mnemonic security podcast

Email and Human Centric Security

mnemonic

In this episode of the mnemonic security podcast, Robby is joined by Matt Cooke from Proofpoint. 

They discuss the evolving landscape of email security, emphasising the need for a multi-layered approach beyond traditional prevention methods, as well as the importance of pre-delivery, post-delivery, and click-time protection to combat phishing and business email compromise (BEC) attacks. 

Matt notes that 76% of data breaches involve a human element, and stresses the significance of threat intelligence and machine learning in detecting and mitigating threats. The conversation also touches on the role of AI in enhancing email security, the importance of DMARC for email authentication, and the concept of "very attacked people" (VAPs) to prioritise security efforts.

Speaker 1:

From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the Mnemonic Security Podcast. "You are the weakest link. Goodbye." A famous punchline that all the cool kids remember from that show in the early 2000s, but when I hear it these days, it kind of makes me think of some algorithm preventing a malicious email from landing in an inbox. It probably also means that I'm just not cool anymore, and even if we hate email, we've got to use it.

Speaker 1:

And as I speak, thousands of people around the world are plotting and planning on how they're going to get you to click on something and enter your credentials. I'm pretty sure the advanced actors don't even need you to enter credentials these days, but that's another thing. According to my LLM, Microsoft and Google handle 500 billion emails a day and have huge security teams to prevent bad stuff from happening in your inbox, but experience shows that you can't catch them all like Pokémon. So a modern approach to email security requires more than just prevention. In fact, there's a lot of things to consider these days, so I invited a friend of ours to come and provide proof to their points around email security. Matt Cooke, welcome to the podcast. Hey, how you doing?

Speaker 2:

I'm doing lovely. How about yourself? I'm doing very well. Thank you, sir. Very well indeed. I'm looking forward to the chat today.

Speaker 1:

Been looking forward to this for a while I'm not sure what this is going to end up being. 115, 116 episodes and, believe it or not, you're the first marketing person on the podcast.

Speaker 2:

So I'm going to count how many times you say AI. I actually can't believe that you've not ever had any marketing people, because I know that there's a lot of people out there like me that kind of hide marketing behind their job titles. Right, so I've been outed. That's how it goes.

Speaker 1:

And I'm just kidding, you've been a consultant pretty much your whole life, so that's a very interesting career path move.

Speaker 2:

My background is actually I was hands on IT. I used to run an IT team, I used to do a lot of the work myself, and then from there I kind of re-evolved through a whole bunch of different vendors, you know, before finding my way to Proofpoint.

Speaker 1:

And hey, I'm just giving you shit. I saw that you came from the technical side, so if you were just marketing your life, I wouldn't make that joke. I know no exactly, and also it'd be the pot calling the kettle black. I'm a sales guy working with marketing, so I'm probably the worst of anybody.

Speaker 2:

Oh yeah, well, there you go, we're both imposters.

Speaker 1:

Wolf in sheep's clothing, right. But hey, as you know, we have a tendency in security to hop on the new and cool bandwagon, right. So you know, these days one thing I hear a lot about in these walls, or a lot of the stuff we're doing incident response on, is like internet-facing appliances, VPN gateways, and it's almost like if I hadn't been in security for nine years I would almost think that email security is kind of over, like a thing in the past, we solved that. I would assume that's not the case.

Speaker 2:

That would be great if we did, though, wouldn't it Right?

Speaker 1:

What's the status of email security in 2024?

Speaker 2:

Do you know? It's constantly evolving. And you're right, because you look at it from the outside and you think, hey, email security, that was done, right. We used to buy an appliance and stick it there and it used to do all that for us. We filtered everything, and then all of a sudden we went cloud and, I don't know, maybe most of us went Office 365 or Google Workspace, whatever it happens to be, and they kind of did the email thing for us, and so we all thought that that problem was done.

Speaker 2:

But the reality is it hasn't, because if you think from a cyber criminal's perspective, the easiest thing for me is actually to get you to do bad stuff for me, right. Because if I've got to sit there and try and exploit a zero day and try and hack into a system, whatever I've got to do, that involves a lot of work, and if I'm burning those zero days or burning the use of those vulnerabilities, that's a challenge, that's really expensive for me. What's really easy for me is to effectively be a grifter, to turn around and try and con you into doing stuff, and that hasn't changed, because that can scale, right. If I can get you to click on a link, if I can get you to give me information, if I can get you to send me money, then you know I'm achieving, I'm out there, I'm winning as a cyber criminal. And so the way I communicate with you, well, it's ubiquitous, right, it's email.

Speaker 2:

We've all been doing it, and so the job of the cyber criminal is actually just to evade those defenses. And so the job of email security, and email security as a platform really, rather than just thinking of a single box, is actually kind of much bigger than that now. It's to try and stay ahead of that. It's to try and spot some of those social engineering techniques, not just like, hey, it's a bit of malware, it's a virus, whatever it is; it's actually someone trying to trick you into doing something. That's a much harder equation to solve, for sure.

Speaker 1:

So email is still a threat vector that's increasing, or what do the numbers look like there?

Speaker 2:

Yeah, I mean it is and you know. You only have to look at like all the standard reports.

Speaker 2:

I think Verizon came out, was it a month or two ago, with their data breach report: about 76% of all incidents had some kind of human element involved in them, because, for the reasons that we just explained, right, you're the one that's being targeted rather than anyone else. It's not systems per se. It's just much easier to target you as an individual. So those risks are kind of increasing. And then, similarly, you throw in the mix the types of risk. Clearly, if I compromise an account, that could easily lead to ransomware; we know that's a big challenge, we don't need to kind of go and chew over that one again. But business email compromise, we call this thing in the industry business email compromise, which is more like this imposter fraud, right, me trying to trick you into sending money, that is massively on the rise. Unfortunately, that's one of the biggest areas where companies are losing money, because it's just simple social engineering and often actually involves, you know, accounts that have been taken over. So I guess those are the reasons.

Speaker 2:

I guess the market has evolved and everyone thought that actually what we had was good enough, and actually now everyone's realizing, no, it isn't good enough anymore. The market kind of evolved to saying, hey, we've got this package with, let's say, Microsoft 365 or Google Workspace, it includes email security, but we need something else. And so the market said, well, okay, let's try and do this thing called post-delivery protection, where you know we can bolt a product on behind that technology and start looking at emails after they've arrived in inboxes and trying to work out what's good and bad. But, very quickly, I think the market evolved again and said, hey, actually that's still a problem, because that's actually too late. If you think about that, like, if I want to send you an email and get you to click on a link and give up your details through credential phishing or whatever, if that email's hit your inbox, I reckon, I don't know, I feel like you're an inbox zero kind of character, right, if it pops up, you click on it, you're there, right, and so that's how people work.

Speaker 2:

And so just relying on this post-delivery protection becomes a bit of an issue. And I think yeah, that was again that was kind of brought out in some of the stats recently. I think it was again in the same Verizon report. They said that within 60 seconds, if you're likely to engage with a phish, you're likely to have done everything like given up your account details within 60 seconds of it arriving in your inbox. Yeah, and then, in fact, our own research. We see that, like one in seven malicious URLs that land in the inbox get clicked within 60 seconds as well.

Speaker 1:

And so, maybe that's why they disabled links. I can't press a link on my phone, at least.

Speaker 2:

Well, that's probably one of the reasons. Yeah, and organizations look to do that in a different way. I mean, some companies will just completely disable them, some will put them into isolation, some will build in click-time protection, but interestingly that then becomes a real key part of your overall, I guess, email security package, if you like. So you start off with actually saying we can't just let the bad stuff arrive in the inbox anymore and deal with it there.

Speaker 2:

We now need to focus on what pre-delivery is. Let's keep more stuff, more bad stuff, away in the first place. In other words, let's do a better job than that kind of good-enough protection that we thought was good enough, that's packaged in those productivity suites that we use. Let's put something up front that says, actually, stop all the bad stuff there. Then let's do something post-delivery, just in case, but equally it gives us the capability to remediate if something bad goes in.

Speaker 2:

But we also need to build in click-time protection for exactly the reason that you said, because you click on things on your phone, you click on things on your laptop, you click on things. Yeah, it's just our nature, it's what we do. So, and I think, you know, going back to your original point, how has the market evolved? That's how it has evolved. It's evolved from just being one piece of technology to actually now being multiple stages of pre-delivery, post-delivery, click-time protection, which covers the suite, I guess, if you like, and gives us that platform to protect your people, because that's what we're in the business of. It's not email security anymore, it's people protection.

Speaker 1:

Layered defense, yeah, cool. I know for a fact that one of my friends, I asked him like, hey, what would you do if you didn't work in mnemonic? And he was like, probably like a researcher, maybe somebody like Proofpoint. I was like, okay, wow, so they must be really good at what they do.

Speaker 1:

Nice, one of my colleagues here in mnemonic said that, okay, and obviously, please, no, you cannot have him, no, no, no, he's awesome. No, but that made me think, like, obviously they're good at threat intelligence, right, and I know that obviously you must be collecting huge amounts of data. Yeah, just a few words, I'm not even going to, I don't even know how to phrase the question, but like threat intelligence for Proofpoint, what does that mean?

Speaker 2:

Yeah, it means everything, actually. We see billions of emails every single day. I mean the volume of business-to-business and business-to-consumer emails that we see on a daily basis is astonishingly huge. But that gives us all of that intelligence, right. So a lot of our technology does also get put into some of the ISPs and some of the big platforms out there as well, in various different ways. And it is that breadth of visibility, the volume of messages that we see, and then what we do with that is you learn. You don't just learn, hey, that's a bad IP address sending out a load of spam. Yeah, that's one of the things you can learn. But, more importantly, you can start to learn behaviors and profiles and you start to understand.

Speaker 2:

You know, there's a really, really good example, just recently actually, of an organization that was a retail company. A retail company that sold essentially chairs, tables, that type of thing, and in order to sell them they had to deal with a company that made them, right. The manufacturing company, a really small industry kind of company, you know, five, ten people, that sort of size, made the furniture, gave it to the retailer, the retailer sold it. Once a month someone in the furniture manufacturer sends an invoice to the retailer. Someone in the manufacturer's account gets compromised, right, they got done with a phishing attack, the account was taken, and the sort of behavior that you see right now is, you see, a cyber criminal is basically just going to sit there and look at the inbox and, in fact, look at the outbox and look at the conversation threads and realize that once a month they send invoices, and so when that thread happens, they jump on it and they hit reply all and it goes back through, right. And so at that point the attacker's actually sending emails as if they were directly from that account, and so you're expecting it.

Speaker 2:

Everyone's comfortable with the conversation. It's completely normal. The only thing that's not normal is the attacker's actually saying in the message, hey, the bank account number's changed because we're having an audit at the moment, can you send the money here instead? Now, if you look more closely, what they've also done is perhaps set the reply-to address to be an external domain, so that when the reply comes in, that conversation now happens to an external domain and it's not on the internal systems and it therefore evades detection.

Speaker 2:

But essentially what's happening there is an account compromise that has led to what we call a business email compromise scam. Basically, you've lost a lot of money, right, your money's been sent to the wrong place. That's the type of challenge that people are dealing with now. How do you spot that becomes the real, real challenge for organizations, because the message itself looks normal. There's nothing different about it other than the bank account number changed.

Speaker 2:

And so a lot of what we're doing is around that intelligence piece and understanding context to say, yeah, Matt and Rob email on a regular basis and, yeah, occasionally they'll talk about invoices. And, yeah, actually, sometimes those numbers change. But this level of urgency being applied by Matt is unusual. And so maybe we'll put a little banner across the top of your message and say, hey, just pay a little bit more attention to this, because this is maybe a little bit unusual. You need to just look into the details.

Speaker 2:

Or, you know, maybe it turns out that actually we detect that Matt's account has been compromised. From that point, you know, we make that decision and say it really does look like it's been compromised. But now when Matt starts to try and email that other retailer, the competitive retailer they've also got business with, they've already had a warning in advance, and so they can almost see that, actually, that that threat is going to come through, and so that they can take action to block it straight away. So I guess the point is there's never, ever, just one thing, but what we're doing right now, and what that intelligence gives us, is the understanding of content and context to be able to make those decisions around those social engineering threats.

Speaker 1:

And I would assume that to be able to build that, you're doing like natural language processing, you're looking at, like the, you're using machine learning to like break down the sentence itself and say urgency, looking at all the different factors and those together make a banner come up.

Speaker 2:

Yeah, so you said you were going to talk about AI, but yes, yes, because that is exactly it. Right, yeah, it is. It's using essentially machine learning models. I mean, machine learning has been working within email security platforms for a long, long time already. But what the benefits we've got right now is that we can take some of those large language models, that, because they're much more freely available and you know we work quite extensively with a few of them and we build some of them around and use others as well that helps us understand that context a bit better. That helps us work out what is the intent here.

Speaker 2:

Is this conversation typical? Can we get those indicators from it? And so, yeah, absolutely, that helps us do that at scale. And again, we're now able to sit in line and do that pre-delivery, and so if we can make these decisions based on content and context as the email's coming through, then all of a sudden now we can stop the vast majority of these types of threats actually landing in the inbox. And so, where the market, you know, previously had evolved to saying, hey, we need this post-delivery thing looking just for these business email compromise emails, actually that's not good enough.

Speaker 2:

Now we're doing that, I use a marketing term, at wire speed, on pre-delivery, right, because the messages are coming through, and that's kind of huge because that's, I guess, what the advances in AI have meant to us. Cool.

Speaker 1:

So do you have lockdown mode on your phone, assuming you have an iPhone?

Speaker 2:

No, I don't actually.

Speaker 1:

Okay, so one of the things about lockdown mode: if Apple sees something new, they have so much control over their telemetry, like, oh, that's new, block it. Or it goes to their, like, super, super shock or their IR team, right? Yeah. Does Proofpoint have something like that in place for emails, like stuff that you've, you know, you've never seen this? And I guess it tracks to the AI, machine learning discussion.

Speaker 2:

Well, it kind of is, yeah. And actually one of the best sources of telemetry is actually all the bad emails that we're seeing, right, they're hitting your organization. Because that can tell us, like, who's targeting your organization, right, which criminal gangs are kind of after you at the minute, what are the types of scams that we're seeing, what are the objectives? Are you facing ransomware threats? Is it business email compromise? But also it tells us who they're going after, and we can now say, hey, Robby is currently being targeted by a number of different criminal gangs with business email compromise threats, because they've worked out that actually he's not a salesperson like he said he was, he works in finance, he's got access to money. You know, he's got access to money, he's got privilege, and so we're going to target him with those scams.

Speaker 2:

Now, of course, we can start to see that through the intelligence, and based on that we can almost grade and score all the bad stuff that we're seeing and blocking and say, actually, that now gives us an indication to say, actually, Robby is one of our very attacked people within the organization. And very attacked doesn't necessarily mean just volume; it doesn't mean that, hey, you're getting tons of rubbish coming your way. It means really unique stuff as well, maybe just that one threat that was completely unique, we'd never seen it before. And so all of a sudden your very attacked people score goes up. The algorithm says, hey, you are now pretty high at the top of the list, and what you've got there then is a list of essentially where your risk lies within the organization, because underneath that we can also take a view as to: do you have access to money? Do you have access to data? What does your privilege look like? Are you an admin? Those types of things. If we can factor that into the algorithm, now we can say, okay, they're vulnerable, they're being attacked and they've got privilege. That is risk. That's where we can then center that risk in an organization, and in fact we've got this super cool thing called the Nexus People Risk Explorer, which is a Venn diagram of risk, and it shows those people that essentially present the most risk for the organization right now, right in the middle, and you can then apply better controls over that.

Speaker 2:

So you talked about lockdown mode on your phone. One of those controls could be, hey, you're in the VAP list. Well, we're going to now tell your authentication gateway automatically who's in that list, so that you might be required to reauthenticate a couple of extra times during the day when you're logging into various different websites, rather than using cached credentials. Or maybe we apply that to isolation. Again, you talked about links on your phone. Anyone in that VAP list, any link that gets sent to them right now, we're going to isolate that, so they've got click-time protection on everything. Or perhaps we'll force all of their web traffic through isolation.

Speaker 2:

And those are just examples of some of the controls that you can do, because it actually opens the door to pretty much anything, because that information we can offer up through APIs, and we can then hook that into your other reporting tools within your security ecosystem to say, yeah, here's where we think most of your risk is right now, at this moment, on this day, at this time, and it's always there and it's available for you and you can then utilize that how you need to. So, yeah, those lockdown kind of controls, we call them adaptive controls, I guess is what we refer to them as, because it's dynamic, because the risk profile of the organization is always changing.

Speaker 1:

Very interesting. Tell me more about the very attacked people. I would assume, like you said, finance developers.

Speaker 2:

I would also assume salespeople, just because we're just clicking on shit. True, I mean, quite often you tend to see a lot of VIPs in there, right, the important people in the company, the execs, more often than not, because their name is out there, right, and everybody knows they've got privilege and stuff like that, so they will tend to float up there. But certainly you'll see a lot of finance in there. You often will see a lot of HR in there as well, HR dealing with people information, right, a good source of data that criminals are kind of after. But, as I say, it's quite dynamic and you'd be surprised how much it can change on a fairly regular basis. But once you factor in things like vulnerability and privilege as well, it does add a little bit of stability to that list, because you know.

Speaker 2:

You then need to know where to target your training. You know, for example, another one of those adaptive controls might be, hey, let's, you know, salespeople are always clickers, let's make sure that we keep them up to date with their awareness training, that we feed them those little snippets every now and again, just to keep their knowledge levels up and their awareness levels up. So, yeah, VAPs is an interesting concept. These are people that we currently think are imminent targets within our business, and this is what we're doing about it and these are the controls that we're putting in place, and it can be really powerful to help optimize the risk within an organization.

Speaker 1:

I got an email from my, I probably shouldn't be saying this, but I'm saying it anyway. I got an email from my salary department and they were like, this can't be you, right, smiley face. And it was like, you know, obviously it was from the super shady Gmail, but it was written in perfect Norwegian and it was asking my colleague to change my account number for my salary, right. And she laughed because she was like, it was written in Norwegian, that's obviously not you, perfect Norwegian. So I was like, ow, but yes, that's not me, you know.

Speaker 2:

The good thing about that is your colleague immediately thought yeah, this is not right. But if you think about that from an attacker's perspective, if they can scale that, yeah, that's worth quite a lot of money. And again, those types of scams are incredibly annoying, but incredibly popular as well at the moment.

Speaker 1:

So the million dollar question, I think one that everybody in this podcast would appreciate hearing, is like, why doesn't Microsoft just get their shit together and do what you're doing on their side, since they are like the default choice included in the package, right? Yeah, I know that Microsoft has a big threat intelligence team that does a lot of the similar work that you guys are doing, right? Of course. So why does Proofpoint exist? Yeah, I don't mean that in a negative way.

Speaker 2:

No, absolutely. Yeah, I'll answer the question with a question: why doesn't Microsoft get their shit together? Absolutely. I mean, I like it that they don't, because actually it means that there's an ecosystem that can kind of focus on doing the right thing with protecting people and is not necessarily just focused on, you know, building that productivity suite, and I think that's kind of the balance. You've got, you know, I'm using it right now, right, Office 365, using it every single day, and it's awesome to a certain degree.

Speaker 2:

There are things we don't all like in there, but there are things we love, right, it works, it's ubiquitous. So there are things in there like, imagine, I stick a file on OneDrive and I decide, hey, Robby, I need to send you the PowerPoint presentation, I'll just share it with you on OneDrive. It's fine, you get the link, that kind of comes through. There used to be a time in cybersecurity where you'd basically tell people, when you get an email, hover over that link and if it looks legit, okay, click on it; if it looks a bit dodgy, don't do that. You can't do that with a OneDrive or a SharePoint link or anything like that these days, because there's these massive, great, big, long links and they're really hard to understand. Of course, attackers know that. Attackers know that we're all using Office 365. They know it's ubiquitous. So what do they do? Well, they abuse those technologies as well. They actually launch their campaigns: they'll stand up a 365 tenant, they'll share malicious files in OneDrive, they'll use the tools that we're using against us, and of course that then becomes incredibly hard for someone like Microsoft to be able to defend against, because essentially the attackers are using their own platform to attack people on their own platform. And so you get to a point where you actually need to look at security slightly differently and say, actually, are they best placed in order to defend our people? And the answer for most organizations is often no, because actually there's huge value to be had in that whole.

Speaker 2:

Everything that we talked about, and it's not just email security as being one product anymore, it's pre-delivery, it's post-delivery, it's click-time protection, it's that complete story. It's also security awareness training. It's also how we integrate with all those other pieces of technology in your security stack. It's all of that that now becomes, you know, effectively email security is now a platform, if you like, rather than one piece of technology, and that's something that, you know, organizations like Microsoft that are building those suites, they don't necessarily get that, and I think that's part of the reason why, you know, they do a good enough job to keep bad enough stuff away. It's okay, but it's not stopping any of this, all the types of threats and things that we talked about, and organizations are not getting those values of understanding where their risk is and ultimately mitigating human risk. Marketing terms, I said I'd try and pretend not to be a marketing person. We call it human-centric cybersecurity, because that's ultimately what it is, right. It's protecting people.

Speaker 1:

Yeah, they have this super complex environment now and I guess they're. If they were to get their shit together, you know Proofpoint would be struggling, CrowdStrike, all these other companies that we know and love, would be.

Speaker 2:

But would they? I mean, I wrestle with this one because I think about that and I think, actually, would they, if they really did, you know, if they really, really did a really good job? Are we, as cybersecurity professionals, happy to put all of our eggs in one basket and say, do you know what, Microsoft, have everything and become now not only the platform that we use, but the platform to protect the platform that we use? And I don't know. I think I see that. Yeah, I think that becomes a problem.

Speaker 1:

But we both can agree that people are gravitating towards a platform play now, 100%? Yeah, no, 100%. But then your point stands, even more importantly, that you should use something else to secure it if you're putting everything in the platform. Yeah, no, absolutely.

Speaker 2:

I mean, you're a salesperson, right, you understand that at the minute people are looking at consolidation. They're saying, actually, can I reduce the number of vendors that I work with and get these larger platforms in order to protect my organization? And to a certain degree we see a lot of that happening. I guess SASE is kind of one industry where that's kind of happened, where, you know, zero trust is kind of combined into SASE and people are looking at, hey, have I got one platform play there? Maybe on EDR: you mentioned CrowdStrike, you know, SentinelOne and all those other good vendors that are doing some great stuff on the endpoint. That's almost a platform play there as well, from an EDR or managed detection and response, XDR type stuff. And then you've got what we've just described as human-centric cybersecurity as well, and I think that's the third platform.

Speaker 1:

They say identity is the new perimeter. How does identity have a relation to human-centric security?

Speaker 2:

It comes in a number of ways. So one is, account takeover is a real problem. The biggest source, I guess, of account takeover is usually credential phishing. We see things like multi-factor authentication phishing kits being used, where we all thought that that token would prevent people taking our account over, but actually it doesn't. We see some of these reverse-proxy phishing attacks: we're actually logging into the main websites and they're just stealing our session tokens and taking our accounts on from there. So that's a problem. And so again we're hooking in via APIs into Microsoft and actually working out, piecing it all together.

Speaker 2:

Say phishing came in. We know Matt clicked on a phishing link. After Matt clicked on the phishing link, a rule was set up in Outlook that says redirect emails to this place, or something along those lines. Or maybe a login happened from this particular site, or even another one, a third-party application, you know, those plugins to Outlook that we love to use, like to schedule a meeting or to book a Zoom or whatever it happens to be.

Speaker 2:

We see those apps kind of getting compromised, and they actually have permissions to the accounts as well. So being able to monitor that all forms part of the human-centric story, because we need to control identity, and identity's at the center. And it actually then goes beyond that as well, because if you get to the point where, you know, oh, my account's got compromised, I've got a small problem. We now need to stop that small problem becoming a much bigger problem, and the attacker ultimately is going to look to try and escalate privileges on the device, move laterally within the organization, before it then moves on to data, because it then finally gets into data loss. And, you know, data loss also forms part of that whole human-centric security piece as well.

Speaker 1:

I want to come back to data loss, but I had a colleague. He told me that I had to ask you about something. I keep forgetting what it was. It's probably because I don't understand it, but it's DMARC, DKIM, SPF, these things. What's happening in the world right now that makes those important?

Speaker 2:

So these are email authentication standards, right, and what they allow us to do is to say, okay, that email that we've just received, it came from a place that we know it should have come from. In other words, this isn't somebody trying to spoof and trying to send emails on our behalf from a domain. You know, is that a valid sender? Has it come from a valid host? We can check all of those things before we let that message appear in your inbox.

Speaker 2:

If those standards are in use and applied correctly, yes, because that's another big part of it. And they've been about for a little while, actually, to the point where a lot of governments around the world, and kind of national security and cyber security agencies in governments, turned around and said, hey, all our government, you have to be doing this. And some countries took that on board and some countries didn't. Denmark, for example, did an awesome job.

Speaker 1:

I was just going to say Denmark did that yeah.

Speaker 2:

They did. I think it was like 2020, maybe even slightly before that. They came out and said, hey, government institutions, you need to actually start enforcing this, because we want to take advantage of that and what it does. Basically, you know, it prevents people from spoofing domains, it prevents emails looking like they've come from somewhere that they haven't, and so that's a cool thing. The problem was, industry didn't really adopt that very much. Yeah, it didn't massively take off.

Speaker 1:

Was it complicated or something? What's up with that?

Speaker 2:

Yeah, it can be a lot of things. There's a perception of risk around it, right? If you're a big business and you send emails, the last thing you want to do is break email, because if you break email, that's a problem, right? Your phone is going to ring. That's an impact to the business. In fact, we did some analysis back in January that looked at the Forbes Global 2000, right, so the largest 2000 organizations around the world. I think it was more than one quarter of the Global 2000 that ultimately hadn't deployed DMARC to the right levels, and so that was disappointing.

Speaker 2:

And so what happened was Google and Yahoo at the same time, and also Apple, although they did it kind of quietly, came out with an announcement that said if you're going to send emails to people on our platforms, if you're going to send lots of emails to people on our platforms, you need to be using DMARC, you need to be authenticating your emails properly. They said a few other things as well around that, and that gave a huge amount of organizations a kick up the backside to say we need to deploy it, and so there was this big rush to try and get it done. I think it was before April, before those platforms turned around and said we're going to start rejecting emails at that point. And of course, if you think about it, if it's on Google, if it's on Yahoo, if it's on Apple, it's consumer. So it's really business-to-consumer type companies that we're talking about here. But they had to do it and they did, right, which is great. That was really, really good.

Speaker 2:

Now the knock-on impact has been that these companies can stand up and say, hey, we've done this authentication piece; in our business-to-business conversations, we now want you to do that authentication piece, because when you send me those emails with those invoices for those pieces of wooden furniture for me as the retailer to sell, I want to be sure that those emails are coming from your systems and they're not coming from anybody else. And so what we're starting to see now is organizations in their kind of supply and procurement contracts actually saying you need to do email authentication. And so we're at a point where email authentication, and DMARC specifically, has become not just a nice-to-have, it's become an essential part of kind of doing business. And so that's the perceived problem. It's not a problem, but it is a perceived problem.

Speaker 2:

It gives us that intelligence and ultimately it then feeds our overall picture as to what risk looks like for the business. Because now, in that same place where you see all your people risk, you can actually see all the risk that's associated with your brand as well. You know who's spoofing your brand out to the outside world, and it gives you that great visibility into that as well. So if you haven't done it, do it. Definitely look at it. In some cases it's a zero-cost thing. In other cases, you can work with companies like Proofpoint and others to help you do it without the risk, and it will make a huge difference to your risk profile. Not only just the messages that you're sending and the way your brand can be abused, but also how enforcing it on the inbound as well can make a big difference.

Speaker 1:

Who was that? I forgot who said it. But like, don't be a digital asshole, fix your DMARC. Yeah, and we talk in security about doing the basics, right?

Speaker 2:

We always talk about that. Like, people say, oh, you know, do the basics. Just make sure you're keeping your patches up to date, you know, patching those vulnerabilities. Make sure you've got a firewall running. Just do all those basic things. I kind of feel like email authentication is one of those basics now. Yeah, just don't be a doofus, do DMARC.

Speaker 1:

Architecture recommendations that you typically give your clients. What does that look like these days?

Speaker 2:

I think the vast majority of clients that we talk to, most of them are probably using Office 365, unless they've got some kind of reason that they can't, that maybe they're running their own mail servers on premises or whatever it happens to be, for confidentiality, jurisdiction, whatever that happens to be.

Speaker 2:

What we tend to talk about when we're talking about architecture is that overall story of pre-delivery, basically the journey of an email. Right, it's like what happens before it comes in, what happens once it's in, what happens when it's been sat in the inbox and someone's interacted with it. So that's pre-delivery, post-delivery, click time, and so for us, when we talk about email security as a platform, we do talk about those kind of three steps and making sure that you've got all those three steps covered in your security architecture, rather than just one of them, which seems to be the most popular, you know, with a lot of organizations, which is that they just rely on post-delivery. For those reasons we talked about earlier, that, you know, people interact too quickly with emails, it seems mad. So definitely, you know, thinking about the journey, the life cycle of an email and making sure that you're covering all the bases is kind of key in that architecture flow, I guess.

Speaker 1:

All right. So we've talked about AI, threat intelligence. Combine those two. What does the future of email security look like? I would assume it's something to do with those two.

Speaker 2:

Yeah, I think you're right. We don't know how the attacks are going to evolve, but we've kind of got a good feel for what those techniques look like. We also know that, actually, probably the hardest attacks to stop are the ones that are just the words. If there's something malicious in there, it's easy. We say it's easy, but, you know, we can find it. So we need to work out how, you know, attackers are getting creative, and we need to stay ahead of that. But we also need to think about, you know, what happens after the fact, what happens after bang, and often it's around data loss. We talked about email security as a platform. We talked about human-centric security ultimately being that platform. Data loss forms a big part of that, and I think that's a lot of where the future is going: working out.

Speaker 2:

Actually, does Matt regularly email Robbie? And if I do, maybe do I regularly email you invoices? Do I regularly email you attachments with lots of customer information in? Did I try and send you that email by mistake? Because we have all done this thing where you've tried to send an email to Matt, you've typed Matt in and it ended up going to a different Matt, the wrong Matt. That happens all the time. Or you put the wrong attachment on the email and you send the whole file instead of the subset of the data that you wanted to share. And so, where that falls now under the banner of email security, picking that up and saying, actually, did you mean to send that to Matt? Because normally you send it to the other Matt, and, like, maybe you should just change that.

Speaker 2:

So they'll stop it at one. Yeah, exactly. So we stop it when you send it, because it's a problem for everyone. We've all done that misdirected email, and in fact here in the UK we have the Information Commissioner's Office, right. So if anyone has a data breach or anything like that, they have to report it to the Information Commissioner. That's the kind of setup here, and they put a report together every quarter.

Speaker 2:

That says, you know, how do people lose data? And every quarter at the top of the list is misdirected email. Again, it goes back to being a human problem. It goes back to being a human-centric problem. It's like, I mean, it's not a problem, it's just the way the technology is built. It allows us to send things to the wrong place. It shouldn't do that. Also, what that has the added benefit of is, hey, Robbie, you're leaving the company right now, you've just emailed the company's contact database out to your Gmail account. Being able to stop those types of exfils as well. Did you really mean to do that? And that helps us kind of understand the overall picture and protect against the simplest and most common form of data loss, which is misdirected email.

Speaker 1:

Mr Cooke, do you have any closing thoughts?

Speaker 2:

I would just implore people to take a look, just to rethink email security. It isn't one piece of technology anymore, it is human-centric security, and to actually almost use human-centric as the lens that they look through when they're examining their security operation.

Speaker 1:

Well, human-centric security. Talk to Proofpoint, awesome, and mnemonic, hopefully. Thank you so much, Mr Cooke. Cool. Thank you, sir, have a great summer and we'll talk soon. Awesome, thank you. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast@mnemonic.net. Thank you for listening and we'll see you next time.
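Editor's worked example, added to this transcript and not part of the episode, of Proofpoint's products or of mnemonic's tooling: the DMARC check Matt describes, written out as code so the "is that a valid sender, has it come from a valid host" decision is concrete. It parses a DMARC TXT record, tests identifier alignment between the visible From domain and the domains that SPF and DKIM actually authenticated, and returns the disposition a receiver would apply. Everything in it is constructed: the `supplier.example` domain, its DMARC record, and the SPF/DKIM results are made up, no DNS is queried, and the organizational-domain logic is a deliberate simplification (last two labels) that a real receiver replaces with the Public Suffix List.

```python
"""Minimal DMARC evaluator: parse a DMARC TXT record and decide what a
receiver would do with a message given its SPF and DKIM results.

Added example for this transcript; not Proofpoint or mnemonic code and not
a complete RFC 7489 implementation. No DNS is queried: records and
authentication results are constructed inline. Organizational domains are
derived by taking the last two labels, a simplification that is wrong for
multi-label public suffixes such as co.uk (real receivers use the Public
Suffix List).
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, filling defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 required)")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= tag missing or not one of none/quarantine/reject")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("pct", "100")
    tags["pct"] = int(tags["pct"])
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (see module docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment between the RFC5322.From domain and the domain
    that SPF (RFC5321.MailFrom) or DKIM (d=) actually authenticated."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, record_domain, from_domain, spf, dkim, sample=0):
    """Return the DMARC verdict for one message.

    spf / dkim are (result, domain) pairs such as ("pass", "mail.example.com")
    or ("fail", None). sample is an integer 0-99 standing in for the random
    draw a receiver compares against pct=.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], rec["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], rec["adkim"])
    passed = spf_ok or dkim_ok
    if passed:
        disposition = "none"
    else:
        is_subdomain = from_domain.lower() != record_domain.lower()
        policy = rec["sp"] if is_subdomain else rec["p"]
        if sample >= rec["pct"]:
            # Outside the sampled percentage: RFC 7489 has the receiver apply
            # the next less severe policy instead.
            policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
        disposition = policy
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": disposition}


# Constructed record for a hypothetical supplier domain (not real DNS data).
SUPPLIER_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@supplier.example"

if __name__ == "__main__":
    # A spoofed invoice: the attacker's own envelope domain passes SPF but does
    # not align with the From domain, and there is no DKIM signature.
    print(evaluate(SUPPLIER_DMARC, "supplier.example", "supplier.example",
                   spf=("pass", "attacker.example"), dkim=("fail", None)))
    # The genuine invoice sent through a third-party platform: SPF cannot align
    # (the envelope domain is the platform's) but DKIM d=supplier.example does.
    print(evaluate(SUPPLIER_DMARC, "supplier.example", "supplier.example",
                   spf=("pass", "bounce.platform.example"),
                   dkim=("pass", "supplier.example")))
```

The second case is the one that trips up organizations rushing to deploy before the Google/Yahoo deadline: a sender that relies only on SPF breaks as soon as a mailing or invoicing platform sends on its behalf, which is why getting DKIM signing with an aligned `d=` domain in place matters before moving `p=` from `none` to `reject`.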
