Email Security

Interview: Why Truly Clean Inboxes Are A Myth

We spoke to the Chief Security Officer and Head of Marketing for Cyren, a legacy cybersecurity company with a powerful email security solution.

Article thumbnail image

Despite the ever-increasing prevalence of business communication and collaboration tools like Slack, WhatsApp, Teams and more, email still stands as the largest attack vector into a company. A recent report from Verizon revealed that an astounding 81% of companies have seen in an increase in email phishing attacks since 2020.

We spoke to Lior Kohavi, Chief Strategy Officer, and Mike Fleck, Head of Marketing, from cybersecurity specialists Cyren. Their recent work has included the Cyren Inbox Security product—a powerful and intuitive tool that utilizes machine learning to detect and remediate threats at inbox level. Both have strong backgrounds in the cybersecurity industry, with Kohavi in particular having 30 years of experience in cyber, with notable stints with Microsoft.

We spoke to them about how they factor in collaboration and communication tools, how the email security market is changing, and why a truly clean inbox is a myth.

Can you give us a brief introduction to Cyren, your key use cases, and what differentiates you guys from other vendors in the email security space?

Fleck: We’re here at InfoSec to talk about the enterprise cyber business. And really, the foundation of that is an offering called Cyren Inbox Security. There are a couple of different ways you can think about this solution.

For the next generation, email security is evolving into this concept of inbox security. Fundamentally, it automates the detection and incident response that people are doing manually today. Cloud email providers and secure email gateways are failing to stop all the malicious content from getting delivered. Right now, you rely on users to report anomalies, and then security operations center analysts chase that up and look at it manually. We’ve basically taken that process, which might normally take hours, and shrunk it down to seconds by combining continuous monitoring of mailbox content and automated incident response.

Kohavi: Just to add to that there are two things Cyren does that I believe are very unique to us. One, Cyren is a legacy security DNA company, which means we have had threat intelligence as an API, as an OEM for many years. In fact, you’re probably using us without even knowing. If you have a Gmail account–Google is a customer of ours–you’re using our technology. In fact, many of the cybersecurity vendors at Infosecurity Europe are consuming Cyren threat detection and threat intelligence. This is our DNA and we’re very proud of that.

We very strongly believe that there is no way to truly clean your inbox and anyone who says that is b********ing you. What distinguishes us is we’re very realistic. It’s not a problem that can be solved at 100% level. We’ve built a cohesive solution to mitigate the risks. But it’s not the end of the world that you have bad stuff in your mailbox, as long as you know about it early and are automatically capable of responding fast to remediate it. 

Of course, we have better detections and all of that, and I can go into the details of that. But I’m telling you this is a nuance between what we do and what others do. You cannot create a clean pipe, so what do you need? First, you need a new automate concept that will Continuously scan your Inboxes (unlike old SEG approach hat inspect only once). Then you need the user to be aware, so we created informative banners. We need to get a pattern that you can scan in real time— we’ve created that. You need an API at the back end that will remediate fast, you need a 24/7 team that will deal with that over the weekend—we built all of those elements. You need to continuously inspect the emails because the emails reach the inbox. 

Where do you see yourselves fitting into the cloud email security market?

Kohavi: Unlike many of our competitors, we are not a startup. We are a startup with this product, but we are a much more stable and historic company. And we have what we call the “global view”, so if something happening in the phishing world, we know about it because we are the cloud of the cloud.

We believe that secure email gateways will get replaced by the native security features of the cloud provider plus solutions like Cyren Inbox Security. We see ourselves as the leading edge of this new approach to deal with email security. The new maturity model drives enterprises to think and act based on email remediation and response (vs. ‘only’ clean pipe/ detection). We believe it’s becoming the norm in the email space in a similar way the Endpoint market moved from detection (anti-virus) to EDR/XDR. We are basically the email XDR platform.

Fleck: I think there’s a few things to unpack there. We see ourselves as in that ICES category. As Lior said, that ICES category will just be the email security category because email has changed as that “workflow” moved to the cloud. 

The really interesting thing about our competitors is that if you look at when they started, Artificial Intelligence was this bright, shiny object. Artificial intelligence doesn’t exist in cybersecurity, right, so really, it’s machine learning that is being promoted as the new technology that’s going to save the day. ML is a good way to detect some of the things that sneak in, but it’s not a cure-all. One of my favourite things about Cyren is that we take a more pragmatic approach; we know that nothing is going to detect 100%. So, we’ve created a pipeline of machines, users, SOC analysts, and so on to cover more blind spots.

So, if phishing or malware passes undetected through all the detection models, then it goes to users and SOC for ultimate classification. And we haven’t seen where anybody else has that complete pipeline.

Kohavi: I think that’s the difference between a gateway and identity-based management. Once a customer puts us to work, our systems start by learning their users’ habits. We learn who users communicate with, when they communicate, why they communicate, what the language is. We want to be able to identify abnormalities in the behaviours. And then we also analyse all the traditional markers like file attachments, URLs, headers, and all of that. So, we see the traffic internally, not just the external stuff. We also see communication with colleagues, account takeovers, business email compromised vendor email compromised. We’ve learned the ecosystem of the emails and we apply the best that we can including remediation because there is no bullet proof solution otherwise. Does this strike you as different, compared to everything else you’ve heard today?

Yeah, it’s a different approach. We cover a lot of email security and the market is really crowded. I think you’ve got a strong differentiation. As you say, a lot of the vendors in this space are fairly new.

Kohavi: Definitely. And we actually believe the problem is a messaging problem; it’s more than email. We happen to have it for Office 365 and email, because just that’s the killer app in the last several years. Everybody is moving to Office 365. But we know the fraudster world, in and out. And we believe that at some point, there will be a different go-to messaging platform for attackers. It might be Slack, Teams, mobile apps, SMS, WhatsApp, you know. Our system is agnostic to that because we didn’t build the solution for email security. We built the solution end to end to deal with messaging and involving the users.

Stemming from that, we have all these new communication tools popping up, especially in this hybrid world we work in, but email continues to be the biggest attack vector. Why do you think this is?

Kohavi: The simple answer is the return investment is huge. It’s very easy for a fraudster to launch a phishing email campaign. I don’t want to scare you, but after this meeting I can send a phishing email that will end up in your inbox for sure. And it will 100% appear as a legit email because the evasive techniques are so easy to pull off. It’s just become such an easy way to penetrate all of these solutions, because it’s an application level. And I can just take one of the techniques that has been happening in the last several weeks, which is just embedding a link within a Google Drive or OneDrive, or Dropbox file. Just create a new file, embed those links, and send it as an email attachment. It will 100% arrive because the sandbox will not catch it. No one is doing time-of-click protection for URL in remote files. The only way to find it is in real time. Either the user reports on that or systems continuously scan content and classify it in real time. 

Fleck: Everybody says it’s the old cliche, but the weakest link in any security program is people. Email is a straight shot to this weakest link. I think it’s an issue of distraction because people are very busy. They’re busy and overwhelmed because they have Slack, they have Teams, they have WhatsApp. These things haven’t replaced email. They’ve been added on top of email. So, it’s just more social engineering-based attacks taking advantage of that.

And the bad guys sort of transformed their businesses just like we have. They’re using the exact same techniques as legitimate businesses, sometimes the exact same services, to launch these phishing attacks. 

As a final question, what advice would you give to companies looking to develop their email strategy?

Kohavi: They need to think out of the box. Anyone that is building an email security strategy needs to think about reality, remediation, and response. Don’t just think about extra filters. Filters are good, but think about, “How do I get visibility? How do I respond fast? How do I involve the users instead of spot testing them with pass/fail exercises?” I think this is the approach companies need to implement, and then go from there when it comes to vendors and finding the right one. Cybersecurity leaders should ask themselves: “What should we DO when we identify bad content in email?” The solution is to be able to warn the user, involve admin and most importantly – automatically respond fast and remediate it across *all* of the attack surface.

Fleck: In my experience, talking with CISOs, you ask them, “What’s the weakest link in the security program?” They always say it’s the people, and then we say, “Well, what are you doing in terms of addressing the fact that things were always going to get through the mailboxes?” The response is always, “Oh, well we have a great security awareness training program.”

Okay, cool. So, you are closing what is probably the most dangerous gap you have in detection and incident response by using the thing we just agreed is the weakest point in any security program? You train people up; you get them to this point to defend against specific attacks. But then a new one comes up. So, you have to train them again. 

Kohavi: So, there’s a reason coverage of the SEG market is getting discontinued by Gartner. It’s sad that SAT is also discontinued. There is no magic quadrant. The winners in SEG and SAT are clear. Yet the problem still hasn’t been solved. It’s hard to have a conversation like that, or to challenge them. But they really have to change if we want a culture of security.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.