Integrated Cloud Email Security
Phishing, Email Breaches and Multi-Factor Authentication Compromise Take Center Stage at Black Hat 2022
by Tessian Tuesday, August 16th, 2022
After almost three years of pandemic-induced disruption, Black Hat 2022 marked the return to a semblance of normalcy in Las Vegas. The number one hot take from 2022’s show was the hope that the pandemic is finally behind us. One aspect that will never be the same again, however, is the rapid shift to distributed computing environments across the world. This explains why cloud adoption is growing at an unprecedented scale, with Gartner forecasting that almost $500 billion will be spent on cloud services in 2022, rising to nearly $600 billion by 2023. According to former CISA director Chris Krebs in his opening keynote, increasing complexity and a rapidly expanding attack surface are among the main reasons cyber risk is going to get worse before it gets better. Krebs also called on the cyber community and the government to continue bolstering efforts to address cyber risk.
Phishing and multi-factor authentication compromise
Phishing and multi-factor authentication (MFA) compromise were among the dominant threats covered by established and emerging security vendors at Black Hat 2022. Trying to stay relevant, one of the legacy email security solutions unveiled machine learning capabilities in an attempt to address cyber threats that are increasingly able to bypass secure email gateways (SEGs). Tessian’s CISO, Josh Yavor, and KnowBe4’s Roger Grimes both focused their Black Hat presentations on how threat actors are leveraging social engineering to compromise MFA, with Roger underscoring that 70-90% of all breaches are attributed to social engineering, including MFA compromises. Although MFA remains an important security control, organizations have been prone to placing too much faith in this one particular measure; while underscoring its importance, Roger cautioned against the overstated claim that by adopting MFA an organization becomes near impenetrable. Tessian’s Josh illustrated how MFA has become an important security control, but that threat actors are able to compromise it via a range of social engineering attacks. Josh ended his presentation with an appeal – only by adopting advanced anti-phishing solutions that leverage machine learning powered behavioral intelligence to detect threats as they manifest can the risk of a credential compromise be reduced. Some of the other themes observed at Black Hat 2022 included a focus on addressing cloud and end-user cyber risk, with a range of solutions that included contextually aware API security, intelligent vulnerability management, end-user isolation for a hybrid workforce, as well as ensuring that security awareness training actually strengthens security culture.
Cyber risks caused by human error
Coinciding with the annual security conference, several high-profile breaches were trending, including a Lapsus$ ransomware attack on Cisco in early August, as well as Marriott International suffering a third breach since 2018. Both attacks were attributed to employee credential compromise. In the case of Cisco, the threat actors compromised an employee’s personal Gmail account and gained access to credentials stored in that account. In the case of Marriott, a month prior to the 2022 Black Hat conference, an employee at one of its hotels provided credentials to a threat actor. Both instances underscore the reality that people make mistakes and that a layered security strategy is no longer a nice-to-have but is essential to reducing the risk of a breach. These instances also validate findings from recent seminal industry security reports, including IBM’s Cost of a Data Breach 2022 and Verizon’s DBIR 2022, which show that compromised credentials and phishing are the leading threat vectors. Similar findings have been echoed in the vendor community, most recently by Palo Alto’s Unit 42, which reports that 70% of its incident response cases are attributed to business email compromise and ransomware-related attacks.
The future of cybersecurity is in the cloud
Breaches are increasing in frequency, as are the costs associated with a compromise, with the average breach now costing victims $4.35m. That number jumps to $10.1m if you happen to be in healthcare. Only by leveraging best-in-breed cloud native security solutions will increasingly advanced attacks be detected and prevented. Cloud native security solutions do not carry technical debt from an on-premises world; they have the advantage of being engineered from the ground up for adaptive, cloud-based threats. For example, Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core and – enabled by machine learning, using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – is able to detect threats as they manifest, in real time. This includes threats that have been able to circumvent initial security controls such as MFA or legacy static, rule-based email security solutions like SEGs.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Podcast, Compliance, Interviews With CISOs
Lola Obamehinti on What Good Security Awareness Training Looks Like
by Tessian Saturday, August 13th, 2022
With a wealth of experience in developing and leading security and awareness programs at companies including eBay and TIAA, Lola Obamehinti knows what makes a good program. Lola, the founder of Nigerian Techie and former , joined Tim Sadler, Tessian CEO and co-founder, on the RE:Human Layer Security podcast to discuss security and awareness training – why it matters, how to make it effective, and the secret to keeping employees engaged. Tim and Lola also discussed diversity in tech, with Lola reflecting on the work that remains and how to increase inclusivity and diversity in the industry. Listen to the whole episode or read on for some key Q&As from the interview.

Q: Why is security awareness so important in organizations today?
A: Security awareness and training are crucial for every organization because employees need to understand their role in protecting confidential company data and information. When cybercriminals target a company and attempt to gain access to networks and systems they do not only target IT or tech employees. Each and every employee has the potential to be a target, regardless of their role. So it is really important to equip employees with the proper tools to identify phishing attacks and other methods that cybercriminals may use to infiltrate an organization.

Q: What does a good security awareness program look like?
A: Effective security awareness and training programs require a multifaceted approach. It is not just training, and it is not just security awareness events or communications – it is all of those elements working together. You could even divide security training up further into phishing simulations, which then feed into additional security training, alongside required security training (that could also be role-specific). The communications pieces and events also play a big role because you need to let the employees know where they are missing the mark, and also lead effective security awareness events.
Finally, you need to use data to track the progress of all of those particular programs. This well-tracked, multifaceted approach really helps to keep security at the forefront of employees’ minds, and in my opinion, is what works best.
Q: How do you improve a pre-existing program and engage employees?
A: Additional funding is the best way to improve a pre-existing program. It may seem like the easy answer, but in my experience, I have noticed that security awareness and training is one of the parts of security that is often a bit underfunded. Companies often say that additional funding isn’t necessary, but whenever an incident happens security awareness and training is one of the first teams that is notified. Now when it comes to the content of the program, context is key. To engage employees and help them retain information, you need to provide context to the lessons you are teaching them. For example, when I was leading security awareness and training at eBay, we were entirely remote, so ensuring employees were well engaged was a key focus. One of the things we did was in January after the popular Coinbase advert that was shown at the Super Bowl. The advert featured a QR code bouncing around the screen, similar to a bouncing DVD logo. So, I wrote an article about protecting yourself against QR code phishing, using the advert to provide context. The engagement was huge – a few of our engineers even created their own QR codes! Until then I didn’t think that level of engagement was possible, but it just goes to show what happens when employees are truly interested in a topic. You just need to make it relevant to them.
Q: What diversity and inclusion work is left and how can leaders help?
A: Right now, there is a lot of work left to do in the industry when it comes to diversity and inclusion. The security industry reflects the greater technology industry where there is not a lot of representation. Even for San Francisco-based companies, the representation of Black, Indigenous, and People of Color (BIPOC) teeters around 2-5%, which is really, really disheartening. Particularly because in 2014 a lot of the major tech companies started releasing diversity reports, but the numbers really haven’t moved since. To change this I believe that the gatekeepers, from hiring managers to executives, need to give opportunities to individuals who might not have a traditional path. Maybe they just have a passion, maybe they have done a lot of extracurriculars like starting a podcast or YouTube or Discord to educate other individuals on security. They may not have the right certifications, but those individuals should be given more opportunities at entry-level or even management. Also, for the individuals who are already in the industry – if they don’t feel included or like there are proper opportunities for advancement they leave. We have all seen the lawsuits that are being brought against Google and other tech organizations where people have been discriminated against, experienced racial microaggressions, and were not promoted or compensated fairly. So the work doesn’t stop once you have a diverse workforce – you need to make them feel continually included. Finally, I would like to highlight that diversity is not just about BIPOC. It can be gender, background, or socioeconomic status, it can be anything. I think of diversity as diversity of perspective and thought – and it is so important for the overall success of a company.
Integrated Cloud Email Security, Interviews With CISOs
Hot Takes: 8 Ways to Strengthen the CISO and CFO Relationship
by Tessian Thursday, August 11th, 2022
As cyber risk continues to escalate, strategic collaboration between the Chief Information Security Officer (CISO) and Chief Financial Officer (CFO) is becoming more important. In a recent webinar discussion between Tessian’s CFO Daniel Kim, Jason Thomas, CIO at Cole, Scott and Kissane, and Steve Kinman, CISO at Snyk, we talked about the key elements of addressing cyber risk at a strategic and fundamental level. What did we uncover? Ultimately, the CISO and CFO roles are changing, and collaboration between these two important stakeholders is essential for businesses to mitigate cyber risk while also driving business objectives forward. The panel also outlined some of the key principles necessary for enabling a dynamic, risk mitigation and business value-led partnership.
1. Focusing on cybersecurity fundamentals
The risk of a cyber breach and the costs associated with breaches are increasing. In fact, the 2022 Cost of a Data Breach Report from IBM revealed that the cost of a data breach now stands at $4.35 million, up 13% from 2020. According to Jason Thomas, CIO at Cole, Scott and Kissane, security leaders must focus on the security fundamentals as a starting point. This includes understanding your environment, i.e. classifying your assets and knowing what you have from a technology and people standpoint, as well as the degree of cyber risk faced by your organization.
2. Quantifying cyber risk
For Daniel Kim, CFO at Tessian, moving away from a binary quantification of cyber risk is the first important step to addressing increasing cyber risk, as is appreciating that “the risk is never going to be zero.” As a next step, he says, it is important that companies also appoint C-suite steering committees that operate in a similar fashion to disaster risk committees. This would move companies from a reactive to a proactive position on cyber risk mitigation.
3. Prioritize cybersecurity spending
Cybersecurity investments often face questions from other business leaders about the value they would add to the company. For Jason, it is essential that company leaders ask themselves, “how much is one hour of downtime worth to the company.” For Steve Kinman, CISO at Snyk, many companies are still struggling to adequately prioritize cybersecurity program development, stating “what I hear a lot from teams is that they’re doing a lot of ad hoc security planning…and there’s no roll-up of that information to the C-suite or board.” Every cybersecurity initiative, he says, must be aligned with the business and its objectives.
4. Cyber risk as a financial risk
On the growing importance of CFO and CISO relationship building, Tessian’s Dan underscores that it rests on two aspects, namely the frequency and the impact of risk. On frequency, it is imperative that leaders understand what risks exist in their environment; these range from natural and geopolitical to financial and cyber risks. On impact, the increasing costs associated with cybersecurity events, from loss of revenue and downtime to the loss of data and IP, have rendered cyber risk a financial risk, says Dan. Combined with regulatory changes that will result in the C-suite being held personally liable for cyber breaches, this is elevating the importance of dealing adequately with cybersecurity risk – with Dan adding, “reacting to a breach after the fact is no longer a good business model.”
5. Health check on the CISO and CFO relationship
Snyk’s CISO Steve noted that for the majority of organizations a disconnect between the CISO and CFO is apparent, noting that many CFOs don’t understand cybersecurity terminology and do not understand the real cyber risk facing their organizations. It’s important to shift the conversation from cyber risk to business risk. Touching on the evolution of the CISO role, Jason states that it is critical that security leaders understand the fundamental financial aspects of the business in order to prioritize investments to address these risks.
6. The importance of ROI
Having measurable return on investment (ROI) from your security tools is non-negotiable for every business. For Jason, this entails conducting routine audits of security tool efficacy. Not being able to get the data out of the tools and demonstrate what impact they are having leaves you unable to determine whether a tool is performing as expected and delivering ROI. For Dan, it is helpful to use a framework that categorizes investments by the following criteria:
investments that generate revenue
investments that cut cost
investments that manage risk
Every business leader – including CISOs – needs to be able to translate their area of expertise and the programs underway into business outcomes, according to Dan. Learning how to speak the same risk language, being the catalyst for change and making it a collaborative journey is so important to achieving business outcome success.
7. Become an effective C-suite communicator
It’s only once a breach has happened that cybersecurity programs are prioritized. This, according to Steve, is the well-known mantra of “not wasting a breach” to increase the cybersecurity budget. Although this approach is commonly used in the industry, there is a need for a more proactive approach. Steve cautions, however, that security and risk leaders need to be tactical with their asks for additional cybersecurity investment – you need to have a well-developed and well-communicated cybersecurity strategy in place first. Additionally, overcoming communication obstacles that may exist between the CISO and the C-suite requires developing a set of reporting metrics that convey the maturity of the program, rollout against timeframes, and how risk is trending. The C-suite and board require a different type of language than most security practitioners are familiar with – don’t go too deep on security jargon.
8. Overcoming the cybersecurity perception problem
In a 2022 Tessian study, we found that only 58% of employees believe that senior executives at their company value cybersecurity. For Steve, most companies recognize that cyber risk is the number 1 risk, but that’s where the acknowledgement stops. Even large corporations don’t demonstrate how essential cybersecurity and cyber risk mitigation are to their overall growth strategies. Cyber risk needs to be intertwined with the business plan and commonly understood by all of the business units. When cybersecurity risk is not referenced in the business plan, that is where the perception of cybersecurity not being valued comes from. Jason and Dan agree that security awareness training needs to be ongoing and doesn’t need to be overly complex. Jason uses a constant messaging approach to drive security awareness of the risks being seen in the industry and the measures his team has in place to safeguard the company.
Building a Long-Term Relationship
The importance of strategic collaboration between CFOs and CISOs is coming into sharper focus, particularly as cyber risk continues its upward trajectory. For organizations that are behind the technology adoption curve, according to Dan, cybersecurity risk can no longer be seen as a standalone, siloed IT project; rather, it needs to be seen as a key business risk facing the enterprise. Sharing information and intelligence, i.e. constant communication on breaches and threat trends in the industry as well as demonstrating what measures are in place, helps Jason and his team build trust with the C-suite. Steve advises that it can be very intimidating to think that the CFO doesn’t care about cyber risk – get over that fear, go and speak to your CFO, and build that relationship. Building an effective relationship between the CFO and CISO takes collective effort, as well as a shared view on the extent of cyber risk facing the organization. Having a well-oiled partnership between these two important business stakeholders can both mitigate cyber risk and deliver success on business objectives.
Integrated Cloud Email Security, Email DLP
Tessian Recognized as a Representative Vendor in the 2022 Gartner® Market Guide for Data Loss Prevention
by Negin Aminian Tuesday, August 9th, 2022
Tessian has been recognized by Gartner in the Market Guide for Data Loss Prevention (DLP) 2022 as a Representative Vendor for next generation DLP. Gartner makes the distinction that, “DLP is a mature technology, but the emergence of tools with a focus on cloud and insider risk management use cases has provided SRM leaders with the option to invest in a next-generation data security tool.”
State of the DLP market and why email matters
The need for cloud native DLP tools is growing in step with increased public cloud adoption, and the report mentions that, “In 2021, Gartner fielded 29% more client inquiries on the topic of DLP than in 2020.” In the latest Gartner forecast, “Worldwide end-user spending on public cloud services is forecast to grow 20.4% in 2022 to $494.7 billion, up from $410.9 billion in 2021, according to the latest forecast from Gartner. In 2023, end-user spending is expected to reach nearly $600 billion.” Email is a significant threat vector for data loss. In separate research conducted by Tessian (2022), the risk of a data loss event occurring via email is high, with nearly 60% of organizations surveyed having experienced an email data loss incident due to an employee mistake in the last 12 months. Email was also identified as the riskiest channel for data loss, followed by cloud file-sharing and instant messaging platforms. Gartner underscores the importance of addressing data loss risk on email due to the fact that “email is one of the most prevalent means of sending information and a priority for most clients.” And in reference to email security DLP capabilities, Gartner states: “Some email security vendors’ solutions can also address accidental data loss use cases, such as the sending of email to the wrong recipients or the sending of wrong attachments. These solutions use artificial-intelligence-based algorithms to track users’ email patterns and notify users if they may be accidentally sending sensitive information.” These intelligent email DLP capabilities are native to Tessian, which is able to prevent misdelivered emails and misattached files from being sent, as well as preventing malicious attempts at email data exfiltration.
Key findings from the Gartner Market Guide for DLP
The report identifies three key findings:
“Data loss prevention programs that are not tied to specific initiatives and goals are indicative of immature data security governance.”
“Traditional DLP vendors that focus on conventional and data-specific content inspection methods can lead to fatigue and a siloed view of data movement.”
“Legacy DLP tools rely on detection methods that were developed for on-premises workloads. Cloud migration has complicated the vendor selection process for clients, since these legacy approaches to DLP often are no longer viable.”
Some of the key recommendations include:
“Define a DLP strategy based on data risk and the needs of the business.”
“Invest in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response.”
“Overcome the challenges presented by a cloud-first strategy by implementing a solution to map and secure sensitive data across the hybrid environment.”
How Tessian protects against accidental and intentional data loss on email
Tessian’s unique approach to securing the email ecosystem and preventing email data loss hinges on three pillars:
Enabling intelligent and automated email security that leverages machine learning powered behavioral intelligence to detect both known and unknown threats in real time. This prevention capability extends to automatically preventing email data loss in both malicious insider and accidental data loss use cases.
Improving security operations (SecOps) efficiency by preventing data loss events from becoming incidents, reducing the time spent triaging incidents as well as the time spent configuring static DLP rules.
Strengthening security culture by creating a positive end-user experience that empowers end-users to make the right cybersecurity decisions.
An intelligent approach to cloud email security
By leveraging machine learning powered behavioral detection, Tessian’s cloud email security platform is able to prevent both accidental and malicious data loss attempts from becoming incidents – ensuring data security compliance while reducing the burden on SecOps. Combined with contextual, in-the-moment end-user warning banners, security culture is strengthened by empowering end-users – through a range of DLP policy enforcement options – to make the right security decisions.
Gartner, “Market Guide for Data Loss Prevention”, Ravisha Chugh, Andrew Bales, July 19, 2022.
Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Integrated Cloud Email Security
Are Phishing Tests Part of Your Security Training? How’s That Working Out?
by Andrew Webb Tuesday, August 9th, 2022
A good security culture is critical for any organization because, as the old saying goes, you’re only as strong as your weakest link. Finding that weakest link and strengthening it is therefore seen as crucial. And that’s why we need to talk about phishing tests. Because rather than fostering a strong security culture, phishing testing can sometimes have a detrimental impact on your employees’ security awareness as well as their morale. All too often phishing testing adopts a ‘gotcha’ approach, followed by ‘punishment training’. Our recent Security Cultures Report found that only 33% of employees have had a positive experience with phishing simulations, and 18-24 year olds are 2-3x as likely to have had a bad experience. So when we saw this tweet, we were hardly surprised. It’s by no means an isolated incident.
How NOT to run phishing exercises #infosec pic.twitter.com/m4icf9KUrZ — Jackie Singh (CISO at ANTIFA) (@HackingButLegal) December 17, 2021
Look, I can be as vigilant as I can, but at the end of the day, it feels like the entity sending me the most phishing emails is MY OWN company, constantly sending them as tests to try to trick us. — Brian Gray 🪩🥂💖 (@urbanbohemian) June 27, 2022
Meanwhile, this example from GoDaddy in 2021 seems particularly mean-spirited. It’s not entirely unrealistic to expect some sort of corporate comms like this from their own internal team during the holiday season.
Dysfunctional security culture
These are classic examples of a dysfunctional security culture. The result: total fear and paralysis in the workforce that actually affects their ability to do their work – work that brings in real revenue. Stopping phishing attacks by effectively shutting down the company’s ability to function normally can’t really be considered a win. As we’ve discussed before, you can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases. It’s almost an unconscious muscle memory with some people. It also has a cost to employees’ mental state, which, given the past two years, is probably already quite fragile – after all, no one should be publicly humiliated and lose their job for clicking a phishing test link.
It’s not just Dave in the Accounts team that this can happen to; even IT experts can fall foul, as this other thread on Reddit explains – but look at why:
“I was just coming after lunch, juggling a few important tasks in my head and when I unlocked my laptop there were 20 new emails, so I tried to quickly skim through them”
In short, they were distracted.
Mistakes happen
Phishing tests, and security training more generally, deliver a poor ROI for CISOs and InfoSec teams. Security training is expensive, both in the cost to organize and run it, and the cost to the company more broadly from taking staff away from what they should be doing. It’s also… often boring, on a par with doing a tax return. What’s more, after just one day people forget more than 70% of what was taught in training, while 1 in 5 employees don’t even show up for security awareness training (SAT) sessions. And this is despite some companies’ best efforts to make it ‘fun’.
After anger comes apathy
IT can fix technology, but it can’t fix apathy – and that’s where people more than likely end up after phishing training. This can result in a drastic drop in responsiveness and employee effectiveness. Thanks to research by Dr. Karen Renaud and Dr. Marc Dupuis, we know that unleashing fear, uncertainty and doubt on a workforce doesn’t work. It cripples decision making, creative thought processes and the speed and agility businesses need to operate in today’s demanding world.
What does a good security culture look like?
Our 2022 Security Cultures Report found that although security leaders are prioritizing training (85% of employees in the US and UK participate in security awareness programs), just 36% of them say they’re fully paying attention. And while half (50%) do say it’s helpful, only 28% say it’s engaging, and 36% say it’s outright boring. Perhaps that’s why 1 in 3 employees don’t even understand why cybersecurity is important, and nearly 30% don’t think they personally play a role in maintaining their company’s cybersecurity. Look, we’re not down on phishing testing per se. If done right, as a research exercise, it can provide valuable insights and data points for your organization as part of a much broader suite of security measures.
But what we are down on is victim naming and blaming. Technical tests like phishing testing should be an opportunity to better train and tune your company’s filters and defenses, not used to punish your people. A user failure is, uncomfortable as it may be to hear, really a technical failure – because that phishing link should never have got in front of a person in the first place.
Internal phishing tests are misaligned with their intended outcome. Too often we use the metric to beat users over the head, when we really should be using the data to tune curriculum. The test should identify vulnerabilities, not fix them. https://t.co/a13rQ6q2sF — Brian Anderson (@btanderson72) June 23, 2022
Why ‘in the moment’ training works
How did you learn to swim? I bet you didn’t sit through an hour-long presentation about it once a quarter, watch a video, then do a ‘fun’ quiz. You got in the water and worked things out ‘in the moment’. Your senses and instincts flagged potential dangers like getting out of your depth or diving too deep. Good security training is the same. Training people away from their day-to-day working environments removes the connection between the danger and where that danger is experienced. When Tessian detects a threat like a spear phishing email, employees see a warning message that they have to respond to. It’s written in plain English, and offers context around why the email was flagged.
It takes time and effort to develop a robust security culture that everyone subscribes to, and that’s hard work when you’re fighting several other issues at the same time. To foster and maintain a risk-aware workforce, security teams should play an active role in onboarding, offboarding, and day-to-day work. This is especially important now that remote and hybrid operating models are the norm. According to our research, however, security leaders underestimate just how much they should be a part of the employee experience, and staying out of it compounds the organization’s risk, which can end in a successful attack. Our 2022 Security Culture Report is a good place to start your journey to a stronger security culture. Download it here.
Integrated Cloud Email Security, Advanced Email Threats
How to Prepare for Increasing Cyber Risk
by Tessian Wednesday, July 13th, 2022
Each year it seems we are met with new, complex challenges and risks that few could have predicted. In turbulent times, it is prudent to take stock of what business and security leaders can control. Allocating dedicated resources to manage both known and unknown risk more effectively is fast becoming essential to shoring up organizational resiliency. Turning to the sector that is germane to what we do at Tessian, effectively managing cybersecurity risk is now more critical than ever. In fact, cybersecurity risk is now considered the number one risk faced by businesses according to Allianz’s 2022 Global Risk Barometer, followed by business interruption (2) and natural disasters (3). Read on to learn more about some of the key cyber risks organizations face today, and how best to mitigate them.
Cybersecurity risk is increasing
The costs associated with breaches are increasing each year. The global cost of cybercrime damages is expected to reach $10.5 trillion by 2025, representing a 350%+ increase from 2015. A sign of the worsening cyber risk can be seen in the cyber insurance industry. A high volume of recent claims, up by 500% in 2021, has driven significant escalation in cyber insurance premiums, which have essentially doubled over the past year. And as a result of recent developments in Ukraine, leading insurers are now excluding suspected nation-state cyber attacks from coverage.
Persistent and increasing email security risk
Due to its open nature, email remains the preferred method for delivering a malicious payload, including ransomware, and is responsible for up to 95% of breaches. Email also attracts the greatest investment in the attacker value chain and is the riskiest channel for data loss. Until recently, detecting and preventing email threats relied on static, rule-based solutions like Secure Email Gateways (SEGs). These solutions can only detect known threats because they rely on a threat detection engine of already documented threat campaigns. But threats have become more advanced and are proliferating at an alarming rate, with the net result that these threats go undetected by SEGs and reach victims’ mailboxes. According to Verizon’s DBIR 2022, email-delivered social engineering attacks are growing in complexity, with phishing responsible for 60% of these attacks. In addition, the FBI reported that $43 billion has been lost globally to Business Email Compromise (BEC) in the past 5 years, with a 65% increase in BEC fraud losses reported globally between 2019 and 2021.
The growing ransomware challenge
Advanced cyber threats like ransomware are also trending in the wrong direction. Ransomware-related damages exceeded $20 billion in 2021, a 57-fold increase from 2015, and by 2031 they are expected to reach $265 billion. Ransomware is responsible for 75% of cyber insurance claims, and Ransomware-as-a-Service offerings are mainstreaming the ability to carry out devastating ransomware attacks. The Russia-based Conti ransomware gang, aka Wizard Spider, has been linked to 50 incidents in April 2022 alone, including attacks on the Costa Rican and Peruvian governments. The US government currently has a $15 million bounty on Conti, indicative of the scale of the problem. The FBI estimates that over 1,000 Conti ransomware victims have paid in excess of $150 million in ransom in the past year. Also concerning is the proliferation of wiper malware seen in 2022 in cyber attacks against Ukraine. Disguised as ransomware, wiper malware simply erases all data on infected hosts. In response to the growing ransomware threat, CISA announced the formation of a ransomware task force at the end of May 2022.
Software supply chain vulnerability
Software supply chain cyber risk is another leading concern for CIOs and CISOs. The acceleration of digital transformation and cloud adoption, together with faster deployment through DevOps processes, has dramatically expanded the attack surface, with vulnerable code and applications exposed online. Software supply chain attacks remain attractive given their high impact and high reward for the attackers, as the SolarWinds and Kaseya attacks demonstrated.
Final thoughts for staying safe in a volatile cybersecurity environment
Prioritizing cybersecurity program development is now a core aspect of effective organizational risk management. There remains, however, a collective need in the vendor and broader business community to educate executives, particularly at the board level, on the importance of proactive cybersecurity risk management. Assume you will suffer a breach. From this risk-aware position, think about the proactive steps you can take to improve your cyber resilience. The escalating email, ransomware, wiper malware and supply chain risks underscore the imperative for investing in intelligent and agile cybersecurity defenses. Continuously seek out innovative solutions that keep your environment safe, while at the same time ensuring a high degree of employee engagement on the importance of security awareness.
To see how the Tessian Intelligent Cloud Email Security platform prevents ransomware attacks and prevents data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
What is an Integrated Cloud Email Security (ICES) Solution?
Thursday, July 7th, 2022
In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud based services becomes the next big challenge. Enter Integrated Cloud Email Security.
What is an Integrated Cloud Email Security (ICES) Solution? The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.   ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record. Taking it one step further, ICES solutions can also provide in-the-moment prompts that can help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant: “Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”
Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG)… But why? In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?
Rule-based approaches don’t cut it SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks – with these lists created using threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.
The migration to the cloud
More and more, organizations are adopting SaaS offerings like Microsoft 365, which have SEG-like capabilities natively included. This shift was well underway before the pandemic and has since accelerated, with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack. The rise of offerings like Microsoft 365 and Google Workspace, and the move away from SEGs, comes as no surprise given the enhanced functionality at the platform level, which can include:
- Blocking emails from known bad senders
- Scanning attachments with AV
- Blocking emails with known bad URLs
- Content analysis to identify spam
Given these native SEG-like capabilities in cloud productivity suites, ICES solutions are the natural supplement for comprehensive email protection: when used in combination with SaaS offerings like Microsoft 365, they provide protection against many of the threats SEGs fail to detect.
What are the benefits of ICES solutions?
ICES solutions offer more than just threat detection. Key features of ICES solutions can include:
- BEC and ATO attack detection using NLU, NLP, social graph analysis and image recognition
- Context-aware banners to warn users
- Phish reporting
- Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes
How to evaluate ICES vendors
The number of ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed:
- Time-to-value and return-on-investment time horizon
- Cost of effort to install and manage
- False positive rate
- ML- and AI-based technology to detect advanced social engineering attacks, including BEC and ATO attacks
- Ability to analyze and map conversation history
- Computer vision to analyze suspicious data and links in emails
- User education controls to reinforce training, including context-aware banners and/or in-line prompts
- Ability to analyze emails prior to delivery to the end user
- API integration of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions
Still struggling to decide? Have a look at the 2021 Gartner Market Guide to Email Security, which contains further information on ICES vendors, including Tessian.
Why choose Tessian?
Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including:
- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications.
To summarize, there are four key Tessian differentiators:
- Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365 and G Suite. Protection also includes class-leading email DLP.
- Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
- Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as triage and review. This eliminates the need for manual verification of email threats, reducing FTE requirements.
- Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.
To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here.
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
Buyer’s Guide to Integrated Cloud Email Security
by Tessian Tuesday, March 29th, 2022
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a fresh approach to solving increasingly sophisticated and elusive email security threats. Here’s what to look for when choosing an ICES. Born in the cloud, for the cloud, ICES solutions are seen as an integral additional layer of email security that complements the native email security capabilities present in cloud productivity suites such as Microsoft 365 and Google Workspace. At last count, according to the latest Gartner Market Guide for Email Security (2021), there were 13 ICES vendors, giving customers plenty of choice. Not every ICES vendor, however, offers the same completeness of vision, degree of protection, or intelligent capabilities. This short guide covers some of the key fundamentals that prospective buyers of an ICES solution should be aware of.
Why is there a need for ICES solutions in the first place?
Evidence shows that email remains an important and attractive attack vector for threat actors; according to a recent study, it’s responsible for up to 90% of all breaches. The fact that the vast majority of breaches are attributed to an email compromise indicates that the current status quo in email security is insufficient to prevent breaches. This was confirmed in a Forrester survey conducted on behalf of Tessian, in which over 75% of organizations reported that, on average, 20% of email security incidents get past their existing security controls. Threat actors are using more sophisticated email-based techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web. In this new world, threat actors develop exploit kits and offer their services for sale, which has dramatically increased attackers’ ability to find targets. This explains why the cost of damages from cybercrime is expected to rocket to $10.5 trillion by 2025, a 350%+ increase from 2015. Digital transformation is another key reason. Cloud adoption was accelerating prior to the Covid-19 pandemic, and accelerated even more quickly in its wake. This dramatic shift to the cloud has significantly expanded attack surface risk, with employees working from home, often on personal devices. The same structural shift has also revealed the soft underbelly of legacy cybersecurity solutions built for an on-premise world, including the rule-based and static protection for email offered by Secure Email Gateways (SEGs).
And this explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security – with behavioral intelligence and machine learning at the core.
ICES fundamentals
Approach to threat detection and prevention
The key differentiator between SEGs and ICES solutions from a threat detection standpoint is that ICES solutions are underpinned by machine learning and take a behavioral intelligence approach to threat detection. An ICES solution’s model builds a historical behavioral map of an organization’s email ecosystem: who writes to whom, how often, and from which addresses. This map is used together with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to scan for anomalous email behavior dynamically and in real time. Unlike SEGs, which can only match what is already on a list, this lets ICES solutions detect threats as they arise.
Deployment architecture
There are also important differences in architecture and configuration between ICES solutions and SEGs. ICES solutions do not sit in-line like SEGs and do not require MX re-routing; instead they connect to the cloud mail platform either via a connector or via an API, and scan email either pre-delivery or post-delivery, detecting and quarantining any malicious email.
Degree of security automation  ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces alert fatigue and the SOC burden, ultimately improving security effectiveness.
Key differences between SEGs and ICES

Mail flow
SEG: Requires MX record changes, sits in-line and acts as a gateway for all email flow.
ICES: Requires no MX record changes and scans incoming email downstream from the MX record, either pre-delivery via a connector or post-delivery via an API.

Threats covered
SEG: Designed to detect basic phishing attacks, spam, malware and graymail. No zero-day protection.
ICES: Designed to detect advanced social engineering attacks including spear phishing, impersonation attacks, business email compromise (BEC) and account takeover (ATO). Advanced zero-day protection.

Detection approach
SEG: Static, rule- and policy-based protection. No intelligent component to threat detection for inbound or outbound mail, resulting in high false positives and significant triaging of email security incidents.
ICES: Behavioral and machine learning detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives, i.e. less business interruption and more SOC optimization.

Insider and lateral threats
SEG: Limited insider threat detection and no lateral attack detection capability. Once a threat has bypassed the gateway, the threat actor has unrestricted access to the victim’s data and information systems.
ICES: Advanced insider and lateral attack detection capability, stopping threats where and when they arise.

Fields analyzed
SEG: Basic email field scanning. Relies on a threat engine of previously identified threats, plus static rules and policies.
ICES: All email fields are analyzed using machine learning and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments.

Outcome for malicious mail
SEG: Advanced malicious emails go undetected and reach target inboxes. Some less sophisticated malicious emails end up in the spam or junk folder, where users can still accidentally interact with them.
ICES: Advanced malicious emails are detected and automatically hidden from users’ inboxes. With the pre-delivery option, only email determined to be safe is delivered; post-delivery solutions claw back a suspected malicious email within moments of its arrival.

Employee warnings
SEG: No in-the-moment employee security warnings. Security alerts are retroactive and aimed at SecOps, offering no context to employees and no means of improving the security culture.
ICES: An in-the-moment security notification banner can be added to an incoming or outgoing email indicating the level of risk and the context. These real-time notifications improve security culture by empowering employees to take safe action in real time.

DLP
SEG: Basic DLP capability.
ICES: Some ICES solutions, like Tessian, have advanced DLP capability.
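To make the behavioral-baseline idea above concrete, here is a small Python model of it, written as an added example for this page rather than code from Tessian or any ICES product. It learns a correspondence history (a constructed list of recipient/From pairs with made-up names and domains), then scores a new message on the fields the comparison lists: a first-time sender for this recipient, a display name that has only ever been used with a different address, a look-alike sender domain, and a keyword list standing in for the NLP component. The term list, the distance threshold and the verdict rules are assumptions for illustration, not any vendor’s detection logic.

```python
"""Toy behavioral baseline for inbound mail: learn who normally writes to whom,
then score a new message against that history (added example, not vendor code)."""
from collections import Counter, defaultdict
from email.utils import parseaddr

# Constructed correspondence history standing in for what an ICES reads over the
# mailbox API: (recipient, From header). Names and domains are made up.
HISTORY = [
    ("bob@acme.example", "Jane Doe <jane.doe@acme.example>"),
    ("bob@acme.example", "Jane Doe <jane.doe@acme.example>"),
    ("bob@acme.example", "Accounts <billing@supplier.example>"),
    ("bob@acme.example", "Dave Lee <dave@acme.example>"),
    ("carol@acme.example", "Jane Doe <jane.doe@acme.example>"),
]

# Assumed stand-in for the NLP component: words signalling urgency or payment pressure.
PRESSURE_TERMS = ("urgent", "immediately", "wire", "gift card", "invoice", "confidential")


def _split(from_header):
    """Normalise a From header into (display name, address, domain)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    return name.strip().lower(), addr, addr.rsplit("@", 1)[-1]


def build_baseline(history):
    """Return (pair_counts, name_to_addrs, domains) learned from past mail."""
    pair_counts = Counter()            # (recipient, sender address) -> messages seen
    name_to_addrs = defaultdict(set)   # display name -> addresses it has used
    domains = set()                    # sender domains the organisation has seen
    for recipient, from_header in history:
        name, addr, domain = _split(from_header)
        pair_counts[(recipient.lower(), addr)] += 1
        if name:
            name_to_addrs[name].add(addr)
        domains.add(domain)
    return pair_counts, name_to_addrs, domains


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(baseline, recipient, from_header, subject, body):
    """Return a list of (code, detail) anomalies found for one inbound message."""
    pair_counts, name_to_addrs, domains = baseline
    name, addr, domain = _split(from_header)
    reasons = []
    if pair_counts[(recipient.lower(), addr)] == 0:
        reasons.append(("first_contact", f"{addr} has never written to {recipient}"))
    known = name_to_addrs.get(name)
    if known and addr not in known:
        reasons.append(("display_name_mismatch",
                        f"name {name!r} previously used only by {sorted(known)}"))
    if domain not in domains:
        lookalikes = sorted(d for d in domains if 0 < edit_distance(domain, d) <= 2)
        if lookalikes:
            reasons.append(("lookalike_domain", f"{domain} resembles {lookalikes}"))
    text = f"{subject} {body}".lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        reasons.append(("pressure_language", f"terms: {hits}"))
    return reasons


def verdict(reasons):
    """Map anomalies to an action. A lone first contact is normal business and is
    delivered; impersonation signals quarantine; other combinations get a warning."""
    codes = {code for code, _ in reasons}
    if codes & {"display_name_mismatch", "lookalike_domain"}:
        return "quarantine"
    if len(codes) >= 2:
        return "warn"
    return "deliver"


def analyse(baseline, recipient, from_header, subject, body=""):
    reasons = score_message(baseline, recipient, from_header, subject, body)
    return verdict(reasons), reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    samples = [  # constructed inbound messages
        ("bob@acme.example", "Jane Doe <jane.doe@acme.example>", "Q3 planning notes"),
        ("bob@acme.example", "Jane Doe <jane.doe@acrne.example>", "Urgent wire transfer today"),
        ("bob@acme.example", "Accounts <billing@suppiier.example>", "Invoice overdue, pay immediately"),
        ("carol@acme.example", "Tom Park <tom@newvendor.example>", "Partnership introduction"),
        ("carol@acme.example", "Recruiter <hr@jobs.example>", "Confidential offer"),
    ]
    for recipient, sender, subject in samples:
        action, why = analyse(baseline, recipient, sender, subject)
        print(f"{action:10} {sender:40} {[c for c, _ in why]}")
```

Run it and the genuine new-vendor introduction is delivered while the look-alike CEO and supplier messages are quarantined. The point of the comparison table is visible here: a static allow/deny list has no entry for acrne.example until someone adds one, whereas the correspondence history already shows that “Jane Doe” has never written from that domain.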
Five market differentiators for ICES solutions
Not all ICES solutions, however, offer the same degree of completeness in product and protection. It is important that prospective customers of ICES solutions understand and interrogate the following key differentiators during the vendor selection process:
1. Completeness of the product offering and product roadmap. Does the solution cover inbound and outbound email protection (i.e. does it prevent email data loss events from occurring)? Does it have pre-built integrations with other cybersecurity tools such as SIEMs?
2. Degree of protection offered. During the POV it is important to test the efficacy of the algorithm and determine a true baseline of detection, including the false positive rate. Verify the actual results from the POV against the vendor’s stated claims.
3. Deployment and management overhead. Some vendors make unrealistic claims of “protection within seconds”; understanding the actual amount of FTE resources and time needed for deployment is crucial, as is the product’s ability to scale. Determining the degree of FTE effort required to manage the tool day to day is equally important.
4. UX and reporting capability. The overall UX, including the UI for SecOps teams and feedback from employees after using the product during the POV, is essential. Evidence shows that if the UX is poor, the security effectiveness of the tool will be diminished. The ability to pull risk metric reporting on demand, or automate it, down to the employee level for inbound and outbound email is crucial for cybersecurity and risk compliance leaders.
5. Degree of automation. Automation is fast becoming a buzzword in cybersecurity. Buyers need to be aware of the degree of automation that the ICES solution actually delivers, ranging from threat detection to the triaging of threats, as well as risk reporting.
The final word All it takes is one click on malicious content for a breach to take place. When assessing and selecting an ICES solution, it is important that customers consider the above listed criteria as part of their general vendor assessment criteria.   The considerations on the completeness of the product offering and the degree of protection offered should be weighed carefully.  Finally, it’s the human-side that often never gets mentioned in vendor assessments. The experience interacting with the vendor from the first interaction through to the end of the POV should provide key insight into what the future partnership with the vendor will look and feel like.
About Tessian
Tessian is one of the few ICES vendors that offers comprehensive protection for inbound threats like advanced spear phishing attacks, as well as outbound protection, preventing malicious and accidental data loss. Unlike many of our ICES competitors, we don’t treat our customers as test subjects: our algorithm was developed and fine-tuned for 4 years before we went live. Due to this level of product maturity, we boast among the lowest percentages of false positives in our industry. We have among the most attractive UIs, delivering a phenomenal UX. This includes advanced and automated cyber risk reporting, making security and risk leaders’ lives easier. We never make claims that we can’t back up. We deploy in seconds and protect within hours. Both the deployment and management overhead are extremely efficient due to product maturity and the degree of automation inherent in our product. Finally, it’s worthwhile mentioning that we take our customers seriously. Here’s what some of them have to say about using our product:
Integrated Cloud Email Security, Advanced Email Threats
Nation-States – License to Hack?
by Andrew Webb Thursday, March 10th, 2022
Traditionally, security leaders’ view of nation-state attacks has been ‘as long as you’re not someone like BAE Systems or a government, you’re fine’. But in the last three years nation-state attacks have doubled in number to over 200, and we have yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know.
How a nation-state attack differs from a regular cyber attack
Nation-state attacks are typically classified as APTs, or advanced persistent threats, a term first defined in 2005. They are called advanced because the actors have access to exploits and techniques that are more professional, more effective, and more expensive than those of the average criminal actor. Nation-state attackers can field teams that work around the clock, handing off every 8 hours. There is also the question of the duration of an attack. APTs play the long game, and it can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.
What are the aims of a nation-state APT attack?
With the nearly unlimited money and resources of a nation-state behind them, nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:
- Exfiltrate data containing military secrets or intellectual property
- Conduct propaganda or disinformation campaigns
- Compromise sensitive information for further attacks or identity theft
- Sabotage critical organizational infrastructure
Russia blurs this line in that it uses criminal activity in furtherance of political goals, and has done for years. It also has an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place their defensive resources.
Which businesses are most at risk from a nation-state attack?
A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or performing other supporting activities. One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks of organizations such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK government departments and companies. What’s more, it’s believed that they were inside the networks for over three years. Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. Banks, especially national banks, are under continual attack, and in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat of retaliation.
Softer secondary targets   Although traditionally, targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk.
As KC Busch, Tessian’s Head of Security Engineering & Operations, explains: “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target.” This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link.
The phases of an APT attack
APT attacks come in three phases. First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day exploit. Countries can have teams that research and write their own zero-days, but more commonly they buy them from a gray market of third-party companies that aggregate exploits and sell them without much thought about how they are used. This murky world of zero-day exploits and the people who broker them to governments and security agencies was chronicled by former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlroth’s book highlights how, for decades, US government agents paid thousands and later millions of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have the money to purchase them and a need to deploy them, even as they become rarer and more expensive. The second phase is expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it. Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Several APT attacks have also started with a distributed denial-of-service (DDoS) attack that acts as a smokescreen while data amassed over months or years is exfiltrated.
Notable nation-state attacks
The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controllers, so employees thought everything was business as usual. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant and connected it to the internet. The biggest: the 2015 Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.” The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. In 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but any indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that the data will be used for identity theft, or to identify interesting individuals or government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 million to settle the resulting claims and clear up the mess.
What’s the future of nation-state attacks?

The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinping of China in 2015, but none of it has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.

Attack types are likely to evolve, too. One example: wipers. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper will display the message as it’s erasing all your data. They’re a class of malware that has a narrowly targeted use, but if someone decided to let them loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine.
How to protect your organization from nation-state attacks

The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from nation-state attacks.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Integrated Cloud Email Security, Advanced Email Threats
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
by Tessian Friday, February 18th, 2022
Malicious URL link-based attacks are tried and tested methods for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection – also referred to as time-of-click protection – there are significant limitations in the degree of protection this security control provides.

Unlike behavioral cybersecurity solutions like Tessian, which dynamically and in real time scan all of the content in an email, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. With this approach, your protection is only as effective as the rules and policies you have created, combined with the currency of your threat detection engine.

The static approach to malicious URL link detection by SEGs explains why zero-day threats often get through defenses. The lack of machine learning scanning capability also explains why threat actors are able to successfully hide malicious URLs either in attachments or even in plain text. For example, APT 39 successfully leveraged malicious URL links that were hidden or attached in phishing emails to carry out an elaborate espionage and data gathering campaign across multiple jurisdictions. Similar attacks are usually, but not exclusively, motivated by credential harvesting for Account Takeover (ATO) purposes.
How URL link rewriting protection works

SEGs that offer URL link rewriting typically scan and rewrite the URLs contained in any inbound email so that they route through the vendor’s own infrastructure. This means all links in any email received through the gateway are rewritten to pass via the email security vendor’s system.

URL link rewriting detects malicious URL links at the time a user clicks on the link, by analyzing the link against key criteria specified in the security rules and policies, as well as against the vendor’s threat repository of known malicious URLs.

When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned, and also allow selected email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed through moderate to aggressive.

If a URL link is determined to be malicious, based on the rules and policies as well as the reputation of the link, the end user is notified and warned against accessing the malicious URL.
Five shortcomings of URL link rewriting protection

1. URL link rewriting is an overly manual security control prone to human error

URL link rewriting, or time-of-click protection, requires a significant degree of manual security rule and policy orchestration. Because of the post-delivery approach, in which malicious URLs are allowed to be delivered and are only scanned when clicked, the security effectiveness of this static control is significantly compromised without well-configured URL detection rules and policies. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity or failing to include the appropriate user groups.

2. URL link rewriting is ineffective at protecting against zero-day attacks

URL link rewriting offers protection against known threats only, and limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors. Once the threat actor has evaded security controls (i.e. passed through the gateway), they have unfettered access to end users, who are under the impression that the email and the included URL link have been scanned and are safe. Usually the malicious URL threat detection engine is only updated after a successful compromise.

3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge

Threat actors find sophisticated ways to obfuscate malicious URLs. They typically do not include malicious URLs in the email itself but hide them in “safe” URL redirects, or in attachments that are not commonly used or are outside the ambit of the security policy. Upon opening the file or clicking on the URL link, victims are taken to what appears to be a legitimate website, which redirects to a malicious website posing as a trusted service provider.

4. Protection starts and stops at the gateway

URL link rewriting can be bypassed from within the organization via a lateral phishing attack. Malicious URLs sent from trusted sources inside the organization never pass through the gateway and therefore miss its protection.

5. If all you have is a hammer, everything looks like a nail

URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors send a benign-looking URL link to a victim, usually pointing to a legitimate but recently compromised website. There the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
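To make the mechanism described above and shortcomings 2 and 4 concrete, here is a toy model of a rewriting gateway with a time-of-click check. This is an added example written for this page, not Tessian’s or any SEG vendor’s code: the click-gateway host, the “reputation feed” and every domain in it are constructed, and the two static rules it applies are an assumption standing in for a real policy set.

```python
"""Toy model of SEG URL link rewriting with a time-of-click check.

Added example for this page; it is not Tessian's or any SEG vendor's code.
The click-gateway host, the "reputation feed" and every domain below are
constructed for illustration.
"""
import re
import urllib.parse

# Constructed stand-in for the vendor's repository of known malicious URLs.
KNOWN_MALICIOUS_HOSTS = {"login-verify-example.test"}

# Hypothetical click gateway that every rewritten link points at.
CLICK_GATEWAY = "https://click.seg-vendor.example/v1/redirect"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> str:
    """Rewrite every URL in the body so a click is routed through the gateway."""
    def _wrap(match):
        encoded = urllib.parse.quote(match.group(0), safe="")
        return f"{CLICK_GATEWAY}?u={encoded}"
    return URL_RE.sub(_wrap, body)


def gateway_process(body: str, from_external: bool) -> str:
    """Only mail that enters through the gateway is rewritten. Internal-to-internal
    mail (the lateral phishing case in shortcoming 4) never traverses it."""
    return rewrite_links(body) if from_external else body


def unwrap(rewritten_url: str) -> str:
    """Recover the original destination from a rewritten URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(rewritten_url).query)
    return query["u"][0]


def time_of_click_verdict(rewritten_url: str, intensity: str = "moderate") -> str:
    """Static, rule-based verdict evaluated only when the user clicks.

    Returns "block" if the destination host is in the known-bad repository or,
    under the "aggressive" policy, if the host is a bare IPv4 address; otherwise
    "allow". The rules are constructed to show how coverage depends on policy.
    """
    host = urllib.parse.urlparse(unwrap(rewritten_url)).hostname or ""
    if host in KNOWN_MALICIOUS_HOSTS:
        return "block"
    if intensity == "aggressive" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "block"
    return "allow"


def demo() -> dict:
    """Three constructed scenarios; returns the outcome of each."""
    known_bad = gateway_process(
        "Please confirm at https://login-verify-example.test/auth", from_external=True)
    # A domain registered minutes ago is in no reputation feed yet (shortcoming 2).
    fresh = gateway_process(
        "Updated invoice: https://acme-billing-portal-2022.example/doc", from_external=True)
    # The same link sent from a compromised internal mailbox is never rewritten,
    # so there is nothing for the time-of-click check to inspect (shortcoming 4).
    lateral_body = "See https://acme-billing-portal-2022.example/doc"
    lateral = gateway_process(lateral_body, from_external=False)

    return {
        "known_bad": time_of_click_verdict(URL_RE.search(known_bad).group(0)),
        "fresh_domain": time_of_click_verdict(URL_RE.search(fresh).group(0), "aggressive"),
        "lateral": "never_rewritten" if lateral == lateral_body else "rewritten",
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>12}: {outcome}")
```

Running the demo shows the known-bad host blocked, the freshly registered domain allowed even under the most aggressive policy, and the internally sent copy never touched by the gateway at all. Note also that after rewriting, the only hostname a recipient sees when hovering over the link is the vendor’s click gateway, which is what creates the impression that the link “has been scanned and is safe”.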
The need for intelligent email security

Email-based attacks remain the overwhelming favorite attack vector. The forever evolving and advancing nature of email-based threats has placed the effectiveness of legacy email security controls into sharp focus.

With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape where threat actors are continuously honing their capabilities at circumventing rule-based security controls. Only by leveraging email security solutions that have machine learning and contextually aware scanning capability can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.
Integrated Cloud Email Security, Engineering Blog, Advanced Email Threats, Life at Tessian
Why Confidence Matters: How We Improved Defender’s Confidence Scores to Fight Phishing Attacks
Tuesday, January 4th, 2022
‘Why Confidence Matters’ is a weekly three-part series. In this first article, we’ll explore why a reliable confidence score is important for our users. In part two, we’ll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we’ll go over the pipeline we used to test different approaches and the resulting impact in production.

Part One: Why Confidence Matters

Across many applications of machine learning (ML), being able to quantify the uncertainty associated with a model’s prediction is almost as important as the prediction itself.

Take, for example, chatbots designed to resolve customer support queries. A bot which provides an answer when it is very uncertain about it will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn’t understand a question, and ask for clarification is much less likely to generate nonsense messages and cause frustration amongst its users.
The importance of quantifying uncertainty

Almost no ML model gets every prediction right every time – there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mislabelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.

Hence, ML models that make critical decisions need to predict two key pieces of information:

1. the best answer to provide a user
2. a confidence score to quantify uncertainty about the answer.

Quantifying the uncertainty associated with a prediction can help us to decide whether, and which, actions should be taken.
How does Tessian Defender work?

Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage, Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover).

Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that is identified as potentially malicious by any of the models:

- A confidence score, which is related to the probability that the flagged email is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into 4 categories of Priority (from Low to Very High). This score is important for various reasons, which we expand on in the next section.
- An explanation of why Defender flagged the email. This is an integral part of Tessian’s approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in-the-moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge which probably deserves its own content, so we won’t focus on it in this particular series. Watch this space!
Why Confidence Scores Matter

Beyond Defender’s capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were:

Email quarantine

Based on the score, Defender first aims to quarantine the highest priority emails to prevent malicious emails from ever reaching employees’ mailboxes. This not only reduces the company’s risk exposure from an employee still potentially interacting with a malicious email; it also removes the burden and responsibility from the user to make a decision, and reduces interruption to their work.

Therefore, for malicious emails that we’re most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:

- Identify malicious emails with very high precision (i.e. very few false positives). We understand our customers’ reliance on email to conduct their business, and so we needed to make sure that any important communications still come through to their inboxes unimpeded. This was very important so that Tessian Defender can secure the human layer without security getting in our users’ way.
- Identify a large enough subset of high confidence emails to quarantine. It would be easy to achieve a very high precision by quarantining very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. In order to be a useful tool, Defender would need to quarantine a sizable volume of malicious emails.

Both these objectives directly depend on the quality of the confidence score. A good score would allow for a large proportion of flags to be quarantined with high precision.
Prioritizing phishy emails

In today’s threat landscape, suspicious emails come into inboxes in large volumes, with varying levels of importance. That means it’s critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones they need to act upon. A good score provides a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin’s limited time is focused on mitigating the most likely threats, while having the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements.

The bottom line: being able to prioritize emails makes Defender a much more intelligent tool that is effective at improving workflows and saving our customers time, by drawing their attention to where it is most needed.
Removing false positives

We want to make sure that all the warnings Tessian Defender shows employees are relevant and help prevent real attacks.

False positives occur when Defender warns on a safe email. If this happens too often, warnings could become a distraction, which could have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate could mean that warnings lose their effectiveness altogether, as users may ignore them completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender.

Similarly to quarantine, a good confidence score can be used to filter out false positives without impacting the number of malicious emails detected. For example, emails with a confidence score below a given threshold could be removed to avoid showing employees unnecessary warnings.
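The three uses of the score above (quarantine, priority ranking, false-positive suppression) are all threshold decisions on the same number, and the precision/recall trade-off the quarantine section describes is easiest to see on a small labelled set. The following is an added example for this page, not Defender’s code: the flagged emails, their ground-truth labels, the priority band cut-offs and the precision target are all constructed.

```python
"""Added example: how a confidence score drives quarantine, priority ranking
and false-positive suppression. Not Tessian Defender's code; the flagged
emails, their labels and every threshold below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlaggedEmail:
    subject: str
    score: float        # model confidence in [0, 1]; 1 = most certainly phishing
    is_malicious: bool  # ground truth, e.g. from user feedback on the warning banner


# Constructed sample of emails a detector flagged, with their true labels.
SAMPLE: List[FlaggedEmail] = [
    FlaggedEmail("Your mailbox quota is full", 0.99, True),
    FlaggedEmail("Invoice 4471 overdue", 0.97, True),
    FlaggedEmail("Shared document awaiting signature", 0.94, True),
    FlaggedEmail("Payroll update required", 0.91, True),
    FlaggedEmail("Vendor portal maintenance window", 0.88, False),
    FlaggedEmail("Re: wire details for Friday", 0.85, True),
    FlaggedEmail("Package delivery exception", 0.80, True),
    FlaggedEmail("Quarterly partner newsletter", 0.72, False),
    FlaggedEmail("Conference registration link", 0.65, True),
    FlaggedEmail("Lunch menu for next week", 0.55, False),
    FlaggedEmail("Team offsite photos", 0.40, False),
    FlaggedEmail("Minutes from Monday's meeting", 0.30, False),
]

# Constructed priority bands; the page says there are four, Low to Very High,
# but the cut-off values here are an assumption.
PRIORITY_BANDS: List[Tuple[float, str]] = [
    (0.9, "Very High"), (0.7, "High"), (0.4, "Medium"), (0.0, "Low")]


def priority(score: float) -> str:
    """Map a raw score to the admin-facing priority band."""
    for floor, label in PRIORITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def precision_recall_at(threshold: float, emails: List[FlaggedEmail]) -> Tuple[float, float]:
    """Precision and recall if every email scoring >= threshold were acted on."""
    acted = [e for e in emails if e.score >= threshold]
    tp = sum(e.is_malicious for e in acted)
    fp = len(acted) - tp
    total_malicious = sum(e.is_malicious for e in emails)
    precision = tp / (tp + fp) if acted else 1.0
    recall = tp / total_malicious if total_malicious else 0.0
    return precision, recall


def choose_quarantine_threshold(emails: List[FlaggedEmail],
                                target_precision: float) -> Optional[float]:
    """Lowest threshold whose precision still meets the target.

    Recall can only fall as the threshold rises, so the lowest qualifying
    threshold quarantines the most threats while keeping false quarantines
    within the precision budget. Returns None if no threshold qualifies."""
    for t in sorted({e.score for e in emails}):
        if precision_recall_at(t, emails)[0] >= target_precision:
            return t
    return None


def suppress_below(emails: List[FlaggedEmail], floor: float) -> List[FlaggedEmail]:
    """Drop low-confidence flags so users are not shown unnecessary warnings."""
    return [e for e in emails if e.score >= floor]


def band_counts(emails: List[FlaggedEmail]) -> Dict[str, int]:
    """How many flags land in each priority band (the admin's triage view)."""
    counts: Dict[str, int] = {}
    for e in emails:
        counts[priority(e.score)] = counts.get(priority(e.score), 0) + 1
    return counts


if __name__ == "__main__":
    t = choose_quarantine_threshold(SAMPLE, target_precision=0.99)
    p, r = precision_recall_at(t, SAMPLE)
    print(f"quarantine at score >= {t}: precision {p:.2f}, recall {r:.2f}")
    print("priority bands:", band_counts(SAMPLE))
    kept = suppress_below(SAMPLE, floor=0.4)
    print(f"suppressing below 0.4 keeps {len(kept)} of {len(SAMPLE)} flags")
```

On this sample a 0.99 precision target forces the quarantine cut-off up to 0.91, which catches only four of the seven real threats; relaxing the target to 0.85 lowers the cut-off to 0.80 and catches six, at the cost of one safe email quarantined. That is exactly the tension the quarantine section describes, and it is the score’s ranking quality, not the threshold choice, that decides how far the cut-off can drop before precision collapses. The suppression step shows the other direction: dropping everything below 0.4 removes one flag and no real threats.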
What’s next?

Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was look at how we could measure any improvements to the score. You can find a link to part two in the series below. (Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
A Year in Review: 2021 Product Updates
by Harry Wetherald Thursday, December 16th, 2021
Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email…

At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.

We built the world’s first Intelligent Data Loss Prevention Engine

We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.

But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies play an important role in an organization’s data security strategy.

With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:

- Architect was built together with leading security teams – it’s intuitive, quick to learn and comes with a library of prebuilt policies
- Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases
- Architect is designed to educate users about data security practices in-the-moment and guide people towards better behavior

Want to learn more about Tessian Architect? Read more about it here.
We now protect customers from compromised external counterparties

This year, we saw a record number of bad actors compromising the email accounts of trusted external senders (suppliers, customers, and other third parties) to breach a target company. These attacks are called external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).

Because these malicious emails don’t just appear to have come from a trusted vendor or supplier’s legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.

Tessian Defender now automatically detects and stops external Account Takeover attacks.

By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.

When this happens, Defender can either block these attacks, or show educational alerts to end users, helping them identify and self-triage attacks.

Learn more about External Account Takeover protection here.
We now stop more threats, with better accuracy, with less admin overhead

In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.

But we know that sometimes it’s better to automatically block phishing emails.

Tessian Defender now automatically blocks attacks before they reach a user’s mailbox. This gives security teams an additional layer of email security, preventing end users from receiving emails that are highly likely to be phishing attacks.

Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end users and protecting them.

Finally, this year Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to reduce false positives significantly, providing a better experience to end users and security teams.
We now stop employees from accidentally sending the wrong attachment

Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contains an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.

- 42% of documents sent in error contained company research and data
- 39% contained security information like passwords and passcodes
- 38% contained financial information and client information
- 36% of mistakenly attached documents contained employee data

Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.

The upgrade uses historical learning, deep content inspection, natural language processing (NLP), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies, in order to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.

Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.

Learn more about misattached file protection here.
We can now quantify and measure human layer risk

Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.

How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.

This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.

Learn more about the Human Layer Risk Hub here.
We now integrate with KnowBe4, Sumo Logic, Okta, and more…

Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers.

With Sumo Logic + Tessian, security and risk teams can understand their risk through out-of-the-box monitoring and analytics capabilities.
With Okta + Tessian, security and risk management teams get granular visibility into their organization’s riskiest and most at-risk employees. That in turn lets them deploy policies that help protect particular groups of users from threats like advanced spear phishing and account compromise, and prevent accidental data leaks.
And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.
Want to help us solve more challenges across use cases? Come build with us.