Email remains the number one cause of data breaches against organizations globally, but the ways in which attackers attempt to gain access to your data are changing rapidly. People, not systems, are now the biggest target for cyber-attackers, and so businesses must put protecting their people at the forefront of their security strategy.
To discuss these issues, and more, we spoke with Ryan Kalember, EVP, Cybersecurity Strategy at leading data and email security vendor Proofpoint. Kalember has over 20 years’ experience in InfoSec, and for five years has worked at the forefront of Proofpoint’s cybersecurity strategy operations.
Proofpoint is one of the world’s largest email-focused security platforms, securing more than 100 million inboxes around the world. In the 18 years Proofpoint has operated, email threats have changed dramatically. In Proofpoint’s earliest days, spam was the biggest email pain point, in a threat landscape focused mostly on browser insecurities. However, in the early 2010s, email threats began to increase, as attackers targeted vulnerabilities in operating systems with malicious attachments and URLs.
At the same time, the email security market saw rapid consolidation. Cisco acquired IronPort and Symantec acquired both BrightMail and MessageLabs, leaving Proofpoint one of the only publicly traded companies focused solely on investing in email security technologies. In 2014, Proofpoint began to strongly invest in sandboxing technologies and machine learning to help protect organizations from malicious attachments and social engineering attempts. Kalember argues this gave them a major advantage over other vendors, and helped to position them as a market leader in email security.
The changing email threat landscape
Since then, email threats have become a top risk to business security. “Whether we look at it in financial terms, or in terms of technical risk, email is the number one (cybersecurity) threat. I don’t think there is a CISO on the planet who would give a strong argument to the contrary at the moment,” Kalember says.
One of the major changes in the email threat landscape has been a move away from attackers targeting infrastructure, towards attacking people. “Water flows downhill,” explains Kalember. “It is so much easier to target a person than it is to target a sophisticated modern operating system, or cloud infrastructure. Attackers are simply going after the weakest link.”
“Modern email threats are extremely well researched,” he continues. “A business email compromise threat might actually come from your manager, someone in your organization, or a trusted partner. It might even come from their account, because it has been taken over. They might have been reading your email, and perfectly mimicking all of the texts that they typically send you.”
“Office 365 is the attacker’s playground”
As threats become more sophisticated, they become much harder to stop. When it comes to modern email threats, “Not only do you have to be really good at stopping malware, which requires a whole host of different detection techniques, you have to be really good at stopping phishing, you have to be able to identify when somebody is being impersonated,” Kalember says.
Proofpoint has invested heavily in technologies that can understand how people use email, so they can better detect email threats. This means learning behavioral patterns, IP addresses and where attacks are coming from within Office 365. Having this understanding is critical to being able to implement strong security controls, Kalember explains. These controls include authenticating email at the gateway in a whole new way, allowing email technologies to detect spoofed domains and lookalike domains that particularly fool mobile app users.
“This has actually pushed Proofpoint into two fairly obvious new markets,” says Kalember. “One is the email fraud market, which is classically thought of as the email authentication market. The other one is the Cloud Access Security Broker (CASB) space.”
CASBs protect cloud applications like Office 365 and associated apps, going beyond just the email channel to protect users. “We’re talking a lot about Office 365,” he explains, “because it’s really the attacker’s playground right now. It’s their whole infrastructure; it’s where they live.”
“If you’re not in Office 365 and G Suite, you’re not going to see that malicious activity. Being able to connect that with the email vector is incredibly important in solving the problem more broadly.”
User awareness training
The final part of the puzzle to stopping modern email threats is user awareness training, Kalember says. Just over two years ago, Proofpoint acquired Wombat Security, which has now become Proofpoint Security Awareness Training. Since then, Proofpoint has also acquired Defense Works, a UK-based awareness training company.
“Basically 100% of these attacks rely on successful social engineering,” Kalember says. “So, if you can identify which people inside an organization are relatively resilient, and which ones are relatively vulnerable, you can do a phenomenal job when you have real data and analytics on the type of people likely to be compromised.”
Should organizations be taking a multi-layered approach to email security?
In their latest guide to email security for the enterprise, research firm Gartner advised that all organizations should take a multi-layered approach to security, implementing inbound, outbound and internal detection and remediation capabilities.
Kalember agrees that organizations “absolutely” need multi-layered email security in place. “I think if you’re looking at what’s happening in Office 365, via at the very minimum the Graph API that Microsoft provides there, you’re not really solving the problem.”
“Because it’s not purely an email problem, it’s to a large extent an Office 365 problem. The same people that are being attacked in the same ways are all living in that Office 365 cloud. That’s where their access is, that’s where you’re going to see the attacker on the front end of the attack, and it’s where you’re going to see everything happen afterwards.”
However, Kalember disagrees with the idea that organizations need to layer multiple email gateways in order to stop email threats. “That is something that people did very frequently, back when email was just such a headache that they wanted an email to have to hop through a Proofpoint, through a FireEye, and then have to go through Microsoft,” he says.
“That’s not really defense in depth anymore. Because frankly, the malware detection techniques that vendors use are relatively similar. Some are better than others, static has been on the upsurge lately, versus behavioral or sandboxing.”
“But it’s not really where you get bang for your buck. Where you get bang for your buck is actually understanding what then happens inside Office 365 with broader context that connects to the email context. This is where we end up relying pretty heavily on machine learning in order to make detections work with so much data.”
“This is where I feel we have one of our more durable advantages because of our massive customer base. We see billions of emails every day, and we’ve got tens of millions of Office 365 users that we’re monitoring.”
The quality of data used to train machine learning models is the key to getting good results, Kalember says. “When we’re sitting on an ocean of really good data from some of the world’s leading organizations, it’s almost our responsibility to use that correctly, because that’s what actually helps us make progress.”
What does the future of email security threats look like?
As we look forward to the 2020s and beyond, Kalember thinks it’s unlikely that social engineering will be going away anytime soon. “Social engineering is such a deep, deep well for the attackers to draw from that it’s not going to run dry anytime soon,” he says.
“If you look at these mega-trends now that we have the benefit of a little bit of hindsight in cybersecurity, you can actually identify the era in which cybersecurity really grew up as an industry, as the anomalous era. Because we didn’t know how to write secure code and we connected everything to one big global network, without ever really having any idea about what it would be like to secure that!”
“Now, I think we’ve actually technically solved many of those problems. We can create a secure browser, we can create a secure operating system, we can create a secure cloud infrastructure. What’s left that we can’t secure? It’s the person. Going further into understanding people, how they’re attacked, how to protect what they have access to, I think is going to be our future; I think it’s going to be the industry’s future.”
“Hopefully, we’ll maybe even ditch the ‘cyber’ term, because that really is not the point. The point is protecting whatever matters most to the organization, business continuity, or its data. Increasingly that’s done through the lenses of people and that’s a very clear strategic orientation for us and I hope it will be for the industry at large.”
Advice for organizations struggling with email security risks
Kalember’s advice for organizations struggling with email security threats like phishing and account compromise is to start by quantifying their problem. “At this point, you can find a really quick way to quantify the problem. Anyone who purports to be able to defend your emails should be able to give you good data, to help you better understand your risk, in two weeks’ time for free. It’s absolutely worth seeing this data for yourself. Ultimately it is not about any vendors’ PowerPoint slides or any economics, it is about the data.”
“I’d also say to take a step back and realize this isn’t just an email security problem. It’s also an email fraud problem. It’s a user awareness problem. It’s a cloud and Office 365 problem. Insofar as you can look at it as one problem, and find the strategic partner that works for you, you’ll end up in a better place.”
Thanks to Ryan Kalember for participating in this interview. You can find out more about Proofpoint and their range of enterprise email security solutions here: https://www.proofpoint.com/us