Email Security

Interview: How Accuracy, Isolation And Human Intervention Can Mitigate End User-Facing Threats

Tal Zamir, CTO at Perception Point, discusses how organizations can disrupt attacks against their end users with accurate detection, threat isolation, and human intervention.

Expert Insights Interview With Tal Zamir Of Perception Point

Tal Zamir is the Chief Technology Officer at Perception Point. Zamir has been active in the cyber space for two decades. In that time, he’s created multiple breakthrough cybersecurity products, including next-gen end user computing products at VMware, and the Hysolate threat isolation platform. In his current role at Perception Point, Zamir helps organizations combat some of the most dangerous and successful attacks that we’re seeing today: those targeting the end users.

At RSAC 2022, we spoke to Zamir to discuss how organizations can disrupt attacks against their end users with accurate detection, threat isolation, and human intervention—all of which are delivered via a single platform.

Could you give us an introduction to Perception Point, your key use cases, and some of the main challenges you’re helping your customers to solve?

Perception Point is a cybersecurity start-up based in Tel Aviv, Israel, founded in 2015. What we basically do is protect companies from any user-centric threats – these could be via email, cloud collaboration apps like Teams or Slack, cloud storage like OneDrive, SharePoint, S3 Buckets, Blob Storage and Google Drive, and web browsers—basically any instance where a user is specifically in contact with potential threats.

When we think about the use cases, imagine a small business that has a modern IT shop where they have Microsoft 365 or Google Workspace as their email vendor but they don’t have all the tools that the bigger enterprises have. From the other side, a large enterprise has multiple security layers and solutions, which are producing an enormous amount of alerts and incidents which cannot be supported properly by their overwhelmed SOC team. With Perception Point, whether large or small, every organization receives a managed advanced threat protection service. The SaaS solution seamlessly plugs into all of those modern cloud applications—email, your Slack and your Teams, whatever you use as a business—and we give you peace of mind with unbeatable protection across all of those attack vectors. It doesn’t matter whether users are attacked when they browse the web or if they’ve clicked a link somewhere in an app or email—we close that gap and eliminate the threat before it reaches the user.

Phishing was traditionally an email-based threat, but attackers are increasingly using other methods to target their victims, such as social networking and collaboration apps. How successful are these alternative phishing methods, and why?

Because we are a managed advanced threat protection service, we are able to see all of the attacks up close. To strengthen the management, analysis and understanding of incidents, we have a dedicated incident response team of cybersecurity experts, which is included in the solution, that manages and watches for any kind of malicious incident that our customers are experiencing, 24/7. We definitely see a lot of non-email phishing attacks across all of those collaboration apps. It’s real, it’s not just the attacker going through email. The top two vectors are email and web, which are the source of 99% of attacks.

Whenever users are getting a link from any other SaaS app like their helpdesk system, or their Salesforce, or just from browsing and accessing a malicious website, for example, they could be lured to a phishing webpage where their credentials are harvested. Malicious files are also being transferred via these vectors. So, the phenomenon is real. And there’s a good reason it’s successful. Hackers know email is a highly monitored channel, and organizations are protecting this vector at some level. But suddenly, with COVID and remote and hybrid work, along with adoption of cloud services, we’re using a ton of new collaboration tools and apps. And there’s a great opportunity for attackers to leverage, because those new apps and methods of business communication don’t yet have any serious security tools and have very basic protection.

Are people more susceptible to attacks across other channels rather than email?

Yes. I don’t think organizations have built strong enough security around email either, but if an attack is coming via your other channels, there’s virtually no security awareness training available for these new vectors. So, you have more severe issues in terms of user understanding which further increases the organization’s risk.

How does Perception Point help disrupt these types of attack?

Perception Point plugs into those services via API. So, in the best way possible, it taps into whatever collaboration app or email service needed, and deeply scans the content—text, files, and URLs—to detect any threat from phishing, BEC, malware, ransomware, ATO, advanced threats, spam, and zero-days. When I refer to deep scanning, it’s actually unpacking the content and scanning each piece of content with multiple detection layers including our next-gen sandbox. So, with an email you may have a link, and when you click it, it’s a Google Drive URL, and when you click download, you get a file, and when you click the file, it extracts stuff. And then there are documents and, within the document, there are other links. So, we go all the way down in this hierarchy, and we scan everything dynamically, which is kind of unique. And we are able to do this very quickly—it takes 10 seconds, on average—thanks to our technology. This way we can scan 100% of the content across all security layers.

But we’re not just fast, our analyses are also highly accurate. SE Labs recently tested a range of email security platforms and vendors, and we came out on top, with 100% accuracy, a result that the other solutions weren’t able to achieve. Our platform is very impressive in terms of the accuracy, the speed and the ability for our incident response team to create rules on-the-fly to adapt to new types of attacks. So, you actually get security for user-facing attacks out of the box, without any management investment.

Some security experts are predicting that adversaries will increasingly use offensive AI technologies to carry out cyberattacks in the coming years. How can Prevention-as-a-Service help to combat offensive AI?

Great question. There are two elements to tackle offensive AI. Number one goes back to the human team of cyber experts—when we’re facing AI, having humans looking at those attacks is critical. I think that offensive AI is mainly meant to bypass modern AI and play on its weaknesses. Machine learning and AI might build rules dynamically, but they’re still rules that can be sidestepped and there’s a limit to what you can do with machine learning today.

So, with a human eye looking at malicious incidents, you’re able to win the game against those types of attacks. There’s not yet a good replacement for human creativity, or the ability to understand that something is wrong.

And the second element that we have, which is unique to Perception Point, is our isolation technology as part of the platform. What that means is that if you get an email with a link that we can’t classify as malicious because we’re not sure, but it still could be dangerous, we can make you launch this link in isolation. So, when you click the link, you get a browser window, but behind the scenes, it’s actually wrapped in a little virtual machine, so that, even if you visit the website and you get a zero-day vulnerability or malware downloaded inside the browser, it will be contained within that virtual machine and wouldn’t have any impact on the organization.

So, beyond the detection and the human elements, this isolation works well as an additional layer to ensure that the organization is not breached.

What are some of the benefits of using isolation technology, as opposed to more traditional web filters or DNS filters?

DNS filtering and web filtering solutions in general can only allow or block strictly URLs. And this block or allow protocol is a lose-lose situation, because if you allow too much, you increase risks, but if you block too much, the end user’s experience is affected and employees will be annoyed and not be able to do their work.

Isolation, on the other hand, offers a middle ground—it still allows users to visit URLs, even if you’re not sure they’re safe, so you let the user do whatever they need to do to complete their work, but the threat stays isolated. So, we’ve ended up creating a win-win situation.

And beyond that, web filtering can only do so much. It might think something is safe when it isn’t, it could miss a zero-day vulnerability. Isolation will make sure that no threats are escaping that boundary, even if we don’t know what the zero-day vulnerability is. It lets users access everything safely, allowing them to be more productive and for the security teams to sleep soundly.

You also mentioned a little bit earlier the fact that you’re able to offer all these capabilities—email security, collaboration app security, web isolation, and so on—via one platform. What are some of the benefits of using one unified platform, rather than a lot of disparate solutions?

You don’t need to approve and work with multiple vendors, and have multiple panes of glass to manage the system. You want to set as minimal a number of policies as possible and let the system do its magic. So obviously, with fewer tools, you have less configuration work, less manageability overhead and so on.

There are some giants in the industry that have suites of products and offer tools across the stack. But eventually, in many cases you need to configure and install each and every product that they have independently and in different places. And you’ll need different people who are experts in those specific domains to do that.

So, having one pane of glass, one system that makes sense and covers so many attack vectors and attack types is a huge advantage, I think, especially for SMBs that don’t have an army of IT people to do that.

With a managed service, you don’t even need to work with the system, because there are people managing incidents for you, who will only flag the ones that are clearly malicious and facilitate rapid remediation when necessary. 

What is your final piece of advice to organizations struggling to protect their communication channels against sophisticated attacks such as spear-phishing, BEC and malware?

Buying multiple security products is not necessarily the right solution. That’s not going to solve the problem. I suggest that organizations look for innovative solutions that can provide the best accuracy of protection for all types of attacks. These solutions will leverage unique anti-phishing engines, advanced prevention of file-based attacks using rapid next-gen dynamic technology, advanced BEC capabilities to prevent text-based impersonation and the identification of ATO. For sophisticated phishing attacks, products should incorporate advanced algorithms and ML capabilities like image recognition, NLP and social graphs that identify sophisticated impersonation techniques, domain lookalikes and more. For APTs and zero-days, there are next-gen sandboxes that do not rely on signatures or the attack’s behavior. There are next-gen dynamic scanning technologies that leverage CPU-level data that rapidly detect malicious files in a deterministic manner.

Go for a managed service, so that you can actually use the tool and get value from it, without overwhelming your organization with false positives. When you’re using Google Workspace, for example, and you turn on the built-in controls, you just get bombarded with alerts and so many of them are false positives. So, you need to have a tool that can eliminate the noise for you so that you really only get the critical stuff. This clears your plate to do the business that you’re trying to. And also, in order to clear the noise and sleep better at night, you really should consider the isolation piece. This ensures that your organization is protected across every application that you’re using. So, isolation is a great way for businesses—especially for those that are struggling with many different attack vectors—to get that peace of mind, and say to their users, “You can use whatever tool you want, but I want it to be done in isolation, then I know that it cannot impact my sensitive data.” So, instead of trying to protect each and every user or endpoint against threats across each and every channel, just put those in isolation and be done with it.

Thank you to Tal Zamir for taking part in this interview. You can find out more about Perception Point’s advanced threat protection solutions via their website.
