ESG's Dave Gruber discusses the challenge of securing cloud-delivered email with CEO Kevin O'Brien of GreatHorn.
Dave: Hi, I'm Dave Gruber, senior ESG analyst covering email security, and today we're going to be talking about the challenges associated with securing cloud-delivered email, and exploring options to overcome some of the gaps that we find in the native security controls offered by cloud email providers. Our ESG research says that two thirds of organizations are now depending on cloud-delivered email as their primary email solution, but that many report gaps in the native email security controls that are included.
Those that do say that they plan to use third-party controls to close those gaps. So joining me to help us explore this topic is Kevin O'Brien, CEO and co-founder for GreatHorn Security. Welcome, Kevin.
Kevin: Thanks, Dave. Nice to be here.
Dave: Yeah, so, if we can, I'd like to start out by hearing your perspective on the threat landscape today, and how the move to cloud-delivered email has played a role in the evolution of current threats.
Kevin: Yeah, of course. What we see is that for most organizations, the most dangerous thing they're going to get over email is a social engineering attack that tries to deceive someone into thinking that their CEO, or an external vendor whom they work with, or a trusted resource... You know, we're in a moment right now when we're recording this when there's the global pandemic occurring, so people are exploiting fear to say, "Oh, you have an employee who is sick," and "click on this link" or "open this document and learn more about it."
And those kinds of threats are fileless, typically. They're not the same as an attack would have been 10 years ago, and they're reliant upon that social engineering or that social pressure that preys on emotions, urgency, and fear, and so on and so forth, to get people to do things that they shouldn't.
Dave: So let's zero in on the move to cloud-delivered email for just a moment. Given that as a backdrop in the threat landscape, many have assumed that the cloud email providers would automatically protect against all of those types of threats and more, but later have found gaps once they moved over to cloud. Can you talk about some of the challenges people are facing with security controls in their cloud-delivered email solutions?
Kevin: Yeah. So when we talk about cloud email, we're talking about Office 365 and we're talking about G Suite from Google. And those two platforms actually do a really nice job at solving for a lot of the low-level basic things that you would have wanted an email security solution for 5 years ago or 10 years ago. But the risks that a business faces are going to be risks from the kinds of attacks that I just described.
The ones that are highly customized, they're impersonations of that business' internal employees, or they're impersonations of external organizations whom they work with regularly, vendors, for example. And Microsoft and Google just aren't built for that. They're building security controls for everyone, and they'll get the broad-based protection right, but that highly targeted side, that really requires a purpose-built and best-of-breed solution that an organization can tweak and adjust and turn the dials and knobs for, based on their own risk profile and their own risk tolerance.
Dave: Can we just kick it up a level quickly and just talk about, you know, in the broader perspective of threat detection and response, how does this all compare to, sort of, what the security analyst would face in other security control areas? Is it different in email, or does it fit into the same model?
Kevin: Every other part of the security market, in the last decade, some sooner, some later, has come to understand that security is a risk management function. But organizations need the ability to articulate their own risk posture and say, "You know, our finance team, if they're getting an external message from someone whom we've never communicated with before, and it's asking about payment terms, they should have a certain set of controls, whereas if it goes to a sales professional in my company, they have a very different reason why they might be getting that," and building these nuanced controls and then being able to do rapid response from a security perspective to things that are in fact attacks, and that would bypass that traditional gateway, that's really how organizations are adopting a modern security posture.
Dave: Got it, got it. So, last question. Tell me about how GreatHorn Security can help security teams take on these challenges and manage through this process?
Kevin: Sure. The cloud email security market is a market that we started. We have really been at the forefront of thinking about how you can natively integrate with Office 365 and G Suite, and then provide a vast array of highly technical controls that an organization can adopt in minutes instead of months. The legacy gateway approach requires that you route your mail through a third party, whereas a cloud email security approach plugs in directly into those cloud environments, using the APIs that Microsoft and Google make available.
And then, really the difference with GreatHorn is that we are designed to be an enterprise breed of email security for these cloud environments. We process over a billion emails a month, we provide robust link sandboxing, social graph analytics, biometric authentication for keystrokes to identify account takeover, end-user phish reporting, so on and so forth.
But the thing that you would want to take away from all of that, beyond the features and the functions, which we're happy to describe in detail, and you can find that information on our website, is that we take a risk approach, and a risk-centric approach to email security, rather than a technical, "buy this thing and it's a silver bullet, you no longer have any problems." And I think that's a more nuanced way of looking at this, and when combined with incident response, it allows our customers to drive down time to detection and time to response for email security without having to run the risk of a legacy secure email gateway, or start with a company that might only just be learning what the ropes are in the cloud email security space.
Dave: Terrific. Kevin, thank you so much for joining me today. Thanks for sharing insights on both the threat landscape, and some of the things that GreatHorn Security can do to help security professionals tackle these problems.