Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/30/2019
02:00 PM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Email Threats Poised to Haunt Security Pros into Next Decade

Decentralized threat intel sharing, more public-private collaboration, and greater use of automated incident response are what's needed to combat phishing

As organizations begin to plan their cybersecurity strategy for 2020 and beyond, email security will certainly be high on leadership's agenda. That’s because phishing attacks continue to increase in sophistication and frequency, and email remains the number one vector for all cyber incidents. In fact, 90% of all cyberattacks begin with email, and the breadth of phishing detection, prevention, and response has become the ultimate SOC team burden.

As such, one thing is clear: Enterprises are losing the email security battle. This unpopular truth exists partially because of the complex email threat landscape. After all, it’s almost impossible for any organization to proactively defend against 130 million phishing attacksper quarter, not to mention the tens of thousands of permutations associated with each. Another contributing factor is the proliferation of payload-less, social engineering-driven phishing, such as business email compromise (BEC) and account take over (ATO), which enable attackers to bypass traditional server-level email security tools and trick human defenses with relative ease.

Presently, when it comes to phishing mitigation, the industry is guilty of holding the same conversations that it’s had for the past several years. Comparing and contrasting secure email gateways. Evaluating both the real and perceived benefits of phishing awareness training. Debating the pros and cons of authentication and encryption protocols. While all three tactics remain popular, they are decreasing in effectiveness.

Thus, as we approach the next decade, it’s time to move away from the trivial arguments of yesteryear and focus on what’s needed to defeat the phish of 2020 and beyond. From decentralized threat intelligence sharing and greater public-private collaboration to automatic incident response and mailbox-level security, these safeguards are better suited to combat the future of anti-phishing because they rely on human and technical controls working together 24/7/365. 

Evolution of email security
Looking back over the past decade, email security has, admittedly, come a very long way. Eight years ago, organizations relied almost entirely on spam filters and antivirus software to protect against Nigerian scams. Eventually, antivirus products were rejected as the sole line of email defense, as attackers found creative and cost-effective ways to defeat these controls.

Phishing technique advancements prompted secure email gateways (SEGs) to enter the market, and this technology remains the most common phishing prevention method. Around the same time as SEGs, security training became part of the corporate lexicon, and employers attempted to gain some advantage over attackers by using employees to identify and corral suspicious messages. 

Unfortunately, attackers responded to the increased employee awareness and SEG technology by creating new attack techniques that bypass common email security controls. In response, many enterprises have added gamification to their security training as a means to bolster employee situational awareness while also implementing authentication and encryption protocols such as DMARC.

While such counter maneuvers are surely effective from time to time, attackers continue to have the upper hand while enterprises look toward 2020 for a silver bullet. Unfortunately, one is not going to appear.  

Email security challenges that elevate risk
The email security industry is in the midst of an intense debate over what technology, standards and protocols can deliver the most protection and reduce the most risk. The common arguments are a bit ironic when considering that successful cyberattacks continue to cost enterprises more than $1 million per incident.

The most common arguments include:

  • Robust email security requires two-factor authentication.
  • Adoption & maintenance of protocols like DMARC are essential.
  • Phishing awareness training should be mandatory for all organizations.
  • Encrypt all email messages.
  • Incident response requires automation. 

While none of these trending arguments are wrong per se, they all assume that email security is some sort of linear challenge that can be eradicated with a singular solution driven by either technology or people. But if history has taught us anything it’s that attackers will evolve and find a way to defeat whatever human and technical controls and enterprise deploys. 

That's why, as we move into 2020 and a new decade, the conversations surrounding email security must evolve from comparing anti-phishing and email security tools, protocols, and trainings to resolving non-phishing email security challenges that are at the center of elevating risk. This includes the need to address SOC burden and educate the next generation of the cybersecurity workforce; decentralizing threat intelligence sharing so that organizations of all resources can protect their assets, promoting ubiquitous interoperability so that solutions can better integrate for analysts; and having an industry-wide agreed upon definition of what actually defines incident response.

Such a transformation of the email security industry will enable organizations to focus on effective anti-phishing techniques that actually address the root causes of the industry’s problems, and not just the effects. For example, by encouraging decentralized threat intelligence, organizations’ SOC teams can have access to hundreds of thousands of trending threats worldwide, allowing them to be proactive in defense instead of reactive. It’s a power of the pack mentality that suggests industry is stronger together than it is apart. 

As it stands now, attackers will continue to have the means and motives to evolve faster and more efficiently than technological advancements. But when human controls and technological controls work together to decentralize threat intelligence, automate rapid response and encourage employee collaboration, their advantage can shrink to a much more manageable level. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
CVE-2019-12421
PUBLISHED: 2019-11-19
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to m...
CVE-2019-19126
PUBLISHED: 2019-11-19
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR ...