Kirstin Burke (00:00):
Hello, and welcome to our June version of Tech Talk. I am Kirstin Burke, and I am here with Shahin Pirooz as always. Hello, Shahin.
Shahin Pirooz (00:12):
Hello! I can’t believe it’s June already.
Kirstin Burke (00:14):
I was gonna say it’s not June already. It’s July in a few days.
Shahin Pirooz (00:17):
I know, but when you said June, I was like, wait, what?
Kirstin Burke (00:19):
Well, I had to think about it. I’m like, where are we? So, welcome. We hope you are enjoying your summer, your fleeting summer, as are we. Thank you for joining us.
We are talking today about something that is probably near and dear to everyone’s hearts, simply because we all use it, as users, whether you’re business or personal. It’s email, and it is our key communication tool now, besides texting, and one of the issues that we have, and that is growing and growing and growing, is email security. And we wanted to talk today about what is going on and why email security is falling so far behind. And you don’t have to look far to see the evidence of this. 93% of all attacks, successful attacks, start with email. 74% of breaches involve some kind of a human element. So, social engineering, things like that. And then 50% of all social engineering attacks are pretexting. And that’s something that’s really kind of evolved more and more. And in fact, it’s doubled over the last year. So you kind of look at all these things and say, what the heck is going on? And shouldn’t this be easier to protect against? So we wanted to talk about that today. So Shahin, lead us off, what’s going on? What is the issue?
Shahin Pirooz (01:53):
Yeah. Before we jump into that, we just got some breaking news from a handful of customers that are on Google Workplace. Google three days ago notified customers that there’s something wrong with their spam engines and they’re working on it. We have some very small customers that have notified us that they’re getting 500 spam messages a day. Oh, wow. And in a single mailbox. And so it’s an example of one of the things we rely on: gateway-based email security solutions. If those gateway-based email security solutions fail in any way, you get an example like this, where you’re getting a flood of unwanted emails in your mailboxes. But what’s really the bigger problem is some of those messages are actually malicious.
They have links to bad sites. They may look like they’re coming from Amazon or from other shopping places, but in fact, when you click on them, they attempt to do credential harnessing. They attempt to capture passwords for people, effectively. So really, what we’re struggling with in email security historically has been that email security is just like traditional antivirus was to today’s EDR platforms. It’s a file-based solution. It’s based on definitions and signatures and heuristics. There’s an attachment that looks like it’s malicious, or we know that the URL in this message is not going to Amazon, but the message looks like it’s coming from Amazon. So there are some heuristics that are happening to try to weed out the majority of the unwanted spam in general and antivirus messages, but also trying to break into this phishing tactic that hackers are using.
The challenge is, email gateway solutions are basically a sieve. You are pouring millions and millions and millions of emails through it for a given company and hoping that the holes in the sieve are the right size to stop the bad stuff. Mm-hmm. But if they’re too big, and the hackers keep making the bad stuff smaller and smaller to look more and more like a regular email, it’s gonna get through. The other thing we heavily rely on, in a lot of conversations I have in pre-sales with customers, they say, we’re good with phishing protection. Mm-hmm. We have company X, Y, or Z. And you know, there are some great technology companies out there that do gateway email security. Google themselves acquired Postini years ago. Microsoft acquired a company called Antigen and they integrated that into their email security portfolio.
So the big email providers, Microsoft and Google, have their own email gateway solutions and security solutions on the front end. And then there are third parties who add a layer of security on top of that, but it’s still a gateway-based solution. And what it means is that the emails are going through the gateway first. It’s getting checked for: is it good, is it bad? Is it malicious? Does it look funky? And they quarantine it, and then the user has to go into the quarantine and look at it and say, this was real, this was not. And it learns over time. Those are the heuristics we’re talking about. And with the learning over time, if one of your users says this was good, but it wasn’t good, now it’s taught the heuristics something wrong. And so there’s a lot of human behavior that creates problems in this ecosystem.
So what do we do? We jump to the second thing, which is email security awareness. We’re good. We have gateway and we have email security awareness. We’ve got, again, a list of 10 companies that are great at email security awareness training and simulated phishing at best. The challenge with that is you’re still relying on your people to be your security tool, your security control, and I don’t know about you, but sometimes I run too fast and I click something, and I am in the industry. I ought to know better, but I still do it. Yeah. I’ve been caught by our simulated phishing attacks, and as soon as I click it, I knew I did something wrong. And then I get prompted, right? That says, oops, you did something wrong, your company’s protecting you, don’t do this. This is bad. You’re going to training. And so if someone who is a practitioner and has been doing this for 30 years can get caught by something, how do you expect your person in finance to be able to a hundred percent of the time not do that?
Kirstin Burke (06:33):
Well, and I think the adversaries are so creative, right? And the social engineering tactics are evolving so quickly, right? I mean, the commonality is they prey on the good side of our human nature, right? Yeah. We want to help, we want to fix. So they’re preying on the good nature of someone, or they’re preying on fear, right? Oh my gosh, something’s happened. I have to fix this. Yep. And so to your point, you know, we’re asking people to be a very strong first line of defense. And I read a great article last week that said, you know, the cybersecurity vendors have to be better at people-proofing the solutions. Which is a great point, except at the end of that line is always the person. Yep. And on top of that, we blurred personal and work, right? You know, on your iPhone, right? You’re picking up your work email and your personal email, on your work laptop, your access to your Google Mail. So we’ve got people already that can be fooled. We’ve got devices that are working with both personal and corporate data. And so even if the company is doing a great job with their email, I go to my personal Gmail and do something, and I could do much harm to the rest of my access to the corporate file. So a hundred percent, so complicated. Yep.
Shahin Pirooz (08:07):
Yep. A hundred percent. The attacks that are coming in, the social engineering attacks that are coming in, and with social engineering people usually think about somebody’s picking up the phone and calling and pretending like they’re somebody. We’ve evolved to where we’re not doing that, and we, meaning the bad actors, are not doing that as much, but they’re doing it through email. So they’re now social engineering through email. One of the most common ones over the last five years or so was you get a text from your CEO and then an email from your CEO saying, I’m in Boca Raton and I need you to transfer $10,000 to my personal account. Here’s the account number. And it used to catch people, and people did it and lost money. And it was frustrating. That was account impersonation.
They were impersonating, and what they were typically doing was creating an account that looked very similar to the CEO’s name and sending it, and fooling people into not paying attention to an L instead of a 1, or a 1 instead of an L, and a 0 instead of an O. Those types of things. So it was very easy to make mistakes. Fast forward to today, and the biggest attack vector right now is BEC, business email compromise. And what’s happening is it’s a man-in-the-middle attack where the hackers are compromising somebody’s account, either on the vendor side or the customer side, and they’re watching traffic. They’re not doing anything. They’re just sitting and watching traffic. And the way they do this is first by phishing and doing a password capture, and then they log in and just watch.
And when they see something that comes in, let’s say from a vendor to an accounts payable person that says, you haven’t paid this invoice, they immediately follow up with an email that looks like that vendor’s domain to that person that says, by the way, please change the account number to this one. We just changed our bank. Here is the new one. I can tell you a dozen conversations I’ve had where people have lost hundreds of thousands of dollars on that simple social engineering trend. Mm-hmm. And again, we are relying on our people to be able to see the Ls instead of the 1s, that it’s not abccompany.com, it’s abc.xyz, and things like that. So it’s very hard to be able to notice without paying detailed attention to every email, and how many of us have time to pay that kind of attention?
So fast forward to what the market is saying, what the analysts are saying: we believe there’s a better way. And again, we try not to be salesy here, but we’ve got an advanced phishing protection suite that is really designed around after the mailbox, after the security awareness training. Once it hits the mailbox, passes and bypasses the gateways, and is in the mailbox, how do we find threats inside the mailbox? How do we find threats in your drives, your Google Drive and your OneDrive and SharePoint, all those areas? And that’s probably the area where most of the manufacturers out there in terms of email security are trying to get into, but they’re not doing a great job at it yet. They’re really coming from a mindset of traditional AV versus behavior and EDR.
So being able to spot impossible log-ons, being able to spot account takeover, password capture, the BEC compromises, being able to model the types of conversations somebody normally has and baseline it and say, this person’s intent and tone is very different than normal, and setting off flags. Those are common things that are starting to become prevalent in the email security space. We’ve been doing those for years, and we think that is, we’ve always said, XDR should be much more than endpoint and firewall. We believe that DNS and the advanced phishing protection we’re talking about are critical to that portfolio, but like you were discussing, it’s not just in the inbox. It’s not just your corporate email. I’ve got my Gmail account, my personal account, all my accounts coming into my single mailbox on my Mac.
And so what happens if I’m relying on me as a security control and I click on something not in corporate email, but in my personal email on my corporate machine, and I go out to a bad site, and then it says, you need your Office 365 credentials to get to this document. And unwittingly, I type it in and we’re off and running. Mm-hmm. Now we’ve got a business email compromise account takeover. If I’m an admin, now I’ve got a risk of a hacker capturing my domain admin account, mm-hmm, coming into my Azure and AWS environments, compromising my servers, encrypting the environment, and now we have a ransomware situation. So how do you protect against that? And that’s where the DNS defense is missing. No matter where your users are, 80% of malware requires DNS to function. So if you can block that 80% from getting the command and control, from doing C2 callbacks, from bypassing DNS by going to IP directly, you’re going to take the lion’s share of those phishing attacks and cut ’em off at the knees.
Kirstin Burke (13:44):
Well, it would seem, so I’ve heard two things. One is layers. So it seems one of the issues, when we go back to why we are falling behind, is that we’re relying on two layers that are farther from the user, and that if we can put additional layers in between X and the user, inside the mailbox or whatever, to just continue to winnow away at wherever that risk might be, that’s a good thing. And then we’ve got this data, devices, people everywhere issue that we have to factor in. Yep. Why are we falling behind? Because everyone went home, or everyone, you know, went remote. And so now organizations had to adapt so that users could have broader from-anywhere access, but email security probably wasn’t ready to accommodate the implications of that.
Shahin Pirooz (14:40):
Yes.
Kirstin Burke (14:41):
So, in understanding all of that, how does, I mean, you’ve talked about DNS, you’ve talked a little bit about email security. How does someone think about defending this? I mean, it seems like you really need to know the DNA of the attacker to effectively defend it, which you do, which DataEndure does. How does someone move forward effectively? I mean, with as complicated as this is?
Shahin Pirooz (15:18):
We’ve said, you know, over the several years of tech talks, we keep repeating one thing, which is you have to have layers, and layers in depth, to be able to protect and secure your environment. So the five core layers we always talk about are: you have to have email security, you have to have DNS security, endpoint security, network security, and then you need 24x7 operations monitoring, correlating all of the data that comes from those things. In total, for an organization who wants to build a proper stack to do what I just described, you’re talking about 20 to 30 tools and a 24x7 operations team monitoring those tools. So it’s not an insignificant lift to get there, which is effectively why, if you look at the Gartners and the Forresters, they keep talking about how MSPs are the way to go, and it’s because of this challenge.
How do you make that lift when you’re, you know, under a 5,000 seat company? You’ve got so many things you’ve gotta focus on to make you successful and differentiate you from your competitors. How do you now make that kind of investment in time and energy and people and technology to do what we just described? It’s very difficult for a company below 10,000 seats to have the security subject matter experts that can cover, mm-hmm, all 20 to 30 of those tools. So what companies like us bring to the table is the selection of technologies that make sense, the integration of those technologies. And what’s a little bit different about us at DataEndure is we’ve productized this so that you don’t get handcuffed into a technology. Right? We do continuous improvement, where if this particular email gateway solution is no longer good, we’re going to change it across all of our customers.
As a matter of fact, we happen to be making that transition right now for our customers. If this particular EDR solution isn’t good, we make that change across all of our customers without having to come in and do a TCO or resell. It’s just an underlying engine, mm-hmm, beneath the surface of what we do. And that advantage makes us unique in the space, in that it’s a continuously improving security portfolio of best-in-class technologies. Mm-hmm. And it’s not static tech. I’ve said before, security companies, technology companies, have a five to 10 year at best lifespan. Mm-hmm. Their technology becomes old or defunct or starts to fade away in terms of efficacy, as new companies come out and new ways to protect against new threats come out. And they can’t keep up because of their technical debt.
A company like us who integrates commercial products doesn’t have that problem. Mm-hmm. Because when that five year time span expires, we put in the next new cool, shiny thing that does all the things we say we do, and we productize it in such a way that those features make sense. So how do you address it? You build a DataEndure is the short answer. Mm-hmm. You do that internally, or you look for somebody like us that can help you cross that gap and put in the controls that are gaps today. We’ve talked before about our economic roadmap, which helps to identify where you have holes in your security portfolio based on that five layer security model, mm-hmm, that we talked about, the security maturity model, and then you implement the pieces and parts that make sense. And over time you’ll make transitions to a fully managed security offering, but it’s at the times that your software comes up for renewal, or refreshes need to happen, or the technologies become defunct and it’s reached its five year limit, or whatever decision point you have. Right. And in the meantime, how do you know? Security health checks.
Kirstin Burke (19:19):
Yeah. Yeah. Well, it’s interesting, going back to the topic, you know, why is email security falling behind, and hearing you talk, it seems it’s falling behind because people are thinking of it solely as email security. Yeah. And if you’re looking at these varying areas as point solutions or as piece parts, you’re going to have those gaps, right? You talked about all of these dependencies, mm-hmm, for email security or for the efficacy of your whole security posture. And if someone is just out there shopping and saying, oh, I need an email security tool, but you’re not aware or thinking about the implications everywhere else, you’re gonna fall behind. Mm-hmm. And so hearing you talk about it and talk about the layers, while it does seem overwhelming, it makes a lot of sense, right? That you’ve got these attacks coming from everywhere. You’ve got new attacks that haven’t been created, they’re gonna come at you. And so having someone who has built innovation into the model so that you don’t feel it when it’s changing, but it’s continuously adapting to stay on par with the adversary, right, seems like a win. Yes. For sure.
Shahin Pirooz (20:37):
Yeah. You know, I would say I’m slightly biased on that topic, but I agree. It’s probably the biggest challenge in my career, it has always been how do you continue to do technology evaluations and refreshes while not losing the integration between technologies. Mm-hmm. And 30 years of doing that has gotten myself and my team, which has significant tenure with me, mm-hmm, by the way, mm-hmm, so that helps, I don’t have to retrain from the ground up. Integrating technologies becomes part of the core of how we operate. So there’s a constant evaluation and integration cycle that happens, and we pick technologies that will integrate, that meet the needs, that have the features and capabilities we’re talking about, and more importantly, are effective. They have the efficacy to do what it is we’re trying to accomplish.
Our goal at the end of the day, if you think about some of the pricing models out there, SIEM solutions in general, and a lot of the SOC-as-a-service players, the more garbage you throw at them, the more data, the more logs, the more alerts, the more events, the better it is for them, the more money they make. So the incentives are all broken in this industry. The incentive is not to clean you up, because if they clean you up, they lose revenue because there’s less data in the SIEM. We don’t work that way. We’re literally a price per endpoint per month that covers all those moving parts, that is really charging a fair price to protect the environment and has this holistic view. XDR for us means much more than endpoint. Yeah.
I remember a common peer of ours. I created an offering decades ago. That offering was called R3. And it happened to include three technologies, and he added two more technologies to it and called it R5. R3 was an acronym. And so it didn’t make any sense. And that’s kind of how I feel XDR is: we had EDR and we decided to add management to it. So that became MDR, and then we added firewall logs to it. That became XDR. That should have been MDR plus firewall logs, not extended detection and response. And that’s the biggest frustration I have in the marketplace today. And the reason I bring up XDR is because email security is a factor for us, mm-hmm, in our XDR portfolio. You have to have all those five layers in XDR. If you don’t, you’re not actually extended. Exactly. You’re doing endpoint.
Kirstin Burke (23:14):
Yeah. Yeah. Well, and I think if you go back to what is the end goal here? Yeah. Right? Whether it’s email security, what is the end goal for any organization, mm-hmm, it’s to reduce dwell time, right? You talked at the beginning about where, you know, someone gets in and then they just sit and they watch. Yep. Right? That’s dwell time. How long does somebody have in your system to wreak havoc? And so when you think about what any solution ought to be able to answer and do for you, it is: what are you doing to help me reduce dwell time? And we use this phrase, we say it’s all about time. Yeah. So you’ve got the dwell time that is a priority. And then I think for organizations, for building it, implementing it, integrating it, that is a time suck, right?
Just to roll out one tool, but think 2, 3, 5, 20, however many you’re talking about, companies don’t have time today. This is not an area that you want to spend six months, nine months, 12 months getting right. I mean, you gotta get it right now. And the adversary is not waiting. And you’ve got people, you know, all over the place trying to break down the door. And so I think if you look at those two time advantages, right? Take it away from the adversary and give it to you by accelerating how fast you can have a healthy posture. That’s what we’re all about here. And however it is we can help people get there. That’s why we have the economic roadmap. We know you’ve already spent some money, we know you’re already invested, but where is it? What is the low-hanging fruit? Where is it that we would advise you to shore up or to think about investing in? The security health checks: you know, where is it that you might be at risk now? These are things that we offer on a complimentary basis because we care about time. Yep. We care about those moments that you have to get more secure before someone else knows that you’re not.
Shahin Pirooz (25:16):
And most of the entire security world is a reactive world. Mm-hmm. So we create what the world looks at as realtime protections. And realtime protections means what? Something bad happened and in realtime we stop it. Mm-hmm. That’s too late. Right. Everything that you just said is about the dwell time and what happened the six months before the attack happened. Mm-hmm. And that’s the important data that helps us to identify there’s malicious activity in the network and we need to stop it before they take hold, before they take root, before they do something. And it doesn’t always take six months. The average number in the industry is about 200 days. But there are much shorter attack windows that we’ve seen in incident responses. But ultimately, another factor to our approach to this is, I mentioned that our incentives are tied to reducing threats and events and alerts in your environment.
Part of the way we do that is we do two things that are very proactive that nobody I’ve seen does. Number one, we integrate vulnerabilities into the threats and the events, and the correlation of those vulnerabilities to identify, in behavior, is somebody targeting a system that has an exploit. And if they are, alarm levels go up. Number two, we do continuous pen testing inside and outside the network, and external posture and cloud posture management. And that’s included in our XDR service. Those are like, if you just think about the things I said: email security, I mentioned there are three factors. That’s three tools. The DNS defense, there’s obviously something at the firewall, but something distributed, there are at least two or three tools there. Endpoint security, you want a file-based antivirus solution to protect against the file downloads and all that. But then you also need an EDR. There’s another two tools. Network security, you want VLANs and hypervisor-based and cloud-based security and segmentation and VPN or ZTNA. Now you’re talking four or five tools, and you just keep going. Then you add a SIEM, then you add vulnerability management, then you add risk management and posture management, and then you add 24x7 staff to monitor all that. For a hundred-person company, you’re looking at about half a million dollars a year to operate that.
Kirstin Burke (27:39):
Just to protect your data.
Shahin Pirooz (27:40):
And we come in at 70% less than that on average for a company of that size. So it’s intense security up and running in 30 days. Yeah. Comprehensive. I said I wouldn’t sell, but I sold.
Kirstin Burke (27:59):
Well then, here’s the thing. You know, we care, yes. And so, you know, we see these organizations and, unfortunately, some of them, we come in to fix something that’s already gone wrong. And you know, even the folks that we speak to in a pre-sale cycle, right? We care about helping organizations do what it is so hard for them to do on their own. And we care because there are literal bad guys out there, right? This isn’t driving down the road and saying, oh, I hope I get to where I’m going today. You know, I hope there are no accidents. I mean, this is like you driving down the highway with bullets and rockets and cars and things being thrown at you all the time. I mean, this is what this environment is like.
Yep. And we know more than the average person because we see it all the time. And so we do care about helping organizations be aware, if nothing else, be aware of what’s going on in your environment now so that you can understand how to best defend it. So thank you. And I know we went a little deep and I know we went a little wide, you know, but the topic was email security, and I hope we shed a little bit more light on that, and some of the factors that maybe you want to be thinking about that you’re not. The key takeaway is it’s not just about email security, I think. And if you are curious how you stack up, if you’re curious whether the investments that you are making or planning are the right ones to be thinking about, let us know. We’re happy to do this economic roadmap for you. We’re happy to do a security check, a vulnerability check, a security controls check. So just reach out to us. And with that, we will wrap up. I will pause to recognize the July 4th holiday that is coming up. So we thank any and all of you who are in the military, who are military families, who take care of our country. We salute you and thank you. And we will see you again in July. Take care.