Who's In Your Cloud?
Episode 9: Email & Phishing Protection

Jan 11, 2022 | CYBERSECURITY, Who's In Your Cloud?

Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose, and this is Episode Nine: Email and Phishing Protection.

In last week’s episode, we examined Zero Trust and how it has become a model for a more effective security strategy. With the help of our cyber expert cast from ConnectWise, JumpCloud, LastPass, TBI and ThreatLocker, we discussed why you should “never trust, always verify.” To learn why security experts say it might be the best way to stop data breaches, check out episode eight on Zero Trust. 

In today’s episode, we take a look at number nine on our #topcyber21 cybersecurity best practices: Email and Phishing Protection, as we focus on the many aspects of this critical risk vector, prevention tools, and best practices to further protect from devastating compromises like ransomware. We’re thankful to our cyber expert cast joining us today from Inky, IronScales, Red Sift, and TBI in helping us educate our clients and prospects on the road to #secure, reliable, trusted technology!

Don’t forget we’ll be releasing a new episode every Tuesday, starting 10/20/21 through late spring of 2022, with brief time off for holidays with family and friends. We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode.  We hope you’ll find this an immersive, hopefully simple, educational, and enjoyable experience. So how do you tune in?

To easily follow the journey ahead, we’ve diversified your access options to all (23) of our coming episodes. You can follow along here on our blog or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered directly to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!

 

Lauren Lev
Welcome back to “Who’s In Your Cloud?” 21 steps to Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose and the host of our blog series. We’re starting off 2022 strong. Back now for our second episode of the new year, and we have an exciting topic for you today, as we’ll be discussing Email and Phishing Protection. Before we meet our cast of cyber experts today, I wanted to remind our viewers that you can catch up on episodes one through eight of the series on LinkedIn, Facebook, YouTube, or Spotify. And if you’d like us to send episodes straight to your inbox, sign up for our blog at TechOnPurpose.net/blog. Last week, we launched our first episode of 2022 focusing on zero trust and discussed how this top cyber 21 best practice number eight delivers enhanced protection for critical credentials, systems, and data by adopting a cyber posture of “trust but verify.” On deck today is top cyber 21 practice number nine, Email and Phishing Protection. And we’ll take a closer look at the many aspects of this critical risk vector, prevention tools, and best practices to further protect from devastating compromises like ransomware. Well, we couldn’t do any of this without our super cast of cyber experts. So, let’s start off by meeting everyone. Okay, I feel like this first cast member needs very little introduction, but we have TBI Security Architect, Jim Bowers, back once again. Jim actually joined us for our episode last week, so thank you for helping us kick off the new year, Jim.

Jim Bowers  
You are more than welcome and I couldn’t be at a better place starting off the new year. So, thank you for having me back, it’s awesome.

Lauren Lev   
Thanks, Jim. We always love having you. Okay, next up, we have another familiar face joining us, Stephen Kowski from IronScales. Stephen, great to have you back. You were here, it seems like a lifetime ago, in episode number one on security awareness training. So, it’s only fitting that you’re back now, since these episodes go hand-in-hand, and it’s almost like I planned that out. I don’t know.

Stephen Kowski  
Yeah, I really, really appreciate it. It’s an honor to be here with this distinguished panel. Thank you very much for having myself and IronScales on this, in today’s session.

Lauren Lev
Absolutely. Okay, so our next two cast members are actually new to the blog. So, we have Brian Westnedge from Red Sift and Dave Baggett from Inky. We are excited to have both of you joining us. Hopefully you have enough fun that you’ll come back for more, and if you have any doubts, ask Jim.

Brian Westnedge  
Thanks Lauren, great to be here. Hope to get asked back as well.

Lauren Lev   
Of course.

Dave Baggett  
Likewise. Great to be here.

Lauren Lev   
Well, thank you guys all for being here. And last but never least, we have TechOnPurpose Founder and CEO, Matt Tankersley himself.

Matt Tankersley  
Hey, everyone. Happy New Year.

Lauren Lev   
Alright, guys, let’s get into it. Matt, I like to think at this point, most people have some sort of idea about email and Phishing Protection. At least that’s what we all hope. But what will we be covering today that our audience may not be as familiar with?

Matt Tankersley
Well, thanks, Lauren. And again, I’d like to thank our cast and our listeners who are sharing this “Who’s In Your Cloud?” journey with us, 21 steps to Secure, Reliable, Trusted Technology. So, you know, we’d like to believe everybody’s heard of this stuff before. But I don’t think- I think that’s probably a bad assumption. So let’s set the stage right and realize one of those common delivery systems for ransomware is spam, phishing, email, right? It’s an email that’s masquerading as a trusted person or a company and it’s prompting you to open an attachment or click on a link. And that’s when bad things happen, like ransomware. Right? So, if you’re following along, you know, we discussed this in top cyber 21 best security practice number one, security awareness training. Welcome back, Stephen, to this episode as well. We learned very early on in our series that the foundation of 95% of compromises has been the result of end user things, like clicking links and opening attachments in emails, you know, sort of warrants that to be where it is. So do we simply trust that our staff are trained and would never do this? Not in your life. So here’s a few alarming facts and trends from a recent FBI Internet Crime Report to consider, as we get started in the conversation today. In just one month from January to February in 2020, phishing spiked 510%. And there was a 69% increase in complaints to the FBI from 2019 to 2021, with losses exceeding $4.1 billion, with a B, right? In 2020 alone, we saw 6.95 million new phishing and scam pages created. The record for the highest number of new phishing scam sites in one month was 206,310. That’s one month of new sites. 74% of US organizations have experienced a successful phishing attack, 30% higher than the global average by the way. I don’t know what’s going on in the US. Maybe we trust a little more, I don’t know. And 96% of phishing attacks obviously occur through email. So this is serious. It’s devastating life and company changing stuff. I think it’s time we heard from the real cyber experts who joined us today. Lauren, let’s get our cyber cast introduced to our audience and get things underway.

Lauren Lev   
Perfect. Awesome intro, Matt. Appreciate it. So, right now we’ll go around the horn here and have each of you introduce yourself and tell us more about your background, your company. And then in round one, we will talk about the issue. So, what is it, why is it important, why should we pay attention? Then in round two, we’ll want to make sure that our audience knows your company’s approach to combating this problem. So Jim, as our VIP cast member, you’re always up first. I know you need no further instruction. So, kick us off.

Jim Bowers
Awesome. Thank you, Lauren. And again, thank you, Matt. And thank you to David and Brian and Stephen for being here, guys. So, I’m Jim Bowers, Security Architect at TBI. TBI is the technology distribution organization where we enable our 2,000-plus partners with multiple vendors to take an agnostic approach to their clients. I’m part of the architectural team that is a resource for our partners, to enable them to start selling these security solutions. Which is why Matt came up with the top 21, right, it’s critical in today’s business, as well as building out our security vendor portfolio, and working with such great partners as TechOnPurpose. But, really glad to be here. This is honestly one of my favorite blogs, video blogs. Great experience, so thank you for having me back.

Lauren Lev   
Oh, I’ll send you that $100 I owe you for saying that. 

Jim Bowers
It was 200. It was 200. 

Lauren Lev   
Okay. Okay. All right. So Stephen, unfortunately, you drew the short straw and have to go after Jim, but take it away.

Stephen Kowski
Hard to live up to all that, but I’ll try. Yeah, so Steve Kowski, Global Director of Sales Engineering for IronScales. We emerged, started and founded in 2014, exited out of a number of IDF, Israel Defense Forces, members who wanted to kind of pivot the technology and the learnings from fighting bad actors, you know, and terrorists in the real world, right, to a more commercial space and use those lessons learned. We started out as a phishing simulation training tool and have now evolved over time to be a more comprehensive messaging security solution.

Lauren Lev   
I actually did not know that about IronScales’ beginning, so that’s interesting. Okay, perfect. Thank you. Next, we will have Dave. Dave, tell us more about yourself and about Inky.

Dave Baggett
I am Dave Baggett, I’m the founder and CEO of Inky. My background is in software development. I actually worked on the video game Crash Bandicoot, if you’ve ever heard of that, the Mario for the Sony PlayStation, and then after that I co-founded a company called ITA Software, which you probably wouldn’t have heard of, but Google acquired it. And now it’s Google Flights. So, if you’ve used Google Flights, you’ve used some of my work there. If you’ve played Crash, you used some of my work there. And since around 2015-2016, I’ve been running Inky and we’ve been focusing on this phishing issue. We primarily work on blocking phishing, you know, more of a proactive use of AI to block phishing as opposed to training. But we do actually give users guidance on email they receive. So rather than sending simulated phishing, we provide guidance on the real email they received.

Lauren Lev   
Thanks, Dave, you have a very eclectic background. I like it.

Dave Baggett  
People often ask how do you go from games, to travel, to cyber. There’s actually a lot of interesting overlap between those areas, but that’s a long tangent. We would need another blog to go through that. 

Matt Tankersley   
Justin, who is our Director of Shares and Support who hasn’t been on one of our episodes, he’s behind the scenes making all this stuff work with all of our partners that you got. He and Lauren have a very close relationship. And Lauren, you’ll have to let Justin know that you’ve met the founder of Crash Bandicoot. He played it quite a bit when he was a kid.

Lauren Lev   
Okay, perfect. Okay, Brian, you’re gonna round us out here on these intros, tell us more about yourself and Red Sift.

Brian Westnedge  
Yeah, thanks, Lauren. And I look after our partnerships with service providers like TechOnPurpose, and have been in the email security space for about the last 15 years. DMARC specifically, which is a protocol I’ll be talking about around email authentication for about the last 10 years. And Red Sift is a global company. We’re headquartered in the UK. We have offices in Spain, Australia, and in the US. Our founders were not from gaming, like Dave, but they helped develop the app Shazam, which of course identifies songs and music, and then they got into the security space as well. But we have three email security products, one of which on DMARC, I’ll focus on today. So thanks for having me.

Matt Tankersley   
And David, if we get one of those meteors coming to earth and we have to load up the spaceship with people, everybody on this message is going on with us because I think we’d be busy and entertained.

Jim Bowers  
Talking about Shazam, I brought down East Carolina’s computer lab, downloading the Shazam. Very familiar with it. 

Lauren Lev   
Alright, well with that, Jim, we’ll have you start us off on our first round table hot topic. So why is email phishing and protection important? And why should we care? 

Jim Bowers
Like Matt said, I’m definitely gonna start off with a couple of statistics, right? 96% of phishing attacks emerged from email. 20% of data breaches started with compromised user credentials. 82% of users within an organization admit they use passwords across multiple accounts. And let’s think about what we’ve gone through with the pandemic. Phishing, right? Trying to trick you. Threat actors love chaos. What have we been going through? They’ve had a lot of content to make very relevant phishing and spear phishing opportunities. We also dealt with that influx of remote workers by organizations that didn’t have laptops, so they allowed users to use their own devices (BYOD devices). As well as, we all got smartphones, which have Gmail on them, in other areas, right? And then the bigger piece is, why is it so important? Because we’re the weakest link? Right? We’re the ones that are gonna use I- you know, I talk to Matt on a weekly basis. I think, Matt, Matt, it’s a really funny cat video, but don’t click on it. So, with the pandemic, with the influx of remote workers, with the environment we’re dealing with, phishing is still the number one attack vector. I mean, email is still the number one attack vector for phishing distribution; that started to change with social media, as well as texting since we’ve got cell phones. But it’s still very critical we try and protect. Probably one of the most frequently used applications within an organization for employees is email. So, what better platform to distribute ransomware and malware for a threat actor. And so, it’s extremely important. It’s a critical piece in an attack vector and a gateway into an organization that is exploited numerously and multiple- Probably about 30, 40, 50% of the breaches. You see, I went 30, 40, 50? I covered my areas there. But so, yes, very critical. Email is not going to change, the environment we’re changing in, it’s a rich environment for these threat actors. And that’s why we’re starting to see this continue to be one of the top attack vectors.

Lauren Lev   
Okay, so Brian, can you add on to Jim’s thoughts and touch on how we can motivate the audience to be even more proactive about email protection?

Brian Westnedge
Absolutely. So I would say, you know, from a general perspective, you know, email has been around forever, right? It’s been around, I think the original RFC for SMTP email is like from the late 80s. And email was originally a one-to-one communication medium between, you know, the government, government employees, and people in educational institutions. And it wasn’t really, you know, conceived of what it would be like today, where it’s mass broadcast, you know, many-to-many communication. And we’re kind of bolting on email security, you know, after the horses left the barn, if you will. You know, Jim talks about email, it’s still the number one threat vector. It’s not the sexiest topic in cybersecurity. I don’t think, you know, we’re not a social media, you know, application, we’re not, you know, we’re not Slack or Teams, but email is the workhorse of modern business still, much to the chagrin of our high schoolers who enter the workforce and find out that email, they actually have to use it. But we’re bolting on security after the fact, I think. There’s no one ultimate solution to solving spoofing and phishing. And if any vendor ever tells you there is, I would be highly skeptical of those claims. You know, the reason that, you know, Jim works with companies like Inky and IronScales and Red Sift is because we’re filling gaps that aren’t addressed by Google Workspace and Office 365 and commercial email gateways. You kind of need a layered approach to solve for different use cases that we’ll be talking about today. And again, you know, you can’t just buy, you know, Google Workspace and Office 365 and expect that attacks are not going to make their way to the inbox because, you know, we’re all human. We’re doing an okay job of protecting our infrastructures. So, the easiest way to get access into an organization is through people these days, rather than infrastructure. And the way you get access to people is through phishing and spoofing, you know, through all the tactics we’ll talk about today. So, I think we’re gonna see ransomware and business email compromise and wire transfer fraud and spoofing and phishing, I think it’ll still dominate the headlines for the foreseeable future. But the thing we’ll talk about today is, there’s a way to protect yourselves, and the panelists will talk about it. You know, it’s not a losing proposition. There’s ways that you can be proactive about not being in the news and not being the next, you know, data breach that you see.

Lauren Lev   
Yeah, we’ve said it on the series before, your cybersecurity is only as strong as your weakest link. So absolutely correct. All right. Thank you so much. Let’s turn it over to Dave. And then Stephen, we’re coming to you next to close us out.

Dave Baggett
Yeah, I mean, I wanted to add a few things to that. I thought all that was really, really, really key and right on point. One of the things I tell people is, you know, the remote work shift is huge for the phishers because, as we pointed out earlier, phishing is often dependent on impersonation. The attacker needs the victim to believe he’s a brand or a person the victim knows and trusts, right? So, you know, in a workplace where you can walk down the hall and ask your colleague, Hey, did you just send me a wire request? It’s a lot easier than if you’re all sitting at home, with your kids yelling and your dog barking in the background, distracted. So, the phishers have exploited this. And so, it’s really important that we try to find ways to verify the identity of email senders. Some can be totally manual, like use Slack, go on Slack and ask somebody, was that really you? Something outside of email to verify their identity. And that’s irrespective of what kind of mail protection stack you use. The other thing I would point out is that we talk a lot about clicking on links. And that’s certainly a way that bad things happen, but we’re also seeing a lot more kind of second order effects here, where there might not be a link in the mail, but it might be hosted on Google Drive on the web, right? So, it’s not in the mail itself. It’s not detected by a typical O365 or Google Workspace detection that just looks for links in the mail. We also see now lots of emails where there is no link, but the person’s asking the victim to do something like, Hey, go buy gift cards for me, we’re doing a giveaway, right? Or pay this invoice. And people often think, well, my workforce is sophisticated, they’re not going to fall for this. You know who fell for the biggest publicized fake invoice payment? Google and Facebook, between the two of them, paid $100 million to a Latvian guy who set up a fake quantum computing company. So don’t think you’re too smart to get fooled by the fake invoice thing. You know, and then the third thing I’ll mention is, everyone talks about humans as the weakest link. And I think that’s true to some extent. But it’s a little unfair. And the way I like to think about this is, we want to believe there’s some magical AI that will just solve this problem. And I think Brian pointed out something I tell everyone also, which is if anyone tells you their AI is going to do it perfectly, don’t believe anything they’re saying. They’re either lying or just clueless. So, what we try to do is we try to think of it almost like self-driving cars. The holy grail is you have this AI that will just drive the car for you and you can just go to sleep. We’re not there yet, and the risk of the AI not being perfect is you die, right? So, this is a very severe failure mode for AI. But that doesn’t make the AI useless. It means that we can still use AI to help us, right? Like it can keep us in the lane while we’re still paying attention. It can follow the car in front of us during traffic. That’s kind of the way we think about AI at Inky. At Inky we use AI, yes, to identify obviously malicious stuff that gets through O365 and Google Workspace, and we block that stuff before the user sees it. But then there’s that middle category of, hey, you know, this doesn’t really look like that person who’s claiming to be your vendor because they wouldn’t normally write that. It might not be them. We can’t prove it. So, we’re not just going to send that to quarantine. Instead, we’re going to deliver it and give the user an extra bit of guidance like, hey, this might be an account takeover. We’re not saying it’s definitely bad, but think twice before you do anything with this mail. And what we find is, using the AI that way as an affordance to the human makes the human much more capable of evaluating the risk of the mail.

Lauren Lev 
Absolutely. That’s a very good point. Stephen, will you finish us out on this first topic?

Stephen Kowski
Right? You know, the reason why this is such an important topic, right? We’ll go through just a couple of statistics, right. The median impact of this is somewhere around $260,000. The top 10% is around about $10 million. Right? It’s those 1% of phishing attacks that are causing 99% of the problems for companies. And what we’re seeing in that market, and what we’re seeing change, even this year, is social engineering. Right? That is the big change that we’ve seen, we’ve seen it rise, if you’ve listened to, I think, or read the Verizon DBIR, you’ve seen that rise from 22% to 35%. But what you’ve also found is a really interesting statistic is, what’s the cause of the breach, and the endpoint, right, that you’re using, or someone’s using, right, has fallen below the person, right? Meaning more likely that the breach was caused by the human being sitting in the chair than the thing they’re using? Right? So, the breaches are far less technological in nature, and far more fraud based and financial based. That’s what we have to kind of recognize, that that user is the new endpoint. That’s who we have to engage with. And right, it’s, and I agree with what’s been said, right, our AI and ML and our automated email threat mitigation, it will do quite a great job. However, no one’s going to represent that it’s 100% bulletproof. It’s how do you do that, as well as engage the users and make them participants in the email threat response process? A combination of real-time alerting, a combination of outside the box training, right? And also, what happens when they report? Right? Well, we’ve now created a new problem for the SOC teams, right? And managing all that extra noise is a job unto itself. So making that simple, making it approachable, making it easy, is critical to good kind of security practice when dealing with the problem of email phishing. So, you know, I think the biggest statistic I didn’t kind of raise, and one that we’re always interested in, is specific to each individual company: most folks really have no clue as to, is this a big problem in my environment or not? It’s the unknown-unknown. There’s not enough resources to go scanning and wandering around and asking, you know, have you been phished lately? Right? And there needs to be some other kind of way to do that measurement. I can give you all kinds of industry statistics, but what really matters is your particular company. How effective are your existing tools? If you have stuff in the environment now, how good are they doing? Or bad are they doing at keeping these things out of the mailbox? And then also, how are your users kind of increasing or decreasing as far as their sophistication over time? Like, these are the kind of critical things that we see, it’s why we need to be thinking about it. These folks are going to get exploited if we don’t put that knowledge in their hands. They’re getting hyper personalized with these mails. So they’re specific to who you know, what you say, how you speak, right? With things like OpenAI’s GPT-3 and AI enabled kind of email phishing, it’s very cheap and easy to send these mails now. It’s very, very simple. So it’s critical that we- I think Jim alluded to it, phishing is still the number one ingress point of all security breaches, still 2021-2020. I imagine 2022 would likely, unfortunately, be no different. But I’m waiting on that data. It’s a little early here in January. But I think that that’s the number one thing, really put that deadbolt on the front door, make sure that the number one place you’re sinking in good resources, and also you get the data. And I imagine all these vendors on this panel probably can’t help but get the data on your particular environment and understand what the threat means to you specifically. Is it a big problem? Is it a small problem? It really is going to be specific to your company.

Lauren Lev   
I’m going to challenge your statement about 2022 being no different than the last two years, because people are going to watch this episode, and they’re going to empower themselves and they’re going to take action and be motivated. So, come at me in December of 2022 and we’ll check the stats.

Stephen Kowski  
Alright, let’s do it. I will take that challenge.

Lauren Lev   
Okay, Matt, I’ll hand the reins back over to you. And we’ll have you introduce our second round table topic.

Matt Tankersley
Yeah, absolutely. You know, and guys, thank you, fabulous introductions, you were spot on. So for those of us who spend a lot of time thinking and planning and protecting clients with a- in our very intentional diversity of portfolio offerings. There’s a reason why we have three partners on each of these calls. And there’s a reason why we have 21 steps to secure, reliable, trusted technology: as we said over and over and over again, not to be redundant, especially for our listeners, there’s no silver bullet, right? And what’s interesting is, everybody on this call plays a particular role in solving this problem. So, I’m really excited about getting into round two now and letting you each speak about your company, your approach to solving the problem that we all just discussed. And Lauren, I’d say take it away. And I’m guessing you want to- you probably want to finish with Jim this time. So where are you going to start?

Lauren Lev   
Right, exactly, exactly. Okay, so I’m going to actually start with Dave. Start us off. So tell us about Inky’s approach to keeping users and data secure from the risks of email phishing and protection.

Dave Baggett
You know, we talk about users, and often we say they’re the weakest link, which implies that they’re to blame. And that creates sort of a hostile relationship between security and the users. And we’re really trying to change that. And the way we’re trying to change that is, the users need help. Right? Just like, if you’re sleepy driving your car, it’s good to have help, that the car will keep you in the lane and wake you up if you’re falling asleep in the car, right? You don’t want to blame the victim, you want to actually help them. And so, what we’ve done is we’ve built AI that will identify signs of impersonation of people, signs of forgery of brands, and we use that to block more stuff before it gets to end users. But critically, we also use it to provide what we call an email assistant to the user. So now, instead of just getting the email, and maybe it says it’s external, which doesn’t really tell the user much, now imagine the user, in a minority of mails, 10% of mails, gets some additional information at the top of the mail that says one of maybe 100 different things. And it could be, hey, you know, this doesn’t look like the typical mail from Sally, we don’t really think this is Sally. We’re not gonna send it to quarantine because we can’t prove that, but we want you to know, we don’t think this is Sally, right? So, this may be a risky mail, we can’t prove it, so we didn’t move it to quarantine. The other case would be, this looks like a completely legitimate mail, but it’s very sensitive. It’s about wiring money, it’s about changing your password. Don’t do that without confirming outside of email. And by the way, if you’re unclear on the company policy on wires, here’s the link to your company’s policy. And we give admins the ability to put that right in the mail. And then finally, what we do to help users is reporting, which is a huge issue. You know, the admins want the users to report phish. But then the users do that and they produce huge amounts of reports. Also, the users are like, I know I’m supposed to report, but how do I do that on mobile? Because my button that’s supposed to be in my toolbar isn’t there. So what we do at Inky is we just put a link in the mail that lets the user report by clicking that link. And then when they report, we ask them, hey, user, what do you think this is? Do you think it’s phishing? Do you think it’s safe, and we got it wrong? Or do you think it’s spam? And if they say it’s spam, then we ask them, do you just want to block this without dealing with the SOC? And then it doesn’t go to the SOC, right? The SOC doesn’t see this stuff. That’s just the user saying, I don’t want this newsletter. So it keeps the SOC from getting inundated with stuff that’s not really security related. So what we’re trying to do is use AI, yes, but not just as a silver bullet to block everything, but to give the user more visibility into things that he or she wouldn’t normally be able to see. And help the user almost have, you know, almost like a superpower to evaluate the mail with greater clarity in those cases where we think it’s important to call it out.

Lauren Lev 
You brought up a lot of really good points, Dave, that I wouldn’t have even thought of. So thank you very much. Brian, we’ll have you up next, tell us about Red Sift’s approach and solution. 

Brian Westnedge  
Yeah, I think Steve touched on this a little bit. It’s really hard for a human being to look at an email these days, and determine whether or not it’s malicious and especially if it doesn’t have malicious links or content or attachments. Maybe it just says, “Hey Lauren, this is Matt. I’m on the road today. You need to make this wire. You can’t get a hold of Justin or me, don’t bother, you know, but do this right away.” You know, we’re all wired as humans to want to, you know, please others, especially those within our organization, especially, also executives. So just like we use LinkedIn for perfectly legitimate business reasons, malicious actors use LinkedIn to try to figure out connections within organizations. You know, the most damaging attacks these days don’t have, you know, grammar mistakes, you know, they’re well crafted, they’re researched. And again, if there’s no malicious content, it’s really hard for a human to try to figure out, doesn’t set off alarm bells necessarily. And if you look at a malicious message and a legitimate message side by side, they may not look very different. So definitely people should still invest in security awareness training and phishing simulations. But one of the tactics we take at Red Sift with DMARC, is it’s a way for you to authenticate your own mail in your own domain, and block any unauthorized use of your domain. So some folks are familiar with authentication and other contexts, like yeah, they’re used to authenticating their websites and their endpoints and their devices and users. But they haven’t really thought about email, because it’s taken for granted. Maybe the IT team looks after Google Workspace with, you know, TOP, maybe marketing uses Mailchimp or SendGrid. There’s no like email governance function within the organization that looks after email and all the other cloud services we’re using, like, you know, Freshdesk, and ServiceNow, and Salesforce and Marketo. 
All these other cloud services, it sends email as the organization, essentially what DMARC does, it allows you to inventory all of your legitimate assets, then you decide, you know, which ones you want to authorize, you know, maybe there’s shadow IT that you don’t want to authorize. And essentially, you authenticate all the good stuff and then you block all the bad stuff that claim to be from your own domain, but don’t authenticate properly. So DMARC is actually interesting in that it doesn’t make a determination whether or not a message is malicious or not. And it’s, you know, Dave mentioned, there’s lots of, you know, real world use case scenarios for AI and ML, DMARC doesn’t really do that. It just says, Does this message authenticate properly for the domain it claims to be from? And if not, via a policy in your DNS, it tells your email gateway or other email gateways, your customers and your partners and your supply chain, Here’s how to treat messages that impersonate my domain but can’t authenticate properly. So, it’s a pretty straightforward proposition. It’s not a black box, it’s all about who sent the message and can you trust them versus what’s in the message and is there malicious content? So it’s an interesting- it doesn’t solve for every single phishing use case or scenario, but it kind of helps you lock your front door, you know, stop your own domain from being impersonated first. Doesn’t mean attackers won’t use other domains and random domains and custom lookalike domains to try to attack you. But at least DMARC helps you stop your own domain from being impersonated, gives you visibility into who’s using your domain for email both legitimately and maliciously. I think probably, Dave, Jim, Steve and I, we see in the space today, you don’t have to have a lot of technical expertise to launch a phishing attack. There’s plenty of web forms out there. 
Phishing-as-a-service kits, you don’t have to be highly sophisticated to send a phishing message in today’s world. And DMARC is just a way for you to kind of secure the foundation. And again, it’s one element of a multi-layer strategy.

Lauren Lev   
Stephen, can you talk about IronScales’ solution?

Stephen Kowski  
What I would say, IronScales, how we approach this, the problem of email phishing, right, is a comprehensive approach, applying defense-in-depth principles. Right? All across our platform. So talking about AI and ML, talking about the email automated technology based solutions, definitely part of our platform, something we’re using to try and really not only find the, solve the security problem, but also the resource problem, because many of these companies don’t have resources to be chasing these things down all day. So can we automate that? How much of it can we take out of their hands and automatically resolve? The other piece of it is, I think Dave may have alluded to it earlier, right is viewing those users as an asset, bring them into the fight against email phishing, how do you do that in a managed kind of scalable way? That’s critical. So how do they know what to report well starts on the basis of a good security awareness culture, training them of what to even look for. And it needs to be kind of changing and dynamic over time because these things are- we’re not, this isn’t a static problem. This is- we’re painting a moving train here. And it’s always changing. The threats we’re seeing last month from this month are changing. And they’ll go through different campaigns against your company, they’ll change and switch them up. So important to at least give the users that awareness of what to look for then simultaneously give users on specific messages, awareness alerts within the mail that says, I know this sender by this name, but it’s coming from a totally different email, or this domain is a lookalike. Giving that specific context in real time, that can really help. Then at the same time, if we already can see, obviously, this is a message that is definitely phishing, AI and ML pull that out. So it’s kind of an all encompassing solution that tries to address it in a number of different ways, leveraging human beings as assets, right? 
Because they really can be the difference. And the goal is not to drive a wedge in between technology groups, and the rest of the organization, right. Ultimately, this is a business risk problem where every single person in an organization has a stake in it. So we have to be able, this is not a technology problem alone to solve, right, we pay for technology, we throw it at the problem, and it goes away. If that was the case, likely the three panelists wouldn’t be here today is my guess. Because there’s been a number of vendors that have tried that approach. So we have to kind of shift our perception, shift kind of how we’re approaching. And I don’t think it’s necessarily the tools alone that need to be rethought, but the overall strategy. Phishing at the end of the day is a human and machine problem that requires a human and machine solution. So how we do that, how we make it scale, at IronScales, we approach it kind of overall, and attack it in a number of different ways. And eventually moving into the messaging security space, right? We’re seeing them pivot out of email and move into other vectors, trying to take account takeovers, trying to move laterally through organizations through other means. But I think that’s the biggest thing is combining that technology, combining the humans, bring them in using them as an asset, and empowering those SOC teams, so that they’re not wasting huge amounts of time searching around the environment, searching and deleting, right, or even kind of viewing the all these reports, right? We- that is the best way we know how to kind of solve this problem of email phishing.

Lauren Lev   
It’s a very layered approach for sure. Jim, we’ll have you close us out today. So, how do we motivate our listeners to take action and do you have anything else to add about email and phishing protection that we haven’t covered yet?

Jim Bowers  
I wasn’t expecting that. I was just going to wrap it up. But I will, I will. I will. I am going to go off with something Dave said. And I think it’s a very interesting point of talking about looking and using AI for potentially, is this user who they are right? And let’s take that to the next step of what’s going to come up and that’s deep fakes. Right? We’ve seen the deep fake, it is very good technology. Right? And if you don’t mind, I’ll show you how good it is. Oh, can I share something real quick, Lauren, or no? 

Matt Tankersley   
Yeah, go for it. 

Jim Bowers  
Okay. But yeah, you got to give me the share. Host disabled share. 

Matt Tankersley   
All right, I think that’s me. Hang on. There we go. 

Jim Bowers  
I think our panelists will enjoy this thoroughly. So if you’ll see the deep fake this is not Austin Powers it’s Matt. So what I want to say is this technology is there, right? I couldn’t resist. I’m sorry. But what I want to say is it’s evolving to security is not it’s not a destination. It’s a journey. And that’s why I love what Stephen said, I love what Brian, all these- You guys are awesome. And you’re spot on because it’s going to continually change and AI cannot keep up with that change. We still have to have that human element. And I love the aspect of saying AI is here to assist right? And that’s a key point. Guys seriously, everybody uses email constantly on my multiple devices. It’s a huge attack vector for all organizations. And here’s the kicker, you’re not gonna have a choice to. Cyber insurance companies are going to start mandating it. That’s the key difference here, because they’re losing too much money. I think, Matt, you said it earlier, there’s no silver bullet, you got to have this top 21. Right, you have got to have this defense in depth. Because they’ll get around the spam filter, they’ll get around your EDR, but do I have visibility, right? So I see this evolving and changing. I agree with Stephen, it’s going to morph as we- population comes up, and how millennials digest information. I’ve seen a huge attack vector for cell phones, then people are moving to a Hosted Voice, I can get a text just as much as I can get a call. So these guys and their technologies- And what’s really cool was, you’ll all look at it a little differently. And that shows you that there’s not one way to solve this problem. But you’re all good. And by the way, I do want to talk to all you guys further down the road, but these panelists have been wonderful. Email is not going to go away, it’s still going to be the number one business application. It’s still gonna remain- top three of attack vectors. 
So this is a critical component within an organization’s defense in depth approach. And they’ve got to have it. So by the way, great panelists, guys, that was awesome. And, you know, what I tried to do is connect with guys like Dave, Brian, and their organization to enable my partners to leverage the solution that you have in place. So great stuff.

Lauren Lev   
Jim, you’ll have to send me that video so I can use it for other-

Jim Bowers  
Oh, I got one more for you. I will definitely send it to you. You can blackmail him. 

Matt Tankersley   
Yeah, send it. It’s all good. Yeah, baby. 

Jim Bowers 
Yeah, baby. I’ll do you as Patrick Swayze too.

Lauren Lev   
Yeah, I love it. Send them all my way.

Matt Tankersley  
If you’ve watched our series, you know, this is important stuff. This is critical stuff. We’re trying to give you a way to simply approach, how do I get started with cybersecurity. You’ve got a great group of panelists you are watching with us every week, don’t take, you know, take it for granted that what we say is number nine on the list shouldn’t be number two for you based on your unique circumstances and the issues that you’re dealing with right now. But hopefully, what we’ve done is give you a way to get methodically started into achieving secure, reliable, trusted technology on a sustained basis. Let me say this about a few things that we’ve talked about today, and I always try to summarize some of the things that we’ve talked about today. When we start talking about phishing, when we start talking about spam, whether it’s in the office at the watercooler and panels like this, I think there were a couple of things that were said about this, we’re generally focused on protecting that end user from those malicious actors. You know, the people in that desk that would be receiving emails for my company. And what I love about what the folks at Red Sift and on DMARC are doing, and Jim and I both have a lot of propellers onto these hats. That’s why we have to wear them, guys, because otherwise it’s spinning out of control and people have got to wear sweaters and jackets and stuff. So I love what these guys are doing all of you. What Brian’s doing, if you didn’t pick up on what his team’s doing, is they’re protecting the identity of your company from being used by these malicious actors to make your company look bad. And Jim, we’ve definitely seen situations and dealt with situations in recent months. I’m trying to think, we had a company that called us, they had their slightly different topic that’s totally related, right? Makes the point. Their phone system was compromised. Somebody called out from their phone system to people and said, I’m from the company. 
Right? It looks like it is because the phone numbers are going through and it says it’s from the company and somehow they’re getting money from them. By the way, that evolved into spam and a link and a phishing and a financial, you know, compromise, right? Risk- My point in this and email and phishing risk is two directions when it comes to email, guys. So not only do we need to protect our workforce with tools like IronScales and obviously security awareness training, whether you’re getting it you know, with folks like IronScales or somewhere else and then bolting on phishing technology from Inky like we do with a ton of our clients, right? You also have to protect your brand. And Brian, it was interesting to me that you didn’t bring up BIMI, and you know, I don’t know of any closing- it doesn’t make sense to bring that up as a point and let me just sharpen the pencil we’re talking about how do you protect your brand from being exploited like I just described with the phone system?

Brian Westnedge  
It’s fine, there’s not a lot of rewards for the defenders at the company. You know, there’s a lot of rewards for the attackers if they are able to breach and exfiltrate data or information or financials, but there’s not a lot of rewards for the defenders. The reward is staying out of the news and you know, protecting the organization. If you do a good job nobody ever hears about you. I think BIMI to me, Matt, is kind of the reward for doing the hard work of implementing DMARC. So if you’re in a small medium sized business you’re working with TOP, you do the hard work to authenticate your mail, implement DMARC, the reward is a new spec called BIMI. But it basically allows you to display your logo in an email client, instead of that default avatar we all see up by the from address, you know, usually it’s initials or sometimes it’s blank. But in Google Workspace in particular, BIMI is a DNS record. If you’ve implemented DMARC, you’ve got DMARC at enforcement, then you can display your trademark logo in the mail client. So it’s a reward for doing DMARC. It gets other people in the organization interested in doing DMARC outside of IT and messaging and security. And it really, like he said, I think we’ll see a lot more in 2022 as we look ahead. It was just released at Google in July. So 2022, Matt, I think we’ll see a lot of companies that want to adopt BIMI. It may just be a means to an end, you know, DMARC may be the means to an end to a marketer getting their logo displayed in an email.

Matt Tankersley   
Right. And Jim, final thoughts on Brian’s team and their tools. Best toolset I’ve seen yet for diagnosing email problems related to SPF, DKIM or DMARC. You use their tools, you can- you get a generic email, you send an email, it’ll dissect that email header and tell you in plain English, what the heck is going on. And you’re like, oh, that’s what I need to do instead of trying five or 12 things. And so, grateful to be partnered with you guys. Brian, thank you for that. Inky and IronScales, most people like I said, we’re focused on protecting our end users, you can’t go wrong, you guys are doing a great job of that. And we’re obviously grateful to have both of you. And legacies like Bandicoot and the Israeli Defense League, or it’s not the league. That’s a movie, it’s a movie and a combination of a security force, and what was that the Justice League? No, that’s not it, alright. Guys, we’re grateful for you. Lauren, how about last words, let’s just go around the room once and then you can close this out. Thanks, everybody.

Lauren Lev   
Absolutely. If anybody has any last words, go ahead and take the floor.

Dave Baggett   
I was just going to comment on one thing, you know, Brian talked about companies protecting their own brands. One thing that we do is we actually make the AI look at the mail almost like a person because we want the AI to know who the person is going to think the mail is from, right? So if the person is going to think the mails from Microsoft, we want the machine to know that. So we do all this computer vision stuff to make the machine understand, hey, it looks like it’s from Microsoft. But then the question we have is, how do we prove that it’s from Microsoft or not. And that’s where what Brian’s doing DMARC and DKIM and SPF, that’s where those things come in. Because they give a system like ours the ability to say, hey, if this looks like it’s from Microsoft, it better be from one of these domains and we better be able to prove that. And things like DMARC and DKIM and SPF, those are the mechanisms by which we can prove that in the software. We can prove the mail came from this particular mail server, and we know that it’s controlled by Microsoft or MailChimp, and not by some random attacker.

Stephen Kowski  
I think the only other thing I’d add, right, is analyzing this problem, finding out whether or not you have an issue to begin with, right, is a critical first step. At IronScales we give that kind of free analysis to folks, we want to make sure that they understand what their particular risk exposure is. So we always want them to kind of put us to the test without kind of impacting their users or their environment whatsoever, first and foremost, to understand what the impact might be and how we might be able to help.

Matt Tankersley   
Love it. We’re big on free tests. You’re going to talk about that a minute, I think, Lauren. Jim, do you have any final thoughts? 

Jim Bowers  
Yeah, I mean, I want to hop on one thing again. I think I’m picking on Dave, nothing against Brian and Stephen. But Dave, I think one thing you stated, was this work from anywhere, right? And I think what people don’t understand is the psychological aspect of being working from home. Lauren touched on it. Kids running in, multitasking, it’s a whole new environment. Your mind’s not in that mindset, right, of in a business office. That little piece, again, are all these reasons why these threat actors are being so successful. And it’s companies like this, that provide a critical component into that layered approach. Right? This is one piece of it. You still need the other pieces. And companies like Inky- I’m going to butcher, I know IronScales- Red Sift. These are the guys that are making, they’re keeping up with the threat actors. They’re playing the cat and mouse game, right? It’s companies like you guys that are going to change that. Hey, threat actors the cat, I’m the mouse. You’re gonna flip that paradigm. And it’s coming. Right? But great panelists. Great, great solutions. And Matt, great platform. So, love being here. Thank you.

Lauren Lev   
All right, guys. That is it for us today. So one thing I wanted to hit on if we haven’t said it over and over again in this episode, I’ll say it one more time, your employees are the last line of defense. The biggest danger your organization faces when it comes to phishing is whether your employees can spot the signs of a scam and act appropriately. You have to be able to rely on your employees to stay vigilant and act responsibly. This all begins with staff security awareness training. Well, you’re in luck, because episode one of the series focuses entirely on security awareness training. So check that episode out, along with all of our other episodes on LinkedIn, YouTube, Facebook, and Spotify. And get direct delivery of the vlogs straight to your inbox by signing up at TechOnPurpose.net/blog. And like we mentioned earlier, if you would like to start a free trial from any of our solution partners here today, send an email to . And something we haven’t mentioned yet is, if you want a free cybersecurity risk assessment, you can visit our website at WhosInYour.Cloud to sign up for that. Alright, next week we are back with episode 10 on Cloud SaaS backup and you don’t want to miss it. Once again, sending us off in the new year, I am Lauren Lev, Marketing Manager for TechOnPurpose. We hope all of you are having a great start to your new year, and may 2022 bring you peace, prosperity and most importantly, cybersecurity. That is all for us today. Goodbye everybody!
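The DMARC mechanism Brian and Dave describe in the episode (a policy published in DNS that tells a receiving gateway how to treat mail claiming to be from a domain but not authenticating as that domain, with SPF and DKIM as the proof) is shown below as an added worked example. It is not part of the episode and is not code from Red Sift, Inky, IronScales or TBI. It assumes the receiving gateway has already produced SPF and DKIM results for the message; the DMARC record, domains and sample messages are constructed, and the organizational-domain step is simplified to "last two labels" instead of the Public Suffix List that a real receiver must use.

```python
"""Added example: a minimal DMARC policy evaluator (constructed, not vendor code).

Given a domain's DMARC TXT record plus the SPF and DKIM results a receiving
gateway already computed, decide whether the message authenticates for the
domain in the From: header and what disposition the domain owner asked for.
"""
from dataclasses import dataclass, field

DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into tags,
    filling in the spec defaults for alignment modes and pct."""
    tags = dict(DMARC_DEFAULTS)
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real receivers use the
    # Public Suffix List so that names like "example.co.uk" are handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """What the gateway already knows before the DMARC step (constructed)."""
    from_domain: str              # RFC5322.From domain, the one the user sees
    spf_domain: str               # RFC5321.MailFrom domain SPF was checked against
    spf_result: str               # "pass" / "fail" / "none" ...
    dkim: list = field(default_factory=list)  # (d= domain, result) per signature


def evaluate(record: str, record_domain: str, res: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). record_domain is where the TXT record
    was found: the From domain itself, or its organizational domain."""
    policy = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, res.from_domain, policy["adkim"]) for d, r in res.dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # No aligned pass: apply p, or sp when the From domain is a subdomain.
    is_subdomain = res.from_domain.lower() != record_domain.lower()
    return "fail", policy["sp"] if is_subdomain else policy["p"]


# Constructed record for example.com, at enforcement with strict DKIM alignment.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-rua@example.com")

SAMPLES = {
    # Legitimate bulk sender using an aligned bounce subdomain for SPF.
    "newsletter": AuthResults("example.com", "bounce.example.com", "pass"),
    # From: says example.com, but SPF and DKIM only vouch for another domain.
    "impersonation": AuthResults("example.com", "mail.other-sender.net", "pass",
                                 [("other-sender.net", "pass")]),
    # Forwarded mail: SPF breaks in transit, the DKIM signature survives and aligns.
    "forwarded": AuthResults("example.com", "forwarder.example.org", "fail",
                             [("example.com", "pass")]),
    # Subdomain signed with the parent's key: fails strict adkim, gets sp.
    "subdomain": AuthResults("billing.example.com", "billing.example.com", "fail",
                             [("example.com", "pass")]),
}


def run_samples() -> dict:
    return {name: evaluate(EXAMPLE_RECORD, "example.com", r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_samples().items():
        print(f"{name:14s} dmarc={result:4s} disposition={disposition}")
```

The "impersonation" sample is the case Dave describes: the mail looks like it comes from example.com, but nothing cryptographically or via SPF ties it to example.com, so the owner's published p=reject applies. The "forwarded" sample shows why a DKIM signature matters alongside SPF: forwarding breaks the SPF path, and without an aligned signature legitimate mail would be rejected by the same policy.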

Ready for your free cybersecurity survey? Discover potential vulnerabilities for your business and get a copy of our #TOPcyber21 Best Security Practices to help get you started on the road to #secure, reliable, trusted technology! Subscribe to our blog to get episodes of “Who’s In Your Cloud?” delivered direct to your inbox weekly.