Creating A New Cybersecurity Category: Phishing Detection & Response (PDR)

Transcript

Opening

Welcome everybody to What's the Problem, the show that explores problems that buyers, practitioners, and folks on the business side of the world of cybersecurity face in today's world. Today, we are fortunate to have Christopher Gibbons joining us.

Conversation

Mike Krass: Christopher, say hello to all the listeners.

Christopher Gibbons: Hey, everyone and Mike, thanks for having me today.

Mike Krass: Absolutely. Everyone who listens knows how this goes, and we get right into it. Christopher, why are you qualified to talk about cybersecurity?

Christopher Gibbons: I work as a Senior Product Marketing Manager of a competitive strategy company called Cofense. We provide enough security for over half of the Fortune 500 and work with over two thousand customers around the globe. We're also a portfolio of BlackRock Private Equity Partners. Before Cofense, I spent two years working for a government contractor in the endpoint security space, mainly working on government contracts. I was responsible for a lot of our thought leadership work. I'm excited to be here. I've been in data security, endpoint security, and email security for a few years now. I look forward to contributing my two cents to cyber security, an important topic of conversation today.

Mike Krass: You gave away a bit of what we might be talking about with problems here. Christopher, are we talking about a problem in the email security space today? Is that the problem you want to explore?

Christopher Gibbons: Yes, that is the problem I'd like to discuss today. Email security is one of the most pressing issues that any executive in cybersecurity needs to think about and really should be a primary tenant of their cybersecurity posture as we move forward into the new year.

Mike Krass: What's the deal with email security? Let's start with the problem.

Christopher Gibbons: Email security has never sounded like a sexy type of security. Everyone wants to talk about high security and encryption. When you look at the data, security is the most active and successful threat vector for threat actors, specifically, email phishing attacks. According to Deloitte, they make up ninety-one percent (9%) of all cyberattacks, so if you're looking at where you should spend one dollar ($1) to maximize your cybersecurity ROI, email phishing security is the first place you should look at.

Mike Krass: We've got email phishing security as a topic here. But when I subscribe to Google business apps or any Microsoft business apps, there's security built. Why do I need more?

Christopher Gibbons: That's a great question. It's something we work with our customers about all the time. When we look at how email security has evolved, we can think back to the late 90s and early 2000s and look at the evolution of email attacks.

We saw malicious attachments—word or excel files with built-in sneaky macros. Your email security provider did not have built-in security, and organizations started to invest in secure email gateways. We're going to refer to them as SEGs for short, and were deployed at the perimeter and would scan every email coming into an environment. If they detected an email with a malicious attachment and an excel file with a bad macro, those are blocked, which worked well for years.

Threat actors are intelligent and are constantly evolving in their attacks to try and maximize the damage they cause. And threat actors have decided to no longer use these attachment-based attacks. They're going to use phishing attacks, and they're going to try and trick you. They're going to try and trick all of our co-workers into believing that a link they're going to click or a financial request that they send comes from someone they know. And when you look at the data, it is coming from what we call Cofense validator, a third-party product we offer that allows organizations to test their perimeter defenses based on real-time X that reaches inboxes. We see those secure email gateways all block around 99% of your legacy attachment attacks, which is great. But they miss half of every phishing attack, and when you look at Microsoft or Google and their built-in security, they block around ninety-nine (99%) of attachments. Many organizations invested in a Microsoft or Google solution receive comparable security compared to legacy sack providers.

Mike Krass: So, you've got this product and reminded me of the name called Cofense. What was the other one?

Christopher Gibbons: The product that we help our customers use to test their efficacy of the parameter is called Cofense Validator.

Mike Krass: I will play devil's advocate here and say, “ Shouldn't the validator be showing this anyways because it helps sell your story.” You're a senior product marketing, and it helps sell your story. How can I trust the validator? Is there other data in the industry that helps validate without a validator?

Christopher Gibbons: That is a very important question that needs to be asked. When a vendor comes on the show and talks about their solution, everyone should ask for third-party references, and we always point them back to Gartner. When you look at Gartner and Forrester, and you look at how they have covered the secure email gateway space have a very negative view now. Gartner no longer issues a magic quadrant about security.

You also hear quotations from analysts at Gartner and Forrester calling SEG’s slowly dying dinosaurs. The impression from experts in the industry or secure gateways says that they're no longer the right technology to invest in when you're looking at your email security posture. And that opens up the question, what should you look at instead, which goes back to how you arm your employees. Do you think about security awareness training and automated tools for your security operations center? Do you get the right intelligence and data to keep your organization informed on the threat landscape and evolve your technology with the latest and greatest attacks?

Mike Krass: I'm sure that you saw the news that CISA put out last month about the instructions of when there is a breach; it needs to be there and needs to be a notification. How do you think that will play into what you're doing at Cofense? Do you think that that will help SEG’s , or will it just continue the slow demise that segues are currently seen?

Christopher Gibbons: When I think about how you have people processes technology and data, it's an important addition to the classic people processes technology framework. This falls under the processes category, and one of the frustrating issues about cybersecurity is it's challenging to be proactive, and often, most organizations are reactive.

When it comes to breach attacks, stay in your inboxes attacks and stay in other areas of your organization. And by the time you recognize there's a breach, it's too late. When an organization thinks about having to notify either customers, community, etc., if there's a breach, the question will come back to them saying, “Okay, you identified a breach. How will you prevent the same type of breach going forward proactively?” And that flows into your technology conversation of the most proactive technologies that evolve with the threat landscape. Unfortunately, secure email gateways are not evolving with the threat landscape, and some organizations and highly regulated industries truly do need security gateways.

Mike Krass: It’s like you're required to use a seg. I even remember when you close on a home, the bank or the lender will often send you. It shows up as an email. But it's a link to make you log in somewhere else in their email, which is painful to do on a mobile device and a layer of security. I appreciate it when you consider the amount of information being transferred, your personal and banking information.

Christopher Gibbons: If you're in a highly regulated industry, you should invest in a secure email gateway if you're required. But if you're looking at a more holistic approach and have a certain amount of budget to spend, I would recommend looking elsewhere at other email security options to ensure your enterprise, SMB, or even crown jewels and customer data is properly secured.

Mike Krass: I have one more question, and I should have asked this earlier. Cofense is not a seg, correct?

Christopher Gibbons: Cofense is not a seg. We offer security awareness training, and we were formally named PhishMe but ur customers asked for more. We have a portfolio of eight products in one managed service that spans secure security awareness training, phishing simulations, automated tools for incident response, threat intelligence, and a managed service to make sure that organizations have the right tools at their disposal to stop the most active and successful threat vectors to that.

Mike Krass: What category do you put your business in? What category do you participate in?

Christopher Gibbons: We are trying to forge a new category. We offer eight products in one solution under an umbrella called phishing detection and response PDR. PDR is similar to EDR or Endpoint Detection and Response. We're a potential response, but we truly believe that 91% of all cyberattacks are phishing attacks. PDR is a necessary investment for organizations today and tomorrow.

Mike Krass: Thank you for telling me that category. Our listeners are probably trying to think of which category bucket I put this group, and where is this guy coming from? At MKG, we have customers in the different brands of detection response and depending on your needs as a business. That's awesome to hear that you're creating a category, and it’s a lot of work—best of luck as you create PDR into a category that Gartner will cover for you.

Christopher Gibbons: We do hope so. We're beginning to beat up on time when we think about how email security needs to evolve going forward. We're seeing heavy investment in artificial intelligence and similar machine learning products. We recently acquired an exciting company out of Israel last year, and the company was named CyberFish, which we've now rebranded as Cofense Protect. It is an API-enabled plugin that you deploy right after the perimeter defense. Our inbox uses machine learning called Computer Vision to scan emails, similar to the way humans do, and the reason we view this as important is going back to this idea of reactive versus proactive. Traditional email security is your security operation center (SOC), analyzing emails reported by your employees in the inbox. We’re not only taking that valuable intelligence coming from our Cofense customer base, but we're joining that with our machine learning solution.

Machine learning solutions can block those attacks before they reach the inbox rather than waiting for an attack to be reported to put one more piece of data before going into our customer environments. Cofense Protect gets twice as smart every quarter, and 88% of the attacks that Cofense Protect has identified have never been seen before in our customer base. So technology works when the right data power, and we're proud of what we've been able to do at Cofense to keep our teams safe.

Mike Krass: As you mentioned, we are up against time, and we like to keep short and punchy, and I have to admit that I got a little nerdy and dove down the PDR wormhole. So that takes us to the end here, Christopher. The third question is going to tell us about your terrible haircut.

Christopher Gibbons: I almost feel like I need to display a picture to prove it. It was back in eighth grade, and we were doing graduation pictures for middle school. My hair was too long for my school regulations, so my father took me to a sports cut. And I'm not kidding when I say my hair is butchered and looks horrendous. It was almost like they put scruffy grass on top of an egg head. I couldn't wear a hat in my picture. When my picture was displayed at the graduation event, the audience gasped, and I was absolutely mortified. You're an eighth-grader about to go to high school. You're getting interested in talking and going on dates, and that's how you look. It scared me for two years, and I'd only get a haircut once in June and December, and I ended up having these lanky locks that were going down on my shoulders. It wasn't the best look at the time, but that's what happens when you go through a bad haircut.

Mike Krass: Christopher, thank you for being honest and vulnerable and sharing that bad haircut. To our listeners, thank you for tuning in to What's the Problem, the show that explores problems the buyers, practitioners, and business folks in the world of security face today. Christopher, say goodbye to everybody.

Christopher Gibbons: Goodbye, everyone. Thank you so much for listening in today, and thank you for inviting me, Mike.