Ed Bishop is the co-founder and Chief Technology Officer at Tessian, where he leads the company’s engineering, product and data science teams. Tessian is a cloud email security provider that uses machine learning and behavioral analytics to eliminate advanced threats caused by human error, including data exfiltration and business email compromise.
At RSAC 2022, we spoke to Bishop to discuss the benefits of cloud email security over legacy SEGs, the evolution of social engineering—including the use of alternative phishing delivery methods and the potential threat of adversarial AI—and how businesses can protect their inboxes from today’s sophisticated email threats.
Could you give us an introduction to Tessian, your key use cases, and what differentiates you from other providers in the email security space?
Sure! So, Tessian is an intelligent cloud email security platform. We solve for three kinds of major use cases: two on the data loss side and one on the inbound, advanced business email compromise, account takeover side. So, what differentiates us is the fact we’re a full-fledged platform that looks at both data loss and inbound threats. We think there’s a real benefit from bringing those two worlds together and sharing findings and signals.
Specifically for the use cases for our customers, we really focus on sophisticated, advanced threats, and then also advanced data loss incidents that traditional approaches to email security really struggle to solve.
I can go into a little bit of detail about that. Essentially, there are three use cases. The first is human error with emailing. So, lapses in judgment, sending data to completely the wrong party by accident, autocomplete and fat finger mistakes. The second is data exfiltration, which is on a spectrum but it’s people sending sensitive data out of the organization to non-business contacts. It could be their personal email accounts, it could be their family, it could be competitors, it could be the press, it could be anything. Then, as I mentioned for the third one, its advanced threats that are passing through and bypassing your existing traditional email infrastructure like Microsoft or secure email gateways. We really go after those highly targeted, socially engineered threats that occur in lower volume but have a much greater impact if successful.
We have a behavioral approach, which means no policies, no rules. I like to describe it as, rather than being top down and managed by the security team, we flip the model and work bottom up. So, it’s understanding each individual user, their relationship, the projects they normally deal with, how they communicate and with whom, etc. And it’s by understanding historical email sending patterns and behaviors that we can then go after these advanced threats and really kind of layer in on top of that traditional email security stack.
In recent years, we’ve seen huge changes in the ways in which people work and engage with digital services, particularly with the wide-scale adoption of cloud services. What are some of the biggest security risks you’ve seen since the last RSA conference, as a result of this?
Yeah, I think it’s definitely changed. Some organizations were really well positioned for the pandemic and the move to remote work, and now this hybrid model everyone is finding themselves in.
I think from one perspective, from the employees’ or end users’ perspectives, they’re busy and they still have to get the same amount of work done, and it can be harder to do that at home. There are more distractions around, and maybe they don’t have the tools or they’re on different computers, maybe they have a lack structure to their days, etc. So, with all of this combined, it just makes it harder to do what might’ve been easier when they were in the office. When people are busy and rushed, instances of human error become more prevalent.
That means when inbound emails that are coming in, you don’t have the person on your right to ask, “Hey, did you receive this email from HR telling us to click this link?” You know, we’re operating in a different world. So, down to human error you have people making the decision to click the link because it looks legitimate. You don’t have that crowdsourcing of the office environment.
But then from a tooling perspective, which is really interesting, we saw a spike in what we would call data exfiltration—people sending emails with very sensitive, perhaps customer related or high company IP related work to their personal accounts. Now sometimes that’s malicious insiders, trying to leak data to competitors and so on, or leave for another company and take the data with them.
But for the majority of use cases, it’s this really messy gray area where people are just trying to do their jobs, they’re not trying to break the rules and exfiltrate data. Maybe they just want to print something at home, and the easiest way for them to do this is to maybe not go through the corporate VPN and all the challenges of those tools, but just do the lowest friction thing and email it to their personal email accounts. From a regulatory compliance standpoint, this is the exact same as the malicious insider sending data outside of the company because now that data resides outside of your corporate environment. They’ve probably broken customer data agreements, because that is now on a public cloud, on Google’s or Microsoft’s infrastructure, and there’s no way of getting that back.
So those are some of the things we’ve seen, but really it’s this focus on human error which seems to be more prevalent than ever, or at the very least more obvious. It’s what our customers are telling us and it’s really what our focus is. And before approaches like ours, human error was just viewed as the cost of doing email. If you want to use email, people are going to make mistakes. They’re going to click links. They’re going to send emails to the wrong people. They’re going to ignore IT policy. But now there is the tooling and technology for us to actually go and tackle those advanced threats. That’s really our focus area, that human error piece.
You mention that some of the more legacy gateway technologies aren’t able to stop these threats. Why is that? And how have you developed and updated the Tessian platform to fill those gaps?
Yeah, it’s a good question. It really just comes down to the technology. It comes down to the approaches and how they’re architected. With security email gateways, the technology is literally decades old. They really have an approach that’s rule based, policy based, threat intel based. So, say a phishing email comes in. The SEG will assess the URL and quarantine it if it’s bad, and if it’s good it’ll let it through. This only works if your threat intel feed is up to date and this particular threat has already been seen in the wild. But the most sophisticated attacks don’t use known threats, which don’t appear with any threat intel feed, so they don’t get flagged by your SEG.
Our approach is entirely different. It relies less on the threat intelligence approach, and more on the historical, behavioral understanding of how users operate. What does their day to day look like? Who do they contact? What do they talk about when they contact them? We establish a baseline of what known good behavior looks like, then we train machine learning models to be able to detect the kind of anomalies that go against that known good, and that is how we’re able to detect advanced, sophisticated impersonation attacks, business email compromise, and vendor account compromise.
Some security experts are predicting that—in the coming years—adversaries will increasingly use offensive AI technologies to carry out cyberattacks. What could this look like, and how will it affect our current approach to email security?
Yeah, I kind of agree with that idea. You see it more and more. We’ve definitely seen it in the world of deep fakes, which is a good example of how it could be used. You can either do voice calling or even videos, where you take known audio recordings of public figures, you train models, and then you can essentially get these public figures to say anything that you want them to say in their exact voice. Plenty of high-profile CEOs have videos of themselves talking on YouTube. Take those audio recordings, you can then ring an employee and play the CEOs fake voice through. So, deep fakes are an example of adversarial AI that have been seen in the wild and have been successful.
When it comes to emails specifically, I don’t think we’re seeing it yet—but I think we’ll start to. Where that gets scary is, if you think about how the majority of threat actors operate, it’s basically just a mass phishing campaign. They send hundreds of millions of emails to end users in the hopes that a small percentage will click the link. And these campaigns are cheap to run, because it’s just one email sent to many users.
Now, as I’ve mentioned, those emails are not necessarily the kind of emails that cause serious breaches, right? A lot of people with good security awareness training will spot emails that are poorly written or poorly formatted, and are obviously fake. But the sophisticated and targeted socially engineered attacks where maybe only one email is ever sent—that’s kind of the risk profile and where AI can be leveraged. And it can be used to automate that side of highly targeted, highly sophisticated attacks.
I don’t think we’re seeing that yet. I imagine we will start seeing it and then, just like other areas of security where AI is used more, it will become a battle of the Ais, and it will be nonstop. It is constantly evolving.
Another area in which we’re seeing these attacks evolving is in the method of delivery, with adversaries starting to use other communication channels, such as social media and instant messaging, to send phishing attacks. Do you think these attacks are as dangerous as email-borne threats, and do you have plans to expand the Tessian platform to offer protection for these other channels?
Do I think that they are equal? Absolutely not. I think it’s orders of magnitude difference; email is by far the number one threat vector used by attackers, and it will always be. Why? Because email is open by design. I can quite literally email anybody.
With social media, that’s true to an extent—if you have your DMs open, someone can reach out to you. But I don’t think much business, at least in the market that we serve, is done over social media. In fact, it’s incredibly locked down in regulated industries; you’re not allowed to use WhatsApp in financial organizations, for example. So, email is still the most prevalent communication channel.
As for instant messaging—there is a threat there for sure. It’s, again, just orders of magnitude lower in terms of the number of attacks that are sent over instant messaging. The propensity for attackers to even use instant messaging is relatively low—why would you use instant messaging when there’s email—and organizations generally lock down instant messaging, so you can’t message someone from outside the organization.
But I think companies like Tessian will inevitably expand into channels that our customers want us to protect. Instant messaging certainly will be one of those. I just don’t think the risk is anywhere near as prevalent as via email.
Now, there are threats like account compromise, which are really interesting from an instant messaging perspective. This is where you think you’re chatting on Slack or Microsoft teams to your colleague, but actually you’re talking to a threat actor who has stolen your colleague’s credentials. And that’s a threat that’s prevalent in any communications channel. And we are looking at ways in which we could potentially solve that for our customers.
Finally, what is your advice to organizations struggling to secure their inboxes against the sophisticated email threats we’re seeing today?
I think it’s about looking at where your risks lie. Look at the risks over a certain time period, say a year, that actually caused issues for your organization. Then look at your existing technology stack and assess whether you would have expected it to solve those risks or not. Often, the answer is that there’s no way a SEG would’ve really been able to detect these risks. So, looking at integrated cloud email security tools like Tessian, which has a behavioral approach, is a much better solution. We are advising that organizations look to Microsoft, for example, as a foundational layer of security, and potentially remove their SEG. We think SEGs won’t exist anymore in a Microsoft world.
But for the sophisticated threats and the sophisticated risks both on the inbound business email compromise and the data loss side, you need a different approach. You need a behavioral approach. You need to leverage your existing email data and turn that into a kind of bespoke, unique protection for every single user.
The other piece of advice I’d give is to go and speak to your security team, and find out how they’re spending their time. Are they effective with their time or are they triaging and investigating tons and tons of false positives and alerts? A tool like Tessian really helps reduce the burden on a security operations center so that they can themselves take a little bit of a step back, let the technology do that early triage and engage with end users so that they can be the first layer of defense. And through engaging the end users, you can raise the security awareness of your organization. You can get them engaging with security concepts and looking at threats as they come into your organization. But ultimately, let the security team investigate what they should be investigating, which is advanced threats, versus scrambling triaging things that, quite frankly, they’re only triaging because the technology is not up to scratch. So, look at where your team is spending their time, and if you’re not happy how they’re spending their time—if they’re overworked, overstressed, or not working on the things that you think are high impact—look at a tool that can lower the burden on that team and let do what you hired them to do.
Thank you to Ed Bishop for taking part in this interview. You can find out more about Tessian’s cloud email security solution via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.