It’s no secret that the RSA Conference (RSAC) is not what it used to be. Every year the number of attendees grows, the “cool” new vendors come and (unfortunately) go, and the sales and marketing tactics get more aggressive. This year, however, we noticed that the FUD-filled messaging and “scary hackers in hoodies” imagery seemed to be (thankfully) on the decline. In general, we saw a transition from conversations about “scary risks” to genuine and thoughtful conversations about the differences in philosophical approaches that we can take to actually protect customers and address these issues.
Coming out of last year and leading up to the conference, we heard a lot of chatter about how not many Chief Information Security Officers (CISOs) attend RSAC anymore. But in speaking with CISOs both on the show floor and off it, we found that the reality is in fact quite a bit more nuanced. There certainly is a vocal segment of the CISO population that avoids the “circus” of the show floor, preferring instead to have 1:1 meetings off the floor or to skip the show entirely.
However, we found an equally vocal contingent that considers RSA a critical barometer of new technologies coming out of innovative start-ups. Both of these points of view were represented at a CISO breakfast we attended, hosted by Marcie McCarthy of T.E.N. Some of the CISOs we sat down with mentioned that they attend the conference simply to “walk the perimeter” of the show floor and check out all the emerging vendors and latest technologies. And when we broke down the numbers, we found that more than five percent of our conversations at the booth were with CISOs.
There’s a loud and clear demand for email security
Right now, the email security space is hot. According to Market Research Future, it is expected to grow to $18 billion by 2023. Many attendees wanted to learn more about email security, and they were in luck, because there was a large number of email security booths—from the industry benchmark players to the rookies. While we still saw a number of those vendors focus on ransomware in their messaging and ads, the actual attendees were far more concerned with impersonation and credential theft. “How do I get rid of these ‘Office of the CEO’ emails?” was a common question, as was frustration at Microsoft’s inability to catch or block phishers spoofing Microsoft.
Email is still ubiquitous. Even with the adoption of team collaboration tools and services like Slack, Microsoft Teams, etc., email remains the preferred method of communication for many businesses. We heard a lot of requests for a product that could be tuned to different levels of risk tolerance for highly targeted employees, such as executives, finance, and HR departments (Spoiler Alert: GreatHorn can do this).
This year at RSAC, we conducted a survey asking attendees about the current state of their email security, what types of email threats they’re seeing, and how often they need to manually remediate. Almost half (47%) of the respondents still see malicious threats (not including spam) making their way into corporate email inboxes—threats like business email compromise (BEC), wire transfer and W2 requests, payload attacks, and credential theft attempts. And 23% see these threats reach their inboxes (not quarantined) on a weekly basis, regardless of what email security measures they currently have in place.
Another pain point identified in our survey results that particularly stands out is the issue of managing incident response and remediation. We asked respondents how often they needed to remediate an email-based attack (for example, suspending compromised accounts, writing PowerShell scripts, or resetting compromised third-party accounts). On average, one in three respondents said that they need to take a direct remediation action on a weekly basis—1.65x the previous year. This is particularly distressing given the already widening security skills gap.
We’ll be conducting our survey through the end of June (including at the Gartner Security & Risk Management Summit – come see us there!) and will report on the results in early July. To participate and be alerted when we release the report, take our survey. Curious what we learned last year? Download last year’s report here.
The rise and fall of secure email gateways
We got a lot of phishy questions at the booth this year. Phishing attacks are one of the biggest security concerns facing organizations. According to the FBI’s annual Internet Crime Report, BEC and phishing account for 48% of Internet crime losses. This is largely due to the rise and fall of traditional secure email gateways and the limited capability of native email security controls.
Much like a firewall provides network security at the perimeter, secure email gateways (SEGs) serve as a similar layer of protection against external threats. Functioning as a filter for inbound email, these solutions were–and still remain–highly focused on protecting the business from external threats. The SEG uses techniques such as sender reputation filters, URL filters, spam filters, and web scanners to identify known threats. Over the years, SEGs gained new features and capabilities, from encryption to advanced threat detection and remediation, but the approach has largely remained binary: a message is either blocked or delivered.
Despite being cloud-based, integrated email security features such as those offered in G Suite Enterprise or through Microsoft Advanced Threat Protection (ATP) operate in a very similar fashion. Although industry authentication protocols such as SPF, DKIM and DMARC are helpful tools, many organizations lack the technical talent to implement and configure them accurately, rendering them inadequate as sole arbiters of safe versus unsafe email. Even when effectively deployed, these protocols cannot detect impersonation attacks that use popular free email services, such as Hotmail or consumer-facing Gmail, to mimic email addresses. Because Microsoft and Google properly authenticate these accounts, such messages pass SPF, DKIM and DMARC with no issue: the protocols verify that the sending domain is who it claims to be, not that the person named in the From header is who they claim to be.
This linear approach makes it nearly impossible to detect more sophisticated attacks, such as BEC and other impersonation attacks. These attacks lack the key components typically used to identify threats, such as attachments, known malicious sender information, or URLs.
Because SEGs—and even the integrated email security features within Office 365 and G Suite—decide on binary factors, they lack any means of remediation beyond quarantine. Even those that incorporate threat intel from external sources can only act on information that is already known. Because zero-days are, by definition, threats that have not yet been publicly identified, it is impossible for threat-intelligence-heavy methods to detect and prevent them.
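The following is an added illustration of the point made above; it is not GreatHorn code and not part of the original post. It parses a constructed message whose Authentication-Results header shows SPF, DKIM and DMARC all passing for a consumer mailbox provider, then applies a simple display-name check of the kind an authentication-only gateway does not perform: the From display name matches a protected person (an executive or finance contact from a hypothetical directory, `PROTECTED_PEOPLE`) but the address is not that person's corporate address. The domain `example.com`, the directory entries and the sample messages are all constructed for the example.

```python
"""Added example: a message can pass SPF/DKIM/DMARC and still be a display-name
impersonation. Authentication vouches for the sending domain, not for the person
named in the From header, so a second, identity-aware check is needed."""
import email
import re
from email.utils import parseaddr

# Assumption: the protected organisation's own domain.
CORPORATE_DOMAIN = "example.com"

# Hypothetical directory of highly targeted people (executives, finance, HR),
# constructed for this example. Maps display name -> expected corporate address.
PROTECTED_PEOPLE = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Finance": "sam.finance@example.com",
}

# Constructed sample 1: sent from a consumer Gmail mailbox that Google legitimately
# authenticates, but with an executive's name in the From display name.
IMPERSONATION_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Jane Doe" <janedoe.ceo.office@gmail.com>
To: sam.finance@example.com
Subject: Urgent wire request

Sam, I need you to process a wire today. Reply for details.
"""

# Constructed sample 2: the real executive writing from the corporate domain.
LEGITIMATE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: sam.finance@example.com
Subject: Board deck

Sam, attached is the deck for Thursday.
"""


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {
        method.lower(): result.lower()
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    }


def passes_authentication(msg):
    """True when SPF, DKIM and DMARC all report 'pass' (the gateway's binary view)."""
    verdicts = auth_results(msg)
    return all(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def display_name_impersonation(msg):
    """Return a finding when the From display name belongs to a protected person
    but the address is not that person's corporate address; otherwise None."""
    name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    normalise = lambda s: re.sub(r"\s+", " ", s).strip().lower()
    for protected_name, expected_addr in PROTECTED_PEOPLE.items():
        if normalise(name) == normalise(protected_name) and address.lower() != expected_addr:
            return {
                "display_name": name,
                "address": address,
                "expected": expected_addr,
                "external_domain": domain != CORPORATE_DOMAIN,
            }
    return None


def assess(raw_message):
    """Combine the authentication verdict with the identity check."""
    msg = email.message_from_string(raw_message)
    finding = display_name_impersonation(msg)
    return {
        "authenticated": passes_authentication(msg),
        "impersonation": finding,
        # Policy for the protected group: warn or quarantine rather than deliver.
        "verdict": "quarantine-or-warn" if finding else "deliver",
    }


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, assess(raw))
```

Run as a script, the first message reports `authenticated: True` (every protocol passed, exactly as the post describes) yet is flagged because the name "Jane Doe" arrives from a gmail.com address; the second, from the corporate domain, is delivered. The per-person directory is also the natural place to attach different risk tolerances for executives, finance and HR, since the check keys on who is being impersonated rather than on attachments or URLs.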
Relying on decades-old tools is a front-page data breach waiting to happen
One of the most important takeaways from this year’s RSAC is that, as an industry, we must adopt more than perimeter-focused security such as secure email gateways if we really want to protect our organizations. Recognizing that email security is much more than a point-in-time gateway – that the perimeter is the first, not the only, line of defense – will allow us to limit our risk exposure.
Overall, this year’s RSAC was a great success for GreatHorn. We want to thank everyone who stopped by our booth. We enjoyed the conversations and hope you (and your kids) are enjoying GreatHorn’s stuffed owls and our extra soft T-shirts.
For a glimpse into GreatHorn’s busy booth this year, check out our quick recap video above.
P.S. The booth staff appreciated all the compliments on our custom “Chuck Phish” Converse sneakers.