ESG's Dave Gruber discusses email security with Patrick Harr of SlashNext.
Dave: Welcome to another episode in my continuing Modern Email Security series. Today, we're going to be talking about phishing, the security topic that's most commonly associated with email security. And joining me to help us explore this topic today is Patrick Harr, CEO of SlashNext. Thanks for joining us today, Patrick.
Patrick: Yeah, great to be here with you.
Dave: So phishing has grown to become one of the most successful strategies for adversaries to compromise an organization. In my email security research, we see that protecting against phishing-related attacks is a top priority for most security teams. So I thought we could start, Patrick, by having you talk about why phishing has been so successful for adversaries and why it gets used so widely as a tactic in so many different types of attacks.
Patrick: Yeah, very interesting. When we think of phishing, we do commonly think of email and we think of that bad language email attack, right. Yeah, I would call that a first-generation attack. What is very unique today is, much like we have available as any company out there, very low-cost compute on public resources, like AWS or Azure, together with dark web behavioral information like out of LinkedIn or if you're getting some open source information, and then you have AI models that the bad actors have available to them and automation.
And with that, what we're seeing is a significant increase in the types and delivery mechanisms or channels that they're delivering these phishing attacks through. As an example, everyone probably got the SMS attack, "Your FedEx package was left on the doorstep." So that's the type of a new attack that we are seeing and it's no longer just an email attack. It's all these communication channels.
And so, I think what's fundamentally different today versus before is you now have just sheer speed, sheer delivery of these attacks across different channels, and you have different payload types. So it's not just credential stealing, it's rogueware. What I mean by that is software extensions or it could be a scareware tactic or some social engineering type of attack.
Dave: We've talked about phishing so much in the email security space, and I think, you know, as security teams are thinking about phishing protection, they're thinking about, okay, what's built into my email security solutions, and while email's often a mechanism that's used, the broader social engineering attacks, as you point out here, are covering off a lot of different vectors that security teams maybe haven't been used to having security controls in place for before.
So tell me just a little bit about how people think about this as a security control, whereas previously, when maybe we were thinking about phishing, we were thinking about phishing and email, and therefore depending on mechanisms there to help out.
Patrick: Yeah. So obviously this last year, the world got turned upside down. And everyone shifted to remote working, obviously talking in my son's bedroom right now. And with that, it's dramatically opened up the attack surface. So these different communication channels that are highlighted, mobile phone, SMS, it's not uncommon in our own work day, we go from corporate email to personal email, over to SMS and to LinkedIn Messenger, back to Facebook Messenger, back into Zoom.
And if you think about that, those are just opportunities for the bad actors to "phish you." So what we do very uniquely is we protect across these different communication channels. Anywhere someone can reach you with a message is where we're looking to try to diagnose is it an attack, what type of attack is it, and then block that attack.
And it's not just that credential steal. It is, "I want to get you to download this new browser software from Google Play." Behind there is ransomware, behind there is some malware. So it is a much broader attack vector, a much broader attack surface in many more communication channels. And I think that's what the security professionals really have to pay attention to is how do you protect against those.
Dave: This is a major shift in sort of the way to think of this threat vector, instead of individual siloed phishing controls in email, on a mobile device and other areas. So where does all this come together? How do security teams see and manage these types of attacks? Does it fit into their traditional security architectures or do they need to do something fairly different?
Patrick: I would say the new solutions have to be tuned to use AI, to actually do discovery of these types of attacks, because it's very, very difficult with discernible naked eye to say is this an attack or not. It's not uncommon, when we plug into an O365 environment, we will see many different attacks of what I would call those first-generation tools do not prevent or detect or prevent. But second, I think you have to look at how do you protect that mobile device.
SMS is perhaps a more trusted communication channel today than even email, so what we do is we put a mobile app on that device where we have the ability to detect and block those attacks coming in. Third, you do need to look at these other channels of communication. Again, Zoom, these social channels, and recognize, since we're outside the perimeter, how do you protect against those types of attacks.
Now again, we uniquely do that with a mobile app. We also have browser extensions that plug right into PC, Macs, Linux, Chrome OS, give you that real-time protection across those communication channels and across all these different payloads. You have to be on device to detect and block these attacks, because you have end-to-end encryption, you have Signal, you have WhatsApp, you've got all these end-to-end encryption pieces.
So you think about it, I have to be on that device to actually see that attack, read that attack, and then make the discernible information, do I block it or not. I don't think you'll be able to do that in the network anymore because everyone's outside that perimeter and again, you're going to have to see these live attacks when they occur.
Dave: As people think about SlashNext, do people think about this as truly a net new add, or does SlashNext replace anything else in the security stack?
Patrick: We are very complementary to current email security. But what we're really adding is that added layer of protection across, again, the mobile device, those different communication channels. So you want to really look at the, not only again, where are these payloads or these attacks coming from across these communication channels, but also the type of attacks, and do you have the ability to prevent them before they really take hold and do damage to that particular environment.
Dave: Great insights. Patrick Harr, CEO of SlashNext. Thank you so much for joining us today and hope this was helpful in providing some additional insights into phishing.