Yeah, it's not the first time that's happened with Minecraft. I mean, the term MIME obviously comes from the multimedia internet exchange format, messaging exchange format, which has been around as an RFC basically allowing for attachments for quite some time. So that really was one of the factors, and actually one of the founders and long-term chief technical employees was the person who wrote the RFC for that standard. What I'm gonna talk about is really how to elevate your email security, because what I'm seeing is obviously the risk increasing.
We looked at fraud, for instance. I think other things like business email compromise and other attacks are much more prevalent and really require some additional security. The other part I wanna talk about is, if you are looking at increasing your level of security, how easily can you justify this by quantifying risk? And then also, how can you reduce the complexity through integration? So that's really what I'm gonna try to cover in the next few minutes.
Yeah, let's start with the state of email security and then go on to the risk controls, looking at risk quantification, and in the end some automation ideas and concepts for that. So what I always like to say first is that technology doesn't solve all problems. I think in the cybersecurity industry, that's always the big wish.
Oh yeah, we've got this new technology. If you talk to CISOs, you're gonna hear, please, not another tool. I've got enough tools. So first of all, try to get the people and the processes straight, and then leverage the tools and controls that are available to you, that you have, in the most efficient manner. And then identify the gap and see, you know, what technology am I missing?
You know, is there something I can use to address that gap that I have? So I just wanna be clear on that.
That is, I'm not stating I have the solution for all your problems. So, just a bit of background: what does Mimecast do? It says email, advanced email and collaboration security. So our core business is email security, as the name also implies, really building on that, finding new ways of leveraging machine learning, commonly termed AI, to identify business email compromise and to help analyze certain incidents and emails.
So for instance, we have a service called Email Incident Response, where we internally leverage machine learning to really allow our mail incident responders, our so-called MOC, to pre-filter certain information and make sure that we can analyze that information in a good way. But as you can see, there's a lot more to it. We're not gonna cover that.
You know, we could talk about archiving, brand exploit detection and protection, but really what I want to talk about is elevating your email security today.
We also publish a, so that's the seventh annual State of Email Security report. That's what the SOES stands for, where we ask about 1,700 professionals for feedback and input on certain questions. And I mean, obviously email is still one of the main attack vectors.
It's a bit underestimated, seen as a commodity control point. You know, you have a gateway.
Yeah, fine. That's great. I'm gonna focus on the endpoint, on the NDR/XDR aspect of things. It's sort of a shift back and forth between the gateway and the internal points, but nonetheless, it shows that there are challenges around that. Phishing emails getting through, business email compromise emails getting through, causing a tremendous amount of damage. We saw that early on.
I mean, business email compromise alone is just causing billions and billions in damages. The other point that we found interesting was the response that they feel they need stronger protection for what they already have. A lot of customers have moved to M365 or Google Workspace, they have basic email security included, and very often I see CISOs struggling to get the budget approval to get additional security because they just know there's stuff coming through there.
I mean, most analysts are saying it's not enough. There is stuff coming through, you need some additional protection, be it behind it or before the email actually reaches that system.
So that's where also a bit of the complexity part comes from. Typically when you have email and collaboration security, you have, well, different point products. That's the history, the best-of-breed approach. On the other hand, you want to reduce complexity, you want to try to have a consolidation of your infrastructure and solutions if possible.
So if you look at the complexity challenges, then, right, do I have the skills in house to use all those controls? Very often there are a lot of tools in house and not enough people to properly configure and manage them.
There is, you know, can I focus on risk strategy, or am I just putting out fires because there are too many different sources of alerts and log information to identify? And then also, yeah, just having multiple point solutions. The complexity is also a risk factor that needs to be addressed.
So obviously there's this big wonderful world where I can say, wonderful, the Microsoft Cybersecurity Reference Architecture shows me what I can do with their solutions.
You know, I can have a CASB solution, I have an identity solution, Defender for Endpoint, Defender for Office 365. And that is important, and it's good that they're offering this as a baseline, but it's not necessarily the be-all and end-all for that security problem. What we see is still a lot of malware, actually M365 even being part of the whole security issue ecosystem. So still 12% of the malware we detect and block originates from Microsoft infrastructure, from IPs, from the infrastructure.
So that shows you how many of the systems are compromised, which you can see up here, the credential attack. So credential attacks are very interesting. Those have been on M365, either doing lateral attacks within the company or attacking other supply chain customers from within that ecosystem.
And the other part we see is, you know, this might not seem like much, but if you look at these numbers and add them up, you get around 6% of emails that still get through.
Not all of them are extremely dangerous or malicious, but actually we don't know a lot of, you know, these spam emails that we'd still detect, which make it through, still contain things like business email compromise, things like impersonation, whaling phishing attacks, that sort of thing. But typically we try to detect them on other levels, just showing that there is still a residual, rather high risk. It's not like 0.1% or something. It is quite a large amount.
And that's really the question that enterprises, and also just companies, need to look at: what risk am I willing to accept? And I just feel that there's a certain lack of maturity with regards to risk management and risk acceptance and risk appetite, which I'm pretty sure the increase in regulation, even for mid-size companies now upcoming within the next year, will require them to do more risk-based analysis, risk-based investments. Suddenly they have to learn what risk management means. They have to learn what ISO 27001 means.
They have to learn what incident response means and that's gonna open up another can of worms.
So, but it's not necessarily this choice, you know, do I go for a single-vendor consolidation strategy, have things there. It is also a risk in the sense that dependence on a single system attracts risk. Add the compromise of Microsoft, actually they've had, I think, multiple, I think four incidents per quarter almost. And the last one was obviously pretty big, having the keys stolen and that sort of thing.
We could just imagine the potential for damage if they actually have full access to the whole security platform and then, you know, basically can open up everything they need to have access to. On the other hand, you have the complexity. You want to have best of breed, but you know, are they talking to each other? Are they integrated? That might not be the case. So it's a bit like the old story.
Yeah, we're monitoring all these logs, but no one's looking at them, or my SIEM system is great, it's creating alerts, but we don't have the resources to properly categorize and quantify them.
So I just wanna very simply try to outline the developments we're seeing. First of all, risk is increasing.
Yeah, that's the problem. We've seen the increase in cost also from business email compromise, from phishing attacks, from ransomware, even though ransomware had a little bit of a dip, even business email compromise. But we're pretty much up there. So you have the security cost, which is rising because you have to approach that risk, those risk-mitigating factors. And then you have the platform complexity, which involuntarily just rises because you invest more in security, you have more solutions. As that risk increases, that complexity increases as well.
Now the promise here is wonderful. I'm gonna get everything from that one platform, that single platform, reduce my cost, reduce the complexity, and yet hopefully also reduce the risk because I'm addressing all these risk factors with that single platform.
Now the reality is often a bit different, because the complexity, the more you implement the various components of that, does actually increase.
I just mentioned the fact that you have a dependency on a single risk attack point where you're potentially exposing yourself, as opposed to having maybe multiple points where, you know, if one gateway solution gets attacked or compromised, it doesn't impact your entire security estate. So just, yeah, what we're looking at is really making sure that if you combine that, it sort of addresses the point. You are reducing the risk, and that little bit of delta actually, that's the part you need to focus on, because you're reducing the risk for a specific incremental cost.
So it becomes much more necessary to see, you know, how do I justify this additional cost? Because it's important that you actually address that risk, because you do want to get the risk further down. You don't wanna sort of get up to that baseline. You do want to maybe get it below where you think you can get it.
And yeah, also addressing the complexity issue, which I'll cover in a later point.
I just wanna also share some information from our own security team, you know, what strategic blueprint we're following when we're looking at security, but also something we like to exchange with other CISOs. So first of all, make clear that cyber risk is business risk. It's not just something abstract; it is a core business risk and needs to be at the board level. Do use a layered, multi-layered approach.
So it's not just a, you know, look where you have gaps in your key controls, monitor and manage those, and look at the human element in that sense. Really, do we have the resources to properly manage that? And you know, it's okay if you're at good and you're looking at implementing the controls, but what you wanna do is get better, which is implementing things like the MITRE ATT&CK framework to quantify or at least identify where your gaps are.
But the real value comes from what we feel is leveraging risk quantification, where you can actually say, I calculate the risk of this happening and costing this much money. That's something the board understands, where you're going like, this is not just some vague assessment, yeah, we're on green or it might be dangerous and that sort of thing. They want to make sure, are we safe, how safe are we?
But also, what do we need to do in order to avoid this incremental cost that might be coming, because there might be a 40% chance of a breach that could cost us a tremendous amount of money.
So if you're looking at this from a budget perspective, there are a lot of controls in place, and again, we're focusing here on the potentially missing controls, or on those here which are effective and missing. Obviously there might be missing controls which you don't need, but really, you know, justifying that, making sure, proving that they work.
And I won't go into detail on that, because that means really leveraging metrics, showing how much protection you've increased, you know, how much you've stopped of potential breaches, and that risk reduction becomes measurable afterwards. But if you want to quantify risk, this is, I'm not a FAIR expert, you know, there's a FAIR Institute, you can go Google it and look it up.
That's a methodology our CSO also uses to categorize our internal security, and it's fairly simple in the sense that you have, you know, threat event frequency, vulnerability, that's the loss event frequency, and combine that into primary risk.
Basically what you need to remember is, you know, what is the risk of loss, primary and secondary, and how can you combine that, not only from a magnitude side but also from a probability side, and really use numbers, use values that are, you know, scientifically gathered and not just sort of guessed randomly. There's even a tool around that from the FAIR Institute, just showing that in the end you do have actual dollar values which you can then use.
So what's the advantage of this approach now, as opposed to just going like, yeah, here we've gone from low to medium or from green to yellow? Actually say, you know, there is a 10% probability of damage of $150,000 occurring in the next 10 months by ransomware. How are we going to address this probability, this potential loss event? Are we going to invest maybe $10,000 to reduce that, or to mitigate that in addition, or are we just gonna accept that risk? Now it could be that a malicious insider, you know, also that risk has increased from yellow to red, it's very dangerous, very risky.
Or is it actually a quantifiable probability? I think you get the picture, really making sure that you have the ability to be much more tangible in your approach to justifying budget and budgetary increases.
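The FAIR factors the speaker names (threat event frequency, vulnerability, loss event frequency, primary and secondary loss magnitude) can be turned into dollar figures with a short Monte Carlo, and the 10% / $150,000 / $10,000 example from the talk into a single expected-loss and return-on-investment figure. The block below is an added illustration written for this transcript; it is not the FAIR Institute's tool or Mimecast's model. Every range in the scenario, the 3% residual probability after the control, and the use of a triangular distribution for calibrated estimates are assumptions chosen for the example.

```python
"""FAIR-style loss simulation: a constructed example, not the FAIR Institute's tool.

The factors follow the talk: threat event frequency (TEF) x vulnerability gives the
loss event frequency (LEF); each loss event carries a primary plus a secondary loss.
Every range below is an assumed calibration, not data from the talk.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A min / most-likely / max estimate, sampled as a triangular distribution (assumed shape)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # threat events per year that reach users
    vulnerability: Estimate   # probability that a threat event becomes a loss event, 0..1
    primary_loss: Estimate    # direct cost per loss event, in dollars
    secondary_loss: Estimate  # downstream cost per loss event (fines, churn), in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in a period at rate lam (fine for small lam)."""
    limit = math.exp(-lam)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate(scn: Scenario, years: float = 1.0, runs: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over the FAIR factors; returns mean loss (ALE), 95th percentile and P(any loss)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lef = scn.tef.sample(rng) * scn.vulnerability.sample(rng) * years
        events = poisson(rng, lef)
        losses.append(sum(scn.primary_loss.sample(rng) + scn.secondary_loss.sample(rng)
                          for _ in range(events)))
    return {
        "ale": statistics.fmean(losses),
        "p95": statistics.quantiles(losses, n=20)[18],
        "p_any_loss": sum(1 for x in losses if x > 0) / runs,
    }


def expected_loss(probability: float, magnitude: float) -> float:
    """Single-point version of the talk's example: a 10% chance of a $150,000 loss."""
    return probability * magnitude


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


if __name__ == "__main__":
    # The talk's numbers: 10% probability of a $150,000 ransomware loss, a $10,000 control.
    before = expected_loss(0.10, 150_000)
    after = expected_loss(0.03, 150_000)   # assumed: the control cuts the probability to 3%
    print(f"expected loss before ${before:,.0f}, after ${after:,.0f}, "
          f"ROSI {rosi(before, after, 10_000):.0%}")

    # Constructed scenario for the Monte Carlo version.
    ransomware = Scenario(
        tef=Estimate(2, 4, 8),
        vulnerability=Estimate(0.2, 0.4, 0.6),
        primary_loss=Estimate(20_000, 60_000, 200_000),
        secondary_loss=Estimate(0, 20_000, 100_000),
    )
    r = simulate(ransomware)
    print(f"ALE ${r['ale']:,.0f}, 95th percentile ${r['p95']:,.0f}, "
          f"P(any loss) {r['p_any_loss']:.0%}")
```

The single-point figures are what the speaker puts in front of a board: $15,000 expected loss before the control, $4,500 after, so the $10,000 spend returns 5% on the risk it removes. The Monte Carlo output is the more honest version, because it also reports a 95th-percentile loss and the probability of any loss at all, which is what a risk-appetite decision actually turns on.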
Finally, the reduction of complexity.
So I mentioned that the complexity does pose a certain element of risk, because sure, if you aren't in control or you haven't implemented the controls because of complexity, you aren't properly leveraging all the information and automation, then your incident response process, on the technical level at least, is weak. You know, I think it's very important that you do things like tabletop exercises, getting those processes ongoing. I mentioned people, process and technology, but on the technology process as well.
You know, how much, with those few skilled people you have, can you actually do within a certain amount of time? Also looking at the increased regulatory requirements on incident response, 24-hour reporting requirements or 72-hour requirements. In any case, you need to respond fast, both to respond to an incident from a communication perspective and reporting it, but most importantly in mitigating the damage that's done post-bang.
And the other part is reducing alert fatigue because that's what happens if you don't really automate and don't pre-filter.
So there are a few, I would say three main scenarios which I think are really easy wins. Use threat sharing, use the integration between technologies where you can have a file hash from one technology and automatically share it with the rest of your security estate. You're automatically increasing or improving the detection capabilities of your controls; it is really sort of a very easy win. These indicators of compromise don't have to be file hashes, they could be URLs, email addresses and so on.
I still see a lot of companies that do that manually, and I mean they might have a nice web interface, but you know, the more you can do quickly, the less you then have to go, oh yeah, our security team didn't get around to pressing the button to share that with solution X, and that's why it got through our control Y.
If you make sure that that's automated, then you have that increased protection level, visibility of threats, making sure that you actually have all that data consolidated in your SOC workbench, be it your SIEM tool, be it your incident response tool.
Just getting that visibility through getting risk information, we look at user behavior analysis, you know, how can that impact a risk score and provide contextual information as to how to respond to an incident. If I see maybe a user with a very high risk score and some anomalous behavior, maybe I should respond differently than with a good risk score. So these are just ways of making sure that your XDR and detection tools also have contextual information. And then finally, the third case is really the automation and orchestration.
As I said, the threat sharing is also sort of automation, but this really means how can I improve my incident response process by maybe getting evidence automatically and quickly from a system, getting forensic data, quarantining systems, making sure that those systems are isolated and the incident is contained. So you can really summarize that in these basic three categories.
You know, the automation is more services-oriented, but making sure that you're threat sharing, investigation and alerting, integration with your SIEM technology, and the whole XDR/EDR point of how can I integrate endpoint and network security in automating my response.
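The "easy win" the speaker describes, a hash, URL or address detected by one control being pushed automatically into the rest of the estate, fails in practice on small details: hashes arrive in mixed case, URLs arrive defanged, and the same indicator arrives twice from two tools. The block below is an added example written for this transcript, not Mimecast's integration or any vendor's API; the detection records and the blocklist shape are assumed, and the indicators are constructed (the MD5 is the well-known hash of the empty string, the domains are reserved example domains). It validates, normalizes and de-duplicates indicators before they are shared, and reports what it refused.

```python
"""Indicator-sharing helper: a constructed example of the automated hand-off the talk describes.

Detections exported by one control (assumed shape: {"indicator": ..., "source": ...})
are validated, normalized and de-duplicated into a blocklist another control can load.
"""
import re
from urllib.parse import urlsplit

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [@]) so the same indicator compares equal."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def classify(raw: str):
    """Return (type, normalized value), or None when the indicator is malformed."""
    v = refang(raw)
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)], v.lower()
    if v.lower().startswith(("http://", "https://")):
        parts = urlsplit(v)
        if not parts.hostname:
            return None
        # Lowercase only scheme and host; paths can be case-sensitive on the target server.
        url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
        return "url", url + (f"?{parts.query}" if parts.query else "")
    if EMAIL_RE.match(v):
        return "email", v.lower()
    return None


def build_blocklist(detections):
    """Group valid indicators by type, de-duplicated, keeping the first source seen for each."""
    grouped = {}
    rejected = []
    for det in detections:
        kind = classify(det["indicator"])
        if kind is None:
            rejected.append(det["indicator"])
            continue
        typ, value = kind
        grouped.setdefault(typ, {}).setdefault(value, det["source"])
    blocklist = {typ: [{"value": v, "source": s} for v, s in sorted(vals.items())]
                 for typ, vals in grouped.items()}
    return blocklist, rejected


# Constructed detections, not real indicators of compromise.
SAMPLE_DETECTIONS = [
    {"indicator": "D41D8CD98F00B204E9800998ECF8427E", "source": "mail-gateway"},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "source": "sandbox"},
    {"indicator": "hxxps://Payroll-Update[.]example[.]net/login", "source": "mail-gateway"},
    {"indicator": "https://payroll-update.example.net/login", "source": "url-rewrite"},
    {"indicator": "ceo[@]example[.]com", "source": "mail-gateway"},
    {"indicator": "not an indicator", "source": "analyst"},
    {"indicator": "abc123", "source": "analyst"},   # hex, but not a hash length
]

if __name__ == "__main__":
    blocklist, rejected = build_blocklist(SAMPLE_DETECTIONS)
    for typ, entries in blocklist.items():
        for e in entries:
            print(f"{typ:7} {e['value']}  (first seen: {e['source']})")
    print("rejected:", rejected)
```

The rejected list is the part worth keeping: an automated feed that silently drops malformed input recreates exactly the "nobody pressed the button" gap the speaker warns about, so the refusals should land in the same SOC workbench as the shared indicators.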
That is basically it. What I want to do really is show, first of all, the risk approach, really elevating your email security. That's the focus: through integration, through use of AI.
What I actually also want to cover is, yes, we do use a lot of machine learning and AI technology to do these kinds of business email compromise detections, to improve the way we find, for instance, the sender being spoofed, as could be the name of the CEO while it was actually an external sender. There might be language, words being used, certain phrases which might be seen from a dictionary.
And those are different ways of using AI to just improve that, which we feel the typical platform and collaboration platform providers aren't there and may never completely be there, because their focus is not entirely on the whole security advantage part, but really making sure that you're having a working collaboration platform. That's it from my side. Thank you. Thank you.
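The two BEC signals the speaker names at the end, an executive's display name on an external sender address and a dictionary of suspicious phrases, are rule-based checks before any machine learning is involved, and they make a useful baseline detection to run inbound. The block below is an added example for this transcript, not Mimecast's detection logic; the executive directory, internal domains, phrase list and the three sample messages are all constructed. It also adds a Reply-To domain mismatch check, which the talk does not mention but which commonly accompanies display-name impersonation.

```python
"""Display-name impersonation check for inbound mail: a constructed example, not Mimecast's detection.

Flags a From display name that matches an executive while the address is external,
a Reply-To pointing at a different domain than From, and phrases from a small dictionary.
Directory, domains, phrases and messages are assumptions made for this example.
"""
import re
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domains
PHRASES = ("urgent", "wire transfer", "gift card", "keep this confidential", "are you available")


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, sort tokens, so 'JANE  DOE' and 'Jane Doe' match."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", folded.lower()).split()
    return " ".join(sorted(tokens))


# Assumed executive directory: normalized name -> the address that really belongs to them.
EXECUTIVES = {normalize_name("Jane Doe"): "jane.doe@example.com"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(headers: dict, body: str) -> list:
    """Return the reasons the message looks like BEC; an empty list means nothing matched."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    external = from_domain not in INTERNAL_DOMAINS

    # Signal 1: executive's name shown, but the real address is outside our domains.
    if display and external and normalize_name(display) in EXECUTIVES:
        reasons.append(f"display name matches executive {display!r} but sender {addr} is external")

    # Signal 2: replies are steered to a domain other than the one the mail claims to come from.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # Signal 3: phrase dictionary hits in the body.
    text = body.lower()
    hits = [p for p in PHRASES if p in text]
    if hits:
        reasons.append("urgency/payment phrases: " + ", ".join(hits))
    return reasons


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"headers": {"From": "Jane Doe <jane.doe@example.com>"},
     "body": "Please review the Q3 roadmap draft before Friday."},
    {"headers": {"From": "Jane Doe <jane.doe.ceo@mail.example.net>",
                 "Reply-To": "jd@reply.example.org"},
     "body": "Are you available? I need an urgent wire transfer done today, keep this confidential."},
    {"headers": {"From": "Payroll <payroll@vendor.example.org>"},
     "body": "Your invoice for last month is attached."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = assess(msg["headers"], msg["body"]) or ["no BEC indicators"]
        print(msg["headers"]["From"], "->", "; ".join(verdict))
```

Each reason is kept as text rather than a single score so the SOC sees why a message was held, which is the contextual information the speaker wants feeding the XDR and incident response tools. The genuine internal message and the unrelated vendor invoice return nothing; only the external message wearing the CEO's name trips all three signals.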