In this webinar, in collaboration with SC Magazine, GreatHorn’s CEO, Kevin O’Brien outlines the big reasons why legacy email security strategies are failing to keep up with advanced threats–and the changes you can make to stop them.

Kevin looks at email security through the lens of the classic “People, Process, Technology” triangle–and highlights where we as an industry have fallen, and how we can get back on track.

 

Download the Slides >

 

Transcript

Three Reasons Email Security is Failing and How to Fix it

Doug Olenick: 

Hello, everyone, and welcome to today’s session.  My name is Doug Olenick and I am the online editor for SC Media and I will be the moderator for this program, which is sponsored by GreatHorn.  Our topic today is three reasons email security is failing and how to fix it. Our speaker is GreatHorn co-founder and CEO, Kevin O’Brien.  Now, before we get started, I would like to go over one quick housekeeping item. There will be a question and answer period after the presentation so please place your questions in the space provided on your screens at any time during the broadcast.  Now, one of the most common methods used by cyber-attack hackers to access an organization is email.  By using advanced social engineering methods that can fool even a well-trained staff, along with even newer types of malware, criminals are able to breach even the toughest defenses.  Today Kevin will examine email security through the lens of the old people processes, process technology triangle and highlight where, as an industry, we have fallen down and how to get back on track.  And, with that, I’d like to turn the show over to Kevin.

Kevin O’Brien:

Thanks, Doug.  And thanks to everyone for joining.  Looking forward to the conversation today.  You know, I think the right place for us to start this conversation is by looking at what the rest of the problem is.  Many vendors are coming out and talking about email security and why it’s important. But I want to ground the conversation in some of the more recent statistics and facts around the email security problem that we are all facing so that we can then have a more meaningful conversation about what we can do to address the root causes for the expansion of understanding.  Obviously, we have some stats up on the slide here and I won’t read them.  But let me broaden that a little bit and also talk about some of the problems in the sort of financial picture that we’re facing. 

Email security, as a market, has been growing over the past three years, significantly.  If you go back to 2017, it was a roughly two-and-a-quarter billion dollar problem and market.  And that momentum has grown year over year, uh, to the point that by 2022, uh, there’s an expected market size, according to the folks (inaudible 02:15)of nearly three-point-six billion dollars, just on email security alone. That’s huge.  And if you think about what that means, in part it’s because there’s such a wide expansion and rapid expansion in the number of breaches and financial loss that’s occurring based on a failure of the market and solutions that are out there to address the core problems, some of which we’re gonna take a deeper dive to look at today. 

Year over year, we have seen, according to the FBI, and they just recently, last month, published their, uh, internet crime report, the IC3 report, and it’s well worth reading.  Uh, you can get it for free on the FBI website.  But there’s been a 29% increase in business email compromise complaints.[00:03:00] Uh, and tha– those are, when we talk about business email compromise, what three or four years ago we would’ve referred to as spearphishing. It’s also been called whaling. This is targeted executive impersonations.  The kind that you probably see inside of your organization when your CEO or CFO supposedly asks that somebody go and buy 100 AmEx gift cards.  Or they send out W-2s and tax information around tax time for all staff as part of a wage study.  But, really, those are, are emails that are fraudulent and being sent by attackers.  The flip side of that nearly 30% increase in the complaints that the FBI is tracking is a nearly 80% increase in financial loss due to these specific crimes of email security threats.  In fact, there is now an average cost of a single, uh, business email compromise or BEC attack of, in aggregate, 60,000 dollars.  Just under about 58,000. 

So this is a major problem and as we note here, 48%, so almost half of all the financial losses that were tracked by the FBI last year, were due to just this one kind of, of email security attack.  And there’s an enormous number of security incidents that are directly correlated to these specific kinds of, uh, email issues and problems.  And so today we’re gonna spend a little bit of time to, to look at what the root causes are.  But I think it’s important to note, uh, that phishing is the top threat action, statistically, used in breaches.  And this is backed up by facts and statistics, if you’re interested and want to follow up following our presentation today, in the Verizon data breach investigation report, which also just recently came out for, for the year. And there’s a lot of information here about what that looks like, broken down by industry, by motivation and, unsurprisingly, most of the time when, when attackers are going after an email system, they’re doing so with financial motivation.  That’s about 70% of the time.  Or, and I think this is really important for us to talk about, uh, nearly a third of the time, the breaches are about stealing credentials.  And that’s maybe a point that’s a little bit more difficult to recognize the importance of, uh, on the face.  But credentials, especially if you’re running a cloud email system, G Suite or Office 365, are not just credentials into your email platform.  They’re probably also the same credentials that are used to gain access to, if you’re an Office 365 shop, your Share Point environment, or if you’re a Google shop, your Google Drive environment.  Which means that organizations that have, uh, information of strategic advantage that an espionage driven attack might go after from a competitor or foreign adversary. They can get your email credentials and get someone to fall for one of these phishing campaigns, not only can they directly go after money, the gift card scam that we just talked about, but they can also try to get someone to, to give away credentials and lead to a strategic espionage attack.  About a quarter of all breaches that, that both the FBI and some of the other industry players like Verizon track come from organizational attacks designed to yield that kind of espionage level information. So this is a bigger and bigger problem, right?  And it’s a problem that most organizations aren’t yet equipped to deal with.  Why is that?  Well, first, we have to acknowledge that despite the massive investment that we started this, this presentation by talking about, traditional email security tools are failing to pick these things up.  And most organizations have invested, at this point, in some form of email security but impersonation attacks.  And I’m gonna use impersonation attacks here to mean the entire range of modern email security threats, from executive impersonation to impersonation of an outside vendor to straightforward impersonation of, of, uh, of partner or colleague or organization that you might trust.

These tools, specially gateway-driven tools that are designed to be really basic perimeter or firewall-like protections, simply can’t detect or keep up with these attacks quickly enough, which is why we’re seeing such a, a rise in the efficacy of them and a reliance upon these attack types by the attackers that are going after either finances or, or, uh, sensitive data and crown jewel information. 

Secondly, we had a massive investment, from an industry perspective, in training over the course of the last four or five years.  There have been some major security vendor acquisitions and, and mergers in this space.  And if you roll the clock back and, and you think about the industry I was talking about, circa 2017, 2018, organizations are saying well, you gotta have a security training program, security awareness training, phishing simulation.  Might be true.  Uh, there’s some hope, uh, with, with regard to phishing ’cause click rates have gone down a good bit.  Uh, and as of 2019, the general click rate on a phishing campaign is about three percent. But the troubling news here is that three percent is still really high.  If you think about, uh, what that means statistically, one in 33 people will, will fall for something.  And, do the math.  When you have a major organization presence on email and, and everyone has an email account, for the most part, there’s a lot of threat there.  And despite nearly 450,000,000 dollars spent on, uh, training programs, the reduction in click rate between 2017 and 2018, according to, to the same stats which are cited, was about one percent. 

So training really isn’t getting it done.  And so training is important and it’s a necessary component of a robust email security strategy but it is utterly inadequate when you actually think about its security play designed to soften the, the sort of financial loss that we’re talking about here.  And there are other reasons why one might do it, such as compliance or, or in order to have a baseline or protection.  But over half of all professionals can’t differentiate a highly advanced email threat from spam and this is something that, that obviously means that a more robust response is, is necessary.  And then, finally, uh, tools and staffing.  So there are a number of vendors, and, and GreatHorn is obviously one. That’s why we’re sponsoring the webinar and at the end I’ll pitch just for 30 seconds.  But, um, regardless of whether you’re working with an organization like ours or you’re looking at some of the other market players who are, [00:10:00] who are investing in, in technology as a response, the problem here is that, uh, direct remediation action is something that needs to happen, uh, roughly one in five times.  So about 20% of the time.  And most of the traditional email security vendors out there are still thinking about the world either as a perimeter security play, that is something that will block and keep bad email from reaching the users, or it’s something where the technology that’s being pitched is supposed to work in concert with a traditional security email gateway.  The reality, though, is that if 20% of, of the phishing work that is coming in, or the email security work that is coming in requires hands-on keyboard.  You have to look at the broader, uh, stats around breach detection, which is that nearly 60% of all breaches take months or longer to discover or respond to.  And so incident response is a critical part of a coherent email security strategy. And every day, hour, minute you can reduce the level of effort and time to remediation, uh, that is required from a modern security play around email, translates to reduced breach exposure and reduced financial exposure.  Unfortunately, most of the folks that are in the space haven’t caught up with that and then they’re pitching or trying to pivot really old-school technologies that just can’t address this part of the, the problem.  And so you have in, in concert with poor detection and an over-reliance on training, uh, an under-developed tool kit for most of the vendors out there.  And so they are in a race to the bottom to try to make their, their solutions, uh, as robust as possible.  But there’s a fundamental set of flaws in terms of what they’re doing.

There’s three reasons that we see, uh, what is, to why these flaws are, are persistent in this market and why companies are still having a hard time.  [00:12:00] And the first is technological.  Really, if you roll the clock back to 2011, 2010, 2011, you will see an organizational shift from on-premise infrastructure to cloud infrastructure.  And this is not a point I’m gonna spend much time on because it’s almost, uh, redundant to talk about cloud migration today.  But there’s something that happens here, uh, when organizations began moving not just IT workloads in places like, uh, back-end servers, DWS or to Azure, but also some of their front-end or front office concerns. Things like email or file management to Office 365 or G Suite.  And that is the, the perimeter dissolve.  And many, many companies and security, uh, companies in particular have talked about this concept of dissolving perimeters, it’s become a marketing speak.  But there’s something real about that which you have to understand if you want to piece together why traditional email security and, more importantly, why traditional email security vendors and security email gateway vendors, in particular, not only haven’t kept up with the, the threat that we see today but never will be able to keep up with that threat. And that is that an organization that transitions to a cloud architecture simply doesn’t have the luxury of waiting for an email message to be filtered and quarantined or delivered before it’s received by a user because that experience, especially where those credentials are used to log into multiple different access points, multiple different pieces of the cloud architecture, uh, simply are, are designed to be continuously accessible from a highly heterogeneous end point environment. We talked about this seven years ago. This would be shadow IT, right? And there was consternation and hand wringing over whether users would bring their own phones or devices into the corporate environment.  Good luck getting an organization to not have users who bring their iPhones or their Android devices or their tablets to work or expect to log in on them.  That’s just the way of the world these days.  But it means that the perimeter and the concept of blocking at the perimeter don’t align to business operations.  And so a traditional approach, standing up what’s essentially a firewall around email, makes no sense.  And not only does it make no sense, it doesn’t support the kinds of threat modeling that attackers are now relying on when they’re going after people, whether that’s by sending an email at the start of the day when they know someone’s gonna be looking at their phone, uh, before they’ve left the house, or sending something on a Friday night or Saturday morning when they think they can trick someone based on some concept of urgency.  And that alignment to social engineering techniques, coupled with a better understanding of, of technological, uh, deployment of email means that security vendors that are very much good or bad but block things simply don’t have the, the capabilities to integrate into the cloud in the way that they need to.

I want to call something out here.  [00:15:00] We’re trying and seeing many of these legacy vendors start to talk about themselves as being cloud companies.  Uh, in fact, they’re using that in language to, to try to, uh, almost bamboozle end users.  We’re a cloud-native solution, they say, for email security.  What they mean is that they’re not going to literally ship a hardware appliance to a, a purchasing organization.  And that’s great, right?  But that’s fundamentally different from being integrated with the cloud that is being API driven and capable of doing analysis of messages, from an email perspective, both pre-delivery and post-delivery.  Both providing that level of analysis and detection before something is seen by a user, but also having that incident response tool chain that allows for remediation or redaction, even of, of emergent or zero-day attacks. 

And, in fact, that leads to the, the second piece.  What Doug said during the introduction is that we’re looking at this from a people process and technology perspective.  Uh, technology is not necessarily the panacea here and that might sound strange for a technology vendor to say that.  But the idea that you can have a model for looking at threat and, and blocking threats from coming in, that if you just had good enough threat intelligence or you just had enough features and functions, you’d shut down this attack type, it’s utterly flawed.  And it’s equally flawed to think that you can do this purely through people, by training them.  In fact, the very reason why training was hot was because many organizations started talking about people being the, the best perimeter or the last line of defense or the best defense.  But the reality is that, that training is theoretical.  And theoretical events are never as good as, as having something that’s capable of showing you, in real time, where a threat comes from.  I’ll sometimes draw the analogy when I’m talking about this.  Uh, having user training is akin to if you have children who are in elementary school, especially in the United States, uh, they’ll, they’ll go through fire safety training at some point and they’ll bring in the fire marshal.  And the fire marshal will say don’t hide in the closet if there’s a fire in the middle of the night or hide under your bed.  And, and you should have a plan for getting out of the house and you should practice it with your parents.  Right?  And so this is good.  This is what we want to teach our children.  But we don’t say well, that’s fine and we’ve trained them.  Let’s get rid of the smoke detectors.  You need something that’s actually able to tell you when a real incident is occurring.  And so relying solely on the people side means you’re telling people, in theory, these are the things that you should be aware of but there must be some technological component that complements that training and that is designed to alert people to real threats, not just theoretical threats. 

And, finally, the process side, right, there, there’s no good in having tooling that alerts you and a recognition that you have to both train and, and invest in that that tooling so that people are able to recognize threat in real time if you don’t have a playbook that those people can turn to when they see those alerts.  When they see that, that real time, uh, this is phishing, that something is happening. And, for many organizations, there’s very, very limited, uh, investment done on the business process side.  So, now, as we look at the evolution of the email security problem, we have to piece something together that touches all three of these.  And that’s where we start to see, uh, the, the real, uh, challenges around the pure technology deployment side, which is that the traditional security market for email has been based on static analysis.  And we’re seeing that static analysis, by which we mean the ability to consume known bad information, whether that’s yarovalis or CBEs or threat intel sources that glean from places like spam house or, uh, phish tank or phish, uh, phishing information sites, Google Safe Browsing technology.  This, this type of threat intelligence, although good, uh, is generic and it’s also inherently delayed because there have to be a set of reports.  There has to be a set of analyses done prior to that data being distributed through whatever the threat intelligence platform is, and then consumed by the technology vendors to be able to, to block things.  And, increasingly, we’re finding and hearing people say that the cloud platform providers, the, the Googles and the Microsofts of the world, are going to incorporate better and better threat intelligence.  And so organizations are asking a very reasonable question.  Can’t we rely on our technology platform partners to handle the phishing problem or the email security problem.  But the answer is no because these are, again, generic and black box.  And, and they’re good insofar as they will take the baseline attacks and the noise and reduce it.  But we are seeing sea level executives increasingly being proactively targeted by cyber criminals.  [00:20:00]

Verizon noted that last year executives were targeted 12 times more than they were in 2018.  And according to that same report, the increasing success in social attacks with business email compromised or CEO fraud, uh, can be linked to, uh, an increasingly busy and stressful world, right, where people have, uh, a need to go and act in real time.  And an increasing level of sophistication where an attack might only be live for a period of four, six, 12 hours.  Meaning that static analysis, things that are based on these threat intelligence sources, will protect you from yesterday’s threats.  But the one that your CEO or your CFO or your finance team is going to fall for is inherently going to be delayed, uh, because it’s not gonna be in those databases yet.  And so we start to see that, that this investment purely in technology just isn’t good enough, nor does the focused education on phishing solve for the attack type that is hyper-focused and designed to bypass the generic here’s a link, I need you to click on it, because it’s gonna look so much more realistic. 

So what do we do?  If the problem is that we have failed to adapt technology to the actual technological landscape in which we play, over-relied on end users and relied on punitive training-based methods to try to change behavior, and over-estimated technology’s capabilities with respect to static analysis and threat intelligence.  The good news is it is possible for us to begin to implement what we would think of as an adaptive risk and response model.  Adaptive risk and response is essentially about cyclical analysis.  So we look at this and say that email security should operate much like cloud platform technology itself.  That is there is an ongoing cycle here of incorporating not only some of the static analysis and the ability to, to detect threats, but also an integration of that analysis and the outputs from it that is what you choose to do on a per-message basis.  How you write end-user-focused language to alert somebody be careful, this message you’ve gotten is suspicious with ongoing training.  It has a place.  You should continue to do it.  But it has to be backed by that technology.  And best of breed blocking and flagging capabilities.  Detection here matters.  Ten percent increase in your detection capabilities has a market effect on the reduction of risk that you’ll face when it comes to an advanced attack, especially if you’ve integrated that detection capability with investments in technologies that allow you to alert a user in real time to a threat, training to tell them what to do and then constant, ongoing revision of that that’s coupled with an instant response framework so that your security teams can react in real time to an attack before it hits with the static analysis vendors and the traditional secure email gateway vendors are gonna be trying to block in 24 hours or 48 hours. 

So I want to talk about that by, by also introducing a different idea here.  And in some ways, this is an old idea.  It’s the idea of people-centric security.  And this comes out of, uh, a different market entirely.  It comes out of, well, originally it came out of logistics and, and traffic design study, which we’ll talk about in a moment, but it really was popularized, say, 2013 in the cloud access security broker space. And here’s the, the brief story. There was a traffic study that was conducted in Europe around a very particular rotary, a roundabout, where, where traffic would come into a circle and, and move through and, and exit at speed. And this particular rotary was, uh, notorious, and this is a Gartner study.  You can look up people-centric security and go find, uh, the folks who wrote about this and read the original data.  But this particular rotary was known for being incredibly dangerous and there was a high mortality and fatality rate, uh, from traffic entering at speed and, and running over pedestrians, because it was also mixed-use. And, uh, a study was commissioned around how to deal with this.  And everyone expected that the output of that study would be a set of traffic-calming devices that would be implemented.  Stop signs, lights, rumble strips, speed bumps.  Interestingly, what happened was, following a fairly long, uh, period of research, the recommendation from the consulting firm wasn’t to implement those things but, rather, it was to literally remove all of the traffic-calming devices that were in place and leave the roads unpainted, freshly paved, with no stop lights, no signage, nothing from a, an awareness, like a rumble strip or speed bump, uh, implementation for a driver.  And, paradoxically, when this was actually done, the fatality and mortality rate at that traffic circle dropped to near zero. [00:25:00] And the reason was that it was so disharmonious from what the drivers who are used to entering that rotary going at speed were expecting that they snapped out of their reverie for a moment. They stopped just driving on auto-pilot and they looked around and said, wait a minute, what’s going on.  I don’t know where the oncoming traffic is.  I don’t know what is happening.  And they hit the brakes.  This idea is designed around the concept that if you implement end-user functionality that takes someone out of the expected experience and trusts them to make the right decision, it is far more effective than when you step in and try to take a more colloquial approach and own the next step or the action.  That is, with respect to email security, quarantining a message repeatedly will teach end users they have to go check the quarantine for false positives because, in all likelihood, a critical piece of business, like a salesperson trying to get a contract signed at the end of a fiscal quarter, is gonna be stuck in the quarantine and it’s better to go check everything.  Whereas if you implement things that simply alert users without taking that kind of re– restrictive action, they’re more likely to pause and pay attention and use their intuition and whatever training you’ve invested in. 

That is the same problem, incidentally, that we’ve seen happen over the course of the last 20 years with respect to spam.  We don’t talk much about spam anymore.  spam, from an email security perspective, is a commoditized problem, right?  Everyone feels like we’ve got this solved, we’ve got this licked.  But the thing about spam is that spam is, one, how most non-technical users refer to all email security concerns, and, two, we’ve done such a good job at putting things into spam and junk folders that most organizations are now seeing end users go into those folders and open mail up and interact with it because they simply assume that the filters are overly broad and there’ll be legitimate messaging stuck in there.  [00:27:00] In fact, that’s often the case.  Why is it that we, then, believe that the cloud email platform providers who have invested in this kind of anti-spam technology are going to suddenly get it right with respect to anti-phishing when they’re taking the same black box approach and often times implementing spam level or junk mail filtering for advanced attacks?  Right?  So the idea here is that end users need to be trained in the moment of risk.  It’s the concept of the smoke alarm going off in the middle of the night rather than simply having theoretical training that if you smell smoke, you should get out of the house.  And there are ways that this can be implemented that are interruptive of, of the end-user workflow just enough to get them to pause but not so much that they say well, I can’t trust the corporate IT team or the security team. They’re getting in the way of doing my work like the spam folder or the quarantine filter.  I’d better work around that or just release everything or just go read everything ’cause the technology is getting in my way. 

When we think about what that means, it is possible for organizations to deploy this kind of technology and see real results. Right?  There’s a bit of a leap of faith.  If you’re tracking the email market, email security is part of a broader market around email technology that is, in the words of one analyst, venerable but vulnerable.  Email has been around, as of 2019, for 48 years.  And so there is a concept that we’ve seen everything, we’ve done everything. One major, uh, analyst firm that, that publishes statistical analysis of all different vendors and email security, actually deprecated their primary research in the space a few years ago. They stopped publishing, uh, an analysis of the leading vendors because their consensus was, at the time, there’s nothing new under the sun.  We’ve solved all of this to the best degree we’re going to be able to do and it’s not useful to continue to publish research or expect there to be heavy differentiation between vendors.  Not long after that, we began seeing that the, the types of threats were evolving and, uh, the stats that we shared at the beginning of this session around risk went up.  [00:29:00] But it’s worth noting that they were wrong.  And it’s not that particular market.  This was a secure email gateway market analysis, uh, should’ve been continued. In fact, there probably is no innovation left in that traditional vendor space.  But over the last four years, five years, significant numbers of new approaches have come to light where it’s possible to alert users in real time, at the exact moment when that employee is making that decision, analogous to that driver approaching that rotary and saying this is the moment when whether I step on the brake or the gas is determinate to about whether we’re going to have an accident or gonna slow down and not hit a pedestrian.  And so it’s possible, with the right types of technological investment, to do something different in the email security space. But what’s different here has to look different.  It has to be proactive and not reactive, right?  Because attackers are so good at landing messages in inboxes, that the fundamental point cannot longer be how do I keep my users from seeing bad stuff. Because it’s not possible to go and actually put together a filter that’s just going to block all the bad things in the world.  No technology is a silver bullet.  And, and thus the point we make about technology not being a panecea.  Instead, what we’re looking for is the ability to blend together detection capabilities with real time alerting and incident response. 

When that’s done, and, and I’m gonna draw from my own personal experience running GreatHorn and some of our client statistics, although this is not unique to our platform, per se, uh, is that we stepped into an organization about two years ago now, Fortune 500 company, running a traditional secure email gateway, heavily invested in the legacy approach to this. And in our first year of working with them, we found over 50,000 threats to that secure email gateway, well configured from a leading vendor, put together with the best of intentions and complemented by security awareness training.  50,000 events that were completely missed by that legacy piece of technology.  And the vast majority of them were business email compromise attacks.  They were the ones that could do real financial harm, second only, uh, or, or backed up very closely, rather, by credential theft attempts. So not only were these people trying to get financial access, but this is a bio-pharmaceutical company.  They were trying to get access to credentials, which would lead to a massive breach, a major, horrible breach, in fact, given the amount of regulated, sensitive information that that kind of an organization sits on top of.  So, what we talk about here, then, is that there is a way to build a comprehensive approach.  The reasons that email security are failing are that we are over-relying on technology or over-investing in training and hoping that our end users are just going to magically be able to spot every well-crafted attack because we showed them some theoretical examples.  However, it is possible for us to build something out and put together a robust way of addressing the email security problem without doing just more of what we’ve historically done.

If we talk about this, what we’re looking at here is the evolution of , uh, a major comprehensive reinvestment in, you know, security, but that looks like a paradigm shift.  And we’ve done this in other parts of the security market.  Right?  We have seen organizations start to put together an adaptive response mindset that assumes that you’re always under attack, that there’s always going to be some way to trick a user.  And then, instead of relying on technology to fix that, implementing the employees certainly as the cornerstone.  The vendors who were focused on, on thinking about training had it right, that users are your last line of defense.  But they’re not your weakest link.  And, in fact, if you arm them or equip them with the right kind of information, then it’s possible to then put together a framework for taking that and teaching someone in that moment this is the threat and here’s what you should do. And then use that same proactive model, that multiple-layer defense approach, for not just blocking those messages but giving an end user an alert, tracking what’s happening, modifying messages in flight to alert them to the kinds of things that come up and start to look like there is a, a framework for an attack here.  And then maybe even being able to redact them or, or shut them down.  So when we think about that, what we’re seeing is a very old security concept.  A defense in-depth concept, right?  The concepts here being rather than having a single point of failure like a gateway or an investment in an appliance, whether you host it or some vendor hosts it for you, having something that’s capable of addressing all layers of the (inaudible).  The detection, protection and response framework.[00:34:00] Or, in this sense, the comprehensive approach for dealing with this kind of a problem. 

That, obviously, is part of what we think about from a GreatHorn perspective.  And I won’t spend too much time on this because we want to take some questions. I know we’ve had some come in. But if we think about the before, during and after an attack, then you can start to see how this is possible. If you’re interested in our framework for doing so, GreatHorn.com has information about this and, and we have resources that you can download that you can start to see case studies of real world implementations.  And if you’re interested in also experiencing this, we’re happy to give a real world production-level deployment for an organization, show you what your threat surface looks like and, and arm you with some initial stats and information about where your risk points might be.  Again, GreatHorn.com has all of that information.  Doug, I think we’ve gotten a number of questions so why don’t I pause and turn it over to you and we’ll get through as many as we can.

Doug Olenick:

OK, that sounds great.  I will jump right in here.  Uh, the first one, how big of a team do you need to be able to execute this strate– strategy?

Kevin O’Brien:

[00:35:00] It’s a great question.  Um, it depends, right, which is a complex answer.  In part, you can do this with a very small team.  We have organizations that we work with who are rapid, high-growth technology companies growing from hundreds to thousands of people in a 12 to 18-month period who have still a single IT or information security resource dedicated to the space of the problem.  Uh, that is , there, the people who are responsible for managing email, not that they’re implementing the solution.  And they can implement something like GreatHorn and that’s the only experience that I have directly so I’ll speak to that.  And we’ll take that on, they’ll be up and running in a cloud native model in minutes because cloud native deployment and cloud native technology doesn’t require what a gateway does.  An email gateway says redirect your mail to us or, or bcc it to us or grant us journal access to all of your mail and cross your fingers that we’re compliant with GDPR and insure that we’re not going to have, uh, a major issue that’s gonna delay delivery.  And then after three or six months you know, we might start turning some things on.  It’s gonna be a slow implementation.  That’s hard. Combined with a legacy vendor, you probably need a pretty, a pretty sizable team.  But the cloud natives, uh, the folks for the new generation attacks can typically be up and running for you in less than ten minutes because they’re implementing from a programmatic perspective and they’re bringing to bear a federated data model, information gleaned from many, many different organizations.  A single resource can typically do this in factual amounts of their week and be up and running with, with 80 to 90% efficacy with only that little bit of incident response for the things that are truly brand new, zeroed in, spending less time than they would if they’re, they’re doing it manually without (inaudible) the technology in place. 

Doug Olenick:

All right.  Second question.  This is a fun one.  Uh, should user training be rewarded or punished?

Kevin O’Brien:

It’s a great question.  Um, there’s actually some really good information about this that comes out of the work that the guys who are working on, uh, the people-centric security model back in the cashby days did.  And, uh, certainly well worth going and looking at some of that.  The answer is that it should be rewarded.  Punitive measures do not show long-term efficacy. Fact, if I go back to a long time ago now but, but, uh, when I first started, before I, I started working full-time in email security, uh, I spent some time doing social work.  And one of the interesting things about incentive-based programs is that in any industry it’s just human nature characteristic that negative incentives will have a high immediate efficacy rate.  So if you name and shame people who fall for phishing campaigns, you’re gonna get them to stop clicking on things.  But we actually had a, a Fortune 500 whom we work with who did that before bringing us into the mix.  And what they found was they were so effective at embarrassing their executives that those executives simply stopped handling email and any time they got anything, they just forwarded it to IT and said you figure it out.  I can imagine that overwhelmed the IT department and it led to them having as good as no security, in fact, worse because those people were then so overwhelmed that they weren’t able to go and handle it. They had to shut down that part of their training program.  If you have a positive incentive program, if you recognize people who report phish and you make it transactional and easy for them to do it right from the message, hey, I think this might be bad and they can click a button and the end user who has reported that phish is then given the ability to sort of see the follow-up, you have a, a mechanism for saying we’re gonna reward people who are the best at protecting the organization ’cause we’ve armed them with tools to make that easy, this is much more effective.  It’s more effective in, in behavior modification, if you’re trying to get someone to stop smoking, and it’s more effective when you try to get someone to stop clicking on phishing links as well. 

Doug Olenick:

OK.  Next question.  I am using Office 365 with local client Outlook 365 on PCs running Windows 10. Is GreatHorn an add-on security solution or a replacement?

Kevin O’Brien:

So if you’re running, and, and we’d need to tease that apart right?  So if you’re running something like Microsoft 365, first, we’re, we’re fully compatible with any deployment model.  We have users across our customer base running on on-prem Exchange, uh, who have a hybrid mode deployment in O365.  We have clients running Outlook on the desktop, Outlook Mobile, Outlook on the web, Apple Mail clients, the gamut.  Um, and, and we support all of that.  But if you look at the security component, out of the box, that might be any number of things.  It could be just based on security from 365.  It could be at the E3 or E5 enterprise licensing models, exchange online protection, which is good and we complement that.  And most organizations will have that turned on.  It provides some basic anti-spoof capabilities as well as some basic functionality for, for stopping impersonations.  It could also be Microsoft’s advanced threat protection, their, their highest-end for-charge model that you typically will see at the E5 level.  And, uh, again, black box technology.  Good at some things.  Really good at stuff like malware detection and, and a really nice way to replace a legacy routed out to a a box to analyze a file to see if it might have ransomware or malware in it.  Not terribly effective at advanced targeted attacks.  Uh, in fact, that 50,000 that we found for that organization running, uh, a legacy gateway was also utilizing ATP.  And, in that case, they opted to keep ATP for some of the other things it provides, especially at the end point level, but found that from a pure email place, security model, bringing GreatHorn in was complementary.  Uh, we do occasionally replace it.  We do oftentimes, uh, beat it in, in our fees or, uh, side-by-side comparisons.  But GreatHorn is fully compatible with, uh, the platform-level control that you’ll get from Microsoft. 

Doug Olenick:

All right.  Next. With the real-time alerting that you’re providing the end user about potential phishing attempts, how do you prevent the user from continuing to make bad decisions?

Kevin O’Brien:

Great question.  So the, the answer here is also somewhat nuanced.  The first half of that is that you will never prevent intelligent, informed people from doing the things they want to do with respect to technology.  Right? So if you had something that was designed simply to be preventative in blocking, at worst your users will, let’s go back to the shadow IT days.  Just say well, forget this.  IT has made it so difficult, or security’s made it so difficult for me to use my email, I’m just going to set up my own email instance.  We see this all the time, by the way.  Companies that try to deploy technology to replace slow or, or cumbersome or, or preventative solutions will migrate to new ways of communicating.  We saw it in the early days when companies began seeing employees use things like Dropbox because corporate IT wouldn’t give them a great file sharing solution or they’d block sending sensitive information outside the organization walls. We’ve seen it more recently where companies, especially with heavy engineering focuses, have said email is slow and cumbersome.  We should all go use, uh, a chat-based program like Slack or, or Teams.  Uh, so the question really is not do I block or prevent but how do I ensure that users don’t do things they shouldn’t and make sure that that message, that alerting, gets complemented by appropriate technology. With respect to email, the primary threats you’re thinking about are most likely going to be messages that are impersonations that have no, uh, payload.  That is, it’s the go buy a, a gift card for me.  You can complement and deal with that by putting in place alerting when those messages come in.  So alert the end user.  But also say hey, Mary, in finance, just got a message saying go buy gift cards and we want the IT or infosec team to have real-time capabilities for seeing that. And not only do we warn Mary, but we also have a back end ability to claw that message back or do IR and see if anyone else has received it.  Or, worse, if Mary responded to it and said no problem, boss, I’m on my way to CVS to go spend, uh, 10,000 dollars in AmEx gift cards.  Secondly, for payload-based attacks, having a mechanism by which you can defang the attack itself.  So if they click on a link, they don’t go directly to a malware or credential theft site. [00:43:00] You interrupt that workflow. You say hey, be careful.  You’re about to go to this site that is, is nefarious. Or, better yet, invest in a technology platform like what GreatHorn can do where there is machine vision that can analyze, in real time, the destination to see if it might be a credential theft site.  Because the attacker might’ve weaponized that 15 minutes after it was sent to your user base and your user did nothing wrong but the attack was only live after it was received.  So having a technology play that can help address that programmatically.  And, finally, ensuring that you have customized ways of alerting users based on rule.  If you are a sales staff member, the likelihood that you’re going to go and send all of the W-2s for everyone in the company out to an attacker who claims to be from finance is pretty low.  You don’t have access to that info.  But the types of threats you will fall for are gonna be things around deal flow. So you need to have a solution that can be highly targeted, highly customized.  Not just you don’t know this person, be careful.  [00:44:00] That’s great but, in your role, these are the kinds of attacks you’re susceptible to and we’re going to enforce or back up your decision-making process in a role-appropriate way and your technology platform, uh, partner needs to support all of that to help those users be better informed about what they could actually fall for. 

Doug Olenick:

OK.  Next question’s a little long so just, uh, bear with me here.  Um, I understand the phishing threat and hijacking, I understand that, excuse me again.  I understand the phishing threat and hijacking uses email account for abuse. I also get the hacking, slash, breach of email database for abuse.  However, has there ever been a documented case of email packets being intercepted in flight, over-the-wire for abuse?

Kevin O’Brien:

Sure has.  In fact, part of what, uh, one part of the email, not the email stack but part of what the email authentication world is designed to stop is exactly this. [00:45:00] So what they, the question asked for here is, is basically, uh, saying is what if an attacker was able to, uh, get access to email in transit, either because they were routing mail through an open relay or they somehow managed to get access to the message while it was moving across the public internet and then modified, which is typically the way that this would manifest itself, modify that message in a way that leads to the user, you know, thinking that they’re getting the message from their boss but the message itself has been modified in some fashion. And once that happens, uh, the message will then be, you know, not what was originally sent and they could do something they shouldn’t.  That is, in part, solvable through better encryption.  And so there are standards-level implementations that are happening from all of the major email providers like S/MIME where there is better encryption being, uh, enforced and, and there’s a public key encryption model. That helps.  There’s also, uh, freely-available, uh, implementation. Not even technology but implementation-level work you can do through things like DKIM management where you basically, as the company using, say, Office 365, will publish a private key that goes out, uh, to your O365 environment and a public key that goes into DNS and your messages will be digitally signed.  And you can choose what you want to digitally sign against, whether it’s the subject or the header.  But you can also digitally sign the body.  If you choose to do that, what you’re saying is that you digitally signed essentially a hash of the body, that is the cryptographic, uh, contents of the message, and the recipient will be alerted, or, ideally, will never receive a message where once you’ve implemented DKIM, that body has changed in transit.  By doing that, you basically shut down this kind of an attack where, you know, packets being intercepted or, or modified won’t reach the recipient or will be highly flagged and should be, uh, most likely dropped by the receiving side technology once that’s been identified.  [00:47:00] So encryption will keep the passive men, the middle attacker from seeing what you’re talking about, assuming your encryption’s done correctly, and S/MIME platform provider will help with that.  You can invest in third-party encryption, uh, to, to take really sensitive information.  Your doctor’s office probably does this, right?  And you can also have something put together where you can use DKIM to ensure that messages aren’t being modified, uh, during that transit phase.

Doug Olenick:

All right.  Next question.  How do you suggest organizations address emerging threats besides email, such as WhatsApp or Slack use in the enterprise?

Kevin O’Brien:

Yeah, great question.  So, again, the thing to think about here is that you are going to see new technology come onto the scene all the time.  And defense-in-depth models are designed to inform you when someone is, uh, going to penetrate one, one channel you have, redundant security controls, such that a single point of failure doesn’t exist.  We talked a lot about this concept of credential theft today. And an email is still the most prevalent platform.  [00:48:00] Locking down email means that you’re going to help prevent someone from getting access to, uh, a user and credential set or a third-party application that’s able to integrate with those platforms.  So you might find that someone’s using Slack and they have integrations in the Slack environment that are relying on the OAuth token provided by their email account to them link it up to their SharePoint environment so you can drop a file.  Well, those are risks, too, right?  And so it makes sense to be monitoring for all of the different things that utilize those OAuth tokens or those, those points of, ingress and egress of data. And, secondly, although, you know, I obviously run a, an email security company, we’re not the end-all, be-all. You probably want to be thinking about some form of advanced end-point security.  There are new morphological end-point security platforms out there that do a great job at remapping memory on the fly through a lightweight agent so that if somebody bypasses whatever controls you have and they get an exploit of, say, Adobe onto the desktop, then that will be in a position where, uh, that memory’s been dynamically remapped and the exploit won’t work.  That makes a ton of sense.  You should also be thinking about things like cloud access security broker technology that incorporates UEDA or user entity behavior awareness.  If that slack instance suddenly logs in from a foreign country and you’re user’s not there, you have real-time alerting that can shut down that attack.  So, again, defense-in-depth is the, the coarse answer and a couple of examples of places you might invest in, on top of credential monitoring and email security. 

Doug Olenick:

All right.  Next. Uh, I heard you mention all types of Microsoft mail.  What about companies that utilize Google for email?

Kevin O’Brien:

Yeah.  So, great question.  Uh, there’s essential parodies between these platforms.  Uh, Microsoft tends to be more widely deployed inside of the enterprise. So if you’re at a large organization, uh, the likelihood is that you’re going to be running with 365.  They have roughly 70% market option in the enterprise space.  Google has about 25% marketed option there.  However, uh, a good, you know, security platform provider, or especially one that’s cloud-native and integrated with these platforms, should support both in a roughly equivalent fashion.  There are some minor differences between the two.  But, you know, GreatHorn certain does.  We have customers represented across both and the same considerations apply.  Everything we talked about when the question came up around, uh, tracking on the wire and DKIM, that sort of thing should be done regardless of whom your, your platform provider is.  And the same types of end-user alerting, the same types of integrated, proactive response and incident response.  Those apply, too.  Look for technology partners who, who are agnostic and can support you, especially if you’re running, uh, Gmail and might switch to 365 or vice versa.

Doug Olenick:

OK.  Next. Again, a slightly long question. Do you folks have some data on spam? I am seeing that as a problem because users are treating this as an oops and then going back into the folders and reading the stuff.  Do you have any examples that you can provide or discuss?

Kevin O’Brien:

Yeah.  Um, so great question and, uh, we actually eluded to this a little bit during the talk track, which is that when users have that experience, you are treating, uh, training them, essentially, to go look in their spam or junk folders and, uh, even more important, you know, I’ll answer the question in a moment.  But even more importantly, platform-level Google or Microsoft controls are often putting phishing and spoofing attacks into those same folders, increasing the likelihood that someone’s gonna fall for an advanced attack because it looks like a false positive inside of those folders. Uh, so there’s a couple things you can do.  Uh, first, spam, itself, is a commoditized space, meaning that essentially everyone has the same data lists.  You can turn on certain kinds of controls to reduce risk there.  Uh, I know that for many GreatHorn customers, we will actually take action on, and even quarantine or remove or modify messages inside the spam or junk folder because users do fall for that.  Secondly, if you’re using Microsoft, look into Exchange online protection.  You should have it with E3 or E5 and most organizations running scale will have that. [00:52:00] It’s not the most intuitive thing to set up but there are some pretty good anti-spam controls.  Google also does a reasonable job with spam and you don’t have to deliver spam to the inbox.  You can change some of the settings inside of the Google admin console to deliver it to a centralized spam folder that only the administrators have access to.  And, finally, uh, there are ways that you can take the most, uh, nefarious types of spam that you’re getting and with, uh, a platform that provides automated, configurable policies, again, drawing from my own experience with GreatHorn, you can start to redact some of those messages, even if they would be filtered at the platform level into the spam folder, and look for language or look for certain kinds of multi-variated attacks like spam plus an impersonation, and get them out of there completely.  So users who open up their spam folders don’t fall victim to that kind of an attack.

Doug Olenick:

All right.  Um, well, I think we reached the, uh, the end of our question list there.  Uh, quite a list today, too.  That was really great.  So, um, with that, I think we’re gonna have to wrap it up for today.  I would like to thank Kevin for his presentation and GreatHorn for its sponsorship of today’s session.  And, of course, thanks to all of you for taking the time to attend. Uh, I’d like to remind everyone that this webcast will be available online tomorrow at www.scmagazine.com. And that should be sent under the events tab.  Again, have a great day.

END OF DOCUMENT