Of course, as close as we are to Halloween, we had to incorporate the theme of the holiday in our TECH Talk today. I’m joined, as always, by Shahin Pirooz, DataEndure’s CISO and chief technology officer. Hello Shahin.
Hello, I’m out in the field, as you can see.
Just watch your back. That’s all I have to say. But, honestly, joking in place and aside, we do have adversaries who are looking to get us, whether we’ve got our backs turned or our lights off. And our cyber adversaries kind of tie into this whole idea of Halloween in a whole bunch of different ways. But if we just go back to the childlike time of trick or treat, we do have people that are taking advantage of organizations and individuals really around email, around phishing. If you take a look at what happens even more so around holidays, people really are at risk. And so we are tying in the trick or treat to our theme today.
And Shahin, I’m going to open it up to you, but let’s talk a little bit about how individuals within organizations really are challenged more and more with the things that look like the treats, or as something they should be paying attention to that are really our adversaries that are attacking us or are trying to attack us. And what is it that we can do, especially around the holidays?
So it’s always really good. A lot of companies, most companies out there today have embraced the notion of security awareness training. And it’s a critical piece of your education to your end users. And most security awareness training comes in the form of teaching them how to identify phishing attempts, because email, 98% of attacks start from email. So if we can start – if we can put a stop in front of that tide, we may be able to weather whatever storm is coming.
But the biggest issue that happens is the hackers are also already inside your network because they’ve been phishing for months waiting for the Black Fridays and whatever shopping events there are. They use those things to get people to click on links and they get a foothold inside your network. And they’re sitting there and they’re looking in. On average, it takes about 200 days before an adversary is identified inside of your network. So 200 days is a long time to plan your attack and to plan, find what data you want to exfiltrate.
And if you don’t find data to exfiltrate, then plan on encrypting the whole environment and getting ransom. It used to be that everybody was a target to hacking, and it still is to some degree, because the hackers used to take a shotgun approach and phish everybody, and as soon as somebody was on the hook, then they would reel them in. That still happens. But when we saw a 600% increase in phishing attacks in the beginning of COVID and where we’re at today with the rise in attacks and compromises in ransomware, all of that is still there.
So they’re still targeting mass numbers and trying to get people to click on links and do phish bait and all that, but there’s a lot of industries that are now starting to be targeted. And those industries are industries that are service industries to large organizations, because they don’t care about the small industry, they care about the large organization that a $2 million, $3 million ransom is like a drop in the bucket to. Yes, they can get all of the average mid-market companies at 100,000, 200,000, 300,000 ransom, but that’s not really their goal.
The ones who are doing those are usually the script kiddies who are doing a shotgun blast approach. But industries that have access to their customers’ networks, type organizations that have to manage the HVAC systems, or the electrical systems, or whatever for their customers. They now have a segue into that customer’s network, and so they probably have hundreds of those customer connections and therefore they’re a target. And they have been, they were one of the first actually, if we go back to the Target breach, they got in through their HVAC vendor.
They hacked the HVAC vendor whose security wasn’t as tight as Target, and got through the access that that HVAC vendor had. Fast forward to today, we’re seeing over the last two years that MSPs are now the target because MSPs have tools inside the network to manage the customers’ IT. And it really doesn’t matter what IT organization, it takes a lot of work to go and evaluate a company and their technology and what software they have and what information is important. But what if you can get access to tens of thousands of customers at one shot?
That’s the type of thing that hackers are looking for today. And that dormancy is what the trick or treat is, is they wait until holiday weekends when we’re eating our pumpkin pie, they’re busy trying to encrypt your environment. And if your lights are out and nobody’s watching then that’s when problems start to happen.
For sure, for sure. Or to use another Halloween example, they have a great disguise, right? So they’ve been able to get in, they’re able to put on whatever that disguise is and stay hidden until they deem the time is right where they can make the biggest impact or get the most financial gain out of it.
So coming back to your question, the things you can do, number one, I think advanced phishing is critical. So you’ve got to train your users to make them more advanced, more intelligent about the emails they see. And for the most part, most of our users today with the large amount of email phishing tests that we do against them, have really gotten a better sense of wait a minute, that doesn’t look like it’s from the CEO, the name is spelt wrong.
So the basic phishing stuff is easier to detect these days, but the hackers keep getting smarter. And obviously, the first level of defense is prevent those things from getting to the user. The problem is that most of our email security solutions are really focused on email hygiene. And they’re still stuck in the days of antivirus where they’re at the gateway detecting bad attachments. Or in some cases, the better ones are detecting links that go to known bad sites. But they’re really not looking at intent as much.
There’s a few platforms that are getting better and better at that, but all of the email hygiene, email security solutions out there are targeting messages as they go in and out of the gateway. So the problem with that is there’s already millions of messages inside your inbox that nobody’s looking at. And are there any dormant threats in there that somebody sent last year and now a user clicks on and you didn’t have the really cool email security tool last year, but you have a really cool one now.
Our approach, we have an advanced phishing prevention solution, which is our entire approach with security is always don’t rely on logs and throughput, have multiple sources of telemetry. And for email hygiene and email security, we take logs from the email hygiene solutions and from the email systems like Office 365, but we actually have an API integration into Office 365, where we go and we crawl every inbox and every message, and find dormant threats and block them from the user ever clicking on them.
So those first layers of defense take out 98% of the attacks that are coming into your environment. So if you do that well, the email security awareness training, or the security awareness training is only going to help catch that 2% to get through it. And usually those are going to be pretty complicated, new variants of phishing attempts anyway. I’ve had customers often ask me, so if I do your advanced phishing, do I need my X, Y, or Z email security tool? Yes, you need both, and you need to keep your KnowBe4 or whoever you use for your security awareness training.
I was at a conference this week, and I had a security expert tell me that this whole notion of layered security is BS. It’s not layers of security, it’s angles of security. And I cocked my head sideways and I said, “Can you tell me the difference between an angle and a layer?” He said, “Well, one is angular and the other one is layers like a cake.” And I paused and then I stared
both focused on multiple vectors, isn’t that what we’re really talking about? It doesn’t matter if they’re stacked or layered or if they’re coming from different directions.” He said, “Well, yeah.”
So whether you call it angles or you call it layers, you got to have multiple vectors that you’re protecting yourself against. It’s not a single – there’s no single golden bullet or golden ticket that protects you. And then I made the joke about the lights out, but at the end of the day, if we’re all at home eating pie and we have a SIEM or a set of security tools and nobody’s looking at them, I always say a SIEM without a SOC, it’s just like having a guard tower without a guard.
So if we’re all asleep at the switch, then it’s very easy for the adversaries to start to do something. The best time to catch them is in the first minute or two, when they’re starting their attack. That’s when you can thwart the attack and stop it, and prevent it from getting laterally back in your own environment. And some tools are really good at catching those things and stopping them in an automated fashion, but there’s never a substitute for security engineers monitoring your environment while that’s happening and taking action.
For sure, for sure. In the vein of Halloween and trick or treating, certainly we have put out there a lot of the challenges of what’s going on today and what the bad guys are doing. I’d like to provide a treat for our viewers. So with all of the tricks that we’re hearing are going up against them, as DataEndure, we do have a treat that we can put out there for our viewers today in the guise of an email security health check.
And Shahin, why don’t you describe that a little bit. And for anyone who’s listening, for anyone who is concerned, and maybe it’s not just about the holidays coming up, but if you think about your email security, if you think about how users and data are more and more distributed, and how really that single point of entry with email is so critical. We’d love to be able to help. And we’d love to be able to help you understand where exactly you are today and maybe what the opportunities might be to improve. So Shahin, let’s talk a little bit about our security health check.
It ties back to what I was describing earlier with our advanced phishing protection. For lack of better words, a mini PoC of that, we use the same platform to go in with API integration. It takes about five minutes to set up, and you set up a credential in your Office 365 environment so that our tool can go in and start scouring through your emails and find what evil lurks in the dark corners of your inboxes.
And as opposed to other email security solutions, like I said, we’re not looking for things when they go through the gateway, either inbound or outbound. We’re going to go crawl the entire inbox ecosystem inside your mail and Office 365 and inspect every single message and find the threats that lie there. But it doesn’t stop there. We also look at intent and behavior. We also look at protecting your brand.
So are your DMARCs set up properly? Who are your most targeted users? What are the types of attacks that you’re seeing? And in addition to all that, we also give you who’s your biggest at-risk user. So somebody who’s doing a behavior that looks like they’re getting ready to leave the company, or that user has malicious intent, whether it’s themselves or they got compromised. It’s literally a five-minute setup, and then within a week we have enough information to pull a report together and present you with what threats exist in those dark corners.
Well, that sounds like a treat that should not be missed, something that ought to be wrapped up in or unwrapped and consumed like a Reese’s Peanut Butter Cup or something like that. Well we’re going to keep it short today. We just really wanted to focus in on what we’re seeing folks struggle with mightily out there right now, which is email and email security, and just wanted to tie it in in a fun way with the holiday that we have coming up. But we really do encourage you.
We say this kind of tongue in cheek, but even if you think what you’re doing is good, even if you think, okay, we’re good, can you inspect that? Can you demonstrate that you’re good, and is good good enough? And we just want to be available to help you understand really where you are today. And if there are changes that you can make, if there are vulnerabilities or gaps that maybe you’re not aware of, we want to help eliminate those for you so that you see them and know and can act on them before someone with malicious intent can.
So please, if you are interested in this email security health check, please reach out to us on dataendure.com at the contact us. You can reach out to Shahin at firstname.lastname@example.org, and we’d love to get to some place for you and set you up. With that, we will wish you a happy and safe Halloween. Shahin, watch out for the guy at your back.
He’s getting closer.
And we will see you next month. Thank you everyone.
Happy Halloween, everyone.