The Great Debate - Episode 6 Should Phishing Protection be the 1 Security Priority

Show video

- Hello and welcome to the sixth episode of The Great Debate, a 10 part webinars series, where two guests debate, whether a cyber-security topic should be the top priority right now. Before we get to today's debate, a few operational items. First, today's session is being recorded and we'll send a link to the recording shortly after the webinar wraps up. Next, there are several opportunities for today's guests to cover audience questions. You can add your question using either the chat or the question panel within GoToWebinar.

You'll also notice a poll appear right now, asking you whether you're in favor or opposed to the statement. Phishing protection is a number one cybersecurity priority right now. We'll tally the results and we'll ask again at the end to see if either of our guests changed your mind about the topic. Finally, we'll be making a $500 donation to each of today's speakers, to a charity of their choice. And with that, I'm gonna share the poll results and hand it off to our moderator, Axonius CMO, Nathan Burke, to get started.

- Would you look at that? 50/50, I don't think we've ever had that before. All right. - All right, this is gonna be interesting. All right, thanks, Anna. All right, so, today's topic is should phishing protection be the number one priority right now? Not just phishing 'cause that would be a different topic.

So, our first guest taking the in favor position is Katie Teitler. She is senior analyst at TAG Cyber, where she collaborates with security organizations on market messaging, positioning and strategy. In previous roles, she has managed, written and published content for two research firms, a cybersecurity events company and a security software vendor.

So Katie, please tell our audience the charity that you are supporting today. - Well, I was pretty Broken Tail Rescue. Thank you so much, Nate and Axonius team for inviting me.

I'm really looking forward to this, should be fun. But Broken Tail Rescue is my charity. I'm a huge animal advocate and the reason I chose Broken Tail is because last Friday, just this past Friday, I adopted a dog from them and hopefully, she won't make her presence known on this webinar but to everybody watching and listening, if she does, she just wants to be part of it too.

- All right, great. Thank you again for joining us, Katie. And taking the opposing position on phishing protection today is Ryan Fritts, VP of technology and product security and CISO at ADT.

And his current role at ADT is primarily focused on responsibility for product security. He works with the product teams on the electronic digital security side and the physical security side of the products as well, doing product evaluations and managing a lab, that does their own internal penetration testing for products. Also, he's responsible for technology and the companies emerging cyber security offering.

Prior to joining ADT, he worked at Stanley Security for seven years in a sales operation and hybrid IT role. Ryan, thanks for joining us and please tell us about your charity. - Yes, thanks and Nathan, thanks for doing it, so, I guess, thanks to Katie for joining. My charity is the Bail Project. It's a nonprofit organization designed to combat the money bail system that that creates, you know, a system of injustice for those who cannot afford to pay bail, they will pay the bail on their behalf. There are, you know, hundreds of thousands of people in jail right now, waiting trial and the only reason they are in jail is because they cannot afford to pay bail, effectively criminalizing poverty.

So, they do a fantastic work in terms of social support and getting them back out. If you think about what that means, if you're stuck in jail and can't pay bail, it puts your livelihood on the line for your job, your house, your child, you know, children. So, they do a fantastic, a fantastic job, fantastic charity. - All right, excellent. Thank you for joining us today, Ryan.

So, today's topic is phishing protection and to give a bit of context on the topic, let me hand it off to Noah Simon, who was the director of product marketing here at Axonius. So, Noah take it away. - All right, thank you, Nate. So, phishing is still the most common attack vector. And according to the 2020 Verizon data breach investigation report, 22% of breaches involve social engineering and nearly all of those social engineering breaches occurred via email.

During today's debate, phishing will refer broadly to social engineering attacks that leverage email, text or telephone. To obtain credentials as well as malicious or insecure websites that trick people into entering credentials. We'll also refer to phishing protection as a combination of tools and software as well as user training given to help defend against phishing attacks. Phishing continues to evolve and the following trends are what makes phishing hard to combat against today. The first is that impersonation and account takeover attacks have increased, which means anyone's identity is easy to impersonate or even compromised to carry out very targeted phishing attacks or even business email compromise.

The second is that attacks occur beyond email. Attackers can now present fake login screens for collaboration platforms like Microsoft Teams or Slack or others, in order to gain credentials that way. And the third is smishing, which is phishing attacks that occur via text messages. Now delivers short, obfuscated links to users smartphones.

And because these are text messages and not email, they have much higher open rates than traditional email. So, those are some of the trends we see with phishing today. And with that, over to you. I'll hand it back to Nate. - All right, excellent, thanks Noah.

And now, onto debate and the format will be as follows. So, each candidate will first have two minutes to make their opening statements. After opening statements, I'll then read five questions that each candidate will have two minutes to answer. We'll then go to final remarks and we'll then open up the floor to questions from the audience. And this morning I actually did this, I flipped a coin and Katie, you will be going first.

So, you will have two minutes to make your opening statement on live phishing protection should be the top priority right now. And your time starts now. - Well, I think Noah made my argument for me, right? We've seen huge increases in phishing and it's because it's not just email, it's not just text, it's not just websites, it's all of these avenues. And there are so many opportunities for attackers to exploit humans and humans trusting nature and humans behavior but a few other specific points. Like let's just take email. In business, we're on email all day long.

According to a McKinsey report, 28% of our workday is spent reading and answering email. So, think about that. A third of your work life is spent answering emails so the volume of email that you get. And everybody's trying to be productive and efficient and so, answering these emails and sending emails, you get so used to it, you fall into a trap of just reply, send, respond, whatever the case may be. And the average worker gets 120 plus messages per day. That's just email.

That's not, we're not even talking about your texts. We're not talking about the websites you use. So, in aggregate, there's so much information coming at us, we're trying to be productive and frankly, people are overworked, they're tired, they're stressed. And all of that contributes to maybe being fooled into thinking something is what it isn't or not noticing tiny little details because phishers have gotten savvy. The days of the Nigerian Prince are gone. You know, nobody's coming at you asking you to send a thousand dollars in return for a million dollars anymore.

It doesn't happen. Those emails look like legitimate emails. Those websites look like legitimate websites. And it's really hard to know, especially, when you're busy, when you're multitasking, when you're stressed.

It's hard to know what to look for and it's easy, very, very easy to be tricked by these phishers. And on top of that, part of our job and part of our life is it does involve going to websites and filling in forms and clicking on things. You can't do your job, you can't live in society without taking advantage of this technology.

So, that's number one but beyond that, we have other challenges that come into it. Oh gosh, I hope I have enough time. So, password management is a problem. We all know it. I won't get into the details here but we know, everybody watching is probably insecurity so you know the issues with password management. Only 23 or so percent of users use a password manager and that's probably mandated by their company for a lot of people.

So, the reuse issue is a problem. The lack of MFA issue is a problem. And all of these things facilitate attacks and attackers being able to get into accounts, to find data, to find information, to make their campaigns against people more realistic. If somebody can get into some of my accounts, whether it's my email or my social media, they know more about me and they can create a campaign against me, that talks about something that I really don't think a lot of people have information on. So, so many reasons why phishing should be the number one priority.

We'll get into it a little more. And I see Nate holding the clock so I'm guessing I'm done. - All right, so Ryan, I'm gonna let you, if you can, if you need a little more time, we went over by about a minute and a half on that but we always make up for it. Don't worry about it. We are not as strict as some debate commissions.

So, with that said, let me hand it over to you, Ryan, for your two or three and a half minutes. - You know, right, you're not gonna cut, you're not gonna mute my mic at two minutes. I feel good about that so thanks.

You know, what I would say is, you know, phishing obviously is an initial access vector. You know, it can be a lateral movement vector as well. I feel like Katie kind of helped make my case there at the end a little bit, that, you know, the lack of multi-factor, the lack of stronger, robust identity and access management controls helps precipitate compromises. And, you know, social engineering has been around as long as speech has been around, you know, where there is someone who is, you know, vulnerable to social engineering, you're going to have people trying to take advantage.

And, you know, to some extent it can be very hard. And unless you can get 100%, in terms of stopping social engineering attacks via multiple factors and new ones arising all the time, especially with the rise of Slack and Teams and Zoom, you have new avenues you have to protect and vectors to protect. And, you know, if you're not focused on the rest of the stack, right? If that social engineering Avenue is the way in the door, then it speaks to not having enough landmines on the battlefield.

And, you know, you have to be focused on those other controls, such that phishing doesn't become your number one priority. And, you know, if you've got a strong and robust identity and access management framework, if you've got strong processes and process management in place, then, you know, the, the result is phishing can become less of a priority because you have strong endpoint controls, malware can be mitigated. If you have strong identity and access management controls, you know, that account takeover impersonation can be mitigated. And, you know, if you're able to mitigate the downstream impacts of phishing, is phishing really the number one threat? And with that, I will yield my time. - All right, excellent. Now, onto the questions.

So, remember each guest will have two minutes to answer the following questions and I will just put out a quick plug. We will get to audience questions at the end. So, as we go along, feel free to add your questions, either through the question functionality or the chat within GoToWebinar and we'll get to those at the end.

So, be sure to add them there. All right, so, here is question one. So, as Noah said in the beginning and we've covered a little bit here, that phishing still remains the most common attack vector today and employees continue to click on malicious emails and that can lead to data loss, ransomware, business email compromise. So, the first question here is, is phishing inherently a people problem, a process problem or a technology problem? And we will begin with you Ryan starting now. - All right, I mean, I would say fundamentally, phishing's gotta be a people problem.

It's social engineering. It takes advantage of a sense of urgency, confidence and trust. And you know, where it is successful is a breakdown in process and technology.

Either you didn't have the technology to stop it or your processes aren't robust enough to mitigate against the impact. So, you know, cash management, do you have, you know, voice verification, you know, for opening and handling data and information? You know, do you have the rigor of a process to support identification of improper requests? which effectively are gonna be the social engineering side of the equation. I mean, it's at its core taking advantage of people and projecting the confidence.

It is a con game but it's fundamentally a people problem, where it's most successful or where you have processing technology issues downstream. - All right and Katie over to you. - Well, thank you Ryan. I'm gonna use some of your points too, like any good debater would. I'd say it's all of the above, people, process and technology. It can't be an either or.

So, people may be the first line of defense and attackers will always take advantage of people. And certainly, awareness of phishing has come a long way since I started in security years ago. But phishing, isn't an awareness problem in and of itself, it's a habit problem, it's a behavior problem. And no matter how good and how thorough security awareness and training programs are, the way we run business runs counter to a lot of the so-called best practices. So, we can tell people don't click on links, don't open attachments, you know, double check the URL of a website you're visiting but we can't just rely on people.

We need that rigor of the process. And we need to look at technology as being that layered defense and processes put in place to be a layer defense. We need phishing protection, we need DMARC, we need email gateways, we need content protection for users mailboxes, we need to protect data at rest as well as in transit. So, it's not okay anymore to just think we can stop the bad acts actors from using people as their ingress. We need to have a layered defense and deploy technology to prevent attackers.

When they do get into people's inboxes, we need to prevent it from going any further, to stop the propagation of an attack, to stop lateral movement. And the way to do that is with a layer of defense, people, process and technology. - Okay, all right, on to question number two. Employees are now more distributed than ever and more and more people are working from home, instead of the office.

So, does that mean that companies should prioritize phishing protection even more now? And we'll start with you Katie. - 100%, when companies moved to work from home, they had to accept a lot of things. They had to accept that people might be working over insecure wifi connections.

They had to accept that some employees would not be on managed devices. People were using their personal devices because they didn't have any choice. Companies, unfortunately were not necessarily prepared for it. And with remote work, with work from home, with more data and systems in the cloud, without being able to go and talk to your coworker and say, hey, Joan, tell me about this, that or the other thing. We need to use systems, we need to use our technology to communicate, which means that more information is available, if attackers get to it. It means that the volume of increase, I heard one statistic that said, the volume of email increased with work from home 95%.

Think about that. You have more email, everybody's tired, everybody's stressed, you don't know what's going on. So, just looking at what people have to do to function at home and some of the insecurity that started, when people work from home, opens up a lot of vector for attack. And enterprises are telling us that their main security concerns are around keeping people productive and efficient. And security as it always does, unfortunately, lagged a little bit behind.

So, how do they get their people to be secure on their own devices that might be shared in the home, with their kids, who might click on something or might visit a site that they maybe shouldn't and open up another vector. Secure remote connectivity is a problem too. You know, VPN's, super prevalent and companies were scrambling to put them in place but we all know the pros and cons of VPNs.

If a remote employee clicks on an infected link, an attacker can Snoop on a connection before the VPN encrypts traffic. Again, just gathering that data, using anything that they can to then send out a phishing campaign and exploit the employee. - Okay, Ryan, over to you. - Yeah, I think, you know, I'm gonna pull from Katie on the VPN and say, you know, VPNs are an important part, right? The network security component, identity and access control.

You know, particularly with VPNs, you know, you expose the, that end point back to the corporate network but that speaks more to other control weaknesses, things like network security, endpoint protection, identity and access management and not to phishing itself on the front end and the social engineering component. At some level, we have to accept that we're not gonna be 100% effective at prevention. And when you're not 100% effective at prevention, all of those other controls become all the more important. I think the harder part, maybe a secondary to this, is that it assumes that threats come exclusively from outside in and ignores that, you know, employees are also the source of compromised directly, either via negligence or, you know, compromised malicious activity.

But from some perspective, there has to be an acknowledgement that insider threat exists. And again, it speaks to controls you have on data management, endpoint protection, network, you know, the ability to detect activity becomes more and more important. As soon as you say that you can't stop 100%, you need to have the internal control matrices to be able to detect the activity and respond. - Okay. All right, so onto, I think my favorite question of the series, which is why we ask it every single one of these. So as a CISO or if you're advising a CISO, if you were given one additional headcount and a million dollars to dedicate to phishing protection, where would you start? So, for the in favor candidate, where would you start specifically as it relates to phishing protection? For the opposition candidate, what would you prioritize instead? And Ryan, we start with you.

- Where I would start instead is probably twofold. I'd start on vulnerability management, in particular. It's the one area that's 100% within your control to affect. You know, you can't control how many phishing emails you receive. You can't control how many external attacks you get but you can, 100% control the size and scope of vulnerabilities within the environment.

It's the one lever you can continuously pull. After that, it would probably be identity and access management. You know, how effective can you build multifactor auth, conditional, behavioral and context aware. So, starting to get into zero trust, to be able to secure identities and systems against unauthorized access. Those would be my two areas. So I guess I hit the benefit of providing two options.

- Okay. And over to you, Katie. - Training is obviously important, when it comes to phishing but it's not the be all and end all, for the reasons that that I've mentioned.

And normal business operations require some of the actions that would prevent a lot of phishing, like opening email attachments and clicking on links. So, there's only so much that we can do, in terms of awareness. So, I would say we need to spend a good portion of the money on tools and technologies that prevent attempts from getting through, to prevent that lateral movement. And I agree with Ryan.

I'm going to concede a little here that that access controls are really important. So, I don't wanna give too much away. I'm here to win.

But the fact of the matter is we need technology because you're not gonna quote, fix people because there actually isn't a problem with people and we need that layer of defense and we need to implement some of the things that companies have either lagged doing. We need better anti-phishing, we need better inventory of what systems are being used to connect to our networks, to connect to our clouds, to know where people are getting access so that we can put the right controls in place to prevent the phish from happening or looking at the phish as the facilitator of a deeper attack because that is going to happen. We can't prevent phishing entirely, unfortunately but we need the technology in place and not just rely on the quote, human is the weakest link because, A, it's not true, B, it's derogatory and C, we've got processes and technologies to help with it.

- All right. So, onto our fourth question. So, a strong understanding of your employees, user accounts and security level can help identify, which users are highest risk for phishing attacks but many teams can't even understand all the user accounts they have, the risk level. Which leads me to ask, if you were dead set on prioritizing phishing protection, what are the absolute foundational challenges you need to solve just to get started? And so, I will start with you, Katie. - Foundational challenges, password management, MFA, understanding where people have their access, through what devices, how they're being used, when they're being used, if they're being shared, how many employees do you have, what accounts do the use, is it just their business account or is it their personal accounts? I think we're probably all guilty of using multiple accounts, just either to make it easier or by accident. We use a personal account for things maybe we shouldn't.

When it comes to partners and contractors and how they're managed, we have to look at ways to protect all of the email accounts of the employees. And it's really, really hard to do so because you can't say to an employee, you can't use X email account or you can't use X password on your personal account. You can't force a human being for their non-work life, to use work tools or business tools but we need to have that understanding of what people are using, how they're using it, how they're working so that we can put the right controls in place. I work with one company that offers an anti-phishing solution and it's an email, it's focused on email accounts and they offer it to of their customers protection for their VIP's, their executives or board members, personal accounts. It's like a benefit.

Like we get health insurance or some people get free dry cleaning or discounts on gym memberships. So, there are ways we can go about it but it's definitely hard, when you're human is both an employee and an individual who does things outside of work. - All right, Ryan, same question to you. - Yeah, I mean, I would say that I feel like Katie is helping make my case, saying, you know, identity and access management is the thing to prioritize. You know, if I were to step back and try to be the contrarian here, to my own point, you know, I think foundationally, you have to understand the nature and intent of that outside actor, right? So, if they're targeting the accounts payable team, you know, they're gonna be invoiced fraud, you know, accounts receivable, same deal.

HR is going to be, you know, resumes that are malicious, you know, executing macro code in the background, probably PowerShell. So, you know, it's the, how do you get, get granular on the types of attacks that different groups are gonna see and work with them on what controls can we put in place procedure-wise to manage those? So, for like invoice fraud, you know, changes to payment requests, can you do voice verification, right? Independent verification based on contacts on file. Salespeople are gonna get requests for, you know, assets and inventory that are fraudulent in nature of one, one of shipped with, paid for with fraudulent credit cards. So, there are a number of attacks throughout the organization on which social engineering will be the basis. And it's about trying to understand the attacks that those various groups are going to see and try to contextualize, you know, and build awareness into those groups based on what they're likely to see.

That's in my mind, the best you can do to solve the phishing side of the equation. - All right. So, onto question five. So, the title of this whole session was should phishing protection be the number one priority right now but I think we'd all agree that the answer needs to be a bit more nuanced than yes or no. And so, the final question before we hand it over to audience questions and feel free to add them in the question or the chat here is this.

So, what kinds of organizations should prioritize phishing protection right now? And conversely, what types of organizations or security teams should focus on other things? And we will start with you Ryan. - Yeah, I would say, if you've got weak identity and access management controls, end point protection controls, if you are more laissez-faire, then to some extent you should prioritize phishing, you can control the ingest. I would say, you should probably think about all of the other controls downstream first.

But if you cannot move those organizational pieces relative to identity and access management, if there are big gates that you cannot open, at that point, you have to prioritize phishing to mitigate the ingest and mitigate the start of the life cycle. But it doesn't mean, I believe that should be the first thing that's prioritized but if you can't move those other factors, this would be where I'd say to prioritize. And I would tell everybody that identity and vulnerability, go back in a staunch speech, should be the things that they're really focused on.

- Okay and the same question to you, Katie. - I would say, if you're thinking linearly, the end point is always the starting point, right? The end point, it's the biggest initial tech vector. Noah rattled off some stats from the dipper. So, we know these things, these attacks, start at the end point and they start with phishing. It's the easiest thing to do and it's the most reliable thing for attackers, which is the argument for phishing protection, right? It's the argument to stop things before they start.

I will concede that this is nuance and I'm here to win this debate and Ryan's really good so I don't wanna give up too much but it is obviously nuanced. But if my argument is for phishing protection, then we have to start where the attacks start and that is through phishing. That's said, what types of organizations should focus on other things? Well, my boss used to run the security program at AT&T and his mandate as the CISO was to keep systems up and running, there could be no downtime, there no disruption because the company would lose millions of dollars, anytime subscribers lost connectivity. So, his mandate as the chief security officer wasn't necessarily to keep things secure above all else, it was to keep availability. So, you need to know your business.

So, which types of other organizations should focus on other things? Those where the business mandate is something other than security, right? And oh, I shouldn't have said that, that's a bad one. No, take that back. Can I rewind my words? But like for AT&T or for a medical, for a hospital with medical devices, you have to look at what's happening.

Are you gonna be threatening a life, if your connectivity goes down? Are you a power plant and millions of customers would lose access to their electricity? So, you need to prioritize where you put your protection but again, going back, without the rewind, phishing is the initial attack factor so that should be prioritized to prevent as much as you can, before the attack gets going. - Okay, great. So, that is the conclusion of the main question section. So, before we let each guest give their final remarks and then open it up for the audience questions, Anna, let's poll the audience one more time. - Absolutely and as a reminder, it was 50/50 the first time we polled that in. And here are the results.

- Okay, so, we moved to 75% opposed. So, we went from 50/50 to now more opposed than in favor. All right. So now, we move on to the two minute final remarks and we start with you, Ryan, now.

- Thanks, you know, just want to take a minor victory lap and then, you know, comment that, you know, what Katie indicated in the last section on, you know, breaches or incidents being at the source of endpoint. If you look at recent Ponemon study results, the vast majority of breaches now occur via misconfiguration, cloud misconfigurations and server based attacks. So, you know, it's not just the end point. You know, it gets back to the vulnerability configuration, the hygiene, hygiene at the base. You know and then operations and security.

And in my mind, from an operations and security perspective, for me, those are one in the same. From a business continuity perspective, an incident, whether it's a natural disaster or a cybersecurity attack, it is, I mean, fundamentally irrelevant. It creates an outage and liability event for the organization.

And, you know, you can be focused on operational availability without the sacrifice of security. You know, and what I view is, you know, can you control the things that are in your power to control? Again, vulnerability management, configuration, baseline hygiene, identity and access management policies. If you can control well for the things that are within your power, it helps mitigate against things that are outside of your availability to control, the number of phishing emails you get, the amount of training, the head count turnover, you know, expertise in the area. You know, if you can hit the foundational items well, the other items tend to take care of themselves more easily. - All right and there we go. Katie, your two minutes for final remarks.

- Hats off to you, Ryan and I'm glad my job isn't as a debater but I'll counter you with some stats of my own. Actually, they're not mine, they're Proofpoint's. So, more than nine million suspicious emails were reported by Proofpoint users in the last year, that's only one anti-phishing company.

In 2019, 90% of organizations experienced targeted phishing attacks. 88% of organizations said they face, fear phishing attacks. 86% dealt with business email compromise attacks. We have the Anti-Phishing Working Group and some stats for them in Q3 2019, they detected almost 267,000 phishing sites.

So now, we're moving from email to sites, which is up 46% from the previous quarter and nearly doubled the number of attacks detected in Q4 2018. So, it shows that phishing is a problem, a major problem. It's only increasing, especially with work from home, with email volumes going up, with people being online more than ever before, with people receiving so many more messages. It is, phishing is always going to be the entry point.

And yeah, I've said it, I agree there should be a layered approach but if you wanna stop the bulk of bad, do it at the first place that attackers are gonna look. And that's why phishing anti-phishing campaigns, technology, people, process, should be prioritized because the more you can knock out up front, the less you're gonna have to deal with on the inside. - All right, so, Noah, let me hand it over to you.

I see a couple of audience questions. Where do you wanna start? - Excellent, thank you, Katie and thank you, Ryan. We have a few great questions that came in. I'll start with this first one, which might extend even beyond the realm of security but it's an interesting question, nonetheless. Recent studies have shown that emails are huge in, a huge time in productivity waste of business. Are we putting too much focus on phishing and not addressing the real problem, which is the scourge known as email? - All right, so, I think Ryan, we start with you, yeah.

- Yeah, I'll jump into this hand grenade. You know, I tend to interact a lot more with Teams these days. You know, Teams, Slack, Zoom. You know, I think we are shifting towards the era of collaboration and collaboration tools. I, you know, you can get more immediate interactions, response, outcomes via, you know, that kind of live chat, than, than via email. I do think, you know, email does have a part to play, particularly with intra-organizational conversations, at least, you know, for the foreseeable.

You know, I think that dynamic is certainly open, you know, social engineering will happen, wherever people have conversations. So, I don't think it really matters one way or the other, you know, you'd need to think about that as an attack vector. You know, I tend to think about the downstream controls but you know, as long as we've got collaboration communication, you're gonna have someone there to take advantage of.

- Okay. - So, I worked for a short time in an organization that didn't believe in using email. They communicated with each other and with their customers only via Slack and it was weird. I have to say it was really, really weird for me because I felt like some of the more important things that needed to be documented, that needed to be communicated should be in a place where it was easy to find or easy to categorize, where it was easy to pull up for later reference, if you needed it. That said, I personally would love to decrease my reliance on email, not entirely. I didn't like when I had one channel, that had everything where it wasn't easy to find the important information I needed but there's a lot of stuff communicated via email, that doesn't necessarily need to be.

It's people trying to be polite. It's people trying to over-communicate. So, you can't, I, you know, I wouldn't fault anybody for that but there is a lot of noise.

And if you go back to one of the earlier stats, you know, almost 30% of our day is taken up with email. That's crazy, that's a lot of time answering emails and taking your focus away from other work. That's it, if we do use other collaboration channels, attackers will just move there, they already have, you know, right? We're gonna start seeing more attacks on these kinds of channels for sure because wherever the people are, that's where the attacks will go. - Excellent, we have another great question here that came in. What role do email standards such as DMARC play in combating phishing? And should companies be forced to adopt these standards? And if so, would that make a meaningful impact? - So, we start with Katie on that one.

I don't know if forced is the right word but I would definitely say that standards and technologies like DMARC should be used for sure. We, there's a problem insecurity that we have an abundance of tools that cover a piece of everything and there's no wholistic solution. I don't think it's realistic to expect the silver bullet, which is why we need a layered approach, which is why there are vendors coming up with new things, they're, you know, imagining and building different types of technologies, all the time. That's why we have things like Hype Cycles.

But yeah, I think companies do need to take that approach, that there are different aspects, that cover their email security and protect that vector. You know, for a while security, email gateways were the thing, right? And they do stop some low hanging fruit but we see tons and tons of attacks evading segs. We did a survey at TAG Cyber with our clients and found something like 73% of executives said, that they saw phishing attacks evading segs daily and that was multiple times a day for a lot of those people. So yeah, we definitely need to adopt the technologies that are out there and look for better solutions, that aren't based, of course, on old technologies, old networks, old ways of access.

Yeah but forced, I'm a little fixated on the forced. Should they be forced? No. Should it be best practice? Absolutely. - All right, Ryan, what do you think? - I mean, you know, you've got attackers that, you know, can get DMARC and DKIM passed, you know, so it becomes a component, right? A component of a larger framework of trust.

You know, if you're putting all your eggs in DMARC and DKIM, it's not gonna be a winning solution, primarily because you know, security programs across the board are uneven. So, if somebody else who has DMARC and DKIM set up on their email servers, if one of their users gets compromised and another phishing campaign gets launched from there, it's going to have that, you know, that air of trust, it's going to be backed by the DMARC and DKIM. So, you know, I would say, you know, if you made everybody do it, then the attackers who launch phishing campaigns would just go, you know, sit on websites to get DMARC and DKIM certified and then launch campaigns anyway.

It's a hard question to solve for, based on the nature of how email works and the foundational email technology. So, it's a step in the right direction, where it's enabled, you can gain a higher level of trust and when it's not but if you made everybody do it, it's not gonna stop, it's not gonna stop the attacks, that just, you know, shifts and and get DMARC and DKIM certified mail servers and launch from there. So, my perspective and of one. - Okay, Noah, do we have any other questions? - Yeah, it looks like we have time for this one last question. What would you recommend for small and medium sized businesses that may not have dedicated phishing protection resources? What are some of the basic steps they can take to reduce risks? - Is that one gonna go to me? - Yeah, sorry. Yeah, starts with you, Ryan.

- All right. You know, if I were to think about it, you know, if you don't have resources, it's probably better to lean into a managed security provider. You know, would be my recommendation.

You know and you should be asking them about how to augment and get, you know, identity and access management controls, particularly multi-factor, you know, be asking for, you know, vulnerability and configuration change controls. And you know, lean into the things that you can control. Lean in on the education so you understand that the various attack vectors and maybe the MITRE attack framework and ask what they're doing and how they can help map and what your gaps are relative to maybe the MITRE attack, which would tell you what you need to focus on or where the gaps are and where you've got coverage and then ask them to prove it. - I don't have much more to add because that's also my recommendation. Work with an MSP or an MSSP.

Definitely lean on their expertise. There are, you know, everybody knows the big ones out there but there are tons of small regional players, that do focus on SMBs, that do have services tailored for SMBs and they understand they can't have the same subscription services as you would for a, you know, a giant multinational enterprise. So, definitely lean on those outside experts for help and do all the things Ryan said.

- All right. All right and over to you. - Great, thank you, Katie and Ryan. That concludes our debate. We'll be sending a link to the recording and be sure to join us for the next episode of The Great Debate on November 17th, where Dan Greenhaus of ESEC Training..

and Craig Taylor of CyberHoot, will debate whether endpoint protection should be the top cybersecurity priority right now. This series is sponsored by Axonius, the cybersecurity asset management company, that gives customers a comprehensive asset inventory, uncovers security gaps and automatically validates and enforces policies. To try Axonius free for 30 days or to get a demo, go to axonius.com. Finally, we're excited to be making a donation to the Bail Project on behalf of Ryan Fritts and a donation to Broken Tail Rescue on behalf of Katie Teitler.

Thank you all for joining and we look forward to seeing you soon.

2021-01-16

Show video