Avoid things that will cause delivery delays or performance delays of 365, and augment by finding cloud-native protections, ideally with partners who are running in the same infrastructure as Office 365 itself. Look for Microsoft Platinum partners who have gone through the work of deploying using the APIs that Microsoft makes available, and who can augment the native protections with advanced threat protections.
C: Great. Here’s another one, what email does GreatHorn see? Is it all email? How does it connect to my environment?
KO: Yeah, also a very good question. So, GreatHorn analyzes every piece of mail inside of a mail environment when we’re connected to it, and that means that all of the incoming mail, or inbound mail, as well as all of the outbound mail, will be used to drive the machine learning model that GreatHorn uses to detect these kinds of advanced threats. Unlike a gateway, however, GreatHorn doesn’t take copies of any of those messages. We don’t create an additional repository of your email. All of that analysis happens post-delivery, and pre-send, but it occurs in real-time with no downtime, and no shadow copying or BCCing of mail to an insecure third party. [24:00]
C: All right, we have probably time for one to two more, but one says, can you give a high-level view into how GreatHorn detects these phishing emails? Do you have competitors that are doing the same thing?
KO: Very, very good question. So first, I will say that on the screen right now, we have information for how to get in touch with us, and we’d be happy to walk through this and provide more of a technical demonstration of the product, and some features and functions around how we do this, but the high-level answer is that the traditional mail gateway market has focused on signature-based detection. That is a combination of real-time blacklists, analysis of known spammers or malware providers, and information based around the kinds of things that would trigger an end-point security solution as well, looking at malware based on an integration with a partnership providing AV. GreatHorn inverts this model. We take a non-deterministic, or in other words, a [saristic?] approach to looking at mail. We build a social graph that bases all of our deep relationship analytics on factors such as how often senders and receivers communicate, whether or not there’s an existing relationship between a new email address and individual contacts inside of an organization, and correlate that to the data that we’ve generated over the last three years; we’re analyzing hundreds of thousands of mailboxes every second to identify anomalies and emerging threats. Probably not time to get into it in great detail here, but underpinning this entire system is a machine learning system, a very trendy word right now, but something we’ve been doing for over three years as part of our core platform, that gives us the ability to detect those emergent attacks without relying on signatures.
No one else in the market today is doing what we do. No one else is providing a cloud-native post-delivery analysis solution, predicated on the use of the APIs and the email model that we have. Email gateways are starting to appropriate some of the language that GreatHorn uses, but no one else offers the same level of technical ease or sophisticated analysis.
C: All right, one last question. Can you explain post-delivery protection again? Does this mean threats will be in the employee’s mailbox?
KO: So, there’s a distinction between a mailbox and an inbox. The inbox is what you see when you look at this on your phone, or you’re looking at a particular client. The mailbox is the technological place where all of that lives. GreatHorn’s post-delivery model means that mail moves into the mailbox, but our implementation does not allow a user to see a message until it has been fully analyzed by GreatHorn, and if it is something that looks like a threat, through the use of our customizable policy engine, we will either remove or modify it, to defang any potential attacks, before a user interacts with them. We can do this without causing delivery delays, unlike a gateway, because we don’t route mail through a system that we’re holding. That’s a major security vulnerability in and of itself, and one that we don’t present. However, the mail is at the mailbox level before a user sees it.
C: Great. Well, it looks like we’re at the end of our time, so, for any questions that we didn’t get to answer today, we’ll follow up with you directly. So, thank you everyone for attending today’s webinar, and please reach out to us with any questions or to schedule a demo. Thanks a lot.
KO: Thanks, everyone.