Interviews | November 2, 2018

Companies three times more likely to get breached by identity-based attacks. Interviews with Agari, NCC Group, and Tenable

AJ Shipley
VP of Product Management

Mark Langton
Director of Sales, EMEA

Agari

Q1. AJ, what do organizations need to understand about identity deception and how to protect against it?

Identity deception is at the root of advanced email attacks, including account takeover, spear-phishing and business email compromise. The most common attack vectors are spoofing the email address, look-alike domains and display name deception. All of these attacks target the vulnerability of human perception by incorporating social engineering and publicly discoverable information to craft convincingly authoritative messages, such as a fake request from a CEO impersonator to wire money to a fraudulent bank account. Traditional email security solutions, such as legacy secure email gateways, are typically unable to detect these attacks because there is no malicious content, such as malicious attachments or malicious URLs.

Artificial Intelligence is the solution. As a next-generation secure email cloud, Agari has global telemetry data of more than two trillion emails each year, which generate more than 300 million machine learning signals on a daily basis to create trusted identity graphs. Instead of trying to detect the bad, Agari first models the good and then detects deviations from it.
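The three vectors named above (exact-address spoofing, look-alike domains and display-name deception) can be illustrated with a small "model the good, flag the deviation" check. This is an added example written for this page, not Agari's code: the trusted-sender baseline, the homoglyph table and the four sample messages are all constructed here, and the SPF/DKIM result is read from a simplified Authentication-Results header rather than computed.

```python
"""Toy identity-deception detector (added example, not Agari's code).

Baseline the known-good sender identity, then flag messages that deviate
from it: a trusted domain that fails authentication, a domain that only
looks like a trusted one, or a trusted display name on an unknown address.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline (assumption): what prior legitimate mail taught us
# about one trusted contact and the domain the recipient's company uses.
TRUSTED_SENDERS = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Single-character substitutions attackers use to build look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Multi-character substitutions that render almost identically.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions so look-alikes compare equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    for pair, single in MULTI_CHAR:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw_message: str) -> list:
    """Return the identity-deception indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Simplification: trust the receiving MTA's Authentication-Results header.
    # A production check would also require DMARC alignment of the passing
    # identifier with the From domain.
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = "spf=pass" in auth or "dkim=pass" in auth

    findings = []
    if domain in TRUSTED_DOMAINS:
        # Exact-domain spoofing: claims a trusted domain but fails authentication.
        if not authenticated:
            findings.append("spoofed_sender")
    else:
        # Look-alike domain: authentication may pass because the attacker owns it.
        norm = normalize_domain(domain)
        if any(norm == t or edit_distance(norm, t) <= 2 for t in TRUSTED_DOMAINS):
            findings.append("lookalike_domain")
    # Display-name deception: a trusted contact's name on a different address.
    known = TRUSTED_SENDERS.get(display_name.strip().lower())
    if known and known != address.lower():
        findings.append("display_name_mismatch")
    return findings


# Constructed sample messages (not real traffic), one per scenario.
SAMPLES = {
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
        "Subject: Q3 numbers\n\nSee attached.\n"
    ),
    "spoof": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Authentication-Results: mx.example.com; spf=fail; dkim=none\n"
        "Subject: Urgent wire\n\nPlease wire today.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@exarnple.com>\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
        "Subject: Urgent wire\n\nPlease wire today.\n"
    ),
    "display_name": (
        "From: Jane Doe <jd.ceo.office@gmail.example.net>\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
        "Subject: Are you at your desk?\n\nNeed a favour.\n"
    ),
}


def scan_all() -> dict:
    """Classify every sample; returns {name: findings}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:13s} -> {findings or ['clean']}")
```

The point the example makes is the one in the answer: none of the four messages carries a payload, so a content scanner sees nothing, while a baseline of who normally sends as "Jane Doe" and from which authenticated domain separates them immediately. The look-alike sample trips two indicators because the attacker both registered a near-identical domain and borrowed the trusted display name.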

Q2. Mark, what do you see as some of the trends driving demand for email security technologies? What are some of the questions enterprises need to be asking when shopping for such tools?

As businesses navigate through their own digital transformation and embrace cloud and SaaS services, their attackable surface radius increases. Despite decades of technical development and billions of dollars of investment, cybercriminals are bypassing traditional defense systems by simply attacking the human part of your network and tricking people into trusting an email they shouldn't. It's a vicious Catch-22 in which a systemic lack of trust throttles growth.

The stats are shocking. Companies are three times more likely to get breached by identity-based attacks than actual vulnerabilities or malicious content. Phishing alone represents 98% of all identity-oriented attacks, and email is still the entry point 96% of the time. According to the FBI, BEC victim dollar losses are 50+ times more than malware and ransomware combined. Legacy security systems simply aren't working, because there's no malware or malicious content to detect. In short, we're facing an epidemic of identity deception—and it's costing us more than we know.

The impact is an erosion of our ability to rely on the very digital business processes that are meant to fuel our growth, revitalize our economy, and transform our industries. The real cost is a loss of trust in business, period.

It doesn't have to be this way. Agari's ingenious use of predictive AI to automatically detect and block these kinds of identity-based attacks is changing the game for individuals, businesses and government agencies of all kinds. No longer do we have to fall victim to impostors preying on our trust in each other.

Q3. AJ, how can behavioral analysis approaches help address existing and emerging email, and endpoint security threats in general?

Agari Identity Intelligence applies artificial intelligence in a unique way. Historically, the cybersecurity industry has spent decades and billions of dollars trying to anticipate, defend against and to recover quickly from what cybercriminals are doing. But the problem is it's nearly impossible to model what cybercriminals are doing in any meaningful way. And as soon as we figure out how to defend against one kind of attack, they adapt and change their approach. The malicious actors literally have a near infinite number of ways they can craft exploits to target any number of vulnerabilities. But Agari innovated a solution that instead uses predictive AI and machine learning to zero in on what known, trusted communications look and act like. In short, by modeling the good instead of modeling the bad, organizations and individuals can finally stop fighting a defensive, reactive battle and get one step ahead of cybercriminals.

Agari Identity Intelligence first engages in Identity Mapping, answering the question, "Who do we believe is sending this message?" Using machine learning, we examine a number of known "identity markers" such as the underlying email account, the display name and even the subject line. Second, we look at behavioral analytics, answering the question, "Does this message itself act like it came from this person?" The system analyzes 100+ aspects of an email's behavior, including its origin, destination, routing, time it was sent, etc., to detect signals of fraud. Third, the system conducts Trust Modeling to look at historical interactions between the real sender and recipient, and identify tell-tale signs that somebody is impersonating a trusted contact. All this is conducted in a fully automated, AI-driven solution that gets smarter every time it analyzes an email. Agari now analyzes more than 2 trillion messages each year and more than 50,000 new domains each day, and derives more than 300 million signals for our models daily.

Q4. Mark, what is Agari's main messaging focus at Black Hat Europe 2018?

Agari is on a mission to secure digital communications that ensure humanity prevails over evil. We fulfill this mission through the Agari Secure Email Cloud™ -- a next-generation cloud that uses predictive AI to detect, defend, and deter costly attacks driven by social engineering, phishing, and Business Email Compromise. Legacy Secure Email Gateway (SEG) solutions have not adapted to the mass migration to cloud-native communications and new attack types based on identity deception. The next generation of email security controls requires context inspection for impostor defense, behavioral anomaly detection, automated post-delivery remediation, and AI-driven machine learning models.

The Agari Secure Email Cloud fulfills these requirements and also includes capabilities found in legacy SEGs, including URL analysis and attachment analysis. The remaining legacy SEG capabilities have been consolidated and commoditized into features of cloud email providers, including Office 365 and Google Suite. Agari provides the first, and only, advanced email security controls to protect the cloud inbox from advanced email attacks. In a cloud-first world, all you need is Agari Plus Office 365 or Google Suite.

Matt Lewis
Research Director

NCC Group

Q1. What were some of the main takeaways from NCC Group's recent analysis of vulnerabilities and vulnerability disclosures over the past nine years?

The main observation from our analysis has been that there is much room for improvement in the overall coordinated vulnerability disclosure process. Many organizations lack an understanding of the process and/or any capacity to engage in such a process. As a result, many vulnerabilities either go unpatched, or take an alarmingly long time to be resolved, putting consumers of those vulnerable products or systems at significant risk.

We also found that vulnerabilities such as SQL injection (SQLi) and Cross-Site Scripting (XSS) are still incredibly widespread and continue to be discovered in new web applications and frameworks, despite there being a myriad of advice and guidance out there on how to mitigate such vulnerabilities. This reveals that the messaging around secure software development and recommended secure software design patterns is not propagating within the developer community.

Our analysis did however identify some hope for the future of secure software development. Some classes of vulnerability appear to have diminished in their discovery and exploitability; notably memory corruption flaws, which while still discoverable are typically harder to exploit these days due to improved operating system memory protection capabilities, in addition to increased use of managed code which reduces many of the native code vulnerabilities that came with languages such as C and C++. Other classes of vulnerability that appear to have reduced in number include XML-based issues, presumably due to increased use of notations such as JSON, and encryption flaws, which likely pertains to fewer instances of developers "rolling their own" encryption who instead use more secure, peer-reviewed third party crypto libraries.

Q2. The report recommends more aggressive vulnerability disclosure timelines if vendors aren't cooperative and organizations get exposed to risk as a result. But given the speed at which adversaries can exploit newly disclosed flaws these days, wouldn't accelerated disclosure only make matters worse?

Potentially yes, and herein lies the difficult balance and risk judgment call that nobody really wants to make. Certainly our intention is never to render products, systems or the Internet at large, more vulnerable by way of any disclosures. However, if disclosure is the only way to get vendors to engage and react to vulnerabilities in their products, then there is a compelling argument for doing so, particularly if the disclosure isn't providing a direct, working exploit for found vulnerabilities. A disclosure could be a high-level statement that critical vulnerabilities exist in version X of a product and that those affected should investigate mitigating controls in the absence of a confirmed fix or workaround by the vendor. Any technical detail or proof of concept exploit of such vulnerabilities need only be shared with the vendor to impress upon the true risk and to allow them to expedite the necessary fixes.

For those organizations that do not have a process for handling disclosures, we agree that an accelerated disclosure process would not broadly help the security community. As such we feel that in the first instance, effort should be made on raising awareness about vulnerability disclosure, and why having a process is important for software companies. Few organizations are aware that there are freely available ISO standards on this topic (ISO 29147) and that with not too much effort and suitable role assignment internally, a working process could be established to ensure suitable reaction times to disclosure, commensurate with the risk ratings of those disclosures.

Q3. What do you want attendees at Black Hat Europe 2018 to know about NCC Group and its range of security services?

We want attendees to know that NCC Group are global cyber security and risk mitigation specialists, and that our range of security services is holistic. In addition, we have deep specialism within all of our services; for example while we have the world's largest penetration testing team, within that team we have specialist practices in the fields of hardware security, cryptography, red teaming, containerization, exploit development, web application and infrastructure testing etc.

In terms of incident response we have a world-class team of incident responders who work with our clients both proactively and reactively around incidents and threats, from small malware outbreaks to nation state APT infiltrators. In addition to this deep technical capability we have a dedicated Risk Management & Governance (RMG) team who on a daily basis support our clients across all sectors with their various compliance, certification and security transformational needs. Surrounding all of this we have dedicated managed security services from several global Secure Operating Centers (SOCs) to vulnerability scanning and even CISO as a service through our virtual security team offering.

Fundamentally I'd like Black Hat Europe 2018 attendees to know that underpinning all of our security services is research. Our research program is vast, covering offensive and defensive techniques, capability development and horizon scanning, whereby we're always looking to where the technology landscape is moving and keeping abreast of the security implications of new and emerging technologies. All of our research outputs feed our service lines which helps ensure our competitiveness in the market.

We are constantly working with clients across all sectors and in most markets on exciting security challenges. As we continue to grow, we are also always looking for talented individuals to join us in our journey in securing society.

Renaud Deraison
Chief Technology Officer

Tenable

Q1. What are the biggest challenges organizations face with respect to risk assessment? What would your advice be for those struggling with the task?

We're living through a technological perfect storm where companies are undergoing their own digital transformation as they re-think their IT to increase their competitiveness. The emergence of new technologies, such as public cloud on one hand and a flurry of unmanaged IoT devices on the other, all combine to make the digital infrastructure a living organism that is ever changing. Security teams need tools to gain visibility, properly assess their cyber risk and find ways to communicate to the rest of the company in non-technical terms how these new technologies change their cyber exposure profile.

Q2. How do you see IoT threats evolving over the next few years? From an enterprise standpoint what's it going to take to properly mitigate the threat?

IoT is a very interesting space now, with a level of maturity from the vendors, which is extremely polarized. At one extreme, we have tech companies, which are pretty good at writing secure software, but have no experience maintaining hardware for more than five years. On the other, we have legacy hardware vendors with limited software expertise simply slapping a motherboard to their device and calling it smart.

The problem we're observing is that most of these vendors are dealing with IoT the same way IT was managed a few years ago. They're deflecting their responsibility to provide a secure product by forcing the end-users to be the system administrators of their fridge, smart lights and elevators. In the long term, this can't be good. We'll see a flurry of decade-old flaws -- not zero-days -- being exploited because they were never patched by the end-user. The impact of these attacks will be different—stealing not our confidential data but some of our most private moments.

From an enterprise standpoint, the best way to mitigate this threat is to vet vendors to be enterprise friendly - make sure they offer centralized management of all the devices, make sure their development practices are up-to-date and secure, and that they're offering solutions for self-maintained devices. Then, use the proper tools and technology to find devices that inadvertently find their way on the corporate network, whether they are smart TVs or smart speakers.

Q3. What would you like attendees at Black Hat Europe 2018 to know about Tenable's strategy and vision for the future?

We recently announced Lumin—currently in closed beta—which is a new application that translates raw audit results into business insights. We're very excited about it, as it will arm CISOs with the insight needed to improve cybersecurity effectiveness over time and effectively communicate cyber risk to the business.

Our vision is to empower organizations around the world to understand and reduce their cybersecurity risk. Gone are the days where the security team's default motion was to say "no" to new and emerging technologies. Tenable is providing a platform for CISOs and their teams to effectively assess their cyber risk across the attack surface, from traditional assets to modern technologies. We're helping to up-level the cybersecurity conversation from raw technical data to true business insights that the C-suite and board can use to make educated, risk-based decisions.
