Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/30/2019
02:00 PM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Email Threats Poised to Haunt Security Pros into Next Decade

Decentralized threat intel sharing, more public-private collaboration, and greater use of automated incident response are what's needed to combat phishing

As organizations begin to plan their cybersecurity strategy for 2020 and beyond, email security will certainly be high on leadership's agenda. That’s because phishing attacks continue to increase in sophistication and frequency, and email remains the number one vector for all cyber incidents. In fact, 90% of all cyberattacks begin with email, and the breadth of phishing detection, prevention, and response has become the ultimate SOC team burden.

As such, one thing is clear: Enterprises are losing the email security battle. This unpopular truth exists partially because of the complex email threat landscape. After all, it’s almost impossible for any organization to proactively defend against 130 million phishing attacksper quarter, not to mention the tens of thousands of permutations associated with each. Another contributing factor is the proliferation of payload-less, social engineering-driven phishing, such as business email compromise (BEC) and account take over (ATO), which enable attackers to bypass traditional server-level email security tools and trick human defenses with relative ease.

Presently, when it comes to phishing mitigation, the industry is guilty of holding the same conversations that it’s had for the past several years. Comparing and contrasting secure email gateways. Evaluating both the real and perceived benefits of phishing awareness training. Debating the pros and cons of authentication and encryption protocols. While all three tactics remain popular, they are decreasing in effectiveness.

Thus, as we approach the next decade, it’s time to move away from the trivial arguments of yesteryear and focus on what’s needed to defeat the phish of 2020 and beyond. From decentralized threat intelligence sharing and greater public-private collaboration to automatic incident response and mailbox-level security, these safeguards are better suited to combat the future of anti-phishing because they rely on human and technical controls working together 24/7/365. 

Evolution of email security
Looking back over the past decade, email security has, admittedly, come a very long way. Eight years ago, organizations relied almost entirely on spam filters and antivirus software to protect against Nigerian scams. Eventually, antivirus products were rejected as the sole line of email defense, as attackers found creative and cost-effective ways to defeat these controls.

Phishing technique advancements prompted secure email gateways (SEGs) to enter the market, and this technology remains the most common phishing prevention method. Around the same time as SEGs, security training became part of the corporate lexicon, and employers attempted to gain some advantage over attackers by using employees to identify and corral suspicious messages. 

Unfortunately, attackers responded to the increased employee awareness and SEG technology by creating new attack techniques that bypass common email security controls. In response, many enterprises have added gamification to their security training as a means to bolster employee situational awareness while also implementing authentication and encryption protocols such as DMARC.

While such counter maneuvers are surely effective from time to time, attackers continue to have the upper hand while enterprises look toward 2020 for a silver bullet. Unfortunately, one is not going to appear.  

Email security challenges that elevate risk
The email security industry is in the midst of an intense debate over what technology, standards and protocols can deliver the most protection and reduce the most risk. The common arguments are a bit ironic when considering that successful cyberattacks continue to cost enterprises more than $1 million per incident.

The most common arguments include:

  • Robust email security requires two-factor authentication.
  • Adoption & maintenance of protocols like DMARC are essential.
  • Phishing awareness training should be mandatory for all organizations.
  • Encrypt all email messages.
  • Incident response requires automation. 

While none of these trending arguments are wrong per se, they all assume that email security is some sort of linear challenge that can be eradicated with a singular solution driven by either technology or people. But if history has taught us anything it’s that attackers will evolve and find a way to defeat whatever human and technical controls and enterprise deploys. 

That's why, as we move into 2020 and a new decade, the conversations surrounding email security must evolve from comparing anti-phishing and email security tools, protocols, and trainings to resolving non-phishing email security challenges that are at the center of elevating risk. This includes the need to address SOC burden and educate the next generation of the cybersecurity workforce; decentralizing threat intelligence sharing so that organizations of all resources can protect their assets, promoting ubiquitous interoperability so that solutions can better integrate for analysts; and having an industry-wide agreed upon definition of what actually defines incident response.

Such a transformation of the email security industry will enable organizations to focus on effective anti-phishing techniques that actually address the root causes of the industry’s problems, and not just the effects. For example, by encouraging decentralized threat intelligence, organizations’ SOC teams can have access to hundreds of thousands of trending threats worldwide, allowing them to be proactive in defense instead of reactive. It’s a power of the pack mentality that suggests industry is stronger together than it is apart. 

As it stands now, attackers will continue to have the means and motives to evolve faster and more efficiently than technological advancements. But when human controls and technological controls work together to decentralize threat intelligence, automate rapid response and encourage employee collaboration, their advantage can shrink to a much more manageable level. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

As Chief Executive Officer at IRONSCALES, Eyal Benishti pioneered the development of the world's first self-learning anti-phishing email security solution that combines human intelligence and machine learning technologies for automatic prevention, detection, and autonomous ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.