A combination of humans and technology is needed to truly move the needle on email security
Understanding the email threat landscape – what is emerging, who the threat actors are, what the latest tradecraft is, and which commonly deployed attack techniques are effectively circumventing legacy email security technologies – is critical for an organization to protect itself. Every email that bypasses vendor email security technologies and lands in an employee's inbox is a potential source of significant compromise or loss of data.
The leading method for compromising someone is credential harvesting, and it is also the leading initial attack vector into an enterprise because it does not entail getting malware to the inbox – creating a blind spot for most Secure Email Gateways (SEGs). There is no way around it: the vast majority of companies will be attacked through credential phishing, and the SEG is simply not in a position to fully protect you. Luckily, your employees are human, and humans are exceedingly good at recognizing patterns.
YOU ARE UNIQUE, BUT YOU AREN’T.
Your company is indeed unique. You have ‘x’ employees, exist in ‘y’ vertical, operate using ‘z’ email provider, etc. All these variables do make you different. What is not different is that your company is made up of people who are both vulnerable and able to be trained to report suspicious emails, and your SEG has shortcomings that are exploited every day by nation-state actors and cybercriminals.
These truths are the foundations for a few key principles: 1) People must be encouraged to report things they feel are suspicious, and 2) Leveraging the power of the collective human ecosystem for detection, along with strategically applied technology solutions to scale response and remediation is how you deal with a continually changing threat landscape.
Technology doesn’t work in isolation; the SEG’s inability to block emerging threats is a great example of this. However, when you leverage human knowledge to create a feedback loop with appropriate technology in the fastest and most actionable way, you can create a crowd-sourced, self-healing email ecosystem that positions your company to be ahead of the threats that make it through the SEG.
MEASURING WHAT YOUR SEG DOESN’T SHARE
The number of blocked malicious emails isn’t a true measure of success in the land of email security; what matters is how rapidly the ones that got past the front-line controls are detected and prevented from turning into a data breach. It is the threat bypass rate that matters – the threats that bypass SEGs, which SEG vendors don’t share.
From a business perspective, this makes perfect sense: SEG vendors don’t have a vested interest in sharing what they missed. They don’t have visibility into what they missed, and though they do seek to improve their filtering, they don’t have a vested interest in highlighting how long it might take them to update their technology to improve that filtering. Security teams know this, and are often resigned to acknowledging that some percentage of bad email will get in.
No security solution is perfect. If it were, there would not be a multi-billion-dollar criminal industry hammering away at companies. However, the application of detection and response technology can turn the tables on the risk-reward equation for an adversary. This is evident in the expansion of tools that provide detection and response capabilities, such as MDR, EDR, XDR, PDR, etc.
A WORD TO THE SOC AND AWARENESS MANAGERS
A combination of humans and technology is needed to truly move the needle on email security: leveraging humans for detection makes it hard for attackers to predict whether or not their malicious emails will be identified, and using technology to automate response provides scale and speed in resolution. As soon as a SOC can part with the mantra ‘the human is the weakest link’, it can begin to see this for itself.
For the Security Awareness Manager, simulating threats that are as close to real as possible is critical. The threats you simulate must be relevant to the circumstances of the time, the demographics and regions, as well as the industry, scale and other external factors that influence your business and your employees. Thus, security awareness managers and SOC operators should work in unison to devise simulations that closely mimic the latest threats targeting your organization.
There is a full range of philosophies around how to simulate email attacks and how to deal with employees who fail tests. Punitive programs that admonish employees who repeatedly fall prey to phishing simulations, though tempting, create significant drops in reporting by employees and create an environment of mistrust between corporate security teams and the rest of the employee base; this is obviously counter-productive. I don’t recommend a three-strikes-you’re-out policy, and adamantly reject any policy that punishes employees for reporting emails that turn out to be benign. Positively reinforcing employees who accurately identify malicious emails, and gently guiding those who may have reported innocuous ones, fosters an environment of trust and learning, hence yielding the best outcomes.
Awareness teams should steer clear of hinging their programs on ‘click rates’ and instead focus on resilience, measured as the ratio of employees accurately reporting simulated attacks to those falling victim. Employees hate having their time wasted. Whenever the employee’s time is not respected, engagement drops, results drop, and phishing response doesn’t improve. However, when an employee is trained on threats that are known to bypass the technology stack you employ, and you share the knowledge that simulations are intended to be tricky but represent a real threat, you can position your employees to be your biggest asset.
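The two metrics this piece leans on, the threat bypass rate (what got past the SEG, which the vendor will not report for you) and the resilience ratio (reporters divided by victims for each simulation), are easy to get wrong when a campaign has no victims or when the same employee both clicks and reports. The script below is an added example, not code from the article or from any vendor; the campaign names, employee ids and SEG tallies are constructed sample data, and an employee who clicks and then reports is counted on both sides rather than written off as a failure, in line with the no-punishment-for-reporting stance above.

```python
"""Phishing-program metrics computed from constructed event logs (example, not the article's code)."""
from collections import defaultdict
from typing import Optional

# Constructed simulation events: (campaign, employee, action).
# Action is "clicked" (fell victim) or "reported" (flagged the message).
# One employee may appear under both actions for the same campaign.
SIMULATION_EVENTS = [
    ("sim-2024-q1-invoice", "alice", "reported"),
    ("sim-2024-q1-invoice", "bob", "clicked"),
    ("sim-2024-q1-invoice", "carol", "reported"),
    ("sim-2024-q1-invoice", "dave", "clicked"),
    ("sim-2024-q1-invoice", "dave", "reported"),   # clicked first, then reported
    ("sim-2024-q1-invoice", "erin", "reported"),
    ("sim-2024-q2-mfa-reset", "alice", "reported"),
    ("sim-2024-q2-mfa-reset", "bob", "reported"),
    ("sim-2024-q2-mfa-reset", "carol", "reported"),
]

# Constructed monthly tallies for real (non-simulated) threats: messages the
# SEG blocked versus messages that reached inboxes and were later confirmed
# malicious because employees reported them.
REAL_THREAT_COUNTS = {
    "2024-01": {"blocked": 940, "confirmed_bypassed": 60},
    "2024-02": {"blocked": 0, "confirmed_bypassed": 0},   # nothing observed yet
}


def summarize_simulation(events):
    """Return {campaign: (reporters, victims)} as sets of distinct employees.

    A click followed by a report keeps the employee in both sets: the report
    still gives the SOC a signal, so it is a partial success, not a plain miss.
    """
    reporters = defaultdict(set)
    victims = defaultdict(set)
    for campaign, employee, action in events:
        if action == "reported":
            reporters[campaign].add(employee)
        elif action == "clicked":
            victims[campaign].add(employee)
        else:
            raise ValueError(f"unknown action {action!r}")
    return {c: (reporters[c], victims[c]) for c in set(reporters) | set(victims)}


def resilience_ratio(reporters, victims) -> Optional[float]:
    """Reporters divided by victims. None when nobody fell victim, so a clean
    campaign is reported as 'no victims' instead of raising ZeroDivisionError."""
    if not victims:
        return None
    return len(reporters) / len(victims)


def bypass_rate(blocked: int, confirmed_bypassed: int) -> Optional[float]:
    """Share of known malicious mail that got past the SEG; None when there
    were no known threats in the period at all."""
    total = blocked + confirmed_bypassed
    if total == 0:
        return None
    return confirmed_bypassed / total


def program_report(events=SIMULATION_EVENTS, threat_counts=REAL_THREAT_COUNTS):
    """Build a per-campaign resilience table and a per-month bypass table."""
    out = {"campaigns": {}, "bypass": {}}
    for campaign, (reporters, victims) in sorted(summarize_simulation(events).items()):
        out["campaigns"][campaign] = {
            "reporters": len(reporters),
            "victims": len(victims),
            "clicked_then_reported": len(reporters & victims),
            "resilience_ratio": resilience_ratio(reporters, victims),
        }
    for month, counts in sorted(threat_counts.items()):
        out["bypass"][month] = bypass_rate(counts["blocked"], counts["confirmed_bypassed"])
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(program_report(), indent=2))
```

With the constructed data the Q1 campaign scores a resilience ratio of 2.0 (four reporters, two victims, one of whom also reported), the Q2 campaign returns no ratio because nobody clicked, and January's bypass rate is 0.06; a real deployment would feed the same functions from the simulation platform's export and the SEG's block counts.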
It is by combining the wisdom of the collective with the wisdom of your specific employees, and responding to that wisdom promptly and efficiently through the application of technology, that you will stay ahead of email threats.